
Anonymity Not Always Secured for Tor and Dark Web Users

January 28, 2016

From the Washington Post comes an article pertinent to investigative security technologies called “This is how the government is catching people who use child porn sites.” This piece outlines the process the FBI used to uncover a Tor user’s identity, despite the anonymity Tor provides. The article explains how this occurred in one case, the unmasking of the user Pewter:

“In order to uncover Pewter’s true identity and location, the FBI quietly turned to a technique more typically used by hackers. The agency, with a warrant, surreptitiously placed computer code, or malware, on all computers that logged into the Playpen site. When Pewter connected, the malware exploited a flaw in his browser, forcing his computer to reveal its true Internet protocol address. From there, a subpoena to Comcast yielded his real name and address.”

Some are concerned with the privacy of the thousands of users whose computers are also hacked in processes such as the one described above. The user who was caught in this case is arguing that the government’s use of such tools violated the Fourth Amendment. One federal prosecutor quoted in the article describes the search processes used in this case as a “gray area in the law.” His point, that technology is eclipsing the law, is definitely one that deserves more attention from all angles: the public, governmental agencies, and private companies.

Megan Feil, January 28, 2016

Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Oscobo: A Privacy Centric Web Search System

January 7, 2016

Before you get too excited, the Oscobo service uses results from Bing. Yep, that is the search engine which uses Baidu in China and Yandex in Russia for results.

The Oscobo search system is about privacy for its users, not about the dreary precision, recall, and relevance issues. “Oscobo Is An Anonymous Search Engine Targeting Brits” reports that the system reminded the article’s author of DuckDuckGo and Hulbee, both working to ensure the privacy of their users.

It seems the results are filtered to cater to the needs of UK online search.

According to the write up, Oscobo’s business model

is simple paid search, based on bare-bones search data (i.e. whatever string a user is searching for) and their location — given the product is serving the U.K. market this is assumed to be the U.K., but whatever search string they input may further flesh out a more specific location.

There is no definition of “paid search”, however. You can check out the system at https://oscobo.co.uk/.

Stephen E Arnold, January 7, 2016

Google and Students: The Quest for Revenue

January 7, 2016

The Alphabet Google thing is getting more focused in its quest for revenue in the post desktop search world. I read “Google Is Tracking Students As It Sells More Products to Schools, Privacy Advocates Warn.” I remember the good old days when the Google was visiting universities to chat about its indexing of the institutions’ Web sites and the presentations related to the book scanning project. This write up seems, if Jeff Bezos’ newspaper is spot on, to suggest that the Alphabet Google thing is getting more interested in students, not just the institutions.

I read:

More than half of K-12 laptops or tablets purchased by U.S. schools in the third quarter were Chromebooks, cheap laptops that run Google software…. But Google is also tracking what those students are doing on its services and using some of that information to sell targeted ads, according to a complaint filed with federal officials by a leading privacy advocacy group.

The write up points out:

In just a few short years, Google has become a dominant force as a provider of education technology…. Google’s fast rise has partly been because of low costs: Chromebooks can often be bought in the $100 to $200 range, a fraction of the price for a MacBook. And its software is free to schools.

Low prices. Well, Amazon is into that type of marketing too, right? Collecting data. Isn’t Amazon gathering data for its recommendations service?

My reaction to the write up is that the newspaper will have more revelations about the Alphabet Google thing. The security and privacy issue is one that has the potential to create some excitement in the land of online giants.

Stephen E Arnold, January 7, 2015

New Years Resolutions in Personal Data Security

December 22, 2015

The article on ITProPortal titled “What Did We Learn in Records Management in 2016 and What Lies Ahead for 2016?” delves into the unlearnt lessons in data security. The article begins with a look back over major data breaches, including Ashley Madison, JP Morgan et al, and Vtech, and gathers from them the trend of personal information being targeted by hackers. The article reports:

“A Crown Records Management Survey earlier in 2015 revealed two-thirds of people interviewed – all of them IT decision makers at UK companies with more than 200 employees – admitted losing important data… human error is continuing to put that information at risk as businesses fail to protect it properly…but there is legislation on the horizon that could prompt change – and a greater public awareness of data protection issues could also drive the agenda.”

The article also makes a few predictions about upcoming developments in our approach to data protection. Among them are the passage of the European Union General Data Protection Regulation (EU GDPR) and the resulting effect on businesses. In terms of apps, the article suggests that more people might start asking questions about the information required to use certain apps (especially when the data they request is completely irrelevant to the functions of the app). The outlook is generally optimistic, but these developments will only occur if people, businesses, and governments take data breaches and privacy more seriously.

Chelsea Kerwin, December 22, 2015


Internet Sovereignty, Apathy, and the Cloud

December 21, 2015

The OS News post titled “Dark Clouds Over the Internet” presents an argument that boils down to a choice between an international accord and data sharing agreement, or the risk of the Internet being broken up into national networks. Some very worked up commenters engaged in an interesting discussion that spanned government overreach, democracy, data security, privacy, and for some reason, climate change. One person summarized their opinion thusly:

“Best policy: don’t store data with someone else. There is no cloud. It’s just someone else’s computer.”

