<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security by Eric Jacksch &#187; Privacy</title>
	<atom:link href="http://jacksch.com/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://jacksch.com</link>
	<description>Infosec and cyber security news and viewpoints from a security professional with over 15 years in the trenches.</description>
	<lastBuildDate>Fri, 18 May 2012 13:05:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Don&#8217;t take photos you don&#8217;t want people to see</title>
		<link>http://jacksch.com/2011/09/dont-take-photos-you-dont-want-people-to-see/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dont-take-photos-you-dont-want-people-to-see</link>
		<comments>http://jacksch.com/2011/09/dont-take-photos-you-dont-want-people-to-see/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 17:00:42 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4352</guid>
		<description><![CDATA[According to E!Online, Scarlett Johansson is &#8220;fighting mad&#8221; over some nude pics of her that ended up online. Let me offer some simple security advice: If you don&#8217;t want people to see something, don&#8217;t photograph it. If you have a look at the pics (Links: photo1 photo2) you&#8217;ll note that she appears to have taken them [...]]]></description>
			<content:encoded><![CDATA[<p>According to E!Online, <a href="http://www.eonline.com/news/scarlett_johansson_fighting_mad_over/263666" target="_blank">Scarlett Johansson is &#8220;fighting mad&#8221;</a> over some nude pics of her that ended up online. Let me offer some simple security advice:</p>
<p><strong>If you don&#8217;t want people to see something, don&#8217;t photograph it.</strong></p>
<p>If you have a look at the pics (Links: <a href="http://s3-ak.buzzfed.com/static/enhanced/web03/2011/9/14/7/enhanced-buzz-13840-1316001575-12.jpg" target="_blank">photo1</a> <a href="http://s3-ak.buzzfed.com/static/enhanced/web05/2011/9/14/7/enhanced-buzz-6233-1316001584-33.jpg" target="_blank">photo2</a>) you&#8217;ll note that she appears to have taken them herself using her mobile phone.  While I certainly don&#8217;t have any inside knowledge of the case, my bet would be that the sender or recipient&#8217;s email account was compromised, not the phone itself.  Of course for that to be the case, she would have had to email the images to someone, which brings us to my next bit of advice:</p>
<p><strong>Don&#8217;t email photos that you don&#8217;t want people to see.</strong></p>
<p>Of course there&#8217;s always the publicity angle.  Leak nude pics of yourself. Benefit from the exposure, but deny intent.  Then play up the victim angle, collect some sympathy votes, and keep the story alive.  Ah, Hollywood.</p>
<p>Added 2011-09-20:  I linked to the photos in the original article because of their relevance to the story &#8212; they showed her holding the camera herself. I did not copy the images to avoid a copyright infringement.  It appears that they have been taken offline or access blocked.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/09/dont-take-photos-you-dont-want-people-to-see/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Skype encryption flawed</title>
		<link>http://jacksch.com/2011/05/skype-encryption-flawed/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=skype-encryption-flawed</link>
		<comments>http://jacksch.com/2011/05/skype-encryption-flawed/#comments</comments>
		<pubDate>Mon, 30 May 2011 13:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4222</guid>
		<description><![CDATA[University of North Carolina researchers have demonstrated that the encryption system used by Skype – and presumably other VoIP products – is flawed and leaks data.&#160; In summary, patterns in packet sizes appear to be sufficient to perform linguistic analysis.&#160; According to New Scientist, the researchers were able to decrypt 2.3 percent of conversations and [...]]]></description>
			<content:encoded><![CDATA[<p>University of North Carolina researchers have demonstrated that the encryption system used by Skype – and presumably other VoIP products – is flawed and leaks data.&#160; In summary, patterns in packet sizes appear to be sufficient to perform linguistic analysis.&#160; According to <a href="http://www.newscientist.com/blogs/onepercent/2011/05/words-leak-from-encrypted-onli.html" target="_blank">New Scientist</a>, the researchers were able to decrypt 2.3 percent of conversations and accuracy is expected to increase.</p>
<p>There is good reason that high-end cryptographic devices offer features such as maintaining a constant data rate independent of the data being encrypted. It sounds like Skype might want to also incorporate some of those features.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/05/skype-encryption-flawed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apple responds on location data</title>
		<link>http://jacksch.com/2011/04/apple-responds-on-location-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=apple-responds-on-location-data</link>
		<comments>http://jacksch.com/2011/04/apple-responds-on-location-data/#comments</comments>
		<pubDate>Wed, 27 Apr 2011 21:49:40 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4202</guid>
		<description><![CDATA[There has been a lot of discussion and speculation lately about the iPhone, how it uses location information, and the privacy implications. Apple released this information today &#8212; I&#8217;m presenting it verbatim to preserve the context.  I found the bit about collecting anonymous traffic data quite interesting! April 27, 2011 Apple Q&#38;A on Location Data [...]]]></description>
