Forgot your password?
typodupeerror

Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

Privacy

Uber's Android App Caught Reporting Data Back Without Permission 152

Posted by timothy
from the distinguish-from-government dept.
Zothecula writes Security researcher GironSec has pulled Uber's Android app apart and discovered that it's sending a huge amount of personal data back to base – including your call logs, what apps you've got installed, whether your phone is vulnerable to certain malware, whether your phone is rooted, and your SMS and MMS logs, which it explicitly doesn't have permission to do. It's the latest in a series of big-time missteps for a company whose core business model is, frankly, illegal in most of its markets as well.
Bitcoin

Bitcoin Is Not Anonymous After All 111

Posted by samzenpus
from the pulling-back-the-curtain dept.
Taco Cowboy points out a new study that shows it is possible to figure out the IP address of someone who pays for transactions anonymously online using bitcoins. "The Bitcoin system is not managed by a central authority, but relies on a peer-to-peer network on the Internet. Anyone can join the network as a user or provide computing capacity to process the transactions. In the network, the user's identity is hidden behind a cryptographic pseudonym, which can be changed as often as is wanted. Transactions are signed with this pseudonym and broadcast to the public network to verify their authenticity and attribute the Bitcoins to the new owner. In their new study, researchers at the Laboratory of Algorithmics, Cryptology and Security of the University of Luxembourg have shown that Bitcoin does not protect user's IP address and that it can be linked to the user's transactions in real-time. To find this out, a hacker would need only a few computers and about €1500 per month for server and traffic costs. Moreover, the popular anonymization network "Tor" can do little to guarantee Bitcoin user's anonymity, since it can be blocked easily."
United Kingdom

New Snowden Docs Show GCHQ Paid Telcos For Cable Taps 89

Posted by Soulskill
from the hands-in-the-cookie-jar dept.
Advocatus Diaboli sends word of a new release of documents made available by Edward Snowden. The documents show British intelligence agency GCHQ had a deep partnership with telecommunications company Cable & Wireless (acquired later by Vodafone). The company allowed GCHQ to tap submarine cables around the world, and was paid millions of British pounds as compensation. The relationship was so extensive that a GCHQ employee was assigned to work full time at Cable & Wireless (referred to by the code name “Gerontic” in NSA documents) to manage cable-tap projects in February of 2009. By July of 2009, Cable & Wireless provided access to 29 out of the 63 cables on the list, accounting for nearly 70 percent of the data capacity available to surveillance programs. ... As of July of 2009, relationships with three telecom companies provided access to 592 10-gigabit-per-second pipes on the cables collectively and 69 10-gbps “egress” pipes through which data could be pulled back. The July 2009 documents included a shopping list for additional cable access—GCHQ sought to more than triple its reach, upping access to 1,693 10-gigabit connections and increasing egress capacity to 390. The documents revealed a much shorter list of "cables we do not currently have good access [to]."
Social Networks

Revisiting Open Source Social Networking Alternatives 85

Posted by timothy
from the looking-for-entertainment dept.
reifman writes Upstart social networking startup Ello burst on the scene in September with promises of a utopian, post-Facebook platform that respected user's privacy. I was surprised to see so many public figures and media entities jump on board — mainly because of what Ello isn't. It isn't an open source, decentralized social networking technology. It's just another privately held, VC-funded silo. Remember Diaspora? In 2010, it raised $200,641 on Kickstarter to take on Facebook with "an open source personal web server to share all your stuff online." Two years later, they essentially gave up, leaving their code to the open source community to carry forward. In part one of "Revisiting Open Source Social Networking Alternatives," I revisit/review six open source social networking alternatives in search of a path forward beyond Facebook.
Communications

Slack Now Letting Employers Tap Workers' Private Chats 78

Posted by Soulskill
from the will-save-BOFH-the-trouble-of-keylogging-you dept.
itwbennett writes: Chat app maker Slack is hoping to make inroads in the enterprise with a new paid plan that will include an optional feature called Compliance Exports that will let administrators access their team's communications, encompassing public and private messages. The tool is far-reaching, potentially including the edit history for workers' messages as well as messages workers have marked for deletion, if the supervisor so desires.
United States

