« August 2007 | Main | October 2007 »
September 28, 2007
Bill Would Up Fines for Slow ISP Response to Child Porn
Anne Broache has an entry on the Protecting Children in the 21st Century Act, which was approved by the Senate Commerce Committee yesterday.
ISPs face bigger fines if they don't alert law enforcement when they discover child pornography -- the amount was changed from $100,000 to $300,000 -- and it calls for a working group to review existing parental control technology, filtering software and other tools for effectiveness.
Broache's entry picks up another provision: ISP data retention policies will probably come up for review, too, renewing federal attempts to introduce longer periods before providers can dump logs.
Search engines, of course, already cite "child predators" as one reason they hold onto logs as long as they do.
Posted by mhall at 6:12 PM | Add Comment
September 27, 2007
Novel Gmail Vulnerability Creates Malicious Filters
GNUCitizen outlines a Gmail hijack technique that involves injecting a filter into the victim's Gmail account. Since Gmail filters can do all sorts of things, including just dumbly forwarding mail to some other address.
Two things:
From the comments in that entry, it looks like Google's already shutting down attempts to recreate the exploit by popping up "Sorry ... your account is malfunctioning" messages.
The problem is a little oversold in that blog entry:
I repeat, it is persistent. It is very critical and very unlikely that you will detect it unless you are an uber user.
If, by "uber user" we mean "people who use filters," because anyone who uses them and happens to look over his or her filter list will probably catch this.
Other comments in that entry note the Firefox add-on NoScript as a potential remedy for this attack and others like it.
I use NoScript and I admire its thoroughness if not its occasional inconvenience. It's a pain to hand-clear sites .... especially ones that use Javascript in a manner that they either fail to respond to clicks without obviously failing or whisk the user off to a 404 page if whatever automated URL generation that's supposed to happen in the page's code doesn't.
Pain or not, I'd rather deal with NoScript's occasional overprotectiveness than the alternative.
Posted by mhall at 3:04 PM | Add Comment
September 26, 2007
Shorter Pudding VoIP Premise: What's the Fourth Amendment Between Friends?
Pudding's been getting buzz for a few days.
Nutshell: Free VoIP, like Skype, only it will listen to your conversation for keywords and present contextual ads.
For one: Ew.
For two: Please do not ever call me using this service.
For three: Listen to your friends at the EFF who say this has ramifications way beyond the simple squick factor -- it could undermine your Fourth Amendment rights:
Perhaps the most chilling implication of this "service" is its potential impact on your constitutional right to privacy in your phone calls. Fourth Amendment protections against government eavesdropping rely on your having a "reasonable expectation of privacy" in your calls, something you'll arguably be trading away by using ThePudding.com's VoIP service. The government can and likely will argue -- as it has argued when it comes to your Gmail, in the case of U.S. v. Warshak -- that allowing a company to scan your communications for ad-serving purposes eliminates any Fourth Amendment privacy protections in those communications. Far from being "free", you may be paying for ThePudding.com's service with your constitutional rights.
Nice. And a handy rebuttal to the usual crowd of melonheads who show up to say "I traded away my privacy to Gmail a long time ago and I feel fine, ya chicken littles!"
Posted by mhall at 3:42 PM | Add Comment
September 25, 2007
Amazon mp3's: Watermarked, But Not Scarily
I wondered if Amazon was watermarking the MP3s it's selling with its newly launched service. Evidently it isn't, but some record labels do, but not in any way that allows the file to be linked to a specific purchaser.
That's good. I spent lunch comparing Amazon's selection with my music collection (and iTunes') and came up with just enough matches that I'm encouraged to look at Amazon first before buying anything: Costs less, no DRM (or fee for its lack). Finding out the files I was downloading were bugged would have been a bummer.
Posted by mhall at 7:00 PM | Add Comment
September 24, 2007
OpenID: With What Would You Entrust It?
Lifehacker's got an interesting rundown of what's good and bad about OpenID.
On the pro side: It's convenient when it's not inconvenient or plain old not working.
On the con side: It's potentially corrosive of your privacy and there are some real security issues that make its use for anything besides trivial signons (e.g. blog commenting) problematic.
Any temptation I've had to use OpenID has been mitigated by Password Composer, which I wrote about briefly over at Practically Networked last week.
