“If anything can go wrong, it will.”
September 1, 2011
Unredacted
U.S. Diplomatic WikiLeaks Cables Published
It looks as if the entire
mass of U.S.
diplomatic cables that WikiLeaks had is available online
somewhere. How this came about is a good illustration of how
security can go wrong in ways you don't expect.
Near as I can tell, this is what
happened:
- In order to send the Guardian the cables, WikiLeaks encrypted them and put them on its website at a hidden URL.
- WikiLeaks sent the Guardian the URL.
- WikiLeaks sent the Guardian the encryption key.
- The Guardian downloaded and decrypted the file.
- WikiLeaks removed the file from their server.
- Somehow, the encrypted file ends up on BitTorrent. Perhaps someone found the hidden URL, downloaded the file, and then uploaded it to BitTorrent. Perhaps it is the "insurance file." I don't know.
- The Guardian published a book about WikiLeaks. Thinking the decryption key had no value, it published the key in the book.
- A reader used the key from the book to decrypt the archive from BitTorrent, and published the decrypted version: all the U.S. diplomatic cables in unredacted form.
Memo to the Guardian: Publishing
encryption keys is almost always a bad idea. Memo to WikiLeaks:
Using the same key for the Guardian and for the insurance file
-- if that's what you did -- was a bad idea.
EDITED TO ADD (9/1): From pp 138-9 of
WikiLeaks:
Assange wrote down
on a scrap of paper:
ACollectionOfHistorySince_1966_ToThe_PresentDay#. "That's
the password," he said. "But you have to add one extra
word when you type it in. You have to put in the word 'Diplomatic'
before the word 'History'. Can you remember that?"
I think we can all agree that that's a
secure encryption key.
EDITED TO ADD (9/1): WikiLeaks says
that the Guardian file and the insurance file are not
encrypted with the same key. Which brings us back to the question:
how did the encrypted Guardian file get loose?
EDITED TO ADD (9/1): Spiegel has
the detailed
story.
“To err is human. To really screw
thing up, use a computer!”
Scanning
2.4 Billion Eyes, India Tries to Connect Poor to Growth
September 2, 2011 by Dissent
Lydia Polgreen of The New York Times
has a detailed article on India’s national ID system, and how it
will presumably improve life for India’s impoverished citizens.
Reading her article,
some of the lofty ideals sure sound swell, but I remain skeptical
that creating a mandatory identity database is necessary – and it
is certainly not sufficient – to really begin to equalize the
inequities in India’s economy and control of power. Like all
technology, such things have the potential for good or evil, and by
now, I don’t see government databases as generally being a source
of good in this world. See what you think when you read it.
[From the article:
“One cannot improve human beings,”
said Ram
Sevak Sharma, the director general of the identity program. “But
one can certainly improve systems. And the same
flawed human beings with a better system will be able to produce
better results.”
Not required by law, but now a
competitive imperative?
Breach
Notification: Time for a Wake Up Call
In case you haven't heard, the days of
having no obligation to notify consumers of a data breach or loss
that involves only email addresses may have ended. This should be a
major wakeup call for every CIO.
Historically, a business and its CIO
were only required to be concerned about personally identifiable
information. In other words, if a business did not collect banking
information, Social Security numbers, medical information or similar
data, then the duty to report a breach or loss only arose in the
event that the business had contractually promised its customers that
it would do so.
… However, those in charge of
safeguarding consumer information may have noticed something a little
odd about the Epsilon data theft this spring. When news of the
Epsilon data breach broke, and notifications started arriving, the
pendulum toward breach notification obligation made a further shift —
a seismic leap, frankly.
… The disclosure of an email-only
data theft may have changed the rules of the game forever. A
number of substantial companies may have inadvertently taken
legislating out of the hands of the federal and state governments.
New industry pressure will be applied going forward for the loss of
fairly innocuous data. This change in practice has the potential to
affect every CIO who collects “contact” information from
consumers, maybe even from employees in an otherwise purely
commercial context.
Another change in the public's
perception of Privacy?
