Comments

Anonymous Coward • October 29, 2014 2:46 PM

It is also a good time to mention Microsoft Windows.

1) Bitlocker keys are uploaded by 'device encryption'.

"Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

...

If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created."

http://technet.microsoft.com/en-us/library/dn306081.aspx

2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones.

"BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices."

http://technet.microsoft.com/en-us/library/dn306081.aspx#BKMK_Encryption

3) The tech media and feature articles recognise this.

"... because the recovery key is automatically stored in SkyDrive for you."

http://www.zdnet.com/surface-bitlocker-and-the-future-of-encryption-7000024613/

4) Here's how to recover your key from Sky/OneDrive.

"Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to ...onedrive.com..."

http://windows.microsoft.com/en-us/windows-8/bitlocker-recovery-keys-faq

5) SkyDrive (now named OneDrive) is onboarded to PRISM.

http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf

PhilS • October 29, 2014 3:09 PM

Well now that Adobe address receiving the data [192.150.16.235] has been revealed -- how about a DoS attack.

Wael • October 29, 2014 4:08 PM

Doesn't surprise me a bit. I already experienced this when I noticed something strange on my network, although with a different reader (It's under the subtitle "Different topic", towards the bottom of the link.) So now Apple, Amazon, and Adobe collect this sort of information. Strange that they all start with the letter "A" :)
I am thinking many other readers will have this "peeping tom" sort of feature... I mean productivity and convenience feature that we can't imagine living without...

What surprised me was the same link talks about "complexity" in the first half! I guess I get to keep my word (saying a thing or two about complexity) after all, @Clive Robinson... Explain this to me, @Nick P ;)

bit strong • October 29, 2014 4:45 PM

It's the fallback to the terms that worries me. They can change it anytime they want. I notice many websites are now flagging visitors as soon as they land, that continued use is interpreted as agreement (to anything they say). I noticed CNN the first time just today.

Nick P • October 29, 2014 5:45 PM

@ Wael

Easy: you cherry picked a link that mentioned complexity. Probably as a joke. :P

A d'oh be • October 29, 2014 5:56 PM

While encryption will protect the data in transit, it also removes a key method of auditing. Since the program is closed source, we have to trust Adobe that they're only collecting what they say they are.

Clive Robinson • October 29, 2014 6:43 PM

In all honesty can anyone say they are really shocked or surprised by this?

It's becoming clear that even when you pay for a service you are still the product to be wrapped up and sold to whom so ever wishes to negotiate a price.

It does not matter if there are clear laws to stop this kind of abuse, the companies will ignore them and add some "phony bolony" terms to the End User Licence Agreement. And if you should go to court and win the chances are you will not get the company to change its ways; it will either change the licence or find some other legal worm hole to crawl through.

It's this sort of "tradesman's entrance" abuse that has become completely insidious in closed source software that it won't be long before their legal vultures will be able to claim "accepted custom and practice" as a defence.

Sadly it appears that even some "open source" products are going that way in the name of "being helpful" to users...

And people wonder why all my systems are air-gapped and some even built into safes...

Wael • October 29, 2014 8:09 PM

@Clive Robinson,

> And people wonder why all my systems are air-gapped and some even built into safes...

In all honesty, I have participated in the air-gap threads out of interest in the academic discussion. At times I was going to ask the question, why go through all this trouble -- What do you guys have to hide? Then now I am changing my mind, and I think I'll start considering it more seriously. Why would someone need to know what page on the book I am currently reading, or what book-marks I added, or what notes and highlights I am interested in? Then with other Operating Systems that steal the data that I did not even save? What if I am working on an idea or an IP? That's appalling!