Posted by mhall at 2:44 PM | Add Comment
September 22, 2007
Spammers Trying Out Google Queries of Mass Destruction
Spam filters are getting good at finding URLs that point to spam sites, so spammers have a new trick: They figure out the Google query that'll put their site at the top of the results and use that as the URL in the message, including a qualifier that turns the query into an "I Feel Lucky"/go-to-the-first-result-automatically search.
Posted by mhall at 1:33 PM | Add Comment
September 21, 2007
Telcos Scrambling for Wiretapping Immunity
An Ars Technica rundown on telcos seeking wiretapping immunity can take us into the weekend:
The list of allegations continues to lengthen. There are now several lawsuits under way concerning the NSA's domestic spying program. In addition, recent revelations have suggested that major carriers turned over customer data in response to the FBI's "exigent letters" despite the fact that those letters are not authorized by statute. [EFF legal director Cindy] Cohn notes that EFF's intimate involvement in both of those controversies makes the organization ideally situated to help the FCC begin an inquiry.
Cohn quotes section 222 of the Communications Act, which says that telecommunications carriers may not "use, disclose, or permit access to individually identifiable customer proprietary network information" except as required by law. It appears that neither the NSA's domestic spying program nor the FBI's "exigent letters" were authorized by statute, suggesting that AT&T, Verizon, and other communications providers broke the law if they provided information to the government in response to such requests.
Despite all this, the FCC wants little to do with investigating any of it, preferring to wait until an intensive lobbying effort by telcos can pay off in retroactive immunity for their illegal eavesdropping.
On Wednesday I linked to Glen Greenwald's comments on a New York Times report regarding that effort. Yesterday, Newsweek featured a much more thorough treatment:
The case for new legislation retroactively giving telecoms companies protection against private lawsuits—including lawsuits already pending—was outlined this week by Kenneth Wainstein, assistant attorney general for national security. At a House Judiciary Committee hearing chaired by Rep. John Conyers, a Michigan Democrat, Wainstein said that giving telecoms companies retroactive liability was a matter of "general fairness."
"I think it's sort of fundamentally unfair and just not right to—if a company allegedly assisted the government in its national-security efforts, in an effort to defend the country at a time of peril, that they then get turned around and face tremendously costly litigation and maybe even crushing liability for having helped the United States government at a time of need ... it's just not right," Wainstein testified.
That's an absurd rationale the EFF has identified for what it is: An effort to shut down or preempt any further inquiry into the nature of wiretap programs of questionable legality:
"It's clear the goal is to kill our case," said Cindy Cohn, legal director of the Electronic Frontier Foundation, a San Francisco-based privacy group that filed the main lawsuit against the telecoms after The New York Times first disclosed, in December 2005, that President Bush had approved a secret program to monitor the phone conversations of U.S. residents without first seeking judicial warrants. The White House subsequently confirmed that it had authorized the National Security Agency to conduct what it called a "terrorist surveillance program" aimed at communications between suspected terrorists overseas and individuals inside the United States. But the administration has also intervened, unsuccessfully so far, to try to block the lawsuit from proceeding and has consistently refused to discuss any details about the extent of the program—rebuffing repeated congressional requests for key legal memos about it.
"They are trying to completely immunize this [the surveillance program] from any kind of judicial review," added Cohn. "I find it a little shocking that Congress would participate in the covering up of what has been going on."
After the pre-recess sheep stampede, I'm inclined to think there's nothing shocking about it at all.
Posted by mhall at 7:08 PM | Add Comment
September 20, 2007
How Much Security Constitutes "Certain?"
Christopher Soghoian wonders if Bank of America is lying to its customers when it says its security measures allow them to be "certain" they're not being phished.
The nut of his objection is that BoA's two-factor authentication system, which presents an image known only to the user and the bank before allowing the user to enter his or her credentials, is vulnerable to man-in-the-middle attacks:
The problem is that all of these schemes--every single one of them--is vulnerable to a form of deception known as a man-in-the-middle (MITM) attack. Russian phishers launched a sophisticated MITM attack against the hardware-token-based, two-factor authentication scheme used by Citibank. Another group of hackers was able to rip off customers of the Dutch bank ABN Amro, which also issued hardware tokens.
On multiple occasions in 2005 and 2006, security researchers raised the alarm regarding the false promises of two-factor authentication, and in particular, Bank of America's SiteKey system.
