Comments on DSHR's Blog: "Privacy Is No Longer A Social Norm"

David, 2018-12-07:

A week ago the US Treasury issued a press release <a href="https://home.treasury.gov/news/press-releases/sm556" rel="nofollow"><i>Treasury Designates Iran-Based Financial Facilitators of Malicious Cyber Activity and for the First Time Identifies Associated Digital Currency Addresses</i></a>:

"The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) took action today against two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan, who helped exchange digital currency (bitcoin) ransom payments into Iranian rial on behalf of Iranian malicious cyber actors involved with the SamSam ransomware scheme that targeted over 200 known victims. Also today, OFAC identified two digital currency addresses associated with these two financial facilitators. Over 7,000 transactions in bitcoin, worth millions of U.S. dollars, have processed through these two addresses - some of which involved SamSam ransomware derived bitcoin."

See <a href="https://blog.dshr.org/2018/05/privacy-is-no-longer-social-norm.html?showComment=1532375128110#c5454860445562767967" rel="nofollow">this comment above</a> about the ease with which transactions can deanonymize cryptocurrency users.

David, 2018-08-30:

"For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for.

But most of the two billion Mastercard holders aren’t aware of this behind-the-scenes tracking. That’s because the companies never told the public about the arrangement." from <a href="https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales" rel="nofollow"><i>Google and Mastercard Cut a Secret Ad Deal to Track Retail Sales</i></a> by Mark Bergen and Jennifer Surane.

Hat tip <a href="https://boingboing.net/2018/08/30/mastercard-sold-google-data-on.html" rel="nofollow">Rob Beschizza</a>.

David, 2018-08-27:

Prof. Douglas Schmidt's must-read report <a href="https://digitalcontentnext.org/wp-content/uploads/2018/08/DCN-Google-Data-Collection-Paper.pdf" rel="nofollow"><i>Google Data Collection</i></a> is a deep dive into the myriad ways Google collects data on you. For example:

"Android helps Google collect personal user information (e.g. name, mobile phone number, birthdate, zip code, and in many cases, credit card number), activity on the mobile phone (e.g. apps used, websites visited), and location coordinates. In the background, Android frequently sends Google user location and device-related information, such as apps usage, crash reports, device configuration, backups, and various device-related identifiers."

and:

"Our experiments show that a dormant, stationary Android phone (with Chrome active in the background) communicated location information to Google 340 times during a 24-hour period, or at an average of 14 data communications per hour."

David, 2018-07-23:

The abstract of <a href="https://arxiv.org/pdf/1708.04748.pdf" rel="nofollow"><i>When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies</i></a> by Steven Goldfeder <i>et al</i> reads:

"We show how third-party web trackers can deanonymize users of cryptocurrencies. We present two distinct but complementary attacks. On most shopping websites, third party trackers receive information about user purchases for purposes of advertising and analytics. We show that, if the user pays using a cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user’s cookie, and further to the user’s real identity. Our second attack shows that if the tracker is able to link two purchases of the same user to the blockchain in this manner, it can identify the user’s entire cluster of addresses and transactions on the blockchain, even if the user employs blockchain anonymity techniques such as CoinJoin. The attacks are passive and hence can be retroactively applied to past purchases. We discuss several mitigations, but none are perfect."

David, 2018-07-19:

"When Hang Do Thi Duc <a href="https://boingboing.net/2018/07/17/privacy-by-design-vs-venmo.html" rel="nofollow">published her work</a> on the privacy implications of payment processor Venmo's "public-by-default" directory of payments, she did not release her dataset out of respect for the privacy of the Venmo users whose personal lives were on display in the data.

Joel Guerra went further. In an effort to create a sense of urgency around this bad privacy design, he's created a twitterbot called <a href="https://twitter.com/venmodrugs" rel="nofollow">@venmodrugs</a>, which scours public Venmo data for keywords and emojis that seem to indicate a sarcastic jokes about drug-buys and payment for sexual services and tweets them."

From Cory Doctorow's <a href="https://boingboing.net/2018/07/19/god-speed.html" rel="nofollow"><i>Twitterbot mines Venmo's public-by-default transactions and tweets presumably sarcastic drug buys and sexual services</i></a>.

