Tuesday, July 22, 2014
For my Ethical Hackers. Reads like an April Fools joke, but remember that few users know how their browsers work. Also, we should look for some place that lists the world's “Opt Outs,” because no one seems to be doing it. Business opportunity?
by Julia Angwin ProPublica, July 21, 2014, 9 a.m. This story was co-published with Mashable.
A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.
First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.
Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit, profiles that shape which ads, news articles, or other types of content are displayed to them.
But fingerprints are unusually hard to block: They can’t be prevented by using standard Web browser privacy settings or using anti-tracking tools such as AdBlock Plus.
The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5 percent of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here.)
Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.
“We’re looking for a cookie alternative,” Harris said in an interview.
Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”
He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.
Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used is “not the best privacy assurance.”
Device fingerprints rely on the fact that every computer is slightly different: Each contains different fonts, different software, different clock settings and other distinctive features. Computers automatically broadcast some of their attributes when they connect to another computer over the Internet.
Tracking companies have long sought to use those differences to uniquely identify devices for online advertising purposes, particularly as Web users are increasingly using ad-blocking software and deleting cookies.
In May 2012, researchers at the University of California, San Diego, noticed that a Web programming feature called “canvas” could allow for a new type of fingerprint by pulling in different attributes than a typical device fingerprint.
In June, the Tor Project added a feature to its privacy-protecting Web browser to notify users when a website attempts to use the canvas feature and sends a blank canvas image. But other Web browsers did not add notifications for canvas fingerprinting.
A year later, Russian programmer Valentin Vasilyev noticed the study and added a canvas feature to freely available fingerprint code that he had posted on the Internet. The code was immediately popular.
But Vasilyev said that the company he was working for at the time decided against using the fingerprint technology. “We collected several million fingerprints but we decided against using them because accuracy was 90 percent,” he said, “and many of our customers were on mobile and the fingerprinting doesn’t work well on mobile.”
Vasilyev added that he wasn’t worried about the privacy concerns of fingerprinting. “The fingerprint itself is a number which in no way is related to a personality,” he said.
AddThis improved upon Vasilyev’s code by adding new tests and using the canvas to draw a pangram, “Cwm fjordbank glyphs vext quiz,” a sentence that uses every letter of the alphabet at least once. This allows the company to capture slight variations in how each letter is displayed.
AddThis said it rolled out the feature to a small portion of the 13 million websites on which its technology appears, but is considering ending its test soon. “It’s not uniquely identifying enough,” Harris said.
AddThis did not notify the websites on which the code was placed because “we conduct R&D projects in live environments to get the best results from testing,” according to a spokeswoman.
She added that the company does not use any of the data it collects, whether from canvas fingerprints or traditional cookie-based tracking, from government websites, including WhiteHouse.gov, for ad targeting or personalization.
The company offered no such assurances about data it routinely collects from visitors to other sites, such as YouPorn.com. YouPorn.com did not respond to inquiries from ProPublica about whether it was aware of AddThis’ test of canvas fingerprinting on its website.
(Related) Is this the solution to all our security concerns? (Students who answered “Yes” will be shot!)
Stop Sneaky Online Tracking with EFF’s Privacy Badger
by Sabrina I. Pacifici on Jul 21, 2014
“The Electronic Frontier Foundation (EFF) has released a beta version of Privacy Badger, a browser extension for Firefox and Chrome that detects and blocks online advertising and other embedded content that tracks you without your permission. Privacy Badger was launched in an alpha version less than three months ago, and already more than 150,000 users have installed the extension. Today’s beta release includes a feature that automatically limits the tracking function of social media widgets, like the Facebook “Like” button, replacing them with a stand-in version that allows you to “like” something but prevents the social media tool from tracking your reading habits. “Widgets that say ‘Like this page on Facebook’ or ‘Tweet this’ often allow those companies to see what webpages you are visiting, even if you never click the widget’s button,” said EFF Technology Projects Director Peter Eckersley. “The Privacy Badger alpha would detect that, and block those widgets outright. But now Privacy Badger’s beta version has gotten smarter: it can block the tracking while still giving you the option to see and click on those buttons if you so choose.” EFF created Privacy Badger to fight intrusive and objectionable practices in the online advertising industry. Merely visiting a website with certain kinds of embedded images, scripts, or advertising can open the door to a third-party tracker, which can then collect a record of the page you are visiting and merge that with a database of what you did beforehand and afterward. If Privacy Badger spots a tracker following you without your permission, it will either block all content from that tracker or screen out the tracking cookies.”
