infosec

mediaeater information security news
infosec
Being online: Your identity to advertisers--it's not all about you - O'Reilly Radar - http://radar.oreilly.com/2009...
Each cookie--so long as you don't take action to remove one, as I did in my experiment--is returned to the server that left it on your browser. If you use a different browser, the server doesn't know you're the same person, and if a family member uses your browser to visit the same server, it doesn't know you're different people. Because the browser returns the cookie only to servers from the same domain--say, yahoo.com--that sent the cookie, your identity is automatically segmented. Whatever yahoo.com knows about you, oreilly.com and google.com do not. Servers can also subdivide domains, so that mail.yahoo.com can use the cookie to keep track of your preferred mail settings while weather.yahoo.com serves meteorological information appropriate for your location.
infosec
Facebook's New Privacy Changes: The Good, The Bad, and The Ugly | Electronic Frontier Foundation - http://www.eff.org/deeplin...
Facebook treats that information — along with your name, profile picture, current city, gender, networks, and the pages that you are a "fan" of — as "publicly available information" or "PAI."
infosec
An Introduction
WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks. WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.
infosec
Google chief: only miscreants worry about net privacy • The Register - http://www.theregister.co.uk/2009...
When the privacy question appears, Google likes to talk about the people asking the questions. But the problem lies elsewhere: with the millions upon millions blissfully unaware of the questions. If you're concerned about your online privacy, you can always put the kibosh on Google's tracking cookies. You can avoid signing in to Google accounts. And, yes, you can avoid using Google for anything Eric Schmidt thinks you shouldn't be doing. But most web users don't even realize Google is hoarding their data. CNBC asks Schmidt: "People are treating Google like their most trusted friend. Should they be?" But he answers by scoffing at those who don't trust Google at all.
infosec
The dark side of the internet | Technology | The Guardian - http://www.guardian.co.uk/technol...
"The darkweb"; "the deep web"; beneath "the surface web" – the metaphors alone make the internet feel suddenly more unfathomable and mysterious. Other terms circulate among those in the know: "darknet", "invisible web", "dark address space", "murky address space", "dirty address space". Not all these phrases mean the same thing. While a "darknet" is an online network such as Freenet that is concealed from non-users, with all the potential for transgressive behaviour that implies, much of "the deep web", spooky as it sounds, consists of unremarkable consumer and research data that is beyond the reach of search engines. "Dark address space" often refers to internet addresses that, for purely technical reasons, have simply stopped working.
infosec
Ever-Present Surveillance Rankles the British Public - NYTimes.com - http://www.nytimes.com/2009...
A report in 2007 by the lobbying group Privacy International placed Britain in the bottom five countries for its record on privacy and surveillance, on a par with Singapore. But the intrusions visited on Jenny Paton, a 40-year-old mother of three, were startling just the same. Suspecting Ms. Paton of falsifying her address to get her daughter into the neighborhood school, local officials here began a covert surveillance operation. They obtained her telephone billing records. And for more than three weeks in 2008, an officer from the Poole education department secretly followed her, noting on a log the movements of the “female and three children” and the “target vehicle” (that would be Ms. Paton, her daughters and their car).
infosec
Slipstream - How Private Can Electronic Data Ever Be? - NYTimes.com - http://www.nytimes.com/2009...
For example, contestants in Netflix’s competition to improve its recommendation software received a training data set containing the movie preferences of more than 480,000 customers who had, as they say in the trade, been “de-identified.” But as part of a privacy experiment, a pair of computer scientists at the University of Texas at Austin decided to see if it was possible to re-identify those unnamed movie fans.
infosec
Watching Consumers Who Are Watching Themselves Get Watched - Advertising Age - The Media Guy - http://adage.com/mediawo...
Finally, a bit more from the Penn-Berkeley study: "While privacy advocates have lambasted behavioral targeting for tracking and labeling people in ways they do not know or understand, marketers have defended the practice by insisting it gives Americans what they want: advertisements and other forms of content that are as relevant to their lives as possible. Contrary to what many marketers claim, most adult Americans (66%) do not want marketers to tailor advertisements to their interests. Moreover, when Americans are informed of three common ways that marketers gather data about people in order to tailor ads, even higher percentages -- between 73% and 86% -- say they would not want such advertising."
infosec
PJF's Pages - Journal - Dark Stalking on Facebook - http://pjf.id.au/blog...
