Friday, January 09, 2009

Crazy little thing called Privacy (1)

Privacy is such a crazy little thing. We love it, we ache for it at times, yet we throw it away like garbage every day on the internet.

To most people it has become clear that the internet isn't a sunny day at the beach without worries. In the past year we've all read the stories about identity theft, about complete identities with credit cards to go with them being for sale for a few bucks in Russia, and what have you.

Most of these stories we quickly forget and the ones that cling to us are the tales about children getting framed and abused through chatrooms. Mostly the discussion afterwards centers on how we need to teach our kids to be careful on the internet, which is fine, but not good enough.

I posed the following thought on LinkedIn a few months back to ponder this idea:

"The failure of maintaining a shred of privacy is not the carelessness of the internet-generation. Primarily it is the ignorance of pre-internet generations failing to guide teenagers growing up with the net and secondly a flaw in the design of the internet"

It led to a number of interesting reactions:

Interesting concept. The internet, like any consumable product, should come with a warning label "caveat emptor", but it doesn't. The pre-internet generation (the bulk of my end user community) don't generally comprehend the basics of internet use much less the imminent security concerns with using this public domain. They can't teach their children what they don't know but I do have to believe that any generation would choose to protect their offspring to the best of their ability. Going forward from here, the watchful eye of a parent certainly should be on minors using the internet and there are enough support and information tools out there to guide the less internet savvy.

Secondly, to comment on a flawed design of the internet - I have to revert back to the original intent of the internet being to provide a highly secure network for Government and use only. In designing that infrastructure it would be unreasonable to have thought that the internet would become so readily available. Clearly, the internet was never planned to grow as it has (as noted with the consumption of IP addresses leading to the IPv6 addressing plans). Perhaps flawed may not be the right word - outgrown may be better.

Liz Dowie Manager - Information Management Systems

In summary, the majority of organisations have been aware of the privacy issue for years but have taken the hard-nosed decision that it is not a priority. Even in states where there is a formal system of laws and regulations requiring adequate security, such regulations are routinely ignored and data security is compromised. I fear there is no likely change in this reality in the foreseeable future.

David Marshal Legal Consultant

The reduction in privacy in today's world (and not just on the internet) is happening because...

  • most people have no realistic idea of the degree to which it is happening and only the faintest grasp (if any!) of the technologies that make this possible.
  • in the past privacy of information was often the "default" state simply because it was too hard to do otherwise (compare and contrast the problem of opening, reading, re-sealing and forwarding millions of letters with the ease of storing and data mining hundreds of millions of e-mails)
  • too many people believe in the fallacious "if you have nothing to hide, you have nothing to fear" argument

It's not a design flaw in the internet. Technologies exist to protect much about you when surfing (Tor Project, cookie management software etc.) and strong encryption for e-mail has been around for ever - just that hardly anyone bothers to use it.

Teaching children to act prudently on the internet is simply an extension of decent parenting into the modern world. And, as another has observed, the "risks" they face because of the internet are often as nothing compared with other risks they face and, I believe, often grossly exaggerated.

David Dingley IT Consultant

If communication passes from one place to another, and some part of that communication is neither protected (e.g. via encryption) nor destroyed (e.g. stored in a log), the privacy of the communicators is dependent only on the ethical integrity of both ends. When one end is a company, privacy depends on the integrity of every current and former employee at that company who has/had access to the data.

Since the Internet was not designed to hide the source or recipient of a network packet (i.e. via TCP/IP), this information is very difficult to obscure without a long series of trusted network proxies.

Sadly, most products - Internet or otherwise - that involve some level of communication are not designed with the privacy of the communicators in mind. This is true of everything from messages sent between national leaders in the ancient world to the original telegraph to the modern Internet. After all, communication is pointless if you don't know who you're communicating with.

As for teenagers on the web, most modern "social" websites encourage listing of personal information. After all, I can't "friend" you on MySpace or Facebook unless I know your real name, or at least your email address. Teenagers are usually aware that there will be some loss of privacy upon signing up for these services, but either accept the risk or do not recognize it exists. To their credit, these services do a decent job protecting those who do not want to be found. Hiding somebody who wants to be found, while still allowing them to be found by those who legitimately should find them is a difficult problem.

The use of aliases, which ensures some level of privacy via Instant Messenger, represents a severe hindrance to any real social networking. This would be analogous to you and all of your adult friends going to a bar, wearing black hooded robes and voice manipulators, and then referring to yourself only by ever-changing code names.