@Nick P,

> Easy: you cherry picked a link that mentioned complexity. Probably as a joke. :P

I didn't have the freedom to choose whatever thread that contained "complexity"! I chose the thread that talked about an incident related to Adobe, which was the Kindle reader. It happened to contain "complexity" -- so your answer is... Never mind! You are still a genius, that's the most outstanding answer I've ever heard! You must have an IQ of a 160! You are gifted :)


Nick P • October 29, 2014 11:05 PM

@ Wael

In that case, it falls into category of "maybe interesting coincidence." Depends on how often complexity pops up in your links or discussions. Far as movie reference (LMAO), I instantly knew what you were parodying. One of funniest parts of the movie.

re your realization on air gaps

" I have participated in the air-gap threads out of interest in the academic discussion. At times I was going to ask the question, why go through all this trouble -- What do you guys have to hide? Then now I am changing my mind, and I think I'll start considering it more seriously. "

We did it out of necessity. That's both to reduce the power potential surveillance has over us, reduce risk of more direct attacks from more serious opponents, and to know we're in control of our devices. People said it was overkill or something only criminals would worry about. Snowden leaks showed the NSA considered everyone an "adversary" until proven otherwise by pervasive surveillance/vulnerability and was accomplishing this. More nation states are doing this all the time, some competitors to private interests. Some people/companies now realize they might need to make sacrifices to protect their valuable secrets, assets, freedom, or lives.

You are now among them. Just keep thinking on it and improving your response to the situation.

Wael • October 29, 2014 11:24 PM

@Nick P,

> Far as movie reference (LMAO), I instantly knew what you were parodying...

I knew you would know before you clicked the link. You've got me pinned and can read me like an eBook... If I work on a project or a new idea, it'll be on an air-gapped device. And if I need to copy things to it say using a USB disk (like the ones I find in parking lots), then I'll check that USB disk on a second non-sensitive air-gapped device first. Can't be too careful now!

Chief Michael Airic White Sr • October 29, 2014 11:40 PM

Part of being part of the team is not fighting surveillance as a matter of fact it's not surveillance really at all when you agree to it... It's more like conjoined note taking. When you have a website you are open to readers reading your material who have the proper security clearance so to speak. I encourage everyone to participate in group projects especially those who have something to share... e.g. educated or gifted creators.

P.S. Don't think encryption is going to protect you. If you don't want someone to know something - DON'T TELL THEM

Figureitout • October 29, 2014 11:41 PM

> What do you guys have to hide?
> Wael

--Don't really think you're being serious, just being silly as you already know the answer... :p I honestly don't give much a crap about someone spying anymore ie: just looking, on me anymore. It'll be boring as hell guaranteed, look at my dick or listen to my sh*ts; I don't care lol. It's when they inject malware, or by spying they *take* my ideas or IP or work. That's it for me personally, injecting malware that both reduces functionality of my computer or carves out a space where log files of all activities are stored and exfiltrated. One won't get it until they get hacked so much and witness the malware crossing gaps.

So a simple (guaranteed already used) method to beat this way of spying is using LiveCD TAILS on dedicated netbook (NO HDD attached) to download and a long distance wifi antenna (which I'll lay out an easy build in due time, already plenty of info online), move the file via dedicated USB to PC hard drive that's been airgapped its entire life (and you don't care about malware in PDFs), wipe/encrypt/wipe USB on either same or separate device (maybe a RasPi). If Adobe is storing malware somehow on USB sticks that'll be a great revelation. My investigations into a "net-tap" and "data-diodes" will hopefully come up w/ a better solution (adobe can't retrieve info of previously stored PDF's from different sources) I can simplify to an easy yet hopefully fun project. It gets really fun when things start to click and patterns emerge.

You can also simply type all the info you need from the web-based PDF reader into .txt file nearly every big browser now if you're feeling "like a real man". :p

Wael • October 30, 2014 12:03 AM

@Figureitout,

> Don't really think you're being serious, just being silly as you already know the answer.

Well, was half serious and hence I didn't really ask the question! I think if you are working on something you need to protect, it must be made physically isolated from the network -- period. And that's a minimum as other air-gap comments showed the device needs to be environment-gapped, because air is a sound conductor.

Wael • October 30, 2014 12:46 AM

@Chief Michael Airic White Sr,
Your comments require a line-by-line response...

> Part of being part of the team is not fighting surveillance as a matter of fact it's not surveillance really at all when you agree to it

1- And what team would that be? The whole world? The unknown -- a team with an anonymous member list that's only available to the supervisor?
2- It is still surveillance, otherwise tell me what the stressed "it" refers to!