Most recently, I've been able to obtain status feeds, even for users who have very tight privacy settings, although I had to tweak my own application's privileges to do so. I don't know how far into the past these go, but they also come with likes information, and comments. This gives me a wealth of information on the strength and types of relationships people have. A person who comments a lot on another user's posts probably finds that user interesting. If I descended into keyword and text analysis, I may even be able to determine how they find that user interesting.
infosec
Is Online Privacy a Generational Issue? - http://www.wired.com/geekdad...
Digital immigrants tend to think about privacy as the ability to conceal information from others. Digital natives instead share information within certain contexts, and with granular privacy controls on that information. And according to a new study on behavioral advertising, it is precisely the 18-24 year old age bracket that cares most about how information is used to make decisions about them to deliver news, advertisements, or discounts. In fact, one of the survey’s authors told the New York Times that it’s likely that young adults care more about their privacy and how companies use their information than expected.
infosec
Two-Thirds of Americans Object to Online Tracking, Study Says - NYTimes.com - http://www.nytimes.com/glogin...
The respondents’ aversion to tailored ads increased once they learned about targeting methods. In addition to the original 66 percent that said tailored ads were “not O.K.,” an additional 7 percent said such ads were not O.K. when they were tracked on the site. An additional 18 percent said it was not O.K. when they were tracked via other Web sites, and an additional 20 percent said it was not O.K. when they were tracked offline. The survey company also asked about customized discounts and customized news. Fifty-one percent of respondents said that tailored discounts were O.K., and 58 percent said that customized news was fine.
infosec
Age of Consent - Data Privacy: Behavioral Targeting + Social Media - Wiredset / Blogs / Mark Ghuneim - http://wiredset.com/blogs...
Are consumers appropriately aware of what is being done? Are the self-regulation principles adequate? Do consumers have "notice and choice", and taking it a step further, do they consent and have access and visibility into the data being collected? Is the quid pro quo balanced?
infosec
Social Networks May 'Leak' Personally Identifiable Information 09/28/2009 - http://www.mediapost.com/publica...
The result, according to the report, is that most social networking site users "are vulnerable to having their ... identity information linked with tracking cookies." For instance, an ad network could serve an impression to a Web user while he/she is at, say, the page Facebook.com/John. The ad network could then theoretically tie the anonymous cookie on that user's browser to the Facebook URL and piece together the user's identity. But the process doesn't appear to be foolproof. A Facebook representative says that the referring URL, in this scenario Facebook.com/John, doesn't indicate whether the visitor is John or another user who clicked on that page.
infosec
Why Social Media Should Welcome Location-Based Services - BusinessWeek - http://www.businessweek.com/technol...
Potential Gold Mine for Marketers There's no denying LBS could also become a gold mine for marketers. "Context awareness is critical when you want to buy something, and advertisers get higher targeting based on our patterns and social contexts," says Massachusetts Institute of Technology researcher Nadav Aharony. Yet as the space crowds with LBS players, the challenge will be to protect users' privacy, find ways to make marketing pitches relevant, and separate useful sites from also-rans. Executives at Brightkite take security concerns seriously and give users the option not to broadcast their whereabouts. "A real sense of privacy is important, and we spend a lot of time thinking about it," says Brightkite CEO and co-founder Jonathon Linner. "Privacy has to be transparent—in the setting menu and the post screen. It has to be very explicit." Twitter plans to make its location services opt-in, also letting users choose whether to tell others where they are
infosec
Bismarck Tribune Online - World and National News - http://hosted.ap.org/dynamic...
"The government needs to get its own cybersecurity house in order first before it tries to tell the private sector what to do," said Gregory T. Nojeim, senior counsel for the Center for Democracy and Technology.
infosec
Netflix Awards $1 Million Prize and Starts a New Contest - Bits Blog - NYTimes.com - http://bits.blogs.nytimes.com/2009...
