Archive for the ·

Privacy

· Category...

Privacy – A great opertunity for Free software, and funny news

Comments Off

It has been an entertaining week in the privacy and security headlines. Since the NSA stories broke last week, protecting ourselves from state surveillance suddenly became mainstream. We’ll see if that lasts, but at the very least the topic is on the table now. Security and privacy is no longer the domain of conspiracy theorist, but one of many points in a cost/benefit analysis of which service or software to use.

Perhaps the best to come out of this story is the raised awareness of alternative software and services which put users Freedoms first. A critical part of that is Free software, which allows users to inspect the software which run on their device and control who is given access to what. Taking that to the Internet, there are many solutions which give users greater control, security and privacy than do central providers.

The site prism-break.org has been set up to list some of these alternatives. However, it seems it has become so popular, that it often fails to load. Other privacy centric services has also seen significant user increase, like the search engine DuckDuckGo, which promises not to track user’s search queries.

Other headlines have been more on the funny or cute side: As expected, somebody called for impeachment of Obama (at least he didn’t smoke cigars). Then there was the Mozilla letter which asks congress to “stop watching us”. It is of course a valid request, but it might have been taken a bit more seriously if it wasn’t for the teenage troll-board 4chan listing as its first signer (due to alphabetically listing the organizations, and numbers listing before letters). Finally, there’s the hero at the centre, a 29-year old with the cool name Snowden. He was the NSA contractor who revealed the awfully designed PowerPoint presentations, and has now fled to Hong Kong. As somebody pointed out: Never had I believed I would live to see that day when an American citizen would seek political asylum in China.

Comments Off

NSA surveillance – business as usual

1 comment

This week saw two interesting, and supposedly shocking, stories about the scale of the US government’s Internet surveillance. Starting Thursday with the news that the phone operator Verizon had been ordered to hand over all meta-data on its customers’ communications to the NSA. The following day, a different program was revealed, leaked by the means of a terribly amateurishly looking PowerPoint slide deck, which showed that the NSA had direct access to all customer data and content from all the major Internet service providers, including Google, Facebook, Microsoft, and more.

The reaction to the first story is interesting in that it involves only meta-data. The same type of data collection was enacted in law by the EU in the 2006 Data Retention Directive. This directive was no secret at the time, and the scrimmage in individual member countries which started to implement it a few years back was mostly around who would pay for it; the Internet and phone providers or the government. At any rate, by now any EU citizen should expect this kind of system to be in place. It is therefore somewhat ironic when the US press pretends that there are stronger privacy protections in place on their side. The last decade has for the most shown the opposite to be true.

The second story, around the full content access, should be no big surprise either. A similar story broke seven years ago, although it was and still is considered “warrantless”. Another example from the post-911 area is the Information Awareness Office, which despite heavy criticisms in 2002, still lives on. And even before that, it has always been speculated that the US government, through CIA, NSA, FBI or other TLAs, was listening in on phone and Internet communication. Take for example the ECHELON project, which probably has been around since the cold war area. It was investigated by a committee of the European Parliament, which amongst other things concluded: “the existence of a global system for intercepting communications, operating by means of cooperation proportionate to their capabilities among the USA, the UK, Canada, Australia and New Zealand under the UKUSA Agreement, is no longer in doubt”.

So why the outrage just now? We don’t have to look further than The Guardian’s summary: “Obama defends secret NSA surveillance programs – Insists surveillance is essential for national security.” In that light, it no longer seems like a coincidence that two completely separate NSA programs were leaked on two consecutive days. As a political cheap shot, it seems to have worked very well. What’s more, Obama took the bait, and swallowed it hook, line and sinker.

So even though these stories are akin to declaring water wet, from a privacy and security point of view, it is useful that more people are made aware of and start to ponder the risks of the information systems we surround ourselves with. We just have to make sure that the outrage is directed towards the right institutions, and that any change is implemented where users need it. Voting, joining a political party, and working for change within that system is definitely a noble goal, however, it will unfortunately not protect your data any time soon. Asking the various ISP and service providers to improve their security, encrypt our data, and not hand it over to the government is also appropriate. It’s just that they are required by law to hand over data, so we cannot trust that to not happen.

The only way to make sure your own data is secure from government hands, and be aware of any requests that might be made against it, is to store it yourself. If you are storing something they are after, that will of course not stop them from knocking on your door, but at the very least you will know.