In its defense, BoA says its SiteKey system is just part of a whole arsenal of security measures. Soghoian isn't buying it:
Customers expect some companies to lie to them. Very few people expect cosmetics and skin creams to actually make them look 20 years younger. Likewise, few would be surprised if the salads at fast-food restaurants are actually full of calories and fat. However, when a bank tells its customers that its online banking system is safe and secure, most people would be shocked to find out otherwise. Thus, a major question remains: Is Bank of America lying to its customers when it tells them that they can be "certain (they're) at the valid Online Banking Web site" when they see the SiteKey image? Do banks have a responsibility to acknowledge the risks, and to inform consumers of them?
Anyone who says something is definitively and incorruptibly secure isn't telling the truth. People who think about security a lot subconsciously append "until it's compromised" to any assertion about a security technique or product.
And BoA's responses to Soghoian's charges skip around the fact that they specifically represent SiteKey as absolutely secure.
BoA should be qualifying its claims. Any sensitive transaction done over the Web should involve some sort of due diligence on the part of the end user: A quick glance at the location bar, making sure the browser thinks it has a secure connection by looking for the padlock icon, and a scan of the page to make sure it looks right.
Encouraging end users to focus on one thing, like whether or not a single image matches what they expect to see, also encourages them to ignore other problems with a page that might give them pause.
Posted by mhall at 5:07 PM | Add Comment
September 19, 2007
Symantec CEO Warns EU of Peeping Tom Cookie Menace - Evidently Still Using IE 3
O.k. O.k. So, the past few days maybe I've been sounding sort of strident. I'll admit it. I've been irritable about social networking sites, touchy about government secrecy, hard on poor Google. So maybe I'm noticing this because I'm trying to find a way to right boat a little ... restore a sense of balance ... take a little of the edge off:
Symantec CEO Urges Cookie Notification:
"I don't have an issue with people having cookies on their machine as long as I've been told one just got planted there," Thompson said. "I think there is an opt-in option here that should be available to everyone."
He questioned whether there is a "difference between a peeping Tom in the physical world and a cookie prying into my private affairs in the digital world."
...
He would not say if he thought the European Commission should flex its muscles and require user permission for cookies, merely saying "if the EU felt that was a problem, they might want to insert themselves here."
O.k. Right off the bat:
(Click for a bigger version of Firefox's privacy panel)
That's the Firefox privacy panel, which lets you deny all cookies, pick which cookies can or can't be set in your browser, decide how long they persist (on a case-by-case basis), or even selectively remove cookies.
"Oh, sure," say the doubters ... "FIREFOX. That's the elite uber-nerd browser! This cookie-blocking technology is light years ahead of the competition!"
Er ...
(Click for a bigger version of IE 6's privacy panel)
That'd be Internet Explorer's cookie management panel.
I think we've got this one covered without involving the whole continent of Europe.
(Although it'd kill nobody to make mention of site-specific cookies and their handling in privacy policies.)
Posted by mhall at 7:27 PM | Add Comment
Amidst Dubious Claims, Push to Extend Surevillance Is On
As a citizen in a free society that elects representatives instead of holding referendums for every single thing, I'm comfortable with the idea that my representatives will get to know things I don't. Extending that to the problem of international terrorism ... heck ... even international relations in general, I can accept the idea that there are people in the world who could do much more harm with a piece of intelligence information than I could good. If I didn't get that before I served in the military, I did coming out of it.
What I don't understand is how my representatives continue to be stymied by assertions that they are, in effect, no more qualified or trustworthy than I am to evaluate matters of national intelligence or security. That's the takeaway I get when I read things like TPM's followup on Director of National Intelligence Michael McConnell's continued selective disclosure:
Yesterday, the director of national intelligence, Admiral Michael McConnell, casually informed the House Judiciary Committee that the FISA Court had gotten so restrictive that its rulings required the NSA to obtain warrants before spying on Iraqi insurgents that had kidnapped U.S. troops.
That sounded dubious to us. Would the FISA Court have really issued such a patently absurd ruling? And it turns out we're not the only ones. FISA expert Kate Martin of the Center for National Security Studies also finds McConnell's statement dubious.
"It's totally implausible, like the claim about the arrests in Germany. Doesn't NSA have collection capabilities in Iraq? If so, they are totally outside FISA," Martin says. "Even if they're taking the Iraqi insurgent calls off the wire in the U.S. talking to each other, they don't need a court order and no court is going to bar them. Or is it that the NSA is so incompetent that it doesn't know they are Iraqi insurgents talking to each other and they were just blindly searching all traffic, which the court said they weren't allowed to do?"
