• privacy preserving engineering from the start and a transport card

    There is a transport card in Belgium that is now being digitalized and that will be extended the coming years to other means of public transport. It seems logical - one card for one person for all his means of public transport - but for a privacypreserving architect it is a real headache. Privacy is easier to maintain when information is dispersed and it is not possible to link them. The more information is linked and integrated or - worse - reformatted into one coherent database instead of 10 different ones - even if there are sometimes ways to find some information between the different databases - the bigger the threats are for privacy. And the bigger are the consequences if the card is lost or the central database is breached or its information (backuptapes) is lost.

    This is where privacypreserving technology comes in. This is not accesscontrol. Accesscontrol is only a way to control who may access this total coherent integrated database - the privacyrisk. Privacypreserving technology makes it possible to only give the data that is useful and to mask the data that is not useful personally but statistically.

    So they say that this card needs to keep the three last trips of a person because one can only change the lines of transport within the hour.

    Seems reasonable and logical. But why is this information on a fully paid 'all lines anytime' card where you can switch as long as you want as many times as you want ? And why is the information not limited to the lines one takes instead of the station (wipe out the station information on the badgereader and only send the lines information) and so on.

    When one reads how the card functions and what information is kept and linked one can clearly see that the people around the table when he project was started were transportmanagers and marketingpeople. A privacyofficer would have changed all that while making the objective needs of the planners possible. But that information would be globalized and would be anonymous (datamasking).

    On the contrary with datamasking one could have collected much more information than they have now without all the continuing never ending battles around privacyconcerns.

    It is not personalisation that is important in datamining because with personalisation comes a whole bunch of privacyconcerns that may derail your multimillion project anytime. It is globalisation of the information and datamining for realtime trends that is important.

    It is possible that they do this. But they never said so. And they never said so because they have no privacyofficer who can explain this and guarantee this.

    In the States big government agencies and public utilities and companies have a special privacy officer. Just to be sure that they keep privacy in mind from the beginning of a project and that it doesn't derail their multiyear multimillion projects because they have forgotten to integrate it in its architecture, process and communication.

    And it is not because it is not illegal that it is acceptable. This is surely the case with privacy.

  • all our carplates are automaticcally scanned at the Belgian West Coast

    In the Humo of this week there is an interview with lawyer Yespers - who has written a good book about privacy and the European organised intrusion in it.

    An interesting detail is that in the Policezone of the western part of the Belgian Coast every incoming numberplate is automaticcally scanned.

    To do what ?

    It is maybe time to have a discussion about the tracking of numberpates and the consequences and dangers of it.

  • what you need to know about the interception of your mobile calls by spies

    Last week a presentation rocked the ITscene. A security researcher bought for 1500$ the necessary
    hardware to install his laptop (powerful laptops these days ....) and set it up as a GSM tower.
    In practice this meant that he intercepted all the OUTGOING calls nearby where rerouted through his tower on which he could intercept (and record) them and break any encryption.

    Since a few years there are already rumors and some articles that the encryption of GSM was broken or
    easy to break. This guy has done it the easy way. Instead of trying to break something that takes days and
    lots of processing power, he just plays for the imposter and acts as a go-between.

    This looks like the rogue hotspots (or wireless access providers in hotels and airports)
    You could also set up a laptop like a wireless access provider and record all the logins and passwords.

    Here are some interesting facts

    * only the OUTgoing calls were intercepted, the incoming didn't find the phonenumber and just arrived at the mailbox

    * the encrypted 3G service could be directed to his GSM tower by jamming at the same time the 3G service in the room. This means that those who pay for 3G should know when they fall back on GSM and lose all security.

    * this interception attack is interesting around official and financial buildings, not far from business lounges in
    airports or at specific targeted locations.

    * the typical mobile is not secure enough for high-secure communications and was never intended to be.

    * this is an easier way for the police or intelligence services to get all the mobile communications during social
    unrest, football riots or drug raids (or antiguerilla operations). It could also be used by the other side if the official services have no secured communications.

    In practice it means that only those that could be targeted will be targeted because of this easier and cheap technology. And those who know that they could be targeted will have to take the appropriate measures to secure their communications and/or limit the communication of confidential information.

  • The facebook privacy debacle : are your details incorporated in the massive leak ?