Devin Rosenbauer Software Engineer

There is privacy on the Internet depending on the choices you make. In most cases an online transaction, be that purchasing something online, joining a social network or sending emails, has privacy as an element of that transaction. In order to buy those goods you surrender your privacy surrounding your personal details to receive those goods, you also probably use a credit card which means that your transactions are noted by your credit card issuer and finally sites may keep track of your activity to suggest recommended goods on your next visit.

This is no different from the physical world where you purchase items by credit card and perhaps use a loyalty card in the store. Joining a social network, e.g. Linkedin, also has its privacy transaction costs. You want the benefits of a social network then you need to surrender your personal details to become part of that network. In real life you join social clubs, meet friends in public places where you also trade part of your privacy to take part in the group.

Some will argue that government monitoring of Internet usage etc. is a breach of privacy, e.g. EU Data Retention Directive and that your ISP knows all your activity from their system logs, e.g. the recent Phorm controversy in the UK.

This is true but you can still take measures to protect your privacy online using various techniques such as anonymous proxies, never using your real name online, never purchasing items online and not joining any social networks or forums. You can control your privacy on the web, the question needs to be asked, at what cost?

Brian Honan CERT Team head

(All respondents agreed to be named in this article)

As I realize this piece is getting longer than anyone wants to read on the internet I'll go into these responses in follow up posts. I also would like to dig into the phenomenon of lifebloggers like iJustine who have a near 24/7 internet presence and what impact that has on privacy.

Meanwhile, I'd like to invite you to comment and add your thoughts on Privacy on the internet.


Friday, January 02, 2009

How to crack online banking

It's time to check your bank if you are banking online. With a bit of bad luck, it isn't safe anymore. Last week I ran into an article in the Dutch tech magazine Emerce about a security breach in SSL.

SSL Certificate Security Breach

To most people, SSL sounds like a privacy guarantee on the web. Sites like webshops and banks have a secure connection to the internet and have an SSL certificate issued by a CA (Certification Authority) like Verisign or DigiNotar. However, a team of researchers from the Dutch University of Eindhoven, the CWI (Center of Mathematics and Computer Science), EPFL in Switzerland and independent researchers from California have discovered how to crack the code. They discovered

...that one of the standard cryptographic algorithms, which is used to check digital certificates, is subject to abuse. The algorithm in question is the MD5 algorithm. Malicious persons may create a file with a digital signature which is trusted by all major web browsers. The researchers did this using advanced mathematics and a cluster of more than two hundred game computers.

and

The researchers discovered the security breach which, in combination with the known KAMINSKY vulnerability in the Domain Name System (DNS), can make it difficult to detect phishing attacks.

Crunching Fortis all the way.

In short, if your bank uses an MD5-based SSL certificate, your privacy may be compromised. A quick survey of the methods used by Dutch banks shows that most of them already use the SHA algorithms. One of the few exceptions is the troubled Fortis Bank. Fortis has been going through a lot of bad weather ever since they acquired (part of) the ABN Amro bank. They were the first Dutch bank to get in trouble due to the credit crunch, and the Dutch and Belgian parts have been separated, the Dutch part being taken over by the Dutch Government. They also had to settle for nearly a billion dollars in the Dutch mortgage scandal and also lost about a billion in the Madoff fraud.

MD5 and SHA algorithms

To most of the digitally educated it has been clear for some time that MD5 hashing, in passwords for instance, isn't best practice on the web anymore, and they have moved over to the more secure SHA-2 and the upcoming SHA-3 hash algorithms.

  • Read the original Emerce article in Dutch here.
  • Read the Google translation here.


Tuesday, December 16, 2008

Experts on The Future of the Internet (1)

Timing is everything, but I see I get fed interesting news at wrong times all the time. Just as I was about to hit the sack early, @malburns put up another interesting link on twitter on a recently published report by the Pew Research Center.

A survey of internet leaders, activists and analysts shows they expect major technology advances as the phone becomes a primary device for online access, voice-recognition improves, artificial and virtual reality become more embedded in everyday life, and the architecture of the internet itself improves. They disagree about whether this will lead to more social tolerance, more forgiving human relations, or better home lives.

Here are the key findings in a new report based on the survey of experts by the Pew Internet & American Life Project that asked respondents to assess predictions about technology and its roles in the year 2020.

The overview and report is filled with captains of industry in the internet market, and I do believe they put up a likely scenario, but it's the wrong scenario. To be blunt, it's crap.

Why is it a likely scenario?

It is a likely scenario as most of the experts questioned are making a ton of money from the way the internet works right now. They have everything to gain in keeping the way things are. Just slight improvements, no big changes.

Why is it a wrong scenario?

Let's have a look at a few remarks from the report. I hope I'll find the time somewhere to get into these in detail later.