Ryan Singel at Wired doesn't buy it, either.
The ongoing presentation of assorted horror stories about our intelligence operatives being hobbled without, or triumphing thanks to, some new erosion of our privacy is consistent primarily in the way much of it is dubious and vague, and the way demands for more information from the people you and I elected to write laws to help us find our way through these challenges are deflected when they're inconvenient to the narrative.
Nevertheless, the AP reports that the push to make temporary expanded surveillance powers permanent is on, even though those temporary provisions were widely considered even by those who passed them to be hastily slapped together and over-reaching.
Worse, Glenn Greenwald notes, there are signs that heretofore illegal activities by telecom companies conducting data gathering are likely to get a piece of retroactive immunity they've been demanding that'll clear them of past illegal activity.
Posted by mhall at 5:59 PM | Add Comment
September 18, 2007
David Maynor Releases the "Howto" of Last Year's Apple Wi-Fi Kerfuffle
Remember the great Macbook Wi-Fi 'Sploit Kerfuffle? And how it drove all the Mac, er, "colleagues" appears to be the preferred term, nuts and they all swore up and down it was a damnable lie?
Maybe not, seeing as how long-awaited documentation from the researcher who first claimed to find the vulnerability, then said Apple and his own company hushed him up when pressed for proof, has finally arrived.
Most sensible thing said so far about the release? That'd be the nothing from Daring Fireball's John Gruber, who knows better.
Close second? Glenn Fleishman of Wi-Fi Networking News, who says what Gruber's thinking: "The report is extremely technically detailed and beyond my ability to confirm. Perhaps someone can load up an appropriate computer with 10.4.7 and follow his instructions to duplicate what he achieved?"
I'm guessing that's happened at least a few dozen times since the report hit the 'net.
Update: Looks like Metasploit will soon include a module:
Meanwhile, the Metasploit Project is releasing a new module for the exploit that runs on the popular penetration test tool, so researchers can test-run it themselves.
"[Maynor's] paper is a great example of turning a WiFi driver vulnerability into a working remote exploit and serves as an excellent resource for exploitation kernel-land vulnerabilities in OS X -- with Metasploit," says HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems.
Posted by mhall at 9:02 PM | Add Comment
Scare-Spammer Rapleaf Finds Kindred Spirit In New Partner
"Collective nouns for a group of weasels include boogle, gang, pack, and confusion." -- Wikipedia, "Weasel"
Valleywag notes that Rapleaf, the social networking identity service with the odious scare-spams, has found a kindred spirit in its new partner, MerchantCircle:
A directory on its face, MerchantCircle at its root, it is a cynical, poorly-conceived search-engine-optimization play using deceptive techniques to harvest business data. MerchantCircle is notorious for autodialing merchants to build its database. The recorded message tries to dupe merchants into entering their data with the lie that someone has left a bad review. It's a classic bait-and-switch not unlike Rapleaf's "someone has searched for you" emails.
To repeat a piece of useful information if you ever get one of Rapleaf's smarmy "We just wanted you to know someone's looking for you on the interweb" scare spams, you don't have to sign up for an account to have your address expunged from its database:
An individual may request information removed for a given email address by emailing opt-out@rapleaf.com. This email address and information pertaining to this email address will no longer be displayed on the Rapleaf site and will be physically removed from Rapleaf�s databases.
Don't bother with creating an account to "manage" anything. You'll just be validating Rapleaf's creepy marketing and helping it make sure its data is good.
Just opt out.
Previously:
Posted by mhall at 6:03 PM | Add Comment
MediaDefender's Embarrassment Mounts
MediaDefender's woes get worse in worse in the wake of that e-mail compromise. Rather, its woes grow in number. Wired:
At least two more MediaDefender hacks have emerged since Saturday. In one, hackers obtained a copy of an internal company database identifying some of the decoy files the company has slipped onto peer-to-peer networks. In the other, intruders released a digital recording of a private phone call that appears to be a discussion between MediaDefender personnel and staff at the New York attorney general's office.
Bruce Schneier has a bit of a phone transcript that indicates the company might not have been the brightest about security.
Posted by mhall at 4:11 PM | Add Comment
September 17, 2007
ACLU Unveils "Surveillance Society Clock"
The ACLU's dramatizing the growth of "a genuine surveillance society" in the U.S. with its new Surveillance Society Clock which it today set to six minutes before midnight.
