Big Brother in the Restroom

Wikes! This is nasty, and while the porn industry has commercialized the idea a long time ago, I never imagined the levels of crime in public restrooms would "reach" levels requiring CCTVs to be installed -- if there's so much vandalism going on in public restrooms, these will definitely get stolen as well, picture the situation! Norway installs surveillance cameras in park restrooms.

Hint : once you get involved in the CCTV irony, I say irony mainly because the dude behind the 40 motion detection and face recognition wall is having another CCTV behind his back, you end up spending tax payers money to cover "blind spots", and end up with a negative ROI while trying to achieve self-regulation, if one matters!

Surveillance and Society's journal still remains the most resourceful publication on surveillance studies and its impact on society.

Further reading and previous cases:
The Hidden Camera
Iowa Judge Says Hidden Restroom Camera Case Can Proceed to Trial Continue reading →

World's Internet Censorship Map

While it seems rather quiet on the Internet's censorship front, the media coverage on the topic represents a cyclical buzz that reemerges with the time.

Thankfully, initiatives as the OpenNet one, and organizations such as Reporters Without Borders never stop being the society's true watchdogs when it comes to Internet censorship. ONI's neat visualization of the Internet filtering map is a great way of pin pointing key locations, and provide further details through their in-depth reports, take a look for yourself!

Censorship is capable of running entire governments, maintaining historical political power, and mostly ruling by "excluding the middle". Recently, two of China's leading Internet portals were shut down due to maintenance issues acting as the excuse for improving their filtering capabilities. Reporters Without Borders conducted an outstanding analysis of the situation, coming to the conclusion "that the search engines of China’s two leading Internet portals, Sina and Sohu, after they were shut down from 19 to 21 June for what they described as a “technical upgrade” but which in fact was designed to improve the filtering of their search results."

What is Google up to? Making business compromises in order to harness the power of the growing Chinese Internet population. And while the Wall is cracking from within, the world is also taking actions against the fact that there're currently 30 journalists behind bars in China. Continue reading →

All Your Confidentiality Are Belong To Us

The proof that commercial and open source encryption has surpassed the technologies to police it, or the idea that privacy and business growth as top priorities would ruin the whole initiative?

"The Government has launched a public consultation into a draft code of practice for a controversial UK law that critics have said could alienate big business and IT professionals. Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) will, as it stands, give police the authority to force organisations and individuals to disclose encryption keys. The Government issued the public consultation on the code of practice for Part III, which will regulate how police and the courts use powers under the legislation, on Wednesday."

It would be interesting to see how they would initiate the response from individuals, without raising the the eyebrows on the majority of civil liberties watch dogs out there and, of course, businessess. That's of course, assuming they use encryption at the first place. Could be much more "wiser" to take advantage of covert practices to obtain the necessary information, instead of "forcing" this measure -- detecting encrypted/covert communication channels is another topic. Moreover, compared to the Australian police whose capabilities of obtaining information on criminals include the use of spyware is a bit contraversial, but adaptave approach.

If national infrastructure security matters, have individuals and enterprises personally take care of their security and encryption keys, promote data encryption, instead of dictating the vibrations by slowing down the basics through such laws. Continue reading →

Pocket Anonymity

While the threats posed by improper use of removable media will continue to make headlines, here's a company that's offering the complete all-in-one pocket anonymity solution -- at least that's how they position it. From the article :



"Last month, a company called Stealth Ideas Inc. of Woodland Hills, Calif., came out with its StealthSurfer II ID Protect. The miniature flash drive lets you surf anonymously from any computer using an integrated browser that runs in an encrypted mode. It comes loaded with several tools, including Anonymizer Anonymous Surfing 1.540 (which has IP masking), RoboForm Pass2Go 6.5.9 (a user ID/password management application) and Thunderbird 1.0.7 (for e-mail access). But before you buy, check to see if the company has upgraded its browser, which, according to company officials at the product’s launch, is Firefox 1.5.0.1. US-CERT and others have warned about significant vulnerabilities in certain versions of Firefox (and Thunderbird, for that matter). The version available as of press time, Version 1.5.0.2, addresses those flaws."



Is the Anonymizer behind the idea, or is it a middleman trying to add value to the Anonymizer's existing offer, and harness the brand powers of Firefox and Hushmail all in one? Wise, but the entire idea of anonymity is based on the Anonymizer's service, when anonymity still can be freely achieved to a certain extend. Very portable idea, the thing is there are already free alternatives when it comes to pocket anonymity and that's TorPark: Anonymous browsing on a USB drive, and I think I can live without the enhancements. Continue reading →

Snooping on Historical Click Streams

In a previous post "The Feds, Google, MSN's reaction, and how you got "bigbrothered"? I gave practical advices on how can easily do your homework on the popularity of certain search terms and sites, without the need of issuing a subpoena. The other day, AlltheWeb (Yahoo!) introduced their Livesearch feature, seems nice, still it basically clusters possible opportunities. Now the interesting part, on the next day Google launched Google Trends which is :



"builds on the idea behind the Google Zeitgeist, allowing you to sort through several years of Google search queries from around the world to get a general idea of everything from user preferences on ice-cream flavors to the relative popularity of politicians in their respective cities or countries."

This is what I've been waiting for quite some time, and you can easily make very good judgements on key topics based on regions, languages, even cities -- marketers get yourself down to business!