> It's more like conjoined note taking

More or less! It's more like a person sitting next to you in an exam copying the solutions from you without your knowledge. It's more like cheating, less like note taking

> When you have a website you are open to readers reading your material who have the proper security clearance so to speak.

Swell! So all of a sudden, my personal computer, that's not running Apache, now became a Web Site? That's just great. And who gave them this security clearance, so to speak? Besides, if it were a Web Site, then I would have control on access to the material, what to share and what not to share. The only control you are suggesting here is not to use the computer.

> I encourage everyone to participate in group projects especially those who have something to share... e.g. educated or gifted creators.

What do you have to say to people who don't believe in sharing and think sharing is an abstract concept when it comes to their confidential material?

> If you don't want someone to know something - DON'T TELL THEM

"Don't tell" in this context means don't type a thing on your computer. I'd like to see that in the terms and conditions!

65535 • October 30, 2014 12:58 AM

Adobe's data collection policies are very invasive and disturbing:

[Nakedsecurity]

"User GUID
"Device GUID
"Certified App ID
"IP number
"Time spent reading
"Percentage of eBook Read
"Metadata of eBook. E.g. ISBN, title, author."

http://nakedsecurity.sophos.com/2014/10/27/adobe-updates-its-e-reader-drm-data-no-longer-transmitted-insecurely/

Arstechnica notes the same list but highlights the hot-button issue of geo-location:

'Device IP address: for geo-location, "since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication," Adobe's spokesperson said.”' -Arstechnica

If the e-book's geo-location indicates you are in a Muslim country or even in a city such as Dearborn Michigan do you get put on a “list” from the NSA or similar TLA? This could cause an e-book customer to have his phone and internet spied upon by the NSA.

Wikipedia:

“The Supreme Court has also held in Smith v Maryland (1979) that citizens have no Fourth Amendment expectation of privacy in the business records (sometimes termed metadata) of their communications. This means that the court can subpoena data such as the numbers that an individual has phoned, when and, to a limited degree, where (subject to Jones v. United States) the phone conversation occurred, although a full judicial warrant would be required for the government to acquire or admit audio content from the telephone call. Under Section 215 of the PATRIOT act, the FBI can subpoena some or all such records from a business record holder using a warrant applied for in the Foreign Intelligence Surveillance Court.”

See 50% down Fourth Amendment issues:
https://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy#Fourth_Amendment_issues

It is terrible that Adobe sent this data under the guise of DRM compliance in clear text. Yet, encrypting this data is problematic. Adobe’s business partners and compliance department must decrypt the data at some point and distribute it to an unknown number of people [probably including the NSA].

As Clive has noted this behavior could become “standard business practice” with negative consequences. It looks like other e-book reader makers are doing the same.

[The Digital Reader comment section]

Swâ… Petara… says:

“Adobe is (unfortunately) not the only one…3 But the finest still is to come:
“Information Received… The software will provide Pocketbook with data about your Pocketbook reading device and its interaction with the Service (such as available memory, up-time, log files, and signal strength). The Software will also provide Pocketbook with information related to the Digital Content on your Pocketbook reading device and Supported Devices and your use of it (such as last page read and content archiving). Information provided to Pocketbook, including annotations, bookmarks, notes, highlights, or similar markings you make using your Pocketbook reading device or Reading Application, may be stored on servers that are located outside the country in which you live. [...] BY USING THE POCKETBOOK READING DEVICE YOU AUTOMATICALLY ACKNOWLEDGE AND AGREE THAT POCKETBOOK MAY COLLECT, STORE, PROCESS, TRANSMIT, PROVIDE AND/OR SELL ANY INFORMATION AVAILABLE ABOUT YOU AND THE READING DEVICE(S) THAT YOU ARE USING TO ANY THIRD PARTIES. THIS INFORMATION MAY BE USED BY POCKETBOOK AT ITS SOLE DISCRETION FOR ANY LAWFUL PURPOSES AND IN ANY MANNER OTHER THAN PROHIBITED BY APPLICABLE LAWS, WITHOUT LIMITATION.
Pocketbook reading device and software preinstalled or subsequently installed on it provides Pocketbook with details of the Pocketbook reading device used by you and certain actions performed by you on it such as: – Orientation of the Pocketbook reading device (portrait or landscape); – the language of Digital Content; – file size in bytes; – DRM type (Adobe, Pocketbook, none); – Digital Content opened for the first time or not; – the application that you use for reading; – time between the opening starts and finishes in milliseconds; – functions of keys; – the interface language; – the reading device model; – the identifier of the Pocketbook reading device to establish whether data have been collected from one or different Pocketbook reading devices (not the serial number); – version of software installed; [...] Your agreement to be bound by these Terms of Use is voluntary and implies your unconditional consent to all and any data processing conditions established herein..."

