Skip to main content

Home/ Future of the Web/ Group items tagged insecure

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

We Need to Save the Internet from the Internet of Things | Motherboard - 0 views

motherboard.vice.com/...et-from-the-internet-of-things

cybersecurity Internet-of-things DDOS

shared by Paul Merrell on 16 Oct 16 - No Cached
  • Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other internet-connected systems to crash by overloading them with traffic. The "distributed" part means that other insecure computers on the internet—sometimes in the millions—are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire. Basically, it's a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender's capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win. What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
  • Paul Merrell on 16 Oct 16
     
    Bruce Schneier pointing to a massive security hole in the Internet of Things ("IoT").
Gonzalo San Gil, PhD.

uProxy - 0 views

www.uproxy.org

uProxy Internet browser extension allowance connection share...

shared by Gonzalo San Gil, PhD. on 16 Sep 15 - No Cached
  • Gonzalo San Gil, PhD. on 16 Sep 15
     
    "uProxy is a browser extension that lets friends route their connection to their Internet through each other's computers. It can help people with restricted or insecure access to the Internet get to the content they care about safely. Learn more"
  • Gonzalo San Gil, PhD. on 16 Sep 15
     
    "uProxy is a browser extension that lets friends route their connection to their Internet through each other's computers. It can help people with restricted or insecure access to the Internet get to the content they care about safely. Learn more"
Paul Merrell

Reset The Net - Privacy Pack - 1 views

pack.resetthenet.org

surveillance state digital-privacy NSA-reform Reset-the-Net

shared by Paul Merrell on 03 Jun 14 - No Cached
  • This June 5th, I pledge to take strong steps to protect my freedom from government mass surveillance. I expect the services I use to do the same.
  • Fight for the Future and Center for Rights will contact you about future campaigns. Privacy Policy
  • Paul Merrell on 03 Jun 14
     
    I wound up joining this campaign at the urging of the ACLU after checking the Privacy Policy. The Reset the Net campaign seems to be endorsed by a lot of change-oriented groups, from the ACLU to Greenpeac to the Pirate Party. A fair number of groups with a Progressive agenda, but certainly not limited to them. The right answer to that situation is to urge other groups to endorse, not to avoid the campaign. Single-issue coalition-building is all about focusing on an area of agreement rather than worrying about who you are rubbing elbows with.  I have been looking for a a bipartisan group that's tackling government surveillance issues via mass actions but has no corporate sponsors. This might be the one. The reason: Corporate types like Google have no incentive to really butt heads with the government voyeurs. They are themselves engaged in massive surveillance of their users and certainly will not carry the battle for digital privacy over to the private sector. But this *is* a battle over digital privacy and legally defining user privacy rights in the private sector is just as important as cutting back on government surveillance. As we have learned through the Snowden disclosures, what the private internet companies have, the NSA can and does get.  The big internet services successfully pushed in the U.S. for authorization to publish more numbers about how many times they pass private data to the government, but went no farther. They wanted to be able to say they did something, but there's a revolving door of staffers between NSA and the big internet companies and the internet service companies' data is an open book to the NSA.   The big internet services are not champions of their users' privacy. If they were, they would be featuring end-to-end encryption with encryption keys unique to each user and unknown to the companies.  Like some startups in Europe are doing. E.g., the Wuala.com filesync service in Switzerland (first 5 GB of storage free). Compare tha
  • Gonzalo San Gil, PhD. on 04 Jun 14
     
    "This June 5th, I pledge to take strong steps to protect my freedom from government mass surveillance. I expect the services I use to do the same."
  • Paul Merrell on 07 Jun 14
     