Antivirus, Malware, Spyware, NSA, Censorship, Privacy



What's next, the rise of MyWare and its integration on the Web? Give a try to Yahoo!'s Buzz, and PacketStormSecurity's instant StormWatch as well. Continue reading →

Wiretapping VoIP Order Questioned

There's been a lot of buzz recently on the FCC's order requiring all VoIP providers to begin compliance with CALEA in order to lawfully intercept VoIP communications by the middle of 2007 . Yesterday, a U.S judge seems to have challenged the order, from the article :



"The skepticism expressed so openly toward the administration's case encouraged civil liberties and education groups that argued that the U.S. is improperly applying telephone-era rules to a new generation of Internet services. "Your argument makes no sense,'' U.S. Circuit Judge Harry T. Edwards told the lawyer for the Federal Communications Commission, Jacob Lewis. ''When you go back to the office, have a big chuckle. I'm not missing this. This is ridiculous. Counsel!' The Justice Department, which has lobbied aggressively on the subject, warned in court papers that failure to expand the wiretap requirements to the fast-growing Internet phone industry ''could effectively provide a surveillance safe haven for criminals and terrorists who make use of new communications services.''



What's worth mentioning is that on a wide scale VoIP services are often banned in many countries, ISPs don't tend to tolerate the traffic which on the other hand directly bypasses their VoIP offers, and even China, one of the largest telecom market continues to have concerns about VoIP. Companies also seem to be revising their practices while trying to block Skype, among the most popular VoIP applications. Rather interesting, T-Mobile just announced that it would ban VoIP on its 3G network, but is it inability to achieve compliance or direct contradiction with their business practices?


Whatever the reason, VoIP communications aren't everyone's favorite, but represent a revolution in cheap, yet reliable communications. The more easily a network is made wiretap-ready, the easier for attackers in both, the short, and the long-term to abuse the backdoored idea itself, so don't. You can actually go through the 2005's Wiretap Report and figure out the cost of wiretapping, limiting it by promoting insecure networks isn't going to solve anything, given you actually know what you're looking for at the bottom line.



Image courtesy of EFF's "Monsters of Privacy" Animation.



Related resources :
VoIP, FCC, CALEA
Communications Assistance for Law Enforcement Act and Broadband Access and Services
Secure VoIP - Zfone
Sniffing VoIP Using Cain
Oreka VoIP Sniffer Continue reading →

The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking

I've once mentioned various privacy issues related to mobile devices, the growing trend of "assets tracking", and of course, cell phones tracking. Yesterday I came across to great summary of the current situation -- privacy groups make a point of it. From the article :



"Real-time tracking of cell phones is possible because mobile phones are constantly sending data to cell towers, which allows incoming calls to be routed correctly. The towers record the strength of the signal along with the side of the tower the signal is coming from. This allows the phone's position to be easily triangulated to within a few hundred yards. But the legal grounds for obtaining a tracking order is murky -- not surprising since technology often outpaces legislation. The panel agreed that Congress should write rules governing what level of suspicion cops need to have before tracking people through their cell phones."



While on the other hand, there's also an ongoing commercialization of the service by the industry itself, if the government were to start using practices like these with grey subpoenas, it would undermine the customers' trust in the industry and BigBrother is going to get even bigger. Enthusiasts are already experimenting with DIY cell phone tracking abilities, so if you worry about being tracked through your phone, you should also start worrying about having an extra one in your bag. Physical insecurities such as digital forensics on cell phones, even counter-offerings are today's reality, while flexible lawful wiretapping may still be taking one way or another -- I guess the NSA got all the attention recently, with their domestic spying program.



As the Mindmaker pointed out, we must assume that we are trackable wherever we go, but I think this dependence would get even more abused in the future by the time proposed laws match with the technology. Continue reading →

Biased Privacy Violation

This is a very interesting initiative, going beyond the usual MySpace's teen heaven privacy issues, but directly exposing the mature audience in a way I find as a totally biased one. Girls writing stories on men that supposedly chated on them. DontDateHimGirl.com aims to :



"DontDateHimGirl.com is an online resource for women who have shared the experience of dating a no-good man! Browse our search engine of alleged cheaters, liars and cads right now! This controversial site has been featured on MSNBC, the Today Show, ABC News, CNN and Entertainment Tonight! There is finally a way for women to check a guy out BEFORE dating, marrying or otherwise committing to him! Warn other women about the men who have cheated, lied or used you! Register and become a member today! You'll receive our free newsletter and other valuable goodies! It's fast, easy and best of all, it's free! You'll be doing your sisters around the world an invaluable service! Don't Date Him Girl!"



Basically stuff like, "post a cheating man", "search for a cheating man", or browse through the 3593 ones already "categorized" as cheaters with personal stories and photos whenever available. What I feel they shouldn't do, is aggregate that kind of community powered personal details for third-parties, and making it searchable. Some stories are pretty fun and average enough to make you think :



"Quite a charmer in the beginning, as all guys tend to be. Called me beautiful, gorgeous.. kissed my forehead.. He did all the right things. He could do no wrong. We "dated" for a good 6 months, and things seemed to be going good. He was the love of my life. Lots of firsts with him, then he did a total 180. He stopped calling and didn't respond to my phone calls and/or messages. I was so distraught. I thought I did something to fuck things up. "



Perhaps she did, didn't she?! Still, that's entirely between them given they actually respect each other.


Don't get me wrong, there are pathological polygamists, but what's next, Local Google Maps to pin point the cheating areas around town?