The new contest is going to present the contestants with demographic and behavioral data, and they will be asked to model individuals’ “taste profiles,” the company said. The data set of more than 100 million entries will include information about renters’ ages, gender, ZIP codes, genre ratings and previously chosen movies. Unlike the first challenge, the contest will have no specific accuracy target. Instead, $500,000 will be awarded to the team in the lead after six months, and $500,000 to the leader after 18 months. The payoff for Netflix? “Accurately predicting the movies Netflix members will love is a key component of our service,” said Neil Hunt, chief product officer.
infosec
Project ‘Gaydar’: An MIT experiment raises new questions about online privacy - The Boston Globe - http://www.boston.com/bostong...
Using data from the social network Facebook, they made a striking discovery: just by looking at a person’s online friends, they could predict whether the person was gay. They did this with a software program that looked at the gender and sexuality of a person’s friends and, using statistical analysis, made a prediction. The two students had no way of checking all of their predictions, but based on their own knowledge outside the Facebook world, their computer program appeared quite accurate for men, they said. People may be effectively “outing” themselves just by the virtual company they keep.
mediaeater
Project ‘Gaydar’: An MIT experiment raises new questions about online privacy - The Boston Globe - http://www.boston.com/bostong...
"“Even if you don’t affirmatively post revealing information, simply publishing your friends’ list may reveal sensitive information about you, or it may lead people to make assumptions about you that are incorrect,” said Kevin Bankston, senior staff attorney for the Electronic Frontier Foundation, a nonprofit digital rights organization in San Francisco. “Certainly if most or many of your friends are of a particular religious or political or sexual category, others may conclude you are part of the same category - even if you haven’t said so yourself.” The project, given the name “Gaydar” by the students, Carter Jernigan and Behram Mistree, is part of the fast-moving field of social network analysis, which examines what the connections between people can tell us. The applications run the gamut, from predicting who might be a terrorist to the likelihood a person is happy or fat. The idea of making assumptions about people by looking at their relationships is not new, but the sudden availability of information online means the field’s powerful tools can now be applied to just about anyone" - mediaeater from Bookmarklet
infosec
My research interests are in information privacy and in computer and networks security. In particular, I study security and privacy aspects of emerging mobile and distributed computing systems, such as location-based services, delay-tolerant networks, and online voting. Some sample topics that I have worked on are:
infosec
Advertising - On the Web, Ads Can Be a Security Hole - NYTimes.com - http://www.nytimes.com/2009...
While Web site owners usually review the ads they run for quality control and security reasons, many online ads are sold and distributed through middlemen known as ad networks. As a result, ads can appear on a site that its operators have not directly approved, and they may be pulled into its pages from computer servers that it does not control. About half of the ads delivered to The Times’s Web site come from ad networks. As reports of strange activity came in over the weekend, the technical and advertising staff at The Times began to suspect that a rogue ad had slipped through this way, and they moved to stop displaying such ads, said Diane McNulty, a spokeswoman for the Times Company. But it now appears that the ad was approved by the site’s advertising operations team, Ms. McNulty said. People visiting nytimes.com continued to complain about the pop-up ads throughout the weekend.
infosec
FTC Approves Final Consent Order Requiring Sears to Disclose the Installation of Tracking Software - Wiredset / Blogs / Mark Ghuneim - http://wiredset.com/blogs...
the software also monitored consumers' online secure sessions - including sessions on third parties' Web sites - and collected consumers' personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails.
infosec
FTC Approves Final Consent Order Requiring Sears to Disclose the Installation of Tracking Software Placed on Consumers’ Computers; FTC Approves Final Consent Order in Matter Concerning Enhanced Vision Systems, Inc. - http://www.ftc.gov/opa...
According to the Commission, the software also tracked some computer activities that were not related to the Internet. Only in a lengthy user license agreement, available to consumers at the end of a multi-step registration process, did Sears disclose the full extent of the information the software tracked. The complaint charged that Sears’s failure to adequately disclose the scope of the tracking software’s data collection was deceptive and violates the FTC Act. Under the consent order settling the charges, in addition to destroying information previously collected, if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears also must disclose whether any data will be used by a third party.
infosec
Washington, D.C.: Consumer And Privacy Groups Urge Congress to Enact Consumer Privacy Guarantees - U.S. PIRG - https://www.uspirg.org/newsroo...
