MetaFilter posts tagged with privacy and security

What Does DHS Know About You?

chunking express — Mon, 05 Oct 2009 07:07:15 -0800

What Does DHS Know About You? A lot. The complete (annotated) report. [PDF]

And like that... he's gone

homunculus — Mon, 17 Aug 2009 08:42:04 -0800

Gone Forever: What Does It Take to Really Disappear?

Neurosecurity

homunculus — Wed, 08 Jul 2009 20:29:23 -0800

Neurosecurity: security and privacy for neural devices. "An increasing number of neural implantable devices will become available in the near future due to advances in neural engineering. This discipline holds the potential to improve many patients' lives dramatically by offering improved—and in some cases entirely new—forms of rehabilitation for conditions ranging from missing limbs to degenerative cognitive diseases. The use of standard engineering practices, medical trials, and neuroethical evaluations during the design process can create systems that are safe and that follow ethical guidelines; unfortunately, none of these disciplines currently ensure that neural devices are robust against adversarial entities trying to exploit these devices to alter, block, or eavesdrop on neural signals. The authors define 'neurosecurity'—a version of computer science security principles and methods applied to neural engineering—and discuss why neurosecurity should be a critical consideration in the design of future neural devices." [Via Mind Hacks]

Watch Lists

homunculus — Sat, 08 Mar 2008 19:50:34 -0800

ACLU Watch List Counter: U.S. Terror List Now Exceeds 900,000 Names. That's an awful lot of terrorists. More Privacy and Surveillance Filter: Bruce Schneier on The Myth of the 'Transparent Society', Glenn Greenwald on The Banality of the Surveillance State, and Stephen Colbert on AT & Treason. A spokesman for the Terrorist Screening Center had a response to the ACLU in a comment at Threat Level.

"Leaving no trace [of our daily lives] is nearly impossible."

amyms — Sat, 16 Feb 2008 00:14:48 -0800

The Anonymity Experiment. Is it possible to hide in plain sight? Privacy-minded people have long warned of a world in which an individual’s every action leaves a trace, in which corporations and governments can peer at will into your life with a few keystrokes on a computer. Now one of the people in charge of information-gathering for the U.S. government says, essentially, that such a world has arrived.

Sears Wants To Hack Your Computer

ikkyu2 — Thu, 03 Jan 2008 18:52:19 -0800

Online communities to become more 'all-encompassing.' If you join the SHC community on Sears.com, all web traffic to and from your computer thereafter will be copied and sent to a third party marketing research firm - including, for example, your secure sessions with your bank! The Sears.com proxy will send your logins and passwords along with a cleartext copy of all the supposedly secure data. But wait, it gets better: you can only view the true TOS once the proxy has already been installed. Hey Matt, you're lagging behind - this is the future of online community-building! [Via.]

Amazing discoveries in plain-text Tor exit traffic.

Anything — Tue, 04 Dec 2007 18:04:45 -0800

This is an ironic tale of the consequences of inept application of cryptographic tools. Or is it? Dan Egerstad, a Swedish hacker, gained access to hundreds of computer network accounts around the world, belonging to various embassies, corporations and other organizations. How did he do it? Very easily: by sniffing exit traffic on his Tor nodes. Egerstad ran exit nodes on the Tor anonymity network, used as links from the network to the rest of the world. He looked at the traffic going through his nodes and found that many users were logging in to sensitive accounts without using end-to-end encryption. From the Sydney Morning Herald article:

After a couple of months sniffing and capturing information, Egerstad was faced with a moral dilemma: what to do with all the intercepted passwords and emails. If he turned his findings over to the Swedish authorities, his experiment might be used by his country's intelligence services to continue monitoring the compromised accounts. That was a little too close to espionage for his liking. So Egerstad set about notifying the affected governments. He approached a few, but the only one to respond was Iran. "They wanted to know everything I knew," he says. "That's the only response I got, except a couple of calls from the Swedish security police, but that was pretty much all the response I got from any authority." Frustrated by the lack of a response, Egerstad's next step caused high anxiety for government staffers - and perhaps intelligence services - across the globe. He posted 100 email log-ins and passwords on his blog, DEranged Security. "I just ended up (saying) 'Screw it, I'm just going to put it online and see what happens'."