To balance the powers, and make it even worse there's even a DontDateHerMan.com coming along, but try not to bring your personal life stuff to such an end, or is it just me? :) Continue reading →

April's Security Streams

Hi folks, it's about time to quickly summarize April's Security Streams. As of today, my blog is officially six months old and the feeling of witnessing change and improvements has always been a pleasant one. Blogging "my way" takes a lot of time, that is, posts going beyond "preaching" but emphasizing on "teaching", a little bit of investigative research, full-disclosure, and constructive key points on emerging or possible future trends related to infosec. Thanks for everyone's feedback, and actually reading not just going my posts as far as the average visitors' time spent is concerned!



1. "Wanna get yourself a portable Enigma encryption machine?"Already sold, but auctioned on Ebay, it's remarkable how the seller managed to preserve an original Enigma in such a condition, and the bids were worth it!



2. "The "threat" by Google Earth has just vanished in the air" Coming across Microsoft's Windows Live Local Street-Side Drive-by provoked contradictive thoughts, so I've decided to sum up recent ideas on the issue. The use of public satellite imagery for conducting OSINT is inevitable, while on the other hand the providers are simply making the world a smaller place. It is also questionable whether potential terrorists are "abroad" or within the countries themselves, that is knowing each and every corner of a possible "attack location", but with the ability to syndicate and share maps it would be naive not to think that they way you chat, they also do, and the way you plan activities while "zooming-out", they also do. At the bottom line, snooping from above might actually deal more with self-confidence than anything else. Have an opinion? Feel free to comment on the topic



3. "Insider fined $870" Virtual worlds are emerging and so are security techniques to steal someone's sword, be it through insiders, phishing, or trojan horse attacks. What's important to keep in mind when it comes to insiders is that on the majority of occasions you're are never aware that there's an ongoing potential breach on its way, and moreover, that the quantitative losses due to insiders are totally based on a company's sales projections, rather than successfully (if one can) measuring the value of intellectual property



4. "Securing political investments through censorship" We constantly talk on how the Internet is changing our daily lifes, our attitudes, and giving us the opportunity to tap into the biggest think-tank in the world -- on the majority of occasions for free. Internet censorship is still a very active practice by well-known regimes, while this post was trying to emphasize on the current situation - securing political investments through censorship



5. "Heading in the opposite direction" Companies and financial institutions are the most often targets of phishing attacks, and it's getting hard for them to both, convince their users and society that they're working on fighting the problem, and most importantly where's the real problem and how to fight it. In this post, I try to emphasize that building communications over a broken channel Bank2Customer over email is the worst possible strategy you could start executing. The irony in here is how in the way both, phishers and any bank in question may sometimes be using images stored on the banks server -- altogether!



6. "IM me" a strike order" It's a common myth that the military have came up with a Über secret and secure communications network, going beyond the Internet. And while there're such, they all suffer the same weakness, lack of usability, and budget deficits compared to IP based communications, that is the Internet. The post goes through research surveys on IMs in the military, and tries to bring more awareness on how age-old IM threats can easily exploit military IM communications as well



7. "Catching up on how to lawfully intercept in the digital era" On as daily basis we discuss security breaches, threats, privacy violations, whereas constantly misses the fact that there's a practice called lawful interception, namely that even if the NSA's domestic spying program got so much attention and concerns, it doesn't mean they aren't going to continue keeping themselves up-to-date with what is going wherever OSINT, SIGINT and HUMINT are applicable. The bottom line is that a person behind a CCTV camera's network is also under surveillance, so I advise you go through a very good resource on the topic, the Surveillance and Society Journal



8. "On the Insecurities of the Internet" IP spoofing by default, DNS and BGP abuses, Distributed Reflection Denial of Service Attacks, are among the ones worth mentioning, while perhaps the biggest insecurity lies in the fact that the Internet we're all striving to adapt for E-commerce and E-business, was developed as a scientific network we got used to so fast



9. "Distributed cracking of a utopian mystery code" Continuing the "distributed concepts" series of posts, this one deals with virtual worlds, and a wise idea on how to keep the players coming back for more -- let them even bruteforce the next part of the puzzle



10. "Fighting Internet's email junk through licensing" China's Internet population is about to surpass the U.S one and it would continue to grow resulting in China becoming the "novice" king of insecure networks. Trying to centrally control spam, they you can control the flow of traffic going out and coming in the country is a typical, but weak approach that could have worked years ago as no one needs a mail server to generate spam of phishing attacks these days. In respect to their concerns of users learning more about infosec, in China a cyber dissident is a heroic potential hacker, one that can easily bypass the Great Firewall and spread the word on how it can be done. As a matter of fact, PBS has done an outstanding job in their Tank Man episode, and while many considered the Chinese students' inability to recognize the infamous photo, what they were actually afraid of is showing a face-gesture that they indeed recognized it -- as they did of course.



11. "Would somebody please buy this Titan 1 ICBM Missile Base?" I think the buyer of this base should have better though of what he's buying, or let's just say how on Earth was he expecting to break-even given he missed the post-cold war momentum itself? It's indeed once in a lifetime purchase that you would think twice before not purchasing, and so I hope the auction would continue to attract visitors the way it is -- high-profit margins whenever the momentum is lost is a "lost case" by itself



12. "Spotting valuable investments in the information security market" An in-depth post on current market and vendor trends, as well as more info on the, now fully realistic acquisition of SiteAdvisor my McAfee, something I've blogged about in January. It's great to know that both parties came across the posts themselves, and to witness how such a wide-scale community power, but still backed by technology, startup got so easily acquired. What the acquirer must now ensure, is that it doesn't cannibalize the culture at SiteAdvisor -- every day is a startup day for us type of attitude is a permanent generator of creativity and attitude



