Privacy

Hacking the US Prescription System 47

Posted by timothy
from the quite-a-dose-you're-taking dept.
An anonymous reader writes: It appears that most pharmacies in the US are interconnected, and a breach in one leads to access to the other ones. A security advisory released [Friday] shows how a vulnerability in an online pharmacy granted access to prescription history for any US person with just their name and date of birth. From the description linked above: During the signup process, PillPack.com prompts users for their identifying information. At the end of the signup process, the user is shown a list of their existing prescriptions in all other pharmacies in order to make the process of transferring them to PillPack.com easier. ... To replicate this issue, an attacker would be directed to the PillPack.com website and choose the signup option. As long as the full name and the date of birth entered during signup match the target, the attacker will gain access to the target's full prescription history.
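The flaw above is a knowledge-based check built on identifiers that are not secret: a full name and a date of birth are public record for most people, so matching them proves nothing about who is asking. The snippet below is an added illustration of that pattern and of one hardened alternative; it is not PillPack's code, and the in-memory record store, the out-of-band delivery callback and the name normalisation are assumptions made for the example. The hardened version uses name and date of birth only to select a candidate record, releases nothing until a one-time code sent to the contact already on file is echoed back, answers identically whether or not a record exists (so the endpoint is not an existence oracle), and caps guesses on the code.

```python
"""Why 'name + date of birth' is not authentication, and one way to do
it properly.  Added example, not PillPack's code: RECORDS, the deliver()
callback and _norm() are assumptions for illustration only."""
import hmac
import secrets
import time
import unicodedata

# Constructed sample record; a real system reads this from the pharmacy backend.
RECORDS = {
    ("jane doe", "1980-04-12"): {
        "contact": "+1-555-0100",
        "history": ["lisinopril 10mg", "metformin 500mg"],
    },
}


def _norm(name):
    """Case- and accent-insensitive name key so that 'Jane  DOE' matches."""
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(name.lower().split())


def lookup_insecure(name, dob):
    """The pattern the advisory describes: publicly knowable facts about the
    victim (full name, date of birth) are the only thing that unlocks the data."""
    rec = RECORDS.get((_norm(name), dob))
    return rec["history"] if rec else None


class VerifiedLookup:
    """Name + DOB only *selects* a candidate record.  The history is released
    only after a one-time code delivered to the contact already on file is
    presented, so knowing the public identifiers is not enough."""

    CODE_TTL = 300        # seconds a challenge stays valid
    MAX_ATTEMPTS = 3      # wrong guesses before the challenge is burned

    def __init__(self, deliver, now=time.time):
        self._deliver = deliver          # callable(contact, code) -> None (assumed hook)
        self._now = now
        self._pending = {}               # challenge id -> [key, hmac tag, expiry, attempts]
        self._secret = secrets.token_bytes(32)

    def _tag(self, code):
        # Store an HMAC of the code, never the code itself.
        return hmac.new(self._secret, code.encode(), "sha256").digest()

    def start(self, name, dob):
        """Always returns a challenge id, whether or not the record exists,
        so the response cannot be used to confirm that a person is a customer."""
        key = (_norm(name), dob)
        rec = RECORDS.get(key)
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        if rec is not None:
            self._deliver(rec["contact"], code)   # out of band, to the contact on file
        self._pending[challenge_id] = [key, self._tag(code), self._now() + self.CODE_TTL, 0]
        return challenge_id

    def finish(self, challenge_id, code):
        """Return the history for a correct, unexpired, single-use code; else None."""
        state = self._pending.get(challenge_id)
        if state is None:
            return None
        key, tag, expiry, attempts = state
        if self._now() > expiry or attempts >= self.MAX_ATTEMPTS:
            del self._pending[challenge_id]
            return None
        state[3] += 1
        if not hmac.compare_digest(self._tag(code), tag):
            return None
        del self._pending[challenge_id]          # one-shot: a code cannot be replayed
        rec = RECORDS.get(key)
        return rec["history"] if rec else None
```

The important design point is not the code itself but what it is bound to: the verification goes to a channel the pharmacy already associates with the record, so an attacker who knows a victim's name and birthday still has to control the victim's phone or mailbox to read anything.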
Mozilla

Mozilla Begins To Move Towards HTTPS-Only Web 308

Posted by Soulskill
from the driving-web-privacy dept.
jones_supa writes: Mozilla is officially beginning to phase out non-secure HTTP to prefer HTTPS instead. After a robust discussion on the mailing list, the company will boldly start removing capabilities of the non-secure web. There are two broad elements of this plan: setting a date after which all new features will be available only to secure websites, and gradually phasing out access to browser features for non-secure websites, especially regarding features that pose risks to users' security and privacy. This plan still allows for usage of the "http" URI scheme for legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the "http" scheme can be automatically translated to "https" by the browser, and thus run securely. The goal of this effort is also to send a message to the web developer community that they need to be secure. Mozilla expects to make some proposals to the W3C WebAppSec Working Group soon.
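The two mechanisms named above do the http-to-https translation in different places: HSTS is a per-host policy the browser remembers from a Strict-Transport-Security header it saw on an earlier HTTPS response (so it does nothing on the very first, plain-HTTP visit unless the host is preloaded), while upgrade-insecure-requests is a CSP directive on the page being rendered that upgrades that page's own subresource and navigation URLs regardless of any HSTS state. The model below is an added example, not Mozilla's code; the hostnames, header values and clock are constructed for illustration. It implements the host-matching rules that matter in practice: includeSubDomains makes a parent's policy cover its children, max-age is honoured and expires, max-age=0 deletes a policy, and an explicit port 80 becomes 443 while other ports are preserved.

```python
"""Model of how a browser turns http:// into https:// via HSTS and the
upgrade-insecure-requests CSP directive.  Added example, not Mozilla's
code; hosts, headers and the clock are constructed for illustration."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Per-host HSTS policies, keyed by lowercase host, as a browser keeps them."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, sts_header):
        """Record a Strict-Transport-Security header received over HTTPS.
        Browsers ignore the header on plain-HTTP responses, so callers must
        only pass headers from HTTPS responses."""
        max_age = None
        include_sub = False
        for directive in sts_header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed max-age: the whole header is ignored
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory (RFC 6797)
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 removes the policy
        else:
            self._policies[host] = (self._now() + max_age, include_sub)

    def is_known(self, host):
        """True if the host itself, or a parent domain whose policy carries
        includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= self._now():
                continue
            if i == 0 or include_sub:
                return True
        return False


def rewrite_url(url, store, page_csp=""):
    """Return the URL the browser will actually fetch.

    http:// becomes https:// when the host is in the HSTS store or when the
    page that references the URL sent a CSP containing
    upgrade-insecure-requests.  Anything else is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    directives = {d.strip().lower() for d in page_csp.split(";")}
    if "upgrade-insecure-requests" in directives or store.is_known(parts.hostname or ""):
        netloc = parts.netloc
        if netloc.endswith(":80"):
            netloc = netloc[:-3]  # explicit :80 maps to the https default; other ports stay
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url
```

A practitioner checking a deployment can reproduce the trust-on-first-use gap with this model: before observe() has seen the header, rewrite_url() leaves the http URL alone, which is exactly the window HSTS preloading exists to close.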
Government

NSA Reform Bill Backed By Both Parties Set To Pass House of Representatives 118

Posted by Soulskill
from the don't-stop-yelling dept.
HughPickens.com writes: The NY Times reports that after more than a decade of wrenching national debate over the intrusiveness of government intelligence agencies, a bipartisan wave of support has gathered to sharply limit the federal government's sweeps of phone and Internet records. A bill that would overhaul the Patriot Act and curtail the metadata surveillance exposed by Edward Snowden overwhelmingly passed the House Judiciary Committee by a vote of 25-2, and is heading to almost certain passage in the House of Representatives. An identical bill in the Senate — introduced with the support of five Republicans — is gaining support over the objection of Senate Majority Leader Mitch McConnell, who is facing the prospect of his first policy defeat since ascending this year to majority leader. "The bill ends bulk collection, it ends secret law," says Rep. Jim Sensenbrenner, the original author of the Patriot Act who has now helped author the Freedom Act. "It increases the transparency of our intelligence community and it does all this without compromising national security."

The Patriot Act is up for its first reauthorization since the revelations about bulk data collection. The impending June 1 deadline for reauthorization, coupled with an increase of support among members of both parties, pressure from technology companies and a push from the White House, have combined to make changes to the provisions more likely. The Snowden disclosures, along with data breaches at Sony Pictures, Target and the insurance giant Anthem, have unsettled voters and empowered those in Congress arguing for greater civil liberties protection — who a few years ago "could have met in a couple of phone booths," says Senator Ron Wyden. The Freedom Act very nearly passed both chambers of Congress last year, but it failed to garner the 60 votes to break a filibuster in the Senate. It fell short by two votes.

However, some say the bill doesn't go far enough. The bill leaves intact surveillance programs conducted by the Drug Enforcement Agency and levies high penalties against those offering "material support" to terrorists. It also renews the expiring parts of the Patriot Act through 2019. "This bill would make only incremental improvements, and at least one provision – the material-support provision – would represent a significant step backwards," says American Civil Liberties Union Deputy Legal Director Jameel Jaffer. "The disclosures of the last two years make clear that we need wholesale reform."
Security

Once a Forgotten Child, OpenSSL's Future Now Looks Bright 75

Posted by samzenpus
from the shot-in-the-arm dept.
Trailrunner7 writes: Rarely does anything have a defined turning point in its history, a single day where people can point and say that was the day everything changed. For OpenSSL, that day was April 7, 2014, the day that Heartbleed became part of the security lexicon. Heartbleed was a critical vulnerability in the venerable crypto library. OpenSSL is everywhere, in tens of thousands of commercial and homespun software projects. And so too, as of last April, was Heartbleed, an Internet-wide bug that leaked enough memory that a determined hacker could piece together anything from credentials to encryption keys.

"Two years ago, it was a night-and-day difference. Two years ago, aside from our loyal user community, we were invisible. No one knew we existed," says Steve Marquess, cofounder, president and business manager of the OpenSSL Foundation, the corporate entity that handles commercial contracting for OpenSSL. "OpenSSL is used everywhere: hundreds, thousands of vendors use it; every smartphone uses it. Everyone took that for granted; most companies have no clue they even used it." To say OpenSSL has been flipped on its head—in a good way—is an understatement.

Heartbleed made the tech world realize that the status quo wasn't healthy to the security and privacy of ecommerce transactions and communication worldwide. Shortly after Heartbleed, the Core Infrastructure Initiative was created, uniting The Linux Foundation, Microsoft, Facebook, Amazon, Dell, Google and other large technology companies in funding various open source projects. OpenSSL was the first beneficiary, getting enough money to hire Dr. Steve Henson and Andy Polyakov as its first full-timers. Henson, who did not return a request to be interviewed for this article, is universally known as the one steady hand that kept OpenSSL together, an unsung hero of the project who along with other volunteers handled bug reports, code reviews and changes.
Encryption

FBI Slammed On Capitol Hill For "Stupid" Ideas About Encryption 170

Posted by samzenpus
from the stupid-is-as-stupid-does dept.
blottsie writes: At a hearing in Washington, D.C., on Wednesday, the FBI endured outright hostility as both technical experts and members of Congress from both parties roundly criticized the law enforcement agency's desire to place so-called back doors into encryption technology. "Creating a technological backdoor just for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), a Stanford University computer science graduate. "That's just stupid. Our founders understood that an Orwellian overreaching government is one of the most dangerous things this world could have," Lieu said.
Encryption

Why Crypto Backdoors Wouldn't Work 105

Posted by Soulskill
from the because-math dept.
An anonymous reader writes: Your devices should come with a government backdoor. That's according to the heads of the FBI, NSA, and DHS. There are many objections, especially that backdoors add massive security risks.

Would backdoors even be effective, though? In a new writeup, a prominent Stanford security researcher argues that crypto backdoors "will not work." Walking step-by-step through a hypothetical backdoored Android, he argues that "in order to make secure apps just slightly more difficult for criminals to obtain, and just slightly less worthwhile for developers, the government would have to go to extraordinary lengths. In an arms race between cryptographic backdoors and secure apps, the United States would inevitably lose."
Privacy

New Privacy Threat: Automated Vehicle Occupancy Detection 140

Posted by Soulskill
from the shades-of-minority-report dept.
An anonymous reader writes: The Electronic Frontier Foundation is warning against a new potential privacy threat: cameras that look inside cars and try to identify how many people are inside. This technology is a natural combination of simpler ones that have existed for years: basic object recognition software and road-side cameras (red light cameras, speeding cameras, license plate readers — you name it). Of course, we can extrapolate just a bit further, and point out that as soon as the cameras have high enough resolution, they can start running face recognition algorithms on the images, and determine the identities of a vehicle's occupants.

"The San Diego Association of Governments (SANDAG), a government umbrella group that develops transportation and public safety initiatives across the San Diego County region, estimates that 15% of drivers in High Occupancy Vehicle (HOV) lanes aren't supposed to be there. After coming up short with earlier experimental projects, the agency is now testing a brand new technology to crack down on carpool-lane scofflaws on the I-15 freeway. ... In short: the technology is looking at your image, the image of the people you're with, your location, and your license plate. (SANDAG told CBS the systems will not be storing license plate data during the trial phase and the system will, at least for now, automatically redact images of drivers and passengers. Xerox's software, however, allows police the option of using a weaker form of redaction that can be reversed on request.)"
The Courts

Texas Admonishes Judge For Posting Facebook Updates About Her Trials 95

Posted by samzenpus
from the was-that-wrong? dept.
An anonymous reader writes: Michelle Slaughter, a Galveston County judge, says she will appeal a public admonition from state officials that criticized her Facebook posts about cases brought before her court. From the article: "The State Commission on Judicial Conduct ordered Michelle Slaughter, a Galveston County judge, to enroll in a four-hour class on the 'proper and ethical use of social media by judges.' The panel concluded that the judge's posts cast 'reasonable doubt' on her impartiality. At the beginning of a high-profile trial last year in which a father was accused of keeping his nine-year-old son in a six-foot by eight-foot wooden box, the judge instructed jurors not to discuss the case against defendant David Wieseckel with anyone. 'Again, this is by any means of communication. So no texting, e-mailing, talking person to person or on the phone or on Facebook. Any of that is absolutely forbidden,' the judge told jurors. But Slaughter didn't take her own advice, leading to her removal from the case and a mistrial. The defendant eventually was acquitted of unlawful-restraint-of-a-child charges."
Privacy

Supreme Court To Consider Data Aggregation Suit Against Spokeo 62

Posted by samzenpus
from the getting-the-numbers-right dept.
BUL2294 writes: Consumerist and Associated Press are reporting that the Supreme Court has taken up the case of Spokeo, Inc. v. Robins — a case where Spokeo, as a data aggregator, faces legal liability and Fair Credit Reporting Act violations for providing information on Thomas Robins, an individual who has not suffered "a specific harm" directly attributable to the inaccurate data Spokeo collected on him.

From SCOTUSblog: "Robins, who filed a class-action lawsuit, claimed that Spokeo had provided flawed information about him, including that he had more education than he actually did, that he is married although he remains single, and that he was financially better off than he actually was. He said he was unemployed and looking for work, and contended that the inaccurate information would make it more difficult for him to get a job and to get credit and insurance." So, while not suffering a specific harm, the potential for harm based on inaccurate data exists. Companies such as Facebook and Google are closely watching this case, given the potential of billions of dollars of liability for selling inaccurate information on their customers and other people.
Government

Indian Telecom Authority Releases a Million Email IDs, Taken Down By Hackers 21

Posted by samzenpus
from the naming-names dept.
knwny writes: In a bizarre move that threatens the privacy of over a million internet users in India, the Telecom Regulatory Authority of India (TRAI) has released the list of email IDs from which it received responses regarding net neutrality. Most of these responses were sent by the general public following a massively popular online campaign to protect Internet neutrality in India. The regulatory body says that it has received a large number of comments from the stakeholders on its Consultation paper on "Regulatory Framework for OTT services". So to aid the reading of comments, it has divided them into three blocks — "comments from the service providers," "comments from the service providers' association" and "comments from other stakeholders" (this includes individuals, organizations, consulting firms, etc.). In the meantime, the TRAI website remains inaccessible after a DDoS attack by Anonymous India, the hacker collective, apparently in retaliation for the data release.
Google

Google Executive Dan Fredinburg Among Victims of Everest Avalanche 164

Posted by samzenpus
from the rest-in-peace dept.
alphadogg writes: Dan Fredinburg, privacy director for the company's Google X team, and an engineer who worked on many of Google's most exciting projects during his 8 years with the company, died over the weekend in an avalanche on Mount Everest. The 33-year-old worked on projects such as Google Loon, the company's balloon-based Internet access effort and self-driving car. He also was involved in Google Street View Everest, leading expeditions to gather imagery of the Khumbu region around Mt. Everest. Fredinburg's career began in a much less glamorous fashion as a "dock rat" and as a farm hand in Arkansas.
United States

Declassified Report From 2009 Questions Effectiveness of NSA Spying 56

Posted by Soulskill
from the moving-at-the-speed-of-government dept.
schwit1 writes: With debate gearing up over the coming expiration of the Patriot Act surveillance law, the Obama administration on Saturday unveiled a 6-year-old report examining the once-secret program code-named Stellarwind, which collected information on Americans' calls and emails. The report was from the inspectors general of various intelligence and law enforcement agencies.

They found that while many senior intelligence officials believe the program filled a gap by increasing access to international communications, others including FBI agents, CIA analysts and managers "had difficulty evaluating the precise contribution of [the surveillance system] to counterterrorism efforts because it was most often viewed as one source among many available analytic and intelligence-gathering tools in these efforts."

"The report said that the secrecy surrounding the program made it less useful. Very few working-level C.I.A. analysts were told about it. ... Another part of the newly disclosed report provides an explanation for a change in F.B.I. rules during the Bush administration. Previously, F.B.I. agents had only two types of cases: 'preliminary' and 'full' investigations. But the Bush administration created a third, lower-level type called an 'assessment.' This development, it turns out, was a result of Stellarwind."
Businesses

Good: Companies Care About Data Privacy Bad: No Idea How To Protect It 77

Posted by samzenpus
from the we've-tried-everything-that-doesn't-cost-us-money dept.
Esther Schindler writes: Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they're ill-equipped to respond. What's different is not the perceived urgency of data privacy and other privacy/security matters. It's what companies are prepared (and funded) to do about it. For instance: "When it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training. However, even though smaller companies are equally concerned about the subject, that concern does not trickle down to the employees quite so effectively. Half of the midsize businesses offer no such training; just 39% of organizations with under 100 employees regularly train employees on data privacy."
Communications

New Privacy Concerns About US Program That Can Track Snail Mail 66

Posted by timothy
from the ask-not-what-your-country-can-do-to-you dept.
Lashdots writes: A lawyers' group has called for greater oversight of a government program that gives state and federal law enforcement officials access to metadata from private communications for criminal investigations and national security purposes. But it's not digital: this warrantless surveillance is conducted on regular mail. "The mail cover has been in use, in some form, since the 1800s," Chief Postal Inspector Guy J. Cottrell told Congress in November. The program targets a range of criminal activity including fraud, pornography, and terrorism, but, he said, "today, the most common use of this tool is related to investigations to rid the mail of illegal drugs and illegal drug proceeds." Recent revelations that the U.S. Postal Service photographs the front and back of all mail sent through the U.S., ostensibly for sorting purposes, have, Fast Company reports, brought new scrutiny—and new legal responses—to this obscure program.
United States

Except For Millennials, Most Americans Dislike Snowden 685

Posted by samzenpus
from the no-sir-I-don't-like-him dept.
HughPickens.com writes: Newsmax reports that according to KRC Research, about 64 percent of Americans familiar with Snowden hold a negative opinion of him. However, 56 percent of Americans between the ages of 18 and 34 have a positive opinion of Snowden, which contrasts sharply with older age cohorts. Among those aged 35-44, some 34 percent have positive attitudes toward him. For the 45-54 age cohort, the figure is 28 percent, and it drops to 26 percent among Americans over age 55, U.S. News reported. Americans overall say by plurality that Snowden has done "more to hurt" U.S. national security (43 percent) than help it (20 percent). A similar breakdown was seen with views on whether Snowden helped or hurt efforts to combat terrorism, though the numbers flip on whether his actions will lead to greater privacy protections. "The broad support for Edward Snowden among Millennials around the world should be a message to democratic countries that change is coming," says Anthony D. Romero, executive director of the American Civil Liberties Union. "They are a generation of digital natives who don't want government agencies tracking them online or collecting data about their phone calls." Opinions of millennials are particularly significant in light of January 2015 findings by the U.S. Census Bureau that they are projected to surpass the baby-boom generation as the United States' largest living generation this year.
United States

McConnell Introduces Bill To Extend NSA Surveillance 209

Posted by samzenpus
from the lets-see-what-you're-doing dept.
jriding sends word that the majority leader of the U.S. Senate has introduced a bill that would extend the surveillance provisions of the Patriot Act until 2020: Senate Majority Leader Mitch McConnell introduced a bill Tuesday night to extend through 2020 a controversial surveillance authority under the Patriot Act. The move comes as a bipartisan group of lawmakers in both chambers is preparing legislation to scale back the government's spying powers under Section 215 of the Patriot Act. It puts McConnell (R-Ky.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.), the bill’s co-sponsor, squarely on the side of advocates of the National Security Agency’s continued ability to collect millions of Americans’ phone records each day in the hunt for clues of terrorist activity.
Advertising

German Court Rules Adblock Plus Is Legal 279

Posted by Soulskill
from the non-crazy-software-judgments dept.
An anonymous reader writes: Following a four-month trial, a German court in Hamburg has ruled that the practice of blocking advertising is perfectly legitimate. Germany-based Eyeo, the company that owns Adblock Plus, has won a case against German publishers Zeit Online and Handelsblatt. These companies operate Zeit.de, Handelsblatt.com, and Wiwo.de. Their lawsuit, filed on December 3, charged that Adblock Plus should not be allowed to block ads on their websites. While the decision is undoubtedly a big win for users today, it could also set a precedent for future lawsuits against Adblock Plus and any other tool that offers similar functions. The German court has essentially declared that users are legally allowed to control what happens on their screens and on their computers while they browse the Web.
Privacy

UK Police Chief: Some Tech Companies Are 'Friendly To Terrorists' 230

Posted by Soulskill
from the arguments-that-are-getting-old dept.
An anonymous reader points out comments from Mark Rowley, the UK's national police lead for counter-terrorism, who thinks tech companies aren't doing enough to prevent terrorists from using their services. He said, "[The acceleration of technology] can be set up in a way which is friendly to terrorists and helps them ... and creates challenges for law enforcement and intelligence agencies. Or it can be set up in a way which doesn't do that." Rowley wouldn't name which companies in particular he's talking about, but he added, "Snowden has created an environment where some technology companies are less comfortable working with law enforcement and intelligence agencies and the bad guys are better informed. We all love the benefit of the internet and all the rest of it, but we need their support in making sure that they're doing everything possible to stop their technology being exploited by terrorists. I'm saying that needs to be front and center of their thinking and for some it is and some it isn't."
Privacy

Baltimore Police Used Stingrays For Phone Tracking Over 25,000 Times 81

Posted by Soulskill
from the i-don't-remember-that-episode-of-The-Wire dept.
An anonymous reader writes: The Baltimore Police Department is starting to come clean about its use of cell-phone signal interceptors — commonly known as Stingrays — and the numbers are alarming. According to recent court testimony reported by The Baltimore Sun, the city's police have used Stingray devices with a court order more than 25,000 times. It's a massive number, representing an average of nearly nine uses a day for eight years (the BPD acquired the technology in 2007), and it doesn't include any emergency uses of the device, which would have proceeded without a court order.
Privacy

The Upsides of a Surveillance Society 254

Posted by timothy
from the you-mean-it's-not-all-upside? dept.
theodp writes: Citing the comeuppance of ESPN reporter Britt McHenry, who was suspended from her job after her filmed ad-hominem attack on a person McHenry deemed to be beneath her in terms of appearance, education, wealth, class, and status went viral, The Atlantic's Megan Garber writes that one silver lining of the omnipresence of cameras is that the possibility of exposure can also encourage us to be a little kinder to each other. "Terrible behavior," Garber writes, "whether cruel or violent or something in between, has a greater possibility than it ever has before of being exposed. Just as Uber tracks ratings for both its drivers and its users, and just as Yelp can be a source of shaming for businesses and customers alike, technology at large has afforded a reciprocity between people who, in a previous era, would have occupied different places on the spectrum of power. Which can, again, be a bad thing — but which can also, in McHenry's case, be an extremely beneficial one. It's good that her behavior has been exposed. It's good that her story going viral might discourage similar behavior from other people. It's good that she has publicly promised 'to learn from this mistake.'"