The clock's an entertaining visual gimmick, but the occasion of its launch is the release of a new report from the ACLU entitled "Even Bigger, Even Weaker: The Emerging Surveillance Society: Where Are We Now?" The report's a followup to the 2004 report "Bigger Monster, Weaker Chains," (which appears appended to the downloadable PDF at the link above).
It's a brief report -- just 9 pages long on top of the original report's 20 -- and it represents a useful overview. If you've been listening to your jumpy privacy nut friend getting all caffeinated about the latest outrage and getting jaded about his caffeinated outrage, read the report. You might not agree with the parts the ACLU calls "alarming," but you'll get everything the ACLU has found of note -- not just "heard it on the interwebs" huffing -- in one shot.
Posted by mhall at 6:57 PM | Add Comment
September 14, 2007
EPIC: Google's "Privacy Crusade" Is a Preemptive Weasel Strike
The Washington Post's headline writers were in a particularly credulous mood when they came up with "Google Launches Global Privacy Crusade."
On the other hand, look at what they had to work with:
Drawing upon its clout as the Internet's most powerful company, Google Inc. is calling on businesses and regulators throughout the world to adopt international standards for protecting consumer privacy online and offline.
Hooray! Google is throwing its might into the battle for our privacy! Today we are all Googleheads!
It might seem so if, like the Washington Post, you interviewed EPIC's executive director but somehow fail to get what CNET got from the same source:
Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the APEC Privacy Framework "backward looking" and said it "is the weakest international framework for privacy protection, far below what the Europeans require or what is allowed for transatlantic transfers between Europe and the U.S.," particularly because it focuses on the need to show harm to the consumer."
In fact, what the Post got out of the story is what a lot of reporters seem to settle on: Rather than writing a story questioning the substance of Google's security proposal (which Rotenberg did), the reporter focused on inside baseball: Whether Google's making this particular proposal at this particular time for a reason besides its abiding love of privacy.
Motive is easy to cover, right? One guy impugns another guy's intent so the reporter just gets the initial assertion, then a counter-assertion: Scales are balanced, he said/she-said, utterly "balanced" in that way "balanced" has come to mean "make sure each side has an equal number of facts."
But the problem is, why Google is doing this has nothing to do with the quality of the policy Google's proposing. That would be hard to cover in a story because you have to understand the policy, understand why someone else thinks it's problematic, then understand how to outline the argument for the casual observer.
So, you know ... just go with the Google narrative, leave aside the substantive issues Google's proposals raise, and call people who have an issue with Google's policy "strident."
Posted by mhall at 6:10 PM | Add Comment
September 13, 2007
EFF: Terror Plot Busted by Police Work, Not Warrantless Spying
EFF: German Plot Uncovered By Old Fashioned Police Work:
The recent terrorist plot uncovered in Germany was detected by traditional means. According to Newsweek, "One U.S. intelligence official described the law-enforcement operation as a case of 'good old-fashioned police work.'"
Nevertheless, when Mike McConnell, the Director of National Intelligence, testified before Congress on Monday, he cited the German arrests as proof of the importance of conducting electronic surveillance without warrants under the so-called Protect America Act.
After these contradictions came to light, the DNI recanted: "Information contributing to the recent arrests was not collected under authorities provided by the Protect America Act," McConnell admitted in a statement released on Wednesday.
The foiled terrorist plot in Germany shows that we can protect America while protecting Americans' rights. In response to McConnell's testimony, Rep. Rush Holt stated "The German terror case in question is another example of why I voted against the 'Protect America Act' when it came to the House floor in August. Our existing collection activities are working well overall, uncovering potential terrorist plots in Europe and elsewhere."
Further evidence that the intelligence community -- and the Bush administration -- need to be compelled to back up their extraordinary claims with more than "Because we say so."
Posted by mhall at 7:25 PM | Add Comment
September 12, 2007
China's "Great Firewall" Runs on Fear
Science Blog: China's 'Eye on the Internet' a Fraud
The "Great Firewall of China," used by the government of the People's Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.
The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.
Posted by mhall at 2:00 PM | Add Comment
September 11, 2007
Rapleaf Spams You Then Asks for More Addresses to Spam
If you value your friends, don't search for information on them on Rapleaf: They'll get spammed with a message designed to create just enough unease to panic them into signing up for an account, at which point they'll probably set someone else up for more spam.