13. "Digital forensics - efficient data acquisition devices" A resourceful post mentioning on the release of the CellDEK, no, it's not a portable DJs one, but a acquisition device detecting over 160 cell phone models and having the capacity to simultaneously acquire it from numerous devices all at once. Virtual cyber crime is all about quality forensics, whereas different legislations and approaches for gathering and coordinating such data across various countries remains a problem



14. "The anti virus industry's panacea - a virus recovery button" Try to get this on the Super Bowl and watch a generating falling for the lack of complexity in this "solution". Gratefully, I got many comments from readers with cheers on mentioning this and how useless the button is at the bottom line



15. "Why's that radar screen not blinking over there?" Quite some sites picked up the story, yet we can always question, and than again, so what? In a crucial situation a scenario like this could prove invaluable for the final outcome, but right now it's just a PR activity from the other side of the camp. Symmetric warfare is a tangible defense/offensive concept, whereas asymmetric warfare is fully capable of balancing powers -- to a certain extend as no matter how much NCW you put on the ground, you would still need "tangible" forces on the finish line



16. "25 ways to distinguish yourself -- and be happy?" A little bit of self-esteem is never too much and that's what these series can help you with



17. "Wild Wild Underground" An in-depth summary of some findings I intended to post for quite some time, but didn't have the time to. If you just take yourself some time to rethink over, you would hopefully realize that a guy like this is capable of recruiting people who actually come up with their own algorithms -- beyond their will in one way or another. Moreover, responding to comments I received, of course I did report the links, which are now down, as well as some of the forum posts I managed to digg. Ryan1918 is rather active though



18. "In between the lines of personal and sensitive information" Government reclassification of documents isn't the most pragmatic way, as these have already been online once, therefore someone out there still keeps a copy, and is now more than ever motivated to disseminate it, given someone is trying to censor it. I feel a common structure of the different types of information, formal training for those dealing with that type of info etc. and putting in place risk management solutions, considering that humans are totally not to be trusted (are computers to be?) is a way to mitigate these risks. Trying to censor something you end up making it even more popular that it could have been without you censoring it, just a thought



19. "DIY Marketing Culture" Personalization and Customization are emerging by default, and so is virtual viral marketing. In this post I mention the possibility to get your own custom MMs, and FireFox's FireFlicks initiative



20. "A comparison of US and European Privacy Practices" You can rarely come across a infosec survey with well formulated questions, ones that are the basis of a quality one. I think this company did a very good job in formulating and summarizing the outcome of a very trendy topic



Updated to add the averages for each month since I've started tracking my readers, looks nice, and in case you're interested you can also go through the summaries of previous months. Continue reading →

A comparison of US and European Privacy Practices

A new study on "US and European Corporate Privacy Practices" was released two days ago, and as I constantly monitor the topic knowing EU's stricter information sharing and privacy violations laws comparing to the U.S, thought you might find this useful. To sum up the findings :



"European companies are much more likely to have privacy practices that restrict or limit the sharing of customer or employees' sensitive personal information and are also more likely to provide employees with choice or consent on how information is used or shared," said David Bender, head of White & Case's Global Privacy practice." still at the "sharing sensitive information is bad"


promotional stage, I feel the research reasonable points out the lack of a systematic technical approach, bureaucracy can also be an issue, but with so many CERTs in Europe there's potential for lots of developments I think. Established in 2004, ENISA is the current body overseeing and guiding the Community towards data protection practices -- slowly, but steadily gaining grounds.



"But the research also revealed that US companies are engaging in more security and control-oriented compliance activities than their European counterparts. As a result, US corporations scored higher in five of the eight areas of corporate privacy practice." - structured implementation on a technical level, that is people auditing networks and being accountable in case of not doing so, and privacy policies by default. A little something bringing more insight from the Safe Harbor framework :



"The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self regulation. The European Union, however, relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of data bases with those agencies, and in some instances prior approval before personal data processing may begin."



Of course there are differences and there should always be as they provoke constructive discussions, but among the many well-developed survey questions, some made me a quick impression :



"Is there a process for communicating the privacy policy to all customers and consumers?" Europe - 33% United States - 69%



"Is privacy training mandatory for key employees (those who handle, manage or control personal information)?" Europe - 22% United States - 62%



"Do you use technologies to prevent unauthorized or illegal movement or transfer of data or documents?" Europe - 17% Unites States - 45%



"Will the company notify individuals when their personal information is lost or stolen?" Europe 33% United States - 62%



Perimer based defenses naturally dominate as a perception of being secure, still, I feel that the growing infosec market and IT infrastructures in both the U.S and Europe would continue to fuel the growth of new technologies and also result in more informed decision makers -- at the bottom line it's always about a common goal and better information sharing. Continue reading →

Catching up on how to lawfully intercept in the digital era

In one of my previous posts "A top level espionage case in Greece" I blogged about two cases of unlawful interception -- good old espionage practices in modern environment. What's also worth mentioning is the rush for lawful interception in the post 9/11 world, that is free spirits get detained for singing or being nerds, activities you can hardly datamine at the bottom line, and then again, so what?


Last month, Australia extended its phone-tap laws to e-mails and SMS, OMG, good morning Vietnam. An excerpt from the news item :



"Australia has passed new laws that would allow police to intercept phone calls, e-mails, and text messages of people who are just suspected of a crime. Attorney-General Philip Ruddock says the new laws account for challenges posed by technology; in December 2005, Middle Eastern and white supremacist youth used SMS messages to coordinate during race riots. However, civil liberties groups warn that the laws could allow police to target the privileged conversations of lawyers and journalists or to target innocent people for investigation. Australia has been tightening security laws since the September 11, 2001, terrorist attacks in the US."



