Page 489
It’s called stylometry, and it’s based on the analysis of things like word choice, sentence structure, syntax and punctuation. In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample.
Download tools here, including one to anonymize your writing style.
The genetic data posted online seemed perfectly anonymous - strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had no part in the study —identifying nearly 50 people.
[…]
Other reports have identified people whose genetic data was online, but none had done so using such limited information: the long strings of DNA letters, an age and, because the study focused on only American subjects, a state.
Ever since the launch of Kim Dotcom’s file-sharing service, I have been asked about the unorthodox encryption and security system.
I have not reviewed it, and don’t have an opinion. All I know is what I read: this, this, this, this, and this.
Please add other links in the comments.
EDITED TO ADD (1/24): Also this.
There has been an enormous amount written about the suicide of Aaron Swartz. This is primarily a collection of links, starting with those that use his death to talk about the broader issues at play: Orin Kerr, Larry Lessig, Jennifer Granick, Glenn Greenwald, Henry Farrell, danah boyd, Cory Doctorow, James Fallows, Brewster Kahle, Carl Malamud, and Mark Bernstein. Here are obituaries from the New York Times and Economist. Here are articles and essays from CNN.com, The Huffington Post, Larry Lessig, TechDirt, CNet, and Forbes, mostly about the prosecutor’s statement after the death and the problems with plea bargaining in general. Representative Zoe Lofgren is introducing a bill to prevent this from happening again.
I don’t have anything to add, but enough people have sent me their thoughts via e-mail that I thought it would be good to have a thread on this blog for conversation.
EDITED TO ADD (1/23): Groklaw’s legal analysis. Secret Service involvement.
EDITED TO ADD (1/29): Another.
EDITED TO ADD (2/28): The DoJ has admitted that Aaron Swartz’s prosecution was political.
EDITED TO ADD (3/4): This profile of Aaron Swartz is very good.
Google is working on non-password authentication techniques.
But for Google’s password-liberation plan to really take off, they’re going to need other websites to play ball. “Others have tried similar approaches but achieved little success in the consumer world,” they write. “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”
So they’ve developed a (as yet unnamed) protocol for device-based authentication that they say is independent of Google, requires no special software to work—aside from a web browser that supports the login standard—and which prevents web sites from using this technology to track users.
The great thing about Google’s approach is that it circumvents the really common attack that even Google’s existing mobile-phone authentication system can’t prevent: phishing.
They have enough industry muscle that they might pull it off.
Another article.
This essay is worth reading:
Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn’t mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent.
Online, obscurity is created through a combination of factors. Being invisible to search engines increases obscurity. So does using privacy settings and pseudonyms. Disclosing information in coded ways that only a limited audience will grasp enhances obscurity, too. Since few online disclosures are truly confidential or highly publicized, the lion’s share of communication on the social web falls along the expansive continuum of obscurity: a range that runs from completely hidden to totally obvious.
[…]
Many contemporary privacy disputes are probably better classified as concern over losing obscurity. Consider the recent debate over whether a newspaper violated the privacy rights of gun owners by publishing a map comprised of information gleaned from public records. The situation left many scratching their heads. After all, how can public records be considered private? What obscurity draws our attention to, is that while the records were accessible to any member of the public prior to the rise of big data, more effort was required to obtain, aggregate, and publish them. In that prior context, technological constraints implicitly protected privacy interests. Now, in an attempt to keep pace with diminishing structural barriers, New York is considering excepting gun owners from “public records laws that normally allow newspapers or private citizens access to certain information the government collects.”
The essay is about Facebook’s new Graph search tool, and how its harm is best thought of as reducing obscurity.
This is big news:
The U.S. Transportation Security Administration will remove airport body scanners that privacy advocates likened to strip searches after OSI Systems Inc. (OSIS) couldn’t write software to make passenger images less revealing.
This doesn’t mean the end of full-body scanning. There are two categories of these devices: backscatter X-ray and millimeter wave.
The government said Friday it is abandoning its deployment of so-called backscatter technology machines produced by Rapiscan because the company could not meet deadlines to switch to generic imaging with so-called Automated Target Recognition software, the TSA said. Instead, the TSA will continue to use and deploy more millimeter wave technology scanners produced by L-3 Communications, which has adopted the generic-outline standard.
[…]
Rapiscan had a contract to produce 500 machines for the TSA at a cost of about $180,000 each. The company could be fined and barred from participating in government contracts, or employees could face prison terms if it is found to have defrauded the government. In all, the 250 Rapiscan machines already deployed are to be phased out of airports nationwide and will be replaced with machines produced by L-3 Communications.
And there are still backscatter X-ray machines being deployed, but I don’t think there are very many of them.
TSA has contracted with L-3, Smiths Group Plc (SMIN) and American Science & Engineering Inc. (ASEI) for new body-image scanners, all of which must have privacy software. L-3 and Smiths used millimeter-wave technology. American Science uses backscatter.
This is a big win for privacy. But, more importantly, it’s a big win because the TSA is actually taking privacy seriously. Yes, Congress ordered them to do so. But they didn’t defy Congress; they did it. The machines will be gone by June.
More.
Now that videographers have bagged a giant squid, the search turns to the colossal squid.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Good essay by Matt Blaze and Susan Landau.
Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions.
The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections—including social networking accounts, online banking, email and other secure sessions—in order to compress the data and speed up the loading of Web pages.
The basic problem is that https sessions are opaque as they travel through the network. That’s the point—it’s more secure—but it also means that the network can’t do anything about them. They can’t be compressed, cached, or otherwise optimized. They can’t be rendered remotely. They can’t be inspected for security vulnerabilities. All the network can do is transmit the data back and forth.
But in our cloud-centric world, it makes more and more sense to process web data in the cloud. Nokia isn’t alone here. Opera’s mobile browser performs all sorts of optimizations on web pages before they are sent over the air to your smart phone. Amazon does the same thing with browsing on the Kindle. MobileScope, a really good smart-phone security application, performs the same sort of man-in-the-middle attack against https sessions to detect and prevent data leakage. I think Umbrella does as well. Nokia’s mistake was that they did it without telling anyone. With appropriate consent, it’s perfectly reasonable for most people and organizations to give both performance and security companies that ability to decrypt and re-encrypt https sessions—at least most of the time.
This is an area where security concerns are butting up against other issues. Nokia’s answer, which is basically “trust us, we’re not looking at your data,” is going to increasingly be the norm.
Sidebar photo of Bruce Schneier by Joe MacInnis.