DHS Set To Destroy "Einstein" Surveillance Records 71

Posted by samzenpus
from the nothing-to-see-here dept.
schwit1 sends word that The Department of Homeland Security plans on disposing of all the records from a 3-year-long surveillance program without letting the public have access to them. The Department of Homeland Security is poised to ditch all records from a controversial network monitoring system called "Einstein" that are at least three years old, but not for security reasons. DHS reasons the files — which include data about traffic to government websites, agency network intrusions and general vulnerabilities — have no research significance. But some security experts say, to the contrary, DHS would be deleting a treasure chest of historical threat data. And privacy experts, who wish the metadata wasn't collected at all, say destroying it could eliminate evidence that the government wide surveillance system does not perform as intended. The National Archives and Records Administration has tentatively approved the disposal plan, pending a public comment period.
Privacy

Judge Unseals 500+ Stingray Records 162

Posted by Soulskill
from the going-for-the-high-score dept.
An anonymous reader sends this excerpt from Ars Technica: A judge in Charlotte, North Carolina, has unsealed a set of 529 court documents in hundreds of criminal cases detailing the use of a stingray, or cell-site simulator, by local police. This move, which took place earlier this week, marks a rare example of a court opening up a vast trove of applications made by police to a judge, who authorized each use of the powerful and potentially invasive device

According to the Charlotte Observer, the records seem to suggest that judges likely did not fully understand what they were authorizing. Law enforcement agencies nationwide have taken extraordinary steps to preserve stingray secrecy. As recently as this week, prosecutors in a Baltimore robbery case dropped key evidence that stemmed from stingray use rather than fully disclose how the device was used.
Privacy

Top NSA Official Raised Alarm About Metadata Program In 2009 110

Posted by Soulskill
from the should-have-listened dept.
An anonymous reader sends this report from the Associated Press: "Dissenters within the National Security Agency, led by a senior agency executive, warned in 2009 that the program to secretly collect American phone records wasn't providing enough intelligence to justify the backlash it would cause if revealed, current and former intelligence officials say.

The NSA took the concerns seriously, and many senior officials shared them. But after an internal debate that has not been previously reported, NSA leaders, White House officials and key lawmakers opted to continue the collection and storage of American calling records, a domestic surveillance program without parallel in the agency's recent history.
United States

Greenwald Advises Market-Based Solution To Mass Surveillance 157

Posted by samzenpus
from the you-get-what-you-demand dept.
Nicola Hahn writes In his latest Intercept piece Glenn Greenwald considers the recent defeat of the Senate's USA Freedom Act. He remarks that governments "don't walk around trying to figure out how to limit their own power." Instead of appealing to an allegedly irrelevant Congress Greenwald advocates utilizing the power of consumer demand to address the failings of cyber security. Specifically he argues that companies care about their bottom line and that the trend of customers refusing to tolerate insecure products will force companies to protect user privacy, implement encryption, etc. All told Greenwald's argument is very telling: that society can rely on corporate interests for protection. Is it true that representative government is a lost cause and that lawmakers would never knowingly yield authority? There are people who think that advising citizens to devolve into consumers is a dubious proposition.
Privacy

Amnesty International Releases Tool To Combat Government Spyware 94

Posted by timothy
from the doing-the-right-thing dept.
New submitter Gordon_Shure_DOT_com writes Human rights charity Amnesty International has released Detekt, a tool that finds and removes known government spyware programs. Describing the free software as the first of its kind, Amnesty commissioned the tool from prominent German computer security researcher and open source advocate Claudio Guarnieri, aka 'nex'. While acknowledging that the only sure way to prevent government surveillance of huge dragnets of individuals is legislation, Marek Marczynski of Amnesty nevertheless called the tool (downloadable here) a useful countermeasure versus spooks. According to the app's instructions, it operates similarly to popular malware or virus removal suites, though systems must be disconnected from the Internet prior to it scanning.
Communications

WhatsApp To Offer End-to-End Encryption 93

Posted by timothy
from the trend-worth-extending dept.
L-One-L-One (173461) writes In a surprise move, nine months after being bought by Facebook, WhatsApp has begun rolling out end-to-end encryption for its users. With true end-to-end encryption data becomes unaccessible to admins of WhatsApp or law enforcement authorities. This new feature first proposed on Android only has been developed in cooperation with Open Whisper Systems, based on TextSecure. With hundreds of million users, WhatsApp becomes by far the largest secure messaging application. FBI Director James Comey might not be pleased. Do you have a current favorite for encrypted online chat?
Republicans