Whether compliance, or new revenue sources from a telecom/network giant's point of view, lawful interception has always been happening. A single vendor's box can easily monitor over 30,000 DSL connections, and while the problem still remains processing power and decentralized/encrypted communications, steganography as a concept has always been the biggest downsize of any approach from my point of view.



At the bottom line it would eventually provide the ECHELON's community with more information to take hold of, whereas retaining or trying to data mine it still remains an abstract concept whose only justification has been the contradictive Able Danger scenario. It is my opinion that erasing terrabytes of intelligence information on a terrorist group is a pure science-fiction scenario, they way there's a desperate need for a clear ROI in respect to CCTV cameras.



Don't over-empower the watchers for the sake of your Security, or you'll end up with a false feeling of it.



More resources on surveillance and lawful interception worth going through are :

International Campaign Against Mass Surveillance
Development of surveillance technology and risk of abuse of economic information
Legal Analysis of the NSA Domestic Surveillance Program
Wiretapping, FISA, and the NSA
Can the government track your cell phone's location without probable cause?
Attack Detection Methods for All-Optical Networks
2006 = 1984?
Privacy issues related to mobile and wireless Internet access
Lawful Interception of the Internet
Using MAC Addresses in the Lawful Interception of IP Traffic
Open Source Intelligence (OSINT)
Making Intelligence Accountable: Legal Standards and Best Practice for Oversight of Intelligence Agencies
What is Project ECHELON?
Surveillance and Society Journal
Cybercrime in New Network Ecosystem: vulnerabilities and new forensic capabilities
Strategies for Lawful Intercept
Summary - Lawful Interception plugtest
Whistle-Blower Outs NSA Spy Room



Technorati tags:
Security, Intelligence, Surveillance, Wiretapping, Privacy, Lawful Interception Continue reading →

Securing political investments through censorship

I try to extensively blog on various privacy and Internet censorship related issues affecting different parts of the world, or provide comments on the big picture they way I see it.



Spending millions -- 6 million euro here, and I guess you also wouldn't let someone spread the word whether the cover is fancy enough for a vote or not -- on political campaigns to directly or indirectly influence the outcome of an election, is a common practice these days. Whereas, trying to build a wall around a government's practices is like having a tidal wave of comments smashing it. I recently came across the following article : "



"Singapore has reminded its citizens that web users who post commentary on upcoming elections could face prosecution. Election commentary is tightly controlled under Singaporean law; independent bloggers may comment on the election, but must register their site with the Media Development Authority (MDA)."



I'm so not into politics -- and try not to -- but threatening with prosecution on commentary, registering users, while not first "introducing yourself" as "During the November 2001 elections, Singapore's political parties limited their use of the Internet to posting schedules and candidate backgrounds." isn't the smartest long-term political strategy ever, don't you think?



More resources on the state of censorship in Singapore worth checking out are :

Internet Filtering in Singapore in 2004- 2005: A Country Study
EFF "Censorship - Singapore" Archive
Censorship in Singapore
To Net or Not to Net: Singapore’s Regulation of the Internet
Censorship Review Committee 2002/2003
The Internet and Political Control in Singapore



Technorati tags:
Censorship, Politics Continue reading →

The "threat" by Google Earth has just vanished in the air

Or has it actually? In one of my previous posts "Security quotes : a FSB (successor to the KGB) analyst on Google Earth" I mentioned the usefulness of Google Earth by the general public, and the possibility to assist terrorists. The most popular argument on how useless the publicly available satellite imagery is that it doesn't provide a high-resolution images, and recent data as well -- that's of course unless you don't request one, but isn't it bothering you that here we have a street-side drive-by POC?



The recently introduced Windows Live Local Street-Side Drive-by (A9's maps have been around for quite a while), is setting a new benchmark for interactive OSINT -- if any as this is also a privacy violation that can be compared with efforts like these if it was in real-time. Having had several conversations with a friend that's way too much into satellite imagery than me, I've realized that starting from the basic fact of targeting a well known or a movie-plot location doesn't really requires satellite imagery. I find that today's sources basically provoke the imagination and the self-confidence -- and hopefully nothing more!


There have been numerous articles on the threat posed by Google Earth, and India seems to be the most concerned country about this for the time being :



"Chief of the Indian Army General J.J. Singh warns that Google Earth could endanger national security by providing high resolution photographs of strategic defense facilities. The software could prove especially useful to countries that do not have their own satellite capabilities. Singh called Google Earth a shared concern for all countries, requiring all countries to cooperate to address the issue. Indian President APJ Abdul Kalam has also expressed concerns over Google Earth and national security."



You can spend hours counting the cars in front of NSA's parking lot through public satellite imagery resources, still you would never get to see what's going on in there, I guess things have greatly changed since the days when tourists sent over the USSR, or exactly the opposite, to the U.S, would try to get hold of as many maps as possible finish the puzzle.



In some of my previous posts on Cyberterrorism, I said that terrorists are not rocket scientists until we make them feel so, and I'm still sticking to this statement, what about you? As a matter of fact, Schneier is inviting everyone to participate in the Movie-Plot Threat contest -- stuff like terrorist EMP warfare, Nuclear truck bombs (the same story from 3 years ago), and other science fiction scenarios worth keeping an eye on.



Terrorism is a profitable paranoia these days, that's constantly fuelling further growth in defense and intelligence spending, as satellite imagery is promoted for the bust of Bin Laden, whereas their infrastructure seems to pretty safe, isn't it? (More photos, 1, 2, 3, 4, 5, 6) I'd rather we have known parties as an adversary, the way it used to be during the Cold War, whose competition sent us in Space, and landed us on the Moon , instead of seeing terrorists everywhere and missing the big opportunity.



