Once more, with passion: Fingerprints suck as passwords

By Rick Falkvinge

Imagine you had a really strong and complex password. It was so hard for anyone to remember, that you had printed thousands of business cards with the complex password on them, and left such a card at every single object you just happened to touch. Would that be a good password?

This week, there was a story about an FBI house search where the people in the house were compelled to give up their fingerprints in order to unlock phones, which were locked just with fingerprints.

Most people seemed to be appalled at the FBI being able to coerce somebody into unlocking their phone, while pretty much nobody would have blinked at phones being seized as part of a lawful search.

How many stopped to reflect over the fact that the house was probably filled to capacity, on every object and every surface, with those fingerprints required to unlock the phones in question? That it would have been absolutely trivial to recover them from the first glass fetched from the kitchen?

Fingerprints aren’t authentication.

Fingerprints are identity.

Fingerprints are something public, which is why it should really bother nobody with a sense of security that the FBI used them to unlock seized phones. You’re literally leaving your fingerprints on every object you touch. That makes for an abysmally awful authentication token.

It’s true that phones can be unlocked with fingerprints, but that doesn’t turn the fingerprint into a security token. Rather, it turns the phone lock into a phone bolt, without a key requirement – an electronic bolt which one particular person can open trivially (because they carry the fingerprints on their hands) and everybody else can open with a small amount of effort (because those fingerprints are trivially retrievable and copyable). But in no way should it be considered secure, or even a lock: it’s merely something that takes less effort to open for one particular person.

Yes, of course it’s better to have a bolt on something than no bolt (fingerprint security is better than nothing). But a bolt that requires a sliding action should not be mistaken for a lock that requires a key. A false sense of security can be worse than no security in some cases.

Biometrics were never authentication tokens. They were identity tokens. Authentication tokens are secret and replaceable, and your fingerprints (your retina, your iris, and so on) are neither.

When you authenticate something even slightly sensitive with biometrics, you’re doing it wrong.

The right way to do it is to identify with biometrics, and then authenticate with a proper security token, which is secret.

Privacy remains your own responsibility.


October 23, 2016 at 04:15PM
via Privacy Online News http://ift.tt/2e0RUmK

Google is now tracking your private, personally identifiable information from all sources possible (ie; Gmail, Chrome, DoubleClick) by default

By Caleb Chen

Since this summer, new users are now being tracked to Google’s fullest potential unless they opt out. Google has bought many tech companies over the last few decades. One such purchase, in 2007, of DoubleClick, prompted many concerns. Google, which had the promising slogan “Do no evil,” back then, promised that they would not combine Google’s already monolithic stack of user internet browsing history data with new acquisitions such as DoubleClick. DoubleClick is an extensive ad network that is used on half of the Internet’s top 1 million most popular sites. Now that DoubleClick’s data is available to Google, Google can easily build a complete profile of you, the customer. This profile could include name, search history, and keywords used in email, all of which will expressly be used to target you for advertising or handed over to the government at the drop of a rubber stamp.

Google’s slippery slope of Privacy

Back in 2007, Google founder Sergey Brin even specifically tried to assuage the growing concerns by promising that privacy would always remain the “number one priority when we contemplate new kinds of advertising products.”

It’s possible that Google has no new kinds of advertising products left, and is now dipping into stored sources of data, like an animal that buries food for the winter. For privacy-minded individuals that have already started ditching Google’s suite of tracking products, this might not seem like news; however, experts say that this represents a point of no return for consumer privacy on the Internet. Paul Ohm, of Georgetown University Center on Privacy and Technology, told ProPublica:

“The fact that DoubleClick data wasn’t being regularly connected to personally identifiable information was a really significant last stand. It was a border wall between being watched everywhere and maintaining a tiny semblance of privacy. That wall has just fallen.”

How to protect yourself from Google tracking

While there may still (for now) be protections for us that keep this data from being sold to less scrupulous third party advertisers, the fact that Google compiles this personally identifiable information and attaches it to our real names means that all of that information is available to government agencies. Consider leaving Google’s centralized services entirely and only connecting to the Internet via a VPN and with the proper tools in place on your browser. Check out PrivacyBadger by the EFF.

If you can’t leave Google’s playground, you’ll have to opt-out of this Google tracking. To do so, go to the Activity controls on your Google Account page. Once there, you will unmark the option that says “Include Chrome browsing history and activity from websites and apps that use Google services.”


October 21, 2016 at 04:53PM
via Privacy Online News http://ift.tt/2ethaU2

The U.S. Government Wants To Read Travelers’ Tweets Before Letting Them In

By Cora Currier

Soon, foreign visitors to the United States will be expected to tell U.S. authorities about their social media accounts.

U.S. Customs and Border Protection wants to start collecting “information associated with your online presence” from travelers from countries eligible for a visa waiver, including much of Europe and a handful of other countries. Earlier this summer, the agency proposed including a field on certain customs forms for “provider/platform” and “social media identifier,” making headlines in the international press. If approved by the Office of Management and Budget, the change could take effect as soon as December.

Privacy groups in recent weeks have pushed back against the idea, saying it could chill online expression and that it gives DHS and CBP overbroad authority to determine what kind of online activity constitutes a “risk to the United States” or “nefarious activity.”

The United Nations Special Rapporteur on the right to freedom of opinion and expression wrote last month that the scope of information being collected was “vague and open-ended,” and that he was “concerned” that with the change, “government officials might have largely unfettered authority to collect, analyze, share and retain personal and sensitive information about travelers and their online associations.”

“It appears that even if a friend or associate has not directly interacted with the applicant on social media, the agency will ferret out connections,” a group of 11 civil liberties groups said in a letter commenting on the CBP proposal.

“If a ‘follower’ of an applicant raises a red flag for the agency, the applicant herself may be denied permission to travel to the United States.”

CBP and its parent agency, the Department of Homeland Security, said that the social media question will be optional, and that the agencies “would only have access to information publicly available on those platforms, consistent with the privacy settings of the platforms.”

A CBP spokesperson provided a statement saying that collecting social media information “may help detect potential threats because experience has shown that criminals and terrorists, whether intentionally or not, have provided previously unavailable information via social media that identified their true intentions.” The statement also said that “the collection of social media identifiers will not be used to prevent travel based on applicant’s political views, race, or religion.”

The CBP spokesperson did not say whether leaving social media information off an application would adversely impact someone’s visa waiver application, or flag them for extra screening, saying only that the application could still be submitted without it.

Earlier this month The Intercept detailed how CBP works closely with the FBI to screen passengers as potential informants, passing the bureau information gleaned from travel records and secondary screenings. The goal was “looking for ‘good guys,’ not ‘bad guys,’” in the words of one of the FBI documents.

The American Civil Liberties Union said that the documents appeared to show CBP conducting “unduly invasive” questioning, and “using the border as a dragnet for intelligence gathering on innocent people.” It is precisely that kind of program that privacy advocates are worried about when it comes to ordinary travelers turning over their online lives to border authorities.

“We know that they are going to use this for ‘contact chaining,’ or ‘two-hop’ analysis,” said Nathan White, of the internet freedom advocacy group Access Now, referring to the practice of looking not just at someone’s contacts but also their contacts’ contacts. “Apply that to social media and imagine they’re interested in a friend of a friend of the traveler to recruit as an informant. They could see all those connections.”

Access Now and other groups also noted that by looking at the social presence of foreigners, DHS will inevitably suck up, retain, and share with other agencies huge amounts of information on Americans who are connected to them, even in a tangential way.

In order to institute the change, the CBP had to open the proposal for public comments. That period ended earlier this month, and now the Office of Management and Budget has 60 days to ask the agency to amend the proposal or sign off on the change. The OMB doesn’t evaluate the change for privacy or civil liberties implications, but rather from a paperwork and cost standpoint.

“To the OMB, we’re making the argument that it’s expensive to collect this, and it’s useless—only innocent people are going to give you their real information,” said White.

Top photo: A traveler arriving from overseas is processed upon arriving to Newark International Airport on August 24, 2009, in Newark, New Jersey.


October 21, 2016 at 02:48PM
via The Intercept http://ift.tt/2edrtgn

Here’s how I handle online abuse

By Troy Hunt


I originally wrote this post earlier on in the year. I honestly can’t remember what the abuse was that led to it and frankly, that’s probably for the best as its allowed me to re-read this and ensure it comes across as general advice rather than a knee-jerk reaction to a specific unpleasant experience. Whilst the simple process of writing it helped me get the episode off my chest at the time, I’ve decided to post it now because I think it’s important, both for others who encounter nasty behaviour online and for myself when I next do.

Unfortunately, if you spend enough time online and especially if you’re public enough, this is something you’re going to have to deal with sooner or later. Here’s how I handle it.

I’m writing this outside the context of any recent events for reasons that will become clearer as you read on, but after the last abuse incident I thought I’d finally jot some things down. Mostly this serves as a reference point – something I may direct people to in the future – but I also write many of my blog posts as a way of forcing me to think clearly about a topic and articulate it in a cohesive fashion.

It may not be something that many of you would have expected, but I’ve often found myself at the receiving end of online abuse. As time goes by and I get more exposure or profile or whatever you want to call it that puts me in front of more people, I get more vitriol from online antagonists. Let me explain what I mean by that, the types of abuse I get and how I’ve elected to handle these incidents.

What I think constitutes abuse

Let me clear this up first because I appreciate there’s a degree of subjectivity to all this. The sorts of online abuse I get ranges from minor name-calling to slurs about my competence or professionalism to serious threats related to my personal life (I’ve come close to contacting the police in the past). I’m not going to detail what any of these actually were here as I simply don’t want to give the trolls the airtime (more on that later), but I do want to describe some of the broader behaviours.

What I don’t consider abuse is vehement disagreement with my points of view, finding factual faults with things I’ve written or said that are incorrect or any other sort of constructive argument that I may not agree with, but is aired without malice or spite. It’s the stuff that’s said first and foremost to insult or cause harm that I put in the abuse bucket. This is particularly true when it’s done from behind the veil of anonymity.

Very frequently, this is aired publicly via Twitter, in blog comments on troyhunt.com or via other online channels. Only very occasionally does it come via private means and it has never come verbally either face to face or via the phone. At times where I have actually engaged with the other party and offered to talk to them, the opportunity has never been taken up.

I should also be very clear that this is nothing like the abuse you hear of some people copping online; repeated threats to safety or family, prolonged “campaigns” of torment, racial or sexual abuse – all of that is a world apart from what I’m describing here. What I cop is merely nasty vitriol in comparison. In fact, very often it’s the sort of thing I’m teaching my six-year-old is just inappropriate, nasty behaviour and I’m teaching him this because it’s the sort of thing you expect from kids, not grown adults.

Let me explain some of the grievances that have come up multiple times before and I’m going to address them here once and for all.

I’m “profiting from security”

The very first blog post I wrote was in 2009. The first dollar of any significance I recall making out of security was when my first Pluralsight course went live four years later. There may have been some other inconsequential amounts but what I can say for sure is that until Pluralsight kicked in, 90% plus of my income came from working my arse off in a very corporatey role at Pfizer.

One thing that many people don’t realise is that almost every time I talk at an event – including when I travel to the other side of the world to do it – I don’t earn a cent (there are a small handful of rare exceptions). Actually, I make negative money because a huge amount of time goes into not just the travel, but the preparation as well. Between conferences, podcasts and interviews, I’ve done hundreds of talks and almost never made a cent directly from them. These events are about meeting people and increasing my exposure, not just in terms of me putting my name out there, but me getting exposed to other really smart people. My experience has been that the best way to ultimately be personally successful in this area is to do as much as you can for free!

In more recent years, the work I’ve done has begun to pay well, almost entirely off the back of Pluralsight and the workshops I run. It pays well because it’s in demand; there’s a dearth of good security content targeted at developers and evidently the approach I take to explaining it is popular, something I make no apologies for. Which actually brings me to my next point: who my content is for.

I’m not explaining things “the right way”

Let me give you a perfect example of this: I’ve often seen disparaging comments about the use of the Wifi Pineapple to demonstrate security concepts. I’ll see comments about how it’s trivial or a “script kiddy” tool or how real men build their own devices and so on and so forth. What a lot of people seem to miss – and this predominantly comes from security professionals – is who I’m talking to.

The material I create, whether that be on blogs or at talks or in workshops, is very heavily biased towards software developers. Not only is that my background, but I believe that’s where I can make the most difference to security; at the point where software is being written. In a case like the risks the Pineapple demonstrates, the vast majority of developers are unaware of how easily traffic can be hijacked or the risks behind practices such as loading login forms over HTTP. My goal is to make these concepts easily consumable to them and the most impactful possible way I’ve found to do that is by showing how you can order a $100 device off the web, pull it out of the box and 5 minutes later be hijacking traffic. That resonates more with that audience than rolling your own MitM tools ever will.

I fully appreciate that the way I’m explaining security to developers is not the way some security professionals would like to consume it themselves; it’s not meant to be and the very fact that developers often get exposed to security in ways they have trouble consuming goes a long way to explaining why so many of them have such a poor grasp on it. In fact, that’s the very reason I started getting involved in security many years ago – because of the friction I saw between developers and security teams.

There are people who understand many of the concepts I talk about at a greater depth than I do. Some of them are specialists in various niches, others have simply been focusing on specific things for longer. What I’ve found my strength to be is in explaining concepts in a way that’s consumable by the people I speak to. I hope that makes sense and whilst not everyone will agree with the way I present some of these concepts, they can at least appreciate why I put them forward in that fashion.

“Tall poppy syndrome”

This is a term we hear a lot in Australia and whilst there might be different descriptions for it overseas, it generally means the same thing:

The tall poppy syndrome is a pejorative term primarily used in the United Kingdom, Australia, New Zealand, and other Anglosphere nations to describe a social phenomenon in which people of genuine merit are resented, attacked, cut down, or criticised because their talents or achievements elevate them above or distinguish them from their peers. This is similar to begrudgery, the resentment or envy of the success of a peer.

In other words, people being pissed because you’ve done well. I remember learning this term as a kid when you’d see someone getting cranky because someone else has just driven past in a nice car. I’m not sure if tall poppy syndrome is actually jealousy or just the view that someone else shouldn’t be successful in what they’re doing, but frequently this seems to be the undertone of abusive messages I receive.

Sometimes, the underlying resentment when a positive event occurs is particularly raw. I’ve seen cases where I’ve announced something or had some level of success or positive coverage and amongst the outpouring of absolutely awesome feedback, is one lone dissenting voice. Not a subtle disagreement, but outright vitriol. It’s happened enough times in the past to be something I now expect, yet it never ceases to amaze me just how opposite that voice is to all the other ones.

Abuse like this doesn’t have to be cogent or well-articulated and indeed the position of “I don’t like you because you’ve achieved some level of success” is neither of these things. Yet somehow, antagonists taking this position seem to find time to commit to explaining how little attention others should be paying!

I’m a Microsoft / Lenovo / [anything else] shill

I’m certainly not alone in copping flak for affiliations and I can understand the assumption of me being incentivised to say positive things about companies that give me things, but there’s a fundamental misunderstanding of the order in which these things occur. I’m a Microsoft Regional Director and MVP because I spent years writing about their technologies while receiving nothing from them. I’m a Lenovo Insider because I spent decades buying their gear and sharing my experiences publicly before they gave me a thing.

The irony of some of the abuse I get (and certainly some people do get very angry about my affiliations), is that I’ll be reading about how I’m a Microsoft fanboy whilst using my iPhone (I don’t want a Windows phone) or am beholden to Lenovo while reading that on the W540 I bought with my own hard-earned cash a couple of years ago. Independence and trustworthiness is massively important to me to the point where I push back on anything which has even an inkling of a chance of not being consistent with that. If it’s not something that’s an accurate reflection of my own independent views, I outright refuse and that’s the end of it. It’s that simple.

Funnily enough, I’ve often copped flak (I’ll stop short of calling these incidents “abuse”) about my ongoing promotion of tools like Freedome VPN and 1Password. I’ve never received a cent from either of them and I’ve bought every single version of their respective products at retail prices out of my own wallet! I have no financial incentive, yet I influence people to purchase them simply because they’re very good!

I recently spoke to someone in another position of influence with a similar affiliation to another large tech company and was very surprised at the pressure they had to not be seen with competitors’ equipment. That’s never the case with Microsoft or Lenovo and frankly, we’re all that much better off that the opinions of those of us involved in their programs genuinely are independent, regardless of what those who like to hurl insults from the sidelines may think.

Actions I take when receiving abuse

I’ve changed my approach over the years as I’ve gone through various nasty experiences. Earlier on, I’d be tempted to confront antagonisers and challenge their negative perceptions – reason with them, if you like. Other times I’ve allowed followers to argue with them via channels such as Twitter and blog comments, sometimes I’ve even RT’d their ridiculous comments purely to invite a torrent of defensive comments. These days, I’m trying to be much more passive.

One common thing among these individuals is that they want a fight. They’re out there to argue and debate and do whatever they can to piss you off and consume your time. I now mute them at the first sign of the behaviours I described above. Twitter is easy because there’s literally a mute feature and for anyone else who finds themselves in the same position, I highly recommend this. It’s different to “blocking” them in that they can still see my timeline and as far as they know, I just haven’t seen their message or I’m ignoring it – the joy of muting is that they don’t know. Blocking is more “passive aggressive” and it’s implicit engagement; IMHO, simply ignoring them from the outset is less confrontational. If it’s comments on other blogs or social sites, I self-mute or in other words, I simply don’t go back to that discussion. I make a conscious decision that doing so would be counterproductive and I simply tune out and go do something constructive.

Comments on my own blog are different, simply because that’s my place and like others who run a blog, I get to decide what stays and what goes. After a nasty incident some years back, I created a page titled Comments on troyhunt.com which I link to just next to the comments section on each blog post. The bottom line is that if someone is abusive then I’ll delete the comment and likely ban them. I’ve already clarified what I mean by abuse and in blog comments it’s often insults or cheap shots without even an attempt to add something constructive to the discussion. I don’t have any moderation before a comment goes live because I want people to come to my blog and discuss the content there, but when the goal of the comment is purely to antagonise without adding value to the content then that’s it – it’s gone.

When I look back at how I’ve handled previous incidents of online abuse, there are times where I wish I hadn’t engaged. Perhaps the person was literally having the worst day of their life or had gone through a few too many glasses of the merlot or maybe they were just proverbially kicking the dog. There were occasions where my engaging with them didn’t work out well for either of us; for me because I wasted time debating with them when I could have been doing useful things, for them in various other ways which they likely now regret.

By pure coincidence, after writing this but before publishing, I read this about Robert Scoble:

[Screenshot: Nasty comment about Robert Scoble]

This is just nasty. I’d stop short of calling it abusive, but it’s the sort of behaviour that makes the guy look like a dick. No qualification of what it is about Robert he doesn’t like, nothing constructive or insightful, just a nasty comment that many people would find hurtful. That’s not out of the ordinary, but it’s Robert’s response that really resonated:

[Screenshot: Robert Scoble responding like a pro - and a gentleman]

And this is precisely the point: there will be whingers who for no apparent reason just want to rant. No matter how well-regarded you become at what you do (or perhaps because of it), this stupid behaviour will appear and you can’t help but feel a little bit sorry for the individual who resorts to it. I’m secure enough that I can happily ignore it and I’m not going to devote emotional energy to them which could be used to actually do good things.

Also, read both the cranky guy’s comments and Robert’s response – you actually come away from that with a greater respect for Scoble despite the original negative comment. In fact, for the vast majority of us, cranky guy has caused precisely the opposite effect to what he set out to achieve; he looks like a dick and his target comes out looking level-headed and having earned a new degree of respect from a bunch of people, myself included.

Here’s a question to ask yourself if you recognise your own behaviour in any of this: would you willingly approach me face to face at a conference and say the same thing? Would you look me in the eye and repeat the abuse with the same conviction as you do – often anonymously – from behind the keyboard? If the answer is “no” then think about how invested you really are in your views and if perhaps it’s something you shouldn’t be saying in the first place.

Often these individuals are just exercising bravado that deserts them once they’re away from either anonymity or the perceived invisibility that being on the other end of an internet connection gives them. Their better judgement and common decency is put aside in ways it simply wouldn’t be were they not behind those veneers. But whilst they’re behind the “protection” of an IP address and feeling as though they have no accountability, there’s very little point in debating things; rational conversation is the last thing they’re interested in.

It’s literally a small fraction of 1% of people I interact with who decide to behave in this way and that’s likely representative of most people at the receiving end of this sort of behaviour. So for me – and my advice to others as well – is that the right approach is unless it becomes an issue you simply can’t avoid confronting, do your utmost to ignore it and move on. Angry or antagonistic people like an audience, better you don’t give them one and they go elsewhere to find it.

The best defence: go and do awesome things!

There will always be cranky people who just want to get under your skin. We’ve no doubt all had that in the school yard before and many of us have had it in the workplace too. Online is a different story though and one of the best possible things you can do is drown out the negative noise with positive things.

I can’t recall who I heard originally say it, but I distinctly recall a quote very similar to this:

You can’t remove all negative things about you from the internet, the best thing you can do is to flood the web with positive things

And that’s precisely what I intend to keep doing. In fact the abuse is motivation to go out and do great things that people love and want to share positive feedback about; more talks, more courses, more support for data breach victims via Have I been pwned – all of this makes the 99.x% of people I interact with on the web happy and that remaining fraction of a percent will simply need to accept that their abuse is being drowned out to the point where very often, I simply never even know it’s occurred.

October 17, 2016 at 09:43AM
via Troy Hunt’s Blog http://ift.tt/2enGpXo

Where WhatsApp Went Wrong: EFF’s Four Biggest Security Concerns

By Bill Budington and Gennie Gebhart

After careful consideration, we have decided to add additional warnings and caveats about using WhatsApp to our Surveillance Self Defense guide.

No technology is 100 percent secure for every user, and there are always trade-offs among security, usability, and other considerations. In Surveillance Self Defense (SSD), we aim to highlight reliable technologies while adding caveats to explain how their various strengths and weaknesses affect user privacy and security. In the case of WhatsApp, it is getting harder and harder to adequately explain its pitfalls in a way that is clear, understandable, and actionable for users. This is especially true since WhatsApp’s announcement that it would be changing their user agreement regarding data sharing with the rest of Facebook’s services.

This is unfortunate precisely because of WhatsApp’s security strengths. Under the hood, WhatsApp uses the best-in-breed for encrypted messaging: the Signal Protocol. This gives a high assurance that messages between you and your contacts are encrypted such that even WhatsApp can’t read them, that your contacts’ identities can be verified, and that even if someone steals your encryption keys and is able to tap your connection, they can’t decrypt messages you’ve already sent. In crypto parlance, these guarantees are termed end-to-end encryption, authenticity, and forward secrecy.

We take no issue with the way this encryption is performed. In fact, we hope that the protocol WhatsApp uses becomes more widespread in the future. Instead, we are concerned about WhatsApp’s security despite the best efforts of the Signal Protocol. Every application includes various components: the user interface, the code that interacts with the operating system, the business model behind the whole operation—and secure messaging apps are no exception. The changes in this surrounding functionality are where we have identified various places where a user can dangerously overestimate WhatsApp’s security.

Below we describe our four greatest concerns in more detail.

Unencrypted backups

WhatsApp provides a mechanism to back messages up to the cloud. In order to back messages up in a way that makes them restorable without a passphrase in the future, these backups need to be stored unencrypted at rest. Upon first install, WhatsApp prompts you to choose how often you wish to back up your messages: daily, weekly, monthly, or never. In SSD, we have advised users to never back up their messages to the cloud, since that would deliver unencrypted copies of your message log to the cloud provider. In order for your communications to be truly secure, any contact you chat with must do the same.

Key change notifications

If the encryption key of a contact changes, a secure messaging app should notify you and prompt you to accept the change. On WhatsApp, however, if your contact changes keys, this fact is hidden away by default. To be notified, users have to search for the setting “Security Notifications” (found under “Security” in the “Account” section of your user settings) and manually switch it on.

Key verification is critical to prevent a Man in the Middle attack, in which a third party pretends to be a contact you know. In this attack scenario, the third party sits in the middle of your connection and convinces your device to send messages to them instead of your contact, all the while decrypting those messages, possibly modifying them, and sending them along to your original, intended recipient. If your contact’s key changes suddenly, this could be an indication that you are being man-in-the-middled (though typically it’s just because your contact has bought a new phone and re-installed the app).
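The behaviour this section asks for, shown as an added example that is not WhatsApp's or Signal's code: a trust-on-first-use store that pins each contact's identity key, reports a different key instead of silently swapping it in, and derives a code both parties can read to each other out of band. The `safety_code` construction, the `KeyStore` class and the sample keys are assumptions made for this demo, not the real safety-number algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample identity keys (not real keys): the contact's first key,
# and the key seen after a hypothetical reinstall or an interposed party.
ALICE_KEY_V1 = bytes(range(32))
ALICE_KEY_V2 = bytes(range(1, 33))
BOB_KEY = bytes(range(100, 132))


def safety_code(id_a: str, key_a: bytes, id_b: str, key_b: bytes) -> str:
    """Hypothetical out-of-band verification code (an assumption for this
    demo, not Signal's safety-number construction). Sorting the two
    (identity, key) pairs first means both sides compute the same string."""
    h = hashlib.sha256()
    for ident, key in sorted([(id_a, key_a), (id_b, key_b)]):
        h.update(ident.encode())
        h.update(len(key).to_bytes(2, "big"))
        h.update(key)
    digest = h.digest()
    # Twelve five-digit groups: something two people can read to each other.
    groups = [
        str(int.from_bytes(digest[2 * i:2 * i + 2], "big") % 100000).zfill(5)
        for i in range(12)
    ]
    return " ".join(groups)


@dataclass
class KeyStore:
    """Trust-on-first-use store: the first key seen for a contact is pinned;
    a later, different key is reported, never swapped in silently."""
    pinned: dict = field(default_factory=dict)      # contact -> identity key
    verified: set = field(default_factory=set)      # contacts checked out of band
    notifications: list = field(default_factory=list)

    def observe(self, contact: str, key: bytes) -> str:
        old = self.pinned.get(contact)
        if old is None:
            self.pinned[contact] = key
            return "first-use"
        if hmac.compare_digest(old, key):
            return "unchanged"
        # A changed key is usually a new phone or a reinstall, but it is also
        # exactly what an interposed party looks like, so surface it and drop
        # any earlier out-of-band verification until the user re-checks.
        self.notifications.append((contact, old.hex(), key.hex()))
        self.verified.discard(contact)
        return "changed"

    def accept_change(self, contact: str, key: bytes) -> None:
        """Called only after the user has seen the notification and agreed."""
        self.pinned[contact] = key

    def mark_verified(self, contact: str, my_id: str, my_key: bytes,
                      code_read_by_contact: str) -> bool:
        """Compare the code the contact read out against our pinned key for them."""
        expected = safety_code(my_id, my_key, contact, self.pinned[contact])
        ok = hmac.compare_digest(expected, code_read_by_contact)
        if ok:
            self.verified.add(contact)
        return ok


def demo() -> list:
    """Bob's client watches Alice's key across three sessions."""
    store = KeyStore()
    events = [store.observe("alice", ALICE_KEY_V1), store.observe("alice", ALICE_KEY_V1)]
    # Alice reads Bob her code; it matches, so Bob marks her as verified.
    alice_code = safety_code("alice", ALICE_KEY_V1, "bob", BOB_KEY)
    store.mark_verified("alice", "bob", BOB_KEY, alice_code)
    # A different key shows up: reported, and the earlier verification is void.
    events.append(store.observe("alice", ALICE_KEY_V2))
    events.append("verified" if "alice" in store.verified else "unverified")
    return events


if __name__ == "__main__":
    print(demo())  # ['first-use', 'unchanged', 'changed', 'unverified']
```

The store never replaces a pinned key on its own; `accept_change` exists so that the replacement is an explicit user decision taken after seeing the notification, which is the opposite of the hidden-by-default behaviour the section describes.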

Web app

WhatsApp provides an HTTPS-secured web interface for users to send and receive messages. As with all websites, the resources needed to load the application are delivered each and every time you visit that site. So, even if there is support for crypto in the browser, the web application can easily be modified to serve a malicious version of the application upon any given pageload, which is capable of delivering all your messages to a third party. A better, more secure option would be to provide desktop clients in the form of extensions rather than a web interface.
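To make the "delivered each and every time" problem concrete, here is an added example (not WhatsApp's code) that models what a browser's Subresource Integrity check can and cannot do for a web client. The bundles, the HTML snippets and the `app.js` name are constructed for the demo; the verification rule follows the SRI specification (only the strongest listed algorithm counts, any of its digests may match, and a missing attribute means no check).

```python
import base64
import hashlib
import re

# Browser SRI supports these; if several are listed, only the strongest counts.
SRI_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample bundles: the genuine one, and an altered one served on a later visit.
GOOD_BUNDLE = b"/* constructed sample app bundle */ sendEncrypted(msg);\n"
MODIFIED_BUNDLE = b"/* constructed sample: altered bundle */ sendEncrypted(msg); /* ... */\n"


def sri_digest(resource: bytes, algo: str = "sha384") -> str:
    """Value a <script integrity=...> attribute carries for this resource."""
    raw = SRI_ALGOS[algo](resource).digest()
    return f"{algo}-{base64.b64encode(raw).decode()}"


def parse_integrity(value: str) -> list:
    """Split an integrity attribute into (algo, base64) pairs; unknown
    algorithms and trailing ?options are ignored, as the browser does."""
    pairs = []
    for token in value.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def sri_check(resource: bytes, integrity: str) -> bool:
    """Mirror the browser rule: with no usable digest there is no check at
    all; otherwise keep only the strongest algorithm listed and pass if any
    of its digests matches the fetched bytes."""
    pairs = parse_integrity(integrity)
    if not pairs:
        return True
    best = max(STRENGTH[algo] for algo, _ in pairs)
    accepted = {digest for algo, digest in pairs if STRENGTH[algo] == best}
    algo = next(algo for algo, _ in pairs if STRENGTH[algo] == best)
    return sri_digest(resource, algo).split("-", 1)[1] in accepted


def integrity_from_html(html: str, src: str) -> str:
    """Find the integrity attribute the page declares for a given script src."""
    for tag in re.findall(r"<script\b[^>]*>", html):
        if re.search(r'\bsrc="%s"' % re.escape(src), tag):
            m = re.search(r'\bintegrity="([^"]*)"', tag)
            return m.group(1) if m else ""
    return ""


def page_load(html: str, served_bundle: bytes, src: str = "app.js") -> str:
    """One visit: the HTML arrives fresh, then the bundle; the browser
    enforces only whatever that fresh HTML declares."""
    return "loaded" if sri_check(served_bundle, integrity_from_html(html, src)) else "blocked"


ORIGINAL_HTML = f'<html><script src="app.js" integrity="{sri_digest(GOOD_BUNDLE)}"></script></html>'
REPLACED_HTML = f'<html><script src="app.js" integrity="{sri_digest(MODIFIED_BUNDLE)}"></script></html>'


def scenarios() -> dict:
    return {
        # Honest server: genuine HTML and genuine bundle.
        "honest": page_load(ORIGINAL_HTML, GOOD_BUNDLE),
        # Only the bundle differs (say, a separate CDN host): SRI catches it.
        "bundle_swapped": page_load(ORIGINAL_HTML, MODIFIED_BUNDLE),
        # Whoever serves the HTML also rewrites the integrity value: nothing in
        # the browser notices, which is the web-app weakness the text describes.
        "html_and_bundle_swapped": page_load(REPLACED_HTML, MODIFIED_BUNDLE),
    }


if __name__ == "__main__":
    print(scenarios())
```

The third scenario is the point: SRI ties a script to the HTML that references it, but a web application re-fetches that HTML on every visit, so the party serving it can change both together. A desktop client or extension is installed once and updated through its own channel rather than re-served per page load, which is why the post prefers that form.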

Facebook data sharing

WhatsApp’s recent privacy policy update announced plans to share data with WhatsApp’s parent company Facebook, signalling a concerning shift in WhatsApp’s attitude toward user privacy. In particular, the open-ended, vague language in the updated privacy policy raises questions about exactly what WhatsApp user information is or is not shared with Facebook. WhatsApp has publicly announced plans to share users’ phone numbers and usage data with Facebook for the purpose of serving users more relevant friend recommendations and ads. While existing WhatsApp users are given 30 days to opt out of this change in their Facebook user experience, they cannot opt out of the data sharing itself. This gives Facebook an alarmingly enhanced view of users’ online communications activities, affiliations, and habits.

Ways forward

WhatsApp and Facebook could take some simple steps to restore our confidence in their product.

  • Simplify WhatsApp’s user interface for turning on strong privacy. A slider that would switch on all of the protective options—such as disabling backups, enabling key change notifications, and opting out of aspects of data sharing—would make it far easier for users to take control of their security.

  • Make a public statement about exactly what kinds of data will be shared between WhatsApp and Facebook and how it will be used. WhatsApp needs to take certain future uses of its data permanently off the table by defining what it will—and, just as importantly, will not—do with the user information it collects.

Until such changes are made, we have to warn users to take extra caution when deciding whether and when to communicate using WhatsApp. If you decide to use WhatsApp, see our SSD guides for Android and iOS for more information on how to change your settings to protect your security and privacy.

October 13, 2016 at 06:03PM
via Deeplinks http://ift.tt/2e0Hqa9

Remember: Yahoo helped the US government spy on users for years, and they can’t be the only ones

By Caleb Chen

Yahoo spied on users, even American citizens, at the behest of the United States government. As everyone hopefully already knows, according to Reuters sources, a NSA (and/or FBI) backed surveillance program was implemented at Yahoo that actively searched the content of every email passing through its servers. That means everything you sent to or received from a Yahoo email has been screened at least once by this point. Sources claim that an already-implemented child pornography screening program was adapted to screen for keywords related to terrorism and national security.

Yahoo has been helping the government spy on email users for years

In the past, Yahoo has been found to do some very shady things in as many loopholes as possible at the behest of the US government. In one instance, a drug conviction was upheld after it was revealed that when a user deletes an email from Yahoo… Yahoo doesn’t actually delete all the copies of that email: A copy is still kept by the company, despite a cleverly worded privacy policy that seems to say contrary, for law enforcement archiving and searching purposes. Now (years ago really), they have leveled up from searching old records of messages to peeping at your communications in real-time.

They aren’t really denying it

Articles about the Yahoo incident, which also appeared (ironically) on Yahoo Finance, state that:

“The article is misleading. We narrowly interpret every government request for user data to minimize disclosure. The mail scanning described in the article does not exist on our systems.”

Of course, choosing to use the word misleading instead of incorrect means that there was some truth to the story, and the statement seems like all but admission that such mail scanning as “described in the article” did exist on their systems at some point.

According to press, there are further revelations coming out from internal sources at Yahoo which reveal that CEO Marissa Mayer had hidden this massive spying project from key people. Yahoo's former security head left, in part due to this spying scandal, and is now working at Facebook. The truth of this horrendous privacy scandal has yet to fully come to light, but calls for more information have been growing ever louder.

The EFF has called for Yahoo to make public the gagged court order that led to all this. Senator Wyden has also joined that call. Considering that Yahoo made history earlier this year by releasing two national security letters to the public once the federal gag order had expired, you’d think Yahoo would be all over this.

They aren’t the only ones

The current legal structure allows, and perhaps even encourages, government agencies such as the NSA and FBI to use Internet companies to engage in practices that would otherwise be unconstitutional. It is, as always, up to individual tech companies to

NSA whistleblower Edward Snowden, who perhaps understands the issue at hand better than most, had stark warning words for the public following The Intercept’s release:

Only a few email services sought to assuage their users – and none of them were particularly convincing. Twitter, Microsoft, and Google were among the companies that answered Snowden’s call.

The post Remember: Yahoo helped the US government spy on users for years, and they can’t be the only ones appeared first on Privacy Online News.

October 13, 2016 at 09:44PM
via Privacy Online News http://ift.tt/2dnCUBo

Scotland Yard, Terrorism, and Encryption: How wording of charges contain hidden layers designed to shape public opinion

By Rick Falkvinge

Several people objected to the claim that “Scotland Yard says HTTPS is terrorism” by asserting that Scotland Yard is following the law to the letter. Maybe they are, but that wasn’t the point of the rather harsh (and admittedly oversummarizing) headline the other day – the point is that the terrorism case discussed has very nasty undertones that need to be understood, addressed, and countered. This is best understood through examples from other times.

Two days ago, I posted about Scotland Yard’s case against an alleged terrorist, and how part of the terrorism charges were for the act of “developing an encrypted version of a blog site”, which sounds like publishing a WordPress over HTTPS. It probably is publishing a WordPress over HTTPS, but even if it weren’t, those charges could easily describe that act going forward, once this case is settled.

Let’s look at the charge as listed again.

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.

Those who objected to my interpretation are pointing out – and are justified in doing so – that in legalese, this should be read with the intent to perform actions that aid and abet as the primary crime of terrorism, and the description of the actual actions secondary, as such (my highlights):

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.

Rearranging a few words, this becomes “engaged in preparation for giving effect to assisting another or others to commit acts of terrorism”, which is easier on the eyes.

In thus objecting, these people are therefore entirely correct, but are missing the point: for if the above is true, if the above wording is sufficient, why isn’t that what Scotland Yard lists as the charge, instead of choosing something much more wordy? Why all those extra words? Is it just a courtesy to the understimulated Court, to give them some more material to read? No, obviously not. This is hard to see in one’s own context, so let’s instead compare to how the charge would read if it had been presented in the 1920s, and concerned aiding and abetting by providing entertainment (my highlights, changes, and redactions):

Count 3: Preparation for terrorism. Between 31 December 1925 and 22 September 1926 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by listening to samples of jazz music, composing jazz versions of classical music, and performing jazz music in front of an audience. Contrary to section 5 Terrorism Act 1926.

It becomes clearer now, doesn’t it? The above specifications of acts should have read just “preparing entertainment sessions” or something similar. There are certain words, that are typical for the era and what the establishment dislikes in that era, that just don’t belong in the description of what’s criminal – in this case, jazz.

(As a side note before moving forward, I’m not entirely sure that it’s correct to state that an intent to aid and abet terrorist acts is sufficient to be prosecuted for terrorism – it usually requires some sort of material assistance toward a specific deed; the thought alone is insufficient. Then again, there has been a barrage of “anti-terrorism” laws in the past decade, none of which make terrorism more illegal in any way, shape, or form; they are better described as “anti-due-process-for-people-we-don’t-like” laws. This barrage erodes many of the usual assumptions you could normally make about criminal law, presumption of innocence, and the burden of proof, so it’s possible Scotland Yard is legally in the right as the letter of the law stands today, even where something isn’t terrorism but can be claimed to possibly be used for it, or something similar. Side note.)

So here’s what Scotland Yard is communicating in the second layer, in the undertones (my highlights and redactions):

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.

Again, it becomes clearer now, doesn’t it? Scotland Yard really is saying that encryption is terrorism — but not overtly. It’s more hinting at it. It’s creating associations. Quite deliberately. This is how PR works; this is literally “shaping public opinion 101”.

In comparison, this is how somebody from the net generation who doesn’t see encryption best practices as something odd, harmful, or plain undesirable would probably have worded the same thing:

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching appropriate communications channels, developing and deploying communications channels, and providing instructions for using said communications channels. Contrary to section 5 Terrorism Act 2006.

You will notice that this wording contains the same material acts, but omits the unnecessary word encryption, as it’s simply best practice to apply it in all those cases – encryption is and should be the default in all communications, with its opposite, cleartext, pointed out instead. So, no. Scotland Yard included the word encryption in the charge for a very deliberate reason, and a court processing the charge is going to pick up on that word and consider it an aggravating factor, just as Scotland Yard intended – just as would have been the case with jazz music in the 1920s.

It’s not supposed to work that way, but it does work that way.

Privacy remains your own responsibility. Encrypt.

The post Scotland Yard, Terrorism, and Encryption: How wording of charges contain hidden layers designed to shape public opinion appeared first on Privacy Online News.

October 13, 2016 at 10:13AM
via Privacy Online News http://ift.tt/2dLEmOH