Republicans Block Latest Attempt At Curbing NSA Power 441

Posted by Soulskill
from the and-everybody-will-have-forgotten-about-it-in-two-years dept.
Robotron23 writes: The latest attempt at NSA reform has been prevented from passage in the Senate by a margin of 58 to 42. Introduced as a means to stop the NSA collecting bulk phone and e-mail records on a daily basis, the USA Freedom Act has been considered a practical route to curtailment of perceived overreach by security services, 18 months since Edward Snowden went public. Opponents to the bill said it was needless, as Wall Street Journal raised the possibility of terrorists such as ISIS running amok on U.S. soil. Supporting the bill meanwhile were the technology giants Google and Microsoft. Prior to this vote, the bill had already been stripped of privacy protections in aid of gaining White House support. A provision to extend the controversial USA Patriot Act to 2017 was also appended by the House of Representatives.
Privacy

NYT: Privacy Concerns For ClassDojo, Other Tracking Apps For Schoolchildren 66

Posted by Soulskill
from the won't-somebody-other-than-advertisers-think-of-the-children dept.
theodp writes: The NY Times' Natasha Singer files a report on popular and controversial behavior tracking app ClassDojo, which teachers use to keep a running tally of each student's score, award virtual badges for obedience, and to communicate with parents about their child's progress. "I like it because you get rewarded for your good behavior — like a dog does when it gets a treat," was one third grader's testimonial. Some parents, teachers and privacy law scholars say ClassDojo (investors) — along with other unproven technologies that record sensitive information about students — is being adopted without sufficiently considering the ramifications for data privacy and fairness. "ClassDojo," writes Singer, "does not seek explicit parental consent for teachers to log detailed information about a child's conduct. Although the app's terms of service state that teachers who sign up guarantee that their schools have authorized them to do so, many teachers can download ClassDojo, and other free apps, without vetting by school supervisors. Neither the New York City nor Los Angeles school districts, for example, keep track of teachers independently using apps."

A high school teacher interviewed for the article confessed to having not read ClassDojo's policies on handling student data, saying: "I'm one of those people who, when the terms of service are 18 pages, I just click agree." And, if all this doesn't make you parents just a tad nervous, check out this response to the "Has anyone ran a data analysis on their CD data?" question posed to the Class Dojo Community: "I needed to analyze data in regards to a student being placed on ADHD medicine to see whether or not he made any improvements. I have also used it to determine any behavioral changes depending on if a student was with mom/dad for a custody review. I use dojo consistently, so I LOVE getting to use the data to evaluate and share with parents, or even administrators."
Privacy

Tor Eyes Crowdfunding Campaign To Upgrade Its Hidden Services 106

Posted by samzenpus
from the price-of-privacy dept.
apexcp writes The web's biggest anonymity network is considering a crowdfunding campaign to overhaul its hidden services. From the article: "In the last 15 months, several of the biggest anonymous websites on the Tor network have been identified and seized by police. In most cases, no one is quite sure how it happened. The details of such a campaign have yet to be revealed. With enough funding, Tor could have developers focusing their work entirely on hidden services, a change in developer priorities that many Tor users have been hoping for in recent years."
Networking

Can the US Actually Cultivate Local Competition in Broadband? 135

Posted by timothy
from the but-what-we-really-want-is-more-rules dept.
New submitter riskkeyesq writes with a link to a blog post from Dane Jasper, CEO of Sonic.net, about what Jasper sees as the deepest problem in the U.S. broadband market and the Internet in general: "There are a number of threats to the Internet as a system for innovation, commerce and education today. They include net neutrality, the price of Internet access in America, performance, rural availability and privacy. But none of these are the root issue, they're just symptoms. The root cause of all of these symptoms is a disease: a lack of competition for consumer Internet access." Soft landings for former legislators, lobbyists disguised as regulators, hundreds of thousands of miles of fiber sitting unused, the sham that is the internet provider free market is keeping the US in a telecommunications third-world. What, exactly, can American citizens do about it? One upshot, in Jasper's opinion (hardly disinterested, is his role at CEO at an ISP that draws praise from the EFF for its privacy policies) is this: "Today’s FCC should return to the roots of the Telecom Act, and reinforce the unbundling requirements, assuring that they are again technology neutral. This will create an investment ladder to facilities for competitive carriers, opening access to build out and serve areas that are beyond our reach today."
Google