    I wound up joining this campaign at the urging of the ACLU after checking the Privacy Policy. The Reset the Net campaign seems to be endorsed by a lot of change-oriented groups, from the ACLU to Greenpeac to the Pirate Party. A fair number of groups with a Progressive agenda, but certainly not limited to them. The right answer to that situation is to urge other groups to endorse, not to avoid the campaign. Single-issue coalition-building is all about focusing on an area of agreement rather than worrying about who you are rubbing elbows with.  I have been looking for a a bipartisan group that's tackling government surveillance issues via mass actions but has no corporate sponsors. This might be the one. The reason: Corporate types like Google have no incentive to really butt heads with the government voyeurs. They are themselves engaged in massive surveillance of their users and certainly will not carry the battle for digital privacy over to the private sector. But this *is* a battle over digital privacy and legally defining user privacy rights in the private sector is just as important as cutting back on government surveillance. As we have learned through the Snowden disclosures, what the private internet companies have, the NSA can and does get.  The big internet services successfully pushed in the U.S. for authorization to publish more numbers about how many times they pass private data to the government, but went no farther. They wanted to be able to say they did something, but there's a revolving door of staffers between NSA and the big internet companies and the internet service companies' data is an open book to the NSA.   The big internet services are not champions of their users' privacy. If they were, they would be featuring end-to-end encryption with encryption keys unique to each user and unknown to the companies.  Like some startups in Europe are doing. E.g., the Wuala.com filesync service in Switzerland (first 5 GB of storage free). Com
Gonzalo San Gil, PhD.

Why Linux Distros Look Insecure Even Though They're Not | FOSS Force - 0 views

fossforce.com/...nsecure-even-though-theyre-not

linux distros look insecure but false open source more security than proprietary

shared by Gonzalo San Gil, PhD. on 06 Mar 16 - No Cached
  • Gonzalo San Gil, PhD. on 06 Mar 16
     
    "Robin "Roblimo" Miller The transparency of open software means that security vulnerabilities are visible and can't be quietly swept under the rug."
Paul Merrell

The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters | Motherboard - 0 views

motherboard.vice.com/...-large-scale-internet-disaster

computer-security Internet-of-things Scneier

shared by Paul Merrell on 15 Aug 16 - No Cached
  • Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).
  • So far, internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by—presumptively—China in 2015. On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door—or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location. With the advent of the Internet of Things and cyber-physical systems in general, we've given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete. Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.
  • Paul Merrell on 15 Aug 16
     
    Bruce Scneier on the insecurity of the Internet of Things, and possible consequences.
Paul Merrell

EXCLUSIVE: Edward Snowden Explains Why Apple Should Continue To Fight the Government on... - 0 views

firstlook.org/...ryption-just-doesnt-make-sense

surveillance state encryption Apple Google Snowden Comey back-door-debate

shared by Paul Merrell on 03 Aug 15 - No Cached
  • As the Obama administration campaign to stop the commercialization of strong encryption heats up, National Security Agency whistleblower Edward Snowden is firing back on behalf of the companies like Apple and Google that are finding themselves under attack. “Technologists and companies working to protect ordinary citizens should be applauded, not sued or prosecuted,” Snowden wrote in an email through his lawyer. Snowden was asked by The Intercept to respond to the contentious suggestion — made Thursday on a blog that frequently promotes the interests of the national security establishment — that companies like Apple and Google might in certain cases be found legally liable for providing material aid to a terrorist organization because they provide encryption services to their users.
  • In his email, Snowden explained how law enforcement officials who are demanding that U.S. companies build some sort of window into unbreakable end-to-end encryption — he calls that an “insecurity mandate” — haven’t thought things through. “The central problem with insecurity mandates has never been addressed by its proponents: if one government can demand access to private communications, all governments can,” Snowden wrote. “No matter how good the reason, if the U.S. sets the precedent that Apple has to compromise the security of a customer in response to a piece of government paper, what can they do when the government is China and the customer is the Dalai Lama?”
  • Weakened encryption would only drive people away from the American technology industry, Snowden wrote. “Putting the most important driver of our economy in a position where they have to deal with the devil or lose access to international markets is public policy that makes us less competitive and less safe.”
  • ...1 more annotation...
  • FBI Director James Comey and others have repeatedly stated that law enforcement is “going dark” when it comes to the ability to track bad actors’ communications because of end-to-end encrypted messages, which can only be deciphered by the sender and the receiver. They have never provided evidence for that, however, and have put forth no technologically realistic alternative. Meanwhile, Apple and Google are currently rolling out user-friendly end-to-end encryption for their customers, many of whom have demanded greater privacy protections — especially following Snowden’s disclosures.
Paul Merrell