The right response to these stories is not blind rage, resignation, or declaring defeat. Rather it should be to decentralize: Avoid large scale, single point of failure, services. Build and maintain your own systems, based on free and open source software, so you can be confident that no warrantless access is granted. Make sure data is encrypted, communication is encrypted and signed, and nothing flies in plain-text over the Internet. If you are dealing with sensitive information, maybe as a lawyer, as a doctor, or a secret business deal, anything else is simply incompetent, or possibly gross neglect.

USB Smart Card Reader

Comments Off

Just got another shipment from Deal Extreme. This time a USB Smart Card Reader. It’s for reading my soon to arrive Free Software Foundation Europe fellowship card. However, all I had to try out with so far were old redundant bank cards. And that seemed to work without problems.

The reader came with a cute mini-CD with Linux drivers, but they were not required to get it running. Following the page at FSFE, the reader was up in minutes. Confirm that these two are installed; in my case they were:

yum install libusb pcsc-lite

Add the udev rules and group as indicated by the FSF howto, and restart X if necessary.

I also installed yum installed pcsc-tools, and could detect cards by running

pscs_scan

Comments Off

The Right to Read

Comments Off

There is something depressing and chilling when the most dystopian prophecies come true. Especially, when those dystopian prophecies are written by Richard Stallman, who has spent the better part of his life trying to tell the world it’s going in the wrong direction. Yet, his writing is spot on, only 15 years before its time.

Last week, Joseph Henry Vogel was granted a US patent that aims to prevent students from sharing textbooks or copying pages. Of course all in the name of protecting the authors and publishers. It almost seems as if Vogel got the idea from Stallman’s 1997 essay, The Right to Read. He just didn’t understand that this was a cautionary tale. The patent itself is actually an interesting read, and touches on problems like universities and professors which “facilitate piracy by placing texts in the library reserve where they can be photocopied”. To avoid the loss of revenue from this, students will have to pay for access to a discussion forum, and participation here is part of the final grade. I believe Stallman could claim prior art here, and invalidate the patent. That would of course not help much, as the greed does not go away.

However, maybe not everything is lost. In Stallman’s story, the young has been indoctrinated to believe that “sharing books was nasty and wrong – something that only pirates would do“. At least the comment threads from Reddit and Torrent Freak show that somebody cares and calls out the emperor’s new clothes.

On a side note, the class identifiers for the patent gives further interesting patents. 705/51 – Usage protection of distributed data files, and the sub-class 705/57 – Copy protection or prevention. Some people just want to watch the world burn.

Comments Off

Cell phone privacy guide for Android

1 comment

The Pirate Party of Canada has a nice list of applications and add-ons for Android phones which enhance security and privacy. It boils down to

Anonymous, Decentralized and Uncensored File-Sharing

Comments Off

The file-sharing landscape is slowly adjusting in response to the continued push for more anti-piracy tools, the final Pirate Bay verdict, and the raids and arrests in the Megaupload case“, starts a recent TorrentFreak article. It goes on to introduce Tribler, and RetroShare, which “[creates] a private space on the Internet. A social collaboration network where you can share anything you want. A space that is free from the prying eyes of governments, corporations and advertisers. This is vitally important as our freedom on the Internet is under increasing threat. RetroShare is free from censorship: like Facebook banning ‘obscene’ breast-feeding photographs. A network that allows you to use any pseudonym, without insisting on knowing your real name. A network where you will not face the threat of jail, or being banned from entry into a country for an innocent tweet“.

For RetroShare, there are pre-compiled installs for several OSes and GNU/Linux distributions, however not for Fedora. So I downloaded the source, and tried to compile with a bit of help from this page. First, some dependencies:

yum install qt-devel gpgme-devel libgpg-error-devel libupnp-devel libssl-devel libgnome-keyring-devel openssl-devel glib2-devel libXScrnSaver-devel

It turns out there is an old, widly published bug in the glib-2.0 include path dependencies. To work around it, edit the file libretroshare/src/libretroshare.pro, find these lines, and add the third line, marked in blue:

# These two lines fixe compilation on ubuntu natty. Probably a ubuntu packaging error.
INCLUDEPATH *= /usr/lib/x86_64-linux-gnu/glib-2.0/include/
INCLUDEPATH *= /usr/lib/i386-linux-gnu/glib-2.0/include/
INCLUDEPATH *= /usr/lib64/glib-2.0/include