http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/comment-page-1/#comment-660884

That’s a horribly large amount of “meta-data” to be collected. If this trend continues the entire e-book market will become a huge spy machine.

@ Anonymous Coward

“It is also a good time to mention Microsoft Windows… 1) Bitlocker keys are uploaded by 'device encryption'… 5) SkyDrive (now named OneDrive) is onboarded to PRISM."

Yes, this is a big problem. I note the link to the data mining/spying occurs via the use of various cloud service companies [like the Apple syncing problem discussed recently]. If this trend continues consumers will shun American/Five-eyes cloud service companies. The financial loss to American cloud providers could be very large.

Andrew_K • October 30, 2014 2:01 AM

This will be slightly off-topic.

> What do you guys have to hide?
> --Wael

I wouldn't take this as easy as Figureitout did. When I try to raise my social environment's awareness for INFOSEC/OPSEC (and no, I do not use these terms then), I am confronted with exactly this answer (though often rephrased to "Why should I care about Adobe/Microsoft/Apple/Gvmt knowing these things about me? I did not do anything wrong, I have nothing to hide!").
This is sad reality. And it is how they can get away with it. Those protecting their privacy must have dark secrets to hide. Just like freemason members.

This may also pose the answer to how things can change: It's not the revelations about mass observation. It's revelations about police officers trading nude pictures that will change public opinion; it will be revelations about analysts collecting and trading nude pictures. Let there be one CCTV-snippet of an analyst taking care of himself using some unwitting couple's sex tape (yes, the reference to the movie is intended) as inspiration. Why would this help changing things? Because in this case abuse is so obvious that "I have nothing to hide" is just out of reach. No one seriously wants restrictions on what to photograph at home.

Andrew_K • October 30, 2014 2:13 AM

Back on topic:

A German-speaking friend was kind enough to translate a bit of what Samsung is showing in their software update agreement:


> 2. On use of personal data
> We will use your personal data as necessary to use our services or parts of it including our web site and [...].
> Especially, we use your personal data for (if this is legal):
> [...]
> * Investigations in case you send us a job application

Link to original screenshot, Link to according blog post. Can anyone of the German native speakers validate the translation?

If the translation is correct, it reads to me as if Samsung can and will add anything you did on your phone to your job application.

Clive Robinson • October 30, 2014 2:37 AM

@ Wael,

> I think if you are working on something you need to protect, it must be made physically isolated from the network -- period

The problem is, if you are of an inventive mind, you never know when some thought you jot down is going to become a project or IP...

Thus all such "throw away thoughts" should be protected, unfortunately that is difficult. Because most such thoughts give rise to a "quick search" which to another domain expert would be very revealing. Think how much such a search by a major drugs company senior researcher would be worth to a competitor or investor... I'll give you an example of a "throw away thought" in my reply to @65535.

On the lighter side of things, you say,

> And that's a minimum as other air-gap comments showed the device needs to be environment-gapped, because air is a sound conductor.

It's not just air that conducts "sound", the bottle of a vacuum flask does as well which means you need "mechanical isolation" as well :-(

So based on all the extra work involved over "ordinary air-gapping" how long do you think it will be before we get a new verb? So instead of "air-gapping" we have say "blackhole-ing"...