What is Boxcryptor | Easy to use encryption for cloud storage | boxcryptor.com - 0 views

www.boxcryptor.com/boxcryptor

cloud security end-to-end-encryption

shared by Paul Merrell on 25 Mar 15 - No Cached
  • Boxcryptor is an easy-to-use encryption software optimized for the cloud. It allows the secure use of cloud storage services without sacrificing comfort. Boxcryptor supports all major cloud storage providers (such as Dropbox, Google Drive, Microsoft OneDrive, SugarSync) and supports all the clouds that use the WebDAV standard (such as Cubby, Strato HiDrive, and ownCloud). With Boxcryptor your files go protected to your cloud provider and you can enjoy peace of mind knowing that your information cannot fall into the wrong hands. Here is how it works: Boxcryptor creates a virtual drive on your computer that allows you to encrypt your files locally before uploading them to your cloud or clouds of choice. It encrypts individual files - and does not create containers. Any file dropped into an encrypted folder within the Boxcryptor drive will get automatically encrypted before it is synced to the cloud. To protect your files, Boxcryptor uses the AES-256 and RSA encryption algorithms.
  • Paul Merrell on 25 Mar 15
     
    Free for personal use. I haven't tried this yet, but the need for it has been near the top of my head since I first tried Dropbox and then realized how insecure it was. I tried a lot of sync services, but am now using Wuala, which features end-to-end encryption baked into the client software. But I also use MEGAsync for remote backup so I'[ll probably be trying this out with that service. I hope there's a way to sync the two programs.
Paul Merrell