Furthermore, there are a couple of missing library dependencies:

Edit retroshare-gui/src/RetroShare.pro, find the “## Linux ##” section, and add the last three libraries marked in blue:

LIBS += ../../libretroshare/src/lib/libretroshare.a
LIBS += -lssl -lgpgme -lupnp -lixml -lXss -lgnome-keyring -lcrypto -ldl -lX11

Then the make steps should work fine:

cd libbitdht/src
qmake-qt4 && make
cd libretroshare/src
qmake-qt4 && make
cd retroshare-gui/src
qmake-qt4 && make

And to start up:
retroshare-gui/src/RetroShare

Comments Off

DRM on harddisk and flash sticks

Comments Off

CNet is covering a press release from Western Digital which announced a new consortium called Secure Content Storage Association (SCSA) to create standards for transferring restricted / locked contented between storage and playback devices. From those two articles, it’s difficult to say what details might be, but the UltraViolet (UV) keyword gives a clue:

“UltraViolet (UV) is a digital rights authentication and cloud-based licensing system that allows consumers [...] to stream and download purchased content to multiple platforms and devices.

UltraViolet content is downloaded (or streamed) in the Common File Format, using the Common Encryption (CENC) system.

However, currently it seems UV is all cloud and streaming based, with no option to transfer locked contented off-line. Enter Western Digital. Presumably, they will provide special hard-drives which can store and restrict the content, and only allow read and copy operations under certain conditions. Possibly using TPM or similar technology, but embedded in the drive itself.

Further down in the Wikipedia article, this bit is interesting, and again, the storage aspect is the noticable missing piece:

“UltraViolet selected five DRM technologies allowing restrictions management on a broad range of devices: televisions, set-top-boxes, DVD & Blu-ray players, games consoles, PC, tablets and smartphones. The selected DRM technologies are:

  • Google Widevine DRM, chosen for its strong position on set-top boxes
  • Marlin DRM, chosen for its compatibility with many Connected TVs
  • OMA CMLA-OMA v2, chosen for its strong position on mobile devices
  • Microsoft PlayReady, chosen for its wide availability on PC and CE devices
  • Adobe Flash Access 2.0, chosen for its wide availability on PC”

It’s also interesting to see the rest of the list of companies supporting this, in the Digital Entertainment Content Ecosystem (DECE LLC) is a consortium. Nothing too surprising there, I guess, except for Tesco. (What will happen if your veggies are digitally restricted?)

Comments Off

Low end hosting

Comments Off

I recently found this great overview of cheap and simple hosting and Virtual Hosting solutions: lowendbox.com. It includes many providers of cheap hosting solutions for private and small business use.

If you are able to manage your own server, e-mail and web site, there are many reasons you should take matters in your own hands. For the most basic use case, family e-mail and a small web site, it does not have to be expensive or take much time. Including your own domain, you should end up under 200 Euros / year.

For only e-mail, or only web hosting, you might get by on the smallest of boxes offered, which is usually 128 MB of RAM. However, if you need both on the same machine, 256 MB is rather tight. For disk, somewhere between 10 and 20 GB should be sufficient. And the traffic / month limits are usually more than enough, often as high as 100 GB / month or more. CPU is usually never a limiting factor for a basic setup.

So register a domain, rent some space, and become an Internet householder and landowner.

Comments Off

Pirate Party Enters Berlin Parliament

Comments Off

From TorrentFreak:

“For the first time in history a Pirate Party has managed to enter a state parliament. With an estimated 9 percent of the total vote the Pirate Party exceeded the 5% floor needed to enter the Berlin parliament with several seats. For the international Pirate Party movement this is the second major success after the European elections of 2009.

piratenThe German Pirate Party has scored a massive win in the elections for the Berlin state parliament today. Two hours after the voting booths closed the first results show the Pirates achieving 9 percent of the counted votes. This translates into 15 parliament seats.”

Comments Off

WordPress for Android – Privacy Edition

Comments Off

I like WordPress, and I like Android. However, I do not like the attitudes some of their developers have towards privacy. It seems to be “everything goes, as long as it benefits us”. In particular, the phone-home, and remote kill features, which many developers feel entitled to include, rub me the wrong way. Sorry, but it doesn’t fly on my device. I like your application, and want it to do its job well. Nothing more, nothing less.