@ 65535,

A "throw away line" in your above post,

> This means that the court can subpoena data such as the numbers that an individual has phoned... ...although a full judicial warrant would be required for the government to acquire or admit audio content from the telephone call.

has triggered an idea.

I used to work for a company where you could only "direct dial" local numbers, long distance and international calls had to be placed for you by the company receptionist who wrote the details in a log book.

Well voice recognition has reached the point now where the recognition of numbers is very good, so the receptionist could now be a computer not a human. If this was coupled with a VoIP system with dial out lines then you would "voip-in" and it would "dial-out" and connect you.

However, the court's reach is jurisdictional and thus has limited reach, so if the voice channel is properly encrypted and the VoIP System is in one or more countries then the only meta data they could get would be you calling the foreign service... Which means they would have to use some other "end run" technical solution which is probably even less admissible in court...

65535 • October 30, 2014 3:34 AM

@Clive

“…voice recognition has reached the point now where the recognition of numbers is very good, so the receptionist could now be a computer not a human. If this was coupled with a VoIP system with dial out lines then you would "voip-in" and it would "dial-out" and connect you… the court's reach is jurisdictional and thus has limited reach, so if the voice channel is properly encrypted and the VoIP System is in one or more countries then the only meta data they could get would be you calling the foreign service... Which means they would have to use some other "end run" technical solution which is probably even less admissible in court...” –Clive

That is an interesting idea.

I gather you are saying construct a “Virtual Switch Board operator machine” in a non-five eyes country to then connect one’s encrypted sensitive phone calls [local, long distance or international] via that virtual operator – sort of a quasi voip Tor solution.

That is a good idea. I think it could be used in a chained Virtual Operator fashion to avoid the 2 hop rule the NSA/CIA/FBI uses.

What exact software and hardware would be needed to accomplish this task? Can Commercial Over-The-Counter equipment be used? What are risks?


Wael • October 30, 2014 3:37 AM

@Clive Robinson,

> you need "mechanical isolation" as well...

You mean like this sort of isolation?

> Thus all such "throw away thoughts" should be protected, unfortunately that is difficult.

Yes! Getting our ideas stolen before they are saved, or through analyzing strings we search for doesn't exactly help to protect us! Your "throw away" idea example is nice.

@Andrew_K,

> Why should I care about Adobe/Microsoft/Apple/Gvmt knowing these things about me? I did not do anything wrong, I have nothing to hide

This is taken a little out of context. I was asking myself, do I need to go to this much trouble to air-gap a device? What sort of information do I have to warrant the need to go to this level of protection?

This is a little different than what you said. I am not using the lame argument: If you have nothing to hide, it's ok for anyone to peek at your data. It's a two way street; one has to put the appropriate defense mechanisms in place, and complain about products that violate privacy.

Andrew_K • October 30, 2014 4:41 AM

@ Wael

I did not want to put this in your mouth, the sentence just triggered me recalling that reaction. No offense meant :)

Clive Robinson • October 30, 2014 5:00 AM

@ 65535,

> What exact software and hardware would be needed to accomplish this task? Can Commercial Over-The-Counter equipment be used? What are risks?

I'm not sure these days, it's been a while since I was involved with setting up an Asterisk box with a Stunnel VPN. Back then it only needed POTS cards a PC at either end on the respective local LANs with firewalls on the gateways to --for then-- a wide data bandwidth Internet connection and QoS to reduce problems.

So with modern PCs and almost ubiquitous low latency wide data bandwidth Internet connections, the real problem might be getting the POTS connections in many parts of the world.

However five years ago I was playing with easily available mobile phone modules for use with PCs. Today you can buy a Raspberry Pi, an Arduino mobile phone shield and WiFi USB card for under 100USD all of which would fit comfortably in a small IP67 box with a couple of SMA connectors and a power supply that could be hidden in some ceiling space in a publicly accessible building with free WiFi somewhere with little difficulty (think the toilet in your local Star*ucks or MuckyDs or Mom&Pop equivalent). If WiFi is not possible/reliable use a second mobile phone shield with a good data plan. Obviously pay for the phone service using an anonymous Pre-Pay credit card that can be topped up via cash machine or over the counter cash payment.