He later removed the information from his blog, says the hard drives are "long gone"; also, there don't appear to be any public mirrors of the data. Nonetheless, the incident got him arrested and his hardware confiscated. One curious angle in this story is the question of which of the plain-text logins sniffed by Egerstad were made by unauthorized third party attackers instead of unwitting legitimate users.

However, Egerstad now believes the victims of his experiment may not have been using Tor. It's quite possible he stumbled on an underground intelligence gathering exercise, carried out by parties unknown. "The whole point of the story that has been forgotten, and I haven't said much about it, (is that) many of these accounts had been compromised," he says. "The logins I caught were not legit users but actual hackers who'd been reading these accounts."

Here's Bruce Schneier's commentary on the case. Here's the Tor FAQ, which tells you what it's good for and how to use it properly.

You and I were/weren't meant to fly....

never used baby shoes — Fri, 12 Oct 2007 11:48:50 -0800

The U.S. Department of Homeland Security is proposing new rules regarding passenger pre-screening both domestically and internationally. Interestingly, this includes flights that overfly the continental US without ever touching the ground. Overflying the Continental United States. This proposed rule defines ``overflying the continental United States' as departing from an airport or location outside the United States, and transiting the airspace of the continental United States en route to another airport or location outside the United States...In this proposed rule, flights ``overflying the continental United States' are a category of ``covered flights' for which TSA would conduct passenger watch list matching in order to protect the airspace over the continental United States and prevent individuals on a watch list from taking control of an aircraft...From the proposed rule. The rule does not cover flights that originate in one country, overfly the US, and land again in the originating country. For example, a flight between Toronto and Vancouver would be exempt. Since Transport Canada has already implemented a no-fly list, ATAC is questioning the purpose of this. Others wonder about different effects on the travel habits of Canadians and Americans.

The kids are allright

wuwei — Sun, 07 Oct 2007 17:08:25 -0800

This is what happens when paranoia overwhelms common sense. A high school in NY state banned backpacks and bags from the student body. The whole situation reached a critical mass when a security guard pulled a young woman out of class because she had a small purse. He asked her if she was on her period. Way to humiliate teenagers. The female students were allowed to continue to carry purses ONLY if they were having their period and needed to carry female hygiene supplies. In response the kids have protested by wearing tampax necklaces, and one young man streaked the school. Some of the male students have also stuck maxi-pads to themselves in supportof their female classmates. Nice to see the kids sticking up for each other.

The Age of Disaster Capitalism

y2karl — Wed, 12 Sep 2007 10:29:22 -0800

The Age of Disaster Capitalism

...Through all its various name changes - the war on terror, the war on radical Islam, the war against Islamofascism, the third world war, the long war, the generational war - the basic shape of the conflict has remained unchanged. It is limited by neither time nor space nor target. From a military perspective, these sprawling and amorphous traits make the war on terror an unwinnable proposition. But from an economic perspective, they make it an unbeatable one: not a flash-in-the-pan war that could potentially be won but a new and permanent fixture in the global economic architecture. That was the business prospectus that the Bush administration put before corporate America after September 11. The revenue stream was a seemingly bottomless supply of tax dollars to be funnelled from the Pentagon ($270bn in 2005 to private contractors, a $137bn increase since Bush took office), US intelligence agencies and the newest arrival, the department of homeland security. Between September 11 2001 and 2006, the Department of Homeland Security handed out $130bn to contractors - money that was not in the private sector before and that is more than the GDP of Chile or the Czech Republic.

