Tag Archive for EFF

Privacy for Drivers

Ford Motor Company (F) Global Marketing Director Jim Farley touched off a privacy storm when he told an audience at the Consumer Electronics Show that the automaker is tracking drivers’ travels thanks to their in-car navigation systems. He told the crowd in Las Vegas that the automaker tracks driver behavior: “We know everyone who breaks the law, we know when you’re doing it.”

The auto manufacturers have installed “black boxes” on most modern cars. The black boxes are capable of tracking, gathering, and storing vehicle information. In fact, the federal government has proposed that such tracking technology become standard equipment on all cars.

Privacy firestorm

Even though Ford quickly backed down from Mr. Farley’s claims, the comments created a privacy firestorm. As a result, TheDetroitBureau.com reports that privacy advocates stepped up pressure on manufacturers to reveal what information the “black boxes” collect and what the makers are doing with the personal data they gather – and to put limits on how it can be used.


In response, a group of 19 automakers has gotten together to lay down some ground rules, which they hope will assuage fears about the accessibility and use of the material. According to the article, the makers say the information won’t be given to government officials or law enforcement agencies without a court order, nor sold to insurance companies or other companies without the owner’s permission.

The automakers agreeing to the “rules,” which they submitted to the Federal Trade Commission, include Aston Martin, BMW, Chrysler (STLA), Ferrari, Ford, General Motors (GM), Honda (HMC), Hyundai, Kia, Maserati, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo.

Self-imposed data collection “rules”

The author speculates that the automakers are willing to abide by the self-imposed “rules” because they believe actual laws could become onerous. Sen. Edward Markey (D-MA) is skeptical of the impact of the “rules.” He called them “an important first step,” but said it remains unclear “how auto companies will make their data collection practices transparent beyond including the information in vehicle manuals.”

Senator Markey noted that the automakers did not offer consumers an opt-out option for whether sensitive information is collected in the first place. He plans to legislate an answer. “I will call for clear rules — not voluntary commitments — to ensure the privacy and safety of American drivers is protected,” Markey said in a statement.

The automakers also committed to “implement reasonable measures” to protect personal information from unauthorized access. Privacy experts are concerned that in recent years many vehicles have had a variety of GPS and mobile communications technology built into them.

TheDetroitBureau explains that these devices record and send all types of information, and privacy advocates are afraid the data could be used by the government against the owners of the vehicles. Some worry that many three-letter agencies and law enforcement will use data from the device to track citizens. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said that legislation is needed to ensure automakers don’t back off their self-imposed “rules” when they become inconvenient. He said,

You just don’t want your car spying on you. That’s the practical consequence of a lot of the new technologies that are being built into cars.

Pop-up ads on in-car touch screens

The black boxes now installed in new vehicles could also be a safety issue for drivers. The article speculates that the rising level of interactivity in cars could open the door for pop-up ads. The automakers’ “rules” do not end the possibility that pop-up ads could appear on the touch screens of cars, trucks, and SUVs as folks are motoring down the road.

The blog identifies one loophole in the guidelines: if customers agree at the time they buy the car, they could receive messages from advertisers who want to target motorists based on their location and other personal data. Some safety advocates are concerned about pop-up ads appearing on in-car touch screens while drivers are behind the wheel. Henry Jasny of Advocates for Highway and Auto Safety warned the Associated Press:

There is going to be a huge amount of metadata that companies would like to mine to send advertisements to you in your vehicle … We don’t want pop-up ads to become a distraction.

rb-

The road to hell is paved with good intentions and full of pot-holes. I covered Cisco’s try at monetizing driver data here. Industry officials say they want to assure their customers that the information their cars stream from the vehicle’s computers to automakers (or Feds) via OnStar, Sync, Automatic, In-Drive, or Car-Net won’t be handed over to authorities without a court order, sold to insurance companies, or used to bombard them with ads for pizza, gas stations, or other businesses they drive past, without their permission.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Who Needs Two-Factor Authentication

The recent epidemic of online security breaches has shown the folly of passwords as the sole protector of your online data. As I have covered several times, most users reuse the same passwords. So what are we to do? One solution is two-factor authentication.

John Shier at Sophos’ Naked Security blog provided a primer on multi-factor authentication. Two-factor authentication is a subset of multi-factor authentication (MFA). MFA is an authentication process where two of three recognized factors are used to identify a user:

  • Something you know – usually a password, passphrase, or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits.
  • Something you are – fingerprints, iris patterns, voiceprints, or similar.

How two-factor authentication works

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).

The author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the secure token appended to a PIN. Home users can use a sort of two-factor authentication using SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Spotty mobile network coverage and the unreliable nature of SMS delivery can make SMS-based 2FA difficult. However, some services allow you to use an authenticator app in addition to your password, which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.

Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).
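As an added illustration (not code from the Naked Security article or the EFF), the following Python implements the rotating six-digit codes that authenticator apps and hardware tokens produce (RFC 6238 TOTP built on RFC 4226 HOTP) together with the server-side check, including the PIN-followed-by-code entry style the VPN example above describes. The secret is the public RFC test-vector key and the PIN is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key, NOT a real credential.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "4711"  # hypothetical user PIN for the "PIN + rotating code" token style


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret an authenticator app scans from a QR code."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)  # restore padding apps usually omit
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided into 30-second steps."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` neighbouring steps
    (clock drift), comparing in constant time so timing does not leak digits."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    current = now // step
    ok = False
    for counter in range(current - window, current + window + 1):
        # no early return: every candidate is checked so timing stays uniform
        ok |= hmac.compare_digest(hotp(secret, counter), submitted)
    return ok


def verify_pin_plus_code(secret: bytes, pin: str, submitted: str, now: int) -> bool:
    """VPN-style entry: the user types the PIN immediately followed by the
    six-digit token code, so the server splits the field and checks both parts."""
    if len(submitted) != len(pin) + 6:
        return False
    pin_ok = hmac.compare_digest(submitted[:len(pin)], pin)
    code_ok = verify_totp(secret, submitted[len(pin):], now)
    return pin_ok and code_ok


def main() -> None:
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("base32 secret to enrol in the app:", base64.b32encode(DEMO_SECRET).decode())
    print("current code:", code, "verifies:", verify_totp(DEMO_SECRET, code, now))
    print("PIN+code verifies:", verify_pin_plus_code(DEMO_SECRET, DEMO_PIN, DEMO_PIN + code, now))


if __name__ == "__main__":
    main()
```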

Two-factor authentication makes it harder

Parker Higgins at the EFF says normal password logins, which use single-factor authentication, just check whether you know a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, as when your ATM card (something you have) is paired with its PIN (something you know), makes it harder to impersonate you. You need to both have the card and know its PIN to make a withdrawal.

Online two-factor authentication brings the same concept to your services and devices by using your phone—which means that even if your password is compromised by a keylogger in an Internet café, or through a company’s security breach, your account is safer according to the EFF.

That’s important because phishing, which is one of the most common ways in which accounts are compromised, only gets information about passwords. By adding a different factor, phishing attacks become much more complicated and much less effective according to Mr. Higgins.

As two-factor authentication systems become more popular, they have gotten increasingly user-friendly; the EFF believes it doesn’t have to be a difficult trade-off of convenience for security. Major services like Twitter, Google (GOOG), LinkedIn (LNKD), Facebook (FB), Dropbox, Apple (AAPL), Microsoft (MSFT), GitHub, Evernote, WordPress, Yahoo (YHOO) Mail, and Amazon (AMZN) Web Services have enabled two-factor authentication.

rb-

Users should get used to two-factor authentication. 2FA is not available everywhere, but many of the most popular sites and services on the internet use the technology. Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes in an attempt to thwart 2FA, so you still need anti-malware on your mobile devices.

In the wake of recent POS attacks (which I covered here), DHS has recommended 2FA for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need two-factor authentication.

Related articles
  • Fending off automated attacks with two-factor authentication (cloudentr.com)

Son of SOPA

There is a secret treaty that has wound its way through global governments. The secret treaty is called TPP. What is TPP? TPP is short for the secret Trans-Pacific Partnership trade agreement, or the evil Son of SOPA. The TPP agreement is between Australia, Brunei, Chile, Canada, Malaysia, Mexico, New Zealand, Peru, Singapore, Japan, Vietnam, and the United States.

The secret treaty was even kept from the U.S. Congress. However, the Washington Post reports that Verizon (VZ) and Cisco (CSCO) have had access to the secret treaty and they seem to be supporters. Many argue that a number of the terms that the U.S. inserted are unreasonable.

Trans-Pacific Partnership trade agreement

InfoSecurity-Magazine.com explains that a detailed analysis of the intellectual property chapter of the secret Trans-Pacific Partnership trade agreement shows it to be similar to, or worse than, SOPA or ACTA. SOPA (Stop Online Piracy Act) and ACTA (Anti-Counterfeiting Trade Agreement) were halted largely by popular activism.

Copyright owners

The author says the common factor in both was the potential for copyright owners to force their will on the internet. Two of the key issues were making ISPs liable for infringing content, and the ability to suspend the internet accounts of repeat infringers. A further criticism of ACTA is that it was negotiated in secret, and both the public and the national parliaments were expected to simply accept the deal.

The article goes on to analyze the TPP IP chapter provided by WikiLeaks. The analysis shows that TPP is following a similar, but potentially more severe, path to that of ACTA or SOPA. Dr. Monica Horten, a visiting fellow at the London School of Economics & Political Science, says the secret treaty is the Holy Grail for big content,

“…the Holy Grail for Hollywood and the Motion Picture Association of America (MPAA). It’s what they tried to do with the EU Telecoms Package, as well as in ACTA and in SOPA. It is Hollywood’s Holy Grail for online copyright enforcement.”

Secret proposal

The blog reports that the U.S. and Australian governments’ secret proposal supports efforts to make ISPs primarily responsible for removing copyrighted content from the internet. But the secret proposal also includes search engines, linking sites, and possibly even cloud computing services. Dr. Horten says TPP enforcement would be carried out by,

…disconnection of users (termination of Internet accounts), blocking and disabling of content, and even some level of monitoring obligation.

The US proposals also include a demand that, upon request (rb- not surprisingly), any ISP would be obligated to provide details on its customers. Michael Geist, a Canadian law professor at the University of Ottawa, told the author that this “would require an overhaul of Canadian copyright law and potential changes to privacy law.”

Extending corporate copyrights

The U.S. is also planning to change copyright laws to benefit big pharma. TPP would extend corporate copyrights up to 120 years. Through manipulation of the process, big pharma could prevent affordable medications from ever being available to treat cancer, AIDS/HIV, or the common cold.

Opposition to TPP

Thankfully, InfoSecurity Magazine says the secret TPP is not yet a done deal. Dr. Horten points out a brewing Internet cold war between the US and Canada. “The Canadians oppose it,” she added. “… Canada seems to be joined at least partially by an assortment that includes Mexico and Malaysia.”

Meanwhile, 80 U.S. law professors sent a letter to President Obama, Congress, and Ambassador Michael Froman to object to the secrecy of the TPP. The lawyers warn that the “TPP is following a process even more secretive than ACTA, which is amplifying public distrust and creating an environment conducive to an unbalanced and indefensible final product.”

Internet freedom advocacy group the EFF analyzed the TPP as well. The EFF’s review of the “temporary copies” language found that under the U.S. proposal anyone who ever views content on their device could potentially be found liable for infringement. The TPP language follows:

Each Party shall provide that authors, performers, and producers of phonograms have the right to authorize or prohibit all reproductions of their works, performances, and phonograms, in any manner or form, permanent or temporary (including temporary storage in electronic form).

The Free Press said, “The chief negotiators are congregating in Utah on Nov. 19–24 to hammer out key details — and President Obama has signaled his intention to move the treaty forward.”

rb-

Click here to tell Congress and the White House to reject the TPP.


Did NSA Subvert IPv6 Security?

Cryptographer and Electronic Frontier Foundation (EFF) board member Bruce Schneier has given advice on how to be as secure as possible. “Trust the math,” he says. “Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.”

Mr. Schneier confirms to Infosecurity that the growing consensus is that Bullrun’s greatest success is in subverting the implementations of encryption and not in the ability to crack the encryption algorithms themselves. The general belief is that the NSA has persuaded, forced, or possibly even tricked companies into building weaknesses or backdoors into their products that can be exploited later.

Infosecurity says the bottom line, however, is that the fabric of the internet can no longer be trusted. Meanwhile, John Gilmore, co-founder of EFF and a proponent of free open source software, has raised a tricky question: has NSA involvement in IPv6 and IPSEC discussions effectively downgraded its security? IPSEC is the technology that would make IP communications secure.

Mr. Gilmore told the author that he was involved in trying to make IPSEC “so usable that it would be used by default throughout the internet.” But “NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents.”

The result was “so complex that every real cryptographer who tried to analyze it threw up their hands and said, ‘We can’t even begin to evaluate its security unless you simplify it radically’” – something that never happened, EFF’s Gilmore observed.

Mr. Gilmore doesn’t explicitly say that the NSA sabotaged IPSEC, but the fact remains that in December 2011, IPSEC in IPv6 was downgraded from a ‘must include’ to a ‘should include.’ He does, however, make very clear his belief in NSA involvement in other security standards.

Discussing cellphone encryption, the EFF co-founder says “NSA employees explicitly lied to standards committees,” leading to “encryption designed by a clueless Motorola employee.”

To this day, Mr. Gilmore notes, “no mobile telephone standards committee has considered or adopted any end-to-end (phone-to-phone) privacy protocols. This is because the big companies involved, huge telcos, are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones.”

rb-

Following the Snowden leaks revealing Bullrun – the NSA program to crack the world’s encryption – the article states that there is an emerging consensus that users can no longer automatically trust any security.

Other articles say that the NSA has compromised SSL, so the NSA has access to credit cards and your 4G phones. This is another unnecessary attack on US e-commerce business: who is going to buy something online when your account numbers are in the hands of US government hackers?

Anti-Patent Troll Bill Introduced

A new bill introduced in the House of Representatives attempts to deter frivolous patent litigation. The bill would force unsuccessful patent plaintiffs to cover defendants’ legal costs, according to Daily Wireless. Introduced by Rep. Peter DeFazio (D-OR) and co-sponsored by Rep. Jason Chaffetz (R-UT), the Saving High-Tech Innovators from Egregious Legal Disputes (SHIELD) Act is limited to patents related to computer hardware and software.

“Patent trolls don’t create new technology and they don’t create American jobs,” DeFazio said in a news release. “They pad their pockets by buying patents on products they didn’t create and then suing the innovators who did the hard work and created the product.”

The article explains that patent trolls often buy broad patents. The purchase allows them to file flimsy lawsuits against multiple companies for infringement. Despite very thin evidence to back their lawsuits, companies are often forced to settle. They settle because going to court can easily cost over $1 million in legal costs even if the company prevails, explained DeFazio in a press release.

Loser pays

The Electronic Frontier Foundation explains that the idea behind the SHIELD Act is simple. A plaintiff needs to believe that a defendant actually infringes a valid patent before it sues. If it doesn’t, then the plaintiff could be on the hook for the costs of litigation. It would also have to cover the winning party’s attorneys’ fees (which can run to hundreds of thousands of dollars in some cases).

Fee shifting, often called “loser pays,” is not a new idea. It has long existed in copyright law, where it allows a court to award the winning party costs and fees in certain cases. In patent litigation, the EFF says this type of provision would help tilt the playing field slightly more in favor of the good guys. Fee shifting would empower innovators to fight back while discouraging trolls from threatening lawsuits in the first place.

The EFF has set up a website defendinnovation.org to lead the battle against patent trolls and reform the U.S. Patent Office.

rb-

Sigh – Today is primary election day here in the U.S. and I just got back from voting, and a whopping 417 people in my neighborhood had voted. There are almost 17,000 people 18 years or older.

Voter apathy has everything to do with where the US is today, including patent reform. Who are the politicians going to listen to? I have covered the patent mess for a while here, here, here, and here. I doubt the political clout of me and my 416 other neighborhood voters even matters when compared to the millions of dollars that Apple, Google, ATT, and the rest spend on lobbyists in Washington and Lansing to buy the legislation they want.

Have a nice day!
