Your car, tracked: the rapid rise of license plate readers [Ars Technica]
A look at one of the less-known technologies that the government uses to spy on people.
An Analysis of Apple’s FileVault 2.
This is an analysis of Apple’s disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn’t break it. (Presumably, the version in Mountain Lion isn’t any different.)
[Schneier on Security]
This is good news, but of course it’s important to keep in mind that FileVault 2 security can be compromised by accepting the option (on by default, as I recall) to send a recovery key to Apple. The best security in the world is useless if you give the keys to someone who will give them up the first time some thug points a gun at him.
Apple holds the master decryption key when it comes to iCloud security, privacy [Ars Technica]
The folks at Ars Technica noticed the same thing I did about their earlier article and actually investigated.
Ask Ars: how safe is my data stored in iCloud? [Ars Technica]
An interesting article which ultimately concludes that it’s “safe enough.” However, right there in the article is something which contradicts its conclusion:
As far as your Safari bookmarks or iPhone photos, however, that information is only given out when required by law, such as when it’s required by court order. “We may also disclose information about you if we determine that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate,” Apple wrote in its privacy policy.
In other words, it’s not really safe at all. If it were, it would be impossible for Apple to ever disclose anything, for any reason, because they wouldn’t be able to get to it to disclose it.
Hackers ‘steal entire 2011 census’ [The Telegraph]
Most of the article is a slightly confused report on whether or not LulzSec actually claimed to have gotten the UK census database. However, I think the real story is this bit here:
“The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred.” The US defence contractor Lockheed Martin, which collected the 2011 census data, was also preparing a statement. The compulsory national survey was carried out in March and gathered data including full names, dates of birth and addresses for everyone in the UK.
So the oh-so-secure personal data for everyone in the UK was gathered by a US defense contractor? Not just an appendage of the Evil Empire, but a tightly integrated part of the Imperial Military? In what universe is that secure? There’s the evidence of your compromise right there!
Cheap GPUs are rendering strong passwords useless. Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack? [ZDNet]
Yes, that’s really how the author defines a “strong password.” Fortunately I, not being a complete idiot, would only use such a simple password if I wanted other people to know it and be able to remember it easily. Here’s an example of what I consider a strong password, in this case generated by 1Password:
VbNwGIzrJWzccJMKJaQKCWXr4^mlWjglMQ*ZkcyMdyDOJrp9Kh
EFF Publishes Study On Browser Fingerprinting. Rubinstien writes “The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to ‘device fingerprinting’ via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we’ve discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far.” [Slashdot]
I visited the test site with my default browser with Tor and NoScript on, and it had this to say:
Within our dataset of several million visitors, only one in 10,791 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 13.4 bits of identifying information.
However, it reports the user agent incorrectly, as Tor is set to lie about what browser I’m using. When I turned Tor off and reloaded the test page, I got this instead:
Within our dataset of several million visitors, only one in 21,435 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 14.39 bits of identifying information.
If I’m not mistaken, this means that the test site thinks I’m in the first group of browsers when I’m actually in the second group.
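The "one in N browsers" figures and the bit counts in the test site's output are the same quantity: a fingerprint shared by one in N browsers carries log2(N) bits of identifying information. The Python below is an added example, not code from the EFF study or from this post; the sample rows, field names and function names are constructed for illustration. It converts the quoted ratios to bits and computes per-attribute entropy and the uniquely identifiable fraction over a small sample.

```python
import math
from collections import Counter

# Constructed sample: one tuple per visiting browser (user agent, plugins, fonts).
SAMPLE = [
    ("UA-A", "flash,java", "fonts-1"),
    ("UA-A", "flash,java", "fonts-1"),
    ("UA-A", "flash", "fonts-2"),
    ("UA-B", "none", "fonts-3"),
    ("UA-B", "none", "fonts-3"),
    ("UA-B", "none", "fonts-3"),
    ("UA-B", "none", "fonts-3"),
    ("UA-C", "flash,java", "fonts-4"),
]
FIELDS = ("user_agent", "plugins", "fonts")  # hypothetical field names


def bits_from_one_in(n):
    """Surprisal in bits of a fingerprint shared by one in n browsers."""
    return math.log2(n)


def surprisal(fingerprint, sample):
    """Bits of identifying information one fingerprint carries in this sample."""
    count = Counter(sample)[fingerprint]
    if count == 0:
        raise ValueError("fingerprint not present in sample")
    return -math.log2(count / len(sample))


def entropy(values):
    """Shannon entropy in bits of a list of observed values."""
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in Counter(values).values())


def unique_fraction(sample):
    """Share of browsers whose full fingerprint appears exactly once."""
    counts = Counter(sample)
    return sum(1 for fp in sample if counts[fp] == 1) / len(sample)


def report(sample):
    """Per-attribute entropy, whole-fingerprint entropy and unique share."""
    per_field = {name: entropy([row[i] for row in sample])
                 for i, name in enumerate(FIELDS)}
    return {"per_field_bits": per_field,
            "fingerprint_bits": entropy(sample),
            "unique_fraction": unique_fraction(sample)}


if __name__ == "__main__":
    print(round(bits_from_one_in(10791), 2), round(bits_from_one_in(21435), 2))
    print(report(SAMPLE))
```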
Flaws in Tor anonymity network spotlighted. At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.
The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a régime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing. [Ars Technica]
There are things users can do to protect themselves. From the article:
Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.
And from one of the comments:
This attack should be significantly less effective as well if the target in question is a fully functional and quality relaying node. In that case other people accessing through the node would randomize things significantly, and their access would be impossible to differentiate from a local user without the kind of physical access that makes the entire thing moot.
A few days ago I found the notice on the left in the photo above in my apartment building. The notice states that someone from the local government will be conducting an illegal search of my apartment building tomorrow. This isn’t the first time something like this has happened. About ten years ago, a similar notice appeared and I took the day off from work to keep the “inspector” from getting into my apartment without a search warrant–which, naturally, he didn’t have. After a bit of the expected veiled threats and attempts at intimidation and trickery that inspector gave up and left, and I’m hoping that the one tomorrow will go as well.
The two pages of Korean text next to the notice are a translation of the Bill of Rights, with the Fourth Amendment highlighted. I found this on the website of a civil rights organization called Jews for the Preservation of Firearms Ownership, which has translations of the Bill of Rights into many different languages. Most of my neighbors were born in Korea, and many speak no English, so I figured it was likely they wouldn’t be aware that they have the right to refuse warrantless searches of their homes. Hopefully reading the translation of the relevant US law will help at least some of them stand up for themselves and their liberty.
Update: This time around the inspector took “get a warrant” quickly and without making a fuss.
Cryptography Success Story. From Brazil: the moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files. [Schneier on Security]
The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil. The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code, Brazil’s Globo newspaper reports.
I use TrueCrypt to protect the Windows laptop I use for work. Unfortunately, the Mac version doesn’t support whole disk encryption.