« First...102030...2,4982,4992,5002,5012,502...2,5102,520...Last »

How App Developers Leave the Door Open to NSA Surveillance

Posted on by

U.S. and U.K. surveillance of smartphone users has been helped by mobile developersfew of whom bother to adopt basic encryption.

News that the National Security Agency has for years harvested personal data leaked from mobile apps such as Angry Birds triggered a fresh wave of chatter about the extent of the NSAs reach yesterday. However the NSA and its U.K. equivalent, GCHQ, hardly had to break much technical ground to hoover up that data. Few mobile apps implement encryption technology to protect the data they send over the Internet, so the agencies could trivially collect and decode that data using their existing access to Internet networks.

Documents seen and published by the New York Times and Guardian newspapers show that the NSA and GCHQ can harvest information such as a persons age, location, and sexual orientation from the data sent over the Internet by apps. Such personal details are contained in the data that apps send back to the companies that maintain and support them. This includes data sent to companies that serve and target ads in mobile apps.

This is evidence of negligent levels of insecurity by app companies, says Peter Eckersly, technology projects director for the Electronic Frontier Foundation. Eckersly says his efforts to persuade companies to secure Web traffic shows widespread disregard for the risks of sending peoples data over the Internet without protections against interception. Most companies have no legitimate reason not to secure that data, says Eckersly. Often the security and privacy of their users is so far down the priority list that they havent even thought about doing it.

A 2012 study of 13,500 Android apps by researchers in Germany found that only 0.8 percent used encrypted connections exclusively, and that 43 percent use no encryption at all. Last week mobile app security company MetaIntell reported that 92 percent of the 500 most popular Android applications communicated some data insecurely.

It is often difficult to tell whether an app is using encryption or not to transmit data. Web browsers show a padlock icon next to a sites Web address if it is using encryption, but there is no such equivalent for mobile apps. Manually checking whether a mobile app is securing data transfers involves inspecting network logs to examine how an app is connecting to servers.

The documents published on Monday single out Google Maps as leaking particularly useful data for surveillance purposes. Documents from both the NSA and GCHQ note how search queries intercepted from this app can reveal a persons movements. A 2008 document from GCHQ states that a system set up to intercept that data effectively means that anyone using Google Maps on a smartphone is working in support of a G.C.H.Q. system.

Google made encryption the default for its Web search last September but does not publicize which of its mobile apps use encryption. A company spokesperson told MIT Technology Review that current versions of the Google Maps app use encryption to protect data sent back to the companys servers. That suggests intelligence agencies can no longer see the places people are searching for by intercepting Internet traffic.

The leaked documents also highlight how ad targeting technology built into many apps can leak personal information. Many app companies make use of technology from third party ad companies that collect and transmit ad-tracking and ad-targeting data (see Mobile-Ad Firms Seek New Ways to Track You and Get Ready for Ads That Follow You from One Device to the Next).

That data often contains profile data about a person, such as gender, approximate age, and location. A 2012 GCHQ report details technology designed to pluck such profiles from the data transmitted by the game Angry Birds. MetaIntells analysis of the current Android version of that app found that it sends unencrypted data to AdMob, the mobile ad company owned by Google. The 2012 report also singles out ad company Millennial, which compiles profiles that can also include a persons ethnicity, marital status, and sexual orientation. A spokesperson for Millennial told MIT Technology Review that the company only gets to see data that its partners have permission to collect from their users and that ads are not targeted based on sexual orientation.

Here is the original post:
How App Developers Leave the Door Open to NSA Surveillance

A Beginner’s Guide To Encryption: What It Is And How To Set It Up

Posted on by

Keep on hearing about encryption but still not sure what it involves? Heres a basic introduction to encryption, when you should use it, and how to set it up.

Images by Vector Icon (Shutterstock), Pixel Embargo (Shutterstock) and von_hedwig

Encryption is a method of protecting data from people you dont want to see it. For example, when you use your credit card on Amazon, your computer encrypts that information so that others cant steal your personal data as it is being transferred. Similarly, if you have a file on your computer you want to keep secret only for yourself, you can encrypt it so that no one can open that file without the password. Its useful for everything from sending sensitive information to securing your email, keeping your cloud storage safe, and even hiding your entire operating system.

