<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roger Halbheer on Security &#187; Privacy</title>
	<atom:link href="http://www.halbheer.ch/security/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.halbheer.ch/security</link>
	<description>Information Security Discussion by Microsoft&#039;s Worldwide Chief Security Advisor.</description>
	<lastBuildDate>Wed, 16 May 2012 18:03:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Internet Personalization&#8211;and How I Never Looked at It&#8230;</title>
		<link>http://www.halbheer.ch/security/2011/06/15/internet-personalizationand-how-i-never-looked-at-it/</link>
		<comments>http://www.halbheer.ch/security/2011/06/15/internet-personalizationand-how-i-never-looked-at-it/#comments</comments>
		<pubDate>Wed, 15 Jun 2011 14:09:39 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[People]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Trends]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/06/15/internet-personalizationand-how-i-never-looked-at-it/</guid>
		<description><![CDATA[<p>This is actually a great speech but very, very, very scary:</p> <p></p> <p>and the scariest part is that I never looked at it that way but he is right</p> <p>Roger</p> ]]></description>
			<content:encoded><![CDATA[<p>This is actually a great speech but very, very, very scary:</p>
<p><iframe width="560" height="349" src="http://www.youtube.com/embed/hOTPz7KnwIA" frameborder="0" allowfullscreen></iframe></p>
<p>and the scariest part is that I never looked at it that way but he is right</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/06/15/internet-personalizationand-how-i-never-looked-at-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>iPhone saves you the trouble of reporting your working time</title>
		<link>http://www.halbheer.ch/security/2011/04/20/iphone-saves-you-the-trouble-of-reporting-your-working-time/</link>
		<comments>http://www.halbheer.ch/security/2011/04/20/iphone-saves-you-the-trouble-of-reporting-your-working-time/#comments</comments>
		<pubDate>Wed, 20 Apr 2011 20:06:14 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Smartphones]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/04/20/iphone-saves-you-the-trouble-of-reporting-your-working-time/</guid>
		<description><![CDATA[<p>You might know the problem if you are working in consulting: You have to fill out the report, for whom you spent your time. And then you forgot to fill in the tool and all of a sudden you have a hard time figuring out where you have been.</p> <p>There is a revolution: iPhone solves <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/04/20/iphone-saves-you-the-trouble-of-reporting-your-working-time/">iPhone saves you the trouble of reporting your working time</a></span>]]></description>
			<content:encoded><![CDATA[<p>You might know the problem if you are working in consulting: You have to fill out the report, for whom you spent your time. And then you forgot to fill in the tool and all of a sudden you have a hard time figuring out where you have been.</p>
<p>There is a revolution: iPhone solves this problem! According to the Guardian in the UK, iPhone keeps track of your location, stores this in a secret file and even downloads it to your PC. You just need a tool now, which visualizes this. This might be an example:</p>
<p align="center"><img src="http://static.guim.co.uk/sys-images/Technology/Pix/pictures/2011/4/20/1303305391840/iphone-data-map-007.jpg" /></p>
<p><em>Picture from the original blog on the Guardian</em></p>
<p>Oh, you are worried about your privacy? You do not know what Apple does with this data? Why should you? Come on…</p>
<p>And you do not care about losing your phone, do you? Well, if you lose it, it might be fairly easy to figure out where you live (the biggest concentration of location data), where the favorite playground of your kids is (the second highest concentration) etc. And as your calendar is on your phone, they even know when you are on vacation or when your kids will play on the playground…. But your iPhone is secure, it takes at least 5 minutes to break it!</p>
<p>Read the whole article: <a href="http://www.guardian.co.uk/technology/2011/apr/20/iphone-tracking-prompts-privacy-fears?CMP=twt_gu" target="_blank">iPhone keeps record of everywhere you go</a></p>
<p>To me, this is fairly significant…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/04/20/iphone-saves-you-the-trouble-of-reporting-your-working-time/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Do an Online Background Check for Free</title>
		<link>http://www.halbheer.ch/security/2011/02/16/how-to-do-an-online-background-check-for-free/</link>