David, 2018-07-18:

"With little public scrutiny, the health insurance industry has joined forces with data brokers to vacuum up personal details about hundreds of millions of Americans, including, odds are, many readers of this story. The companies are tracking your race, education level, TV habits, marital status, net worth. They’re collecting what you post on social media, whether you’re behind on your bills, what you order online. Then they feed this information into complicated computer algorithms that spit out predictions about how much your health care could cost them."

From Marshall Allen's <a href="https://www.propublica.org/article/health-insurers-are-vacuuming-up-details-about-you-and-it-could-raise-your-rates" rel="nofollow"><i>Health Insurers Are Vacuuming Up Details About You — And It Could Raise Your Rates</i></a>. Because the last thing for-profit health insurance is about is health.

David, 2018-07-16:

"In a dossier <a href="https://privacyinternational.org/campaigns/state-sponsors-surveillance-governments-helping-others-spy" rel="nofollow">published on Tuesday</a>, civil-rights warriors Privacy International said that top governments – from the US, UK and China to France, Germany, and the European Union – are <a href="https://privacyinternational.org/feature/2167/teach-em-phish-state-sponsors-surveillance" rel="nofollow">financing, training and equipping countries</a>, including authoritarian regimes, with surveillance capabilities. By doing so, the countries with the most extensive security and military agencies are “transferring their electronic surveillance capabilities, practices, and legislation around the world,” the report said." from Rebecca Hill's <a href="https://www.theregister.co.uk/2018/07/16/states_fund_foreign_surveillance/" rel="nofollow"><i>Revealed in detail: World powers stuff spyware kit, how-to guides in dodgy nations' pockets</i></a> at <i>The Register</i>.

David, 2018-06-29:

This post should have mentioned that Apple is alone among the big tech companies in trying to build systems that care about privacy. A good example is described in <a href="https://techcrunch.com/2018/06/29/apple-is-rebuilding-maps-from-the-ground-up/" rel="nofollow"><i>Apple is rebuilding Maps from the ground up</i></a> by Matthew Panzarino. For example:

"Because only random segments of any person’s drive is ever sent and that data is completely anonymized, there is never a way to tell if any trip was ever a single individual. The local system signs the IDs and only it knows to whom that ID refers. Apple is working very hard here to not know anything about its users. This kind of privacy can’t be added on at the end, it has to be woven in at the ground level.

Because Apple’s business model does not rely on it serving to you, say, an ad for a Chevron on your route, it doesn’t need to even tie advertising identifiers to users.

Any personalization or Siri requests are all handled on-board by the iOS device’s processor. So if you get a drive notification that tells you it’s time to leave for your commute, that’s learned, remembered and delivered locally, not from Apple’s servers."

Go read the whole article - it is really interesting.

David, 2018-06-16:

"the US Attorney's Office for the Southern District of New York revealed today that it had obtained additional evidence for review—including a trove of messages and call logs from WhatsApp and Signal on one of two BlackBerry phones belonging to Cohen. The messages and call logs together constitute 731 pages of potential evidence. ... This change is likely because of the way the messages are stored by the applications, not because the FBI had to break any sort of encryption on them. WhatsApp and Signal store their messages in encrypted databases on the device, so an initial dump of the phone would have only provided a cryptographic blob. The key is required to decrypt the contents of such a database, and there are <a href="https://andreas-mausch.de/whatsapp-viewer/" rel="nofollow">tools readily available to access the WhatsApp database on a PC</a>." writes <a href="https://arstechnica.com/information-technology/2018/06/fbi-recovered-hundreds-of-encrypted-messages-from-michael-cohens-phone/" rel="nofollow">Sean Gallagher at <i>Ars Technica</i></a>.

David, 2018-05-30:

What a surprise. Dan Goodin writes in <a href="https://arstechnica.com/information-technology/2018/05/nefarious-actors-may-have-abused-routing-protocol-to-spy-on-us-phone-users/" rel="nofollow"><i>SS7 routing-protocol breach of US cellular carrier exposed customer data</i></a>:

"On Tuesday, [Senator] Wyden sent a letter to Federal Communications Commission Chairman Ajit Pai that heightened concerns of SS7 hacks on US infrastructure.

