WikiLeaks seeded its database of documents by intercepting traffic through a TOR node they were operating.

This article at Wired highlights an almost buried section of this New Yorker interview with one of the founders of WikiLeaks.

Before the WikiLeaks site went live, the founders noticed that hackers were transferring stolen government documents over the TOR network. They captured over a million of these documents to form the initial core of the WikiLeaks archive.

This shows once again what I have been saying for a long time. Any privacy system that allows any untrusted and unknown person to become part of the infrastructure and have access to cleartext information is fundamentally flawed.

Any person with malicious intent can easily set up a TOR node and begin exactly the same kind of data collection that the WikiLeaks folks practiced.

Reputation is everything in this business. It is not practical for typical individuals to properly vet their providers. Track record, reputation, and respected third party endorsements are your best bet when choosing a privacy or security provider. Look for those for everyone who has access to your information.

John Gruber at Daring Fireball posted this interesting article on the growing practice of websites intercepting your attempts to copy text from their pages. They are actually modifying the contents of your clipboard and tracking the fact that you have clipped the information.

The referenced cases seem to be doing it for marketing and informational purposes, but there are many ways this could be used in more aggressive ways.

Imagine a site with sample code which (when copied) inserted some damaging code in to the middle of a large block.

I am worried that this capability exists at all within browsers. It seems like a major security vulnerability to me.

On May 26th Facebook announced new privacy controls. The EFF has a nice tutorial on how to properly configure these new settings to best protect your privacy.

Unfortunately these new settings options are being rolled out slowly. At this point I still don’t have the ability to use the new settings at all. If you are lucky enough to have been moved to the new system, update those settings ASAP.

I am very excited to be organizing a couple of panels at this year’s “Computers Freedom and Privacy” (CFP) Conference in San Jose June 15-18.

Historically the conference has focused on personal privacy / freedom issues, technologies, and policies. That was certainly my focus as well when I started Anonymizer. Over time I have become aware of some other aspects to the privacy issue that I have not seen discussed. In addition to corporations impacting privacy of their customers, users, employees, etc. they also have issues and needs for privacy themselves.

Companies activities are monitored, analyzed, blocked, misinformed, and censored. While these have analogs in the personal privacy world, the details, impacts and scale, and solutions to the problems are often very different.

I am organizing a panel to discuss these issues at the conference and would love to hear from others who may have experienced these kinds of issues and would be willing and able to share them at this conference.

Read this post from IntelFusion. It makes a very strong case for why I worry about any privacy system run by operators you can’t really trust, investigate, and verify. In this case it is an investigation of Glype servers. They can be configured to do significant logging, and the author has been able to remotely retrieve the logs from many of the Glype servers. The results show many users from within sensitive US Government organizations and would provide the ability for an attacker to gather all kinds of useful intelligence to find soft targets to exploit.

On the personal privacy side, it is an easy way for attackers to intercept usernames, passwords, travel plans, personal information and more for use in, identity theft, burglary, and hacking among other things.

For a long time I have been saying that storage is cheap and that one should assume that anything put out on the Internet will live forever. It looks like that is even being institutionalized. The US Library of Congress recently announced that it will be creating a public archive of every tweet sent since the founding of Twitter.

This kind of resource will keep tabloids in business for decades to come. Generations of celebrities yet undiscovered should be concerned about their old unguarded, but now professionally preserved, brain droppings.

For the record, I am not opposed to this archiving. It is happening anyway in private databases. This just makes the issue more visible and helps to raise awareness. It is similar in many ways to The Internet Archive project.

Lauren Weinstein’s Blog: Saving Internet Anonymity — The Struggle is Joined

I strongly encourage anyone with a commitment to Internet anonymity to read this blog post. An organized opposition to the existence of such anonymity is growing. Of course, like attempt to clamp down on cryptography, it will only impact the law abiding while criminals use bots and other tools to circumvent the restrictions.

Between this and the push to remove the expectation of privacy from all stored emails, I am very concerned.

Google Runs Into Chinas Great Firewall - WSJ.com

This article reports on an outage experienced by Google users in China. At first Google thought it was due to a technical issue, but now think that it was an intentional outage caused by the Great Firewall of China. It seems likely that this was a retaliation to punish Google for its statements and actions.

From the Official Google Blog (follow link for the whole post):

So earlier today we stopped censoring our search services—Google Search, Google News, and Google Images—on Google.cn. Users visiting Google.cn are now being redirected to Google.com.hk, where we are offering uncensored search in simplified Chinese, specifically designed for users in mainland China and delivered via our servers in Hong Kong. Users in Hong Kong will continue to receive their existing uncensored, traditional Chinese service, also from Google.com.hk. Due to the increased load on our Hong Kong servers and the complicated nature of these changes, users may see some slowdown in service or find some products temporarily inaccessible as we switch everything over.

I would expect to see China censor Google.cn very quickly (which would prevent the re-direct to Google.hk). It will be interesting to see if China will then take the next step of censoring Google.hk and possibly other Google properties around the world. It would be easy for Google to set up any or all of them to return results in chinese if the browser is detected to be configured in that language.

In this article “I don’t bleepin’ believe it” ComputerWorld reports on a UK insurer raising rates on social network users. The reason points back to something I have been talking about for some time. People post travel information to their social network sites. They say when they will be away from home, and for how long. This is perfect fodder for thieves, who can typically also collect enough information about the posters to identify them and find where they live.

This is why I don’t blog, Twitter, or otherwise post about conferences I am going to, even though it would be great to use social networks to connect with folks at the conference or in the conference city.