He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen. - 2 views

theintercept.com/...o-talk-i-was-willing-to-listen

surveillance state NSA-hacker-interview

shared by Paul Merrell on 03 Jul 16 - No Cached
  • he message arrived at night and consisted of three words: “Good evening sir!” The sender was a hacker who had written a series of provocative memos at the National Security Agency. His secret memos had explained — with an earthy use of slang and emojis that was unusual for an operative of the largest eavesdropping organization in the world — how the NSA breaks into the digital accounts of people who manage computer networks, and how it tries to unmask people who use Tor to browse the web anonymously. Outlining some of the NSA’s most sensitive activities, the memos were leaked by Edward Snowden, and I had written about a few of them for The Intercept. There is no Miss Manners for exchanging pleasantries with a man the government has trained to be the digital equivalent of a Navy SEAL. Though I had initiated the contact, I was wary of how he might respond. The hacker had publicly expressed a visceral dislike for Snowden and had accused The Intercept of jeopardizing lives by publishing classified information. One of his memos outlined the ways the NSA reroutes (or “shapes”) the internet traffic of entire countries, and another memo was titled “I Hunt Sysadmins.” I felt sure he could hack anyone’s computer, including mine. Good evening sir!
  • The sender was a hacker who had written a series of provocative memos at the National Security Agency. His secret memos had explained — with an earthy use of slang and emojis that was unusual for an operative of the largest eavesdropping organization in the world — how the NSA breaks into the digital accounts of people who manage computer networks, and how it tries to unmask people who use Tor to browse the web anonymously. Outlining some of the NSA’s most sensitive activities, the memos were leaked by Edward Snowden, and I had written about a few of them for The Intercept. There is no Miss Manners for exchanging pleasantries with a man the government has trained to be the digital equivalent of a Navy SEAL. Though I had initiated the contact, I was wary of how he might respond. The hacker had publicly expressed a visceral dislike for Snowden and had accused The Intercept of jeopardizing lives by publishing classified information. One of his memos outlined the ways the NSA reroutes (or “shapes”) the internet traffic of entire countries, and another memo was titled “I Hunt Sysadmins.” I felt sure he could hack anyone’s computer, including mine.
  • I got lucky with the hacker, because he recently left the agency for the cybersecurity industry; it would be his choice to talk, not the NSA’s. Fortunately, speaking out is his second nature.
  • ...7 more annotations...
  • He agreed to a video chat that turned into a three-hour discussion sprawling from the ethics of surveillance to the downsides of home improvements and the difficulty of securing your laptop.
  • In recent years, two developments have helped make hacking for the government a lot more attractive than hacking for yourself. First, the Department of Justice has cracked down on freelance hacking, whether it be altruistic or malignant. If the DOJ doesn’t like the way you hack, you are going to jail. Meanwhile, hackers have been warmly invited to deploy their transgressive impulses in service to the homeland, because the NSA and other federal agencies have turned themselves into licensed hives of breaking into other people’s computers. For many, it’s a techno sandbox of irresistible delights, according to Gabriella Coleman, a professor at McGill University who studies hackers. “The NSA is a very exciting place for hackers because you have unlimited resources, you have some of the best talent in the world, whether it’s cryptographers or mathematicians or hackers,” she said. “It is just too intellectually exciting not to go there.”
  • The Lamb’s memos on cool ways to hunt sysadmins triggered a strong reaction when I wrote about them in 2014 with my colleague Ryan Gallagher. The memos explained how the NSA tracks down the email and Facebook accounts of systems administrators who oversee computer networks. After plundering their accounts, the NSA can impersonate the admins to get into their computer networks and pilfer the data flowing through them. As the Lamb wrote, “sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network … who better to target than the person that already has the ‘keys to the kingdom’?” Another of his NSA memos, “Network Shaping 101,” used Yemen as a theoretical case study for secretly redirecting the entirety of a country’s internet traffic to NSA servers.
  • “If I turn the tables on you,” I asked the Lamb, “and say, OK, you’re a target for all kinds of people for all kinds of reasons. How do you feel about being a target and that kind of justification being used to justify getting all of your credentials and the keys to your kingdom?” The Lamb smiled. “There is no real safe, sacred ground on the internet,” he replied. “Whatever you do on the internet is an attack surface of some sort and is just something that you live with. Any time that I do something on the internet, yeah, that is on the back of my mind. Anyone from a script kiddie to some random hacker to some other foreign intelligence service, each with their different capabilities — what could they be doing to me?”
  • “You know, the situation is what it is,” he said. “There are protocols that were designed years ago before anybody had any care about security, because when they were developed, nobody was foreseeing that they would be taken advantage of. … A lot of people on the internet seem to approach the problem [with the attitude of] ‘I’m just going to walk naked outside of my house and hope that nobody looks at me.’ From a security perspective, is that a good way to go about thinking? No, horrible … There are good ways to be more secure on the internet. But do most people use Tor? No. Do most people use Signal? No. Do most people use insecure things that most people can hack? Yes. Is that a bash against the intelligence community that people use stuff that’s easily exploitable? That’s a hard argument for me to make.”
  • I mentioned that lots of people, including Snowden, are now working on the problem of how to make the internet more secure, yet he seemed to do the opposite at the NSA by trying to find ways to track and identify people who use Tor and other anonymizers. Would he consider working on the other side of things? He wouldn’t rule it out, he said, but dismally suggested the game was over as far as having a liberating and safe internet, because our laptops and smartphones will betray us no matter what we do with them. “There’s the old adage that the only secure computer is one that is turned off, buried in a box ten feet underground, and never turned on,” he said. “From a user perspective, someone trying to find holes by day and then just live on the internet by night, there’s the expectation [that] if somebody wants to have access to your computer bad enough, they’re going to get it. Whether that’s an intelligence agency or a cybercrimes syndicate, whoever that is, it’s probably going to happen.”
  • There are precautions one can take, and I did that with the Lamb. When we had our video chat, I used a computer that had been wiped clean of everything except its operating system and essential applications. Afterward, it was wiped clean again. My concern was that the Lamb might use the session to obtain data from or about the computer I was using; there are a lot of things he might have tried, if he was in a scheming mood. At the end of our three hours together, I mentioned to him that I had taken these precautions—and he approved. “That’s fair,” he said. “I’m glad you have that appreciation. … From a perspective of a journalist who has access to classified information, it would be remiss to think you’re not a target of foreign intelligence services.” He was telling me the U.S. government should be the least of my worries. He was trying to help me. Documents published with this article: Tracking Targets Through Proxies & Anonymizers Network Shaping 101 Shaping Diagram I Hunt Sys Admins (first published in 2014)
Paul Merrell