			<content:encoded><![CDATA[<p>There has been a lot of discussion and speculation lately about the iPhone, how it uses location information, and the privacy implications. Apple released this information today &#8212; I&#8217;m presenting it verbatim to preserve the context.  I found the bit about collecting anonymous traffic data quite interesting!</p>
<p>April 27, 2011</p>
<p>Apple Q&amp;A on Location Data</p>
<p>Apple would like to respond to the questions we have recently received about the gathering and use of location information by our devices.</p>
<p>1. Why is Apple tracking the location of my iPhone?<br />
Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.</p>
<p>2. Then why is everyone so concerned about this?<br />
Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite. Users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.</p>
<p>3. Why is my iPhone logging my location?<br />
The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.</p>
<p>4. Is this crowd-sourced database stored on the iPhone?<br />
The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone. This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone. The backup is encrypted or not, depending on the user settings in iTunes. The location data that researchers are seeing on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone. We plan to cease backing up this cache in a software update coming soon (see Software Update section below).</p>
<p>5. Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?<br />
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.</p>
<p>6. People have identified up to a year’s worth of location data being stored on the iPhone. Why does my iPhone need so much data in order to assist it in finding my location today?<br />
This data is not the iPhone’s location data—it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.</p>
<p>7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?<br />
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).</p>
<p>8. What other location data is Apple collecting from the iPhone besides crowd-sourced Wi-Fi hotspot and cell tower data?<br />
Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.</p>
<p>9. Does Apple currently provide any data collected from iPhones to third parties?<br />
We provide anonymous crash logs from users that have opted in to third-party developers to help them debug their apps. Our iAds advertising system can use location as a factor in targeting ads. Location is not shared with any third party or ad unless the user explicitly approves giving the current location to the current ad (for example, to request the ad locate the Target store nearest them).</p>
<p>10. Does Apple believe that personal information security and privacy are important?<br />
Yes, we strongly do. For example, iPhone was the first to ask users to give their permission for each and every app that wanted to use location. Apple will continue to be one of the leaders in strengthening personal information security and privacy.</p>
<p>Software Update<br />
Sometime in the next few weeks Apple will release a free iOS software update that:</p>
<p>• reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,<br />
• ceases backing up this cache, and<br />
• deletes this cache entirely when Location Services is turned off.</p>
<p>In the next major iOS software release the cache will also be encrypted on the iPhone.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/04/apple-responds-on-location-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Evidence Eliminator is a bad idea</title>
		<link>http://jacksch.com/2009/09/evidence-eliminator-is-a-bad-idea/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=evidence-eliminator-is-a-bad-idea</link>
		<comments>http://jacksch.com/2009/09/evidence-eliminator-is-a-bad-idea/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 23:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3752</guid>
		<description><![CDATA[By now most of us know that when we delete a file from our computer it isn’t really gone – the space is merely marked as being available for reuse. Unlike in the physical world, where we can easily shred or burn documents we wish to dispose of (and put the others out in the [...]]]></description>
			<content:encoded><![CDATA[<p>By now most of us know that when we delete a file from our computer it isn’t really gone – the space is merely marked as being available for reuse. Unlike in the physical world, where we can easily shred or burn documents we wish to dispose of (and put the others out in the same trash bag as the kitchen waste and used kitty litter) it’s relatively hard to do the same on our PCs.</p>
<p>If our operating systems and applications were designed with privacy in mind, we could simply tell them that we don’t want to retain any browsing history, that our web cache and cookies should be deleted when we close our browser, that we aren’t interested in being presented with a list of our most recently used files, and that the last date/time a file was read isn’t necessary information.  We could also tell it to overwrite disk space when it’s done with it.</p>
<p>The technical reasons behind some of these issues were originally performance related, but given the speed of computers these days, there is no good reason that our computer needs to keep notes on what we’ve been using it for.</p>
<p>Of course when one brings up these issues, there are those who ask, “What do you have to hide?”  Child pornography is an often-quoted example of why computer forensics is a good thing, and I certainly agree that child pornographers should receive an express ticket to jail (or worse).  But I’m not willing to give up fundamental privacy rights and live in digital glass houses in order to make it easier to catch criminals.</p>