This morning I checked my inbox and learned that someone has been looking for information about me on Rapleaf. I know this because my "friends" there decided to send me a notice:
Dear xxxxxx,
Someone researched your reputation on Rapleaf by searching "xxx@xxxx.com."
To view (or update) your profile, check out:
http://www.rapleaf.com/pub/xxxxx
Why does this matter?
Someone is interested in learning about you for business or personal reasons.
You are now aware of what information about you is publicly available on the internet.
You now have the opportunity to take control of your information and privacy online.
At Rapleaf, you can find such information as age, location, history, social network links, and more on over 60 million people. And you can make all or some of the information about yourself private.
-Your friends at Rapleaf.com
www.rapleaf.com
What a skeezy pitch!
And actually, it was several spams. One for each of several addresses.
Rapleaf isn't doing anything illegal. It's just harvesting what's out there. In this case it was funnier than not because the address it notified doesn't have any accounts on any social networking sites, Amazon wishlists, or any of the other stuff Rapleaf trolls for. Then it offers you a way to make all that information as available as it was before Rapleaf went trolling for it if you just trade away a bit more of your privacy by signing up for an account and, indirectly, validating Rapleaf's data.
Because I am interested above all else in science, I went ahead and let my throwaway account be a guinea pig to see what registration with Rapleaf might get me. The account isn't connected to anything, so there wasn't any data to validate.
Rapleaf had a message waiting for me on my new profile page:
"By creating a Rapleaf reputation, you have taken a step towards a society where it is more profitable to be ethical."
How comforting.
Rapleaf offers new members the opportunity to upload an address book from Gmail, AOL, Yahoo, Hotmail or Outlook, which is how I think I must have earned the three spams Rapleaf sent my way this morning. I didn't take that step because I had a suspicion I'd be setting up a bunch of friends and coworkers for a scare-spamming.
According to Rapleaf's privacy policy, those addresses are classified as non-personally identifiable information (non-PII). While the company says it won't ever "sell, rent, or lease email addresses to clients or third-party marketers," it's happy to use non-PII data for "targeted advertising," where the targets are, apparently, anyone in the address book of anyone signing up for Rapleaf, or any e-mail address someone searches for on Rapleaf.
I wonder what this does to anonymous profiles in cases where someone's friend has multiple address book entries for a given name?
Let's say, for instance, I have an imaginary friend named Chuck. Let's say my imaginary friend is a deacon at his church. Chuck's MySpace and Facebook pages reflect that he is a devout Methodist who loves his children and married his high school sweetheart. Let's say the address Chuck uses for all his online wholesomeness is "chuck@wholesomeness.foo."
At this point, Rapleaf knows three things about Chuck: His e-mail address and two social networking sites he maintains presences on.
Now let's imagine Chuck has a curious hobby. Maybe Chuck really enjoys consensual bondage. Enjoys it so much that he has his own domain ... "consensualbondage.bar" ... where he has a blog. Chuck's not interested in his co-religionists knowing that about him, not because he thinks it's wrong, but because he's not dumb enough to think there's no stigma attached to his hobby. So Chuck has been careful about his online life: He's paid a little extra to anonymize his domain registration. He only uses the address "leatherdaddy@consensualbondage.bar" when he's registering for social networks where he wants to be able to talk about his hobby.
At this point, Rapleaf knows three things about someone who goes by "leatherdaddy@consensualbondage.bar:" It knows that he's got an Amazon wishlist that's sort of naughty, a flickr page with pictures of consensual bondage people who read his blog send to him for posting, and that he's "leatherdaddy" on several social networking sites.
The thing Rapleaf is missing is any connection between this "leatherdaddy" character, master of the flog and knot-tying king, and "chuck," Methodist deacon.
So let's say Chuck and I have known each other for a long time ... 20 years. Let's say I was his best man, even. Let's say that Chuck even kept his hobby from me for a long time. Then one day Chuck slips up and sends me a mail with a reply-to of "leatherdaddy@consensualbondage.foo." Because my spam filter nearly caused me to miss the mail, I add the leatherdaddy address under Chuck's entry in my address book as an "other" e-mail so it'll be whitelisted in the future. The next time I see Chuck, I ask him about the address thinking there might be a funny story, and he decides to confess to me that he and his wife love to go to costumed sex parties where he ties her up and spanks her. He makes it clear that this is a secret of his ... one he's not interested in sharing with anyone and that he'd probably not have even told me if he hadn't slipped up.
