bwiese + privacy   242

New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps
Facebook today quietly announced that it discovered a new API bug in its photo-sharing system that let 876 developers access users' private photos which they never shared on their timeline, including images uploaded to Marketplace or Facebook Stories.
"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories,"
facebook  privacy  photos 
9 weeks ago by bwiese
Facebook Well Aware That Tracking Contacts Is Creepy: Emails
Thanks to poor Android permission design at the time, there was a way to update the Facebook app to get “Read Call Log” permission without actually asking for it. “Based on their initial testing, it seems that this would allow us to upgrade users without subjecting them to an Android permissions dialog at all,” Kwon is quoted. “It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen. They’re trying to finish testing by tomorrow to see if the behavior holds true across different versions of Android.”

Oh yay! Facebook could suck more data from users without scaring them by telling them it was doing it! This is a little surprising coming from Yul Kwon because he is Facebook’s chief ‘privacy sherpa,’ who is supposed to make sure that new products coming out of Facebook are privacy-compliant.
facebook  privacy  android 
9 weeks ago by bwiese
Turning Off Facebook Location Services Doesn't Stop Tracking
Aleksandra Korolova has turned off Facebook’s access to her location in every way that she can. She has turned off location history in the Facebook app and told her iPhone that she “Never” wants the app to get her location. She doesn’t “check-in” to places and doesn’t list her current city on her profile.

Despite all this, she constantly sees location-based ads on Facebook. She sees ads targeted at “people who live near Santa Monica” (where she lives) and at “people who live or were recently near Los Angeles” (where she works as an assistant professor at the University of Southern California). When she traveled to Glacier National Park, she saw an ad for activities in Montana, and when she went on a work trip to Cambridge, Massachusetts, she saw an ad for a ceramics school there.
facebook  privacy  location  ads 
9 weeks ago by bwiese
Facebook had a secret data deal with Amazon, NYT reports - Business Insider
The documents showed that, as of 2017, Amazon was able to get people's names and emails via their Facebook friends, a practice which Facebook said it put an end to in 2014.
Amazon, in turn, supplied Facebook with contact lists to help the social network suggest more friend recommendations, the documents show.
Amazon told the Times that it used user data appropriately, but declined to comment on exactly how its partnership with Facebook worked.
facebook  amazon  privacy 
9 weeks ago by bwiese
Facebook allowed Netflix and Spotify to access private messages - Business Insider
Citing internal Facebook documents, The Times said Spotify could see the messages of more than 70 million Facebook users a month. The Times reported that Spotify, Netflix, and the Royal Bank of Canada could read, write, and even delete people's messages.
facebook  netflix  spotify  privacy 
9 weeks ago by bwiese
I'm giving up on PGP
Mostly I'll use Signal or WhatsApp, which offer vastly better endpoint security on iOS, ephemerality, and smoother key rotation.

If you need to securely contact me, your best bet is to DM me asking for my Signal number. If needed we can decide an appropriate way to compare fingerprints.

If we meet in person and need to set up a secure channel, we will just exchange a secret passphrase to use with what's most appropriate: OTR, Pond, Ricochet.

If it turns out we really need PGP, we will set up some ad-hoc keys, more à-la-Operational PGP. Same for any signed releases or canaries I might maintain in the future.

To exchange files, we will negotiate Magic Wormhole, OnionShare, or ad-hoc PGP keys over the secure channel we already have. The point is not to avoid the gpg tool, but the PGP key management model.

If you really need to cold-contact me, I might maintain a Keybase key, but no promises. I like rooting trust in your social profiles better since it makes key rotation much more natural, and is probably how most people know me anyway.

I'm also not dropping YubiKeys. I'm very happy about my new YubiKey 4 with touch-to-operate, which I use for SSH keys, password storage and machine bootstrap. But these things are 100% under my control.
yubikey  pgp  crypto  privacy  whatsapp  signal 
11 weeks ago by bwiese
Encrypting SNI: Fixing One of the Core Internet Bugs
One solution to this problem was to create certificates with multiple Subject Alternative Names (SANs). These certificates would encrypt traffic for multiple domains that could all be hosted on the same IP. This is how Cloudflare handles HTTPS traffic from older browsers that don't support SNI. We limit that feature to our paying customers, however, for the same reason that SANs aren't a great solution: they're a hack, a pain to manage, and can slow down performance if they include too many domains.

The more scalable solution was SNI. The analogy that makes sense to me is to think of a postal mail envelope. The contents inside the envelope are protected and can't be seen by the postal carrier. However, outside the envelope is the street address which the postal carrier uses to bring the envelope to the right building. On the Internet, a web server's IP address is the equivalent of the street address.

In the United States, ISPs were briefly restricted in their ability to gather customer browsing data under FCC rules passed at the end of the Obama administration. ISPs, however, lobbied Congress and, in April 2017, President Trump signed a Congressional Resolution repealing those protections. As ISPs increasingly acquire media companies and ad targeting businesses, being able to mine the data flowing through their pipes is an increasingly attractive business for them and an increasingly troubling privacy threat to all of us.
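As an added example (not code from the Cloudflare post), the following builds a minimal ClientHello and pulls the server_name extension back out of it, which is exactly what an ISP or any on-path observer can do before a single encrypted byte has been sent. The ClientHello is constructed here rather than captured; the random and cipher suite are filler.

```javascript
// Build a minimal TLS ClientHello record carrying (optionally) an SNI extension.
// Constructed test input, not a capture from a real client.
function buildClientHello(hostname) {
  const exts = [];
  if (hostname !== null) {
    const name = Buffer.from(hostname, "ascii");
    const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // name_type 0 = host_name
    const list = Buffer.concat([u16(entry.length), entry]);
    exts.push(Buffer.concat([u16(0x0000), u16(list.length), list]));           // extension type 0 = server_name
  }
  exts.push(Buffer.concat([u16(0x0017), u16(0)])); // extended_master_secret: the parser must skip something unrelated
  const extBlock = Buffer.concat(exts);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]), Buffer.alloc(32), // client_version, random (zeroed filler)
    Buffer.from([0x00]),                         // session_id length 0
    u16(2), Buffer.from([0x13, 0x01]),           // one cipher suite
    Buffer.from([0x01, 0x00]),                   // compression_methods: null only
    u16(extBlock.length), extBlock,
  ]);
  const hs = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);      // handshake type 1 = client_hello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);  // record type 22 = handshake
}

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Return the server_name from a ClientHello record, or null if the client sent none.
// Throws on anything that is not a well-formed ClientHello.
function extractSni(record) {
  if (record.length < 5 || record[0] !== 0x16) throw new Error("not a TLS handshake record");
  const hs = record.subarray(5, 5 + record.readUInt16BE(3));
  if (hs.length < 4 || hs[0] !== 0x01) throw new Error("not a ClientHello");
  const body = hs.subarray(4, 4 + hs.readUIntBE(1, 3));
  let pos = 2 + 32;                    // skip client_version and random
  pos += 1 + body[pos];                // session_id
  pos += 2 + body.readUInt16BE(pos);   // cipher_suites
  pos += 1 + body[pos];                // compression_methods
  if (pos >= body.length) return null; // no extensions block at all (pre-SNI client)
  const end = pos + 2 + body.readUInt16BE(pos);
  pos += 2;
  while (pos + 4 <= end) {
    const type = body.readUInt16BE(pos), len = body.readUInt16BE(pos + 2);
    const data = body.subarray(pos + 4, pos + 4 + len);
    pos += 4 + len;
    if (type !== 0x0000) continue;
    const listEnd = 2 + data.readUInt16BE(0); // server_name_list length prefix
    let p = 2;
    while (p + 3 <= listEnd) {
      const nameType = data[p], nameLen = data.readUInt16BE(p + 1);
      if (nameType === 0) return data.toString("ascii", p + 3, p + 3 + nameLen); // cleartext hostname
      p += 3 + nameLen;
    }
  }
  return null;
}
```

Run with node. The hostname is readable as plain ASCII in the record bytes, which is the whole problem: it travels before any key exchange, so every hop between client and server sees it. ESNI instead encrypts the server_name under a key the client obtains from DNS, which is why the post ties the fix to encrypted DNS as well.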
cybersecurity  privacy  tls  dns  cloudflare 
september 2018 by bwiese
Facebook to Banks: Give Us Your Data, We’ll Give You Our Users - WSJ
Facebook has asked large U.S. banks to share detailed financial information about customers as it seeks to boost user engagement
facebook  privacy  banking 
august 2018 by bwiese
A Major Privacy Win, a Vault 7 Indictment, and More Security News This Week | WIRED
Supreme Court issued a hotly anticipated ruling in Carpenter v. United States, establishing that the government will need to get a warrant if it wants to track your location with cell sites

Former CIA employee Joshua Adam Schulte was indicted this week; authorities allege that he was responsible for the devastating Vault 7 leak that revealed many of the agency's hacking secrets.

VirusTotal Monitor
privacy  cellphone  dns  vault7  cia  nsa  virustotal 
july 2018 by bwiese
NSA Spy Buildings, Facebook Data, and More Security News This Week | WIRED
California has passed the strongest digital privacy law in the United States, for starters, which as of 2020 will give customers the right to know what data companies use, and to disallow those companies from selling it. It's just the latest in a string of uncommonly good bits of privacy news, which included last week's landmark Supreme Court decision in Carpenter v. US. That ruling will require law enforcement to get a warrant before accessing cell tower location data. And at the beginning of the week, the Wi-Fi Alliance detailed the full specifications of the WPA3 security standard that's going to make the next generation of Wi-Fi much, much safer to use.
nsa  wifi  privacy  cellphone  toread 
july 2018 by bwiese
Yellow dots identify printers: Computer scientists of TU Dresden develop a tool for printer anonymisation — Chair of Privacy and Data Security — TU Dresden
Based on a sample of 1286 prints from 141 printers from 18 different manufacturers (partially provided by the German DFKI, who studied these artifacts in 2005) they were able to develop an app that automatically decodes which information has been embedded in the print. It can also be used to anonymize the prints, by scrambling the yellow dot patterns.
cybersecurity  privacy  printer  anon  gdpr 
july 2018 by bwiese
A Technical Deep Dive into STARTTLS Everywhere | Electronic Frontier Foundation
Prevent STARTTLS downgrade attacks.
In order to detect downgrade attacks, we’re hosting a policy list of mailservers that we know support STARTTLS. This list acts essentially as a preload list of MTA-STS security policies. We’ve already preloaded a select number of big-player email domains, like Gmail, Yahoo, and Outlook.
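The check a sending MTA performs once it has a policy, as an added example (this is not EFF's STARTTLS Everywhere code). The policy text is constructed and example.com is a placeholder; what matters is the last branch: without a policy, a peer that "forgets" to offer STARTTLS gets cleartext mail, and with an enforce policy it gets nothing.

```javascript
// A constructed MTA-STS policy in the RFC 8461 text format (example.com is a placeholder).
const SAMPLE_POLICY = [
  "version: STSv1",
  "mode: enforce",
  "mx: mail.example.com",
  "mx: *.backup.example.com",
  "max_age: 604800",
].join("\n");

const MODES = ["enforce", "testing", "none"];

function parsePolicy(text) {
  const policy = { mx: [] };
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const i = line.indexOf(":");
    if (i < 0) throw new Error("malformed line: " + line);
    const key = line.slice(0, i).trim(), value = line.slice(i + 1).trim();
    if (key === "mx") policy.mx.push(value.toLowerCase());
    else if (key === "max_age") policy.max_age = parseInt(value, 10);
    else policy[key] = value;
  }
  if (policy.version !== "STSv1" || !MODES.includes(policy.mode)) throw new Error("malformed MTA-STS policy");
  return policy;
}

// RFC 8461 section 4.1: a leading "*." matches exactly one leftmost label,
// so *.backup.example.com covers mx1.backup.example.com but not backup.example.com
// or a.mx1.backup.example.com.
function mxMatches(mxHost, pattern) {
  const host = mxHost.toLowerCase().replace(/\.$/, "");
  if (pattern.startsWith("*.")) {
    const labels = host.split(".");
    return labels.length > 1 && labels.slice(1).join(".") === pattern.slice(2);
  }
  return host === pattern;
}

// What the sender does with a connection to mxHost, given the policy for the recipient domain.
// starttlsOffered: the peer advertised STARTTLS; certValidForMx: its cert validated for mxHost.
function deliveryDecision(policy, mxHost, starttlsOffered, certValidForMx) {
  const mxOk = policy.mx.some((p) => mxMatches(mxHost, p));
  if (starttlsOffered && certValidForMx && mxOk) return "deliver";
  if (policy.mode === "enforce") return "refuse";             // never fall back to cleartext
  if (policy.mode === "testing") return "deliver-and-report"; // deliver, but emit a TLSRPT failure report
  return "deliver";                                           // mode none: plain opportunistic TLS, the downgradable case
}
```

The policy itself is fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt after a `_mta-sts` TXT record announces it; the EFF preload list described above is what lets a sender apply an enforce policy for Gmail, Yahoo or Outlook before that first fetch, so the very first connection cannot be downgraded either.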
starttls  tls  encryption  eff  privacy 
july 2018 by bwiese
A Swarm of Drones Ruined an FBI Hostage Raid
“They had people fly their own drones up and put the footage to YouTube so that the guys who had cellular access could go to the YouTube site and pull down the video,” Mazel told the conference.

Of course, law enforcement isn’t exactly innocent on this front either, as they have their own questionable intentions for the technology. Local and federal agencies have been all too happy to try to push for drones that can be used to do everything from intercepting cell phone signals to spying on citizens without a warrant to killing people.
drones  privacy  cybersecurity  fbi 
june 2018 by bwiese
How to encrypt your entire life in less than an hour
“If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” — Cardinal Richelieu in 1641
In this article, I will show you how you can protect yourself by leveraging state-of-the-art encryption. In a single sitting, you can make great strides toward securing your privacy.
cybersecurity  privacy  encryption 
june 2018 by bwiese
Ponemon Institute - 2017 Cost of a Data Breach
Data breaches are most expensive in the United States and Canada
The average per capita cost of data breach was $225 in the United States and $190 in Canada.
The average total organizational cost in the United States was $7.35 million and $4.94 million in the Middle East
The average global cost of data breach per lost or stolen record was $141.
In the United States, these costs were $1.56 million for post-data-breach response, which includes help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.
cybersecurity  report  pdf  ponemon  databreach  privacy  economics 
june 2018 by bwiese
Failing to Keep Pace: The Cyber Threat and Its Implications for Our Privacy Laws, by Glenn S. Gerstell, General Counsel, National Security Agency, at the Georgetown Cybersecurity Law Institute in Washington, DC on May 23, 2018
We also can't forget that each one of us has a great deal of personal responsibility for our own private information. Regardless of what steps the government ultimately takes, we need to maintain awareness of and exercise some amount of discretion about how we are exposing our personal data over the internet.
privacy  cybersecurity  history  legal  nsa 
june 2018 by bwiese
Federal agents confirm they quietly installed surveillance cameras along 23rd Ave in the CD | CHS Capitol Hill Seattle
Last Thursday, the U.S. Department of Alcohol, Tobacco, and Firearms confirmed it was the agency behind two cameras installed high up on light poles at 23rd and Union and 23rd and Jackson: “… support an ongoing federal criminal investigation. These cameras belong to our agency. They weren’t requested by nor are they monitored by the Seattle Police Department.”

The City’s surveillance ordinance requires city departments to obtain permission to install cameras, but that doesn’t apply to federal agencies.

ex-cop Tim Burgess to institute a $25 tax on gun sales and a 5 cent tax on each round of ammunition. The city estimates the taxes would raise up to $500,000 per year. Burgess said taxpayers paid more than $12 million in 2014 to offset unpaid medical bills for gunshot victims at Harborview. The revenue from the tax would fund a two-year gun violence prevention program.

UPDATE: The City Council unanimously passed the gun and ammunition tax Monday, as well as a measure that would require mandatory reporting of lost or stolen firearms to SPD. Burgess, a strong frontrunner in the Position 8 City Council race, thanked his colleagues in a statement:
seattle  surveillance  guncontrol  privacy  taxes 
may 2018 by bwiese
Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site — Krebs on Security
On May 10, The New York Times broke the news that a different cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Mo.

On May 15, ran a piece saying that Securus was getting its data through an intermediary — Carlsbad, CA-based LocationSmart.

Wednesday afternoon Motherboard published another bombshell: A hacker had broken into the servers of Securus and stolen 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. Most of the stolen credentials reportedly belonged to law enforcement officers across the country — stretching from 2011 up to this year. — since mid-2011, but it’s unclear if that service used the same code. is one of four other sites hosted on the same server as, according to
cybersecurity  cellphone  location  privacy  krebsonsecurity  api 
may 2018 by bwiese
US cell carriers are selling access to your real-time phone location data | ZDNet
In case you missed it, a senator last week sent a letter demanding the Federal Communications Commission (FCC) investigate why Securus, a prison technology company, can track any phone "within seconds" by using data obtained from the country's largest cell giants, including AT&T, Verizon, T-Mobile, and Sprint, through an intermediary, LocationSmart

Electronic Communications Privacy Act only restricts telecom companies from disclosing data to the government. It doesn't restrict disclosure to other companies, who then may disclose that same data to the government.

He called that loophole "one of the biggest gaps in US privacy law."

law enforcement may be violating the law by not seeking data directly from the phone carriers. "Law enforcement shouldn't have unfettered access to this data, whether they get it from Securus or directly from the phone companies," said the EFF.
privacy  location  cybersecurity  cellphone  surveillance  legal  eff 
may 2018 by bwiese
LocationSmart API Vulnerability – Robert Xiao
On May 16th, I found a vulnerability in the LocationSmart website which allowed anyone, with no prior authentication or consent, to obtain the realtime location of any cellphone in the US to within a few hundred feet. I immediately moved to contact US CERT to coordinate disclosure, and worked with Brian Krebs to publish the story after the vulnerability was fixed this morning (May 17th).
cybersecurity  privacy  cellphone  location  tracking  python 
may 2018 by bwiese
Website leaked real-time location of most US cell phones to almost anyone | Ars Technica
the gist of it is I can track most people's cell phones without their consent.”

Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.

cellular carriers by law are required to know the approximate location of customers in the event it’s needed by emergency 911 services. Whether the carriers are permitted to sell or otherwise provide the information to other third parties is less clear. Expect there to be much more scrutiny about this in the coming weeks and months.
cellphone  privacy  location  locationtracking  cybersecurity 
may 2018 by bwiese
Revocation is broken
It is true that OCSP offered a significant performance advantage over fetching a CRL, but, that performance advantage did come with a cost (don't you hate it when that happens?). The cost was a pretty significant one too, it was your privacy... When we think about what an OCSP request is, the request for the status of a very particular, single certificate, you may start to realise that you're leaking some information. When you send an OCSP request, you're basically asking the CA this:

soft fail revocation check. That is, the browser will try to do a revocation check but if the response doesn't come back, or doesn't come back in a short period of time, the browser will simply forget about it. Even worse is that Chrome doesn't even do revocation checks, at all. Yes, you did read that right, Chrome doesn't even try to check the revocation status of certificates that it encounters -- Chrome calls theirs CRLsets and Firefox call theirs OneCRL and they curate lists of revoked certificates by combining available CRLs and selecting certificates from them to be included

OCSP Stapling is great and we should all support it on our sites, but, do we honestly think an attacker is going to enable OCSP Stapling? No, I didn't think so, of course they aren't going to. What we need is a way to force the server to OCSP Staple and this is what OCSP Must-Staple is for

OCSP Expect-Staple but I will give the TL;DR here. You request an addition to the HSTS preload list that asks the browser to send you a report if it isn't happy with the OCSP Staple. You can collect the reports yourself or use my service,, to do it for you and you can learn exactly how often you would hit problems if you turned on OCSP Must-Staple.

see all certificates issued for my domain and you can search for your own, you can also use CertSpotter from sslmate to do the same and I use the Facebook Certificate Transparency Monitoring
ocsp  cybersecurity  ssl  tls  privacy  certificates  certificatetransparency 
may 2018 by bwiese
How Europe's New Privacy Law Will Change the Web, and More | WIRED
Email and Phone are most important identifiers, changed to UIDs
Device ID, corporate consumer identifiers (experian, verizon, amazon, apple, microsoft, google, facebook)
Postal Address
Gender, Name, Birthdate, Zip
Calculate identity from correlation/fingerprints: places visited (websites, physical), apps in use, videos watched, purchase history, contacts added
Temporary tracking: cookie IDs, device fingerprints (hw, sw), browser fingerprints, IP address
eugdpr  privacy  cybersecurity  databreach  pii 
april 2018 by bwiese
Europe is doing way more than the US to protect online privacy - Vox
The point is that Facebook sees it all, owns it all, and can sell it all. Your data is the cryptocurrency of the digital economy; you have no idea how it is being used to sell you stuff, intentionally, by a tech company — or used against you by being stolen.

If my location at a concert in Seattle on a specific date and time is being sold for money to some travel website, as is the fact that I live in New York, I should know that; but I don’t.

She argued that “data collection by companies and surveillance by governments are connected, not separate.”

law was approved in April 2016, with a two-year grace period before it would be enforced. It applies to any company transacting with an EU national for goods or services — regardless of whether there is a payment involved.
eugdrp  privacy  facebook 
april 2018 by bwiese
Data Firm Leaks 48 Million User Profiles it Scraped From Facebook, LinkedIn, Others - Slashdot
Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.
s3  cybersecurity  cloudleak  privacy  facebook  linkedin 
april 2018 by bwiese
Over 100GB of Secret Credit Data Leaked Online - Infosecurity Magazine
Some 111GB of highly sensitive information including consumer credit histories has been exposed by the National Credit Federation as the result of yet another misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.
cloudleak  privacy  breach 
april 2018 by bwiese
How to Opt Out of Equifax Revealing Your Salary History — Krebs on Security
Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX“) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”
equifax  privacy  cybersecurity  security  todo  salary  credit  krebsonsecurity 
april 2018 by bwiese
Critical VPN Security Flaw Leaks Customer IP Addresses - ExtremeTech
WebRTC allows requests to be made to STUN servers which return the “hidden” home IP address as well as local network addresses for the system that is being used by the user.

The results of the requests can be accessed using JavaScript, but because they are made outside the normal XML/HTTP request procedure, they are not visible in the developer console.

The only requirement for this de-anonymizing technique to work is WebRTC and JavaScript support from the browser.
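The technique, as an added example rather than code from the article: in a browser, `createOffer()` makes the ICE agent query the STUN server and report what it learned as candidate lines, where the address behind the VPN shows up as type `srflx` and LAN addresses as type `host`. The gathering part only runs where `RTCPeerConnection` exists; under Node only the parser runs, on constructed candidate lines. `stun:stun.l.google.com:19302` is assumed here as a reachable public STUN server.

```javascript
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const CANDIDATE_RE = /^(?:a=)?candidate:\S+ \d+ (udp|tcp) \d+ (\S+) \d+ typ (host|srflx|prflx|relay)\b/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], type: m[3].toLowerCase() };
}

// Reduce candidate lines to what a tracker cares about: the public (server-reflexive)
// address the STUN server saw, and the private (host) addresses of the machine.
function summarizeCandidates(lines) {
  const pub = new Set(), local = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.type === "srflx") pub.add(c.address);
    // Current browsers usually replace raw LAN IPs in host candidates with mDNS
    // names like xxxx.local; those are not addresses and are left out.
    else if (c.type === "host" && !c.address.endsWith(".local")) local.add(c.address);
  }
  return { public: [...pub], local: [...local] };
}

// Browser-only: start ICE gathering and resolve with the summary once it finishes.
function gatherCandidates(stunUrl = "stun:stun.l.google.com:19302") {
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    pc.createDataChannel("");  // some media/data section is needed before ICE will gather
    pc.onicecandidate = (e) => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(summarizeCandidates(lines)); } // null candidate = gathering complete
    };
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
  });
}

// Constructed candidate lines in the shape a browser reports (203.0.113.0/24 is a documentation range).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 56142 typ host generation 0",
  "candidate:2 1 udp 1686052607 203.0.113.45 56142 typ srflx raddr 192.168.1.23 rport 56142 generation 0",
  "candidate:3 1 tcp 1518280447 192.168.1.23 9 typ host tcptype active generation 0",
];

if (typeof RTCPeerConnection !== "undefined") {
  gatherCandidates().then((r) => console.log("addresses exposed by ICE:", r));
} else {
  console.log(summarizeCandidates(SAMPLE_CANDIDATES));
}
```

Paste the gathering part into a browser console while connected to the VPN: if `public` holds anything other than the VPN exit address, the VPN does not cover the browser's UDP traffic, and the fix is on the browser side (disabling non-proxied UDP or WebRTC entirely), not in the VPN client.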
cybersecurity  webrtc  vpn  privacy 
april 2018 by bwiese
Facebook Keeps Tabs on Android SMS and calls - Infosecurity Magazine
Facebook had been collecting call records and SMS messages.

Following the report by Ars Technica, Facebook posted a blog on March 25 2018, which said: “You may have seen some recent reports that Facebook has been logging people’s call and SMS (text) history without their permission. This is not the case.

“Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about and provides you with a better experience on Facebook.
facebook  privacy 
march 2018 by bwiese
Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds
Israeli U.S. government manufacturer Cellebrite that it could unlock the latest Apple iPhone models, another service has emerged promising much the same. Except this time it comes from an unknown entity, an obscure American startup named Grayshift, which appears to be run by long-time U.S. intelligence agency contractors and an ex-Apple security engineer.

In recent weeks, its marketing materials have been disseminated around private online police and forensics groups, offering a $15,000 iPhone unlock tool named GrayKey, which permits 300 uses. That's for the online mode that requires constant connectivity at the customer end, whilst an offline version costs $30,000. The latter comes with unlimited uses.
iphone  cybersecurity  privacy  unlock 
march 2018 by bwiese
Yes, Cops Are Now Opening iPhones With Dead People's Fingerprints
no privacy for the dead - now relatively common for fingerprints of the deceased to be depressed on the scanner of Apple iPhones, devices which have been wrapped up in increasingly powerful encryption over recent years. For instance, the technique has been used in overdose cases, said one source. In such instances, the victim's phone could contain information leading directly to the dealer.
privacy  iphone  police 
march 2018 by bwiese
US Intelligence Chiefs Agree Huawei Is Not to Be Trusted—Even as FBI Pushes for Backdoors
concerns about the trustworthiness of these Chinese companies seem hugely hypocritical when you consider that the FBI asked Apple to create a special government-only backdoor into iOS—and continues to push the need for encryption backdoors—which is the exact thing they are worried about the People’s Republic doing with Apple’s Chinese competitors. On top of that, it's not like Huawei or ZTE are new companies, with Huawei even being responsible for much of the hardware in Google’s Nexus 6P back in 2015.
cybersecurity  hauwei  fbi  nsa  google  privacy 
february 2018 by bwiese
FedEx Customer Data Exposed on Unsecured S3 Server
Although the organization was closed, data inherited from 2009-2012 remained available on the server, exposing personal identifiable information from citizens representing Canada, Japan, China, Australia, the EU, and other countries until the bucket was removed from public access this month. The server contained more than 119,000 scanned documents including passports, driver's licenses, and security IDs, in addition to scanned "Applications for Delivery of Mail Through Agent" forms with names, home addresses, phone numbers, and zip codes.

easier to look for data left on misconfigured S3 servers. The service, dubbed BuckHacker, lets people search by file name or bucket name, which may include the name of the business using the server
privacy  s3  fedex  aws  cybersecurity 
february 2018 by bwiese
Data Privacy Day is the perfect time to consider the implications of GDPR
GDPR as Global Data Protection Regulation (to be clear, GDPR stands for General Data Protection Regulation). At first I thought it was a typo, but then I realized the author might have been making a point, because GDPR does have global implications.

There’s not enough space here to detail the journey from the 1981 Convention to the GDPR, which goes into effect May 25, 2018 (as discussed in numerous WeLiveSecurity articles). That journey passes through the previously mentioned EU Data Protection Directive of 1995 which mandated that a uniform set of legal protections for personally identifiable data be implemented in the laws of each EU country.
privacy  internet  security 
february 2018 by bwiese
[1802.01468] PinMe: Tracking a Smartphone User around the World
In this paper, we demonstrate that neither of the above-mentioned requirements is essential for compromising the user's location privacy. We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment's air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user's location when all location services, e.g., GPS, are turned off.
gps  cellphone  privacy  location 
february 2018 by bwiese
How we found the identity of military personnel using Strava
Within a couple of hours, we were able to map the identity of 18 people from Norway, Denmark, USA, France, the Netherlands, Italy and England.

This is not a critique of Strava’s security: For its actual purpose, Flyby has real value. The problem is human: Understanding the implications of recording and broadcasting location data, when your current situation might make it a matter of life and death.
strava  gps  privacy  running  iraq  afghanistan  war 
february 2018 by bwiese
GitHub - jbtronics/CrookedStyleSheets: Webpage tracking only using CSS (and no JS)
Proof of concept for website tracking/analytics using only CSS and without JavaScript.

We can gather some basic information about the user, like the screen resolution (when the browser is maximized) and which browser (or engine) is used.

Further, we can detect if a user clicks a link or hovers with the mouse over an element. This can be used to track which (external) links a user visits using the hover method. It should even be possible to track how the user moved their mouse (using an invisible table of fields in the page background). However, using my method it's only possible to track when a user visits a link or hovers over a field for the first time. Maybe it's possible to modify the method so that it is possible to track every click.

Furthermore, it is possible to detect if a user has installed a specific font. Based on this information, it should be possible to detect the user's OS, because different operating systems ship different fonts, such as "Calibri" on Windows.
html  css  tracking  privacy 
january 2018 by bwiese
U.S. soldiers are revealing sensitive and dangerous information by jogging
The Global Heat Map, published by the GPS tracking company Strava, uses satellite information to map the locations and movements of subscribers to the company's fitness service. The map is not live — rather, it shows a pattern of accumulated activity between 2015 and September 2017.

The Global Heat Map was posted online in November 2017, but the information it contains was publicized Saturday only after a 20-year-old Australian student stumbled across it. Nathan Ruser, who is studying international security and the Middle East
opsec  privacy  running  maps  military  afghanistan 
january 2018 by bwiese
ICE has struck a deal to track license plates across the US - The Verge
ICE agents would be able to query that database in two ways. A historical search would turn up every place a given license plate has been spotted in the last five years, a detailed record of the target’s movements. That data could be used to find a given subject’s residence or even identify associates if a given car is regularly spotted in a specific parking lot.

sheer scale of Vigilant’s network, assembled almost entirely outside of public accountability. “If ICE were to propose a system that would do what Vigilant does, there would be a huge privacy uproar and I don’t think Congress would approve it,” Stanley says. “But because it’s a private contract, they can sidestep that process.”
licenseplate  privacy  immigration  policestate 
january 2018 by bwiese
Spinner: Semi-Automatic Detection of Pinning without Hostname Verification
We present Spinner, a new tool for black-box testing for this vulnerability at scale that does not require purchasing any certificates. By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning. We use Spinner to analyse 400 security-sensitive Android and iPhone apps. We found that 9 apps had this flaw, including two of the largest banks in the world: Bank of America and HSBC. We also found that TunnelBear, one of the most popular VPN apps was also vulnerable. These apps have a joint user base of tens of millions of users.
tls  cybersecurity  app  banking  compsci  privacy  certificatepinning 
december 2017 by bwiese
HALF A BILLION TERRORISTS: WhatsApp encrypts ALL its worldwide jabber • The Register
The open-source TextSecure software allows two devices to exchange encryption and decryption keys in a way that an eavesdropper and the TextSecure servers cannot crack. Assuming WhatsApp uses the same system, and hasn't compromised it for the feds, WhatsApp can't decrypt messages in transit, and TextSecure encrypts data at rest
imessage  privacy  security  encryption  textsecure  whatsapp 
february 2015 by bwiese
Ueli Steck the Swiss Superman Ice Climber | Outside Athletes
At last I start to get it: it’s another Swiss thing. In the U.S., we tend to be forgiving of others’ flaws, especially if they’ve parlayed them into strengths. But in Switzerland, comeback kids are rare; the Swiss find nothing at all to admire about shortcomings. You either do something well or you go practice quietly on your own until you’re competent.

“There are great swaths of the U.S. where people don’t even know what climbing is,” says Viesturs. “Think anyone in the Midwest is going to buy an Ed Viesturs chocolate bar?”

like most Swiss, he draws a firm line between work and play, I’ve been ordered not to contact Nicole or his family, which irks me.

Audi Quattro parked in the driveway. The German car company gives Steck a new one every year to drive for free. I’m too polite to ask what he earns, but from the looks of things the Stecks are solidly middle-class. “I never expected to make a living from climbing,”
training  mountaineering  climbing  celebrity  privacy  interview  culture  switzerland  uelisteck 
december 2014 by bwiese
Tor plays down fears that network analysis attack could identify users - SC Magazine UK
"Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections," reads the paper.

"Although the capacity of current networks makes packet-level monitoring at such a scale quite challenging, adversaries could potentially use less accurate but readily available traffic monitoring functionality, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks."
anonymous  research  privacy  security  netflow  tor 
november 2014 by bwiese
Secrets, lies and Snowden's email: why I was forced to shut down Lavabit | Comment is free
But that wasn't enough. The federal agents then claimed that their court order required me to surrender my company's private encryption keys, and I balked. What they said they needed were customer passwords – which were sent securely – so that they could access the plain-text versions of messages from customers using my company's encrypted storage feature. (The government would later claim they only made this demand because of my "noncompliance".)

Bothered by what the agents were saying, I informed them that I would first need to read the order they had just delivered – and then consult with an attorney. The feds seemed surprised by my hesitation.

What ensued was a flurry of legal proceedings that would last 38 days, ending not only my startup but also destroying, bit by bit, the very principle upon which I founded it – that we all have a right to personal privacy.
fbi  encryption  lavabit  snowden  privacy 
may 2014 by bwiese
Choose whether to show images - Gmail Help
How Gmail makes images safe

Some senders try to use externally linked images in harmful ways, but Gmail takes action to ensure that images are loaded safely. Gmail serves all images through Google’s image proxy servers and transcodes them before delivery to protect you in the following ways:

Senders can’t use image loading to get information like your IP address or location.
Senders can’t set or read cookies in your browser.
Gmail checks your images for known viruses or malware.
In some cases, senders may be able to know whether an individual has opened a message with unique image links. As always, Gmail scans every message for suspicious content and if Gmail considers a sender or message potentially suspicious, images won’t be displayed and you’ll be asked whether you want to see the images.
privacy  security  google  images  gmail 
december 2013 by bwiese
Ask The Headhunter: A Challenge to LinkedIn -- Grow Some Integrity! | The Business Desk with Paul Solman | PBS NewsHour | PBS
Enough Already

The user has already declined three times to provide access to all his contacts. Now he is asked a fourth time. Is it any wonder that some users finally acquiesce, even if it's only because they're confused about whether LinkedIn already has their email information?
socialnetwork  legal  privacy  linkedin  email 
october 2013 by bwiese
ssh tunnel via multiple hops - Super User
3. Tunnel from localhost to host1 and from localhost to host2:

ssh -L 9998:host2:22 -N host1
ssh -L 9999:localhost:1234 -N -p 9998 localhost

This will open a tunnel from localhost to host1 through which the SSH service on host2 can be used. Then a second tunnel is opened from localhost to host2 through the first tunnel.

Option 3 is mainly useful to access a service on host2 that is only reachable from host2 itself.
howto  privacy  sysadmin  unix  tunnel  ssh 
august 2013 by bwiese
BBC News - Europe alarmed by US surveillance
He said the commission would raise the issue with the US at a meeting in Dublin on Friday. The German MEP, Manfred Weber, said it was "completely unacceptable" that the US has different rules for its own citizens and those of other countries. A Dutch MEP, Sophie In't Veld, criticised the commission for failing to protect EU citizens.

She said the reports of surveillance cast doubt on the special relationship between Europe and the US. But the British MEP Timothy Kirkhope warned against knee-jerk anti-Americanism, saying "friends listen most when you talk and not when you shout."
europe  news  bbc  internet  privacy  nsa  prism 
june 2013 by bwiese
U.S. Maintains Vast Database of Phone Calls, Lawmakers Say
The program appears to warehouse and analyze calling “metadata” — time and number logs showing when communications have been made, but not their content or the name of any subscriber — that the government analyzes to try to identify terrorists. Mr. Chambliss, the intelligence panel’s top Republican, said that under the rules of the program, when a computer program flags a number as suspicious, the authorities return to the national security court for permission to scrutinize that person more closely.

“It’s metadata only and it’s what we call minimized,” Mr. Chambliss said. “All of these numbers are basically ferreted out by a computer, but if there’s a number that matches a terrorist number that has been dialed by a U.S. number or dialed from a terrorist to a U.S. number, then that may be flagged. And they may or may not seek a court order to go further on that particular instance. But that’s the only time that this information is ever used in any kind of substantive way.”
terrorism  patriotact  law  congress  4a  privacy  nsa 
june 2013 by bwiese
Here's a Good Reason to Encrypt Your Data | Threat Level
Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, stressed that the decision was important, and not because it might hinder a kiddie-porn prosecution.

“This isn’t just about child porn. It’s about anything on your computer that prosecutors or government officials may want,” he said in a telephone interview.

Federal prosecutors did not immediately respond for comment, but said in court papers they have spent months trying to decrypt the data.
supremecourt  court  crypto  encryption  legal  law  5A  constitution  privacy 
june 2013 by bwiese
Google Public Policy Blog: Plan your digital afterlife with Inactive Account Manager
The feature is called Inactive Account Manager — not a great name, we know — and you’ll find it on your Google Account settings page. You can tell us what to do with your Gmail messages and data from several other Google services if your account becomes inactive for any reason.

For example, you can choose to have your data deleted — after three, six, nine or 12 months of inactivity. Or you can select trusted contacts to receive data from some or all of the following services: +1s; Blogger; Contacts and Circles; Drive; Gmail; Google+ Profiles, Pages and Streams; Picasa Web Albums; Google Voice and YouTube. Before our systems take any action, we’ll first warn you by sending a text message to your cellphone and email to the secondary address you’ve provided.

We hope that this new feature will enable you to plan your digital afterlife — in a way that protects your privacy and security — and make life easier for your loved ones after you’re gone.
privacy  data  death  google 
april 2013 by bwiese
Inactive Account Manager - Account Settings
What should happen to your photos, emails and documents when you stop using your account? Google puts you in control.

You might want your data to be shared with a trusted friend or family member, or, you might want your account to be deleted entirely. There are many situations that might prevent you from accessing or using your Google account. Whatever the reason, we give you the option of deciding what happens to your data.

Using Inactive Account Manager, you can decide if and when your account is treated as inactive, what happens with your data and who is notified.
privacy  internet  data  death  google 
april 2013 by bwiese
What It Feels Like To Be Photographed In A Moment Of Grief : The Picture Show : NPR
Her mood changed abruptly, she says, when "all of a sudden I hear 'clickclickclickclickclick' all over the place. And there are people in the bushes, all around me, and they are photographing me, and now I'm pissed. I felt like a zoo animal."

What particularly troubles her, she says, is "no one came up to me and said 'Hi, I'm from this paper and I took your photograph.' No one introduced themselves. I felt violated. And yes, it was a lovely photograph, but there is a sense of privacy in a moment like that, and they didn't ask."

One is that they can obtain accurate caption information — which ultimately adds more meaning, value and credibility to the photo for the reader. The other is that it can make the experience of being photographed more rewarding for the subject — even in a moment of extreme grief.
prayer  streetphotography  newtown  news  privacy  modelrelease  photography  emotion 
january 2013 by bwiese
Schneier on Security: DHS Gets to Spy on Everyone
Now, NCTC can copy entire government databases -- flight records, casino-employee lists, the names of Americans hosting foreign-exchange students and many others. The agency has new authority to keep data about innocent U.S. citizens for up to five years, and to analyze it for suspicious patterns of behavior. Previously, both were prohibited. Data about Americans "reasonably believed to constitute terrorism information" may be permanently retained.
privacy  government  terrorism 
january 2013 by bwiese