Norwegian internet browser Opera now includes a free, unlimited VPN natively, meaning that its users “don’t have to download VPN extensions or pay for VPN subscriptions to access blocked websites and to shield your browsing when on public Wi-Fi,” according to the official announcement.
Opera’s blog post reads:
According to Global Web Index*, more than half a billion people (24% of the world’s internet population) have tried or are currently using VPN services. According to the research, the primary reasons for people to use a VPN are:
To access better entertainment content (38%)
To keep anonymity while browsing (30%)
To access restricted networks and sites in my country (28%)
To access restricted sites at work (27%)
To communicate with friends/family abroad (24%)
To access restricted news websites in my country (22%)
According to the research, young people are leading the way when it comes to VPN usage, with almost one third of people between 16-34 having used a VPN.
The in-browser VPN is only available as part of the most recent developer version, but is set to arrive in the release version following successful testing and refinement.
Opera’s in-browser VPN follows its native ad-blocker, released as part of its last developer version last month, in an effort to centralise its users’ needs in one package.
Opera 38 developer version can be downloaded here.
The Uber mobile application, which allows smartphone users to be driven to another location by an accredited driver, has revolutionized transport and caused a great deal of anger among taxi drivers. These drivers feel they can’t earn a living due to the huge taxi license expense and the lower fees consumers face when using Uber. Clearly, Uber has modernized the taxi system for the interconnected world and offered consumers an additional choice. Recently, the company publicly released a transparency report which discloses how much information is shared with authorities. The data shows Uber shared information on 13 million users, including passengers and drivers, with the US government. The majority of these requests stem from U.S. transportation regulators. Once the findings were unveiled, Uber released a statement on their thoughts about data requests which reads:
“Regulators will always need some amount of data to be effective, just like law enforcement. But in many cases they send blanket requests without explaining why the information is needed, or how it will be used,”
“And while this kind of trip data doesn’t include personal information, it can reveal patterns of behavior—and is more than regulators need to do their jobs.”
“We hope our Transparency Report will lead to a public debate about the types and amounts of information regulated services should be required to provide to their regulators, and under what circumstances,”
Rightfully so, Uber believes the huge scale of these requests isn’t right and it does seem like interference from government bodies. Personal information should be protected if you’re using a commercial service. There’s no reason for the government to get involved and it looks like all it wants to do is monitor the behaviour of its citizens. Hopefully, transparency reports like this can help raise the issue of privacy and how many requests are made by government authorities.
In a recent press conference with some of Apple’s engineers, the company stated that they had the ‘most effective security organization in the world’. It wasn’t just an idle statement either, with them revealing a number of the security features that are packed into their iPhone both on the hardware and software levels.
The conference itself was a highly technical affair, with the attending engineers going to great lengths to detail the security protocols they have in place. More than just being a podium for Apple to grandstand, this conference was a show of clear defiance against the revived effort by the US government to unlock the iPhones of criminals, with the engineers restating the point that making the popular smartphone less secure for the government would risk compromising the privacy and security of their customers.
Unlike Android and the numerous companies developing Android devices, Apple control all aspects of their phone’s development, which allows them to bake security into every level of their device, from hardware to firmware to software. The features employed in order to make the device so secure include a number of both industry-standard and Apple-specific features which, when employed together, secure the device at all levels, making it impossible to even flash the device with a hacked version of iOS or carry out similar super-low-level attacks. They also believe that the chance of a bug occurring at a low enough level to cause a major compromise is small.
Getting users to ensure their phones run the latest version of iOS is another important step to keep devices secure, as each new iteration of the mobile operating system includes new security improvements and bugfixes. Some of the ways that Apple have employed to increase the adoption rate of the newest versions of their software include shrinking the size of the operating system from 4.6GB in iOS 8 to just 1.3GB in iOS 9 and also offering “while you were sleeping” update options, both of which seem to be effectual, with iOS 9 having an adoption rate of 80% so far.
It is plain to see how important Apple believe that security and encryption are to our future by the effort they put into ensuring their devices are secure. Their struggle to convince governments that slackening of security and precedents to force companies to unlock devices would have long-term damage is likely far from over, but we can be assured that Apple (and many other tech firms) will continue to struggle against these demands and ensure a safer and more secure digital future.
Virtual reality headsets have the potential to revolutionize the way we enjoy various entertainment forms and even help train apprentices to learn new skills in a more practical manner. This year has already been significant for developing VR technology and bringing it to the consumer market. However, the early adopter pricing for both the Oculus Rift and HTC Vive is well out of the reach of most users. Despite this, VR technology allows developers to start making unique games and there should be a fantastic library when devices become more affordable. Facebook’s acquisition of Oculus raised some questions about the headset’s target audience and the possible emergence of social media advertising.
The Oculus Rift’s terms and conditions contain a number of interesting clauses about user data. According to The Guardian, Facebook is able to collect:
“Information about your physical movements and dimensions when you use a virtual reality headset”
Facebook also added:
“We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services,” “We also use this information to measure how users respond to our marketing efforts.”
This means Facebook can use location data to monitor your position and collect information on how you use the Oculus Rift. More worryingly, the terms clearly state that your personal information can be passed on to “related companies”. This refers to other parts of the Facebook brand such as WhatsApp. Consumers concerned about their privacy will find these terms rather intrusive, and they might be enough to deter them from making a purchase. Facebook’s ability to use the data for advertising purposes isn’t ideal and is something which many people anticipated when the company took the helm. Admittedly, it’s fairly common for companies to outline similar data gathering policies but this doesn’t make it acceptable.
Are you concerned by the Oculus Rift’s terms or feel they are being blown out of proportion?
In the recent Apple vs the FBI case, the concern was raised about what would happen if the FBI managed to get Apple to unlock the device. People were worried that this one high-profile phone could open the floodgates to requests to unlock the hundreds of iPhones that are in police custody. Initially, we were told that this wouldn’t be the case but as events unfolded this clarification seemed to fade away and we were left with the answer we had expected from the start, an answer that seems to be confirmed by the FBI already helping others unlock iPhones.
In a letter to local authorities, the FBI promise that “we are in this together” and that they would help local authorities unlock iPhones and even iPods where they can legally. In fact, they already have: in a case for Arkansas prosecutors, the FBI have agreed to unlock both an iPhone and an iPod.
It doesn’t stop there. According to the Washington Post, the FBI are looking at whether it would be possible to share the tool with local law enforcement. With the firm that helped the FBI create the tool charging only a one-time flat fee, the FBI could offer the tool as long as it stays classified, a condition which has already hampered and raised issues with devices such as the Stingray.
Since recovering an iPhone from one of the San Bernardino shooters on December 3, 2015, the FBI sought methods to gain access to the data stored on it. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention generated by the litigation with Apple, others outside the U.S. government continued to contact the U.S. government offering avenues of possible research. In mid-March, an outside party demonstrated to the FBI a possible method for unlocking the iPhone. That method for unlocking that specific iPhone proved successful.
We know that the absence of lawful, critical investigative tools due to the “Going Dark” problem is a substantial state and local law enforcement challenge that you face daily. As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners. Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints. You have our commitment that we will maintain an open dialogue with you. We are in this together.
Office of Partner Engagement
We all love the idea of virtual reality and augmented reality; the idea that technology can send us to the deepest parts of the earth or the farthest reaches of space inspires us to enjoy things we will never get to do in the real world, all from the comfort of our sitting rooms. The question is how much we are willing to give in exchange for this “freedom”, with the enjoyment of the Oculus Rift requiring you to pay with your privacy.
The full section regarding “information collected about you when you use our services” states:
Information Automatically Collected About You When You Use Our Services. We also collect information automatically when you use our Services. Depending on how you access and use our Services, we may collect information such as:
Information about your interactions with our Services, like information about the games, content, apps or other experiences you interact with, and information collected in or through cookies, local storage, pixels, and similar technologies (additional information about these technologies is available at https://www.oculus.com/en-us/cookies-pixels-and-other-technologies/);
Information about how you access our Services, including information about the type of device you’re using (such as a headset, PC, or mobile device), your browser or operating system, your Internet Protocol (“IP”) address, and certain device identifiers that may be unique to your device;
Information about the games, content, or other apps installed on your device or provided through our Services, including from third parties;
Location information, which can be derived from information such as your device’s IP address. If you’re using a mobile device, we may collect information about the device’s precise location, which is derived from sources such as the device’s GPS signal and information about nearby WiFi networks and cell towers; and
Information about your physical movements and dimensions when you use a virtual reality headset.
The worrying part of this is the mention of “pixels” in the first section, stating that they could find out what you are viewing and even go so far as to take a copy of your interaction. Full information about the games and everything you install is also open to them, with the information going so far as tracking your physical movements and dimensions as well; this seems to go a little further than just idle curiosity.
The policy continues to state how this information is used, with one section clarifying their marketing approach with this information:
To market to you. We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services. We also use this information to measure how users respond to our marketing efforts.
With Oculus now in partnership with Facebook, a move that raised concerns when it was first announced, people were concerned about privacy and tracking, something these conditions seem to allow. Going further, the agreement states that “third parties may also collect information about you through the Services”, meaning that the agreement doesn’t limit but, in fact, allows apps to be created on the basis of tracking and monitoring your actions.
Facebook have been keen on allowing countries access to Free Basics, their low-cost internet system designed to give people the ability to create a Facebook account and access a limited number of sites at no cost. Free internet sounds great, doesn’t it? Some countries don’t believe so, with India already banning the platform and the system being suspended within Egypt, which now seems to be because the government was denied the ability to spy on users.
The Free Basics platform in Egypt was suspended officially on December 30th, 2015, with sources now stating the reason for the suspension was that Facebook wouldn’t allow the government to circumvent the system’s security, which would have allowed surveillance to be conducted on users of the platform. Etisalat, the mobile carrier that provided the service when it started in October 2015, hasn’t responded to requests for comment, Facebook has declined to comment, and the Egyptian government has declined to say what kind of surveillance or changes it wanted to be made to the service.
Officially, the line given is that the service was considered “harmful to companies and their competitors”, a tale that, while believable, may as well be an April Fools’ joke to cover what can only be considered a request to invade and monitor everyone’s internet access. With limited access already and concerns about net neutrality for the scheme, if it was found to provide monitoring and tracking, the “free” basics program would almost certainly see countries drop the system.
The legal case of the year is over already. Apple vs the FBI is over in a court case that saw the question of security vs privacy raised on a national, and even global, level. After cancelling a court hearing with Apple, the FBI have officially closed the court case.
It would seem that even without Apple’s assistance, the FBI claim to have managed to break into and access the data required on the iPhone in question. In their response, the FBI stated that the new hack was “sufficiently plausible” to the point where they could stop pursuing Apple’s assistance.
Currently, there is no information about who performed the hack or how many iPhones the hack works against. With so little information about the hack, it’s hard to tell if the court case could reemerge in the future with over a hundred phones in government control still locked.
In their response, the Department of Justice reminded us that they would continue to gather information from encrypted devices, saying that “It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety”, followed by a small reminder that this will happen with or without help: “either with cooperation from relevant parties or through the court system”.
We all love downloading that new app. Be it a game or something more practical for everyday use, we love exploring it and finding out what it does. It seems like some apps may be returning the favour and not even telling us about it, as several apps could be invading your privacy.
The Federal Trade Commission (FTC) have warned several developers of mobile software that their apps may, in fact, be invading their customers’ privacy without them even noticing. The Silverpush framework and several others don’t request permission to use your microphone but still do. It only gets worse, as it appears that the apps are capable of “producing a detailed log of the television content viewed while a user’s mobile device was turned on for the purpose of targeted advertising software and analytics”. So having your phone near you when you watch TV means you could be advertising your favourite shows to third parties without even knowing it!
Silverpush is already known to listen for ultrasonic sounds to check for multiple devices within the vicinity, such as your laptop or tablet. By knowing what devices you have around you, the company is able to pick up and generate more detailed advertising profiles, some of which you are never even aware were being generated.
Silverpush, an India-based company, states that the techniques aren’t used domestically, but the FTC want apps to have to specifically request access to your device’s microphone.
In this day and age, we like to think that our information is well protected. We know that isn’t always true though with companies like TalkTalk and even children’s toy company VTech having their data exposed in hacks. So what about the people who have access to our information? Well, it would seem that Denver police could be in trouble after it was revealed that some of their officers have used their access to information for personal gain.
The report outlining this was created by independent monitor Nicholas Mitchell and lists not just one but multiple “wrongful searches” where an officer used their access to find out information beyond work needs. An example of this was when a female hospital employee spoke with an officer, only to return home and find a message on her personal phone. To make matters worse, she had never given her contact details to the officer who, it turns out, used their access to the database to find out her contact details.
In another example, an officer received a call from a woman who was in a custody dispute with her boyfriend over their teenage daughter. The woman learned that her ex and their daughter had been given a lift by another individual and asked an officer to run the licence plate of the individual, with the officer even providing the woman with information from the search. The woman in question then rang the individual and revealed that she had personal information, including his home address.
What is the worst part about all of these situations? It would appear that the officers in question were never truly punished, with the most anyone suffered because of this being a few days’ suspension without pay. The misuse of government property and information, and, in fact, breaching people’s data privacy and security, is by all means criminal in nature and goes to show that sometimes when people are afraid of who has access to their data, they have more than a right to be worried.
Ever since its introduction, the EU’s right to be forgotten has been controversial and misguided to say the least. Under the law, Google and other search providers are forced to delist links to news stories that are no longer considered relevant or in the public interest. As if censoring information in just the EU domains is not enough, it looks like pressure is on Google to expand the delisting. According to Google, European regulators have compelled Google to delist links on all Google search domains, not just the EU ones.
According to Google’s blog post, the new strategy is to delist links when a user exposes geolocation data from an EU location. This means EU users will no longer have the option of using Google.com for instance, to easily bypass the delisting. In order to gain access to an uncensored version of Google, users will have to use a non-EU VPN though that may not be safe if regulators have their way.
From Google’s perspective, this isn’t much different from what they do now, as geo-location data is already collected when a user goes to Google. Instead of triggering the delisting based on which Google search domain is used, the delisting is triggered by geo-location data. The one benefit from this is that instead of delisting from all EU Google domains, the delisting only occurs if the searcher’s geolocation data is from the same country as the person who requested the delisting.
Fire OS 5 has lacked encryption since its release in the autumn of 2015; however, due to how quietly it was removed, the change was only noticed when the rollout of the OS to older devices took place. This removed the option of encryption even on devices that had originally shipped with the feature from an older version of Fire OS. As expected, this news did not go down well with many consumers, especially the most security-conscious users, many seeing it as Amazon giving up the fight for encryption and privacy before it had even begun for them.
Amazon re-adding encryption to Fire OS 5 is hardly surprising. The backlash against disabling the feature on any device using the OS could cost them both in reputation and profits. Also, as the feature was removed before the FBI/Apple encryption battle began, there was far less attention to its presence, which has now become an issue considered in the tech community worldwide.
For many, the lack of encryption would have been a deal-breaker in the purchase of their products. Are you glad to see Amazon reversing their course on the topic, or would you have bought an Amazon tablet regardless?
With the likes of Microsoft and Facebook supporting them, Apple is gearing up for their battle against the FBI over the iPhone unlock case from the San Bernardino shooting. In a surprise move, Apple has gained an unlikely and important supporter in their fight against the US government. In a letter filed with the court, Salihin Kondoker, an IT consultant whose wife was shot 3 times in the attack, is backing Apple’s stance.
In his letter, Kondoker notes that he initially did not side with Apple but, after learning more about the case, realized there was more to it than simply unlocking one phone. He doesn’t believe that security is a worthwhile benefit for losing privacy and realizes the ramifications of Apple bending to the FBI’s will. Kondoker also notes, as many others have, that the attacker’s work iPhone would be unlikely to contain any important information, as the county could have accessed it at any time prior to the attacks. Here are some excerpts from the letter.
When I first learned Apple was opposing the order I was frustrated that it would be yet another roadblock. But as I read more about their case, I have come to understand their fight is for something much bigger than one phone. They are worried that this software the government wants them to use will be used against millions of other innocent people. I share their fear.
I support Apple and the decision they have made. I don’t believe Tim Cook or any Apple employee believes in supporting terrorism any more than I do. I think the vicious attacks I’ve read in the media against one of America’s greatest companies are terrible.
Finally, and the reason for my letter to the court, I believe privacy is important and Apple should stay firm in their decision. Neither I, nor my wife, want to raise our children in a world where privacy is the tradeoff for security. I believe this case will have a huge impact all over the world.
You will have agencies coming from all over the world to get access to the software the FBI is asking Apple for. It will be abused all over to spy on innocent people.
America should be proud of Apple. Proud that it is an American company and we should protect them not try to tear them down.
In addition to Kondoker’s support, Apple has also been backed by the former heads of the NSA, the FBI, and Homeland Security, noting that the case is more complex than the FBI makes it out to be. They all warn against the loss of trust and privacy that would occur and that acting on fear and public opinion would lead down the wrong path.
In its recent arguments against the FBI, Apple has found companies rallying behind its argument that you can’t force a company to break its own protection without risking others. Even Microsoft have come out saying that forcing Apple to do so would set a dangerous precedent for technology companies everywhere. Their latest support is a little bit different, with the former heads of the NSA and Homeland Security supporting encryption in this case.
Michael Chertoff was the head of Homeland Security and is one of the people who helped author the Patriot Act. Mike McConnell is the former head of the NSA. Both of these people, former professionals within the government’s security sector, have come forward expressing support for encryption technologies.
In a panel, Chertoff stated that “if we [the people and governments] ask private sector to be in control of security, then we have to allow them to have tools to carry out that mission”. Chertoff then continued to say that trust is the fundamental basis of the “internet economic engine” and that “if we don’t come to an agreement with the majority of the world [around privacy] we could end up with multiple internets and lose the value of an interconnected world”.
McConnell, on the other hand, suggested that a reasonable method to address the problem wouldn’t be the public flinging match that the FBI are keen to use to their advantage but instead to form “a legislatively direction commission of leading experts to have an informed dialog with all clearances to make reasonable recommendations”. He suggests that the public and even Congress don’t have the knowledge regarding cyber security matters to make an informed decision and that public opinions and fear could lead to decisions which will do nothing but harm companies, government and people alike.
Tor is an open network that looks to fight against traffic analysis, just one way of monitoring and identifying people online. Using systems like Tor you are able to hide your identity online, a feature that some governments seem less than keen on letting happen due to the risk that people may use it for less than noble intentions. CMU previously responded to the rumours by saying, well, not much at all to be honest, but it would now appear a judge has revealed it all; sorry FBI, looks like it wasn’t you.
It has now been revealed that it was in fact the Department of Defence (DOD) that funded the project. The information comes out as part of a court case against Brian Farrell, one of Silk Road 2.0’s administrators. Once again online privacy is being raised, with the argument that if you are looking to hide your activity you are attempting to create a sense of privacy, something which online tracking would then breach.
With technology and the law going head to head in the court on a daily basis, will the laws and governments of the world ever be in step with the ways that we work every day or will we always be hearing about the constant game of catch up that the law seems to follow currently?
Despite Apple’s firm stance against the FBI’s recent requests to unlock a criminal’s iPhone having won them the support of many who believe in digital privacy, a recently published Pew survey reports that the majority of the US public is not on their side. In a phone survey over the weekend, which reached 1000 respondents, Pew researchers reported that 51% of their respondents believed that Apple should comply with the FBI’s demands to unlock the iPhone used by the perpetrator of the San Bernardino attacks as part of their investigation. With 51% in favour of the FBI, this left only 38% of the respondents in support of Apple, with the remaining 11% undecided.
No matter how the sample was split, the numbers were always in the FBI’s favour. The numbers were closest in the 18-29 age group, reaching a 47-43 split in favour of the FBI, meanwhile amongst those 65+, the division hit 54-27 to the FBI. In groups that owned a smart phone, the numbers were closer, and even more so amongst those who own an iPhone themselves, but those with another brand of smart phone swung the numbers even further from the Cupertino tech giant.
Whether this public perception towards Apple could affect their business remains to be seen, but it could certainly be a deciding point in the case should opinion swing even further against them. Apple is yet to issue an official response to the FBI’s court orders; however, CEO Tim Cook urged employees to stand firm against the FBI in the case.
It’s been well-known for a while now that information, online and offline, has always been searched for and monitored. From GCHQ to the NSA, it sometimes seems like the entire alphabet is watching your every move online. With items like the ‘snooper charter’ making changes to digital monitoring, many countries are yet to see eye to eye when it comes to whom and what people should be able to see.
Sunday came and went without an agreement between American and European officials regarding how data should be transferred between the two areas. With information on the internet being sent around the world before reaching you at your computer, handling private and sometimes confidential information is a sensitive topic.
One of the key areas of debate is how Europeans’ data would be protected against surveillance from the American government, with legal support for anyone to settle disputes in the American courts relating to their information.
With big companies like Facebook and Google operating around the world, although with the bulk of their companies based in America, you can see why they are interested in how this discussion will end.
This negotiation began three months ago, with a 15-year-old data transfer pact (also known as a safe harbour agreement) being invalidated due to Europeans’ data not being protected well enough when transferred to the United States.
With some people arguing that the standards in the US match those present in Europe, the deadline for a resolution is slowly creeping in, putting pressure on every party involved to resolve the matter.
With the jump to Windows 10, Microsoft also hoped to say goodbye to their old Internet Explorer browser, one often berated by the tech savvy. In Edge, they included many features that were already staples among rival browsers, one such feature being the InPrivate browsing mode. It has come to light, however, that InPrivate may not be as private as it seems.
Researcher Ashish Singh found that the history of websites visited while using the InPrivate mode can be found by examining the WebCache file on the user’s hard drive. In fact, the browsing history of InPrivate can be found in the same “Container_n” table that stores browsing history from conventional tabs. As a result, if an attacker were able to access the table, they would be able to access the entire browsing history of a user, whether their browsing was done InPrivate or not. Singh wrote in Forensic Focus that “The not-so-private browsing featured by Edge makes its very purpose seem to fail.” The fact remains that this process would be difficult to perform by a regular user or attacker, and anyone wishing to uncover this ‘private’ browsing history would likely need to be skilled in the field and have local access to the target’s hard drive.
Edge is far from the first browser to employ a private browsing mode that is not fully secure, and private browsing often does not ensure security. Private browsing is a privacy feature first and foremost, and that it cannot fully protect against the most dedicated of attacks is perhaps unsurprising. The Verge has reported that Microsoft is investigating the results of Singh’s research into Edge “and we are committed to resolving this as quickly as possible.”
A new video was released yesterday, which featured an encrypted message that supposedly contained plans for a future attack to be committed by ISIS or another group aligned with their goals. The video also featured shots of the gunmen behind last year’s attack in Paris and graphic shots of executions by radicals. The video also featured clips of London and RAF fighter aircraft, ending with a shot of David Cameron and the words “Whoever stands in the ranks of kufr (unbelievers) will be a target for our swords and will fall in humiliation.” As Edward Snowden was quick to point out on Twitter, the ‘encrypted email’ shown in the video was clearly fake.
The most obvious flaw he pointed out concerned the encrypted email’s key ID, “1548OH76”, which is not a valid hexadecimal string: the O and the H invalidate it. Further, the creation date on the PGP key supposedly used to decrypt the instructions for both the Paris attacks and this new attack was the 16th of November 2015, after the Paris attacks. This could mean that the instructions for the attack on Paris were re-encrypted along with this new unknown message, which is implied to be the plans for a new attack.
Does #ISIS see advantage in West limiting access to strong security? Juxtaposing "spooky" fake crypto with anti-crypto Cameron implies yes.
Even taking into regard these flaws, the real question is what the video’s creators intend to achieve by showing this. Is it really plans for the next attack, or simply scare tactics designed to get the world’s intelligence agencies to crack it? More frighteningly, it could be an attempt by terrorist groups to spur on the adoption of encryption backdoors or bans by government agencies. Such groups would certainly have a lot to gain from the crippling of encryption, from potentially being able to access the backdoors themselves to them disregarding the requirements and continuing to use strong cryptography undeterred, causing even more grief for groups thinking they have all the backdoor keys. I have no doubt that this video should be taken seriously, as should any terrorist threat, but any influence it may have on cryptography should be taken with a pinch of salt.
In 2013, the dark web email service Tormail was seized by the FBI and the contents of their servers taken with them. It was also suspected that the FBI had made use of a network investigative technique (NIT), an FBI term for a hacking tool to compromise some users of the service. A report by the Washington Post on the FBI’s use of NITs confirmed these suspicions but also opened many more questions, such as the scope of the hacking.
Prior to its takedown by the FBI, the Tormail service ran on the dark web, only accessible through the Tor network. Such hidden email services are typically used by those in need of privacy, whether for legitimate reasons, such as journalism, or for less than legal activities such as drug dealing, trading on Silk Road and other activities that could draw the attention of the FBI. The agency had supposedly obtained a warrant to hack the accounts of certain people thought to be associated with the distribution of child pornography. Despite this, at the time that Freedom Hosting, a web host providing dark web services including Tormail, was seized by the FBI, anyone accessing a page hosted by Freedom Hosting was served an error page. This error page was designed to serve malicious code that took advantage of a security flaw in the Firefox browser to transmit the user’s real IP address to a Virginia server.
An ex-user of TorMail told Motherboard that the error page and malicious code “appeared before you even logged in.” This brings into question whether the FBI was acting within its claims of targeting specific users if the real IP address of every single person to access TorMail was reported to them. And while there were certainly criminals making use of the service, many users were not engaging in criminal activity, regardless of their reason for wanting privacy.
Christopher Soghoian, a technologist for the American Civil Liberties Union, told Motherboard “If the government, in fact, delivered an NIT to every single person who logged into TorMail, then the government went too far.” Not to mention, if the FBI were hacking everyone accessing the service with the only justification being their usage of a privacy service, it could be considered unreasonable and may not respect boundaries for international users. And with NIT orders not being publicly released, even years after the fact, there is no concrete information as to what the judge actually authorized the FBI to do.
Cases like this are worrying to anyone who is concerned about online privacy. With Tor recently suspected to be compromised by the FBI and their director decrying the use of encryption without backdoors, it is unclear where the power of the FBI truly reaches. This lack of public accountability could be a threat to those who desire privacy for innocent reasons and may harm unbiased journalism should the tools it uses put it under threat.
Encryption is currently under threat, with some countries already requiring backdoors and other compromising measures to be put in place. The debate on the effects of allowing encryption rages on in many nations, with institutions such as the FBI insisting on the ability to crack it even as tech industry giants warn them against it. The NSA, an organization often thought to threaten cyber privacy, has staked out a pro-encryption stance.
The maelstrom of debate surrounding the crippling of encryption has centered on the idea that encryption would allow criminals and terrorists to hide more easily from police and governments. Allowing state powers access to all encrypted devices and transmissions has the key flaw that it could allow illicit groups access to any person’s data should the backdoor be leaked or cracked.
“Encryption is foundational to the future,” was what NSA Director Adm. Mike Rogers told the Atlantic Council, a Washington, D.C. think tank. He believes that the cybersecurity battles that could be in the near future would hinge on more widespread encryption, with massive hacks on government and corporate systems potentially leaking vital data only becoming more likely with worsened encryption. Compared to other figures like FBI Director James Comey, a crusader for encryption backdoors, Rogers doesn’t think that “security is the imperative and that ought to drive everything.” Instead, proper and widespread encryption should be an accepted thing, and intelligence organizations should work out the best way to deal with it. Rogers is not the first NSA director to support encryption either, with former NSA boss Mike McConnell and Michael Hayden, the NSA Director before him, taking the same position.
“Spending time arguing about ‘hey, encryption is bad and we ought to do away with it’ … that’s a waste of time to me.” – Mike Rogers
The NSA defending encryption and privacy is certainly a good thing, but when you consider the information on them leaked by whistleblowers like Edward Snowden, is there more to it than this? It is clear that the NSA have very advanced hacking and spying tactics, so maybe they don’t believe that encryption would stop them from getting the data they need. Rogers said nothing on the matter, so any discussion is idle speculation.
So far, the US Federal government has no intention of pursuing legislation against encryption, despite a small number of states already proposing bills that could compromise it. Maybe the NSA speaking out on the topic could cause a rethink on the matter and deter the US and other nations from ruining this key technology through law out of fear.
Brendan Eich, co-founder and ex-CEO of Mozilla, yesterday revealed the new “Brave” browser, which disables all online ads and their associated tracking. This may sound too good to be true for users of ad blockers, and in a way, it is.
The crucial selling point of the Brave browser is that it fights the privacy concerns raised by typical online ads by replacing them with its own served ads. While this may just seem like trading one evil for another, Eich argues that Brave addresses the privacy concerns raised by targeted ads and those used to track users. Instead, all of Brave’s advertisements are anonymous and served from a private cloud in response to the browser’s requests, which share no user-related information beyond there being an ad space to fill. Eich believes that websites that serve ads to their users in exchange for content cause an agency dilemma, making decisions for their users. Brave solves this issue as Brave users knowingly view their ads and do not have their data unwillingly shared.
The Brave browser is currently in version 0.7, meaning it is still an incomplete product aimed at developers and early adopters; a final launch date is yet to be determined. Brave is available for both Windows and Mac OS X, as well as in a mobile version for Android. Interestingly, despite Eich’s background with Mozilla, the desktop versions of Brave are based on Google’s open-source Chromium project.
Whether Brave’s appeal to privacy can win it a share of the highly competitive browser market remains to be seen. With Eich’s strong credentials on the topic of the web, Brave could just be the next big thing with privacy becoming a more and more contested topic.
For those who are privacy conscious or live in countries where the Facebook service is censored, the social media giant’s Android application has long been unusable. This has changed with the latest version of the Facebook app, which includes the option for the app to route its traffic through the Tor network.
The experimental new feature can be enabled through the app’s settings, depending on a separate app called Orbot to function as a proxy for routing the traffic through the Tor network. Due to the nature of the Tor network, enabling this feature does have the side effect of disabling the use of push notifications. As long as a user makes sure to manually check for updates frequently, this is hardly a big loss for the privacy aware.
Tor’s service works by routing traffic through a series of random nodes or relays in its network. This ensures that no one system in the chain can know both the true origin and the destination of the packets sent and received. Only the initial node knows the packet’s source, and only the final node, the exit point that sends the packet on to the public internet, knows the destination. The packets are also encrypted in such a way that the nodes are unable to snoop on the data sent. The value of this approach is that it masks the sites and services that you are accessing from your ISP and any nodes en route, as well as hiding your IP from the destination.
Facebook’s site has been available via Tor since 2014 via facebookcorewwwi.onion, a version of the site only accessible through the Tor service. Traffic to this address never passes back to the public internet to reach the regular Facebook site, so no Tor exit points or public internet relays are traversed. Sadly the app currently relies on Facebook’s public servers even when Tor is enabled, but it is to be expected that support for their .onion Tor service is in the app’s future.
The Investigatory Powers Bill (IP Bill for short) goes by another name, the Snooper Charter. The bill aims to extend and update the government’s legislation surrounding its surveillance powers. This extension, though, is gaining more than a little public notice, with more than a few people expressing how worried they are about these new powers. Google, Microsoft, Facebook, Yahoo and Twitter can now be added to the list of those that have issues with the current bill.
Listing their concerns, they state that they understand the responsibilities of governments to protect people and privacy, and go on to say that they believe a legal framework can protect people, companies and the Government. They cite their membership of the “Reform Government Surveillance” (RGS) coalition before saying that any surveillance must be lawful, necessary, transparent and proportionate.
Current proposals look to force ISPs to retain at least a year’s worth of data about sites you visit, an action that has raised concerns from ex-NSA director Bill Binney. The primary area that the companies wished to bring to notice is the conflict between the proposal and international law. They go on to state that an international framework, as suggested by Sir Nigel Sheinwald, should be established to help with these issues and to prevent the use of warrants on people based within the UK to attempt to extract information from a branch of the company in a different country.
I recommend reading through their concerns if you are interested and keep listening out for more information as it develops on the “Snooper Charter”, as no matter how you use technology, this law will impact everyone.
The controversial Cybersecurity Information Sharing Act Bill hit the desk of US President Obama yesterday, and he promptly signed off on it. The move is hardly a surprise since CISA was bundled with vital Federal funding legislation as part of an ‘omnibus’ bill that, if denied, would rob the Federal government of its $1.1 trillion budget.
“There’s some things in there that I don’t like, but that’s the nature of legislation and compromise, and I think the system worked,” President Obama said at his year-end news conference, as reported by The Associated Press (via WHDH). “It was a good win.”
The “compromise” that Obama is referring to seems to be the protection of immigration laws, Planned Parenthood, and ObamaCare – all challenged by Tea Party-affiliated lawmakers across 2015 – in exchange for his support of CISA. Following Obama’s enactment, the bill will be sent back to Congress, which will reconvene in January 2016.
While CISA is being championed primarily by Republicans, two of the GOP’s Presidential candidates, Sens. Ted Cruz of Texas and Rand Paul of Kentucky, voted against CISA.
“These unacceptable surveillance provisions are a black mark on a worthy package that contains the biggest tax cut for working families in decades, an accomplishment I fought for in weeks of negotiations.”
“Unfortunately, this misguided cyber legislation does little to protect Americans’ security, and a great deal more to threaten our privacy than the flawed Senate version. Americans demand real solutions that will protect them from foreign hackers, not knee-jerk responses that allow companies to fork over huge amounts of their customers’ private data with only cursory review.”
I voted against the omnibus because it contained CISA.
Pointblank: CISA harms security & liberty. I could not vote for that.
There are lots of ways people try to protect their privacy in the modern world, where techniques like encryption are under fire. While hiding message content can be effective, the ability to collect a mass of metadata can be just as invasive to your privacy if a company, government body or nefarious element were able to learn when, where and with whom you communicated. A team of researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have come up with a system named “Vuvuzela”, after the popular (and annoying) plastic horn, that adds noise to any messages sent, rendering them untraceable.
Vuvuzela relies on a number of nodes to function, similar to Tor’s routing of internet traffic, but it relies on fewer nodes and more traffic. A sender deposits an encrypted message in a secure “dead drop” server, from which it can then be retrieved by its receiver. On top of that, the timing of traffic is not controlled by the user sending a message; instead, message circulation takes place over 10-20 seconds, so as not to allow attackers to detect and track messages being sent. A user leaving or joining a chat could also allow hackers to trace activity based on the number of messages sent. This is where the spam comes into effect. All of the server nodes that are part of Vuvuzela send junk messages to random inboxes at the same time that messages are propagated normally, hiding the activity of normal users. It is even resilient against a server being compromised or knocked offline, as the noise can be enough to obfuscate messages even with only a few nodes remaining. As a result, the only data that Vuvuzela exposes is the number of nodes engaged in a chat.
It may seem like the holy grail of privacy at this point, but the assurance of data being hidden comes at a price, namely speed. Vuvuzela, while still in early development, is incredibly slow due to the timed sending of messages. In a test run by the researchers at MIT, they simulated 1 million users generating 15,000 messages per second. With this volume of data, the average time for a message to be delivered was 44 seconds, a time that many would consider unacceptable for everyday or commercial use. For those in high-risk situations where their communication privacy is paramount, a small delay is not a massive trade-off.
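The cover traffic described above, modelled as an added example (not code from the MIT researchers or from this article): one round of dead-drop accesses as the last server would see it, with and without junk from the servers. The HMAC-derived drop IDs, the Laplace-shaped noise amounts, the idle-client behaviour and the `mu`/`b` values are assumptions of this simplified model.

```python
import hashlib
import hmac
import math
import random
from collections import Counter


def dead_drop_id(shared_secret: bytes, round_no: int) -> bytes:
    """Both partners derive the same drop for a round from a secret only they hold."""
    mac = hmac.new(shared_secret, round_no.to_bytes(8, "big"), hashlib.sha256)
    return mac.digest()[:16]


def noise_count(rng: random.Random, mu: float, b: float) -> int:
    """Amount of cover traffic one server adds: max(0, ceil(Laplace(mu, b)))."""
    # The difference of two exponentials with mean b is Laplace(0, b).
    sample = mu + rng.expovariate(1 / b) - rng.expovariate(1 / b)
    return max(0, math.ceil(sample))


def random_drop(rng: random.Random) -> bytes:
    """A drop ID nobody else is using this round (128 random bits)."""
    return rng.getrandbits(128).to_bytes(16, "big")


def observe_round(rng, round_no, pair_secrets, idle_users, servers, mu=20.0, b=5.0):
    """Return (drops accessed once, drops accessed twice) as the last server sees them."""
    accesses = []
    for secret in pair_secrets:            # a real conversation: two hits on one drop
        accesses += [dead_drop_id(secret, round_no)] * 2
    for _ in range(idle_users):            # idle clients still send, to a random drop
        accesses.append(random_drop(rng))
    for _ in range(servers):               # each server mixes in its own junk
        accesses += [random_drop(rng) for _ in range(noise_count(rng, mu, b))]
        for _ in range(noise_count(rng, mu, b)):
            accesses += [random_drop(rng)] * 2
    rng.shuffle(accesses)                  # mixing: order no longer identifies senders
    hits_per_drop = Counter(accesses)
    histogram = Counter(hits_per_drop.values())
    return histogram[1], histogram[2]


def observed_pairs(n_pairs, servers, rounds=200, seed=1):
    """Double-access counts an observer records over many rounds."""
    rng = random.Random(seed)
    keys = [bytes([i]) * 32 for i in range(n_pairs)]   # constructed sample secrets
    return [observe_round(rng, r, keys, 4, servers)[1] for r in range(rounds)]


if __name__ == "__main__":
    # Without noise the count is exact, so one extra conversation is visible.
    print("no noise:", set(observed_pairs(3, 0)), "vs", set(observed_pairs(4, 0)))
    # With three noisy servers the two cases produce overlapping counts.
    noisy3, noisy4 = observed_pairs(3, 3), observed_pairs(4, 3)
    print("with noise, shared counts:", sorted(set(noisy3) & set(noisy4)))
```

With `servers=0` the observer can tell three conversations from four in every round; with noise, the same observed count is consistent with either.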
On Friday, a number of Twitter users received a notification from the social networking platform, explaining that their accounts had been the target of state-sponsored actors. Unsurprisingly, the supposed targets of these attacks were mass surveillance researchers and security professionals.
The incident was surprising for users of Twitter, as until the notifications went out at 17:30 EST, Twitter’s notification service regarding state-sponsored attacks had never before been seen, let alone mentioned by Twitter. Fortunately for those affected, Twitter assures in the notification email that they believe that only email addresses, IP addresses, and phone numbers could have been taken by a breach, and even then, could not confirm that any data had been taken. The compromising of a single social media account can be a big deal though, with some users holding multiple Twitter accounts for different purposes, and personal details and account credentials could yield access to other sites too.
Twitter is yet to release any further information beyond the notification letter; however, people have begun theorizing about what could be taking place, with Jacob Appelbaum, a key member of the Tor Project, making the effort to keep a list of sorts of the individuals receiving the notifications. He questioned in a tweet whether Twitter had been “owned” or hacked. More information and theorycrafting on the topic has appeared under the hashtag #StateSponsoredActors, which also discusses Twitter’s blocking of a number of accounts used through the Tor service.
Twitter is not the only online service with warnings against incidents with state attackers, with Google having one in place and Facebook having launched theirs back in October, which immediately identified attacks on US Government employees.