"You cannot stop a tide with a spoon. Cracking technology will always be several steps ahead of DRM and content will be redistributed on anonymous networks."

- Giulio Prisco, chief executive of Metafuturing Second Life, formerly of CERN

Cracking technology will always be several steps ahead of DRM as long as record labels sell content at rip-off prices. Consumers, music lovers and fans will very likely be willing to pay reasonable prices for works of art, directly to the artists. As long as record companies take in the mother lode and throw a few pennies to the artists, no wonder we'll see piracy till the end of days. Music and other IP-protected material will likely be distributed at fair prices through social networks in 2020.

"Viciousness will prevail over civility, fraternity, and tolerance as a general rule, despite the build-up of pockets or groups ruled by these virtues. Software will be unable to stop deeper and more hard-hitting intrusions into intimacy and privacy, and these will continue to happen."

- Alejandro Pisanty, ICANN and Internet Society leader and director of computer services at Universidad Nacional Autonoma de Mexico.

This is so true when you make money off the current internet architecture. ICANN stands for The Internet Corporation for Assigned Names and Numbers and is the organisation responsible for domain name registrations, a business worth 25 Billion dollars a year. Surely you won't give away your source of income if it would benefit the world and the safety of your children?

The group of experts is sure the internet will not be redesigned. They have a laissez-faire mentality towards the architectural faults of the internet when it comes to privacy and protecting our children from evil, as it is a multi-billion dollar industry that fills their own pockets. Alternatives are readily available, for instance the Handle architecture, originally designed by Dr. Robert (Bob) Kahn, who invented the TCP protocol and worked out the IP protocol along with Vint Cerf and, in creating the TCP/IP protocol, laid the foundation for the current internet.

Almost every answer given in the Pew Research Report on the Future of the Internet III (and I must admit I skimmed the report due to the late hour) is the obvious answer. Obvious from the line of work the respondents are in, but failing to take a few things into consideration.

The most important oversight is that the outcome of the report is an extrapolation of current trends without paying attention to the equivalently growing deficits. Yes sure, it's easy to predict that the web will get more and more mobile, it is a trend that has already started. However, take into account that more and more we hear about Identity Theft and abuse of personal data. Take into consideration another trend: Governments and Social Networking platforms alike are tying together more and more databases, and more of our real and digital identities will be up for grabs. Take into consideration the safety of your children from perverted souls, and it all screams for a redesign, a place which is focussed and built upon protection of your personal data. This is the plug in the ocean that needs to be pulled.

As said, it's getting late and I hope I'll find time to explore this report some more. Take care and take heed ;)



Thursday, December 11, 2008

Personal Data Expiry

Today the Dutch technology Magazine Emerce published an interesting article on privacy and expiration date of personal data:

It's time for marketeers, banks and other institutions to consider the disposal of personal data says Tom Kok of the DDMA. According to Tom not all collected data is always needed to serve customers.

"There must be a principal discussion about the clearance and clean up of databases. Actually I prefer talking about a clean up duty. That discussion is not limited to one single sector, such as Direct Marketing but across multiple sectors."

This is said by a former CEO of a Dutch insurance company, FBTO and former D66 Party Chairman Tom Kok in an interview with Emerce. Currently he is the chairman of the DM-DDMA organisation.

Read the Google translation of the full article here, or the original Dutch version here.

The DDMA is a Dutch Direct Mail trade organisation which also launched a new privacy code recently, effective January 2009. I think this is a very important issue. We leave tons of personal data all over the web, often without thinking, or without remembering. These bits and pieces can be pieced together quite easily and lead to identity theft.

Just recently I was confronted with this issue when I received an update from Fortune City, where I registered an account in the early 90's. I haven't used that account since 2001, but they still have my data and just recently sent me a mail to keep their records up to date.

Same goes for domain registration. I received an email earlier this month from a US-based registration company with the offer to renew a domain registration. The specific domain name was registered by me in 1997 when I was thinking of setting up a business directory on the internet, and I ended the registration in 2000. I registered with a completely different company, here in the Netherlands, but the email I received this month contained my full address and all sorts of personal detail. Okay, they didn't know I had moved, and I sure as hell didn't tell them, but it's been over 8 years, and still my personal data lurks in dark database corners across the ocean.

It doesn't take an expert in computer forensics or information security to piece things together and sell your identity for a couple of bucks on a Russian site. So first and foremost, think about where you leave your private data when signing up. Secondly, the industry needs to take a first step and clean up obsolete data a lot sooner than after 8 years. Eventually, though, a whole new concept of identity management needs to be applied to the internet and online identities.