@ Wael,

Sadly yes, as I've said before, the energy has to go somewhere in some form, and the best you can hope for is to get a very low bandwidth on the resulting side channel. With regards the tin foil hat, even that might not be sufficient, as used to be in ancient times, the system designer and builders might require air-gapping twixt shoulders and head... I think it was Benji Franklin who made the comment about the only way for two people to keep a secret was for one to kill the other, hence the modern version of answering a question with "I could tell you but... then I'd have to kill you!".

wiredog • October 30, 2014 5:27 AM

Amazon and B&N are both very upfront about this. It's how they sync between devices.

65535 • October 30, 2014 5:33 AM

@Clive

“Today you can buy a Raspberry Pi, an Arduino mobile phone shield and WiFi USB card for under 100USD all of which would fit comfortably in a small IP67 box with a couple of SMA connectors and a power supply that could be hidden in some ceiling space in a publicly accessible building with free WiFi somewhere with little... If WiFi is not possible/reliable use a second mobile phone shield with a good data plan. Obviously pay for the phone service using an anonymous Pre-Pay credit card that can be topped up via cash machine or over the counter cash payment.” –Clive

The small Raspberry Pi and Arduino mobile phone, hidden power supply [and prepaid cards] carefully placed sound like a good idea.

I’ll study Asterisk Box and the Stunnel software because I am not familiar with them. But, your idea certainly has merit. Keep up the good ideas!

I got to go for now.

paul • October 30, 2014 8:42 AM

@Andrew_K:

As a not-quite-native speaker of German, I have to say there's an ambiguity in that text (albeit it's still pretty invasive). Rather than searching your whole phone if you apply for a job and making use of whatever is legally allowed (and somehow unseeing the things that aren't legal for them to know in some jurisdictions), it could be interpreted simply as saying that they get to use phone data to verify information in the application, e.g. that your name and address are what you say they are, that the contact info you give for references is actually of those people and not your best friends, that you work at the place you say you work. It's still pretty darn weird though.

Wael • October 30, 2014 9:51 AM

@Andrew_K,

> No offense meant :)

None taken!

Correction to a previous post:
Seems like air-gapped computers need to be vacuum gapped, magnetically gapped, heat gapped (hosted in a thermos), vibration gapped (floating in air)
Corrected to:
Seems like air-gapped computers need to be vacuum gapped, magnetically gapped, heat gapped (hosted in a thermos), vibration gapped (floating in vacuum) because it's "vacuum-gapped".

BoppingAround • October 30, 2014 10:38 AM

Clive,

> Sadly it appears that even some "open source" products are going that way in the name of "being helpful" to users...

Which ones?

re: Amazon and B&N are both very upfront about this. It's how they sync between devices.

So, is there any info on e-readers that *don't* indulge in this kind of stuff?

jones • October 30, 2014 11:35 AM

From the article:

> Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

If the data is sent as cleartext then it is susceptible to snooping by organizations like the NSA, which have had direct access to telcos for some time now.

http://en.wikipedia.org/wiki/Mark_Klein

I bet some application at the NSA just files those details into some automated psychological profile database, incorporating "open source intelligence" that typical users publicly make available about themselves through services like FaceBook.

And, I bet data like that with a system like this

http://en.wikipedia.org/wiki/Synthetic_Environment_for_Analysis_and_Simulations

can help win elections, among other things...

kronos • October 30, 2014 11:49 AM

@ 65535

> The financial loss to American cloud providers could be very large.

I think that this, more than anything else, will push large American I.T. companies to drag their feet and/or push Congress to change the laws. Complying with federal agencies in spying on customers will directly affect their bottom line and it is all about the dollars. When possible, foreign companies will cater to the do-not-spy-on-me crowd.

Clive Robinson • October 30, 2014 12:07 PM

@ BoppingAround,

The current example is the 13.10 release of Ubuntu, in order to be "user friendly" to those coming from a commercial platform various searches on Amazon and Google happen without the user directly actioning them. Often with weird or bizarre results coming up, whilst the searches can be disabled by those more familiar with the likes of Unity there are complaints that,

1, they were made defaults in the first place.
2, it's not immediately obvious how to turn them off.