		<comments>http://www.halbheer.ch/security/2011/02/16/how-to-do-an-online-background-check-for-free/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 13:51:26 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Media]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/16/how-to-do-an-online-background-check-for-free/</guid>
		<description><![CDATA[<p>Well, basically this title attracted my attention: How to Do an Online Background Check for Free. I had to try it with myself. So I started, following the sites and suggestions in the article:</p> <p>I clicked on the first link and landed on 9 Sites That Find People and Their &#8216;Sensitive&#8217; Information – cool. Let’s <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/16/how-to-do-an-online-background-check-for-free/">How to Do an Online Background Check for Free</a></span>]]></description>
			<content:encoded><![CDATA[<p>Well, basically this title attracted my attention: <a href="http://www.pcworld.com/businesscenter/article/219593/how_to_do_an_online_background_check_for_free.html" target="_blank">How to Do an Online Background Check for Free</a>. I had to try it with myself. So I started, following the sites and suggestions in the article:</p>
<p>I clicked on the first link and landed on <a href="http://www.pcworld.com/article/151556/9_sites_that_find_people_and_their_sensitive_information.html" target="_blank">9 Sites That Find People and Their &#8216;Sensitive&#8217; Information</a> – cool. Let’s try them:</p>
<ul>
<li><a href="http://www.whitepages.com/" target="_blank">Whitepages.com</a>: No records on me (well, I do not live in the US…)</li>
<li><a href="http://www.peoplefinders.com/" target="_blank">Peoplefinders</a>: No success (well, I do not live in the US…)</li>
<li><a href="http://friendfeed.com/" target="_blank">FriendFeed</a>: That has to be successful. It searches Twitter and Facebook – I am there. The search finds all my Twitter posts and all the references. Wow, that’s cool. I guess Twitter would have achieved the same directly…</li>
<li><a href="http://www.isearch.com" target="_blank">iSearch</a> then, maybe they are the right ones as they claim to be <em>the world&#8217;s leading People Search Engine</em>: Five hits. One shows my Facebook and Blog profile picture (very impressive as a result) and the rest is simply useless (as it just shows a link) or wrong (my title is completely wrong, I never even had that one; my address is wrong, there is a typo in the right title…) but what they at least figured out was my gender: <em>Roger Halbheer &#8211; Gender: Male</em> – impressive and even correct!</li>
<li>Facebook: Well, that was easy. That’s where I would start first (besides bing and Twitter and Linkedin and Xing).</li>
</ul>
<p>So, I went back to the initial article and am trying my luck there as they have a few good links:</p>
<ul>
<li><a href="http://openbook.org/" target="_blank">OpenBook.org</a>: They claim to search Facebook and the like – no results for me…</li>
</ul>
<p>And then I started to skip the rest.</p>
<p>It was kind of interesting to see: Probably if you live in the US, the amount of public information available on the web is huge. If you are living in Europe, it immediately becomes much harder as we handle privacy differently. That you can get access to an address – if you decide to make your phone number public, which you do not have to – is kind of obvious (well, why? If you are looking for a phone number you do not need the address…) but criminal records? Come on…</p>
<p>If you look me up at Bing, you get something around 2300 entries, which is obvious as I blog, I speak at public events, I use Twitter etc. but the whole rest at least is partly hidden. I try hard as well that there are no public pictures of my kids on the web… That’s not necessary.</p>
<p>Anyway, that was an interesting experience to me.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/16/how-to-do-an-online-background-check-for-free/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fighting Crime and Protecting Privacy&#8211;a Contradiction?</title>
		<link>http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/</link>
		<comments>http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/#comments</comments>
		<pubDate>Wed, 02 Feb 2011 07:35:31 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Industry]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Consumer]]></category>
		<category><![CDATA[ISP]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/</guid>
		<description><![CDATA[I often read two kinds of articles when it comes to ISPs and protecting privacy. One side asks for as much privacy as possible, the other one for transparency to fight cybercrime. What is our real goal? What is the role of ISPs in fighting crime? An interesting study by the OECD in comparison with an article I read today. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/">Fighting Crime and Protecting Privacy&#8211;a Contradiction?</a></span>]]></description>