Geek Squad Steals Porn?

charmston — Fri, 06 Jul 2007 18:48:04 -0800

Using a computer set to auto-screencast, The Consumerist catches a Geek Squad technician copying porn from a client's computer to a thumbdrive, and they've got video and logfiles (CSV) to prove it. Also, the Geek Squad CEO responds, and an anonymous Geek Squad tech confesses that this is not an uncommon practice: "stealing customers' nudie pics was an easter egg hunt." Consumerist users suggest that this practice might not be limited to Geek Squad. Via.

Big Brother is Watching You. On CCTV.

homunculus — Mon, 02 Apr 2007 01:09:39 -0800

George Orwell, Big Brother is watching your house. With CCTV. Perhaps the Surveillance Camera Players could put on a performance there. It looks like Britain really is becoming a surveillance society . [Via Digg.]

FTC imposes $10M fine against ChoicePoint for data breach

mk1gti — Thu, 26 Jan 2006 14:41:45 -0800

FTC imposes $10M fine against ChoicePoint for data breach The U.S. Federal Trade Commission has fined ChoicePoint $10 million for a data breach that allowed identity thieves posing as legitimate businesses to steal social security numbers, credit reports, and other data from nearly 140,000 people. This is the largest fine ever levied by the FTC. ChoicePoint also has to set up a 'trust fund' for people victimized by identity thieves. From the article: 'As part of its agreement with the FTC, ChoicePoint will also have to submit to comprehensive security audits every two years for the next 20 years.'" BusinessWeek has additional info. Perhaps there might be hope for individual privacy after all. Let's all keep our fingers crossed.

Mohan also declined to say how often or in what volume CBP might be opening mail.

amberglow — Fri, 06 Jan 2006 18:48:09 -0800

Private Mail--Not. ...Goodman, an 81-year-old retired University of Kansas history professor, received a letter from his friend in the Philippines that had been opened and resealed with a strip of dark green tape bearing the words “by Border Protection” and carrying the official Homeland Security seal. ...the agency can, will and does open mail coming to U.S. citizens that originates from a foreign country whenever it’s deemed necessary. ...

Because there just haven't been enough government scandals lately...

darkstar — Fri, 23 Dec 2005 12:40:24 -0800

Federal surveillance of over a hundred homes, businesses, mosques, warehouses and other sites has been conducted without warrants, according to a new USNews report. Indications are that the persons so targeted were US citizens. "In numerous cases, the monitoring required investigators to go on to the property under surveillance, although no search warrants or court orders were ever obtained, according to those with knowledge of the program. Some participants were threatened with loss of their jobs when they questioned the legality of the operation, according to these accounts."

Echelon: 60 Minutes discussion

Postroad — Mon, 19 Dec 2005 14:40:30 -0800

Echelon This is what we know--or do not know--about NSA prgram called Echelon, from 60 Minute show (TV) in 2000. If we assume this what had been going on and there were some sort of restraints for internal spying, then what is going on now? This evening I had heard on radio that the White House claimed that only calls going in and out of the country might be monitored. But this early interview suggests that such calls were monitored previous to the "new" approach. Why were legal restraints put in place calling for judicial hearings? Because of spying abuse done under Nixon. Those restraints are now removed.

Stealing Osama's Identity

rzklkng — Fri, 15 Jul 2005 13:26:06 -0800

Security, the TSA, and the No-Fly List You would think that our National Security apparatus would be like the TV series "24", with the most ingenious and sophisticated technology available. You would be wrong. Disclaimer: TSA is not an ~~intelligent~~ intelligence agency. Here's a blurb from the resume of the designer(Kenneth Mack) of the application the airline industry uses for *PDF* managing their employee data and the cross-checking them with the no-fly list:

- Sr. Developer: Developed a program [for Goddard Technologies] that uses the "No-Fly List" Excel spreadsheet, provided by the FAA and the database of badged employees to permute the name combinations. It takes into consideration multiple first and middle names, with Soundex and the various "initial" combinations. This program reduced the time for comparison from 3 days to 10 minutes.

The scary yet interesting part of all of this is that the No-Fly List is nothing more than a password-protected spreadsheet (see this PDF). One would guess our Government's geeks would know that it's a bad idea to send email attachments containing social security numbers and dates of birth, unencrypted, over the internets, even if they might be terrorists.