Now whilst I can see why Ubuntu might want to do what they have done, they are no strangers to controversy in the FOSS world and should have known feathers would be ruffled, thus should have gone to more effort to mitigate things.

Some however see it as the thin edge of the Balkanisation of Linux by Ubuntu in order to ingratiate themselves with the --supposed-- "Big Hitters" of the commercial side of the Internet, and thus are railing against it.

However, what can be said is a lot of data will head to both Google and Amazon because of the Ubuntu design choice, and it will in many cases cause PII to be leaked to them, and from a security point of view that's neither good or necessary.

Required Name • October 30, 2014 12:12 PM

@ Clive Robinson, @ 65535,


What you two are talking about sounds like what the telemarketing scammers have been doing the past few years, only they include Caller ID Spoofing (some of them really obvious) and calling times that indicates they are on a different continent and don't know the time in the US.

xqr • October 30, 2014 1:05 PM

Perhaps they will come with the Google defense: "but but it was all just meant to improve the user experience"

Anon • October 30, 2014 1:52 PM

@BoppingAround
"So, is there any info on e-readers that *don't* indulge in this kind of stuff?"


I have an old "Kindle 3".
When I purchased it, there was a promotion on it that was called "Kindle with Ads" or something. It had a reduced sale price, which was supposed to be subsidized by the delivery of advertisements to the device.

But, that only happened if you registered it.
Without registration, you did not get the ads.

But, without registration, you could not download books to it using WiFi.
So, you would just need to copy ebooks to it through the USB connection from your PC.

So, what I'm trying to say is, if you want to read ebooks on a device that doesn't report your reading habits, you may need to find an "old school" ebook reading device.


BoppingAround • October 30, 2014 6:09 PM

Clive,

Thank you. Actually I do already know about Ubuntu. I thought that something else might have joined this odious path.

Maybe a year ago Canonical (the company behind Ubuntu) also got into a quarrel with a site that provided instructions about disabling this kind of 'functionality.'

http://arstechnica.com/information-technology/2013/11/canonical-abused-trademark-law-to-target-a-site-critical-of-ubuntu-privacy/

Anon,

Thanks for the info. That's a nice starting point to begin with.

Adam • October 31, 2014 4:23 AM

I wonder if they sent the data in the clear as a plausible deniability ("if we were really spying on purpose would we be this incompetent in doing it?") or actual incompetence. I'm sure they have a lot of traffic for key exchanges etc. that they could bury info within if they wished.

Anyway my interaction with Digital Editions is merely to get stuff onto my device after which I dedrm it on the principle that DE sucks and I want to minimize my interaction and dependence on it.

Joe • October 31, 2014 10:23 PM

Note that the problem hasn't been fixed, now the data is just encrypted.
They even state that they collect the position in the book and the time spent reading the book, which is nearly all the information that they can collect anyway.

Luckily there is a way to make this backfire on Adobe big time:

Many public libraries use ADE for their ebooks available through overdrive, axis360 and most other vendors.

I urge everyone to write a friendly letter to the director of their public library to let them know that you do not appreciate your tax money being spent to spy on your children.

The libraries are probably violating their own policies + a huge number of laws meant to protect children.

Librarians generally are very sympathetic to privacy issues. Most libraries have strict privacy policies that they are now violating themselves by using ADE.

That means that they have to act either way, either by updating their policies and giving Adobe permission to spy on their customers, or by getting rid of Adobe.
Generally the ebooks are very expensive compared to paper books, and a few friendly letters might very well make the libraries reconsider the choice of their ebook vendors.

Interestingly, overdrive stopped using DRM for audiobooks recently. They now use mp3s only.

This is the perfect chance to give ADE and DRM the death blow. Right now!
Write to the director of your library and let them know that you care about privacy!

Buck • October 31, 2014 10:32 PM

@Joe

Hmmm... We, the people, probably should start keeping closer track of taxpayer monies that are appropriated for public-space espionage!

Shouldn't we save the children!?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.