In response, a user named Alfman replied that companies are to blame for the current lack of data security, or more precisely, people are generally to blame for allowing this state of affairs to exist:

“The privacy issues we’re now seeing are a direct consequence of corporate business models pushing our data into their central silos. None of this is surprising except perhaps how willing users have been to forgo their own privacy. Collectively, it seems that we are very willing to give up our rights for very little in exchange… makes it difficult to achieve critical mass around technologies promoting data independence.”

It is hard to argue with the apathy factor, with data breaches occurring regularly and so little being done by individuals to protect themselves. Good thing these commenters have figured it all out. Next up, solving climate change.

Chelsea Kerwin, December 21, 2015


Big Brother GPS

September 9, 2014

With rising living costs, people are trying to cut back on their expenses. One of the ways they are reducing costs is by allowing their auto insurance companies to monitor their driving habits for a discount. Science Daily highlights a Rutgers University study called “How Fast You Drive Might Reveal Exactly Where You Are Going.” What these drivers do not know is that they are revealing where they are driving. Cue the privacy concerns.

The study found that even without a GPS device, a driver reveals where they are going based on how fast they drive. When you put dollar signs in someone’s eyes, however, they will probably forgo some of their privacy rights. Companies claim they are not compromising privacy, but the data they track can be extrapolated to show a driver’s destination.

“The technique, dubbed ‘elastic pathing,’ predicts pathways by seeing how speed patterns match street layouts. Take for example, a person whose home is at the end of a cul-de-sac a quarter mile from an intersection. The driver’s speed data would show a minute of driving at up to 30 miles per hour to reach that intersection. Then if a left turn leads the driver to a boulevard or expressway but a right turn leads to a narrow road with frequent traffic lights or stop signs, you could deduce which way the driver turned if the next batch of speed data showed a long stretch of fast driving or a slow stretch of stop-and-go driving. By repeatedly matching speed patterns with the most likely road patterns, the route and destination can be approximated.”

The article argues that insurance companies are not doing anything wrong, but they should not advertise that the speed devices are not collecting private information. It is even suggested that insurance companies consider using alternative speedometer readings for better privacy protection. Just wait a few years for this to make more headlines, or for a court case to subpoena the information. It is only a matter of time.

Whitney Grace, September 09, 2014
Sponsored by ArnoldIT.com, developer of Augmentext

Hidden from Google: Interesting but Thin

July 15, 2014

I learned about the Web site Hidden from Google. You can check out the service and maybe submit some results that have disappeared. You may not know if the deletion or hiding of the document is a result of the European Right to Be Forgotten action, but if content disappears, this site could be a useful checkpoint.

Here’s what the service looks like as of 9:21 am Eastern on July 15, 2014.

[Screenshot of the Hidden from Google site]

According to the Web site:

The purpose of this site is to list all links which are being censored by search engines due to the recent ruling of “Right to be forgotten” in the EU. This list is a way of archiving the actions of censorship on the Internet. It is up to the reader to decide whether our liberties are being upheld or violated by the recent rulings by the EU.

I noticed that dear old BBC appeared in the list, a handful of media superstars, and some Web sites unknown to me. The “unknown” censored search term is intriguing, but I was not too keen on poking around when I was not sure what I was seeking. Perhaps one of the fancy predictive search engines can provide the missing information or not.

When I clicked on the “source” link sometimes I got a story that seemed germane; for example, http://bbc.in/1xhjKyK linked to one of those tiresome banker misdeed stories. Others pointed to stories that did not seem negative; for example, a Guardian article that redirected to a story in Entrepreneur Magazine (http://bit.ly/1jukI7T). Teething pains I presume or my own search ineptness.

I did some clicking around and concluded that the service is interesting but lacks in depth content. I looked for references to the US health care Web sites. I am interested in tracking online access to RFPs, RFQs, and agreements with vendors. These contracts are fascinating because the contractors extend the investigative capabilities of certain US law enforcement entities. Since I first researched the RAC, MIC, and ZPIC contractors, among others, I have noticed that content has become increasingly difficult to find. Content I could pinpoint in 2009 and 2010 now eludes me. Of course, I may be the problem. There could be latency issues when spiders come crawling. There can be churn among the contractors maintaining Web sites. There can be many other issues, including a 21st century version of Adam Smith’s invisible hand. The paw might be connected to an outfit like Xerox or some other company providing services to these programs.

Several questions:

First, if the service depends on crowdsourcing, I am not sure how many of today’s expert searchers will know when a document has gone missing. Unless I had prior knowledge of a Medicare Integrity Contractor statement of work, how would I know I could not find it? Is this a flaw the site will be able to work around?

Second, I am not sure the folks who filled out Google’s form and sent proof of their wants an archive of information that was to go into the waste basket. Is there some action a forgotten person will take when he or she learns he or she is remembered?