Technorati tags:
Security, Terrorism, Cyberterrorism, Privacy, Google Earth, Google Maps, Space, Microsoft Live, New Media Continue reading →

Are cyber criminals or bureaucrats the industry's top performer?

Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt :



"Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it."



Basically, it provides more info on how bureaucracy tends to dominate, and how security often ends up in the "backseat". Moreover, Paul Kurtz executive director of the Cyber Security Industry Alliance and it's multi-billion market capitalization members can indeed become biased on a certain occasions.


Still, he provides his viewpoint on important legislative priorities :



- setting national standards for data breach notification

PrivacyRight's "Chronology of Data Breaches Reported Since the ChoicePoint Incident" keeps growing with the recent Fidelity's loss of laptop. Standards for data breach notification are important, and the trends is growing with more states joining this legal obligation to notify customers in case their personal information is breached into -- given they are actually aware of the breach. Moreover, with companies wondering "To report, or not to report?" and let me add "What is worth reporting?", Uncle Sam has a lot of work to do, that will eventually act as a benchmark for a great number of developed/developing countries. Personal data security breaches are inevitable given the unregulated ways of storing and processing the data, or is it just to many attack vectors malicious identity thieves could take advantage of these days? E-banking is still insecure, and protection against phishing seems too complicated for the "average victim". Compliance means expenses as well, so it better be a long-term one, if one exists given today's challenging threatscape.



- a law on spyware

Do your homework and try to bring some sense into who's liable for what. Claria obviously isn't, and it's not just pocket money we're talking about here. Spyware legislations are a very interesting topic, that I also find quite contradictive, laws and legislations change quite often, but given the Internet's disperse international laws, or the lack of such, a spyware/adware's vendor business practices may actually be legal under specific laws, or the simple absence of these.



- and ratification of the Council of Europe's Convention on Cybercrime

That's important, the Convention on Cybercrime I mean, would they go as far as ratifying Europe's well known stricter compared to the U.S privacy laws? Excluding the data retention legislation, and various other privacy issues to keep in mind, there's this tiny sentence in its privacy policy "Google processes personal information on our servers in the United States of America and in other countries.


In some cases, we process personal information on a server outside your own country", makes it so virtually easy to bypass a nation's privacy regulations that I wonder why it hasn't received the necessary attention already. On the other hand, we have Interpol acting as a common cybercrime body, that according to a recent article :



"We need an integrated legal framework to exchange data. A lot of legislation doesn't consider a data stream as evidence, because the evidence is hidden behind 0s and 1s. We have to rethink the legislative framework".


There is already such and that's the NSP-SEC - a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks.


Still, The Internet Storm Center remains the most popular Internet Sensor.



No matter how many security policies you develop and hopefully implement, at the bottom line you either need regulations or insightful security czar in charge. And while the majority of industry players profitable provide perimeter based defenses, going through "2004's Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" a decision-maker will hopefully start perceiving the problem under a different angle. While I find plain-text communications a problem, Bluecoat seems to be actively working in exactly the opposite direction. And while I find measuring the real cost of Cybercrime rather hard, applying a little bit of marginal thinking still comes handy. The future of privacy may indeed seem shady to some, and while data mining is definitely not the answer, sacrificing security for privacy shouldn't be accepted at all. Moreover, do not take a survey's results for granted, mainly because "There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year" - in NetworkWorld's great article "It's raining IT security surveys".



To sum up, I feel in the security world it's the malicious attacker having the time and financial motivation to "spread ambitions" that outperforms, while in the financial world, it's Symantec that is the top performer - (Google Finance, Yahoo! Finance) with its constant acquisitions and trendy business strategy realizing the current shift towards convergence in the industry. Wish they could also diversify and take some market share of WetPlanet Beverage's Jolt Cola drink :)



Illustration by Mark Zug



UPDATE : This post was recently featured at LinuxSecurity.com "Are cyber criminals or bureaucrats the industry's top performer?"



Technorati tags :
Security, Information Security, Technology, Compliance, Survey, Bureaucracy, CSIA, Cybercrime Continue reading →

Privacy issues related to mobile and wireless Internet access

I just came across a research worth checking out by all the wardrivers and mobile/wireless Internet users out there. While it's written in 2004, "Privacy, Control and Internet Mobility", provides relevant info on an important topic - what kind of information is leaking and how can this be reduced. The abstract describes it as :



"This position paper explores privacy issues created by mobile and wireless Internet access. We consider the information about the users identity, location, and the serviced accessed that is necessarily or unnecessarily revealed observers, including the access network, interme- diaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the users access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked."



A more in-depth overview on the topic can also be found in "A Framework for Location Privacy in Wireless Networks", an excerpt :



"For example, even if an anonymous routing protocol such as ANODR is used, an attacker can track a user's location through each connection, and associate multiple connections with the same user. When the user arrives at home, she will have left a trail of packet crumbs which can be used to determine her identity. In this paper, we explore some of the possible requirements and designs, and present a toolbox of several techniques that can be used to achieve the required level of privacy protection."



Mobile/Wireless location privacy would inevitable emerge as an important issue given the growth of that type of communication, and the obvious abuses of it.



