Cryptography

Chinese Skype Client Hands Confidential Communications to Eavesdroppers

Chinese Skype Client Hands Confidential Communications to Eavesdroppers - Via EFF.org Updates:

This Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China, not only blocks keywords from chat conversations, but also spies on and remotely reports the contents of Skype users' private text conversations. This directly contradicts Skype's previous assurances that "full end-to-end security is preserved and there is no compromise of people’s privacy", even on the customized Chinese client.

This special breached version of Skype, distributed by the Chinese portal company TOM Online, has long been known to block certain contentious phrases from instant message conversations. IWM's Nart Villeneuve's research shows that when these keywords are mentioned in conversations, the client software also sends an encrypted message to one of eight remote servers hosted in China.

Due to poor security on these servers, Villeneuve was able to uncover what was being sent: extensive logs on user activity, including archives of more than 166,000 censored messages from 44,000 users.

Huge System for Web Surveillance Discovered in China

Huge System for Web Surveillance Discovered in China - Via NYTimes.com:

SAN FRANCISCO — A group of Canadian human-rights activists and computer security researchers has discovered a huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words.

The system tracks text messages sent by customers of Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype, an online phone and text messaging service.

The discovery draws more attention to the Chinese government’s Internet monitoring and filtering efforts, which created controversy this summer during the Beijing Olympics. Researchers in China have estimated that 30,000 or more “Internet police” monitor online traffic, Web sites and blogs for political and other offending content in what is called the Golden Shield Project or the Great Firewall of China.

The activists, who are based at Citizen Lab, a research group that focuses on politics and the Internet at the University of Toronto, discovered the surveillance operation last month. They said a cluster of eight message-logging computers in China contained more than a million censored messages. They examined the text messages and reconstructed a list of restricted words.

Chinese Skype Software Secretly Logs Political Chat Messages

Chinese Skype Software Secretly Logs Political Chat Messages - Via Threat Level:

Editor: Interesting graphic removed. Go to original site for that [...]

A Chinese-language version of Skype scans users' chat messages for keywords such as "democracy," and sends a copy of the offending message to the company's servers, according to a report released Thursday by a Canadian online human rights group.

That's despite adamant claims by the eBay-owned company that its software offers encrypted, safe communication.

Nart Villeneuve of the University of Toronto's Citizen Lab found that a Chinese version of the popular chat and internet phone-call software sent the full text of millions of messages with 'sensitive' keywords to servers controlled by Skype's Chinese partner TOM Online.

Captured messages discuss sensitive topics such as Taiwanese independence, tainted milk and the banned Falun Gong group.

Why MPAA Should Lose Against RealDVD

Why MPAA Should Lose Against RealDVD - Via EFF.org Updates:

Earlier this week, the motion picture industry sued RealNetworks over its RealDVD software. The MPAA companies also asked for an immediate temporary restraining order (TRO) to block Real from distributing the product, which allows consumers to copy their DVDs onto their personal computers for later playback.

There are many obvious reasons why this is a short-sighted and futile gesture by the studios (as Jon Healey of the L.A. Times points out), but let's focus just on the fatal flaws in their legal theory. (We've posted the key legal documents, including TRO briefs, for those who want to read them and form their own opinions.)

Police 'find' author of notorious Gpcode 'ransomware' virus

Police 'find' author of notorious virus - Via Techworld.com:

The infamous Gpcode 'ransomware' virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.

The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack - and probably earlier attacks in 2006 and 2007 - using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.

And Walmart Makes Three: Another Music Service Plans to Shut Down DRM Support

And Walmart Makes Three: Another Music Service Plans to Shut Down DRM Support - Via EFF.org Updates:

Following in the footsteps of MSN Music and Yahoo! Music, Walmart has notified customers that it will be shutting off its DRM servers in less than two weeks. Walmart's been selling DRM-free music since February, but anyone who bought music before that date will not be able to transfer those songs to “unauthorized computers,” or access the songs after changing operating systems. Walmart, like MSN and Yahoo!, advises customers to back up their music to a CD if they want to be able to access it in the future. So, Walmart customers get to invest more time, labor and money in order to continue to enjoy the music for which they have already paid.