			<content:encoded><![CDATA[<p>I was reading an article today called <a href="http://www.techdirt.com/articles/20110130/00141512883/does-your-isp-care-about-protecting-your-privacy.shtml" target="_blank">Does Your ISP Care About Protecting Your Privacy?</a>. An interesting question. The ISPs in the article are even thinking of VPNing all the traffic to avoid the necessity for keeping the logs (or probably better, NATing the whole network). So it seems that the ISPs in this article are trying to do their best to protect your privacy.</p>
<p>Isn’t that great? Well, not really, as there is a second aspect to this: I was recently talking to Michel van Eeten from the Delft University of Technology in the Netherlands. Together with some other academics, he did a study for the OECD called <a href="http://www.oecd-ilibrary.org/science-and-technology/the-role-of-internet-service-providers-in-botnet-mitigation_5km4k7m9n3vj-en" target="_blank">The Role of Internet Service Providers in Botnet Mitigation</a> (based on spam data), which came to the conclusion that there are ISPs which do a good job and others which do not. If you look at this graph you will see that if we could reduce the spam from the top 50 ISPs (the worst ones) we would get rid of almost 50% of the spam worldwide:</p>
<p><a href="http://www.oecd-ilibrary.org/the-role-of-internet-service-providers-in-botnet-mitigation_5km4k7m9n3vj.pdf;jsessionid=ph35kf5am449.delta?contentType=/ns/WorkingPaper&amp;itemId=/content/workingpaper/5km4k7m9n3vj-en&amp;containerItemId=/content/workingpaperseries/18151965&amp;accessItemIds=&amp;mimeType=application/pdf"><img title="image" style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" src="http://www.halbheer.ch/security/wp-content/uploads/2011/02/image.png" border="0" alt="image" width="644" height="483" /></a></p>
<p>Additionally they found out that over the years (2006-2009) at least half of the ISPs (when it comes to the number of infected machines per subscriber) remained the same in the Top 50.</p>
<p><a href="http://www.oecd-ilibrary.org/the-role-of-internet-service-providers-in-botnet-mitigation_5km4k7m9n3vj.pdf;jsessionid=ph35kf5am449.delta?contentType=/ns/WorkingPaper&amp;itemId=/content/workingpaper/5km4k7m9n3vj-en&amp;containerItemId=/content/workingpaperseries/18151965&amp;accessItemIds=&amp;mimeType=application/pdf"><img title="image" style="background-image: none; padding-left: 0px; padding-right: 0px; display: inline; padding-top: 0px; border: 0px;" src="http://www.halbheer.ch/security/wp-content/uploads/2011/02/image1.png" border="0" alt="image" width="644" height="337" /></a></p>
<p>So, it seems that the ISPs stick to their practices – good or bad.</p>
<p>Which leads me back to my initial question: What do <span style="text-decoration: underline;">we</span> want? If an ISP would encrypt the traffic to protect our privacy completely, it would not be possible to find the bots and help the consumer to clean. If we want them to completely address the problem, they would most probably have to do at least a certain level of traffic inspection. So, what do we want? How far are we willing to give up a certain level of privacy to allow law enforcement to go after the bad guys?</p>
<p>I think we should come to the point, where we get a more balanced view on such issues. The biggest challenge, however, will be that the answer to the question will be different from culture to culture but the problem is global. So, we kind of need a culture-agnostic answer/solution, which will be very hard to achieve.</p>
<p>Oh, I think I owe you one thing. Based on the study there were a few simple things, which the best ISPs do. I quote the findings of the study:</p>
<blockquote><p>That ISPs (as opposed to other types of players, such as hosting providers or corporations operating a network with its ASN) play a central role in botnet activity was already discussed, as was the great variability among ISPs. In addition to these findings, our data indicate the following (see Asghari 2010 for a more detailed discussion):</p>
<ul>
<li>There is a widely held belief that larger ISPs show worse security performance, as they face much less peer pressure. For instance, Moore, Clayton, and Anderson (2009) state that “&#8230;very large ISPs are effectively exempt from peer pressure as others cannot afford to cut them off. Much of the world’s bad traffic comes from the networks of these ‘too big to block’ providers.” In contrast to this belief, our dataset indicates that, while larger ISPs emit more spam in absolute numbers, relative to size their performance is on average slightly better than that of smaller ISPs.</li>