Technorati tags :
Security, Privacy, Wireless, Mobile, Tracking Continue reading →

The Practical Complexities of Adware Advertising

A report released by the The Center for Democracy and Technology yesterday, "How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend", outlines the practical complexities of Adware Advertising. It gives a great overview of the parties involved, discusses a case study "CDT egages the advertisers", as well as outlines a possible solution, namely Adoption and Enforcement of Advertising Placement Policies. Here's a excerpt from the research findings :



"At this point, CDT has set a low bar by merely asking a small group of companies to contact us to discuss their advertising policies in the context of nuisance and harmful adware. We are working to increase awareness of the complex business models associated with nuisance and harmful adware, and we are pointing advertisers to policies and criteria that already exist as a step towards creating and enforcing their own policies. It is also imperative that advertising networks engage in self-regulation in order to aid in this endeavor. Initiatives such as the TRUSTe Trusted Download Program can help to set certification standards and provide public criteria for evaluating adware makers. Advertisers must demand strict compliance from their affiliates and refuse to work with blind networks and other networks that cannot commit to following stringent advertising policies. Without advertising dollars, there would be no nuisance or harmful adware. CDT is committed to working with advertisers to stem the tide of this nefarious form of software."



Now, if major advertising platforms start measuring the maliciousness of the Web, namely evaluate the participants' condition on a regular basis, they will loose the scale necessary for generating the billions of dollars necessary to, sort of, live with click-fraud. In respect to future online advertising trends, I feel that cost per performance/action model, would sooner or later emerge, given the successful collective bargaining of all the sites participating -- I really hope so!



How it would influence Google's ability to perform financially, contribute to the growth of Web 2.0, being among the few companies born in, is yet another topic to speculate on. As a matter of fact, Google recently launched Google Finance, still I miss what's all the buzz all about as compared to Yahoo's Finance Google still has a lot of job to do, given they actually want to turn and position themselves as Yahoo! 2.0 in respect to turning into a Internet Portal -- which I doubt as they tend to be rather productive while disrupting.



Great report, so consider going through it. And, in case you're interested in learning more about the different spyware/adware legislations, current and future trends, you can also check Ben Edelman's and Eric Goldman's outstanding research on the topic.



The post recently appeared at Net-Security.org - "The practical complexities of adware advertising"



More resources can also be found at :

Spyware/Adware Podcasts
Top 10 Anti Spyware Apps reviewed
Clean and Infected File Sharing Programs



Technorati tags :
Security, Spyware, Adware, Advertising, Center for Democracy and Technology Continue reading →

Security vs Privacy or what's left from it

My latest privacy related posts had to do with "The Future of Privacy = don't over-empower the watchers!" and "Data mining, terrorism and security" in respect to the the still active TIA and the hopes for the effectiveness out of data mining. While these are important topics I feel every decent citizen living in the 21st century should be aware of -- many still "think conspiracies" than real-life scenarios. At the bottom line, privacy violations for the sake of your security and civil liberties are a common event these days!



Today, I came across an article "Google must capitulate to DoJ, says judge" in relation to the DoJ's subpoena trying to get access to random sites and searches in order to justify its statement that anti-porn filters do not protect young children online.


The NYtimes is also a running a story on this. What I truly liked is US District Judge James Ware's comment that he was reluctant to give the Justice Department everything it wanted because of the "perception by the public that this is subject to government scrutiny" when they type search terms into Google.com, that's right, but you would be also right to conclude that such requests would turn into a habit given Google's data aggregation power. It's s a complex process to run the world's most popular search engine when everyone wants to take a bite from you, at least they have hell of motto to sort of guide them in future situations like this, but is it?



This time it's a misjudged online porn request that gets approved, next time, it would be Google against the terrorists, again, for the sake of your Security, one backed up by a little bit of glue as on the majority of occasions!



Technorati tags :
Privacy, Google, Search Engine Continue reading →

The Future of Privacy = don't over-empower the watchers!

I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness on the big picture the way I see it. Moreover, I find these interrelated and excluding any of these would result in missing the big picture, at least from my point of view. Some posts I did, worth mentioning are : "Anonymity or Privacy on the Internet?", "China - the biggest black spot on the Internet’s map", "2006 = 1984?", "Still worry about your search history and BigBrother?", "The Feds, Google, MSN's reaction, and how you got "bigbrothered?", "Twisted Reality", "Chinese Internet Censorship efforts and the outbreak", and the most recent one, "Data mining, terrorism and security".



Yesterday, I read a very nice essay by Bruce Schneier "The Future of Privacy" and while I feel it has been written for the general public to understand, you can still update yourself on some of the current trends he's highlighting, mostly the digital storage of our life activities, and how possible it really is.


Some comments that made me an impression though :

"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video." - scary stuff, but so true!



"Today, personal information about you is not yours; it's owned by the collector." - if you were to question the practices of each and every "collector" you wouldn't be able to properly function in the 21st century.



"The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations." - typical Columbian style, still applicable in here.

"In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it isto pass laws regulating its generation, use and eventual disposal."



I agree on regulation, given someone follows and it's actually implemented, still, I feel it's all about balancing the powers of the public and the rulling parties. The more a government is empowered to invade privacy in one way or another, the higher the risk of them abusing their power, or even worse, having their communications infrastructure wiretap-ready for third parties.



UPDATE - this post recently appeared at LinuxSecurity.com - The Future of Privacy = don't over-empower the watchers!



Technorati tags :
Privacy, Anonymity, Censorship Continue reading →

Chinese Internet Censorship efforts and the outbreak

In some of my January's Security Streams, I did some extensive blogging expressing my point of view on the current Internet censorship activities, and tried to emphasize on the country whose Internet population is about to outpace the U.S one - China. In my posts "China - the biggest black spot on the Internet’s map", "2006 = 1984?", "Twisted Reality", you can quickly update yourself on some of the recent developments related to the topic, but what has changed ever since?