    No matter how you see it, it is a leak because if some programs starts collecting information in a way that is not feasable for humans and than let it be used by datamining programs and marketeers than that is very serious. In fact Facebook and others have assumed that the privacy was also protected by the massive amount of users (and data) they collect. They never thought that a program would collect it all this way and that humans would never be able to do this themselvers. The security researcher did nothing illegal and Facebook did nothing illegal, it is just that neither did anything good. Facebook should have opted from the beginning for a opt-out privacyrule (everything is private except if you decide otherwise) and not a opt-in (in which for each bit of information you have to set a number of rules to protect the privacy). The securityresearcher should have shown the information as a proof of concept and as a tool to get Facebook to get its act together about Privacy (it is becoming its sword of Damocles).

    By publishing it on the internet he has made it too easy for corporations and organisations (or for individuals in those organisations and eventually without the approval of them) to download the dataset. Some can use solely for research but there may also be some opportunities for marketeers.

    Facebook will have to take some actions to protect its members from this kind of expecting spam and will have to monitor more closely the use of its network. Just as other networks (like Google and Scribd) are closing bots or people who are seemingly searching too much information to quickly, Facebook should block this kind of massive informationcollecting.

    Some of the firms and organisation that have now your public facebook information are

    A.C. Nielsen
    AT&T - Possible Macrovision
    Baker & McKenzie
    Bertelsmann Media
    Church of Scientology
    Cisco Systems
    Cox Enterprises
    Davis Polk & Wardwell
    Deutsche Telekom
    Ernst & Young
    Goldman Sachs
    HBO & Company
    Hilton Hospitality
    Levi Strauss & Co.
    Lockheed-Martin Corp
    Lucent Technologies
    Matsushita Electric Industrial Co
    Northrop Grumman
    O'Melveny & Myers
    Oracle Corp
    Pepsi Cola
    Procter and Gamble
    Random House
    Road Runner RRWE
    Siemens AG
    Sun Microsystems
    Time Warner Telecom
    Turner Broadcasting system
    Ubisoft Entertainment
    Wells Fargo
    Xerox PARC

    A lof of others will have used individual accounts or proxies to download the file and stay anonymous.

    Expect a lot of garbage, marketing and attacks on your Facebook account in the coming months if you had a public profile.

  • the Dutroux files/DVD's - more questions

    There was some brouhaha about DVD's found by the police in the archive of the Bishop of Belgium.

    The reaction of the press was that most had already those DVD's and that they were distributed during the trial of Dutroux to make it easier for them to do their work.

    This seems to be unknown to many others working in the justice department and they said they never heard about such a thing before.

    It also seems that there was no 'NDA or Non disclosure Agreement'

    It also seems that the files are not encrypted or protected by fingerprint (CONFIRMED)

    It also seems that the DVD's are not linked to a particular machine (CONFIRMED)

    It also seems that the files are not watermarked (CONFIRMED)

    Some specialists - speaking off the record - are very astonished about even the fact that all the files about a trial are made public this way. It could be that the judge was concerned that the fact that the journalists would be getting their facts and quotes wrong could hamper the trial and above all the public perception of it (Belgium was during  some months of the 'Dutroux period' according to the Prime minister Dehaene at the time in a pre-revolutionary situation - anything could happen anytime and nobody had a real control over events).

    As usual the decision was taken without much technical expertise and without any security guarantees to limit the possible further leakage of these documents/DVD's.

    Part of them are for the moment published on the Internet (I have nothing to do with that).

    I have nothing against the practice and I would even welcome a broader publication of parts of important trials but sometimes it is necessary to take the necessary measures to make sure that only information is made public that doesn't impact the privacy or 'feelings of the victims' or 'rights of the innocent'. Who would want to find a detailed description of the rape or murder of his kid on the internet ?

    I think the next minister of Justice will have to take some measures to clarify this and to oblige the courts to use not only caution but also the available technologies to protect the files if necessary and to be able to track those that are still distributing the files.