<li>Another claim is that lower average revenue per user (ARPU) is a sign of higher financial pressure that might result in less attention to security. Our data suggests that ARPU and relative security performance are unrelated.</li>
<li>Given differences in networking technology and user base, one might hypothesise that cable service providers can enhance their security performance easier than DSL providers. Our data indicates an 8 % lower incidence of unique sources for cable companies. The volume of spam, however, is similar for both types of providers. This might reflect that cable subscriptions have higher average bandwidths than DSL subscriptions, that cable providers use more Network Address Translation technology, or that they more often block port 25.</li>
<li>Bivariate analysis indicates that ISPs in countries that have joined the London Action Plan (LAP) have, on average, fewer bot infections. Likewise, operating in a country that has signed the Council of Europe’s Convention on Cybercrime is negatively correlated with botnet infections. Neither of these initiatives targets botnets directly. However, one could argue that membership of LAP is a proxy for the activity of a country’s regulatory entities in the area of cybersecurity, whereas membership of the Convention on Cybercrime is a proxy for the activity of law enforcement institutions in a country. These memberships, we assume, are associated with a broader set of measures undertaken by the governments in those countries. Earlier research by Wang and Kim (2009) provided some evidence in support of this effect, though they presume a somewhat tenuous direct causal link between the Convention and cybercrime incidents, rather than interpreting membership of the Convention as a proxy variable. However, factors correlated with a country’s willingness to sign these agreements could also be at work both for the Convention as well as the LAP.</li>
</ul>
</blockquote>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2011/02/02/fighting-crime-and-protecting-privacya-contradiction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When Identity Theft and Privacy Meet</title>
		<link>http://www.halbheer.ch/security/2010/10/14/when-identity-theft-and-privacy-meet/</link>
		<comments>http://www.halbheer.ch/security/2010/10/14/when-identity-theft-and-privacy-meet/#comments</comments>
		<pubDate>Thu, 14 Oct 2010 16:39:26 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Fun]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Identity Theft]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/10/14/when-identity-theft-and-privacy-meet</guid>
		<description><![CDATA[It is always bad, if comics have a significant portion of truth... <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/10/14/when-identity-theft-and-privacy-meet/">When Identity Theft and Privacy Meet</a></span>]]></description>
			<content:encoded><![CDATA[<p>It is always bad, if comics have a significant portion of truth:</p>
<p><a title="Dilbert.com" href="http://dilbert.com/strips/comic/2010-10-12/"><img src="http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/100000/00000/2000/700/102763/102763.strip.gif" border="0" alt="Dilbert.com" /></a></p>
<p>and then</p>
<p><a title="Dilbert.com" href="http://dilbert.com/strips/comic/2010-10-13/"><img src="http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/100000/00000/2000/700/102764/102764.strip.gif" border="0" alt="Dilbert.com" /></a></p>
<p>and finally</p>
<p><a title="Dilbert.com" href="http://dilbert.com/strips/comic/2010-10-14/"><img src="http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/100000/00000/2000/700/102765/102765.strip.gif" border="0" alt="Dilbert.com" /></a></p>
<p>hmm…. too much truth for me to cope with <img class="wlEmoticon wlEmoticon-smile" style="border-style: none;" src="http://www.halbheer.ch/security/wp-content/uploads/2010/10/wlEmoticon-smile2.png" alt="Smile" /></p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/10/14/when-identity-theft-and-privacy-meet/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What is More Important to You? Privacy or Safety?</title>
		<link>http://www.halbheer.ch/security/2010/09/29/what-is-more-important-to-you-privacy-or-safety/</link>
		<comments>http://www.halbheer.ch/security/2010/09/29/what-is-more-important-to-you-privacy-or-safety/#comments</comments>
		<pubDate>Wed, 29 Sep 2010 06:54:25 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Crime]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/09/29/what-is-more-important-to-you-privacy-or-safety</guid>
