Schneier on Security

Information not only "wants" to be free, it will be free.

For example in this "security-elevated world I have recently seen an unnamed phone vendor taking its customer registration at a local mall and just tossing the triplicate carbon forms in a plain old trash can. No shredding, nothing to stop anyone passing by to pick up the bag filled with SSNs, mobile numbers, credit card info, home info, photocopies of CDLs... nothing.

Information will is free, and if it isn't it will be.

Israel Torres

So what's your opinion on web logs and the search strings people use to find web pages? Should those be considered private? I have people access my website with google search strings like: "how+to+make+a+bomb+to+blow+up+a+school" and "I+want+to+bomb+America+can+somebody+help". Should those people have a reasonable expectation that knowledge of their browsing on my site will not make it to law enforcement?

See also some of my blog postings as I struggle with what to do:

http://blog.joehuffman.org/archive/2004/12/26/702.aspx
http://blog.joehuffman.org/archive/2005/01/08/805.aspx
http://blog.joehuffman.org/archive/2005/01/18/965.aspx

And finally, my solution:

http://blog.joehuffman.org/archive/2005/01/19/981.aspx

Which turns out to be unpopular with some people.

@Joe
Good point. This is important news but not exactly "new" since it has been the subject of intense debate for at least the past five years and especially following the expansion of government powers for search/seizure via the Patriot Act. Bruce, I believe we even discussed it on your blog regarding Carnivore since the new laws seem to mean that if data is stored for even a milisecond on a system, then anyone with access to that system (presumably anyone with wiretap authority) can monitor it.

Perhaps most disturbing of all are the new "download accelerator" companies. If you install their software, they actually redirect all your traffic through their systems so they can actively track your behavior and cache your passwords. Read the User License Agreements. I think you would be (rightfully) disgusted that people are unwittingly (who actually reads the ULA?) sacrificing their own privacy, including financial passwords and sensitive identity information, to slick marketing companies.

When will we really define a "bad guy" on the Internet such that users have protection? Spammers and spyware companies still claim they are doing legit business.

@Bruce
Sorry, I see what you mean by "new" now. I missed your reference to eWeek.

When I first heard about this a couple of months back, the cracker claimed to have accessed cellphone camera photos taken by celebrities.

Not that their privacy is any more important than ours, but being Demi Moore or Paris Hilton makes them more desirable targets.

Hmmm. All quiet on this topic...sorry for posting three times in a row (bad form, I know) but this just seems like a convenient continuation of where we left off discussing Cyveillance and Carnivore over the past few weeks.

On that note, I think California Senate Bill 1386 is showing how government regulation that can make a difference with regard to our data:
http://www.msnbc.msn.com/id/6969799/

To make a long story short, forget about high-tech security when the very basic stuff is completely broken. The article says "about 50 fake companies had been set up and then registered with ChoicePoint to access consumer data."

It is now a crime that consumer information is so exposed by companies, but just as troubling is the fact (similar to T-Mobile) that "ChoicePoint has no way of knowing whether anyone's personal information actually has been accessed".

Again, SB1386 is invaluable in helping consumers fight careless data warehousing and identity theft. The market is not quick enough to drive companies to setup controls to authorize, authenticate, and account for access. Consumers must turn to the government to help weigh in on their behalf.

And finally, I do not know how you could call this a purely legal issue, since the solution requires consideration of the current availability of technology that qualifies as "reasonable" precautions.

Without technical details of a solution available, or even possible, the law becomes toothless. I mean, can you actually have the Supreme Court decide what constitutes "reading email at an ISP" without any discussion of even the high-level technical issues regarding present-day data routing?

Thanks for pushing on the legal aspects though. We need more of that, for sure. Governments need to seriously consider rapidly adopting and clarifying personal identity information laws (e.g. SB1386 and AB1950) as well as privacy/wiretap protection based on technical details such as "reasonable" information security practices.

@Rich
The entire T-Mobile system was compromised for many months (March to October of 2003). The reporters claimed that everything, including sensitive data, was exposed.

It is vital to not forget that the incident was discovered during a broad Secret Service investigation called "Operation Firewall," directed at closing down criminal groups such as Shadowcrew, Carderplanet and Darkprofits.

So, although celebrity pictures might have been an incidental target, it appears that the personal financial harm and national security issues actually drove the Secret Service to investigate . They were trying to quickly resolve leaks that exposed identity information and official documents with highly sensitive information.

Back to my point above, I think this is as much a technical issue as a legal one and neither one will do much good on its own without the other.

And how about only California having a law on the books forcing companies to disclose any of this intrusions. It just happens that only people in California need be notified. Everyone else has no right to know. I kindda like the European model for personal information a bit better.

It's odd, but this is a problem I've solved by:
a. not owning a cellular phone
b. refusing to purchase items online (send them a check-would an extra day kill you?)
c. retaining a tape recording answering machine.
d. not using online banking.
e. never using my social security number as identification.