New open-source router firmware opens your Wi-Fi network to strangers | Ars Technica - 0 views

arstechnica.com/...our-wi-fi-network-to-strangers

open-wireless routers EFF

shared by Paul Merrell on 24 Jun 14 - No Cached
  • We’ve often heard security folks explain their belief that one of the best ways to protect Web privacy and security on one's home turf is to lock down one's private Wi-Fi network with a strong password. But a coalition of advocacy organizations is calling such conventional wisdom into question. Members of the “Open Wireless Movement,” including the Electronic Frontier Foundation (EFF), Free Press, Mozilla, and Fight for the Future are advocating that we open up our Wi-Fi private networks (or at least a small slice of our available bandwidth) to strangers. They claim that such a random act of kindness can actually make us safer online while simultaneously facilitating a better allocation of finite broadband resources. The OpenWireless.org website explains the group’s initiative. “We are aiming to build technologies that would make it easy for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access," its mission statement reads. "And we are working to debunk myths (and confront truths) about open wireless while creating technologies and legal precedent to ensure it is safe, private, and legal to open your network.”
  • One such technology, which EFF plans to unveil at the Hackers on Planet Earth (HOPE X) conference next month, is open-sourced router firmware called Open Wireless Router. This firmware would enable individuals to share a portion of their Wi-Fi networks with anyone nearby, password-free, as Adi Kamdar, an EFF activist, told Ars on Friday. Home network sharing tools are not new, and the EFF has been touting the benefits of open-sourcing Web connections for years, but Kamdar believes this new tool marks the second phase in the open wireless initiative. Unlike previous tools, he claims, EFF’s software will be free for all, will not require any sort of registration, and will actually make surfing the Web safer and more efficient.
  • Kamdar said that the new firmware utilizes smart technologies that prioritize the network owner's traffic over others', so good samaritans won't have to wait for Netflix to load because of strangers using their home networks. What's more, he said, "every connection is walled off from all other connections," so as to decrease the risk of unwanted snooping. Additionally, EFF hopes that opening one’s Wi-Fi network will, in the long run, make it more difficult to tie an IP address to an individual. “From a legal perspective, we have been trying to tackle this idea that law enforcement and certain bad plaintiffs have been pushing, that your IP address is tied to your identity. Your identity is not your IP address. You shouldn't be targeted by a copyright troll just because they know your IP address," said Kamdar.
  • ...1 more annotation...
  • While the EFF firmware will initially be compatible with only one specific router, the organization would like to eventually make it compatible with other routers and even, perhaps, develop its own router. “We noticed that router software, in general, is pretty insecure and inefficient," Kamdar said. “There are a few major players in the router space. Even though various flaws have been exposed, there have not been many fixes.”
Paul Merrell