Privacy is a fundamental right in the United States. For four decades, the foundation of U.S. privacy policies has been based on Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. Those principles ensure that individuals are able to control their personal information, help to protect human dignity, hold accountable organizations that collect personal data, promote good business practices, and limit the risk of identity theft.
mediaeater
Schneier on Security: On London's Surveillance Cameras - http://www.schneier.com/blog...
"London, where an estimated £200 million so far has been spent on the cameras. This suggests that each crime has cost £20,000 to detect." - mediaeater from Bookmarklet
mediaeater
Letter - Protecting Privacy Online - NYTimes.com - http://www.nytimes.com/2009...
"Google actually obtained a waiver of all privacy regulations so that it could track users visiting certain government Web sites." - mediaeater from Bookmarklet
mediaeater
Cyberwar - Defying Experts, Rogue Computer Code Still Lurks - Series - NYTimes.com - http://www.nytimes.com/glogin...
"There is also a different possibility that concerns the researchers: That the program was not designed by a criminal gang, but instead by an intelligence agency or the military of some country to monitor or disable an enemy’s computers. Networks of infected computers, or botnets, were used widely as weapons in conflicts in Estonia in 2007 and in Georgia last year, and in more recent attacks against South Korean and United States government agencies. Recent attacks that temporarily crippled Twitter and Facebook were believed to have had political overtones." - mediaeater from Bookmarklet
mediaeater
Consumer Groups Launching Online Privacy Push - 2009-08-28 14:00:00 EDT | Broadcasting & Cable - http://www.broadcastingcable.com/article...
"Look for almost a dozen consumer groups and privacy advocates to launch a full-court press on targeted behavioral advertising and online privacy on Capitol Hill next week. According to a source, those groups on Sept. 1 will release a background paper, letters to House members and other documents to make their case for stronger government oversight of online marketing targeted to kids. "A growing number of child advocacy and health groups have called on the FTC and Congress to prohibit the behavioral targeting of both children and teens, next week, many leading consumer and privacy groups will send a letter to congressional leaders calling for similar safeguards," confirms Jeff Chester, executive director of the Center for Digital Democracy. Chester said that 10 groups will be involved in the push, and that they will be "pressing Congress to write legislation that truly protects consumer privacy, but enables online marketing to flourish in a more responsible fashion." The effort... - mediaeater from Bookmarklet
infosec
Bill would give president emergency control of Internet | Politics and Law - CNET News - http://news.cnet.com/8301-13...
Internet companies and civil liberties groups were alarmed this spring when a U.S. Senate bill proposed handing the White House the power to disconnect private-sector computers from the Internet. They're not much happier about a revised version that aides to Sen. Jay Rockefeller, a West Virginia Democrat, have spent months drafting behind closed doors. CNET News has obtained a copy of the 55-page draft of S.773 (excerpt), which still appears to permit the president to seize temporary control of private-sector networks during a so-called cybersecurity emergency.
infosec
Bush's Search Policy For Travelers Is Kept - washingtonpost.com - http://www.washingtonpost.com/wp-dyn...
The Obama administration will largely preserve Bush-era procedures allowing the government to search -- without suspicion of wrongdoing -- the contents of a traveler's laptop computer, cellphone or other electronic device, although officials said new policies would expand oversight of such inspections. The policy, disclosed Thursday in a pair of Department of Homeland Security directives, describes more fully than did the Bush administration the procedures by which travelers' laptops, iPods, cameras and other digital devices can be searched and seized when they cross a U.S. border. And it sets time limits for completing searches.
infosec
Is 'Friending' in Your Future? Better Pay Your Taxes First - WSJ.com - http://online.wsj.com/article...
Tax deadbeats are finding someone actually reads their MySpace and Facebook postings: the taxman. State revenue agents have begun nabbing scofflaws by mining information posted on social-networking Web sites, from relocation announcements to professional profiles to financial boasts. In Minnesota, authorities were able to levy back taxes on the wages of a long-sought tax evader after he announced on MySpace that he would be returning to his home town to work as a real-estate broker and gave his employer's name. The state collected several thousand dollars, the full amount due. Meanwhile, agents in Nebraska collected $2,000 from a deejay after ...