For Some Would-Be Google Glass Buyers and Devs, Delays May Mean Giving Up 154

Posted by timothy
from the you're-going-to-like-the-clip-on-tie-version dept.
ErnieKey writes with a Reuters story that says Google's Glass, not yet out for general purchase, has been wearing on the patience of both developers and would-be customers: "After an initial burst of enthusiasm, signs that consumers are giving up on Glass have been building.' Is it true that Google Goggles are simply not attractive to wear? Or perhaps it's the invasion of privacy that is deterring people from wearing them. Regardless, Google needs to change something quickly before they lose all their potential customers. From the article: Of 16 Glass app makers contacted, nine said that they had stopped work on their projects or abandoned them, mostly because of the lack of customers or limitations of the device. Three more have switched to developing for business, leaving behind consumer projects. Plenty of larger developers remain with Glass. The nearly 100 apps on the official website include Facebook and OpenTable, although one major player recently defected: Twitter. "If there was 200 million Google Glasses sold, it would be a different perspective. There's no market at this point," said Tom Frencel, the chief executive of Little Guy Games, which put development of a Glass game on hold this year and is looking at other platforms, including the Facebook-owned virtual-reality goggles Oculus Rift. Several key Google employees instrumental to developing Glass have left the company in the last six months, including lead developer Babak Parviz, electrical engineering chief Adrian Wong, and Ossama Alami, director of developer relations.
AT&T

AT&T Stops Using 'Super Cookies' To Track Cellphone Data 60

Posted by timothy
from the turns-out-people-hate-that dept.
jriding (1076733) writes AT&T Mobility, the nation's second-largest cellular provider, says it's no longer attaching hidden Internet tracking codes to data transmitted from its users' smartphones. The practice made it nearly impossible to shield its subscribers' identities online. Would be nice to hear something similar from Verizon.
Communications

81% of Tor Users Can Be De-anonymized By Analysing Router Information 136

Posted by timothy
from the keep-him-on-the-line dept.
An anonymous reader writes A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'Netflow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by Netflow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non- global adversary could use traffic analysis methods [] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'
Privacy

Carmakers Promise Not To Abuse Drivers' Privacy 98

Posted by timothy
from the how-far-can-you-throw-this-vehicle? dept.
schwit1 provides this excerpt from an Associated Press report: "Nineteen automakers accounting for most of the passenger cars and trucks sold in the U.S. have signed onto a set of principles they say will protect motorists' privacy in an era when computerized cars pass along more information about their drivers than many motorists realize. The principles were delivered in a letter Wednesday to the Federal Trade Commission, which has the authority to force corporations to live up to their promises to consumers. Industry officials say they want to assure their customers that the information that their cars stream back to automakers or that is downloaded from the vehicle's computers won't be handed over to authorities without a court order, sold to insurance companies or used to bombard them with ads for pizza parlors, gas stations or other businesses they drive past, without their permission. The principles also commit automakers to 'implement reasonable measures' to protect personal information from unauthorized access." Also at the Detroit News. Adds schwit1: "It's a meaningless gesture without being codified into law. A greedy car manufacturer or NSL trumps any 'set of principles'." The letter itself (PDF) isn't riveting, but it's more readable than some such documents, and all the promises it makes are a good reminder of just how much data modern cars can collect, and all the ways that it can be passed on.
United States

Senate May Vote On NSA Reform As Soon As Next Week 127

Posted by samzenpus
from the stop-looking-at-me dept.
apexcp writes Senate Majority Leader (for now) Harry Reid announced he will be taking the USA FREEDOM Act to a floor vote in the Senate as early as next week. While the bill, if passed, would be the first significant legislative reform of the NSA since 9/11, many of the act's initial supporters have since disavowed it, claiming that changes to its language mean it won't do enough to curb the abuses of the American surveillance state

That does not compute.

Working...