Who is watching Big Brother?

UbuRoivas — Mon, 29 Nov 2004 20:30:42 -0800

Who is watching Big Brother? Last week, the Australian Privacy Foundation held its annual Big Brother Awards, with biometric passports winning the prestigious "Orwell" for the most invasive technology (other countries' Big Brother Awards here). Not long before, Privacy International and the Electronic Privacy Information Center released their 7th Annual Survey on the state of privacy in sixty countries, claiming that threats to personal privacy have reached a level that is dangerous to fundamental human rights. Are we edging closer to Room 101?

crime

semmi — Mon, 25 Oct 2004 09:06:07 -0800

Identity theft is epidemic.

Intercepting E-Mail

homunculus — Wed, 07 Jul 2004 00:30:41 -0800

E-mail snooping is legal. A U.S. federal appeals court set an unsettling precedent last week by ruling (PDF) that an e-mail provider did not break the law when he copied and read e-mail messages sent to customers through his server.

RFID: Taking Away Your Privacy One Product at a Time

ed — Mon, 29 Sep 2003 13:20:22 -0800

We've discussed it before, but RFID, that fun-loving little radio transmitter that can be attached to everything from that stereo system to a carton of milk, is plowing ahead faster than you can say "unregulated." Earlier this year, Wal-Mart issued a mandate that required its top 100 suppliers to include RFIDs on their merchandise by 2005, bringing new meaning to the phrase "panties in a bunch." (Incidentally, Wal-Mart was also the benign corporation that ushered in bar codes for mass consumption in the late 70s and early 80s.) With no regulations on the table, the New York Times reports that the Defense Department plans to issue a statement requiring all suppliers to use RFID. Hitachi has even offered to put it in your currency. Imagine a store a few years from now that can track all of the objects in your cart, and that, thanks to a microscopic RFID stuck to your shoe when you slide through the doors, can determine how many seconds you or your children react to a display. Imagine a world that tracks exactly where each one of your dollar bills go. (So much for the anonymity of johns and porn enthusiasts.) Is this the kind of world we want to abdicate to large retail corporations? Is this the kind of information that governments or private institutions are entitled to know? Discuss.

Universal Surveillance, Inc.

Irontom — Tue, 08 Jul 2003 07:35:39 -0800

RFID tagging and tracking plans (mirror 1, mirror 2) With the tag line "Identify Any Object Anywhere Automatically", this group (the MIT Auto-ID Center) is leading the way into our bold new future of total tracking. {Originally uncovered by CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)}

Big Brother Is Watching You...Idiotically

jonp72 — Thu, 06 Mar 2003 21:23:19 -0800

Nominate the world's stupidest security procedure. UK-based watchdog group, Privacy International, is accepting nominations until March 15th from the general public about the most annoying and invasive security measures with the lowest effectiveness in protecting individual safety. What would you nominate?

Red Alert!!

SweetJesus — Fri, 13 Dec 2002 12:47:04 -0800

At InfoSecuity 2002, an annual corporate security conference, new "computer forensics" software is on display, including software "that allows corporate IT folks to research employees' criminal histories, credit information, financial asset details, friends and associates. "

The software is called Red Alert 2.0, and more specifically the research software is an optional subscription based add-on called Intelligent Information Dossier plus. Isn't this tantamount to your employer spying on your private life, in real time?

As I work for a very large military contractor myself, I could easily see something like this being used where I work. Would you feel comfortable working for a company that uses this sort of intrusive software?

E-Bay Scammers and Internet Fraud

tgrundke — Thu, 12 Dec 2002 13:08:17 -0800

A Mac user scorned is a dangerous thing... Gotta hand it to this guy: persistence pays off. After being scammed with $3000 in forged cashier checques in an eBay transaction, this seller took matters into his own hands. How secure do you feel making transaction over eBay and related services? What kinds of internet fraud have you faced or fear? And most interesting of all, to what extent have you gone to correct evils done to you?