Encryption, at its core, is similar to those decoder rings you played with when you were younger. You have a message, you encode it using a secret cipher, and only other people with the cipher can read it. Anyone else just sees gibberish. Obviously, this is an incredibly simplified explanation. The encryption in your computer is far more complex and there are different types of encryption that use multiple decoder rings but thats the basic idea.

There are also different levels of security when it comes to encryption. Some types, for example, are more secure but take longer to decode. Few, if any, encryption methods are 100 per cent foolproof. If you want a more detailed explainer on how encryption works, check out this article from the How-To Geek and this article from HowStuffWorks. They explain a few different kinds of encryption and how they keep you safe online.

The short answer: yes. Things can be stolen even if you dont share your computer. All someone needs is a few minutes in front of the keyboard to retrieve anything they want. A login password wont protect you, either breaking into a password-protected computer is insanely easy.

So should you encrypt your sensitive files? Yes. But theres a bit more to it than that. You have two big choices when it comes to encryption: do you just encrypt the important files , or do you encrypt your entire drive? Each has pros and cons:

We generally recommend against average users encrypting their entire drive. Unless you have sensitive files all over your computer, or have other reasons for encrypting the entire thing, its easier to encrypt the sensitive files and call it a day. Full disk encryption is more secure, but can also much more problematic if you dont put in the work to keep everything backed up safely (and then encrypt those backups as well).

That said, well show you how to do both in this guide. Well talk a bit more about each situation in their individual sections below.

If you need to keep just a few files safe from prying eyes, you can encrypt them with the free, open-source, cross-platform TrueCrypt. These steps should work on Windows, Mac and Linux. Note that if youre encrypting files to send them over the internet, you can also use this previously mentioned 7-Zip method.

Continue reading here:
A Beginner's Guide To Encryption: What It Is And How To Set It Up

Lavabit case highlights legal fuzziness around encryption rules

Posted on by

While privacy advocates may see Lavabit as bravely defending U.S. privacy rights in the online world, federal judges hearing its appeal of contempt-of-court charges seem to regard the now defunct encrypted email service as just being tardy in complying with government court orders.

Attorneys from both Lavabit and the U.S. government agreed that the legal issues between them could have been resolved before heading to court, though neither party seemed to have an adequate technical answer of how Lavabit could have successfully passed unencrypted data to a law enforcement agency in order to meet the governments demands.

Three judges from the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, on Tuesday heard Lavabits appeal of a contempt-of-court ruling, which it had incurred for not turning over to the government unencrypted data of a single user, presumably Edward Snowden.

Judges Roger Gregory, Paul Niemeyer and Steven Agee presided over the hearing.

For the proceedings, the judges actively listened to and questioned the arguments of both sides, though they seemed wary of turning the case away from the specifics of why Lavabit did not comply with court orders to turn over data on one of its users, and towards the larger issues that Lavabit raised in its highly publicized defense of what scope the government should have over those parties who hold SSL (secure socket layer) keys to encrypted data.

The case had been blown out of proportion with all these contentions, particularly around the use and possible misuse of the SSL keys, Niemeyer said. Theres such a willingness to believe that the keys will be misused and that the government will spy on everyone, he said.

Gregory had stated that the encryption issue was a red herring, one that drew attention away from Lavabits non-compliance.

The judges had noted that the case revolved around the validity of court orders, rather than the statutes that provide the basis for the court orders.

In June of last year, secure email service Lavabit was issued a court order to set up a U.S. Federal Bureau of Investigation pen trap in order to collect all routing data for one of its customers, thought to be Snowden. Snowden had just come to international attention for leaking classified documents from the U.S. National Security Agency. According to reports, he had used the service to alert the media of a press conference he was about to hold.

A pen trap is software that records all routing, addressing or signalling information between electronic communications, in this case email. Before the judges, Lavabit attorney Ian Samuels argued that Lavabit founder Ladar Levison agreed to set up the pen trap; the company had complied to at least one other similar court order in the past.