Suddenly, I'm in possession of some information about Chuck that I know I'll never share willingly with anyone else, but I've probably forgotten it's in my address book, or it doesn't occur to me that my address book is interesting to anyone besides me.
So when I get a scary spam from Rapleaf telling me someone's looking for information on me, after I get over my initial panic that Rapleaf has somehow gathered information I haven't already made public, I decide that this whole thing might be kind of cool. The privacy policy says Rapleaf will never sell e-mail addresses, so I upload my address book, the better to see who I know that's already using the service.
Now Rapleaf has that missing connection. It's got a record that strongly suggests "leatherdadddy@consensualbondage.foo" might be the same person as "chuck@wholesomeness.foo."
What's next for Chuck? Do his two distinct profiles commingle at that point? If they don't now, might they eventually? I don't know, and I don't want to set more people up for spam from Rapleaf by looking around for similar situations among my friends.
Whatever happens, Chuck will get a message pointing out that the connection is there to be made, and that if he wants that connection re-obscured he can sign up for an account or send an opt-out mail:
An individual may request information removed for a given email address by emailing opt-out@rapleaf.com. This email address and information pertaining to this email address will no longer be displayed on the Rapleaf site and will be physically removed from Rapleaf's databases.
But Rapleaf's just a subsidiary. Is that connection still around somewhere else? Like Upscoop or Trustfuse? Rapleaf's not really on the hook for having the information: It didn't get it illegally, so if it happens to pass the connection along to its corporate parent or sibling before removing the record, the information's still there and still reusable at some future point.
Chuck's never going to know one way or the other, and he's never going to know who saw that connection before he managed to opt out (or sign up and remove it that way).
My imaginary friend's potential embarrassment is limited in harm to what connections Rapleaf might ferret out and publish. Imagine that connection as part of the services Rapleaf sells, and let's make Chuck's alter-ego a member of a group for people with a rare but curable disease, labor activists, or any other demographic employers can't fire for, but won't hire either. Rapleaf sells the connections and relationships it accrues to make it easier for marketers to automate research. Or, perhaps, for an employer to dump a list of e-mail addresses harvested from the week's received resumés to see if there are any troubling connections.
If you pause to consider the storied failings of Web censorware, which sometimes blocks sites because they link to a site that links to a site with "objectionable content," you get a hint of why a skittish HR department with a database of every single online group, list or "network" you belong to along with any connections your friends may have inadvertently provided is not a happy prospect.
Because the online world is fueled by hyperbole and overreaction, a certain type of personality is going to suggest two things pretty quickly in an effort to be the lone voice of reason in a mob of pitchfork-wielding privacy nuts:
The whole (hypothetical) situation is Chuck's own damn fault. He screwed up the day he forgot to check which address he was mailing from, then he screwed up by not making sure his careless friend deleted the mail and didn't record the address.
Rapleaf's not being "evil" because facts are facts ... aggregating and presenting them is ethically neutral, no more laden with moral import than telling a stranger the time.
I'll happily concede that Rapleaf is not evil. I'll even concede that the whole thing is Chuck's fault, to the extent he started the chain of events in motion.
Does that make Rapleaf seem any more desirable to you? It doesn't to me, and I'm pretty sure it's a service I'll do my best to avoid helping out in any way I can. And it provides another moment to stop and think about the services it's harvesting information from. Are any of them worth what another Rapleaf could make of them?
Posted by mhall at 7:26 PM | Add Comment
September 10, 2007
Security Researcher Underscores Tor's Last-Leg Shortcomings
Wired: Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise:
A security researcher intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by turning portions of the Tor internet anonymity service into his own private listening post.
A little over a week ago, Swedish computer security consultant Dan Egerstad posted the user names and passwords for 100 e-mail accounts used by the victims, but didn’t say how he obtained them. He revealed Friday that he intercepted the information by hosting five Tor exit nodes placed in different locations on the internet as a research project.
Tor is a sophisticated privacy tool designed to prevent tracking of where a web user surfs on the internet and with whom a user communicates. It’s endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistleblowers and human-rights workers to communicate with journalists, among other uses.
Posted by mhall at 12:46 PM | Add Comment
September 7, 2007
Analyst On Insecure Employee Behavior: "Don't make them resort to Gmail."