  • if you work for a fortune100 company and used piratebay....

    there are rumors swirling that some fortune100 companies have 'bought' the hacked userdatase of the piratebay to check if there were any internal ip addresses and contact present

    the hacker didn't want to sell it to the RIAA and even if he did they couldn't have done anything with it as it was obtained through illegal means. It shouldn't stand up in US court.

    but there are some Fortune100 companies who were willing to pay something to get their hands on the stuff and be able to control that someone of their company or from on their network had used the Piratebay recently.

    it also shows why those firms hire ex spooks and hackers and handlers to do the stuff a lawyer wouldn't want to be informed about

    It would go something like this

    "interesting, all those users - we already had a visit of the RIAA and it did cost us several thousands dollars and some working days to clean up the copyright-infringment mess by those freelance contractors on the network"

    "I could do a study for about 10.000 dollars to see if there are still people in your network using Piratebay"

    "fine you do that - I'll pay it to Investigative Services"

    a few weeks later

    "thank you for those names, we were in the process of restructuring our IT service anyway"

    "you know where to find me if you need some info"


    ps double identities on the web are no luxury


  • The Woerth affair, some interesting details

    In this French affair in which a french minister would have played go-between in a scheme to transfer
    money from one of the richest families of France (Bettencourt) and the now elect President Sarkozy
    there are masses of articles and opinions being written.
    Some interesting details shouldn't get lost.

    1. When someone becomes minister or part of an administration he or she should first make sure that there
    is no possibility of any question about impartiality. THe most extreme procedures are to be found in the US.
    But they are the most clear and may have prevented already hundreds of scandals.
    Being a minister responsable for Fiscal controls while your wife works for one of the biggest family fortunes
    in France is just a scandal waiting to burst.

    2. The scandal broke out when transcripts of illegally taped private conversation between Mdm Betancourt and her
    accountants and family were published. It is not clear who has installed the bugging devices, who has used the
    transcripts for which reason and who transmitted them at the press. It is clear in those transcripts that the family
    had set up some tax-evasion methods.
    At one side one wants to use this information to get justice done.
    At the other side do we want that anybody could place anywhere bugging devices or hidden camera's in any house or office and use (part of) these transcripts to get people be prosecuted.
    In a state of law it is up for the police- and intelligence services to set up such special investigation methods
    under the control of the law and a judge. If other services are installing these bugging devices they can maybe use
    it for intelligence gathering but they can't do anything with it.

    3. It shows that a journalistic medium that is paid by its readers can be succesfull if they do real investigative
    work that the other papers have forgotten to do (or to coninue after the publication of the first scoop).
    It shows that people are willing to pay for something that gives them more than only 'news', 'facts' 'reporting'
    that in fact gives us nothing new. Investigative journalism means getting information that otherwise will not be
    published and secondly continuing to explore the subject.

  • the belgian bishop had Dutroux files ? who didn't ?

    A scandal has broken out because the former Belgian bishop Danneels had internal files of the investigation about Dutroux (and some other linked affairs) in his archive. These seem to be internal documents from the investigation.

    But this is not that big a deal.

    These documents were and are circulating around the insider world of journalists, investigators and researchers.

    Some are published on Wikileaks and scribd and other internet places.

    But this may not be a surprise. They are not encrypted or protected by passwords, sources tell.

    The digitalisation of the justice department is one thing, the other thing is to do it properly so that the information is protected for the eyes of people who normally shouldn't have access to it.

  • Kill tor before you trust it too much

    Too many people think that any network or service that is set up by voluntary people to guarantee the privacy and anonimity of their online actions is so idealistic that they do stupid things.

    Tor is such a thing. It is a network of anonimization servers set up by unconnected volunteers that have nothing to do one with another. You surf to the Tor server with your Torclient and than you surf the web or send your email and you can even get out or off from another exit point.

    The problem is that not all these entry and exitpoints are set up by volunteers. They are set up sometimes by police, copyrightagents and hackers-spies.

    So there is no free VPN network set up by freedomloving people around the world.

    It is now clear that aside from the childporn you can find there, people have also found millions of official documents and drops with logs and logins. Wikileaks and the researchers that found the Chinese spyring Ghostnet found their official stolen documents one one of these unsecured parts of TOR. For anyone to download or intercept.

    So you should block TOR on your network.

    You shouldn't use TOR for official business (or commercial business).

    You should make it clear that TOR is a NO_USE service for your employees.

    You can use it now and than for some free innocent stuff like using a service to send fake emails for someones birthday. But for other stuff ? Or you should encrypt and defend your computer completely before going in this palace of mirrors in which nothing is what is seems like.