Beijing Strikes Back in US-China Tech Wars | The Diplomat - 0 views

thediplomat.com/...kes-back-in-us-china-tech-wars

surveillance state China tech-security

shared by Paul Merrell on 11 Mar 15 - No Cached
  • China’s new draft anti-terror legislation has sent waves across the U.S. tech community. If there is a brewing tech war between U.S. and China over government surveillance backdoors and a preference for indigenous software, China’s new draft terror law makes it clear that Beijing is happy to give the United States a taste of its own medicine. The law has already drawn considerable criticism from international human rights groups, including Amnesty International and Human Rights Watch for its purported attempts to legitimize wanton human rights violations in the name of counter-terrorism. Additionally, China has opted to implement its own definition of terrorism, placing  “any thought, speech, or activity that, by means of violence, sabotage, or threat, aims to generate social panic, influence national policy-making, create ethnic hatred, subvert state power, or split the state” under the umbrella of the overused T-word. The problematic human rights issues aside, the draft anti-terror law will have important implications for foreign tech firms within China. According to Reuters’ reporting on the draft anti-terror law, counter-terrorism precautions by the Chinese government would essentially require foreign firms to “hand over encryption keys and install security ‘backdoors’” into their software. Additionally, these firms would have to store critical data — certainly data on Chinese citizens and residents — on Chinese soil. The onerous implications of this law could have lead to an immediate freeze to the activities of several Western tech companies in China, the world’s second largest economy and a booming emerging market for new technologies.
  • On the surface, the most troublesome implication of this law is that in order to comply with this law, Western firms, including non-technical ventures such as financial institutions and manufacturers, will be forced to give up a great deal of security. In essence, corporate secrets, financial data — all critical data — would be insecure and available for access by Chinese regulators. The new law would also prohibit the use of secure virtual private networks (VPNs) to get around these requirements.
  • The U.S. diplomatic response to Beijing’s new draft law is perhaps best captured in the fact that a whopping four cabinet members in the Obama administration, including Secretary of State John Kerry and U.S. Trade Representative Michael Froman, wrote the Chinese government expressing “serious concern.” China, for its part, seemed unfazed by U.S. concerns. Foreign Ministry spokesperson Hua Chunying told the press that she hoped the United States would view the new anti-terror precautions in “in a calm and objective way.” Indeed, following Edward Snowden’s revelations regarding the extent of the United States’ surveillance of private firms both within and outside the United States, Beijing likely views U.S. concerns as hypocritical. One U.S. industry source told Reuters that the new law was ”the equivalent of the Patriot Act on really, really strong steroids.”
Paul Merrell

Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls |... - 0 views

www.eff.org/...verizon-x-uidh

surveillance state Verizon X-UIDH tracker

shared by Paul Merrell on 04 Nov 14 - No Cached
  • Verizon users might want to start looking for another provider. In an effort to better serve advertisers, Verizon Wireless has been silently modifying its users' web traffic on its network to inject a cookie-like tracker. This tracker, included in an HTTP header called X-UIDH, is sent to every unencrypted website a Verizon customer visits from a mobile device. It allows third-party advertisers and websites to assemble a deep, permanent profile of visitors' web browsing habits without their consent.Verizon apparently created this mechanism to expand their advertising programs, but it has privacy implications far beyond those programs. Indeed, while we're concerned about Verizon's own use of the header, we're even more worried about what it allows others to find out about Verizon users. The X-UIDH header effectively reinvents the cookie, but does so in a way that is shockingly insecure and dangerous to your privacy. Worse still, Verizon doesn't let users turn off this "feature." In fact, it functions even if you use a private browsing mode or clear your cookies. You can test whether the header is injected in your traffic by visiting lessonslearned.org/sniff or amibeingtracked.com over a cell data connection.How X-UIDH Works, and Why It's a Problem
  • To compound the problem, the header also affects more than just web browsers. Mobile apps that send HTTP requests will also have the header inserted. This means that users' behavior in apps can be correlated with their behavior on the web, which would be difficult or impossible without the header. Verizon describes this as a key benefit of using their system. But Verizon bypasses the 'Limit Ad Tracking' settings in iOS and Android that are specifically intended to limit abuse of unique identifiers by mobile apps.
  • Because the header is injected at the network level, Verizon can add it to anyone using their towers, even those who aren't Verizon customers.
  • ...1 more annotation...
  • We're also concerned that Verizon's failure to permit its users to opt out of X-UIDH may be a violation of the federal law that requires phone companies to maintain the confidentiality of their customers' data. Only two months ago, the wireline sector of Verizon's business was hit with a $7.4 million fine by the Federal Communications Commission after it was caught using its "customers' personal information for thousands of marketing campaigns without even giving them the choice to opt out." With this header, it looks like Verizon lets its customers opt out of the marketing side of the program, but not from the disclosure of their browsing habits.
Gonzalo San Gil, PhD.

The kernel of the argument over Linux's vulnerabilities | The Washington Post - 0 views

www.washingtonpost.com/...ity-the-kernel-of-the-argument

washingtonpost.com Linux kernel argument security use spreading worldwide Internet www web running open source free software

shared by Gonzalo San Gil, PhD. on 07 Nov 15 - No Cached
  • Gonzalo San Gil, PhD. on 07 Nov 15
     
    "Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses."
1 - 12 of 12
Showing 20 items per page