Privacy, security and Internet

The French engineering school Epitech published a survey on this topic. They polled 1032 people.

Sorry, the report is in French. Nevertheless, here are the most interesting outcomes:

  • Among the people who use the Internet at work for personal use, 47% believe that it may cripple the security of their company 🙁 And they do it nevertheless!!!
  • 61% feel safe on the Internet.
  • 96% are aware that they leave many traces on the Internet. This is a very positive point. I was not expecting such a level of awareness 🙂
  • This information leakage worries only 52%.
  • Only 8% would trust the government to guarantee their security on the Internet.
  • 94% believe that it is possible to spy on exchanges on the Internet.
  • Furthermore, 44% believe that spying can be done by anybody.
  • 62% would not give away privacy for more security. Nevertheless, 23% would! 🙁
  • 80% believe that ICT may lead to establishing files on everybody. Big Brother

I was more pessimistic. People seem more aware of privacy and security issues on the Internet than I thought. Unfortunately, we do not see the job categories of the polled people.

Would the data in other countries be similar?

Fighting Jessica

In Security Newsletter #5, Frédéric Lefebvre presented the research work of Jessica Fridrich. By analyzing the noise in pictures, she attempts to uniquely fingerprint a camera. Each CCD generates a unique template of noise. Thus, it should be possible to detect whether pictures were taken by a given camera.

It seems that this work has been spotted by the community and has raised some fears. The site Instructables proposes a process for “anonymizing” pictures. Obviously, the author has no serious knowledge of signal processing theory. Some of the tricks are more than questionable. Nevertheless, he is serious: he did not forget the most obvious steps, 1 and 6. In step 1, he removes the metadata attached to a picture. (How many people ignore or forget that Microsoft documents embed identification metadata?) In step 6, he suggests using Tor to anonymize the Internet postings.

The lesson is that the community checks the latest work of the academic world. Although its members do not necessarily understand the scientific details (and thus may wrongly estimate the maturity), they clearly understand the potential consequences and outcomes.

An occasion to read the latest results from Jessica Fridrich? 😉 Thanks Bertrand

YouTube will not have to provide private data

The next episode in the YouTube-Viacom litigation. YouTube was requested by a judge to hand over to Viacom the IP address and list of viewed clips of each viewer. (See Blog of 10th July) Fortunately, YouTube and Viacom reached an agreement. The data will be anonymized before being passed to Viacom.

This is at least true for normal users. Viacom maintains its request for the identified data of YouTube’s employees. The objective is to prove that YouTube was aware of these infringements. In retaliation, YouTube will ask for the same data for Viacom’s employees who browsed YouTube. The objective is to detect any Viacom people posting copyrighted clips.

Let’s wait for the next move. Nevertheless, we can applaud two companies that reached an agreement on a legal decision that preserves privacy.

Watermark and privacy

The Center for Democracy & Technology (CDT) issued an interesting paper titled “Privacy principles for digital watermarking”. CDT has published similar principles for other technologies such as RFID or DRM.

The document proposes eight principles:
1. Privacy by design; interestingly, in this principle, CDT recommends that digital watermark technology providers contractually bind application designers to respect privacy issues. This is highly ethical, but is it realistic in a business environment?
2. Avoid embedding independently useful identifying information directly in the watermark; in other words, the payload should look random without access to relevant information.
3. Provide notice to end users; CDT provides an interesting rationale for informing end users if the watermark is used against copyright infringement. End users should secure their content to avoid theft by third parties; otherwise they may face legal action.
4. Control access to reading capability
5. Respond appropriately when algorithms are compromised; their recommendation is not to renew the algorithms, as technologists would recommend. Rather, CDT recommends publishing a notice if the hack allows watermark forging. I am not sure that this will be loved by technology providers.
6. Provide security and access control for back-end databases
7. Limit uses for secondary purposes
8. Provide reasonable access and correction procedures for personally identifiable information
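
To make principles 2 and 6 concrete, here is an added Python example (not taken from the CDT paper): it contrasts a payload that carries the identity itself with a random payload that only a back-end registry can resolve. The `PayloadRegistry` class, the reader role names and the sample e-mail address are hypothetical, constructed for illustration.

```python
import secrets

def direct_payload(email):
    # Discouraged by principle 2: the watermark itself carries the identity,
    # so anyone able to read the watermark learns who the user is.
    return email.encode("utf-8")

class PayloadRegistry:
    """Hypothetical back-end: opaque payload -> record, with access control."""

    def __init__(self, authorized_readers):
        self._records = {}
        self._authorized = frozenset(authorized_readers)
        self.audit_log = []  # (reader, payload hex, granted)

    def issue(self, email, content_id, nbytes=8):
        # Random payload: it has no relation to the identity it points to.
        payload = secrets.token_bytes(nbytes)
        while payload in self._records:  # avoid the (unlikely) collision
            payload = secrets.token_bytes(nbytes)
        self._records[payload] = {"email": email, "content_id": content_id}
        return payload

    def resolve(self, payload, reader):
        # Principle 6: every lookup is checked and logged.
        granted = reader in self._authorized
        self.audit_log.append((reader, payload.hex(), granted))
        if not granted:
            raise PermissionError(f"{reader} may not resolve watermark payloads")
        return self._records.get(payload)

def demo():
    email = "alice@example.com"  # constructed sample identity
    registry = PayloadRegistry(authorized_readers={"rights-enforcement"})
    opaque = registry.issue(email, content_id="clip-0001")
    leaked_direct = email.encode() in direct_payload(email)
    leaked_opaque = email.encode() in opaque
    try:
        registry.resolve(opaque, reader="third-party-detector")
        denied = False
    except PermissionError:
        denied = True
    record = registry.resolve(opaque, reader="rights-enforcement")
    return leaked_direct, leaked_opaque, denied, record["email"], len(registry.audit_log)

if __name__ == "__main__":
    print(demo())
```
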

The principles are sound, and many of them apply to other security-related techniques. Of course, in view of the goal of its editor, some recommendations are Utopian. This document is worth reading.

Confidential data and P2P

Last year, Pfizer had a serious security breach. Personal records of 17,000 employees and previous employees were available on a peer-to-peer (P2P) network. The wife of a Pfizer employee installed file-sharing software on her husband’s company laptop. The configuration was badly set and confidential information leaked. This type of leakage is rather common. In Security Newsletter n°4, I reported on a virus using P2P software to distribute random files from a hard disk. Japanese defense plans leaked!

The first-thought recommendation would be to ban P2P software from company computers. This recommendation has limits:

  • P2P software may be useful in some contexts (and will probably become more prevalent in the future).
  • There is no serious way to prevent users from installing such software and using it outside the firewalled environment of the company. In fact, it is possible to block installation of software by users, but it quickly becomes a problem for the IT department (cost of installing new software, upgrades, patches, …). It is often not practical except in highly secure environments. In any case, in most cases, IT-aware users will bypass the control.

Thus, the best recommendation I would give is to encrypt all confidential files on the laptop. This answers this threat, because what is shared is encrypted data, i.e. useless, and it answers many other threats such as theft of laptops. Obviously, the choice of the encryption tool is important. (We will report on the latest hack on encryption tools in the next security newsletter, to be published in a fortnight.)

It is also important to remember that you are also at risk at home with your private data. If ever you, or your relatives, use P2P software on your personal computer, check carefully its configuration to strictly sandbox the sharing space. Hoping that there is no backdoor that allows changing it 😉

In the referenced article, I also found interesting the data mining performed on queries on P2P networks. Privacy is even leaking on P2P network usage 😮
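
One way to check that a sharing space is properly confined, as an added Python example (not from the referenced article or any P2P product): it flags a shared folder that contains or sits inside a confidential directory, and any symbolic link inside the share that resolves outside it. The function name, finding labels and directory layout are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

def audit_share(share_root, sensitive_dirs):
    """Return (issue, path) findings for a folder exposed by file-sharing software."""
    root = Path(share_root).resolve()
    findings = []
    # 1. The share must not be, contain, or sit inside a confidential directory.
    for s in (Path(d).resolve() for d in sensitive_dirs):
        if root == s or root in s.parents:
            findings.append(("share-exposes-sensitive-dir", str(s)))
        elif s in root.parents:
            findings.append(("share-inside-sensitive-dir", str(s)))
    # 2. No entry inside the share may resolve to a location outside it.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink():
                target = entry.resolve()
                if target != root and root not in target.parents:
                    findings.append(("symlink-escapes-share", str(entry)))
    return findings

def demo():
    """Constructed layout: a confined share, an over-broad share, a leaking link."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        docs = home / "Documents" / "HR"
        share = home / "Shared"
        docs.mkdir(parents=True)
        share.mkdir()
        (docs / "records.csv").write_text("constructed sample\n")
        good = audit_share(share, [docs])      # share limited to its own folder
        bad = audit_share(home, [docs])        # whole home directory shared
        (share / "work").symlink_to(docs)      # link pointing out of the share
        linked = audit_share(share, [docs])
        return good, [f[0] for f in bad], [f[0] for f in linked]

if __name__ == "__main__":
    print(demo())
```
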

Social networks and privacy

Recently, Facebook enhanced its privacy controls. Users are supposed to be able to control who can access personal data, for instance personal pictures. Nevertheless, a security hole allowed access to personal pictures independently of their control rules. A journalist from Associated Press (AP) was able to browse among personal pictures (see AP news). Facebook quickly fixed the hole.

Once more, this news raises the question of privacy and social networks. Social networks are not different from traditional web sites. Data stored on their servers are vulnerable and may be exposed. Social networks, due to their social role, increase the problem. Information posted on these networks is by nature personal, thus potentially sensitive.

Data on social networks (or any other type of sites) have two characteristics:

  • They are vulnerable. They may leak or may be stolen.
  • They are persistent. The Internet has a huge memory. Ten-year-old data are still somewhere in cyberspace, available to be revealed.

The consequences are:

  • Information that you do not want to be public may become public.
  • Information that is not important today may become embarrassing in the future. This information will be available and may ruin a reputation.

Thus, a rule: never post personal information that you do not want to become public one day. It may become public.