  • we are mostly leechers and not uploaders

    "In a paper presented earlier this week at the Usenix Workshop on Large-Scale Exploits and Emergent Threats, the researchers demonstrated how they used the technique to continuously spy on BitTorrent users for 103 days. They collected 148 million IP addresses and identified 2 billion copies of downloads, many of them copyrighted.

    The researchers, from the French National Institute for Research in Computer Science and Control, also identified the IP addresses where much of the content originated. They discovered the the vast majority of the material on BitTorrent started with a relatively small number of individuals."

    So why are they trying to sue the millions instead of getting the few that upload the stuff that those millions want without paying ?

  • search all the stupid things people say on Facebook has some funny idea

    They want to make it much more easy to find the stuff other people are posting online for everybody to see - if they know that or not because the privacy principles of Facebook have changed many times and are still changing - and not for the better.

    You should be stupid to post some things online in facebook or other sites like that because you may never know who will read it

    It is quite funny to read   which means many things around the world but is a bad word here for  young immigrants which means as much as whore which means as much as son of a bitch  which means fucking

  • Already 700.000 facebook logins sold, time to change

    There are about 400 million facebook users (or with a login that is)

    Of those the biggest list untill now was being put up for sale on the net by a Russian hacker at giveaway prices. The list claimed to have about 1.5 million logins.

    According to sources already 700.000 of those have effectively been sold.

    Time to change your password of Facebook

    Even if the chance is one in 400

    It is just good security.

  • netlog used in a trial as proof

    A family wanted to stop the organizers of a sportevent because it would disturb their daugher who would have to study.

    The judge surfed to her netlogprofile and saw that she had enough friends she could go to and that in her profile she said that she didn't like to study at all and that school wasn't that important.

    So he refused their demand based on that evidence.

    What you publish online if public and can be used against you.

  • use GPS to be sure that kids go to school ....

    paranoïd ? No I have read about RFID wireless devices in Japanese schools to control the whereabouts of kids and smartcards and stuff like that.

    THis goes a bit further and brings the problem of locational privacy and GPS tracking to the forefront. I don't think there is anything in Belgium about that .....

    But as the discussions are flaring up about what to do about all these innercity youngsters that nearly never show up at school - and don't get work either and sometimes just become small criminals - it is important to make an important point.

    It is not the technology that makes the difference. It is the human counseling and empowerment that is important. As for ex-prisoners or prisoners who have 'house arrest'. The success of this program is the human aspect,  not the technological one. It only helps.

    "The monitoring is still a vital part of the program, the students are given the device and have to punch in a code as soon as they arrive to school and check in with their counselors in the morning, lunchtime and at night to make sure they are staying on track. If the GPS detects the students are not where they are supposed to be at any given time, the students get a call from that counselor. Yet the type of monitoring device utilized by AIM, one that isn't physically attached to the student, was also a well thought out component to the program, Dooley said.

    "The point behind that is when someone has a tracking device that's physically attached to them, they look in the mirror and see themselves as a criminal. Then they start behaving as a criminal," he said.

    According to Dooley, a device the students are tasked with holding onto and taking care of gives them something they are responsible for, something they are constantly reminded of and have to do well with, which in turn will lead them to greater self confidenc


  • why giving your EID or passport out of hand and sight may make you a terrorist

    This is what probably happened with the European citizens who found their names on the frontpages worldwide as being part of the Israeli hit team.


    The report by the UK's Serious Organised Crime Agency (Soca) into the use of cloned British passports in the Dubai assassination makes clear their view that this is what happened as Britons travelled through the airport in the months and years before the plot was hatched to kill the Hamas commander Mahmoud al-Mabhouh.

    The Soca report concluded that the passports must have been cloned at the airport or at other interfaces with Israeli officialdom, such as airline offices in other countries. There were no other links between the 12 individuals whose identities were stolen.

    According to insiders, the language in the Soca report, produced after a four-week investigation, was "direct" and the findings unequivocal: the inquiry showed that the victims' data was taken, stored and passed on when they handed their passports to Israeli officials or those linked to them.

    "We cannot pin it on individuals, but the evidence draws us to the conclusion that the only place these passports could have been cloned is when they were inspected at the Israeli border or in other countries, where they were passed to Israelis," said one source."

  • Unisys securityindex Belgium : it is how you ask the question that counts

    Unisys proofs with something called a study - or that wants to look like it that the answers are always influenced by the question itself or the environment/mood in which you ask the question. The problem is that their questions are so positive (if your data is kept secure) or neutral by not asking them for example if they think that banks for example should be obliged to report data breaches.

