Companies Not Saving Your Data

There's a new trend in Silicon Valley startups; companies are not collecting and saving data on their customers:

In Silicon Valley, there's a new emphasis on putting up barriers to government requests for data. The Apple-FBI case and its aftermath have tech firms racing to employ a variety of tools that would place customer information beyond the reach of a government-ordered search.

The trend is a striking reversal of a long-standing article of faith in the data-hungry tech industry, where companies including Google and the latest start-ups have predicated success on the ability to hoover up as much information as possible about consumers.

Now, some large tech firms are increasingly offering services to consumers that rely far less on collecting data. The sea change is even becoming evident among early-stage companies that see holding so much data as more of a liability than an asset, given the risk that cybercriminals or government investigators might come knocking.

Start-ups that once hesitated to invest in security are now repurposing limited resources to build technical systems to shed data, even if it hinders immediate growth.

The article also talks about companies providing customers with end-to-end encryption.

I believe that all this data isn't nearly as valuable as the big-data people are promising. Now that companies are recognizing that it is also a liability, I think we're going to see more rational trade-offs about what to keep -- and for how long -- and what to discard.

Posted on May 25, 2016 at 2:37 PM7 Comments

Should You Be Allowed to Prevent Drones from Flying Over Your Property?

Good debate in the Wall Street Journal. This isn't an obvious one; there are good arguments on both sides.

Posted on May 25, 2016 at 5:58 AM35 Comments

GCHQ Discloses Two OS X Vulnerabilities to Apple

This is good news:

Communications and Electronics Security Group (CESG), the information security arm of GCHQ, was credited with the discovery of two vulnerabilities that were patched by Apple last week.

The flaws could allow hackers to corrupt memory and cause a denial of service through a crafted app or execute arbitrary code in a privileged context.

The memory handling vulnerabilities (CVE-2016-1822 and CVE-2016-1829) affect OS X El Capitan v10.11 and later operating systems, according to Apple's 2016-003 security update. The memory corruption vulnerabilities allowed hackers to execute arbitrary code with kernel privileges.

There's still a lot that needs to be said about this equities process.

Posted on May 24, 2016 at 2:12 PM15 Comments

Google Moving Forward on Automatic Logins

Google is trying to bring this to Android developers by the end of the year:

Today, secure logins -- like those used by banks or in the enterprise environment -- often require more than just a username and password. They tend to also require the entry of a unique PIN, which is generally sent to your phone via SMS or emailed. This is commonly referred to as two-factor authentication, as it combines something you know (your password) with something you have in your possession, like your phone.

With Project Abacus, users would instead unlock devices or sign into applications based on a cumulative "Trust Score." This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things.

Basically, the system replaces traditional authentication -- something you know, have, or are -- with surveillance. So maybe this is a good idea, and maybe it isn't. The devil is in the details.

EDITED TO ADD: It's being called creepy. But, as we've repeatedly learned, creepy is subjective. What's creepy now is perfectly normal two years later.

Posted on May 24, 2016 at 8:35 AM61 Comments

State of Online Tracking

Really interesting research: "Online tracking: A 1-million-site measurement and analysis," by Steven Englehardt and Arvind Narayanan:

Abstract: We present the largest and most detailed measurement of online tracking conducted to date, based on a crawl of the top 1 million websites. We make 15 types of measurements on each site, including stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and the exchange of tracking data between different sites ("cookie syncing"). Our findings include multiple sophisticated fingerprinting techniques never before measured in the wild.

This measurement is made possible by our web privacy measurement tool, OpenWPM, which uses an automated version of a full-fledged consumer browser. It supports parallelism for speed and scale, automatic recovery from failures of the underlying browser, and comprehensive browser instrumentation. OpenWPM is open-source1 and has already been used as the basis of seven published studies on web privacy and security.

Summary in this blog post.

Posted on May 23, 2016 at 5:33 AM48 Comments

Friday Squid Blogging: Squid Kite

Video. Plus an octopus kite, with another squid kite in the background.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on May 20, 2016 at 4:20 PM99 Comments

Detecting Explosives

Really interesting article on the difficulties involved with explosive detection at airport security checkpoints.

Abstract: The mid-air bombing of a Somali passenger jet in February was a wake-up call for security agencies and those working in the field of explosive detection. It was also a reminder that terrorist groups from Yemen to Syria to East Africa continue to explore innovative ways to get bombs onto passenger jets by trying to beat detection systems or recruit insiders. The layered state-of-the-art detection systems that are now in place at most airports in the developed world make it very hard for terrorists to sneak bombs onto planes, but the international aviation sector remains vulnerable because many airports in the developing world either have not deployed these technologies or have not provided rigorous training for operators. Technologies and security measures will need to improve to stay one step ahead of innovative terrorists. Given the pattern of recent Islamic State attacks, there is a strong argument for extending state-of-the-art explosive detection systems beyond the aviation sector to locations such as sports arenas and music venues.

I disagree with his conclusions -- the last sentence above -- but the technical information on explosives detection technology is really interesting.

Posted on May 20, 2016 at 2:06 PM25 Comments

Identifying People from Their Metadata

Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, "Evaluating the privacy properties of telephone metadata":

Abstract: Since 2013, a stream of disclosures has prompted reconsideration of surveillance law and policy. One of the most controversial principles, both in the United States and abroad, is that communications metadata receives substantially less protection than communications content. Several nations currently collect telephone metadata in bulk, including on their own citizens. In this paper, we attempt to shed light on the privacy properties of telephone metadata. Using a crowdsourcing methodology, we demonstrate that telephone metadata is densely interconnected, can trivially be reidentified, and can be used to draw sensitive inferences.

New research, but not a new result. There have been several similar studies over the years. This one uses only anonymized call and SMS metadata to identify people who volunteered for the study.

Four assorted news articles.

Posted on May 19, 2016 at 6:10 AM14 Comments

Primitive Food Crops and Security

Economists argue that the security needs of various crops are the cause of civilization size:

The argument depends on the differences between how grains and tubers are grown. Crops like wheat are harvested once or twice a year, yielding piles of small, dry grains. These can be stored for long periods of time and are easily transported ­ or stolen.

Root crops, on the other hand, don't store well at all. They're heavy, full of water, and rot quickly once taken out of the ground. Yuca, for instance, grows year-round and in ancient times, people only dug it up right before it was eaten. This provided some protection against theft in ancient times. It's hard for bandits to make off with your harvest when most of it is in the ground, instead of stockpiled in a granary somewhere.

But the fact that grains posed a security risk may have been a blessing in disguise. The economists believe that societies cultivating crops like wheat and barley may have experienced extra pressure to protect their harvests, galvanizing the creation of warrior classes and the development of complex hierarchies and taxation schemes.

Posted on May 18, 2016 at 9:11 AM30 Comments

More NSA Documents from the Snowden Archive

The Intercept is starting to publish a lot more documents. Yesterday they published the first year of an internal newsletter called SIDtoday, along with several articles based on the documents.

The Intercept's first SIDtoday release comprises 166 articles, including all articles published between March 31, 2003, when SIDtoday began, and June 30, 2003, plus installments of all article series begun during this period through the end of the year. Major topics include the National Security Agency's role in interrogations, the Iraq War, the war on terror, new leadership in the Signals Intelligence Directorate, and new, popular uses of the internet and of mobile computing devices.

They're also making the archive available to more researchers.

Posted on May 17, 2016 at 6:18 AM82 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.