<p>I’ve written before about hard drive encryption, and full drive encryption remains the best way to safeguard your privacy.  The enhanced BitLocker functionality in Windows 7, combined with the TPM chip in many new computers, is a move in the right direction. The open source TrueCrypt project is great, but they need to quickly adapt to new realities in Windows 7.</p>
<p>Self-encrypting hard drives appear to be a promising technology, but while vendors brag about them, they aren’t readily available and technical information remains marginal at best. If &#8212; as a security professional and writer &#8212; I can’t get my hands on one to test, I have to conclude that they’re not a viable option at this time.</p>
<p>Then there are software products that perform tasks such as wiping free space and deleting unwanted browser histories.  From a functional security perspective, products like Evidence Eliminator can perform a nice clean-up of your computer, deleting temporary files, browser artefacts, and wiping unused hard drive space to eliminate ‘deleted’ data.  But “Evidence Eliminator” is a really bad idea.</p>
<p>From a security perspective, this product (and to be fair many others in the same category) often creates a bigger problem than it solves:  While they do a good job of removing unwanted data, they also do a fantastic job of creating evidence that you ran “Evidence Eliminator”. It is quite amusing to read of people attempting to explain in court that they didn’t delete data pertaining to the matter in front of the court when they ran “Evidence Eliminator”.  By definition, if you’re eliminating evidence, you look guilty.</p>
<p>Ironically, by calling the product “Evidence Eliminator”, the vendor has made performing clean-up tasks that may be quite reasonable in many circumstances look like a criminal act.</p>
<p>Imagine you’re at work and someone you know emails a URL.  You download a file you expect contains something humorous and end up with porn on your work computer.  Sure we can discuss why you shouldn’t have downloaded it in the first place, but there are countless scenarios that could result in you having some type of data on your drive that you don’t want.</p>
<p>In the physical world, you could toss it in the shredder bin, take it home and put it in the fireplace, or otherwise dispose of it. We should have the same ability with data.  But it’s just real deletion that we want, not evidence elimination.</p>
<p>On the off chance that enterprising developers are reading, there are two products missing from the market – or at least I can’t find them!</p>
<p>The first is a clean-up product that runs entirely from a USB stick and does not require installation on the PC.  Running it would clean up the hard drive, overwrite browser artefacts, temporary files, wipe free hard drive space, etc. In fact, it would do most of the things that Evidence Eliminator does – except the purpose would be to clean up the computer and protect privacy – not destroy evidence.</p>
<p>The second is an installable package that monitors system use and cleans up after the user automatically.  In short, it would protect privacy by doing what the operating system and applications should offer to do by themselves: really deleting stuff.</p>
<p>Thoughts?  Questions?  Ideas?</p>
<p>Let’s hear ‘em!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/09/evidence-eliminator-is-a-bad-idea/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Anonymity and Privacy</title>
		<link>http://jacksch.com/2009/02/anonymity-and-privacy/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=anonymity-and-privacy</link>
		<comments>http://jacksch.com/2009/02/anonymity-and-privacy/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 11:00:03 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3110</guid>
		<description><![CDATA[Some of the most interesting security debates involve anonymity and privacy.  Everyone seems to have a different idea about what those words mean.  For example, some people think anonymity is a binary thing – you’re either anonymous or you’re not.  But when I think of anonymity I think of two axis. The first is how [...]]]></description>
			<content:encoded><![CDATA[<p>Some of the most interesting security debates involve anonymity and privacy.  Everyone seems to have a different idea about what those words mean.  For example, some people think anonymity is a binary thing – you’re either anonymous or you’re not.  But when I think of anonymity I think of two axes.</p>
<p>The first is how much or little someone knows about you.  For example, if you know what I look like, I don’t feel completely anonymous.  But I feel more anonymous than if you also know my name.  Perhaps that’s because I’m a 6’7” bald guy and if you went around Ottawa asking security professionals if they knew a tall bald security/writer/photographer guy chances are that my name would come up pretty quick.  Or, perhaps, it’s because my name is only part of my identity.</p>
<p>The other axis is how difficult it is to breach someone’s anonymity. For example, it might not be too hard to get the clerk at a small-town store to tell you the name of the customer that was in front of you in line.  But getting information from other sources is more difficult.</p>
<p>So, when I think of anonymity, I picture a quadrant.  In the upper right corner you know nothing about me and it would be really hard to find out who I am.  In the lower left corner my name, address, telephone number and photo are on the front page of the <em>Ottawa Sun</em>.</p>
