spider.io is talking about a bug they discovered in Microsoft Internet Explorer versions 6-10. Evidently the bug allows tracking of your mouse movement even if the browser window has been minimized and you have a different application active.
They say that at least two companies providing display ad analytics are already using this exploit to improve their analysis.
OUCH! Yet another good reason to use any browser but IE.
The fight over the “do not track” flag continues.
In the latest version of Internet Explorer (version 10), Microsoft has made “do not track” the default setting. This makes tracking by websites an “opt in” rather than an “opt out” proposition. Privacy advocates have long favored this approach, but advertisers don’t like it.
Yahoo feels so strongly about this that they say that they will ignore the Do Not Track (DNT) flag when coming from IE 10 browsers. The open source Apache web server is also going to come configured to ignore the IE 10 DNT flag.
So, even if you explicitly want Do Not Track, and would have gone in and manually enabled it, you will be tracked by Yahoo anyway.
Ironically, this means that if you actually want to not be tracked, you need to use a different browser and manually enable the setting.
I do appreciate the effort, Microsoft, and shame on you, Yahoo.
Despite all the work on dual factor authentication and other new security methodologies, in general our passwords are the keys to the kingdom.
In many cases, such as ATMs, we are limited to 4-digit numeric PINs.
This post to DataGenetics does a good job of analyzing how bad we are at picking PINs and how easy we make things for the attackers.
It is worth a read.
Short answer: you can hack over 10% of accounts by guessing “1234”.
In this CNET article by Declan McCullagh, he reports that the DoJ is planning to request mandatory data retention by Internet providers. Their argument is that the lack of data retention is interfering with law enforcement’s ability to investigate cases. This implies some kind of shift in the balance of privacy vs. access. No such shift has taken place.
I think that they are more frustrated by the fact that a huge potential gold mine of information is out there to which they don’t have access. Prior to the various modern technological revolutions people used pay phones, sent letters, and paid cash for toll roads.
Now they use Twitter, SMS, Facebook, Email, cell phones, electronic toll payment etc. There is way more information available to law enforcement now than before. The fact that this data retention is only on the Internet may make people feel better, but one would certainly learn more about me from my Internet activities than from following me around physically.
Let's look at what is being asked for with a real world analogy. This is like saying that the US Postal Service should photograph and database the address, and return address, on every letter which goes through the system. Physically, it is like saying the cell phone company should record and retain my GPS location at all times. Either of those would actually be much less intrusive than monitoring how I use the Internet at all times.
Let's not get into the cost of maintaining these records or the issues with leaks or hackers. Consider the Chinese attacks on dissident Google accounts. This plan would ensure that such information was much more widely maintained.
At this point it appears to be only a request. I am curious to see how this evolves over the congressional term.
As an extension of its policy of pushing for access to encrypted communications on RIM BlackBerry devices, India is now demanding access to data from both Google and Skype. It is demanding that Skype and Google install servers within India so the government can access the information on Indian users.
Obviously bad guys can trivially bypass this through the use of VPNs and by taking care to use servers located outside of India. The real impact will be to open all legitimate Internet users to universal surveillance.