Third, the idea is a good one. What happens when Google makes it uncomfortable to provide access to data that Google has removed? Maybe Mother Google is toothless and addled with its newfound interest in Hollywood and fashionable Google Glass gizmos. On the other hand, Google has lots of attorneys in trailers not too far from where the engineers work.

Stephen E Arnold, July 15, 2014

People Are Uncomfortable With Google Glass

May 1, 2014

Not only is Google Glass a fashion faux pas; it is also a privacy concern. In CNET’s article, “72 Percent Say No To Google Glass Because of Privacy,” a poll from Toluna reported that 72 percent of people did not want to buy the Google accessory because of privacy concerns. People are worried about filming, photography, hacking, distraction, and also being mugged (the device has a hefty price tag).

There are many instances where Google Glass wearers have been asked to remove the device, refused, and were met with hostile actions. In response, Google released a guide to help wearers not be Glassholes (the new term for these trend setters). Others are more worried that Google Glass poses a threat to the ever-increasing distractions people are facing with their phones and tablets.

The article proposes this idea:

“Perhaps it’s just another instance of a tech company putting a product out there in the hope — or zealous insistence — that it will be well-received, rather than considering some of the real consequences when it comes up against the beliefs and habits of real people.”

So are people ready for a device like the Google Glass? Will it become one of those old technology devices you find at thrift stores and have to explain to your children what it was used for? Or is it the start of a new trend that people will come to accept within time? Oh Google Glass, all the problems you are causing!

Whitney Grace, May 01, 2014

DuckDuckGo Swimming Pretty Following Privacy Revelations

February 10, 2014

A fellow online water-fowl has seen a huge jump in usage since last year’s revelations about NSA activity. At least someone is benefiting from the whole kerfuffle. The Independent reports, “DuckDuckGo Hits 1Bn Annual Searches: Non-Tracking Search Engine Boosted by Privacy Fears.” The emphasis the search service has always placed on anonymity almost seems prescient now. Did they know it was just a matter of time?

Writer James Vincent tells us that last year was, by far, DuckDuckGo’s biggest year to date with over a billion searches performed. He shares a chart that tracks Ducky usage from July 2010 to January of this year. The leap from July ’13 to present is impressive; usage more than doubled in the months following Snowden’s famous efforts. The folks at the site are seizing the limelight, and say that this year they plan to incorporate user feedback into the site’s functionality. That’s a good thing; frankly, I only use the site when researching sensitive information, like health or financial issues. I find that, usually, Google and Bing are more likely to give me the info I’m looking for. Maybe it’s just me.

I think it is important to recognize that privacy is not the only reason to use an anonymous search service. The other reason (and the one I’m more concerned about) is the fight against the rapidly-multiplying, confirmation-bias-promoting echo chambers that have infected our society’s discourse in recent years. The article explains:

“[DuckDuckGo CEO Gabriel] Weinberg notes that when a search engine tracks users’ queries, the information not only created profiles to sell to advertisers but also shapes results to fit their own natural bias. This effect is known as the ‘filter bubble’. For example, if a user searches for new stories regarding recent events they might consistently click on reports from sites with a particular political bias. A search engine would take note that these sites are more popular and stop offering other results. ‘That is being trapped in a filter bubble and seeing only points of view that one agrees with, and less and less opposing viewpoints,’ said Weinberg.”

Vincent observes that the search site has a long, long way to go before it is a direct threat to Google, which processes over a billion searches per day. Still, the growing concern over privacy should not be taken lightly.

Cynthia Murrell, February 10, 2014


Users Seek Private Search Options After NSA Revelations

November 20, 2013

This is certainly no surprise. CSO reveals, “People Flock to Anonymizing Services After NSA Snooping Reports.” Writer Grant Gross highlights several anonymous search services that have seen usage soar since certain NSA practices have come to light. DuckDuckGo is on the list, as well as Tor and mobile solution Silent Circle. The brand new Disconnect Search saw over 400,000 searches within four days of its launch. Clearly, many people are beginning to cover their virtual tracks. But is it pointless, after all? The article points out:

“Disconnect Search’s FAQ includes information about possible government searches. ‘The reality is the U.S. government may force us to begin logging the search queries of a particular user or group of users,’ the FAQ said. ‘If served with a court order that includes a non-disclosure provision, we may not be able to tell our users about this change for some period of time, possibly forever. And the U.S. government may also have other methods of monitoring user searches which Disconnect Search cannot prevent.’”

Though we now know several prominent firms quietly complied with NSA demands to fork over their records, at least one search service has elected to fold rather than cave. Lavabit made the tough choice to shut down their decade-old organization rather than comply with. . . something. Owner Ladar Levison’s explanation, which is all that is left of the site, laments that he can’t tell us exactly what was demanded of him, but his frustration and ire are apparent in the strongly worded note. He writes:

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise.”

So, there’s that. Not exactly encouraging for fans of privacy. Levison seems to hold at least a sliver of hope for a favorable verdict as Lavabit takes their fight to court. Is even that too optimistic?

Cynthia Murrell, November 20, 2013