		<description><![CDATA[This discussion is very old: How much privacy are we willing to give up to help to fight crime. This discussion has to be held in a society. The FBI just kick-started it again in the US. <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/09/29/what-is-more-important-to-you-privacy-or-safety/">What is More Important to You? Privacy or Safety?</a></span>]]></description>
			<content:encoded><![CDATA[<p>I want to start upfront: I do not want to take a position here. I have an opinion as a person in my cultural context but I understand that this opinion is by far not the only one which is right or wrong.</p>
<p>This morning I read this article: <a href="http://www.wired.com/threatlevel/2010/09/fbi-backdoors/" target="_blank">FBI Drive for Encryption Backdoors Is Déjà Vu for Security Experts</a>. This is definitely not new and we had it before. If there is a backdoor in encryption for the good guys, there will be one for the bad guys as well. However, if something bad happens to you and you want the criminals to be arrested, you will want the police to have the right means available to track the criminal down and send him/her to prison if necessary. This is kind of a dilemma.</p>
<p>I was once having a discussion with a former policeman who said: “We can deliver an almost crime-free society – if we are willing to give up all our privacy.” And the idea is fairly simple: If a crime happens and we could immediately see who did it, the risk of committing the crime is so high that you probably would think about it more than twice. But this is not what we want. I want my privacy – but where is the right balance? This is a discussion which is fairly old and a discussion which has to be re-visited over time and a discussion which will yield different results in different cultures: the US (see the laws after 9/11), in Europe, in the Middle East, in Africa or in Asia – and this is good.</p>
<p>So we have to understand how much privacy we are willing to give up to help the police to combat child porn, hacking, and other illegal activities on the Internet. It will be interesting to see where the discussion leads in the US as well as in other countries.</p>
<p>Finally, I am convinced that backdoors in crypto do not help to solve the problem: You will catch the stupid criminal anyway in one way or another without backdoor. The smart one will use a software to encrypt without backdoor and then the whole requirement does not help anymore…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/09/29/what-is-more-important-to-you-privacy-or-safety/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Do We Really Want Privacy?</title>
		<link>http://www.halbheer.ch/security/2010/08/26/do-we-really-want-privacy/</link>
		<comments>http://www.halbheer.ch/security/2010/08/26/do-we-really-want-privacy/#comments</comments>
		<pubDate>Thu, 26 Aug 2010 07:59:52 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Trends]]></category>
		<category><![CDATA[Competition]]></category>
		<category><![CDATA[Consumer]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/26/do-we-really-want-privacy</guid>
		<description><![CDATA[<p>I really love reading Kim Cameron’s Identity Weblog. Fairly often it is thought provoking…</p> <p>He recently wrote about his experience with the new iPhone privacy policy: Apple giving out your iPhone fingerprints and location. He was one (probably of the very few) reading the privacy policy and found the following statement:</p> <p>Collection and Use of <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/08/26/do-we-really-want-privacy/">Do We Really Want Privacy?</a></span>]]></description>
			<content:encoded><![CDATA[<p>I really love reading <a href="http://www.identityblog.com/blog.php/" target="_blank">Kim Cameron’s Identity Weblog</a>. Fairly often it is thought provoking…</p>
<p>He recently wrote about his experience with the new iPhone privacy policy: <a href="http://www.identityblog.com/?p=1136" target="_blank">Apple giving out your iPhone fingerprints and location</a>. He was one (probably of the very few) reading the privacy policy and found the following statement:</p>
<blockquote><p><strong>Collection and Use of Non-Personal Information</strong>
<p>We also collect non-personal information &#8211; data in a form that does not permit direct association with any specific individual. <strong>We may collect, use, transfer, and disclose non-personal information for any purpose</strong>. The following are some examples of non-personal information that we collect and how we may use it:
<ul>
<li>We may collect information such as occupation, language, zip code, area code, <strong>unique device identifier</strong>, <strong>location</strong>, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising.</li>
</ul>
</blockquote>
<p>So, basically this says that they might collect everything from you, link it to your device identifier and do whatever they want with it. This is called “Privacy” policy.</p>