<p>Privacy is even more complex because it is hard to define.  For example, it has been defined as:</p>
<ul>
<li>The right to be left alone;</li>
<li>The right to exercise control over one’s personal information; and,</li>
<li>A set of conditions necessary to protect our individual dignity and autonomy.</li>
</ul>
<p>When it comes to telemarketers, the right to be left alone appeals to me. I’d also like to stop businesses from selling my name to other businesses (or telemarketers). And I’d prefer some privacy when I’m in the washroom too, thank you very much!</p>
<p>Anonymity and privacy are obviously related. But the interesting debate is whether anonymity is required to achieve privacy.  In some cases it certainly helps: When I buy a coffee from Starbucks and pay cash, I have a relatively high level of anonymity, at least until they install cameras with face recognition software that links back to that one time I pulled out my debit card. (Of course if it expedited my mocachino with an extra shot of espresso I might not feel too violated.) But other privacy controls exist, including legislation, corporate policy and the desire to avoid negative publicity.</p>
<p>The problem with such privacy mechanisms is that they are outside the control of the individual.  When I surf the net, I have no way of knowing what companies do with that data. I don’t know for a fact that Google isn’t building a database of every search request from my IP address and that at some point in the future they’re not going to acquire (or be acquired by) companies and link my IP address to my credit card information or Facebook profile.  And there are online advertising companies that make it their business to track users across multiple Web sites using cookies of the not-so-tasty variety.</p>
<p>Whether this matters to you or not really depends on who you are and what you do online. You may not care and it might not matter. Or, you might prefer that the only people who have your personal information are those you give it to.</p>
<p>As more people understand these issues, the anonymous Web surfing services will continue to gain popularity.  For example, one of the best known is Anonymizer, started by astrophysicist Lance Cottrell in 1995. He was concerned about online privacy and as an early Internet user saw first-hand how much information could be captured.  And his company was recently acquired by a larger firm that provides anonymous Internet access to corporations, governments and law enforcement agencies.</p>
<p>But before you rush out and buy, it’s important to consider the big picture. Anonymous proxies hide your real IP address, and are a great first-line defense of your online privacy. But, to be effective, you also must control cookies and carefully consider what personal information you give to businesses, including social networking sites. Remaining anonymous on the Internet to protect your privacy requires much more than hiding your IP address.  It requires that you also think before you type.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/02/anonymity-and-privacy/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Evidence from a Black Box</title>
		<link>http://jacksch.com/2009/02/evidence-from-a-black-box-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=evidence-from-a-black-box-2</link>
		<comments>http://jacksch.com/2009/02/evidence-from-a-black-box-2/#comments</comments>
		<pubDate>Mon, 09 Feb 2009 11:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Law]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=2879</guid>
		<description><![CDATA[A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him. On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him [...]]]></description>
			<content:encoded><![CDATA[<p>A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him.</p>
<p>On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him is that he exhaled into a box and it displayed a number. And that number was too big.  In fact, everyone who drives, impaired or not, presumably has an interest in the accuracy of the device.</p>
<p>But the manufacturer, CMI, Inc., and the State of Minnesota apparently disagree, and they have convinced both the trial and appeal judges that handing over the source code would be “unreasonably burdensome.” So unless the defendant launches another appeal — or perhaps buys one and sends it to a lab for analysis — he appears to be out of luck.</p>
<p>I’m inclined to believe that the accused is simply looking for any possible way to have the evidence against him excluded. But that’s the way the system works. To be convicted, the accused must be proven guilty beyond a reasonable doubt. He has the right to cross examine human witnesses, so it simply doesn’t make sense that he’s not allowed to examine the functioning of the machine that says he was over the legal limit.</p>
<p><strong>What could go wrong</strong></p>
<p>There are a number of things that could go wrong with an electronic breathalyzer.  Presumably, aging or failing components that change the readings would be picked up during calibrations, so there are likely some procedural safeguards. But what if the developer made a mistake or took shortcuts?  Converting the output of an optical sensor into alcohol in the breath into blood alcohol levels must involve some math. What if there is a bug in the math libraries that hasn’t been discovered?</p>
<p>Then there are issues such as version control. Did the right software get loaded onto the device? Has it been upgraded? Can the vendor reproduce the exact code loaded onto devices sold several years ago? Has it been modified?</p>