We’ve warned music fans for years that they could lose their DRM-wrapped music if vendors decided to withdraw support for it. So we're not surprised that three major vendors have done just that. What is surprising is that Walmart has not learned from MSN Music and Yahoo! Music's experience and made some effort to make things right with its customers.

Bavarian Police Seeking Skype Trojan Informant

Bavarian Police Seeking Skype Trojan Informant - Via Slashdot: Your Rights Online:

Andreaskem writes "Bavarian police searched the home of the spokesman for the German Pirate Party (Piratenpartei Deutschland) looking for an informant who leaked information about a government Trojan used to eavesdrop on Skype conversations. (The link is a Google translation of the German original.) There is a high probability that the Trojan is used illegally. A criminal law specialist said, 'The Bavarian authorities worked on the Trojan without a legitimate basis and now try to silence critics.' The informant need not worry since 'every information that could be used to identify him' is protected against unauthorized access by strong encryption. The Trojan is supposedly capable of eavesdropping on Skype conversations and obtaining technical details of the Skype client being used. It is deployed by e-mail or in place by the police. A Pirate Party spokesman said, 'Some of our officials seem to want to install the Big Brother state without the knowledge of the public.'"


Hollywood Control of DVD-Copying at Crossroads

Hollywood Control of DVD-Copying at Crossroads - Via Threat Level:

RealNetworks caught Hollywood by surprise when it privately informed the studios two weeks ago that it was releasing, by month's end, a $30 application called RealDVD allowing movie fans to easily make copies of their DVDs with their computer.

As expected, heads spun as executives began to wonder whether the studios were losing even more control of the coveted DVD and its $16 billion in annual sales.

Hollywood is already reeling from open source DVD decryption software that is free on the internet. It also says it's losing billions in sales because of BitTorrent tracking services like The Pirate Bay that allow users to upload and download decrypted movies and other content for free.

With RealDVD, Kaleidescape and other mainstream services, Hollywood's already loosening grip on the DVD is at a crossroads.

The Latest on DVD Copying

The Latest on DVD Copying - Via EFF.org Updates:

Real Networks has received quite a bit of attention thanks to the launch of its Real DVD software, designed to allow people to copy their DVDs to their hard drives for later playback. (Why is that a big deal? Because Hollywood DVDs are encrypted with CSS, and if you decrypt them without permission, the motion picture industry's lawyers may come a-callin'.)

Today there are two approaches for those who want to make and distribute DVD copying tools. First, you can just build a DVD decryptor, the U.S. court cases that have held that the distribution of those products violates the DMCA notwithstanding. Despite those legal precedents, there is no shortage of free, easy-to-use tools that take this approach, including Handbrake (Win/Mac/Lin), DVD Shrink (Win), or MacTheRipper (Mac). (The motion picture studios argue that anyone who uses these tools violates the DMCA, as well.)

The other approach is the one pioneered by Kaleidescape:

Technology's Toll on Privacy and Security: In-Depth Reports in Scientific American's Special Issue

Technology's Toll on Privacy and Security: In-Depth Reports in Scientific American's Special Issue - Via Scientific American:

Computers, databases and networks have connected us like never before, but at what cost?

SciAm's issue on Privacy. Our jittery state since 9/11, coupled with the Internet revolution, is shifting the boundaries between public interest and "the right to be let alone".

A cold wind is blowing across the landscape of privacy. The twin imperatives of technological advancement and counterterrorism have led to dramatic and possibly irreversible changes in what people can expect to remain of private life. Nearly 10 years ago Scott McNealy of Sun Microsystems famously pronounced the death of privacy. “Get over it,” he said. Some people, primarily those younger than about 25, claim to have done just that, embracing its antithesis, total public disclosure. And of course in many cases—determining the whereabouts of a terrorist or the carrier of a disease—public interest has an overwhelming claim on information that is usually private.