Link:
Lavabit case highlights legal fuzziness around encryption rules

Microsoft cloud server designs for Facebook’s Open Compute Project

Posted on by

Microsoft is contributing the designs of the cloud servers that run some of its services like Bing and Windows Azure to the Open Compute Project, in a bid to help standardize and reduce hardware costs.

The Redmond, Washington, tech company is also contributing system management source code to the project. It said it aimed to create an open source software community in the Open Compute Project.

By promoting its hardware specification in the data center, Microsoft could be looking for an opportunity for its server software as against Linux which has been the favorite of many Web companies.

My belief is that they are trying to have a voice in a community that they havent had a voice before, said Patrick Moorhead, founder and president of research firm Moor Insights & Strategy. The Open Compute Project is largely geared towards open source and doing things yourself, which goes against Microsofts business model of proprietary software and paid services, he said.

By joining the Open Compute Project, it is unlikely that Microsoft will win over Web companies to its own server software, Moorhead said.

The Microsoft servers offer improvements over traditional enterprise server designs, including up to 40 percent server cost savings, 15 percent power efficiency gains and 50 percent reduction in deployment and service times, Bill Laing, corporate vice president for cloud and enterprise at Microsoft, said in a blog post Monday.

The server designs are also expected to be environment friendly as they reduce network cabling by 1,100 miles (1,770 kilometers) and metal by 10,000 tons across Microsofts base of 1 million servers.

Microsoft looks forward to commercial offerings in the near future from its partners who develop products for the company based on the specifications, said Kushagra Vaid, general manager for server engineering at Microsoft, in a blog post.

Initiated by Facebook to drive down the cost of the hardware it uses, the Open Compute Project is a collaborative project that aims to share specifications and best practices for making hardware designs more efficient and innovative. Its goal is to develop servers and data centers following a model traditionally associated with open source software projects. The Open Compute Project Foundation has executives of tech companies like Intel and Rackspace, and user company Goldman Sachs on its board.

Facebook said in August that the Open Compute Project, for example, is working on an open network switch design for Internet data centers.

Continue reading here:
Microsoft cloud server designs for Facebook's Open Compute Project

Microsoft Open Sources Its Internet Servers, Steps Into the Future

Posted on by

For nearly two years, tech insiders whispered that Microsoft was designing its own computer servers. Much like Google and Facebook and Amazon, the voices said, Microsoft was fashioning a cheaper and more efficient breed of server for use inside the massive data centers that drive its increasingly popular web services, including Bing, Windows Azure, and Office 365.

It only made sense. Typically, when you run a web service the size of Bing, needing tens of thousands of machines to keep the thing going, traditional server hardware becomes far too expensive. But when this phenomenon was discussed in public, Microsoft typically stayed mum. In designing its own servers, it was moving away from commercial machines sold by the likes of Dell and HP hardware makers that have long worked hand-in-hand with Microsoft in so many areas of the computer game and it seemed that Steve Ballmer and company were wary of offending their longtime allies.

Microsoft will not only lift the veil from its secret server designs. It will open source these designs, sharing them with the world at large.

Not anymore. This morning, in San Jose, California, Microsoft will not only lift the veil from its secret server designs. It will open source these designs, sharing them with the world at large so that other online outfits can use them inside their own data centers. Were trying to drive hardware innovation in cloud computing, says Bill Laing, the Microsoft corporate vice president who will reveal the designs at this weeks Open Compute Summit, a conference dedicated to the free exchange of hardware know-how.

Its yet another sign that the worldwide market for data center hardware is changing in enormous ways. In the past, if you needed servers or data storage gear or networking hardware, you simply bought what was available from American hardware vendors like Dell and HP and Cisco. Now, massive web outfits like Google and Facebook and Amazon and even Microsoft are designing their own hardware, partnering with manufacturers in Asia and other foreign locales to build this hardware on the cheap, and in some cases helping others take the same route.

