Is it me, or are we finally seeing some serious attention paid to privacy issues? (And will my Ethical Hackers be able to turn on and redirect the “man in the middle” feature?)
EFF Gets Straight Privacy Answers From Amazon About New “Silk” Tablet Browser
October 19, 2011 by Dissent
Dan Auerbach writes:
Amazon recently announced that the new Kindle Fire tablet will ship with a brand new browser called Silk. The Silk browser works in “cloud acceleration” mode by routing most webpage requests through servers controlled by Amazon. The idea is to capitalize on Amazon’s powerful AWS cloud servers to parallelize and hence speed up downloading web page elements, and then pass that information back to the tablet through a persistent connection using the SPDY protocol. This protocol is generally faster than the standard HTTP protocol. This split-browser idea, not unique to Amazon, is a departure from the way major browsers work today.
Following the announcement, security experts as well as lawmakers have raised privacy questions and concerns about Silk. After all, while in cloud acceleration mode, the user is trusting Amazon with an incredible amount of information. This is because Amazon is sitting in the middle of most communications between a user’s Fire tablet on the one hand, and the website she chooses to visit on the other. This puts Amazon in a position to track a user’s browsing habits and possibly sensitive content. As there were a lot of questions that the Silk announcement left unresolved, we decided to follow up with Amazon to learn more about the privacy implications.
Our conversation with Amazon allayed many of our major concerns. Cloud acceleration mode is the default setting, but Amazon has assured us it will be easy to turn off on the first page of the browser settings menu. When turned off, Silk operates as a normal web browser, sending the requests directly to the web sites you are visiting.
Read more on EFF.
(Related) While Amazon offers speed in exchange for a peek at your data, Google offers a secure connection from your desktop to their servers (where they can peek at your data).
Google makes search more secure
October 19, 2011 by Dissent
From Google’s blog:
We’ve worked hard over the past few years to increase our services’ use of an encryption protocol called SSL, as well as encouraging the industry to adopt stronger security standards. For example, we made SSL the default setting in Gmail in January 2010 and introduced an encrypted search service located at https://encrypted.google.com four months later. Other prominent web companies have also added SSL support in recent months.
As search becomes an increasingly customized experience, we recognize the growing importance of protecting the personalized search results we deliver. As a result, we’re enhancing our default search experience for signed-in users. Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account.
This change encrypts your search queries and Google’s results page. This is especially important when you’re using an unsecured Internet connection, such as a WiFi hotspot in an Internet cafe. You can also navigate to https://www.google.com directly if you’re signed out or if you don’t have a Google Account.
Read the full blog entry on Google.
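Both items above turn on who sits between the browser and the site: Amazon's cloud acceleration servers in the Silk case, the hotspot operator in Google's example. The added example below (not code from Amazon, Google or the EFF) parses two constructed proxy-style requests the way an on-path intermediary would and returns what it can log from each: for a plain-HTTP request, the full URL, the query string and the cookies; for a TLS connection (expressed as an HTTP CONNECT tunnel), only the destination host and port, because everything after the handshake is ciphertext to the middlebox. The sample requests, the host names, the `observer_view` and `browsing_record` functions and the field names are all assumptions made for this illustration; nothing here reproduces how Silk itself is implemented.

```python
"""Added example: what an on-path intermediary can log from browser requests.

The two requests below are constructed for this illustration; they are not
captured Silk or Google traffic.
"""
from urllib.parse import parse_qs, urlsplit

# Plain HTTP sent through a forwarding proxy: the request line carries the
# absolute URL, and every header is readable by the proxy.
PLAIN_HTTP_REQUEST = (
    "GET http://www.example.com/search?q=my+medical+condition HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: session=abc123; prefs=lang%3Den\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "\r\n"
)

# HTTPS through the same proxy: the client opens a CONNECT tunnel and then
# speaks TLS to the origin, so the proxy never sees the path, the query or
# the cookies, only the host and port it was asked to tunnel to.
TLS_TUNNEL_REQUEST = (
    "CONNECT www.google.com:443 HTTP/1.1\r\n"
    "Host: www.google.com:443\r\n"
    "\r\n"
)


def _parse_headers(lines):
    """Lower-case header names so lookups do not depend on client casing."""
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def observer_view(raw_request: str) -> dict:
    """Return the fields an intermediary can record from one client request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = _parse_headers(header_lines)

    if method == "CONNECT":
        # Tunnel request: only the authority (host:port) is visible.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host, "port": int(port),
                "path": None, "query": {}, "cookies": {}, "body": None,
                "encrypted": True}

    url = urlsplit(target)
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return {"method": method, "host": url.hostname, "port": url.port or 80,
            "path": url.path, "query": parse_qs(url.query), "cookies": cookies,
            "body": body or None, "encrypted": False}


def browsing_record(raw_requests):
    """Summarise a sequence of requests the way a tracking log would: one
    (host, path) entry per request. Encrypted sessions reduce to the host
    alone, with the path recorded as None."""
    return [(v["host"], v["path"]) for v in map(observer_view, raw_requests)]


if __name__ == "__main__":
    for req in (PLAIN_HTTP_REQUEST, TLS_TUNNEL_REQUEST):
        print(observer_view(req))
    print(browsing_record([PLAIN_HTTP_REQUEST, TLS_TUNNEL_REQUEST]))
```

Run it as a script to see the two views side by side. The point a practitioner should take from it is that turning off cloud acceleration removes the intermediary for plain HTTP, while Google's change moves the search query itself inside the TLS tunnel, so even an intermediary that is still on the path sees only the host name.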
(Related) And Twitter protects rioters?
Twitter chief: We will protect our users from Government
October 18, 2011 by Dissent
Emma Barnett reports:
Dick Costolo, Twitter’s chief, has stood by the company’s decision not to suspend the service during the UK riots or disclose user identities to authorities.
Speaking at the annual Web 2.0 Summit in San Francisco, Costolo referred specifically to the UK riots when talking about the need to ensure Twitter remains a platform upon which freedom of speech is prioritised, even during times of civil unrest.
“One of our core values is respect and the need to defend the user’s voice,” he explained. “In the case of the London riots…the majority of the tweets were more about organising clean-ups [rather than inciting violence].”
It was thought that after a number of executives from Twitter, Facebook and Blackberry were summoned to a meeting with Theresa May, the Home Secretary, after their services were used to coordinate and encourage looting during the UK riots, the Government would try to temporarily suspend the digital networks.
However, Costolo revealed that instead of engaging in shutdown talks in such meetings, it told government officials that the “hope” is the majority of tweets around a hot topic such as the riots will be geared at trying to help matters, rather than incite more violence.
He reiterated that free speech was a core tenet of Twitter, citing the motto of the company’s General Counsel: “We are the free speech wing of the free speech party.”
Read more on The Telegraph. Previous coverage of Twitter’s standing up for its users can be found on the ThankTwitter page.
Perhaps this is why all those huge Internet & Social companies are paying attention? Statutory damages?
EPIC responds to Facebook et al.’s attempts to eliminate class action lawsuits based on statutory damages
October 18, 2011 by Dissent
Ah, thumbs up to EPIC – they jumped into a SCOTUS case that Facebook, LinkedIn, and Zynga had tried to use as an opportunity to free themselves from litigation where consumers could not demonstrate actual harm. The firms filed an amicus brief that argued that there should be no standing or statutory damages absent a showing of actual harm:
Specifically, under the Ninth Circuit’s ruling, if any of the millions of consumers who interact with one of these companies is willing (or can be enticed by a plaintiffs’ attorney) to allege that a generalized practice or act of the company violated a law providing for statutory damages, she could launch a putative class action on behalf of herself and millions of other “similarly situated” users—and pursue a concomitant multi-billion dollar statutory damages claim—without herself or a single other class member having suffered any injury from the practice or act at issue.
Allowing plaintiffs to file such no-injury class action lawsuits could subject businesses such as amici to damages demands that, at least on their face, would be potentially bankrupting. Just the threat of these massive damages claims creates strong incentives to end even baseless suits with settlement payments, essentially rewarding plaintiffs (and their opportunistic counsel) for filing extortionate strike suits. While Internet businesses such as amici would almost certainly have valid defenses on the merits to such lawsuits, if they were unable to eliminate these strike suits “at the courthouse door,” the in terrorem effect of even a small chance of a devastating loss, as well as the prospect of significant litigation costs, would increase the likelihood of meritless suits being settled by monetary payments that benefit only plaintiffs’ attorneys.
While I think there are some meritless lawsuits, it is already hard enough for consumers to demonstrate standing, and the elimination of statutory damages would make things even harder. Thankfully, EPIC responded with their own brief:
EPIC filed a “friend of the court” brief in the United States Supreme Court urging the Court to affirm Congress’ power to enact strong statutes that protect consumer privacy. First American v. Edwards presents the question of whether a person can sue to enforce a provision of the Real Estate Settlement Procedures Act (RESPA), which gives individuals a right to untainted real estate referral services, and enforces this right by specifying an amount of damages for which violators are liable. Surprisingly, Facebook, LinkedIn, Yahoo, and Zynga filed a brief in support of the bank First American and argued against enforcement of privacy statutes in certain circumstances. EPIC then filed a brief in support of the consumer Edwards and argued that if the Court did not uphold statutory damage provisions, “it would become virtually impossible to enforce privacy safeguards in the United States.” Statutory damage provisions help ensure compliance with Fair Information Practices, the foundation of modern privacy law.
This shouldn't surprise anyone...
Before you fire the big guns, you should have a target in mind...
Son of Stuxnet Found in the Wild on Systems in Europe
A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu. He’s one of the leading experts on Stuxnet who produced extensive analysis of that worm with two of his Symantec colleagues last year and has posted a paper detailing the Duqu analysis to date.
… The new code does not self-replicate in order to spread itself — and is therefore not a worm. Nor does it contain a destructive payload to damage hardware in the way that Stuxnet did. Instead, it appears to be a precursor to a Stuxnet-like attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.
For my Ethical Hackers – no need to install software or attach hardware!
"Researchers at Georgia Tech demonstrate that a mobile phone located near a keyboard can use its accelerometers to recover text typed by a target. 'The technique works through probability and by detecting pairs of keystrokes, rather than individual keys (which still is too difficult to accomplish reliably, Traynor said). It models “keyboard events” in pairs, then determines whether the pair of keys pressed is on the left versus right side of the keyboard, and whether they are close together or far apart. After the system has determined these characteristics for each pair of keys depressed, it compares the results against a preloaded dictionary, each word of which has been broken down along similar measurements (i.e., are the letters left/right, near/far on a standard QWERTY keyboard).'"
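The inference half of the attack described above can be shown in a few lines: every word in a dictionary is reduced to the same per-pair features the researchers describe (left or right side for each key, near or far apart), and an observed feature sequence is matched against that table, with a tolerance for pairs the sensor side got wrong. The sensor side itself, turning accelerometer readings into those features, is not modelled here. The code is an added example, not the Georgia Tech tool; the QWERTY coordinates, the 2.0-key near/far threshold, the mismatch tolerance, the feature encoding and the small sample dictionary are assumptions chosen for the illustration.

```python
"""Added example: dictionary matching on left/right and near/far keystroke-pair
features, the inference step of the accelerometer keystroke attack.

The accelerometer classification is assumed to have already produced the
per-pair features; the layout coordinates, the near/far threshold and the
sample dictionary are illustrative choices, not the researchers' parameters.
"""
from math import hypot

# Approximate QWERTY geometry: x grows to the right, y downwards, with the
# usual half-key stagger per row. Column index < 5 counts as the left hand.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ROW_OFFSET = (0.0, 0.5, 1.0)
KEY_COL = {}   # letter -> column index within its row
KEY_XY = {}    # letter -> (x, y) position in key units
for row_index, row in enumerate(QWERTY_ROWS):
    for col, letter in enumerate(row):
        KEY_COL[letter] = col
        KEY_XY[letter] = (col + ROW_OFFSET[row_index], float(row_index))

NEAR_THRESHOLD = 2.0  # assumed: pairs within two key widths are "near"


def side(letter: str) -> str:
    """'L' for keys on the left half of the keyboard, 'R' for the right."""
    return "L" if KEY_COL[letter] < 5 else "R"


def pair_feature(first: str, second: str) -> str:
    """Feature for one keystroke pair, e.g. 'LRN' = left key, then right key,
    close together. This is what the sensor side of the attack would emit."""
    (x1, y1), (x2, y2) = KEY_XY[first], KEY_XY[second]
    proximity = "N" if hypot(x2 - x1, y2 - y1) <= NEAR_THRESHOLD else "F"
    return side(first) + side(second) + proximity


def word_signature(word: str) -> tuple:
    """Break a word down into its sequence of pair features."""
    word = word.lower()
    return tuple(pair_feature(a, b) for a, b in zip(word, word[1:]))


def build_dictionary(words):
    """Pre-compute the signature of every dictionary word (the 'preloaded
    dictionary' of the description)."""
    return {w: word_signature(w) for w in words if w.isalpha()}


def recover(observed: tuple, signatures: dict, max_mismatch: int = 0) -> list:
    """Rank dictionary words whose signature matches the observed feature
    sequence. max_mismatch allows for misclassified pairs: candidates are
    ordered by number of disagreeing positions, then alphabetically."""
    candidates = []
    for word, sig in signatures.items():
        if len(sig) != len(observed):
            continue
        mismatches = sum(a != b for a, b in zip(sig, observed))
        if mismatches <= max_mismatch:
            candidates.append((word, mismatches))
    return sorted(candidates, key=lambda c: (c[1], c[0]))


# Constructed sample dictionary for the demonstration.
SAMPLE_WORDS = ["then", "when", "silk", "fire", "cloud", "amazon",
                "tablet", "browser", "privacy", "password"]
SAMPLE_DICTIONARY = build_dictionary(SAMPLE_WORDS)


if __name__ == "__main__":
    # Pretend the phone observed the victim typing "then"; allowing one
    # misclassified pair also surfaces "when", which differs only in its
    # first pair.
    observed = word_signature("then")
    print(observed)
    print(recover(observed, SAMPLE_DICTIONARY, max_mismatch=1))
```

The signature space is coarse (three binary decisions per pair), so with a real dictionary many words share a signature; that is why the description speaks of probability rather than exact recovery, and why the tolerance parameter matters more than it looks here.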
Stuff for students (Includes links to the tools mentioned)
How To Prepare Your Laptop For A Case Of Theft
Use Locks for Laptop Theft Protection
[Including physical locks. Bob] However, there are several other ways to lock your laptop, for example using a USB flash drive and software. These locks can trigger an alarm when someone tries to break them, for example by removing the flash drive or by entering a wrong password.
Password Protect All User Accounts
Encrypt Sensitive Data
Backup Your Data
Install Applications to Track Down Your Laptop
Customize Your Laptop Data and Record Information