    Another reason is off course that the mainstream press does not really inform the people of the growing dangers of the internet - except when it really breaks


    You have now the headlines as if Belgians would give all their privacy up for a safe airline trip or for identification by banks, government and so on. Naturally you get those answers when all the rest of the interview has been in a positive mood and the people you are questioning have not been confronted by facts that could have changed their minds.

    Do they know for example that if the US wants the PNR data of travellers that this includes nearly all their information and that it will be stocked indefinitely without any chance to review, correct or even demand the suppression of (some) information ? And do you think they would be as willing to respond positively if you would have asked the question in this way ?

    Would you be willing to send over all your personal information to the US where the US government would keep it as long as they want and could do with it whatever they want without you having anything right to ask access or information about what information they have about you and what they are doing with it in order to take an airline to the US ?

    how many would respond positively to this question ?

  • Mexico may cut millions of anonymous cell phones

    In its overall descending into a nearly-failing state because of the military power that the drug cartels have built up for years (and that you can't just disarm like that) the Mexican government has decided that it will block all cellphones that aren't registered. Off course what is the use of listening to a cellphone if you don't know who is belongs to ? 

    I don't think this measure would be very popular because around 30 million phones aren't registered yet..... and saturday is the limit

    "Most of Mexico's 84 million mobile phones are prepaid handsets with a limited number of minutes of use that can be easily bought in stores. The phones can be topped up with more minutes through street corner vendors." source

    But even afterwards this will not be of much help because there are always ways around.

  • tips on how to speak about confidential matters without encryption (is this for real ?)

    • If you have no alternative (such as using encryption software) and urgently need to discuss confidential matters over a mobile phone:
    • cover your mouth so you can't be lip-read
    • choose a location where you can't be overheard
    • talk quietly and be brief
    • use code words
    • split information across different channels (e.g. refer to emails or send texts etc so information is incomplete and meaningless on its own)

  • Brussel National airport will follow your bluetooth

    They will follow - but not identify - all bluetooth enabled smartphone and other digital niceties to have to have a clearer idea of how many people are in line or arriving to depart.

    First there is no clear idea that they won't register anything somewhere.

    Secondly it is just a stupid idea because it won't tell them anything. How many people have enabled their bluetooth ? Especially in an airport where social engineering and other attackers are - according to the hacker manuals - going around to find the  CEO with much confidential data on the digital smartphone without any protection.

    Another reason to cut it out.

  • Belgium wanted to keep ACTA secret ?

    Belgium, Portugal, Germany, Denmark, South Korea and Singapore all supported keeping ACTA secret, with Denmark being the most vocal supporter of secrecy.

    ACTA is the name of an international treaty project that as an anti piracy treaty would make it possible for inventors to have more legal leaverage against organised copying or imitating. But there are several other things that have been added to this treaty that don't necessarily belong there like the right of the  US border control to control, seize and destroy digital media and computers if they think there have pirated material on them. Also it wabted to oblige ISP's to have a termination policy for offenders of copyrights and a policy to limit the transfer of such files on their networks.

    A leaked version can be found here

    The European Parliament voted now for more opennes on the matter.

    "The resolution demanded complete access to the ACTA negotiating texts, and it threatens a lawsuit if the European Commission fails to turn them over. Parliament was particularly miffed that the process has taken place in such secrecy, when major international IP treaties have in fact been negotiated much more openly at venues like WIPO and the WTO.

    Karel de Gucht European Commissioner has reacted to the vote

    * he will ask for more transparancy

    "Nevertheless, I will see to it that at the next negotiating round, in April, the Commission will vigorously push its negotiating partners to agree to release the text and I will raise European Parliament concerns bilaterally with ACTA parties like the US I am scheduled to meet before then."

    * the three strike rule should stay out of ACTA

    "Let me be very clear on this, so there is no room for ambiguity. The 'three-strike rule' or graduated response systems are not compulsory in Europe. Different EU countries have different approaches, and we want to keep this flexibility, while fully respecting fundamental rights, freedoms and civil liberties. The EU does not support and will not accept that ACTA creates an obligation to disconnect people from the internet because of illegal downloads."

    Will the Belgian delegation disagree with Karel De Gucht ?