Government bodies such as the DoJ seem to favour the amount of data the most popular and advanced search engine Google holds and tried to obtain information for the purpose of "social responsibility". What's more to consider are some of the weak statements made, namely :



"House Government Reform Committee Chairman Tom Davis (R-VA) has criticized Google for refusing to hand search records over to the US Justice Department while cooperating with China in censoring certain topics. Justice sought the records to bolster its case against a challenge to online anti-pornography laws, but Google refuses to submit the records on privacy grounds. Davis does not expect a standoff between Google and the government, but hopes an agreement can be reached, allowing Google to supply the records without frightening users that their searches may be examined."



and in case you're interested, some of my comments, :



"Is it just me or that must be sort of a black humour political blackmail given the situation?! First, and most of all, the idea of using search engines to bolster the online anti-pornography laws created enough debate for years of commentaries and news stories, and was wrong from the very beginning. Even if Google provide the data requested it doesn’t necessarily solve the problem, so instead of blowing the whistle without any point, sample the top 100 portals and see how they enforce these policies, if they do. As far as China is concerned, or actually used as a point of discussion, remember the different between modern communism, and democracy as a concept, the first is an excuse for the second, still, I feel it’s one thing to censor, another to report actual activity to law enforcement. I feel alternative methods should be used, and porn “to go” is a more realistic threat to minors than the Net is to a certain extend, yet the Net remains the king of content as always."



Google indeed issued a statement, sort of excusing the censorship under the statement of "the time has come to open ourselves to the Chinese market", and while their intentions make business sense, the outbreak had very positive consequences from my point of view - build more awareness and have the world's eyes on the Chinese enforcement of censorship practices, but is it just China to blame given "Western" countries do censor as well, or is it China's huge ambitions of maintaining a modern communism in the 21st century that seem to be the root of the problem?



In an article "A day in the life of a Chinese Internet Police Officer" I read some time ago, you can clearly see the motivation, but also come across the facts themselves : you cannot easily censor such a huge Internet population, instead, guidance instead of blocking, and self-regulation(that is limiting yourself with fear of prosecution) seem to be the current practice, besides jailing journalists! And while sometimes, you really need to come up with a creative topic worth writing about, free speech is among the most important human rights at the bottom line.



Chris Smith, Chairman of the House subcommittee that oversees Global Human Rights, proposed a discussion draft "The Global Online Freedom Act of 2006" "to promote freedom of expression on the internet [and] to protect United States businesses from coercion to participate in repression by authoritarian foreign governments". It is so "surprising" to find out that they are so interested in locating cyber-dissidents : "U.S. search engine providers must transparently share with the U.S. Office of Global Internet freedom details of terms or parameters submitted by Internet-restricting countries." exactly the same way I mentioned in my previous "Anonymity or Privacy on the Internet?" post.



Meanwhile, the OpenNetInitiative also released a bulletin analyzing Chinese non-commercial website registration regulation, giving even further details on the recent "you're being watched" culture that tries to cost-effectively deal with the issue of self-regulation :



"In a report published last year, “Internet Filtering in China: 2004-2005,” ONI shared its research findings that China’s filtering regime is the most extensive, technologically sophisticated, and broad-reaching Internet filtering system in the world. This new regulation does not rely on sophisticated filtering technology, but uses the threat of surveillance and legal sanction to pressure bloggers and website owners into self-censorship. While savvy website owners might thwart the registration requirement with relative ease, the regulation puts the vast majority of Chinese Internet users on notice that their online behaviour is being monitored and adds another layer of control to China’s already expansive and successful Internet filtering regime."



Yet another recent research I came across is a university study that finds out that "60% Oppose Search Engines Storing Search Behaviours", you can also consider the "alternatives" if you're interested :) A lots to happen for sure, but it is my opinion that personalized search is the worst privacy time bomb a leading search engine should not be responsible for, besides open-topic data retention policies and not communicating an event such as the DoJ's one, but complying with it right away, bad Yahoo!, bad MSN!



At the bottom line, Google's notifications of censored content(as of March, 2005 only, excluding the period before!), the general public's common sense on easily evaluating what's blocked and what isn't, and the powerful digital rights fighting organizations that simultaneously increased their efforts to gain the maximum out of the momentum seemed to have done a great job of building awareness on the problem. Still, having to live with the booming wanna be "free market" Chinese economy, and the country's steadily climbing position as a major economic partner, economic sanctions, quotas, or real-life scenarios would remain science fiction.



Technorati tags :
Privacy, Anonymity, Censorship, China, Search Engine Continue reading →

What search engines know, or may find out about us?

Today, CNET's staff did an outstanding job of finding out what major search companies retain about their users. AOL, Google, Microsoft and Yahoo! respond on very well researched questions!

Whatever you do, just don't sacrifice innovation and trust in the current services for misjudged requests at the first place from my point of view.

At the bottom line, differentiate your Private Searches Versus Personally Identifiable Searches, consider visiting Root.net, and control your Clickstream. You can also go through Eric Goldman's comments on the issue and his open letter regarding Search Engines and China.

As a matter of fact, I have just came across a very disturbing fact that I compare with initiatives to mine blogs for marketing research, EPIC has the details on its front page. It was about time a private entity comes up with the idea given the potential and usability of the idea. Could such a concept spot, or actually seek for cyber dissidents in restrictive regimes with the idea to actually reach them, besides mining for extremists' data? I really hope so!

Technorati tags:  

Privacy, search engine, Google, Yahoo, MSN, AOL

Continue reading →