June 22nd, 2009 by Lance Cottrell
The Proxy Fight for Iranian Democracy - Renesys Blog
This is an article worth reading and understanding. The gist is that the use of proxies to evade censorship in Iran is failing. They are now getting blocked faster than they can be created. This is a basic flaw in the idea of simply deploying a proxy and promoting it. One must assume that the Iranian censors are monitoring the same channels you are trying to use to promote the proxy. After all, a proxy no one knows about is of little use. Public open proxies are similarly doomed because the Iranian censors can use the same discovery tools you do to find such proxies. Also, once you try to let people know about them, the same problem applies as with new proxies.
Distribution of a given proxy address to only a small number of people solves that problem, but it is very limiting. It takes tremendous numbers of proxies to serve a large population, and only those with contacts who have set up proxies are protected.
There are solutions to these problems, but they require substantial technical skills and resources to implement.
If you have contacts within Iran, do what you can to set up closed proxies that they can use to bypass censorship. In the short run, it is an effective action you can take right now. A good place to start would be here.
- Lance Cottrell
June 17th, 2009 by Lance Cottrell
50 Best Blogs for Privacy Nuts by e-Justice Blog
I am really pleased to see “The Privacy Blog” listed #1 on this list of ”50 Best Blogs for Privacy Nuts”.
The other blogs on the list are worth checking out.
- Lance Cottrell
April 19th, 2009 by Lance Cottrell
YouTube Korea squelches uploads, comments | Digital Media - CNET News
I am very pleased that Google is taking a stand against Korean anti-privacy laws. The law in question requires large Internet services (like YouTube) to collect real name information about any user posting content or comments. In response, Google has completely cut off any posting or commenting through the Korean version of the site. The solution Google proposes is that users should simply log in to a non-Korean version of the site and post away. This way Google never needs to capture identifying information.
It will be interesting to see if Korea responds by trying to block access to all non-Korean versions of YouTube. Obviously anonymity tools provide an excellent end run around this kind of restriction.
I find myself of two minds on how to feel about this action. On the one hand, it respects Korea’s right to set its own laws within its borders, without allowing any one country to dictate how the rest of the world will use such tools. On the other hand, I find such anti-privacy policies so repugnant, I would like to see companies simply refuse to comply and pull hardware out of that country while continuing to provide the service.
- Lance Cottrell
April 18th, 2009 by Lance Cottrell
Doug Feaver - Listening to the Dot-Comments - washingtonpost.com
I am quite impressed with this article by a former executive editor of the Washington Post. He makes a strong case for the importance of anonymous comments. Attribution immediately leads to self censorship. Anonymous comments give a much better picture of what people really think rather than what they would like to be seen to be thinking. It is not pretty, but it is reality.
- Lance Cottrell
March 8th, 2009 by Lance Cottrell
Careless in the Cloud: Google Accidentally Shares Some Docs — Seeking Alpha
The article above documents a recent security breach in the on-line Google Docs system. Google Docs allows people to create and edit documents, presentations, and spreadsheets in a manor similar to the Microsoft Office software suite. Unlike Office, the Google Docs system is free and provided through a web interface. The documents are actually stored and edited within Google’s servers. That is the core of the issue.
Google provides the ability to share your documents with collaborators. In this breach, Google accidently made a number of documents available to people who were not authorized. While the fraction of documents affected was very small, it is a real wake up call. To get my documents off my computer, you need to specifically breach my computer. A breach of the Google systems could yield the sensitive documents of an enormous number of people. They are a big target. Even accidental releases like this could put huge numbers of people at risk.
This vulnerability is not specific to Google, it applies generally to any provider of cloud computing capabilities. I personally avoid cloud computing when I can because I have high security needs, and because I find that I often need to work on my documents when I am off-line. Google is starting to do a good job of addressing the second issue, but the first is going to be harder.
