Loss of Privacy

Keeping you informed on recent losses to privacy and civil rights worldwide.

Under the Computer Misuse Act, the United Kingdom has outlined rules that will essentially ban legitimate IT software.  Though pressured, the Home Office refused to back down on its stance of making distribution of such tools an offense.  It is, therefore, now illegal to create or distribute software tools that could be used for hacking.

The controversial measure is among amendments to the Computer Misuse Act included in the Police and Justice Act 2006. However, the ban, along with measures to increase the maximum penalty for hacking offences to ten years and make denial of service offences clearly illegal, is still not in force and probably won’t be until May 2008 in order not to create overlap with the Serious Crime Bill, currently making its way through the House of Commons.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

One man’s security tool is another’s hacking and cracking tool.  The law should state clearly that there are legitimate uses for such tools and that each case be decided on its own merit.  You cannot make blanket laws without injuring the innocent.  This is a clear case of “if guns are outlawed, then only outlaws will have guns.”  If you outlaw legitimate IT tools, then there will no longer be a way to check for vulnerabilities, leaving the “outlaws” with the only tools to break into systems that can no longer be secured.

Following industry lobbying the government has come through with guidelines that address some, but not all, of these concerns about “dual-use” tools. The guidelines establish that to successfully prosecute the author of a tool it needs to be shown that they intended it to be used to commit computer crime. But the Home Office, despite lobbying, refused to withdraw the distribution offence. This leaves the door open to prosecute people who distribute a tool, such as nmap, that’s subsequently abused by hackers.

We are again faced with people making laws about things they do not understand.  They assume that, because a piece of software can be used illegitimately, it must be bad and, therefore, banned.  They still don’t know the difference between a hacker, a cracker, a phreaker, and a script kiddie.

All this does is make a vain attempt at security through obscurity, something that has never worked well.  The next logical step is to create certificates, whereby only certified IT professionals may obtain the use of such tools.  However, that takes the common user out of the picture, particularly one that might want to use a program, such as nmap, to locate free wifi connections.

It is clear that the British government looks at the tools as the devices of illegal activity and not the users.  You are thus claiming that the individual is not responsible for his or her actions.  It is the program’s fault and, therefore, the program should be banned.

By the way, you can check out Nessus or nmap.  Even if they’re banned in the UK, they will still be out there lurking for whoever wants access to them.  They won’t care that it’s illegal.


The US Government, in its infinite wisdom, has decided to issue new passport cards for people who frequently travel between the USA, Canada, Mexico, and the Caribbean that can be read up to 20 feet away.

The goal of the passport card, an alternative to the traditional passport, is to reduce the wait at land and sea border checkpoints by using an electronic device that can simultaneously read multiple cards’ radio frequency identification (RFID) signals from a distance, checking travelers against terrorist and criminal watchlists while they wait.

“As people are approaching a port of inspection, they can show the card to the reader, and by the time they get to the inspector, all the information will have been verified and they can be waved on through,” said Ann Barrett, deputy assistant secretary of state for passport services, commenting on the final rule on passport cards published yesterday in the Federal Register.

Alternatively, people can wait in line and, by the time they reach the inspector, someone will have stolen the information off their passport card and cloned it.  In a matter of a few minutes, someone could take the same information from everyone else in line and walk off with a nice database of IDs up for grabs to the highest bidder.

The bottlenecks that we all suffer at border crossings have nothing to do with the passports and everything to do with the borders being severely understaffed all the time.  It’s quite difficult to check 200 people getting off a ship in Aruba when you only have two people on duty.  It doesn’t matter what kind of passport or passport card you have.  There is still going to be a delay.

Even at places such as Niagara Falls, the lines cause a few minutes’ delay, and it doesn’t matter if you have a passport or a passport card.  You’re still going to wait.

You also aren’t getting waved on through.  That never happens to anyone.

The $45 card will be optional and cannot be used for air travel. Travelers can opt for a more secure, if more costly, e-passport that costs $97 and contains a radio frequency chip that can only be read at a distance of three inches. Privacy and security experts said the new passport cards that transmit information over longer distances are much less secure.

So, first we’re told that we need these new RFID enabled passports to secure our borders from terrorists.  Now, they are saying you can get a less secure card because we should be making things easier for Americans so the lines move faster.

The problem with the card, Schwartz said, is that it uses a standard that wasn’t meant to track people. “It’s not made as an identity document,” he said. “The technology they’re using was designed to track goods — pallets of toilet paper at Wal-Mart,” he said.