Since when has “I prefer to be ignorant” been a hallmark of senior management?
Survey Highlights Communications Levels Between Security Pros and Executives
According to a survey of nearly 5,000 IT security professionals around the globe, 31 percent of cyber-security teams never speak with their executive team about cyber-security. Of those that did, 23 percent did so annually. Only one percent spoke to executives weekly, while 11 percent did so quarterly.
… Fifty-two percent said their companies do not provide cyber-security education to their employees, and only four percent plan to do so in the next 12 months. Only 38 percent believe their company is investing enough in personnel and technologies to be effective in executing its cyber-security objectives.
… A complete copy of the report, including survey methodology, consolidated results and individual response rates by country can be read here.
This could be amusing... My Computer Security students know that you should never allow “backdoors” into your secure ecosystem. You never know who might be hitching a ride.
Security Researcher Finds iPhone Backdoor
A security researcher by the name of Jonathan Zdziarski claims to have found backdoors built into every iOS device. The accusation is that Apple put these access points in on purpose along with undocumented services designed to allow encrypted data to be retrieved at will.
Zdziarski also claims these services are always running in the background potentially leaking data, and that switching off your iPhone or iPad is the only way of securing that data. He suggests, rather ironically, that Apple has made progress in securing iOS against typical attacks while ensuring the company itself can easily access the 600 million iOS devices currently in the wild.
Apple has responded to the claims, actually admitting the existence of the backdoor. However, it denies it has anything to do with “any government agency,” maintaining it is solely used by “IT departments, developers and Apple for troubleshooting technical issues.” We’re not sure if that makes it OK, but you can make your own minds up.
EU rules, French rules, German rules, Italian rules – Google has to Google the rules it operates under.
Google gets 18-month deadline to overhaul data handling in Italy
The relationship between Google and Italy hasn't always been an easy one.
… Now it's the turn of Italy's data protection authority, the Garante della protezione dei dati personali, to tackle the company. Yesterday, the data watchdog brought in new regulations that will force the Mountain View-based company to change its data handling practices.
Google will have to alter the way it informs users how their data is being collected, ask for prior consent before using it to build up a profile for targeted advertising and other purposes, and modify its data retention practices. Google will have 18 months to bring itself into line with the provisions.
Will this change research for my students? Probably not.
Facebook Improves News Feed With A 'Save' Feature
Today Facebook announced a new feature that lets you “save” items that are posted on the News Feed. You will be able to save links, news stories, video clips, music and places from the News Feed to be viewed later. Your saved items will be kept private, unless you decide to share them. Facebook will sometimes show you reminders for the saved items if you do not look at them for a while.
To save something that you see on Facebook, click on the “Save” button in the bottom-right of a post or click the down-arrow icon at the top right of the item and select “Save”:
For my students who
Free books: 100 legal sites to download literature
So my students can addict their children.
Ten Resources for Helping Students Learn to Code and Program
In many of my presentations I tell the story of the first time that I wanted to stay after school. That was in the sixth grade when we could sign up to use one of my elementary school's two computers to program things in Logo Writer. Today we have many more ways to introduce students to programming and coding. Here are some good resources that you can use to introduce students to programming and coding.
I see no practical use, buy it purely for the “cool factor.” But thinking outside the box, could this project animated tattoos?
Ritot Projects Notifications onto your Hand
Ritot, a new wristband concept device, projects your notifications, such as emails and incoming calls, straight onto your hand.
Ritot is expected to retail for around $120 and will ship starting in early 2015.