Metrolinx provided customer data from transit cards to police

In Ontario, Canada, the Presto card is the transit card that many daily commuters use. The company Metrolinx has provided customer information to the police without requiring a warrant in many cases.

According to the article,

The transit agency has received 26 requests from police forces so far this year and granted 12 of them, according to Metrolinx, which is the provincial transit agency that operates the Presto fare card system used across the GTHA and in Ottawa. It is not known how many requests Metrolinx granted in previous years because the agency only began tracking them in 2016.

The problem in this case is that while it may be legal for them to share information with the police, customers have been entirely unaware of what information is being shared and when and with who. Metrolinx’s privacy policy is not clear enough and they aren’t transparent enough. As one of the largest operators of public transit payment systems, they have to be held accountable and must offer clear information on how they respect customers and their personal data.

This is one of the biggest risks of moving to an all digital payment system that is controlled by one entity. In many cases customers are actively discouraged from using privacy-safe alternatives like cash or tokens.

To bring this back to open source and professionalism. If the transit card systems were open source they could be audited. If the administration software was open source it could be audited and improved to add police data requests as part of the database. Whoever built the system to gather customer data should have been professional and raised the privacy concerns that affect customers.

Google said to be planning a built-in ad blocker for Chrome

https://techcrunch.com/2017/04/19/google-said-to-be-planning-a-built-in-ad-blocker-for-chrome/

This is great news, a lot of web browser users typically do not look for adblockers, by having an adblocker built into the browser and activated by default, those users will be better protected from intrusive ads that slow down their web browsing experience.

However, the more security-minded users will want to audit the open source code for the built in adblocker.

Shazam keeps your Mac’s mic on

http://motherboard.vice.com/read/shazam-keeps-your-macs-microphone-always-on-even-when-you-turn-it-off

This is why I advocate for more software to be free/open source, because in some cases you have no idea what it’s actually doing. When the code is freely available under a free software or open source license, it becomes possible for third parties to do an audit of the code and to see what it actually does.

Shazam’s Mac app is misleading users by defining “off” as “well your mic is still on and we will only listen to what you say when the app is active, we promise”.

Surveillance Self-Defense Software

Check out this article from The Intercept, detailing how to defend yourself from government surveillance.

Here’s a list of the software that is mentioned, and while some of it is proprietary, I thought it would be alright to list it here because it does protect privacy through encryption technologies:

  • Signal (open source)
  • What’s App (proprietary)
  • Semaphor (proprietary), it’s like Slack but encrypted
  • Let’s Encrypt SSL certificates
  • Tor Browser
  • Qubes, a GNU/Linux distribution that runs everything in disposable virtual machines and compartmentalizes to protect you from USB drive viruses and PDF malware

Canadian spy agency, CSIS, uses illegal bulk data collection to subvert Canadian freedoms

On a beautiful Sunday morning, I have to link to this bit of ugliness on the illegal bulk data collection by the Canadian spy agency, CSIS. Only a handful members of government knew about and it was only revealed because of a court case.

From the article:

Many corporations and government agencies are now gravitating toward so-called big data computer analytics that can predict patterns of future behaviour based upon records about what has happened in the past. Spy agencies are no different, and the centre in question appears to be the Canadian Security Intelligence Service’s equivalent of a crystal ball – a place where intelligence analysts attempt to deduce future threats by examining, and re-examining, volumes of data.

Continue reading “Canadian spy agency, CSIS, uses illegal bulk data collection to subvert Canadian freedoms”

A Unique Approach to the Cryptography Debate

In this article, Paul Rosenberg explains the problem with how the cryptography debate is approached by technologists and pro-crypto and pro-privacy advocates. To refresh your memory, the FBI tried to force Apple to give up security keys, while the NSA has continually tried to break encryption algorithms. One side wants to weaken encryption so the government always has access, another side wants to weaken encryption on a case-by-case basis to give government access, and a third side wants to keep encryption strong even if it disallows all government surveillance.

The problem, according to him, is that the debate is approached by the third side, the pro-privacy side, with emotional arguments about whether politicians know enough about technology to even be proposing laws related to encryption, and that anti-privacy politicians just want to build a surveillance complex to benefit their pals in the surveillance industry. Furthermore, cryptography is presented as an all or nothing affair, it works or it doesn’t.

Mr Rosenberg argues that this approach is not helpful because it does not approach cryptography realistically and does not go deeper into the details, details which politicians and other people need to be informed on this debate.

The unique approach is to elevate the debate to a debate about government regulatory powers, especially their control over freedom of speech and freedom of expression.

Continue reading “A Unique Approach to the Cryptography Debate”

Dyn DNS was attacked by IoT devices

The post-mortem of the attack has been posted by Dyn and it contains a timeline and some information about the attack.

There is an attack timeline which is useful:

Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers.

After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.

And here is some information about the attack itself (not nearly enough information in my opinion):

At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack

The other articles about this attack are far more thorough in exploring how the Mirai code works and how it can infect Internet of Things devices and where the attacks originated from.

The article from Krebs on Security explains how the Mirai malware works and what types of devices were infected and how.