Facebook galvanized this movement in 2011, when it open sourced its first server designs and founded the Open Compute Project, the not-for-profit foundation behind this weeks summit. The aim was to foster a vast community of companies that would freely trade their hardware designs and bootstrap a more efficient means of getting these designs built. Now, nearly three years later, this idea was come into its own.

Microsofts move towards the Open Compute Project is particularly telling. Its not just that the company is a traditional ally of Dell and HP, with these hardware makers selling its Windows operating system on all sorts of computers, from desktops and laptops to servers. Its that, for so many years, Microsoft was staunchly opposed to sharing its intellectual property with outsiders. It avoided open source software and even actively battled against those who built the stuff. Now, its embracing open source in both the hardware and the software world.

Al Gillen

As it released its server designs, the company also open sourced the software it built to manage the operation of these servers.

But this isnt mere altruism. By sharing its designs and software, Microsoft can push the web forward, helping others build more efficient data centers. But it can also boost its own cause, expanding the market for this custom-built gear and driving down its hardware costs even further.

More:
Microsoft Open Sources Its Internet Servers, Steps Into the Future

Prominent cryptography and security researchers deplore NSA’s surveillance activities

Posted on by

Some of the most prominent cryptography and security researchers in U.S. academia have condemned the U.S. National Security Agencys surveillance practices and called for change.

Media reports since last June have revealed that the US government conducts domestic and international surveillance on a massive scale, that it engages in deliberate and covert weakening of Internet security standards, and that it pressures US technology companies to deploy backdoors and other data-collection features, the researchers said in an open letter published Friday. As leading members of the US cryptography and information-security research communities, we deplore these practices and urge that they be changed.

The letter was signed by 53 people, most of them professors at top U.S. universities and research institutions. The list includes some of the biggest names in computer science, technology policy and cryptography like Hal Abelson, professor at the Massachusetts Institute of Technology and founding director of Creative Commons and the Free Software Foundation; Edward Felten, the director of the Center for Information Technology Policy at Princeton University and former chief technologist for the U.S. Federal Trade Commission; MIT professor Ronald Rivest, a pioneer of modern public-key cryptography and of one the creators of the widely used RSA encryption algorithm; and renowned cryptographer Bruce Schneier.

Dutch cryptographer Niels Ferguson is also on the list. Ferguson was one of the two Microsoft employees who in 2007 reported that the Dual_EC_DRBG pseudorandom number generator standardized by the U.S. National Institute of Standards and Technology had a potential backdoor. According to media reports based on documents leaked by former government contractor Edward Snowden, the NSA pushed this flawed random number generator as a standard as part of its efforts to defeat encryption.

Inserting backdoors, sabotaging standards, and tapping commercial data-center links provide bad actors, foreign and domestic, opportunities to exploit the resulting vulnerabilities, the letter said. The choice is not between allowing the NSA to spy or not, but between having a communications infrastructure thats vulnerable to attack at its core and one thats by default secure for all users, they said.

Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life, the researchers said in the letter. We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.

The letter also called for the U.S. government to subject all mass-surveillance activities to public scrutiny, saying that the threat they pose to privacy and democracy is evident, while the value they have in preventing terrorism is unclear. They noted that the five principles described on the reformgovernmentsurveillance.com website that was set up by AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo in response to the NSA surveillance revelations provide a good starting point for finding a way forward.

According to those principles, governments should, among other things, limit surveillance to specific, known users rather than collect Internet communications in bulk; set up an independent court review system that includes an adversarial process; allow companies to publish the number and nature of government demands for user information; and permit the transfer of data across borders, working with other governments to resolve conflicts of legislation governing lawful requests for data.

According to Matthew Green, a cryptography research professor at Johns Hopkins University in Baltimore and one of the people who signed the letter, the joint statement is indicative of the trust the NSA has lost among academics.

Up until 2013 if youd asked most US security researchers for their opinions on NSA, you would, of course, have heard a range of views, Green said Saturday in a blog post. But you also might have heard notes of (perhaps grudging) respect. This is because many of the NSAs public activities have been obviously in everyones interesthelping to fund research and secure our information systems.