<p>The last question should send shivers down a Judge’s spine. The device is in the custody of the same person who laid the charges and, therefore, has an interest in seeing a conviction. While the vast majority of police officers play by the rules, we are obliged to ask the question: What checks and balances are in place to stop that one bad apple from tampering with the device? Without appropriate safeguards, you too could be just one firmware mod away from a criminal conviction.</p>
<p><strong>What should be done</strong></p>
<p>An objective third party can examine all aspects of the software development life cycle, the software, the hardware, field maintenance and related security controls. If the manufacturer has done its job, the third party report will depict a reliable and trustworthy device. In fact, if the manufacturer has done its job, it should welcome the notion of an objective third party doing just that. On the other hand, if the manufacturer hasn’t done its job, we’ll all know that, as well.</p>
<p>According to Bill Collins, sales manager at CMI, the product was thoroughly tested by the National Highway Traffic Safety Administration, part of the United States Department of Transportation, prior to sale to law enforcement agencies. Individual States also test the device and it has been subject to other third party examinations prior to being generally accepted by the courts.  He made another very good point: Source code is only one part of the device and, to draw a meaningful conclusion, one would have to examine the entire device including both hardware and software.</p>
<p><strong>Preserving defendant rights</strong></p>
<p>While I sympathize with the company and understand its desire to keep the proprietary source code confidential, impaired driving is a crime and a conviction can have major implications, including restrictions on employment and travel. Criminal defendants must be allowed to examine the evidence against them. Intellectual property concerns are a red herring – courts have long had procedures in place to allow the examination of sensitive information in a controlled manner.</p>
<p>If a defendant wants to retain an expert to conduct such an analysis, he or she must be allowed to do so. If the product is solid, defendants will quickly find out that they are simply throwing their money away. Some American states including Florida agree and have upheld the defendant’s right to examine the code.</p>
<p>In the words of English jurist William Blackstone, “Better that ten guilty persons escape than that one innocent suffer.”  Allowing any black box to produce evidence is a slippery slope that we can’t afford, and product vendors should take note. It won’t be long until other devices like digital recorders are subject to the same scrutiny. Until we illuminate inside, outside and around the box there is no justice.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/02/evidence-from-a-black-box-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Facebook safely</title>
		<link>http://jacksch.com/2008/11/facebook-safely/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=facebook-safely</link>
		<comments>http://jacksch.com/2008/11/facebook-safely/#comments</comments>
		<pubDate>Mon, 03 Nov 2008 11:00:28 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=716</guid>
		<description><![CDATA[Facebook (along with other social networking sites) has been around for a few years, and a lot has been written about the security issues involved. Googling “facebook security” yields about 20,500 hits. But what do users really need to know? Information about Facebook users can be broken down into several categories: Personal information: Facebook allows [...]]]></description>
			<content:encoded><![CDATA[
<p>Facebook (along with other social networking sites) has been around for a few years, and a lot has been written about the security issues involved.  Googling “facebook security” yields about 20,500 hits.  But what do users really need to know?</p>
<p>Information about Facebook users can be broken down into several categories:</p>
<ul>
<li>Personal information:  Facebook allows users to enter personal information such as their date of birth, home town, relationship status, sexual orientation, religious views, email address, telephone number, educational background, and employer.</li>
<li>Friends:  The point of social networking is to connect with &#8220;friends&#8221;.  Facebook users send requests to add friends, and if the potential friend agrees, they are connected on Facebook.  Any user who can view the profile of either &#8220;friend&#8221; can see that they are connected.  Some people allow anyone to see who their &#8220;friends&#8221; are, so social networks can be mapped.</li>
<li>Photos:  Facebook users can upload photos and tag people in them.  For example, if a friend uploads a photo that you are in, they can tag you in the photo.  Another user viewing the photo can see your name associated with the photo.</li>
<li>Facebook Applications:  Facebook applications allow users to post information on their profile, other users&#8217; profiles, etc.  Whether other users can see the information depends on your privacy settings (more on that later).</li>
<li>Third Party Applications:  Facebook and third party applications that you enable have access to information in your profile.  While there are some privacy restrictions in place, you should assume that all your personal information is available to any application you add.</li>
</ul>