<p>What strikes me is that a lot of people do not really see the challenges and risks behind this, as this story shows: <a href="http://www.identityblog.com/?p=1154" target="_blank">Non-Personal Information &#8211; like where you live?</a>. If I know your device ID and if I have access to the location data of your device, how hard is it to find out who you are? Not really hard. You will be in certain locations more often than in others. In my case you could at least reduce it to four people living in the same household.</p>
<p>So, there is no such thing like “not being able to link a device ID to a person”. This is simply the price we seem to be willing to pay for our constant eagerness to get the coolest app and the best service. Does the consumer really care about privacy when he/she has to balance privacy vs. functionality? Unfortunately I think the more the less…</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/08/26/do-we-really-want-privacy/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Am I Too Paranoid?</title>
		<link>http://www.halbheer.ch/security/2010/08/18/am-i-too-paranoid/</link>
		<comments>http://www.halbheer.ch/security/2010/08/18/am-i-too-paranoid/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 21:03:42 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Industry]]></category>
		<category><![CDATA[Piracy]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Processes]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/08/18/am-i-too-paranoid</guid>
		<description><![CDATA[<p>Sometimes I wonder whether I am too paranoid. I just got a call, which went like that:</p> Caller: “Hello, we are doing a health insurance survey and have just three questions for you, would you mind to join in? Just 20 seconds. We do it for Health Insurance statistics.” Me: Was in a very good <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/08/18/am-i-too-paranoid/">Am I Too Paranoid?</a></span>]]></description>
			<content:encoded><![CDATA[<p>Sometimes I wonder whether I am too paranoid. I just got a call, which went like that:</p>
<table border="0" cellspacing="0" cellpadding="2" width="684">
<tbody>
<tr>
<td valign="top" width="89">Caller:</td>
<td valign="top" width="593">“<em>Hello, we are doing a health insurance survey and have just three questions for you, would you mind to join in? Just 20 seconds. We do it for Health Insurance statistics.</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Me:</td>
<td valign="top" width="593">Was in a very good mood <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-smile" alt="Smile" src="http://www.halbheer.ch/security/wp-content/uploads/2010/08/wlEmoticonsmile1.png"><br />“<em>Sure, shoot</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Caller:</td>
<td valign="top" width="593">“<em>What is your health insurer?</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Me:</td>
<td valign="top" width="593">Gave her the name</td>
</tr>
<tr>
<td valign="top" width="89">Caller:</td>
<td valign="top" width="593">“<em>In which year were you born?</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Me:</td>
<td valign="top" width="593">“<em>What exactly do you need this data for?</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Caller:</td>
<td valign="top" width="593">Slightly upset<br />“<em>As I said: for Health Insurance statistics!</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Me:</td>
<td valign="top" width="593">“<em>And what company are you working for?</em>”</td>
</tr>
<tr>
<td valign="top" width="89">Caller:</td>
<td valign="top" width="593">Hang up</td>
</tr>
</tbody>
</table>
<p>She did not even say goodbye <img style="border-bottom-style: none; border-right-style: none; border-top-style: none; border-left-style: none" class="wlEmoticon wlEmoticon-embarrassedsmile" alt="Embarrassed smile" src="http://www.halbheer.ch/security/wp-content/uploads/2010/08/wlEmoticonembarrassedsmile.png"></p>
<p>Am I too paranoid with such things? This is my data and I was fairly surprised that she was unable (or unwilling) to answer the questions.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/08/18/am-i-too-paranoid/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Strong Authentication and Privacy &#8211; A Contradiction in Terms?</title>
		<link>http://www.halbheer.ch/security/2010/03/17/strong-authentication-and-privacy-a-contradiction-in-terms/</link>
		<comments>http://www.halbheer.ch/security/2010/03/17/strong-authentication-and-privacy-a-contradiction-in-terms/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 18:00:35 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[eID]]></category>
		<category><![CDATA[Freedom of Speech]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[U-Prove]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/?p=1475</guid>