Original post:
Prominent cryptography and security researchers deplore NSA's surveillance activities

How Cryptocurrency, Crowdfunding And A Little Internet Altruism Saved Jamaica’s Hopes For Bobsled Gold

Posted on by

Just in case you missed it, a heart-warming story unfolded this week involving an unlikely combination of bobsled, Jamaica, virtual currency, crowdfunding and generosity. It has all the makings of an inspiring Disney movie er, an inspiring Disney sequel. Last Sunday, news began trickling out that a two-man bobsled team from the island nation of Jamaica had qualified for the Olympic Games in Sochi, Russia.

The countrys official Twitter account for the 2014 games announced the news that the team had qualified, including an image that appeared to be a reference to Cool Runnings, the John Candy-led cult film that loosely chronicled Jamaicas debut in bobsled for the 1988 Olympic Games in Alberta, Canada.

The world apparently loves a sequel. In a plot twist seemingly right out of Cool Runnings, despite qualifying for the 2014 Olympics, team captain Winston Watts told the New York Times that the team hadnt been able to raise the necessary funds to make it to Russia. Watts said that he had essentially been self-funding the teams efforts thus far, and had even dug into his personal savings to fly the team to the U.S. for the bobsledding qualifiers. Nevertheless, after finding little help from the Jamaican Olympic Association or private investors, the team was forced to turn elsewhere.

In the world of bobsled, and perhaps sports in general, there has never been a more quintessential underdog story. First of all, the Jamaican bobsled team is from, well, Jamaica. Second, the team is competing against teams with significant some financial backing (and actually hail from more arctic climes). Not only that, Winston Watts came out of retirement to lead the 2014 bobsled team, and if the team were to compete in Sochi, Watts would be second-oldest bobsled pilot in Olympic history at age 46.

Luckily, the citizens of the Internet are sympathetic to an underdog story and were not about to let the team sit this one out due to lack of funding. And thats when Jamaican bobsledding had its first introduction to the altruistic power of both virtual currency and digital crowdfunding proponents alike. Fittingly, it was a joke currency or a virtual currency inspired by a dog meme that came to the rescue. Yes, the very peer-to-peer cryptocurrency loved by Lassie, the worlds pooches and geeks alike, and the very currency that began as a joke but has since been hailed as a potential successor to Bitcoin: The noble, Dogecoin.

In a movement that began on Reddit, the Dogecoin Foundation seized the opportunity to promote its virtual currency on the world stage and help send the Jamaican bobsled team to Sochi. Over a matter of days, the Dogecoin community raised over 27 million Dogecoins, the equivalent of $30,000 for those without a canine cryptocurrency analyst on hand.

That, in and of itself, is something to behold, but the Internet wasnt done yet. Just as the Dogecoin campaign began to hit full steam, word of the Jamaican bobsled teams plight got to the founders of Y Combinator-incubated, group-funding platform, Crowdtilt. A Jamaican bobsled fan launched a campaign on Crowdtilt to pool funds for the team from sympathetic fans and, before long, the startup got wind of the campaign, as did the teams president, Chris Stokes, and founding member of the original Cool Runnings team, Devon Harris.

The team made the Crowdtilt effort its official fundraising campaign, and the Crowdtilt founders worked with the Dogecoin Foundation to convert the $30K raised in Dogecoin (from 1,600 Dogecoin supporters) into Bitcoin and then combine it with the money raised on Crowdtilt.

As one might expect, the campaign quickly surpassed its goal and then some. After three days live, the campaign raised just under $130K ($129,587, to be precise) more than 12 times the campaigns goal including the contribution from the Dogecoin community.

Crowdtilt co-founder James Beshara tells us that it was one of the fastest campaigns to reach its goal in the platforms history and there were points when as much as $3,000 was donated in 60 seconds. The average donation was $34.60, with nearly 3,000 individuals contributing to the campaign from 50 states and 52 countries.

Read the original:
How Cryptocurrency, Crowdfunding And A Little Internet Altruism Saved Jamaica’s Hopes For Bobsled Gold


« First...102030...2,4982,4992,5002,5012,502...2,5102,520...Last »