Yet in many contexts—banking, commerce, diplomacy, medicine—private communications are essential. The founding fathers of the Republic put great stock in personal privacy; privacy is embodied (though, as we are often reminded, not stated) in the Bill of Rights. In her keynote essay Esther Dyson clarifies what “privacy” means by reminding us what it is not: several important issues commonly labeled dilemmas of privacy are better understood as issues of security, health policy, insurance or self-presentation.

Gmail HTTPS Doesn't Protect Account, New Setting Does

Gmail HTTPS Doesn't Protect Account, New Setting Does - Via Threat Level:

Just paranoid-enough Gmail users have long known that logging in via https://mail.google.com keeps the entire emailing session wrapped in cozy, 128-bit encryption -- leaving would-be Wi-Fi snoops at a cafe staring at the electronic equivalent of a blended latte.

It's a simple rule: https is your friend, especially when it comes to checking your webmail in a cafe. Without it the contents of your email are readable by anyone running a simple-to-find Wi-Fi monitoring program (if you are using a Wi-Fi connection, that is).

But it turns out that's not enough.

A Good Reason To Go Full-Time SSL For Gmail

A Good Reason To Go Full-Time SSL For Gmail - Via Slashdot:

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."


MIT Students Still Gagged by Federal Court

MIT Students Still Gagged by Federal Court - Via EFF.org Updates:

A federal court judge in Boston Thursday refused to lift an unconstitutional gag order against three students from the Massachusetts Institute of Technology (MIT) who uncovered vulnerabilities in Boston's transit fare payment system. In an editorial today, the Boston Globe wrote that Judge O'Toole "ought to lift it." Instead, the judge continued the hearing until Tuesday, and left the temporary restraining order in place.

EFF began representing the students in this case on Friday, when the Massachusetts Bay Transit Authority (MBTA) sued the students in federal court. On Saturday, a judge issued the gag order in violation of the students' First Amendment right to discuss their important research.

MIT Students' Response to MBTA Statements

MIT Students' Response to MBTA Statements - Via EFF.org Updates:

Yesterday, the Massachusetts Bay Transportation Authority issued a statement to CNET that misrepresents the facts leading up to the MBTA's lawsuit against three MIT students. The statement said:

A week ago, the MBTA learned about the presentation to be made at the conference, and immediately contacted MIT. At a meeting last Tuesday involving all the parties, MIT staff and the students agreed to provide the MBTA with a copy of the presentation. After several days passed without getting any information from MIT, the MBTA had no choice but to seek assistance from a federal court judge on Friday. At 4:30 a.m. on Saturday, the presentation was finally provided to the MBTA. Staff is thoroughly reviewing the information to determine if there is any degree of substance to the claims being made by the students.

The MIT students would like to clarify a few facts:

The DefCon 16 Mystery Challenge

The DefCon 16 Mystery Challenge - Via Threat Level:

LAS VEGAS -- Hackers like nothing more than solving complex problems. One of the most difficult contests at DefCon is known as the Mystery Challenge. Teams compete to solve a series of riddles and cryptographic challenges in order to win respect as well as a black badge, granting them DefCon admission for life.

The Mystery Challenge started out months before DefCon with the contest organizer, Lost, leaking hints on the DefCon forums.

Audio From Subway Hacking Hearing

Audio From Subway Hacking Hearing - Via Threat Level:

"I don't think that I'm unfairly going on the record to recognize that the MBTA, like most public transportation systems, faces real cash issues," says U.S. District Judge Douglas Woodlock, in an audio recording from Saturday's hearing in Boston, in which the judge granted a temporary restraining order stopping a planned DefCon talk on vulnerabilities in the Boston subway's fare card system.

Kim Zetter obtained the audio from the 90-minute hearing, in which EFF argued unsuccessfully against the extraordinary gag order. Despite the EFF's defense of the First Amendment, the judge was persuaded by lawyers for the Massachusetts Bay Transportation Authority to dole out a little prior restraint.

"Someone who opens a mechanism to defraud [MBTA] wrongfully of their revenues is acting in violation of the public interest, and it is in the public interest to enjoin such activity," the judge concluded.

Here's the audio in Windows Media format, as an mp3 and an ogg