		<description><![CDATA[<p style="text-align: left;">You know that I am not a big fan of the requirement for having all Internet users authenticate strongly. There are people in the security arena who think that this is the only way to fight cybercrime – and in parallel accept that they would kill freedom of speech.</p> <p>I recently had a <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/03/17/strong-authentication-and-privacy-a-contradiction-in-terms/">Strong Authentication and Privacy &#8211; A Contradiction in Terms?</a></span>]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">You know that I am not a big fan of the requirement for having all Internet users authenticate strongly. There are people in the security arena who think that this is the only way to fight cybercrime – and in parallel accept that they would kill freedom of speech.</p>
<p>I recently had a good discussion where somebody gave the following example: Would we be able to get completely rid of crime? Probably yes, if we would be ready to give up all our privacy and accept a 24*7 surveillance of everybody (I am not sure whether it would even work then but we could get close). However, this is socially definitely not acceptable – not in the physical world, nor on the Internet. Nevertheless we want to have a certain level of assurance if we offer some service.</p>
<p>This is where U-Prove comes in. We just announced the availability of the U-Prove CTP at RSA. This by itself is great news. However, when I talked about the concept, people sometimes failed to understand what this really means – now I think we have a great showcase:</p>
<p>The German government will offer its citizens the possibility to apply for an eID starting in November. Additionally the Fraunhofer institute worked on leveraging U-Prove together with the German eID. An awesome case. Look at the video:</p>
<p style="text-align: center;"> <iframe src="http://www.microsoft.com:80/presspass/silverlightApps/videoplayer3/standalone.aspx?contentID=rsa_video_fokus&#038;src=/presspass/events/rsa/channel.xml" width="400" height="224" frameborder="0" scrolling="no"></iframe></p>
<p>From my point of view, this technology is something you should think about and think about how to leverage it.</p>
<p>Roger</p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/03/17/strong-authentication-and-privacy-a-contradiction-in-terms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Protection Heat Map</title>
		<link>http://www.halbheer.ch/security/2010/03/10/data-protection-heat-map/</link>
		<comments>http://www.halbheer.ch/security/2010/03/10/data-protection-heat-map/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 09:00:46 +0000</pubDate>
		<dc:creator>Roger Halbheer</dc:creator>
				<category><![CDATA[Legislation]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Data Protection]]></category>

		<guid isPermaLink="false">http://www.halbheer.info/security/2010/03/09/data-protection-heat-map</guid>
		<description><![CDATA[<p>I was looking at some research done by Forrester which could be interesting for you as well. They try to lay out the landscape with regards to data protection for you and it looks fairly compelling. So if you are interested in the situation of the different Privacy laws across the globe and how Forrester <span style="color:#777"> . . . &#8594; Read More: <a href="http://www.halbheer.ch/security/2010/03/10/data-protection-heat-map/">Data Protection Heat Map</a></span>]]></description>
			<content:encoded><![CDATA[<p>I was looking at some research done by Forrester which could be interesting for you as well. They try to lay out the landscape with regards to data protection for you and it looks fairly compelling. So if you are interested in the situation of the different Privacy laws across the globe and how Forrester sees them, the map you can access there is fairly good (even though I cannot judge whether the content is accurate). </p>
<p><a href="http://www.forrester.com/cloudprivacyheatmap" target="_blank"><img style="border-right-width: 0px; display: block; float: none; border-top-width: 0px; border-bottom-width: 0px; margin-left: auto; border-left-width: 0px; margin-right: auto" title="clip_image001[6]" border="0" alt="clip_image001[6]" src="http://www.halbheer.ch/security/wp-content/uploads/2010/03/clip_image0016.jpg" width="500" height="320" /></a></p>
<p>The real interactive map can be found here: <a href="http://www.forrester.com/cloudprivacyheatmap" target="_blank">Do You Know Where Your Data Is In The Cloud?</a></p>
<p>Roger   </p>
]]></content:encoded>
			<wfw:commentRss>http://www.halbheer.ch/security/2010/03/10/data-protection-heat-map/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