Hidden
CCTV cameras to be audited amid privacy concerns
September 2, 2011 by Dissent
Peter Michael reports:
Queensland’s
Privacy Commission plans to audit the booming numbers of CCTV camera
networks to thwart concerns about “significant”
abuses of vision obtained by hidden surveillance.
The move comes
after The
Courier-Mail this week revealed police were investigating
fresh leads after security footage stolen from Cairns’ Reef casino
of public sex and bar fights had been posted to YouTube.
Officials admit
they do not know how many hidden cameras and security networks are
tracking our everyday movements.
Read more on: The
Courier-Mail
A simple way to override all the
Facebook snooping? No wonder Facebook is concerned.
First time accepted submitter FlameWise
writes
"Yesterday,
German technology news site Heise changed
their social 'like' buttons to a two-click format (Original
in German). This will effectively disable unintentional
automatic tracking of all page visits by third-party social sites
like Facebook, Twitter or Google+. Less than 24 hours later over 500
websites have asked about the technology. Facebook
is now threatening to blacklist Heise (Original
in German)."
As I read the updated story, Facebook
has backpedaled a bit, so "blacklist" may no longer be the
operative word. An anonymous reader adds a quick explanation of the
changed interface: "Instead of enabling Facebook to track a
user (arguably without prior consent) by placing a 'like' button on
the website in the usual way, a greyed-out like button is shown. If
a user wants to share or 'like,' he has to execute an additional
click to enable the original Facebook 'like' button and get the
desired behavior. This technique obviously has a
disadvantage for Facebook, because the behavioral tracking does not
work anymore."
Will this translate to US law?
Norway:
Hunt For Student File-Sharers Thwarted By Data Privacy Ruling
enigmax writes:
Copyright holders
and anti-piracy companies have been dealt a blow in their attempts to
monitor and track down student file-sharers in Norway. Following a
decision by the Data Inspectorate, universities will
not be allowed to spy on the online activities of their students
and data gathered for network maintenance purposes
will kept well away from rightsholders and lawyers.
Read more on TorrentFreak.
This sounds like a TSA argument.
Unfortunately, there is more than a grain of truth here.
The
Bilateral Fourth Amendment and the Duties of Law-Abiding Persons
September 2, 2011 by Dissent
L. Rush Atkinson, law clerk to the
Honorable Julia Smith Gibbons, U.S. Court of Appeals for the Sixth
Circuit, has an article in Georgetown Law Journal, Issue
99.6 (August 2011)> Here’s the abstract:
The Fourth
Amendment protects the innocent only from “unreasonable”
searches. In light of the limited nature of this constitutional
safeguard, law abiders consistently take precautions
to avoid government searches. [We do? After reading the article, we
do! Bob] This Article considers why constitutional
jurisprudence limits the protection of the innocent to “unreasonable”
searches, thereby forcing them to alter their behavior. [It does?
Bob] The most satisfying answer derives from an
often-overlooked fact: Searches of innocent persons are often
“bilateral accidents,” meaning that both the innocent suspect and
the police can affect the likelihood that an erroneous search will
occur. In bilateral conditions, a reasonableness rule induces both
the searcher and the searched to take optimal care to avoid mistaken
searches, while other rules embodied in constitutional
protections—like that within the Takings Clause of the Fifth
Amendment—cannot.
By assigning costs
for erroneous-but-reasonable searches to the innocent, the Fourth
Amendment functions as an important regulatory device, channeling
law abiders away from activity that unintentionally masks others’
criminal enterprises. [Sounds like taking reasonable security
protection makes us “law abiders” look like criminals! Bob]
Thus, the Amendment regulates the very people that it protects from
governmental intrusions. This Article refers to this duality as the
“bilateral Fourth Amendment” and argues that the Amendment’s
incentives for the innocent are best understood as a
duty for law-abiding people to act reasonably.
At the same time,
identifying the “bilateral” nature of searches should influence
the legal rules dictating what evidence police may use as grounds to
search a suspect. Because the innocent alter their behavior based on
which activities the government deems “suspicious,” rules about
cause and suspicion cannot singly turn on evidence’s probative
value; they must also account for the socially beneficial activity
that is reduced by labeling behavior “suspicious.”
[The article is here:
Dilbert sums up Management's view of IP
Law!
No comments:
Post a Comment