How-To
Major ISPs Help Fund BitTorrent User Tracking Research?
Major ISPs Help Fund BitTorrent User Tracking Research: Via Slashdot YRO.
An anonymous reader writes "I was scanning conference proceedings to come up with ideas for a reading group I run at my workplace, and I noticed an interesting paper from the new IEEE WIFS forensics conference. Researchers from the University of Colorado have published a technique for tracking BitTorrent users (PDF) by joining and actively probing torrent swarms using low-cost cloud computing services. They claim their methods allowed them to monitor the entire Pirate Bay torrent set for as little as $13/mo using EC2. But that's not even the interesting part. Their work appears to have been 'funded in part through gifts from PolyCipher' — a broadband ISP consortium. That's right; three major national ISPs funded this round of BitTorrent tracking research, not the MPAA/RIAA. Could this be evidence of ISP support for ACTA and a global three-strikes law?"
Read Original Article: (Via Slashdot.)
How To Manage (and Protect) Your Online Reputation (Forbes)
How To Manage (and Protect) Your Online Reputation: Via Forbes.com.
When Megan Maloney lost her job at a Detroit auto supplier last April, she made sure her online reputation was as strong as the image she would present in person to prospective employers. She Googled herself to check for unflattering links. Then she changed her Facebook privacy setting so no one could see beyond her profile picture. She updated her profile on LinkedIn.
Maloney's instinct was right: When she landed a job in September, her new bosses admitted they had researched her online. "They told me that they had checked Facebook," says Maloney, 32, now a business development manager in Milwaukee. "I had posted a photo of me wearing a T-shirt that said 'Unemployed,' and they thought that I showed the right kind of personality for a sales job. They liked that I was on LinkedIn, because it's helpful for leads and networking."
Managing your online reputation is a critical step in landing a new job. According to a recent survey by business networking organization ExecuNet, 90% of recruiters used a search engine to learn more about candidates and 46% of recruiters had eliminated a candidate based on information they found online. Self-Googling isn't an act of narcissism; it's a smart way to determine whether your online personality jives with how you want the world to view you. [ Read more ... ]
Cell phones show human movement predictable 93% of the time
Cell phones show human movement predictable 93% of the time: Via Ars Technica.
We'd like to think of ourselves as dynamic, unpredictable individuals, but according to new research, that's not the case at all. In a study published in last week's Science, researchers looked at customer location data culled from cellular service providers. By looking at how customers moved around, the authors of the study found that it may be possible to predict human movement patterns and location up to 93 percent of the time. These findings may be useful in multiple fields, including city planning, mobile communication resource management, and anticipating the spread of viruses. [ Read more ... ]
The Spy at Harriton High - Some background research
The Spy at Harriton High: Via Stryde Hax blog.
This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the toolchain used to accomplish spying. Taking a look at the LMSD Staff List, Mike Perbix is listed as a Network Tech at LMSD. Mr. Perbix has a large online web forum footprint as well as a personal blog, and a lot of his posts, attributed to his role at Lower Merion, provide insight into the tools, methods, and capabilities deployed against students at LMSD. Of the three network techs employed at LMSD, Mr. Perbix appears to have been the mastermind behind a massive, highly effective digital panopticon.
The primary piece of evidence, already being reported on by a Fox affiliate, is this amazing promotional webcast for a remote monitoring product named LANRev. [ Read more ... ]
U.S. Intel Wants Super-Sensitive Human Lie-Detectors
U.S. Intel Wants Super-Sensitive Human Lie-Detectors: Via Danger Room.
The U.S. intelligence community wants to master the art of BS-detection. But instead of improving on pre-existing methods, like polygraph tests or voice stress analysis, they want to amplify our own, intuitive, “pre-conscious human assessment of trustworthiness.”
Iarpa, the intelligence community’s out-there research unit, are behind the effort to overcome even the sneakiest deceivers. Last year, Iarpa held a researchers conference to discuss a little idea they call TRUST, short for “Tools for Recognizing Useful Signals of Trustworthiness.” Now, Iarpa has started soliciting proposals for the project, which they envision as a five-year, three-phased overhaul of current deception-detection technology. [ Read more ... ]
Spying on User Web Browsing Histories for Fun and Profit!
Spying on User Web Browsing Histories for Fun and Profit!: Via Lauren Weinstein's Blog.
Greetings. A bit over a year ago, I reported here about a commercial firm using JavaScript tricks to pry into the site browsing history of unsuspecting Web users, and I discussed the serious negative implications of such spying.
Now comes a handy "do it yourself" guide detailing the kinds of obnoxious techniques involved, under the name "Sniff browser history for improved user experience" -- a quintessential example of how to portray (that is, spin) an obvious privacy invasion as if it were a user-friendly value proposition.
It's not terribly surprising that the author of the piece devotes only a couple of words to even the possibility that such techniques could be used for "evil" purposes. [ Read more ... ]
Researchers find huge weakness in European payment cards
Researchers find huge weakness in European payment cards: Via Computerworld Security News.
Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.
The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.
European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.
But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered. [ Read more ... ]
Using Google Buzz? Here’s a privacy checklist
Using Google Buzz? Here’s a privacy checklist: Via PC World / msnbc.com.
If you've heard of Google Buzz, chances are you've also heard about some of the privacy concerns that surround it. The social media service offers some cool ways to share photos, links, status messages, and more with fellow Google Buzz users. But if you're not careful, you may end up sharing more than you expect.
Silicon Alley Insider raised some very real privacy concerns about Google Buzz this week, noting that the service ends up exposing many of your e-mail contacts by default. That's a problem if you have e-mail contacts you'd rather not make public.
You also can't hide your e-mail contacts without cutting them off from your Buzz network. [ Read more ... ]
Film Premiere: 10 Rules for Dealing with Police (Cato Institute)
Film Premiere: 10 Rules for Dealing with Police: Via Cato Institute.
FILM PREMIERE
Friday, February 12, 2010 (rescheduled to a new date yet to be determined)
Cato Institute, 1000 Massachusetts Ave., N.W., Washington, D.C.
With comments from William "Billy" Murphy, Attorney and 10 Rules Narrator and Neill Franklin, Law Enforcement Against Prohibition. Moderated by Tim Lynch, Director, Project on Criminal Justice, Cato Institute.
Editor: Due to the weather conditions, we are unable to hold the film premiere. The event will be rescheduled for a future date and new invitations will be sent. You can also check back here at cato.org for updates. [ Read more ... ]
Identifying John Doe: It might be easier than you think
Identifying John Doe: It might be easier than you think: Via Freedom to Tinker.
Imagine that you want to sue someone for what they wrote, anonymously, in a web-based online forum. To succeed, you'll first have to figure out who they really are. How hard is that task? It's a question that Harlan Yu, Ed Felten, and I have been kicking around for several months. We've come to some tentative answers that surprised us, and that may surprise you.
Until recently, I thought the picture was very grim for would-be plaintiffs, writing that it should be simple for "even a non-technical Internet user to engage in effectively untraceable speech online." I still think it's feasible for most users, if they make enough effort, to remain anonymous despite any level of scrutiny they are practically likely to face. But in recent months, as Harlan, Ed, and I have discussed this issue, we've started to see a flip side to the coin: In many situations, it may be far easier to unmask apparently anonymous online speakers than they, I, or many others in the policy community have appreciated. Today, I'll tell a story that helps explain what I mean. [ Read more ... ]
The top 5 mistakes of privacy awareness programs
The top 5 mistakes of privacy awareness programs: Via Computerworld Privacy News.
Privacy consultant Jay Cline identifies the errors companies often make when trying to educate employees about data protection.
The Health Insurance Portability and Accountability Act requires it. The Payment Card Industry Data Security Standard requires it. The ISO 27001 standard requires it. In fact, every regulation that mandates that reasonable measures be taken to protect information implicitly requires companies to set up training programs to help employees understand what those measures are.
But what does training actually mean?
Many corporations have adopted a check-box approach toward compliance with this obligation. Here are five shortcuts I see them taking instead of using the opportunity to ensure that employees really know how to protect information. [ Read more ... ]
Can you trust Chinese computer equipment?
Can you trust Chinese computer equipment?: Via ITworld.
China may not only be breaking into Google's network, but giving people deliberately bugged technology gear. Can we trust any technology that comes from China?
As you surely know, Google has accused China of hacking into its systems and is considering pulling out of China altogether. The U.S. government is taking this seriously, and Google has partnered with the NSA (National Security Agency) to get to the bottom of this. What you may not know is that the United Kingdom's MI5 -- Americans can think of this as a combination of the FBI and CIA -- has reported that the Chinese government has been giving UK executives electronics with built-in security holes.
According to the Sunday Times, "A leaked MI5 document says that undercover intelligence officers from the People's Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of 'gifts' and 'lavish hospitality.' The gifts -- cameras and memory sticks -- have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers." [ Read more ... ]
#BurningMan ticket policy = #FAIL / Know Before You Go: Tickets May Come at a Higher Price Than You Realize
Know Before You Go: Tickets May Come at a Higher Price Than You Realize: Via EFF.org Updates.
As part of our Terms of Ab(use) project, we pay close attention to the fine print of online agreements for provisions that are potentially dangerous to consumers. We've noticed a troubling change in the way event planners restrict the rights of individuals who attend their shows. Where once these limitations had to fit on the back of a ticket, increasingly event organizers have moved their fine print online, where they are able to use even more contract law to avoid the limits of trademark and copyright law and actively control what ticket holders can say or do even after the event is over.
These burdensome terms can show up in some pretty unexpected places. Last year we noted how the Burning Man Organization (BMO) used online ticket terms to require participants to assign to BMO—in advance—the copyright to any pictures they took on the playa. Tickets for the 2010 event went on sale in mid-January, and we hoped the new terms would acknowledge the concerns we had expressed. Sadly, the new terms are just as onerous as before. [ Read more ... ]
Cisco's wiretapping system open to exploit, says researcher
Cisco's wiretapping system open to exploit, says researcher: Via Law & Disorder Section - Ars Technica.
To meet the needs of law enforcement, most telecommunications equipment includes hardware and software that allow for the monitoring of traffic originating with the targets of investigations. The precise capabilities are often dictated by formalized standards, which allow any hardware maker to implement a compliant system. Unfortunately, these standards often leave the hardware wide open to various attacks that leave regular users vulnerable, and provide savvy surveillance targets the opportunity to evade the snooping. An IBM researcher has put Cisco's system under the microscope at a Black Hat Conference, and found it comes up short. [ Read more ... ]
How to catch an iPhone thief: Busting an iPhone thief
Busting an iPhone thief: Via (Twitter via @clarinette02 @technollama) How to catch an iPhone thief blog at BlogSpot.com.
The whole thing started when my plane landed in Los Angeles on Monday afternoon at 2:55pm coming from Cabo San Lucas. The guy sitting next to me on the plane asked me to loan him a pen so that he could fill out his customs form. I watched him fill out the form and clearly remember his birth year of 1984, but am a bit unsure about his name. I think it was -----, but in this story, we will refer to him as Pinche.
[...]
When I got to my office, I pulled up the MobileMe site and used the Find My Phone feature. To my surprise, the phone was in Sun Valley at a Daniel's Taco Stand!!! My conclusion was that the phone had actually fallen into Pinche’s bag and he was driving around without knowing that he had my phone!
Why did I assume this? Because if I were to steal an iPhone, I would unload it fast. I would not want to drive around with a homing device after committing a crime! I wrote down the address in Sun Valley. [ Read more ... ]
Indiscreet web browsers assist de-anonymisation
Indiscreet web browsers assist de-anonymisation: Via The H Security: News and Features.
A test on browser fingerprinting by the Electronic Frontier Foundation (EFF) has shown how uniquely identifiable a user's browser is on the web. What that test is unable to do is to identify individual users. This, however, is the goal of an experiment by the International Secure Systems Lab (Isec Lab). Originally founded by the Vienna University of Technology (TUV), Isec Lab is now a collaborative venture between TUV, Eurécom and the University of California in Santa Barbara. The test makes use of Xing, a platform widely-used in Europe on which many millions of users have published profiles.
[...] [ Read more ... ]
Help EFF Research Web Browser Tracking - Panopticlick.eff.org
Help EFF Research Web Browser Tracking: Via EFF.org Updates.
What fingerprints does your browser leave behind as you surf the web?
Traditionally, people assume they can prevent a website from identifying them by disabling cookies on their web browser. Unfortunately, this is not the whole story.
When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. But how effective would this kind of online tracking be?
EFF is running an experiment to find out. Our new website Panopticlick will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of five million other configurations. Then, it will give you a uniqueness score — letting you see how easily identifiable you might be as you surf the web. [ Read more ... ]
More flash drive firms warn of security flaw; NIST investigates
More flash drive firms warn of security flaw; NIST investigates: Via Computerworld Security News.
The drives were certified to meet NIST standards
SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.
The hole could allow unauthorized access to encrypted data on a USB flash drive by circumventing the password authorization software on a host computer.
"It's really onerous. It's a stupid crypto mistake and they screwed up, and they should be rightfully embarrassed for making it," said cryptographer and computer security specialist Bruce Schneier. [ Read more ... ]
FIPS 140-2 Level 2 Certified USB Memory Stick Cracked
FIPS 140-2 Level 2 Certified USB Memory Stick Cracked: Via Schneier on Security.
Kind of a dumb mistake:
The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers' nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations -- and this is the case for all USB Flash drives of this type.
Cracking the drives is therefore quite simple. The SySS experts wrote a small tool for the active password entry program's RAM which always made sure that the appropriate string was sent to the drive, irrespective of the password entered and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.
Nice piece of analysis work.
The article goes on to question the value of the FIPS certification: [ Read more ... ]
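The defect SySS describes is a design property, not a cipher weakness: the host software checks the password itself and then sends the drive a string that is the same for every unit and every password. The toy model below (constructed for this page; it is not the vendors' firmware, SySS's tool or code from the quoted article, and all class and function names are assumptions) contrasts that design with one in which the drive can only unwrap its data key from a password-derived key, so there is no host-held secret to replay:

```python
from typing import Optional
import hashlib
import hmac
import os
import secrets


class FlawedDrive:
    """Drive trusts the host: one constant string, shared by every unit of the
    product line in this model, releases the data key."""

    # Constructed stand-in for the fixed string the host software sends.
    UNLOCK_STRING = b"constant-unlock-string-shared-by-all-units"

    def __init__(self) -> None:
        self._data_key = secrets.token_bytes(32)  # key for the AES-256 store

    def unlock(self, message: bytes) -> Optional[bytes]:
        if hmac.compare_digest(message, self.UNLOCK_STRING):
            return self._data_key
        return None


def flawed_host_message(password: bytes, stored_hash: bytes) -> Optional[bytes]:
    """Host-side check as the article describes: verify the password locally,
    then send the constant string. Nothing sent to the drive depends on it."""
    if not hmac.compare_digest(hashlib.sha256(password).digest(), stored_hash):
        return None
    return FlawedDrive.UNLOCK_STRING


class HardenedDrive:
    """Password-bound design: the drive keeps its data key wrapped under a key
    derived from the password (PBKDF2-HMAC-SHA256, per-unit salt), so there is
    no host-held secret that unlocks every unit."""

    def __init__(self, password: bytes) -> None:
        self.salt = os.urandom(16)
        data_key = secrets.token_bytes(32)
        kek = self._derive(password)
        # XOR wrap plus an HMAC tag keeps the model short; a real device would
        # use an authenticated key wrap such as AES-GCM or AES Key Wrap.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self._tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()

    def _derive(self, password: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000, dklen=32)

    def unlock(self, password: bytes) -> Optional[bytes]:
        kek = self._derive(password)
        tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return None  # wrong password: the key cannot be unwrapped
        return bytes(a ^ b for a, b in zip(self._wrapped, kek))


def flawed_message_is_password_bound() -> bool:
    """Audit check for the flawed design: two units set up with different
    passwords should make the host send different unlock messages."""
    pw_a, pw_b = b"correct horse", b"battery staple"
    msg_a = flawed_host_message(pw_a, hashlib.sha256(pw_a).digest())
    msg_b = flawed_host_message(pw_b, hashlib.sha256(pw_b).digest())
    return msg_a != msg_b  # False: the message is the same string either way


def hardened_unlock_results() -> tuple:
    """Correct password unwraps a 32-byte key; a wrong one yields nothing."""
    drive = HardenedDrive(b"correct horse")
    good = drive.unlock(b"correct horse")
    bad = drive.unlock(b"wrong password")
    return good is not None and len(good) == 32, bad is None
```

The audit check is the kind of test a FIPS evaluator could have run: if what reaches the device is identical across units with different passwords, the password protects nothing the device enforces.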
HOW TO: Erase Your Online Past [HUMOR]
HOW TO: Erase Your Online Past [HUMOR]: Via Mashable.
These days, it’s getting tougher and tougher to keep a good name unbesmirched. Surveys indicate that as many as half of hiring managers use search engines to screen job applicants, and 1 in 10 have rejected potential employees because of damaging information on the web. Even if there’s no one out to get you, it’s likely that you’ve left your own e-trail of embarrassment: Facebook photos, blog comments, cached web pages, YouTube videos — all these things can provide the world with evidence of your previous poor judgement and wrongdoing.
Here’s how to combat that, and purge your online past.
Read Original Article: (Via Mashable.)
How To Stop Facebook From Publishing Recent Activity To The News Feed
How To Stop Facebook From Publishing Recent Activity To The News Feed: Via allfacebook.com.
Are you tired of your friends knowing about every group you’ve joined or every Facebook Page you’ve become a fan of? Do you want to RSVP for an event without your friends knowing that you are attending? Sometimes users just want to keep things private and after numerous emails in my inbox, I thought it would be useful to post a short guide on how to prevent Facebook from publishing stories about every single activity you make on the site. With the removal of news feed settings in December, many users have become confused about blocking information from their profile. This guide will tell you how!
Read Original Article: (Via allfacebook.com.)
Underground Services Let Virus Writers Check Their Work
Underground Services Let Virus Writers Check Their Work: Via Threat Level.
I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools. If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.
That pooling of intelligence on new threats also serves to make the free scanning services less attractive to virus authors, who would almost certainly like nothing more than to freely and simultaneously test the stealth of their new creations across a wide range of security software. Still, there is nothing to stop an enterprising hacker from purchasing a license for each of the anti-virus tools on the market and selling access to a separate scanning service that appeals to the virus-writing community.
Enter upstart file-scanning services like av-check.com and virtest.com, which bank on the guarantee that they won’t share your malware with the anti-virus community. [ Read more ... ]
Quantum Cryptography Cracked
Quantum Cryptography Cracked: Via Schneier on Security.
This presentation will show the first experimental implementation of an eavesdropper for a quantum cryptosystem. Although quantum cryptography has been proven unconditionally secure, by exploiting physical imperfections (detector vulnerability) we have successfully built an intercept-resend attack and demonstrated eavesdropping under realistic conditions on an installed quantum key distribution line. The actual eavesdropping hardware we have built will be shown during the conference.
While I am very interested in quantum cryptography, I have never been optimistic about its practicality. And it's always interesting to see provably secure cryptosystems broken.
Read Original Article: (Via Schneier on Security.)
Hackers show it's easy to snoop on a GSM type mobile-phone call
Hackers show it's easy to snoop on a GSM call: Via Computerworld Security News.
Computer security researchers say that the GSM phones used by the majority of the world's mobile-phone users can be listened in on with just a few thousand dollars worth of hardware and some free open-source tools.
In a presentation given Sunday at the Chaos Communication Conference in Berlin, researcher Karsten Nohl said that he had compiled 2 terabytes worth of data -- cracking tables that can be used as a kind of reverse phone-book to determine the encryption key used to secure a GSM (Global System for Mobile communications) telephone conversation or text message.
While Nohl stopped short of releasing a GSM-cracking device -- that would be illegal in many countries, including the U.S. -- he said he divulged information that has been common knowledge in academic circles and made it "practically useable." [ Read more ... ]
NORAD Tracks Santa - 2009
NORAD TRACKS SANTA 2008 - International (English, Deutsch, Espanol, Italiano, Francais, 中文, 日本語): Via The North Pole.
All the preparations for this year are in place! Return on Christmas Eve to track St. Nick on his magical flight around the world!
Until then, come back each day to receive updates from the North Pole and to discover new surprises in the Kids' Countdown.
And you can get a little history about this from Wikipedia. For those of you who prefer making phone calls, the official hotline is 1-877-HI-NORAD. Google Analytics also has some details about this tracking program. [ Read more ... ]