Jan 27

all your encryption passwords are belong to the cops

By alberg deep thoughts, privacy, worst practices Comments Off

...but you do have to give up your passwords

Interesting and depressing post from Ars Technica:

A federal judge has ruled that a Colorado woman can be compelled to decrypt her encrypted laptop so that the police can inspect it for incriminating evidence. The woman, Ramona Fricosu, is a defendant in a mortgage scam case. She had argued that the Fifth Amendment’s privilege against self-incrimination protected her from having to disclose the password to her hard drive, which was encrypted using PGP Desktop.

The rest of the sordid details can be found here.

It seems to me that forcing someone to reveal a password to  a computer which might contain incriminating documents should be construed in the same way as forcing them to provide other self incriminating testimony.   Just saying…

 

Share
May 14

it’s not always nice to share

By alberg hacks, online security, privacy, worst practices Comments Off

Sharing is for weenies. (This is why it is good that I have no kids)

From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare.  Some researchers in Belgium did some poking around on these sites and the results are yet another that security through obscurity just doesn’t cut it.

Share
Dec 31

location based validation of card transactions and more?

By alberg privacy, travel security Comments Off

Should I validate that transaction?

An interesting idea from Visa (of credit card fame) over in Europe… using card members’ mobile phones as location based tokens to verify credit card transactions and ATM withdrawals. The thinking is that if your mobile phone is in the same location as where a purchase or ATM withdrawal is being made, it is more likely that you too are present and that the transaction is valid.

On the pro side:

Using this as one of multiple factors to validate a transaction seems like a good idea… people tend to keep track of their mobile phones and keep them close and adding a token (something you have in addition to the credit card itself) without requiring the user to do anything provides an extra layer of security without adding inconvenience.

This would be particularly handy for those of us who travel a lot – I usually find my card shut down due to a fraud alert at least once per international trip (even if I provide the card issuer with an itinerary in advance).

On the con side…

Some people may see privacy issues with this… The card issuer already knows where you are based on the transaction data and the phone location information does not really add much to the information being disclosed.  However, this assumes that the only time that the issuer avails themselves of the location data from the phone is when a transaction is made.  I could conceive of  situations where the issuer could use the location data for other reasons – for example, detecting that you are at the mall and offering an incentive to use their card rather than the other cards in your wallet.

This model breaks down if a thief gets hold of my mobile AND my credit card or if I forget to take my phone with me.   However, if the phone location is used as one of multiple validation criteria, the system should be able to handle these edge cases.

The verdict:

I think that this could be a good idea IF protections could be put in place to limit the use of phone location data by card issuers to validation of transactions.  I could also foresee this as a tool that could be used by enterprises as an additional authentication factor for remote access to systems and networks.  If the carriers could provide an API which would allow geolocation of corporate phones and that information could be cross referenced with IP geolocation, we could get alerts or block access when the locations don’t match…  this has potential, but the proverbial jury is still out.

Read more at Fast Company…

Share
Aug 24

this conversation may be recorded, just cause i wanna…

By alberg privacy Comments Off

From the US Federal Courts (via ThreatLevel)… it turns out that recording a conversation on your iPhone (and I assume any other device capable of making such recordings) with the permission of the other person you are recording is not a violation of the Wiretap Act unless you plan to use the recording for “nefarious purposes.”  (The court did not weigh in on whether secretly recording your conversation makes you obnoxious, however).   Now, in order to do this legally, you must be one of the participants in the conversation, triggering the “one party permission” exception to the law.  One of the interesting (and somewhat unsettling) statements made in the opinion was that a person having a conversation with another person in their own kitchen did not have a “reasonable expectation of privacy.”  It was also noted that one does not need to have been invited to participate in the conversation being recorded to be considered a participant allowed to record.

Recording conversations is getting easier and easier as more of our devices include the hardware, software and storage needed.  Products such as LiveScribe’s Echo Smartpen and iPad apps such as Audiotorium add a productivity bonus, allowing recordings to be quickly tied to written notes.   This decision seems to remove the last legal barrier to people unilaterally recording their conversations for later reference – or to make sure that the person they are talking to cannot claim they said something different or was misunderstood later.

My takeaways from this:

I think we are going to see a lot more personal use of recording devices in the coming years… storage is cheap and the ability to index and search recordings is only going to get better.   The idea of having a permanent record of your normal daily interactions for later review will become more mainstream.  While this has some advantages (“You did so promise to have my home renovations done in 30 days, shady contractor… and here you are saying it”), it also has the potential to change the dynamics of conversations.  Will this make us more careful in choosing our words?  (Probably not, but it will make it more entertaining to trip people up with their own words.   I hope my wife is not reading this…)

Forensics to prove that a voice on a recording belongs to a specific person already exist; they will become more of an issue (and profit center) as more recordings are used in civil cases.  I wonder if geotagging of recordings will also play a role here… if you checked in to FourSquare at the same time and place as my recording of a conversation with you, does this make the conversation more attributable to you?

This seems to present a dilemma for corporate security professionals.  Recording conversations can be a great memory aid and productivity enhancer, however, how can we know that those same recordings (probably on devices not owned by the organization) will be stored and handled securely?   There is also the question of the effect of such recordings on corporate culture – will people be willing to share ideas and opinions freely knowing that their words may be recorded for posterity?  It seems to me that organizations need to make a conscious decision as to whether to allow recordings of meetings and conversations to be made on their premises – and if the answer is “no,” to make the policy known to employees and visitors.

Share
preload preload preload