Broadband Privacy

Saturday, October 05, 2013

Lavabit


Cheeky Lavabit *did* hand over crypto keys to US government after all - printed in a 4-point font

By Paul Duncan
Naked Security
October 4, 2013

Just under two months ago, we wrote about the closure of secure email service Lavabit.

Lavabit’s founder, Ladar Levison, explained that he was in a spot of legal bother that made it impossible for him to continue to operate with a clear conscience, so he would suspend the service.

He also noted that, much as he wanted to, he couldn’t give details about said legal bother.

All he could do was to point out that he had lodged an appeal and hoped to open up the service again one day.

Of course, the smart money was that law enforcement wanted access to data belonging to a certain Mr Edward Snowden, the National Security Agency (NSA) whistleblower, who was known to be a Lavabit user.

We hedged our bets on Naked Security, since the only thing we knew we knew was that we didn’t know whether the kerfuffle involved Snowden at all.

But recently unsealed court documents [PDF, 162 pages, 16MB] now tell a bit more of the story.

The name Snowden is still mentioned only in passing (various redactions have suppressed names throughout the unsealed documents).

So we still don’t have official confirmation that Snowden, amongst others, was the target of the investigation.


That, however, hardly matters any more.

What matters is the intriguing tale of the court requiring Lavabit to hand over its SSL private keys, and Lavabit arguing that it ought not to comply, since that would give access to all messages to and from all customers, which would be unfair and unreasonable.

Very greatly simplified (and I hope I have not oversimplified to the point of misunderstanding), the court wanted Lavabit to enable law enforcement to intercept so-called email metadata for a particular user.

But due to the use of SSL/TLS at all times, with data kept encrypted in transit and at rest, even accessing mail headers was no simple matter - unless law enforcement were given Lavabit’s private keys.

(A MiTM, or man-in-the-middle, attack on encrypted traffic is trivial if you have all the encryption keys and certificates to use “in the middle.”)

Eventually, Lavabit had little choice but to comply, turning over five SSL private keys.

It still wasn’t game over for Lavabit users’ privacy, however, because Levison gamely supplied the cryptographic material in printed form, stretched over 11 pages in a four-point font.


To say that the law enforcement officers were underwhelmed is the understatement of the year, and matters were soon back in court, with “handing over the keys” quickly redefined to mean, “handing over the keys as computer-readable PEM files suitable for immediate use, and no more mucking around.”

Indeed, to guard against further stalling tactics, the government petitioned the court to fine Levison $5000 for every day he continued to dither.

At this point, Levison folded and complied, but pulled the plug on Lavabit at the same time, and that was that for the men-in-the-middle.

The New York Times reports that a prosecutor referred to the abrupt shutdown of Lavabit as “just short of a criminal act,” but, then, nearly-a-crime isn’t actually a crime.

What can we learn from this?

Aside, of course, from the fact that the government didn’t let up for a minute, giving back in court to Lavabit as good as it got - better, in fact, were it not for Levison’s confounded coup de grâce.

To me, one of the most interesting aspects of this story is the recognition by a non-tech-savvy court that at least part of the problem was the regrettable fact that Lavabit would need to put the privacy of 400,000 users at risk to secure the lawful surveillance of just one person.

As the court pointed out (this is a transcript, not a written judgement):

[Y]ou’re blaming the government for something that’s overbroad [the requirement to hand over the all-revealing SSL keys], but it seems to me that your client is the one that set up the system that’s designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another. And to say you can’t do that just because you’ve set up a system that everybody has to—has to be unencrypted, [read: in which all users are encrypted in the same way] if there’s such a word, that doesn’t seem to me to be a very persuasive argument.

In short, the court is as good as saying, “If you wanted to come up with this ‘but what about the privacy of all the 399,999 other users’ argument, why didn’t you implement the system so their individual privacy was better protected?”

After all, Lavabit could have taken an approach more like the one used by Kiwi internet showman Kim Dotcom’s Mega service, so that each user’s encrypted traffic and content could stand (or fall) alone.

Of course, that wouldn’t have stopped Levison shuttering the entire service, effectively DDoSing all his users to protect the privacy of one of them.

But from a cryptographic point of view, it would have made a lot more sense to me.


Posted by Elvis on 10/05/13 •
Section Privacy And Rights • Section Broadband Privacy
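
The court’s complaint in the transcript above is architectural: one server secret protected every customer, so any order for that secret reached all 400,000 mailboxes at once. The Python script below is an added illustration of that point, not code from Lavabit, Mega or the Naked Security article. It puts the two designs side by side: a store where a single server key seals every mailbox, and a store where each mailbox is sealed under a key derived from its owner’s own passphrase while the server keeps only salts and ciphertext. The users, passphrases and messages are constructed for the example; the cipher is a minimal encrypt-then-MAC built from the standard library’s hashlib and hmac so that the script runs without dependencies, and it is not a production cipher. Modelling stored mail rather than TLS sessions is a simplification of the example.

```python
"""One shared server secret versus per-user keys: an added illustration.

Constructed users, passphrases and messages; a minimal encrypt-then-MAC
cipher built only from hashlib/hmac so the script runs on the standard
library. This is not Lavabit's, Mega's or any production design.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def derive_user_key(passphrase: bytes, salt: bytes) -> bytes:
    """Per-user key from the user's own passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 50_000, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for the example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SharedKeyStore:
    """Lavabit-style: a single server secret protects every mailbox."""

    def __init__(self) -> None:
        self.server_key = os.urandom(32)  # the one key an order can demand
        self.boxes: Dict[str, List[bytes]] = {}

    def store(self, user: str, message: bytes) -> None:
        self.boxes.setdefault(user, []).append(seal(self.server_key, message))

    def disclose(self, key: bytes, user: str) -> List[Optional[bytes]]:
        return [open_sealed(key, b) for b in self.boxes.get(user, [])]


class PerUserKeyStore:
    """Mega-style: each mailbox is sealed under its owner's passphrase-derived
    key; the server keeps only salts and ciphertext, never the keys."""

    def __init__(self) -> None:
        self.salts: Dict[str, bytes] = {}
        self.boxes: Dict[str, List[bytes]] = {}

    def register(self, user: str) -> None:
        self.salts[user] = os.urandom(16)

    def store(self, user: str, passphrase: bytes, message: bytes) -> None:
        key = derive_user_key(passphrase, self.salts[user])
        self.boxes.setdefault(user, []).append(seal(key, message))

    def disclose(self, key: bytes, user: str) -> List[Optional[bytes]]:
        return [open_sealed(key, b) for b in self.boxes.get(user, [])]


def simulate():
    """Serve the same order ("hand over the key for alice") against both designs."""
    alice_msg, bob_msg = b"alice: meet at noon", b"bob: quarterly numbers attached"

    shared = SharedKeyStore()
    shared.store("alice", alice_msg)
    shared.store("bob", bob_msg)
    surrendered = shared.server_key  # the only key that exists
    shared_result = {"alice": shared.disclose(surrendered, "alice"),
                     "bob": shared.disclose(surrendered, "bob")}

    isolated = PerUserKeyStore()
    for user in ("alice", "bob"):
        isolated.register(user)
    isolated.store("alice", b"correct horse", alice_msg)
    isolated.store("bob", b"battery staple", bob_msg)
    alice_key = derive_user_key(b"correct horse", isolated.salts["alice"])  # one target's key
    isolated_result = {"alice": isolated.disclose(alice_key, "alice"),
                       "bob": isolated.disclose(alice_key, "bob")}
    return shared_result, isolated_result


if __name__ == "__main__":
    print(simulate())
```

Running it shows the difference an order for “the key” makes: in the shared design the single key opens both mailboxes; in the per-user design the key produced for one target opens that user’s mailbox and fails the tag check on everyone else’s. The flip side, which Mega-style designs accept, is that the operator cannot read a mailbox without the owner’s passphrase, and a forgotten passphrase means lost mail.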

Sunday, July 07, 2013

For Sale - Your Cell Phone Records


AT&T has announced that it will begin selling customers’ smartphone data to the highest bidder, putting the telecommunications giant in line with Verizon, Facebook and other competitors that quietly use a consumer’s history for marketing purposes.

RT news
July 6, 2013

The company claims its new privacy policy, to be updated within “the next few weeks,” exists to deliver “more relevant advertising” to users based on which apps they use and their location, which is provided by GPS tracking. Apparently recognizing the natural privacy concerns a customer might have, AT&T assured the public that all data would be aggregated and made anonymous to prevent individual identification.

A letter to customers, for instance, described how someone identified as a movie fan will be sent personalized ads for a nearby cinema.

“People who live in a particular geographic area might appear to be very interested in movies, thanks to collective information that shows wireless devices from that area are often located in the vicinity of movie theaters,” the letter states. “We might create a ‘movie’ characteristic for that area, and deliver movie ads to the people who live there.”

A June 28 blog post from AT&T’s chief privacy officer Bob Quinn said the new policy will focus on “Providing You Service and Improving Our Network and Services,” but the online reaction has been overwhelmingly negative, with many customers looking for a way to avoid the new conditions.

“You require that we allow you to store a persistent cookie of your choosing in our web browsers to ‘opt out’,” one person wrote. “No mention of how other HTTP clients, such as email clients, can opt out. If you really did care about your customers, you would provide a way for us to opt out all traffic to/from our connection and mobile devices in one easy setting.”

One problem for any customer hoping for a new service is the lack of options, smartphone or otherwise. Facebook, Google, Twitter and Verizon each store consumer data for purposes that have not yet been made clear. And because of the profit potential that exists when a customer blindly trusts a company with their data, small Internet start-ups, including AirSage and many others, have developed a way to streamline information into dollars.

The nefarious aspect of AT&T’s announcement is underscored by the recent headlines around the National Security Agency, which has spent years compelling wireless corporations to hand over data collected on millions of Americans. Unfortunately for the privacy of those concerned, AT&T’s new policy may only be a sign of things to come.

“Instead of merely offering customers a trusted conduit for communication, carriers are coming to see subscribers as sources of data that can be mined for profit, a practice more common among providers of free online services like Google and Facebook,” the Wall Street Journal wrote about the matter in May.


Posted by Elvis on 07/07/13 •

Thursday, June 06, 2013

Warrantless Wiretapping - Verizon


By Glenn Greenwald
The Guardian
June 5, 2013

NSA collecting phone records of millions of Verizon customers daily
Top secret court order requiring Verizon to hand over all call data shows scale of domestic surveillance under Obama

The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires Verizon on an “ongoing, daily basis” to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.

The document shows for the first time that under the Obama administration the communication records of millions of US citizens are being collected indiscriminately and in bulk - regardless of whether they are suspected of any wrongdoing.

The secret Foreign Intelligence Surveillance Court (FISA) granted the order to the FBI on April 25, giving the government unlimited authority to obtain the data for a specified three-month period ending on July 19.

Under the terms of the blanket order, the numbers of both parties on a call are handed over, as is location data, call duration, unique identifiers, and the time and duration of all calls. The contents of the conversation itself are not covered.

The disclosure is likely to reignite longstanding debates in the US over the proper extent of the government’s domestic spying powers.

Under the Bush administration, officials in security agencies had disclosed to reporters the large-scale collection of call records data by the NSA, but this is the first time significant and top-secret documents have revealed the continuation of the practice on a massive scale under President Obama.

The unlimited nature of the records being handed over to the NSA is extremely unusual. FISA court orders typically direct the production of records pertaining to a specific named target who is suspected of being an agent of a terrorist group or foreign state, or a finite set of individually named targets.

The Guardian approached the National Security Agency, the White House and the Department of Justice for comment in advance of publication on Wednesday. All declined. The agencies were also offered the opportunity to raise specific security concerns regarding the publication of the court order.

The court order expressly bars Verizon from disclosing to the public either the existence of the FBI’s request for its customers’ records, or the court order itself.

“We decline comment,” said Ed McFadden, a Washington-based Verizon spokesman.

The order, signed by Judge Roger Vinson, compels Verizon to produce to the NSA electronic copies of “all call detail records or ‘telephony metadata’ created by Verizon for communications between the United States and abroad” or “wholly within the United States, including local telephone calls”.

The order directs Verizon to “continue production on an ongoing daily basis thereafter for the duration of this order”. It specifies that the records to be produced include “session identifying information”, such as “originating and terminating number”, the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI) number, and “comprehensive communication routing information”.

The information is classed as “metadata”, or transactional information, rather than communications, and so does not require individual warrants to access. The document also specifies that such “metadata” is not limited to the aforementioned items. A 2005 court ruling judged that cell site location data - the nearest cell tower a phone was connected to - was also transactional data, and so could potentially fall under the scope of the order.

While the order itself does not include either the contents of messages or the personal information of the subscriber of any particular cell number, its collection would allow the NSA to build easily a comprehensive picture of who any individual contacted, how and when, and possibly from where, retrospectively.

It is not known whether Verizon is the only cell-phone provider to be targeted with such an order, although previous reporting has suggested the NSA has collected cell records from all major mobile networks. It is also unclear from the leaked document whether the three-month order was a one-off, or the latest in a series of similar orders.

The court order appears to explain the numerous cryptic public warnings by two US senators, Ron Wyden and Mark Udall, about the scope of the Obama administration’s surveillance activities.

For roughly two years, the two Democrats have been stridently advising the public that the US government is relying on “secret legal interpretations” to claim surveillance powers so broad that the American public would be “stunned” to learn of the kind of domestic spying being conducted.

Because those activities are classified, the senators, both members of the Senate intelligence committee, have been prevented from specifying which domestic surveillance programs they find so alarming. But the information they have been able to disclose in their public warnings perfectly tracks both the specific law cited by the April 25 court order as well as the vast scope of record-gathering it authorized.

Julian Sanchez, a surveillance expert with the Cato Institute, explained: “We’ve certainly seen the government increasingly strain the bounds of ‘relevance’ to collect large numbers of records at once - everyone at one or two degrees of separation from a target - but vacuuming all metadata up indiscriminately would be an extraordinary repudiation of any pretence of constraint or particularized suspicion.” The April order requested by the FBI and NSA does precisely that.

The law on which the order explicitly relies is the so-called “business records” provision of the Patriot Act, 50 USC section 1861. That is the provision which Wyden and Udall have repeatedly cited when warning the public of what they believe is the Obama administration’s extreme interpretation of the law to engage in excessive domestic surveillance.

In a letter to attorney general Eric Holder last year, they argued that “there is now a significant gap between what most Americans think the law allows and what the government secretly claims the law allows.”

“We believe,” they wrote, “that most Americans would be stunned to learn the details of how these secret court opinions have interpreted” the “business records” provision of the Patriot Act.

Privacy advocates have long warned that allowing the government to collect and store unlimited “metadata” is a highly invasive form of surveillance of citizens’ communications activities. Those records enable the government to know the identity of every person with whom an individual communicates electronically, how long they spoke, and their location at the time of the communication.

Such metadata is what the US government has long attempted to obtain in order to discover an individual’s network of associations and communication patterns. The request for the bulk collection of all Verizon domestic telephone records indicates that the agency is continuing some version of the data-mining program begun by the Bush administration in the immediate aftermath of the 9/11 attack.

The NSA, as part of a program secretly authorized by President Bush on 4 October 2001, implemented a bulk collection program of domestic telephone, internet and email records. A furore erupted in 2006 when USA Today reported that the NSA had “been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth” and was “using the data to analyze calling patterns in an effort to detect terrorist activity.” Until now, there has been no indication that the Obama administration implemented a similar program.

These recent events reflect how profoundly the NSA’s mission has transformed from an agency exclusively devoted to foreign intelligence gathering, into one that focuses increasingly on domestic communications. A 30-year employee of the NSA, William Binney, resigned from the agency shortly after 9/11 in protest at the agency’s focus on domestic activities.

In the mid-1970s, Congress, for the first time, investigated the surveillance activities of the US government. Back then, the mandate of the NSA was that it would never direct its surveillance apparatus domestically.

At the conclusion of that investigation, Frank Church, the Democratic senator from Idaho who chaired the investigative committee, warned: “The NSA’s capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything: telephone conversations, telegrams, it doesn’t matter.”

Additional reporting by Ewen MacAskill and Spencer Ackerman


Posted by Elvis on 06/06/13 •
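
The fields the order lists are enough, without a word of content, to reconstruct a subscriber’s contacts, habits and likely whereabouts. The Python below is an added illustration of that point and is not part of the Guardian article: it parses a handful of constructed call-detail records (fictitious numbers, IMSIs and cell sites, in a CSV layout chosen for the example rather than Verizon’s format) and derives the who-called-whom graph, the “one or two degrees of separation” set that Julian Sanchez mentions, per-contact talk time, and a crude guess at where a phone spends the night. Treating the cell_site column as the originating handset’s tower is an assumption of the example.

```python
"""What call-detail 'metadata' alone reveals: an added illustration.

The records below are constructed for this example; numbers, IMSIs and
cell-site names are fictitious and the CSV layout is the example's own.
Assumption: cell_site is the tower serving the originating handset.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime
import csv
import io

CDR_LOG = """\
start,orig,term,duration_s,imsi,cell_site
2013-04-26T08:02:11,2025550101,2025550102,240,310260000000001,DC-014
2013-04-26T12:30:00,2025550102,2025550103,65,310260000000002,DC-221
2013-04-26T22:15:43,2025550101,2025550104,900,310260000000001,DC-014
2013-04-27T01:05:09,2025550105,2025550101,30,310260000000005,NY-303
2013-04-27T09:40:00,2025550103,2025550106,120,310260000000003,DC-221
2013-04-27T23:55:10,2025550101,2025550102,45,310260000000001,DC-014
2013-04-28T07:10:00,2025550104,2025550107,300,310260000000004,DC-099
"""


def parse_cdrs(text):
    """Parse the CSV into dicts with typed start time and duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration_s"] = int(row["duration_s"])
        rows.append(row)
    return rows


def contact_graph(records):
    """Undirected who-called-whom graph built from numbers only."""
    graph = defaultdict(set)
    for r in records:
        graph[r["orig"]].add(r["term"])
        graph[r["term"]].add(r["orig"])
    return graph


def degrees_of_separation(graph, target, max_hops):
    """Every number within max_hops of target, with its distance (BFS)."""
    dist = {target: 0}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for neighbour in graph.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist


def talk_time(records, number):
    """Seconds spent on the line with each contact, in either direction."""
    totals = Counter()
    for r in records:
        if r["orig"] == number:
            totals[r["term"]] += r["duration_s"]
        elif r["term"] == number:
            totals[r["orig"]] += r["duration_s"]
    return dict(totals)


def likely_home_site(records, number, night=(22, 6)):
    """Most frequent cell site for calls the number placed between 22:00
    and 06:00: a crude 'where does this phone sleep' inference."""
    sites = Counter(
        r["cell_site"] for r in records
        if r["orig"] == number
        and (r["start"].hour >= night[0] or r["start"].hour < night[1])
    )
    return sites.most_common(1)[0][0] if sites else None


def imsi_for(records, number):
    """SIM identities seen originating calls from a dialled number."""
    return {r["imsi"] for r in records if r["orig"] == number}


if __name__ == "__main__":
    recs = parse_cdrs(CDR_LOG)
    graph = contact_graph(recs)
    target = "2025550101"
    print(degrees_of_separation(graph, target, 2))
    print(talk_time(recs, target))
    print(likely_home_site(recs, target), imsi_for(recs, target))
```

Seven records are enough to place the target’s longest conversations, its overnight location and a second-hop circle of acquaintances it never dialled directly, which is why the senators’ warning and Sanchez’s “one or two degrees” remark both treat metadata as surveillance rather than bookkeeping. On a real feed the same functions run over millions of rows a day, and the quality of the picture improves with volume rather than degrading.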

Sunday, March 24, 2013

Bitcoin Privacy


Bitcoin Privacy Extension to Have Backdoor for Government Snooping?

By Eric Blair
Activist Post
March 24, 2013

Bankers are desperate to force governments into regulating decentralized virtual currencies like Bitcoin. With good reason.

As currency wars rage with a rush to devaluation, while banker bureaucrats openly rob depositors in Cyprus and as financial privacy disappears, Bitcoin has become a safe haven currency to a growing number of people. Bankers and governments can’t control it or tax it, but now they’re attempting to fix that.

Andrew Leonard of Salon writes:

The more popular Bitcoin gets, whether as a symbol of resistance or a perceived safe haven in financially troubled times, the more government attention it will inevitably draw, and the more inexorably it will be sucked into existing regulatory structures. Incomes denominated in Bitcoins will be taxed. Efforts at money laundering will be cracked down upon. It’s the price of success. Resistance is futile.

Last week, the Financial Crimes Enforcement Network (FinCEN) revealed their initial guidelines to regulate virtual currencies. Although it said that users of virtual currencies are not subject to FinCEN regulations, exchanges for that currency are:

A user of virtual currency is not an MSB under FinCEN’s regulations and therefore is not subject to MSB registration, reporting, and recordkeeping regulations. However, an administrator or exchanger is an MSB under FinCEN’s regulations, specifically, a money transmitter, unless a limitation to or exemption from the definition applies to the person. An administrator or exchanger is not a provider or seller of prepaid access, or a dealer in foreign exchange, under FinCEN’s regulations.

Additionally, the CIA’s venture capital firm In-Q-Tel has taken a great interest in Bitcoin and has called some of its developers to give a presentation about Bitcoin this June, which is troublesome for the prospect of freedom and privacy.

But resistance is not futile as Andrew Leonard would like his readers to believe. Other developers are working on Bitcoin extensions to add further privacy for users. Bitcoin transactions are already fairly anonymous even though they can be viewed on a public open-source record.

Privacy is lacking for Bitcoin users, not in the transaction, but in where the coins are stored. Specific encrypted coins can be traced through a transaction to a certain wallet whose owner may or may not be anonymous. Even if the wallet is anonymous, everyone knows where their specific coins have been, which could potentially expose the wallet owner’s activity and identity.

A new Bitcoin privacy extension, Zerocoin, is seeking to solve this privacy concern. Zerocoin, being developed by Johns Hopkins University, will basically pool Bitcoins in escrow and scramble them between buyers and sellers to hide the origin and destination of specific coins.

New Scientist reports:

Called Zerocoin, it’s a cryptographic add-on to Bitcoin that allows for transactions which cannot be linked together. The key is that it does this without introducing any new centralised elements into the network or using laundering, whereby coins are spent through intermediaries to hide the root purchaser’s wallet address.

Zerocoin works by allowing Bitcoin users to leave their coins floating on the network for someone else to redeem, on the condition that they can redeem the same amount of Bitcoin, similarly left floating on the network, at an arbitrary time in the future.

Jon Matonis of the American Banker interviewed Johns Hopkins research professor Matthew Green, who said:

“Zerocoin creates an ‘escrow pool’ of bitcoins, which users can contribute to and then later redeem from,” Green explained. Users receive different coins than they put in (though the same amount) and there is no entity that can trace your transactions or steal your money. “Unlike previous e-cash schemes, this whole process requires no trusted party. As long as all the nodes in the network support the Zerocoin protocol, the system works in a fully distributed fashion,” added Green.

Green is due to present his paper Zerocoin: Anonymous Distributed E-Cash from Bitcoin at the IEEE Symposium on Security and Privacy this May.

It sounds like an amazing innovation for a currency that is far superior in many ways to establishment currencies and banking. However, Green adds one disturbing statement with huge implications for the legitimacy of Zerocoin.

Green told the New Scientist, “Zerocoin would give you this incredible privacy guarantee, then we could add on some features which let the police, for instance, to be able to track money laundering. A back door.”

Apparently Green has received a lot of grief for attempting to provide an anonymous privacy protocol that would allow back-door snooping, and he has since backed off his previous statement even if it still appears in his paper.

“The back door isn’t part of Zerocoin. There’s absolutely no need for it, and building one in would take significant additional effort. In fact, we only mentioned it as a brief note in the conclusion of our paper, mostly to motivate future research work,” Green told the American Banker.

So Green included the idea of a backdoor to “motivate future research work”?  In other words, he seems to be seeking public funding to continue creating this backdoor. Obviously, the “authorities” would be the only ones interested in this pursuit which answers the question about who he is trying to motivate. The bigger question is who funded this work?

In an attempt to put the issue to rest, Green claimed that a backdoor was impossible, anyway; “If someone did try to build a back door for any reason, the open source Zerocoin would quickly become Zero-adoption.”

In any respect, creating a random escrow pool for Bitcoin transactions is a brilliant concept and an innovation that can be used alongside other open-source programs like Coin Control, which allows users to choose what wallet they want individual transactions to go to.

Yet as Bitcoin developers are hard at work finding ways to make it even more anonymous, will they be successful in preventing backdoors for government access, thwarting FinCEN regulations, and involvement by the CIA?


Posted by Elvis on 03/24/13 •

Amazon And The CIA


Our Privacy.... It’s Disappeared into the “Clouds”

By Perrie Halpern
The News Talkers
March 20, 2013

Quiz: What do the CIA and Amazon have in common?

A. Too much power

B. Invasion into our privacy

C. A big investment in the computer business

D. All of the above

The old saying goes that every cloud has a silver lining. Of course in real life, we know that some clouds are dark and ominous. In our tech world, some clouds can’t even be seen. Usually, it’s the things that we can’t see that should be feared the most.

Today in New York City, the CIA’s technology officer, Ira “Gus” Hunt outlined the agency’s new concept for the CIA’s view of information gathering.

“The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time,” Hunt said. “Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang onto it forever.”

Everything is a lot and forever is a very long time. There must be a plan! And so there is! But unlike any spy novel, there is no secret agency involved. No spooks, no MI6. Instead, the CIA has enlisted the help of an unlikely ally, Amazon, in its quest for “big data”, which is so big that the CIA has a dedicated job recruitment page on its website pitching big data jobs to prospective employees.

These comments come two days after Federal Computer Week reported that the CIA is joining with Amazon in a 10-year, $600 million cloud service with storage and analysis capabilities on a massive scale. In a slide during Hunt’s presentation, his pronouncement was made: “It is nearly within our grasp to compute on all human generated information.” He continued:

“You’re already a walking sensor platform,” he said, noting that mobiles, smartphones and iPads come with cameras, accelerometers, light detectors and geolocation capabilities.

“You are aware of the fact that somebody can know where you are at all times, because you carry a mobile device, even if that mobile device is turned off,” he said. “You know this, I hope? Yes? Well, you should.”

As for privacy and law, all Hunt had to say was, “Technology in this world is moving faster than government or law can keep up,” he said. “It’s moving faster I would argue than you can keep up: You should be asking the question of what are your rights and who owns your data.”

Yes, ominous clouds are forming. Clouds that store your personal information, clouds that you will actually be helping to grow with each and every purchase of a Kindle Fire, and maybe an iPhone or a Nexus 7.

BTW, the answer to the question is D. 


Posted by Elvis on 03/24/13 •