People should never be tracked, let alone be tracked by technologies that are trying to determine if someone stole a pallet of toilet paper.

The government said that to protect the data against copying or theft, the chip will contain a unique identifying number linked to information in a secure government database but not to names, Social Security numbers or other personal information. It will also come with a protective sleeve to guard against hackers trying to skim data wirelessly, Barrett said.

It’s been proved several times that these can still be hacked into.  Once you get the unique identifying number, all you need to do is clone the card and then let it ping the official reader and you can copy information.

Avi Rubin, a professor at Johns Hopkins University, said that two years ago, he duplicated an RFID chip in his “speedpass” used for buying gas, copied the information onto a laptop and, after extending a radio antenna from the laptop out the car door, was able to buy gas with the cloned RFID chip.

Although the chip is passive and can be read only when a reader pings it, a reader with a strong battery can detect the chip’s signal from as far as 40 feet away, Schwartz said. It can easily be cloned, posing the risk that a hacker could make a duplicate card to fool a border agent, he said.

And there you go.  You’re now a mule for a drug dealer and you didn’t even know it.

Randy Vanderhoof, executive director of the Smart Card Alliance, represents technology firms that make another kind of RFID chip, one that can only be read up close, and he is critical of the passport card’s technology. It offers no way to check whether the card is valid or a duplicate, he said, so a hacker could alter the number on the chip using the same techniques used in cloning.

Last year, the Government Accountability Office reviewed technology similar to that used in the passport cards. The report found low read rates and said the technology should be used only to track goods, not to identify people.

Even the GAO agrees with Mr. Vanderhoof.  This is far too easy to copy and entirely stupid to use a system that puts so many people at risk.

Again, we have a system put in place that will anger those who are jumping through the hoops necessary for them to travel.  Those that are entering for nefarious purposes are going to get in.

If you are still convinced that the RFID information is secure and that the “bad guys” can only ping your card and not actually read it, remember, they can tell, just by being able to ping the card, that it is likely you are an American, thus putting you, personally, at risk.  You are now a target.


Pudding Media has raised $8 million for their new venture, giving you ads while you talk.  They own ThePudding, a free, web based service that allows you to make phone calls for free over the Internet.

ThePudding provides free, PC-based phone calls to anywhere in the US or Canada. The big catch: computers in Fremont, CA will eavesdrop on and analyze every word of your conversation so they can serve up advertisements tailored to the topic at hand.

These ads are like the ads in Gmail, except that the Pudding’s computers do a speech-to-text translation of what you are saying and serve up contextual ads accordingly. The company says it does not store any of the conversations. The company plans on using its new capital to expand its reach to “cover all forms of voice services – mobile carriers, VoIP operators and Web voice applications.”

The large privacy issue with this is that Pudding Media believes that, if you find such a service so chilling and entirely pervasive, then you don’t need to use it.  They are targeting people who don’t care.  They just want a free phone call.  The problem is, the person on the other end of the line never gave their consent to being monitored.  They gave no permission to have their conversations analyzed by anyone, even a computer.

In some states it is illegal to record telephone conversations without telling both parties that the conversation is being recorded. Those laws may or may not apply here, since these phone calls are not recorded, but rather monitored on the fly. A counterargument would be that the content of the calls is stored (i.e. recorded) for some period of time in order to be converted to text, analyzed, and matched to ads—even if it is just a few seconds before being discarded. This could become a legal can of worms.

You got that right.  This is a can of worms that never should have been opened.  Calls to anywhere in the world are cheap enough these days that a lot of people are going to balk at the idea of having their conversations monitored.  Did people not learn from Beacon that they still think this is a good idea?


Privacy experts are concerned after Halifax bar, The Dome, agreed to have extensive security and surveillance cameras installed inside the bar.  They believe that, by agreeing to such measures, other business establishments will be forced to do the same.

Authorities closed the Dome after a brawl early on Dec. 24 resulted in 38 arrests. The bar is back in business now, but only after it agreed to implement a long list of security measures, which include giving police and liquor inspectors full access to surveillance cameras at the premises or via the Internet.

This is such a huge invasion of privacy that most people don’t even realize that there is, and will be, an end result to all this spying.  You are going to be watched every single place you go.

“The biggest risk is this can become more common, and once you start doing that it’s very easy to extend it further and extend it further,” said David Fraser, a privacy lawyer in Halifax.

“They see it work in one place and they extend it all over the place. And then it’s impossible to go out and have a drink without actually being watched by the police. A lot of people would get freaked out by that.”