<p>So how do you stay safe on Facebook?  The various applications and privacy settings may be overwhelming, but the answer is simple:</p>
<ol>
<li>Don&#8217;t enter unnecessary personal information into Facebook in the first place.  While they require that you provide your date of birth (although they have no way to verify that you are providing correct information), virtually all the other personal information is optional.  If you wouldn&#8217;t be comfortable answering the same question posed by a stranger or at a job interview, don&#8217;t type it into Facebook.</li>
<li>Do not supply information about your school or employer.  While you might not consider your employment details particularly sensitive, doing so may give your employer a legitimate reason to object to what you have written since it may reflect on them.  Unless you use Facebook for business purposes, keep your employer out of it.</li>
<li>Configure all privacy settings for your profile (Settings &gt; Privacy Settings &gt; Profile) to &#8216;Only Friends&#8217;.  This makes it more difficult for people who don&#8217;t know you to obtain personal information about you.  You can always change this later if there is specific information you wish to share with a wider audience.</li>
<li>Don&#8217;t blindly accept friend requests.  Identity thieves and unscrupulous marketers may send large numbers of friend requests.  If you&#8217;re not comfortable simply ignoring requests from people you don&#8217;t recognize, you can always send them a message back politely asking, &#8220;Can you remind me where I know you from?&#8221;  Just remember that sending someone a message on Facebook gives them access to some information in your profile.</li>
<li>Think before you post.  As a general rule, don&#8217;t post anything on Facebook that you wouldn&#8217;t want posted on the Internet.  You may think that only your &#8216;friends&#8217; can read it, and today you might be right.  However, your words may hang around Facebook for a long time.  Also, you have no way to prevent a &#8216;friend&#8217; from copying, printing or creating a .pdf and sharing it with others.</li>
</ol>
<p>Facebook is a great way to keep in touch with friends.  By following a few basic rules and considering the potential consequences before giving Facebook information, you can keep it safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/11/facebook-safely/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy on Social Networks</title>
		<link>http://jacksch.com/2008/03/privacy-on-social-networks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=privacy-on-social-networks</link>
		<comments>http://jacksch.com/2008/03/privacy-on-social-networks/#comments</comments>
		<pubDate>Fri, 14 Mar 2008 11:12:06 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=155</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>Use MySpace, Facebook, or LinkedIn?</p>
<p>The Privacy Commissioner of Canada has a brief yet thought-provoking <a href="http://blog.privcom.gc.ca/index.php/privacy-on-social-networks/">presentation on social networking</a> that&#8217;s worth a few minutes of your time.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/03/privacy-on-social-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Children&#8217;s Privacy Online</title>
		<link>http://jacksch.com/2007/10/childrens-privacy-online/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=childrens-privacy-online</link>
		<comments>http://jacksch.com/2007/10/childrens-privacy-online/#comments</comments>
		<pubDate>Tue, 23 Oct 2007 23:41:16 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Children]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=129</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>The Office of the Privacy Commissioner of Canada has posted Professor Valerie Steeves&#8217; presentation deck and <a href="http://video.google.ca/videoplay?docid=7709702757763862786&amp;hl=en-CA">speech</a> on Children&#8217;s Privacy Online on their <a href="http://blog.privcom.gc.ca/index.php/2007/10/21/how-childrens-sites-see-your-kids-as-marketing-goldmines/">blog</a>. Professor Steeves from the Department of Criminology at the University of Ottawa provides a thought-provoking and somewhat alarming insight into how companies are turning online children&#8217;s playgrounds into research and marketing tools. Every parent should <a href="http://video.google.ca/videoplay?docid=7709702757763862786&amp;hl=en-CA">watch this video</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2007/10/childrens-privacy-online/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Privacy Matters</title>
		<link>http://jacksch.com/2007/03/why-privacy-matters/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=why-privacy-matters</link>
		<comments>http://jacksch.com/2007/03/why-privacy-matters/#comments</comments>
		<pubDate>Thu, 08 Mar 2007 16:35:51 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=86</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>As an information security (infosec) guy I don&#8217;t blog about work. To put it mildly, customers would not appreciate it. So when I do blog about security, it&#8217;s about more general issues and events.</p>
<p>Here&#8217;s a good one on privacy. You might think it seems far-fetched, but allow companies to combine information from the right databases, and it&#8217;s actually quite easy. It also could be profitable&#8230;</p>
<p><a href="http://www.aclu.org/pizza/images/screen.swf">http://www.aclu.org/pizza/images/screen.swf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2007/03/why-privacy-matters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

