Entries Tagged "privacy"


Trying to Value Online Privacy

Interesting paper: “The Value of Online Privacy,” by Scott Savage and Donald M. Waldman.

Abstract: We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to relinquish some personal information through “privacy permissions” to obtain the app and its benefits. Results show that the representative consumer is willing to make a one-time payment for each app of $2.28 to conceal their browser history, $4.05 to conceal their list of contacts, $1.19 to conceal their location, $1.75 to conceal their phone’s identification number, and $3.58 to conceal the contents of their text messages. The consumer is also willing to pay $2.12 to eliminate advertising. Valuations for concealing contact lists and text messages for “more experienced” consumers are also larger than those for “less experienced” consumers. Given the typical app in the marketplace has advertising, requires the consumer to reveal their location and their phone’s identification number, the benefit from consuming this app must be at least $5.06.

Interesting analysis, though we know that the point of sale is not the best place to capture the privacy preferences of people. There are too many other factors at play, and privacy isn’t the most salient thing going on.

Posted on January 29, 2014 at 12:26 PM

The Politics of Fear

This is very good:

…one might suppose that modern democratic states, with the lessons of history at hand, would seek to minimize fear - or at least minimize its effect on deliberative decision-making in both foreign and domestic policy.

But today the opposite is frequently true. Even democracies founded in the principles of liberty and the common good often take the path of more authoritarian states. They don’t work to minimize fear, but use it to exert control over the populace and serve the government’s principal aim: consolidating power.

[…]

However, since 9/11 leaders of both political parties in the United States have sought to consolidate power by leaning not just on the danger of a terrorist attack, but on the fact that the possible perpetrators are frightening individuals who are not like us. As President George W. Bush put it before a joint session of Congress in 2001: “They hate our freedoms: our freedom of religion, our freedom of speech, our freedom to vote and assemble and disagree with each other.” Last year President Obama brought the enemy closer to home, arguing in a speech at the National Defense University that “we face a real threat from radicalized individuals here in the United States”—radicalized individuals who were “deranged or alienated individuals - often U.S. citizens or legal residents.”

The Bush fear-peddling is usually considered the more extreme, but is it? The Obama formulation puts the “radicalized individuals” in our midst. They could be American citizens or legal residents. And the subtext is that if we want to catch them we need to start looking within. The other is among us. The pretext for the surveillance state is thus established.

Posted on January 29, 2014 at 6:24 AM

TAWDRYYARD: NSA Exploit of the Day

Back in December, Der Spiegel published a lot of information about the NSA’s Tailored Access Operations (TAO) group, including a 2008 catalog of hardware and software “implants.” Because there were so many items in the catalog, the individual items didn’t get a lot of discussion. By highlighting an individual implant every day, my goal is to fix that.

Today’s item:

TAWDRYYARD

(TS//SI//REL TO USA,FVEY) Beacon RF retro-reflector. Provides return when illuminated with radar to provide rough positional location.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) TAWDRYYARD is used as a beacon, typically to assist in locating and identifying deployed RAGEMASTER units. Current design allows it to be detected and located quite easily within a 50′ radius of the radar system being used to illuminate it. TAWDRYYARD draws as 8 μA at 2.5V (20μW) allowing a standard lithium coin cell to power it for months or years. The simplicity of the design allows the form factor to be tailored for specific operational requirements. Future capabilities being considered are return of GPS coordinates and a unique target identifier and automatic processing to scan a target area for presence of TAWDRYYARDs. All components are COTS and so are non-attributable to NSA.

Concept of Operation
(TS//SI//REL TO USA,FVEY) The board generates a square wave operating at a preset frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal, the illuminating signal is amplitude-modulated (AM) with the square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the clock signal. Typically, the fundamental is used to indicate the unit’s presence, and is simply displayed on a low frequency spectrum analyzer. TAWDRYYARD is part of the ANGRYNEIGHBOR family of radar retro-reflectors.

Unit Cost: $30

Status: End processing still in development.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 28, 2014 at 2:13 PM

US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance

Now we know why the president gave his speech on NSA surveillance last week; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board.

Last week, it issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this.

What frustrates me about all of this—this report, the president’s speech, and so many other things—is that they focus on the bulk collection of cell phone call records. There’s so much more bulk collection going on—phone calls, e-mails, address books, buddy lists, text messages, cell phone location data, financial documents, calendars, etc.—and we really need legislation and court opinions on it all. But because cell phone call records were the first disclosure, they’re what gets the attention.

EDITED TO ADD (1/28): I should add links to yesterday’s story that the NSA is collecting data from leaky smart phone apps.

Posted on January 28, 2014 at 12:39 PM

SPARROW II: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

SPARROW II

(TS//SI//REL) An embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards.

(U//FOUO) System Specs

Processor: IBM Power PC 405GPR

Memory: 64MB (SDRAM), 16MB (FLASH)

Expansion: Mini PCI (Up to 4 devices) supports USB, Compact Flash, and 802.11 B/G

OS: Linux (2.4 Kernel)

Application SW: BLINDDATE

Battery Time: At least two hours

(TS//SI//REL) The Sparrow II is a capable option for deployment where small size, minimal weight and reduced power consumption are required. PCI devices can be connected to the Sparrow II to provide additional functionality, such as wireless command and control or a second or third 802.11 card. The Sparrow is shipped with Linux and runs the BLINDDATE software suite.

Unit Cost: $6K

Status: (S//SI//REL) Operational Restrictions exist for equipment deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 27, 2014 at 8:06 PM

PHOTOANGLO: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

PHOTOANGLO

(TS//SI//REL TO USA,FVEY) PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) The planned capabilities for this system are:

  • Frequency range: 1 – 2 GHz, which will be later extended to 1 – 4 GHz
  • Maximum bandwidth: 450 MHz.
  • Size: Small enough to fit into a slim briefcase.
  • Weight: Less than 10 lbs.
  • Maximum Output Power: 2W
  • Output:
      • Video
      • Transmit antenna
  • Inputs:
      • External oscillator
      • Receive antenna

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) The radar unit generates an un-modulated, continuous wave (CW) signal. The oscillator is either generated internally, or externally through a signal generator or cavity oscillator. The unit amplifies the signal and sends it out to an RF connector, where it is directed to some form of transmission antenna (horn, parabolic dish, LPA, spiral). The signal illuminates the target system and is re-radiated. The receive antenna picks up the re-radiated signal and directs the signal to the receive input. The signal is amplified, filtered, and mixed with the transmit antenna. The result is a homodyne receiver in which the RF signal is mixed directly to baseband. The baseband video signal is ported to an external BNC connector. This connects to a processing system, such as NIGHTWATCH, an LFS-2, or VIEWPLATE, to process the signal and provide the intelligence.

Unit Cost: $40k (planned)

Status: Development. Planned IOC is 1st QTR FY09.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 24, 2014 at 2:09 PM
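
An added illustration, not part of the catalog or the original posts, of the signal chain the TAWDRYYARD and PHOTOANGLO entries describe: a homodyne receiver mixes the CW carrier to baseband, and the beacon's square-wave fundamental shows up as a narrow spectral line even when the return is weaker than the receiver noise, which is also the signature a detection sweep would look for. The sample rate, clock frequency, amplitudes and noise level are constructed values, and the Goertzel scan stands in for the "low frequency spectrum analyzer".

```python
import math
import random

FS = 48_000     # baseband sample rate, Hz (assumed)
F_CLK = 1_000   # beacon square-wave frequency, Hz (constructed, not from the catalog)
N = 2_400       # 50 ms of samples, so DFT bins are FS / N = 20 Hz apart


def baseband(beacon_present, seed=1):
    """Homodyne output: the CW carrier mixes down to DC, leaving the envelope."""
    rng = random.Random(seed)
    samples = []
    for n in range(N):
        clutter = 1.0                              # static reflections, unmodulated
        fet_on = (n * 2 * F_CLK // FS) % 2 == 0    # 50% duty square wave
        echo = 0.03 if beacon_present and fet_on else 0.0
        samples.append(clutter + echo + rng.gauss(0.0, 0.05))  # receiver noise
    return samples


def goertzel_power(x, freq):
    """Normalised power of x in the single DFT bin at freq (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for v in x:
        s1, s2 = v + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(x) ** 2


def scan(x, f_lo=200, f_hi=5_000, step=20):
    """Return (strongest frequency, its power relative to the median bin)."""
    mean = sum(x) / len(x)
    ac = [v - mean for v in x]                     # drop the DC clutter term
    spectrum = [(f, goertzel_power(ac, f)) for f in range(f_lo, f_hi + 1, step)]
    floor = sorted(p for _, p in spectrum)[len(spectrum) // 2]
    f_peak, p_peak = max(spectrum, key=lambda fp: fp[1])
    return f_peak, p_peak / floor


if __name__ == "__main__":
    for present in (True, False):
        f_peak, ratio = scan(baseband(present))
        print(f"beacon={present}: peak {f_peak} Hz, {ratio:.0f}x the median bin")
```

The scan step equals the 20 Hz bin spacing, so a line anywhere on that grid is tested; a real sweep would use a longer capture for finer resolution.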

NIGHTWATCH: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

NIGHTWATCH

(TS//SI//REL TO USA,FVEY) NIGHTWATCH is a portable computer with specialized, internal hardware designed to process progressive-scan (non-interlaced VAGRANT signals).

(U) Capability Summary
(TS//SI//REL TO USA,FVEY) The current implementation of NIGHTWATCH consists of a general-purpose PC inside of a shielded case. The PC has PCI digitizing and clock cards to provide the needed interface and accurate clocking required for video reconstruction. It also has:

  • horizontal sync, vertical sync and video outputs to drive an external, multi-sync monitor.
  • video output
  • spectral analysis up to 150 kHz to provide for indications of horizontal and vertical sync frequencies.
  • frame capture and forwarding
  • PCMCIA cards for program and data storage
  • horizontal sync locking to keep the display set on the NIGHTWATCH display.
  • frame averaging up to 2^16 (65536) frames.

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) The video output from an appropriate collection system, such as a CTX4000, PHOTOANGLO, or general-purpose receiver, is connected to the video output on the NIGHTWATCH system. The user, using the appropriate tools either within NIGHTWATCH or externally, determines the horizontal and vertical sync frequencies of the targeted monitor. Once the user matches the proper frequencies, he activates “Sync Lock” and frame averaging to reduce noise and improve readability of the targeted monitor. If warranted, the user then forwards the displayed frames over a network to NSAW, where analysts can look at them for intelligence purposes.

Unit Cost: N/A

Status: This system has reached the end of its service life. All work concerning the NIGHTWATCH system is strictly for maintenance purposes. This system is slated to be replaced by the VIEWPLATE system.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 23, 2014 at 2:39 PM

NIGHTSTAND: NSA Exploit of the Day

Today’s device from the NSA’s Tailored Access Operations (TAO) group implant catalog:

NIGHTSTAND

(TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.

(TS//SI//REL) NIGHTSTAND – Close Access Operations • Battlefield Tested • Windows Exploitation • Standalone System

System Details

  • (U//FOUO) Standalone tool currently running on an x86 laptop loaded with Linux Fedora Core 3.
  • (TS//SI//REL) Exploitable Targets include Win2k, WinXP, WinXPSP1, WINXPSP2 running Internet Explorer versions 5.0-6.0.
  • (TS//SI//REL) NS packet injection can target one client or multiple targets on a wireless network.
  • (TS//SI//REL) Attack is undetectable by the user.

(TS//SI//REL) Use of external amplifiers and antennas in both experimental and operational scenarios has resulted in successful NIGHTSTAND attacks from as far away as eight miles under ideal environmental conditions.

Unit Cost: Varies from platform to platform

Status: Product has been deployed in the field. Upgrades to the system continue to be developed.

Page, with graphics, is here. General information about TAO and the catalog is here.

Presumably, the NSA can use this “injection tool” in all the same ways it uses QUANTUM. For example, it can redirect users to FOXACID servers in order to attack their computers.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 22, 2014 at 2:15 PM

LOUDAUTO: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:

LOUDAUTO

(TS//SI//REL TO USA,FVEY) Audio-based RF retro-reflector. Provides room audio from targeted space using radar and basic post-processing.

(U) Capabilities
(TS//SI//REL TO USA,FVEY) LOUDAUTO’s current design maximizes the gain of the microphone. This makes it extremely useful for picking up room audio. It can pick up speech at a standard, office volume from over 20′ away. (NOTE: Concealments may reduce this distance.) It uses very little power (~15 uA at 3.0 VDC), so little, in fact, that battery self-discharge is more of an issue for serviceable lifetime than the power draw from this unit. The simplicity of the design allows the form factor to be tailored for specific operation requirements. All components are COTS and so are non-attributable to NSA.

(U) Concept of Operation
(TS//SI//REL TO USA,FVEY) Room audio is picked up by the microphone and converted into an analog electrical signal. This signal is used to pulse position modulate (PPM) a square wave signal running at a pre-set frequency. This square wave is used to turn a FET (field effect transistor) on and off. When the unit is illuminated with a CW signal from a nearby radar unit, the illuminating signal is amplitude-modulated with the PPM square wave. This signal is re-radiated, where it is picked up by the radar, then processed to recover the room audio. Processing is currently performed by COTS equipment with FM demodulation capability (Rohde & Schwarz FSH-series portable spectrum analyzers, etc.). LOUDAUTO is part of the ANGRYNEIGHBOR family of radar retro-reflectors.

Unit Cost: $30

Status: End processing still in development

Page, with graphics, is here. General information about TAO and the catalog is here.

This one is kind of cool, I think.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on January 21, 2014 at 2:11 PM