The author claims that "This isn't a technology problem, it's a legal problem", and urges the court to protect our private data even when it's held by others.

It would certainly be wise for the courts to legally protect private data stored with third parties, but there can also be a technological solution to at least a subset of the problem.

For situations where ISPs or other data carriers are acting only as conduits and repositories for your private data (e.g., email, voicemail, file storage, etc), there is no good reason why the entity storing the data should be able to read it. End-to-end encryption of email, and encryption of stored files, can make it useless to swipe data from ISP storage.

Of course, encryption can't solve the problem of "generated data", where purchase habits and history are created through your interaction with a vendor, or the safety of private data legitimately held by a company, for, say billing purposes. However, in the less-IT-laden past, there were also no protections for data of this sort that could be collected by other people. (Although, in fairness, it has now become vastly easier to collect this data, and vastly easier for it to be compromised on a large scale).

Go forth and encrypt your email!

Agree with arendt, except for the online banking - I am reasonably satisfied with the banks with which I'm doing business. My least protected data are probably my email. maiken makes a good point - ISPs could and should employ encryption to protect customers' data. It's a pity, by the way, so few people are using PGP.

Latest update on SecurityFocus:
"T-Mobile hacker pleads guilty"
http://www.securityfocus.com/news/10516?ref=rss

There is a way to own a cell phone without compromising your privacy. In the US at least, there are several prepaid mobile providers, which do not require any personal information. If you buy the phone and the minutes in cash, it should be pretty untraceable. Of course, don't discuss anything sensitive, as it is still on the air.

And you can use either a digital or tape answering machine as long as it's in your home. Unless and until they come up with a way to hack digital answering machines.

Another update on T-Mobile:
http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html

Anyone check msnbc.com... Someone hacked into Paris Hilton and Vin Diesel's T-Mobile accounts. Thank God I have Verizon.

You write:
"We should be able to control our own data, regardless of where it is stored"

But you don't distinguish between "your data" and "data about you".

My webmail inbox is my data, stored on my behalf by a service provider I engaged to do the job. If the police need a warrant to open my safe deposit box in my bank, then logically they should need one to see my email.

Account history at Amazon, say, is Amazon's data. It concerns me, and there are legitimate questions as to how it can be distributed or used without my permission, but to my mind it is not the same situation as my data which happens to be stored outside my home.

in reply to:
t's odd, but this is a problem I've solved by:
a. not owning a cellular phone
b. refusing to purchase items online (send them a check-would an extra day kill you?)
c. retaining a tape recording answering machine.
d. not using online banking.
e. never using my social security number as identification.

a. what, you use pay phones? great. im sure whatever disease you catch from one will be fun.
b. have fun when someone steals that check from the mailbox, spanky... 'cause check fraud is still the #1 form of identity theft in the world.
c. um. no comment, other than most tape recording answering machines use one of 12 different 3 digit passwords to be listened to remotely.
d. have fun when someone sticks a rusty steak knife in your ribs at the corner ATM while you're trying to do a transfer to cover the money jacked from you when some dude stole your check.
e. who the fuck does? but no matter... any idea how easy it is to get the SSN of someone? own property? oh, guess what? it's amazing how much info you can get from a simple trip to the public records office.

way to go, sport... by sticking in the archiac times, you're not only just as easy of a target... you're not enjoying the modern conveniences...

I believe I was a victim. I've been through 3 T Mobile phones, 2 SIM Cards, local engineers to visit Houston, 50% dropped call rate, pictures altered, and endless customer service calls.
Last week, I talked to 38 T-Mobile Mgrs who could not explain why this was happening and suggested a new carrier. I explained it was if someone tapped into my phone, jammed up my line. Anyone have advice on who (besides t mobile) I can report this to?
Heather

Forgot to mention, be sure to disable remote access to your answering machine. They're remarkably easy to break into.

PS: Is it just me who's having trouble posting comments?

Anything that seems possible these days, is actually becomming possible. Sorry to break it to you all but I don't think that fraud and internet googling to find answers to free supliences, and things we have to pay for, it will not be stopped. As the saying goes, "Where theres a will, there is a way" I believe that is true. Criminals, hackers, any one who actually can access a computer with the internet has any chance to be unlocking codes and stealing rights off mobiles, credit cards, pretty much anything. This cannot be stopped. Thats just my point of view anyway.

-15 yrs old, australia.

it is quiet knowledgeble to know about hacking,I just want to know that my mobile balance is automatically decreased is it somekind of hacking and if yes how can i protect my mobile?

How to haking mobile for Internet wesite

send me PDF file Acrobat file

hi

How can one use(spend balance) of others without using others mobile? i.e. How to talk with one sim & using the balance of other sim?