“This threat is not merely hypothetical—malicious attackers are already exploiting SS7 vulnerabilities,” Wyden <a href="https://www.wyden.senate.gov/imo/media/doc/wyden-fcc-ss7-letter-may-2018.pdf" rel="nofollow">wrote</a>. “One of the major wireless carriers informed my office that it reported an SS7 breach, in which customer data was accessed, to law enforcement through the government’s Customer Proprietary Network Information (CPNI) Reporting Portal.”

Such reports are legally required when carriers believe customer data has been illegally accessed. [Wyden's spokesperson] Chu declined to say who the US carrier is."

David, 2018-05-20:

<a href="https://boingboing.net/2018/05/20/the-future.html" rel="nofollow"><i>News crew discovers 40 cellphone-tracking devices operating around DC</i></a> by Cory Doctorow reports:

"An NBC investigative journalism team and a security researcher went wardriving around the DC area with a cell-site-simulator detector that would tell them whenever they came in range of a fake cellphone tower that tried to trick their phones into connecting to it in order to covertly track their locations (some cell site simulators can also hack phones to spy on SMS, calls and data).

They found more than 40 such devices in a single ride; these were sited in such sensitive locations as K-Street, home to DC's massive lobbyist contingent; the Trump Tower hotel; around the city's many embassies; around the Pentagon, Fort Meade and Langley; and in many residential areas."

David, 2018-05-20:

<a href="https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" rel="nofollow"><i>Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site</i></a> by Brian Krebs starts:

"LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — <i>without the need for any password or other form of authentication or authorization</i> — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards."

David, 2018-05-03:

I missed at least three important points in this post.

<b>First</b>, we talk about online privacy as if the problem is what <i>companies</i> know about you. But it is also what the <i>people</i> in the companies know about you, and not just CEOs like Peter Thiel. Joseph Cox & Max Hoppenstedt's <a href="https://motherboard.vice.com/en_us/article/bjp9zv/facebook-employees-look-at-user-data" rel="nofollow"><i>Sources: Facebook Has Fired Multiple Employees for Snooping on Users</i></a> spotlights this problem:

"On Tuesday, Facebook <a href="https://motherboard.vice.com/en_us/article/bjpqw4/facebook-fires-employee-stalk-women-online" rel="nofollow">fired an employee</a> who had <a href="https://motherboard.vice.com/en_us/article/kzxdny/facebook-investigating-employee-stalking-women-online" rel="nofollow">allegedly used their privileged data access</a> to stalk women online. Now, multiple former Facebook employees and people familiar with the company describe to Motherboard parts of the social media giant’s data access policies. This includes how those in the security team, which the fired employee was allegedly a part of, have less oversight on their access than others."

<b>Second</b>, McNealy's idea that if you don't like what one company is doing with your data you can move to another ignores the way the <a href="http://thehill.com/blogs/congress-blog/technology/267070-businesses-are-invading-your-privacy#" rel="nofollow">companies who collect data monetize it by selling it to other companies</a>:

"Consumers and policymakers are only just now waking up to the reality that many businesses quietly seek to identify consumers personally and sell information about them to others. This information is transferred to data brokers, and repackaged and resold. Keeping the consumer in the dark is key to new information-intensive business models, because data brokers know that consumers will object to them."

And these companies sell it to other companies and so on <i>ad infinitum</i>.

<b>Third</b>, as I pointed out in <a href="https://blog.dshr.org/2017/10/not-whether-but-when.html" rel="nofollow"><i>Not Whether But When</i></a>, it is inevitable that personal data collected about you will eventually end up in the hands of criminals and governments other than your own. Richard Smith, the CEO of Equifax while the company leaked personal information on most Americans, <a href="http://fortune.com/2017/09/29/equifax-ceo-hack-worry/" rel="nofollow">uttered an uncomfortable truth</a>:

"There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it,"

This is true of governments as well as companies. See, for example, the <a href="http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/" rel="nofollow">OPM hack</a>.

McNealy doesn't trust the US government. Does he trust the Russian or Chinese government? Or some scam artist like <a href="https://qz.com/1259524/mmm-and-bitcoin-russian-ponzi-mastermind-sergei-mavrodi-is-dead-but-his-legacy-lives-on-in-crypto/" rel="nofollow">Sergei Mavrodi</a>?