Enterprise Networking Planet: Security Breaches: Ineptitude Goes a Long Way
According to Young, the risks associated with social networking and messaging applications often point to other internal problems. “Often it’s just an employee trying to solve a problem,” he said. “If the enterprise solves the problem, then the risk goes away.”
Crosley added that organizations often calculate risks improperly, being overly conservative when it comes to communications tools. They focus on the wrong things and don’t accurately estimate the real costs associated with adopting versus ignoring a technology. Does a spike in productivity and efficiency offset the deployment cost? Does internal control offset the risk of having employees bring in technologies through the backdoor?
“If employees are desperate for good web-based email, give it to them. Don’t make them resort to Gmail,” he said.
Posted by mhall at 6:25 PM | Add Comment
September 6, 2007
Federal Judge Hands Down PATRIOT Act Setback
AHN: Federal Judge Strikes Down Portions Of Rewritten Patriot Act For Violating Constitution
A federal district judge struck down portions of the revised USA Patriot Act on Thursday ruling in favor of plaintiffs, saying that investigators need a court order to ask Internet providers, telephone companies and public libraries to turn over customer’s records.
Plaintiff American Civil Liberties Union argued that the revised Patriot Act allowed the FBI to demand records without obtaining the kind of court order that is required for other government searches, the Associated Press reports.
And the judge agreed, saying that the law as written “reflects an attempt by Congress and the executive [branch] to infringe upon the judiciary’s designated role under the Constitution,” U.S. District Judge Victor Marrero was quoted as writing by the AP.
Saying the recently rewritten Patriot Act “offends the fundamental constitutional principles of checks and balances and separation of powers,” Marrero said that government orders must be subjected to meaningful judicial review.
Posted by mhall at 2:23 PM | Add Comment
September 5, 2007
Facebook Offers Warning Period Before Letting the Spiders In
The buzz today: Facebook is opening up user profiles to search by non-members and, starting next month, indexing by public search engines. Facebook users can opt out, or tune the information they're willing to provide to non-users.
Reuters prefers to characterize the change as "let[ting] users tell the rest of the world how to find them on the site," which suggests Facebook's flacks did an admirable job of framing the matter as one of adding a feature.
Om Malik is less sure it's a gift, and points to an article that appeared on ZDNet last week which considers businesses that specialize in gathering up the little bits and pieces each social networking site lets slip to create a more complete profile of everyone who participates. They then sell that information in ways that might not occur to people who don't regularly think in demographic terms, and in a manner that's within the letter of their privacy policies:
In other words, Rapleaf sweeps up all the publicly available but sometimes hard-to-get information it can find about you on the Web, via social networks, other sites and, soon to be added, blogs. At the other end of the business, TrustFuse packages information culled from sites in a profile and sells the profile to marketers. All three companies appear to operate within the scope of their stated privacy policies, which say they do "not sell, rent or lease e-mail addresses to third parties."
And that's right. Marketers bring TrustFuse their own list of e-mail addresses to buy access to demographic, behavioral and Internet usage data on those people, according to the company's privacy policy and sales documents.
Malik takes the right tone here: Facebook has announced its new policy and has provided a clear enough way to opt out, so hysterics are not in order. On the other hand, Facebook has also provided another opportunity to think about what its policy, and others like it, mean in the bigger picture.
Even if you're one of those people who's sort of pleased that your "voice" is being heard as part of an aggregate of consumer data and don't happen to be troubled by the kind of information sharing that ZDNet article discusses, you still might want to consider the implications in terms of two things:
How easy it is for the information aggregators to get the information they have without violating any privacy policies or laws.
How many large collections of information you care to be a part of.
The aggregators may just be figuring out ways to target you for the best coupons, but that doesn't mean they'll always have perfect control of the information they've amassed.
Posted by mhall at 4:24 PM | Add Comment
September 4, 2007
Social Networking Site Quechup Makes No Friends
Boing Boing: Quechup is rotten: don't accept invites - Boing Boing:
While you were Burning / vacationing / spacing out offline this Labor Day weekend, many folks online were hit with invitations from a social networking service called Quechup that anally rapes your address book, and violates user trust by spamming all your contacts.
Now that people are coming back from the Labor Day holiday, expect a bunch of invites -- I've received a dozen just this morning. Delete 'em if you know what's good for you. Link to one of many first person accounts, Link to another. And another, and another (punch line: the spam blast created by Quechup caused Google to suspended that victim's Gmail account).
By "anally rapes" Xeni means "uses the address book info you pr