Luckily, the WordPress for Android app is open sourced under GPL. It means I have right to access the source code, modify it, and distribute the modified version as long as I also reveal my code changes. So I did just that, fixing a few issues in the latest version (1.3.8) of WordPress for Android. The changes include:

  • Removing the location based permissions (fine and course grained).
  • Removing phone-home features to wordpress.com by which they collect a lot of identifying information, including the unique device ID.
  • Removing the EULA. The GPL is not an EULA! (More on that in a later post).

The patch is available here, and the APK installer binary built to the Android 2.2 platform (API level 8). However, I would encourage you to download and build the source code yourself. To do that, follow these steps:

  1. Download the source code for WordPress for Android:
    svn checkout http://android.svn.wordpress.org/trunk
  2. Download and apply the patch:
    cd trunk
    wget http://hblok.net/blog_resources/wordpress_android/wordpress_android_1_3_8_p_1_privacy.patch
    patch -p0 -i wordpress_android_1_3_8_p_1_privacy.patch
  3. Build the application in Eclipse. If you have not installed the Android SDK for Eclipse, here is the starting point of the download and install instructions.
  4. Search through the code and look for further privacy violations.
Comments Off

…and on a related note…

Comments Off

The sign reads:

Municipality of Barcelona
Vigilance Zone
in a 500m radius
George Orwell Square

Comments Off

“I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy by Daniel Solove

Comments Off

Abstract:
In this short essay, written for a symposium in the San Diego Law Review, Professor Daniel Solove examines the “nothing to hide” argument. When asked about government surveillance and data mining, many people respond by declaring: “I’ve got nothing to hide.” According to the “nothing to hide” argument, there is no threat to privacy unless the government uncovers unlawful activity, in which case a person has no legitimate justification to claim that it remain private. The “nothing to hide” argument and its variants are quite prevalent, and thus are worth addressing. In this essay, Solove critiques the “nothing to hide” argument and exposes its faulty underpinnings.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565#PaperDownload

Comments Off

Schneier: Who Owns Your Computer?

Comments Off

“It recently came out that the firewall in Microsoft Vista will ship with half its protections turned off. Microsoft claims that large enterprise users demanded this default configuration, but that makes no sense. It’s far more likely that Microsoft just doesn’t want adware — and DRM spyware — blocked by default.”
(…)
“You can fight back against this trend by only using software that respects your boundaries. Boycott companies that don’t honestly serve their customers, that don’t disclose their alliances, that treat users like marketing assets. Use open-source software — software created and owned by users, with no hidden agendas, no secret alliances and no back-room marketing deals.

Just because computers were a liberating force in the past doesn’t mean they will be in the future. There is enormous political and economic power behind the idea that you shouldn’t truly own your computer or your software, despite having paid for it.”

by Bruce Schneier

http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/866

Comments Off

Thought crime in London

3 comments

From David Mery’s accounts in The Gaurdian:

7.10 pm: From my workplace in Southwark, south London, I arrange by text message to meet my girlfriend (…)

7.21 pm: I enter Southwark tube station, passing uniformed police by the entrance, and more police beyond the gate. (…)

· they found my behaviour suspicious from direct observation and then from watching me on the CCTV system;
· I went into the station without looking at the police officers at the entrance or by the gates;
· two other men entered the station at about the same time as me;
· I am wearing a jacket “too warm for the season”;
· I am carrying a bulky rucksack, and kept my rucksack with me at all times;
· I looked at people coming on the platform;
· I played with my phone and then took a paper from inside my jacket.

8.53pm: Arrested for suspicious behaviour and public nuisance, (…)

10:06pm: I am allowed a call to my girlfriend. She is crying (…)

10:30pm: I am put into an individual police cell. (…)

12:25-1:26 am: Three uniformed police officers search my flat and interview my girlfriend. (…)

On August 31 I arrive at the police station at 9 am as required by bail, with my solicitor. A plainclothes police officer tells us they are dropping the charges, and briefly apologises.

So even though the police consider me innocent there will remain some mention (what exactly?) in the PNC and, if they fully share their information with Interpol, in other police databases around the world as well. Isn’t a state that keeps files on innocent persons a police state?