How-To
Colbert's Word: Control-Self-Delete
Colbert's Word: Control-Self-Delete: Via EFF.org Updates.
Just a few weeks after his interview with EFF Legal Director Cindy Cohn, American hero Stephen Colbert has returned to the subject of digital rights. And he's come up with a great solution to the problem of privacy and online social networks: Control-Self-Delete. [ Read more ... ]
Facebook bug could give spammers names, photos
Facebook bug could give spammers names, photos: Via PC World.
Facebook is scrambling to fix a bug in its website that could be misused by spammers to harvest user names and photographs.
It turns out that if someone enters the e-mail address of a Facebook user along with the wrong password, Facebook returns a special "Please re-enter your password" page, which includes the Facebook photo and full name of the person associated with the address.
The feature helps people understand if they've mistyped their e-mail address at login, but it could be misused by spammers to get information on Facebook's 500 million users. [ Read more ... ]
Biometric and Other Locks Fail to Foil Hackers at DefCon
Biometric and Other Locks Fail to Foil Hackers at DefCon: Via Threat Level.
LAS VEGAS — It wouldn’t be DefCon without a noted lock hacking team demonstrating the gross insecurity of some of the latest security locks, such as a biometric lock that could be easily cracked with a paper clip. [ Read more ... ]
Hacker Spoofs Cell Phone Tower to Intercept Calls
Hacker Spoofs Cell Phone Tower to Intercept Calls: Via Threat Level.
LAS VEGAS — A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.
The device tricks the phones into disabling encryption and records call details and content before they’re routed on their proper way through voice-over-IP.
The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area.
“If you have the ability to deliver a reasonably strong signal, then those around are owned,” Paget said. [ Read more ... ]
Welcome to Airport Security. A "Wizard" Will Be With You Shortly to Engage in Racial Profiling and Violate Your Privacy.
Welcome to Airport Security. A "Wizard" Will Be With You Shortly to Engage in Racial Profiling and Violate Your Privacy.: Via Blog of Rights: Official Blog of the American Civil Liberties Union.
Let's talk about a little known program being deployed across the nation's airports called SPOT, Screening Passengers by Observation Technique. According to an article in Nature News, by Sharon Weinberger, America's Transportation Security Administration (TSA) has trained 3,000 officers to detect and infer future behavior, in what can only be described as a psychic effort, to determine an individual's intent. The TSA claims that these screeners are trained to observe and identify people who appear to be deceptive and planning hostile acts.
How, you ask?
In the 1970s psychologist Paul Ekman co-developed the 'facial action coding system', for analyzing human facial expressions. He is now capitalizing on this theory by teaching people he calls "wizards" how to link those expressions to hidden emotions, including the intent to deceive. I would caution travelers against tensing your lips or raising your brow while waiting in an airport security line. You may end up in cuffs. [ Read more ... ]
Hack AT&T Voicemail With Android
Hack AT&T Voicemail With Android: Via Slashdot.
An anonymous reader writes "It is shockingly easy to gain access to an AT&T customer's voicemail using caller ID spoofing techniques. What's worse is that AT&T knows about it. On your Android phone, download one of the two caller ID spoofing programs. Input the number of your target as the destination number and then enter the same number as the spoofed caller ID. Then connect your call. If the target has not added a voicemail password (the default is no password), you will be dropped into a random menu of their voicemail and eventually can drill up or down to get what you want. You can change greetings, erase messages, send voicemails out of the target account, and much more. How many politicians up in arms about Google Wi-Fi sniffing will want to know more about this?"
Encrypt the Web with the HTTPS Everywhere Firefox Extension
Encrypt the Web with the HTTPS Everywhere Firefox Extension: Via Electronic Frontier Foundation.
Today EFF and the Tor Project are launching a public beta of a new Firefox extension called HTTPS Everywhere.
This Firefox extension was inspired by the launch of Google's encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted. At the same time, we were also able to encrypt most or all of the browser's communications with some other sites: [ Read more ... ]
The SSD Project | EFF Surveillance Self-Defense Project
The SSD Project | EFF Surveillance Self-Defense Project: Via Electronic Frontier Foundation (EFF).
The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.
Surveillance Self-Defense (SSD) exists to answer two main questions: What can the government legally do to spy on your computer data and communications? And what can you legally do to protect yourself against such spying?
After an introductory discussion of how you should think about making security decisions — it's all about risk management — we'll be answering those two questions for three types of data: [ Read more ... ]
Free Facebook privacy scanners help you lock down your account
Free Facebook privacy scanners help you lock down your account: Via Workers' Edge - CNET News.
Some people don't mind strangers rummaging through their Facebook friends lists, wall posts, status updates, and other details of their online selves. The rest of us attempt to control who has access to our Facebook information. The recent revamp of the Facebook privacy settings makes it simpler to adjust the many settings that determine whether and how people contact you, and how much of your information they can access.
Two free online scanners put your Facebook privacy settings to the test, though they take very different approaches to how they generate their ratings. ReclaimPrivacy.org gives you a Facebook security grade in seconds without asking for any information or permissions. You have to install Connect in Private's Secure My Profile Facebook app and allow the program to access your information and settings. [ Read more ... ]
Facebook Addresses Several Privacy Problems (ACLU)
Facebook Addresses Several Privacy Problems: Via Blog of Rights: Official Blog of the American Civil Liberties Union.
Facebook has come under withering fire recently for its recent string of privacy-unfriendly practices, from its “privacy transition” that took away privacy controls to “instant personalization” that instantly shares personal information with third party pages without the user's consent.
These failings led over 80,000 people to sign ACLU petitions demanding that Facebook give users control over all of the information they share via Facebook and ensure that user information is not shared with any third party without our own opt-in consent. Oddly, that sounds a lot like two of the principles that CEO Mark Zuckerberg expressed on Monday: “You have control over how your information is shared” and “We do not share your personal information with people or services you don't want.”
Too often, however, these principles have been left by the wayside, as Facebook's “eroding privacy policy” demonstrates. That's why we were skeptical (and we were not the only ones) about Mr. Zuckerberg's promises to listen and “do better.”
But Facebook deserves a lot of credit for its latest changes. [ Read more ... ]
How to Get More Privacy From Facebook's New Privacy Controls
How to Get More Privacy From Facebook's New Privacy Controls: Via EFF.org Updates.
Today, Facebook announced new privacy controls and settings in response to the tremendous public outcry over its April changes. Here we explain step-by-step how to take advantage of the new settings and maximize your privacy on Facebook.
This is important because you must take affirmative steps to adjust your settings in order to take full advantage of the revised privacy practices. While some information, such as your name, profile picture and gender, will remain publicly available, these steps are designed to provide as much privacy as Facebook's new system allows. Please enjoy our video, which goes through each of the steps detailed below. [ Read more ... ]
Google Offers Choice to Opt Out of Web Analytics
Google Offers Choice to Opt Out of Web Analytics: Via Threat Level.
Google is offering a way for web users to opt out of being tracked around the web by its popular Google Analytics tool used by publishers to track traffic and trends on their websites.
Publishers like Wired.com insert a simple line of Google Analytics Javascript on their site and then can see on a dashboard which pages are popular and what search terms lead users to their site. But Google also gets much of that user information in aggregate, so it has a bird’s eye of the internet, thanks to all the sites reporting back to it. It knows more about a user’s activities across multiple sites than any individual site knows. It uses that data to improve its own services.
Google Analytics is now letting users opt out of having your information, including your IP address, sent to Google’s central servers if you install a browser plug-in for IE 7 or 8, Google Chrome and Mozilla’s Firefox. Google Analytics program manager Amy Chang described the new tool as a way to “provide even more choice and transparency for both website owners and users.” [ Read more ... ]
Facebook App Brings Back Data(NYT)
Facebook App Brings Back Data: Via Gadgetwise Blog - NYTimes.com.
People who are in despair about Facebook’s recent removal of personal information from their profiles can dry their tears.
There’s an app to get it back.
The social-networking juggernaut has been removing freestyle prose that users had added to their profiles about favorite activities, interests, music, books, movies and TV shows — sometimes painstakingly over years — and putting in its place links to related public pages.
The change, decried by some as a blow to both free expression and privacy, [ Read more ... ]
A Handy Facebook-to-English Translator
A Handy Facebook-to-English Translator: Via EFF.org Updates.
At last week's "f8" Facebook developer conference, Mark Zuckerberg's notable quotable was that Facebook is "building a Web where the default is social." To our ears, that sounds like "a Web where exposure is the norm." To achieve this, Facebook is rolling out technologies that essentially put Facebook features on other sites, while those sites share data back to Facebook.
Despite the voluminous buzz, many commentators have missed the most confusing announcement of all — new Facebook jargon. So, in the interests of helping users understand what's going on, we've put together a rough Facebook-to-English translator. Think of it as a handy phrase-book that could help you navigate through the more common situations you'll find yourself in.
Important to note: Facebook makes frequent changes to its features. We believe this post to be accurate at the time of publishing, but please understand that Facebook may change some or all of these definitions beyond recognition before long. In addition, be aware that Facebook operates differently in Europe than it does in the USA, because European nations tend to have stronger privacy-protection laws. [ Read more ... ]
How to Opt Out of Facebook’s Instant Personalization (EFF)
How to Opt Out of Facebook’s Instant Personalization: Via EFF.org Updates.
Yesterday, Facebook announced Instant Personalization, whereby select websites would "personalize your experience using your public Facebook information." The initial sites are Pandora, Yelp and Microsoft Docs. As Facebook CEO Mark Zuckerberg explained, this means that when you visit "Pandora for the first time, it can immediately start playing songs from bands you've liked." Pandora, and other partners, can also link your real name and other Facebook information with everything you do on their site.
More specifically, these sites "may access any information you have made visible to Everyone ... as well as your publicly available information. This includes your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages." On Monday, Facebook announced a transition where a "new type of Facebook Page" will make the "current city, hometown, education and work, and likes and interests sections of your profile" publicly available after you go through the transition tool (or those items will be deleted).
By default, the "Allow" checkbox for Instant Personalization is checked on your privacy settings. If you don't want the websites that you or your Facebook friends visit to know your information, you must opt out. Since this process is a bit complicated, we have made a quick video showing step by step how to do so. [ Read more ... ]
Needle-in-a-Haystack Problems
Needle-in-a-Haystack Problems: Via Freedom to Tinker.
Sometimes the same idea comes flying at you from several directions at once, and you start seeing that idea everywhere. This has been happening to me lately with needle-in-a-haystack problems, a concept that is useful but often goes unrecognized.
A needle-in-a-haystack problem is a problem where the right answer is very difficult to determine in advance, but it's easy to recognize the right answer if someone points it out to you. Faced with a big haystack, it's hard to find the needle; but if someone tells you where the needle is, it's easy to verify that they're right. [ Read more ... ]
Video: Solving Your Facebook Privacy Problems in 2.5 Minutes (with a Bit Of Style)
Video: Solving Your Facebook Privacy Problems in 2.5 Minutes (with a Bit Of Style): Via Lauren Weinstein's Blog.
Greetings. Privacy-related concerns surrounding Facebook continue to escalate. Now anxiety levels are boosting even more rapidly with the unveiling of Facebook's new "Instant Personalization" system and its potential for massive expansion of personal information gathering from -- and sharing with -- other sites. Meanwhile, many observers feel that managing Facebook's convoluted array of privacy settings is just too opaque and unnecessarily complex for many users.
But this really isn't being fair to Facebook. While it may not be obvious, Facebook does provide a procedure -- if you know where to find it and how to use it -- that can fairly quickly limit your Facebook personal information to acceptable levels, at least to the extent that other sites don't already have that data within their grasps. [ Read more ... ]
Opt Out of Behavioral Advertising - Network Advertising Initiative
Opt Out of Behavioral Advertising - Network Advertising Initiative: Via Network Advertising Initiative.
The NAI Opt-out Tool was developed in conjunction with our members for the express purpose of allowing consumers to "opt out" of the behavioral advertising delivered by our member companies.
Using the Tool below, you can examine your computer to identify those member companies that have placed an advertising cookie file on your computer.
To opt out of an NAI member's behavioral advertising program, simply check the box that corresponds to the company from which you wish to opt out. [ Read more ... ]
Geek Reading: Evan Ratliff on How to Disappear (or Not) in the Digital World
Geek Reading: Evan Ratliff on How to Disappear (or Not) in the Digital World: Via EFF.org Updates.
While researching a story for Wired Magazine about people who fake their own deaths, journalist Evan Ratliff began to wonder: How hard would it be to disappear in today's digital world? Email, online banking, mobile phones and other ubiquitous technologies leave traces of ourselves that can be easily tracked. If you wanted to disappear while using these tools, could you?
To find out the answer, he went underground himself, and issued a challenge to his readers: find Evan and win $5000. While continuing to use the Internet, mobile phones — and a variety of disguises — Evan managed to stay on the run for a total of 25 days before obsessive fans tracked him down in New Orleans. The whole story is documented in the fascinating piece he published in the December 2009 issue of Wired.
On April 13, Evan will talk about his experience in a special Geek Reading event for EFF. Join us at San Francisco's 111 Minna bar for Evan's presentation on the questions of privacy, surveillance, and identity raised by his groundbreaking experiment. [ Read more ... ]
Law Enforcement Appliance Subverts SSL via forged certificate & man-in-the-middle attack
Law Enforcement Appliance Subverts SSL: Via Threat Level.
That little lock on your browser window indicating you are communicating securely with your bank or e-mail account may not always mean what you think it means.
Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.
At a recent wiretapping convention however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds designed to intercept those communications, without breaking the encryption, by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.
The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, [ Read more ... ]
Side-Channel Leaks in Web Applications
Side-Channel Leaks in Web Applications: Via Freedom to Tinker.
Popular online applications may leak your private data to a network eavesdropper, even if you're using secure web connections, according to a new paper by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang. (Chen is at Microsoft Research; the others are at Indiana.) It's a sobering result -- yet another illustration of how much information can be leaked by ordinary web technologies. It's also really clever.
Here's the background: Secure web connections encrypt traffic so that only your browser and the web server you're visiting can see the contents of your communication. Although a network eavesdropper can't understand the requests your browser sends, nor the replies from the server, it has long been known that an eavesdropper can see the size of the request and reply messages, and that these sizes sometimes leak information about which page you're viewing, if the request size (i.e., the size of the URL) or the reply size (i.e., the size of the HTML page you're viewing) is distinctive.
The new paper shows that this inference-from-size problem gets much, much worse when pages are using the now-standard AJAX programming methods, in which a web "page" is really a computer program that makes frequent requests to the server for information. With more requests to the server, there are many more opportunities for an eavesdropper to make inferences about what you're doing -- to the point that common applications leak a great deal of private information. [ Read more ... ]
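The size-based inference described above, together with the padding mitigation that blunts it, as an added Python model; this is not code from the paper or the post, and the page catalogue and byte counts are constructed for illustration:

```python
import math
from collections import Counter

# Constructed catalogue of an imaginary web app: page -> (request bytes, reply bytes).
# The sizes are invented for illustration; they are not measurements from the paper.
PAGES = {
    "/balance":    (312, 4871),
    "/transfer":   (318, 5230),
    "/statements": (321, 4871),   # same reply size as /balance, different request size
    "/settings":   (319, 2990),
    "/help":       (315, 12044),
}

def pad(n, block):
    """Round n up to the next multiple of block (what a padding mitigation does)."""
    return -(-n // block) * block

def observed_sizes(pages, pad_to=None):
    """Return what a passive eavesdropper sees for each page: the (request, reply)
    byte counts on the wire, optionally after padding both to pad_to-byte blocks.
    Encryption hides the bytes themselves, not how many of them there are."""
    out = {}
    for name, (req, rep) in pages.items():
        if pad_to:
            req, rep = pad(req, pad_to), pad(rep, pad_to)
        out[name] = (req, rep)
    return out

def candidates(sizes, observation):
    """Pages consistent with one observed (request, reply) size pair."""
    return sorted(name for name, s in sizes.items() if s == observation)

def leakage_bits(sizes):
    """Bits the eavesdropper learns about which page was fetched, assuming every
    page is equally likely: H(page) - H(page | observed sizes). Pages that share
    an on-the-wire size pair form one indistinguishable group. An AJAX app that
    makes many such requests per screen leaks this much at every step."""
    n = len(sizes)
    groups = Counter(sizes.values())          # size pair -> number of pages sharing it
    h_prior = math.log2(n)
    h_post = sum((k / n) * math.log2(k) for k in groups.values())
    return h_prior - h_post

if __name__ == "__main__":
    for block in (None, 1024, 8192, 16384):
        s = observed_sizes(PAGES, block)
        print(f"pad_to={block}: leakage {leakage_bits(s):.2f} bits, "
              f"distinguishable groups={len(set(s.values()))}")
```

Without padding every page has a unique size signature, so the sizes alone identify it; padding to 16384-byte blocks makes all five pages look identical to the eavesdropper, at the cost of extra bandwidth.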
Major ISPs Help Fund BitTorrent User Tracking Research ?
Major ISPs Help Fund BitTorrent User Tracking Research: Via Slashdot YRO.
An anonymous reader writes "I was scanning conference proceedings to come up with ideas for a reading group I run at my workplace, and I noticed an interesting paper from the new IEEE WIFS forensics conference. Researchers from the University of Colorado have published a technique for tracking BitTorrent users (PDF) by joining and actively probing torrent swarms using low-cost cloud computing services. They claim their methods allowed them to monitor the entire Pirate Bay torrent set for as little as $13/mo using EC2. But that's not even the interesting part. Their work appears to have been 'funded in part through gifts from PolyCipher' — a broadband ISP consortium. That's right; three major national ISPs funded this round of BitTorrent tracking research, not the MPAA/RIAA. Could this be evidence of ISP support for ACTA and a global three-strikes law?"
How To Manage (and Protect) Your Online Reputation (Forbes)
How To Manage (and Protect) Your Online Reputation: Via Forbes.com.
When Megan Maloney lost her job at a Detroit auto supplier last April, she made sure her online reputation was as strong as the image she would present in person to prospective employers. She Googled herself to check for unflattering links. Then she changed her Facebook privacy setting so no one could see beyond her profile picture. She updated her profile on LinkedIn.
Maloney's instinct was right: When she landed a job in September, her new bosses admitted they had researched her online. "They told me that they had checked Facebook," says Maloney, 32, now a business development manager in Milwaukee. "I had posted a photo of me wearing a T-shirt that said 'Unemployed,' and they thought that I showed the right kind of personality for a sales job. They liked that I was on LinkedIn, because it's helpful for leads and networking."
Managing your online reputation is a critical step in landing a new job. According to a recent survey by business networking organization ExecuNet, 90% of recruiters used a search engine to learn more about candidates and 46% of recruiters had eliminated a candidate based on information they found online. Self-Googling isn't an act of narcissism; it's a smart way to determine whether your online personality jives with how you want the world to view you. [ Read more ... ]
Cell phones show human movement predictable 93% of the time
Cell phones show human movement predictable 93% of the time: Via Ars Technica.
We'd like to think of ourselves as dynamic, unpredictable individuals, but according to new research, that's not the case at all. In a study published in last week's Science, researchers looked at customer location data culled from cellular service providers. By looking at how customers moved around, the authors of the study found that it may be possible to predict human movement patterns and location up to 93 percent of the time. These findings may be useful in multiple fields, including city planning, mobile communication resource management, and anticipating the spread of viruses. [ Read more ... ]
The Spy at Harriton High - Some background research
The Spy at Harriton High: Via Stryde Hax blog.
This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
PanoMasterMind
The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. [ Read more ... ]