Once police and liquor inspectors get access to surveillance cameras in bars with a history of violence, authorities could make it mandatory in establishments with potential for problems, Mr. Fraser said.

“As these things become more normal or more standard, the less jarring it is for those who actually care about privacy.

“If you put a frog in a pot of cold water and you turn up the heat, it’s not going to jump out because it doesn’t notice the incremental changes.”

There would be few limits on what authorities could do with the information they gather from surveillance cameras, Mr. Fraser said.

“It’s really no different than, theoretically, having a cop sitting at the bar or walking around the establishment. It’s just a whole lot more convenient and probably more pervasive.”

Mr. Fraser said he’d be less likely to have a drink in a bar if he knew authorities could be watching.

Police aren’t sure yet how they’ll use 64 surveillance cameras at the Dome.

64?  Sixty-freaking-four?  Why in God’s name would you need 64 cameras in a bar?

“This is something new to us. We’ve never had access to their cameras, other than, as in any establishment, you would have after (a crime) for the purpose of investigation,” Halifax Regional Police Supt. Don Spicer said after Friday’s Utility and Review Board hearing that reinstated the Dome’s liquor licence.  “So we really have to look at what we really will be doing with the access that we will be gaining.”

You don’t even know how you’re going to use the information you’re now getting, yet you made it mandatory for this bar to re-open.  I bet the police don’t even see the possible abuses of this system and will be surprised when it happens.

The new camera system means liquor inspectors will be able to monitor the bar without being there, Mr. Parent said.

Great.  Now you have a system in place whereby the people that are supposed to be inspecting the place never even have to show up.  Why have inspectors at all then?

Surveillance video could be used to both indict and clear people of any wrongdoing, he said.

Aw, isn’t that nice.  You’ll let the innocent people have access to the footage as well.  It’s only the law to begin with, you moron.

“I guess Big Brother if you want to put it in that sense, if you’re out to do something wrong,” he said. “If you’re not out to do something wrong, then I think you’d see it as a safeguard.”

Looks like Mr. Parent has been reading how-to manuals from the Nazis.  Once this power is in the hands of the state, the people are the ones in danger.  Good luck stopping this snowball from growing.


First, New Jersey decided that it was necessary to require newborns and their mothers to be tested for HIV, then, it restricted sex offenders’ access to the Internet, and, now, they’ve made breathalyzer tests mandatory in several high schools.

Instead of addressing the root problem of underage drinking, school authorities have, instead, just pushed their kids into other gateway drugs, such as marijuana and heroin.  They’ll still pass the breathalyzer test though, so no worries there.  Though the rule right now is for dances and other social events, it is easy to see that initial, successful tests at dances will lead to instituting the policy school-wide and for any situation the administration deems necessary.

“I’m all for it because if your child isn’t doing anything wrong, then you have nothing to hide,” parent Barbara Fede said.

Well, Barbara, I hope things like the Patriot Act come back to bite you in the ass one day.  I hope you enjoy that the government can listen to your phone conversations without a warrant and without notifying you.  Then again, you should have no problem with such a law because, you know, you don’t have anything to hide, do you?

Pequannock School District superintendent Dr. Larrie Reynolds said some students’ recent behavior left the district no choice.  “It actually came to a head when last year at the graduation senior trip, that we had students who actually couldn’t graduate as a result of their drinking,” school board member Dr. Larrie Reynolds said.

Ah, yes.  Let’s blame everyone for a few people who broke the rules.  Maybe it would have been a good idea to have the chaperones on that graduation senior trip, oh, I don’t know, actually act like chaperones?  These trips don’t happen without adults present.

Pequannock also has an active Breathalyzer test, similar to what would be used during a police traffic stop. It’s a little more intrusive, but administrators believe it sends a clear message about their zero-tolerance policy on alcohol abuse.

Uh, no.  The only message it sends is that alcohol is bad and if you drink alcohol, you’re bad.  It sends the message that you should let those in authority over you do whatever they want, no matter how intrusive it is.  It is sending the message that we should all be sheep and obey whatever anyone with any power over you has to tell you.

“I don’t think people will like, drink anymore,” Pequannock student Erika Vecchiet said.

I think, like, you know, Erika is the exact kind of good citizen these people want.

Pequannock school officials say they avoided running into any privacy issues by making students sign a contract which states they must submit to a Breathalyzer if they want to attend a school social event.

Goodbye social events then.  Never sign a contract where you voluntarily give away your rights, especially when any minute failure of said devices can prevent you from even attending this school.