- Lance Cottrell
February 8th, 2009 by Lance Cottrell
Video: Hacker war drives San Francisco cloning RFID passports - Engadget
The law of unintended consequences strikes again. In an attempt to improve national security, the U.S. Government has been pushing hard for the widespread adoption of RFID tags in passports around the world. They are already in U.S. passports. The problem is that they are easily scanned from a distance (as shown in the video), and can be cloned. If the RFID chip in the passport is trusted by the authorities, then the security situation is actually worse, not better. Getting real passport information from someone used to be hard. It generally involved actually stealing the passport. With the scanner, one could produce large numbers of clones while simply standing around the airport with the antenna in ones roller luggage (staying out side of security).
The long range readable RFID tags also make possible all kinds of other tracking and identification. The video talks about correlating personal information from RFID enabled credit cards with the passport number to produce even better fakes.
Distribution of such devices around a city would provide much better and more accurate and automated tracking of a population than cameras with their resolution, and facial recognition issues.
- Lance Cottrell
December 18th, 2008 by Lance Cottrell
For many years privacy advocates have claimed that if users were fully informed and aware of privacy policies then they would vote with their feet. Privacy policies would become part of the free market decision making process, in addition to price, brand, reputation, convenience, etc.
It appears this process is actually starting to take place in one industry: search engines. It is likely that they have been the first because of the significant public focus on privacy issues around search over the last few years.
First Google said they would “anonymize” their logs after 18 months, which they later shortened to 9. Yahoo countered with 13 months and has now gone to 90 days. I talked about Google’s 18 month policy back in March 2007. In August 2007 I mentioned a CNET Report on privacy ratings for Search engines.
This tit for tat shortening of the identifiable log retention policies suggests that pressure around this issue is meaningful to the search engine giants. What is somewhat less clear is whether the pressure is from the market, or from the media / politicians / government.
It is still the case that the logs are not actually deleted, but rather the source IP address and user ID cookies are stripped out. There is a good Wikipedia article on the scandal around a release of “anonymized” AOL search information, and how it was still possible to identify individual users in the data.
The real proof of this trend towards privacy policy competition will be when we see elements of privacy policies being promoted front and center on diverse websites as part of their competitive positioning / marketing.
- Lance Cottrell
November 13th, 2008 by Lance Cottrell
Argentine judge: Google, Yahoo must censor searches | Latest News in Politics and Law - CNET News
There is a disturbing trend towards increasing regulation of the Internet. In this case, Argintine judges have ordered Google and Yahoo to remove certain search results related to various individuals. This appears to be a back door way of removing the content without actually having to go after all the sites hosting the objectionable content. The concept is that information that can’t be found is almost the same as information that does not exist at all.
Because a few search engines dominate the market, they become an easy leverage point for achieving broad objectives. Countries like China and Iran have long understood the power of censoring the search engines to block access to information they don’t have easy reach to censor directly.
- Lance Cottrell
October 2nd, 2008 by Lance Cottrell
Surveillance of Skype Messages Found in China - NYTimes.com
Activists at Citizen Lab, a research group at the University of Toronto, have discovered a massive program of surveillance against Skype in China. Specifically the Chinese are monitoring instant message traffic on Tom-Skype, a joint venture between eBay (the owner of Skype) and a Chinese wireless operator.
It looks like all of the text messages passing through the service are scanned for key words of interest to the Chinese government. This program captures both messages within the Tom-Skype network and between that network and the rest of the Skype network.
This is yet another compelling argument for using strong encryption to prevent interception of message content. People in China can avoid this surveillance by using the non-chinese version of Skype, and using a VPN to get the communications safely out past the Chinese scanners.
- Lance Cottrell
September 24th, 2008 by Lance Cottrell
There have been a lot of articles lately talking about the fact that the person who hacked in to Sarah Palin’s Yahoo! account used “an anonymizer”. The articles also say that the privacy provided was compromised.
The unfortunate misuse of Anonymizer’s registered trademark has created some confusion. The person who hacked the account used a privacy service, but not one connected in any way to Anonymizer Inc.
- Lance Cottrell
