
Security quotes of the week

We log every message. We log who sent it, from what IP address, and to whom. We scan headers and payloads for potentially "spammy" topics. We even retain binary attachments and other payload data. Whereas before, the Email system only logged trivial, non-identifiable information, it now warehouses every message and tags it internally with a customer account number.

This is the "equal and opposite" reaction to blacklists: Total Information Awareness applied to our customer's email.

-- Anonymous PRIVACY Forum reader (and ISP employee)

Paula Broadwell, who had an affair with CIA director David Petraeus, similarly took extensive precautions to hide her identity. She never logged in to her anonymous e-mail service from her home network. Instead, she used hotel and other public networks when she e-mailed him. The FBI correlated hotel registration data from several different hotels -- and hers was the common name.

The Internet is a surveillance state. Whether we admit it to ourselves or not, and whether we like it or not, we're being tracked all the time. Google tracks us, both on its pages and on other pages it has access to. Facebook does the same; it even tracks non-Facebook users. Apple tracks us on our iPhones and iPads. One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period.

-- Bruce Schneier

So, you know all that talk about things like Aaron's Law and how [the US] Congress needs to fix the CFAA [Computer Fraud and Abuse Act]? Apparently, the House Judiciary Committee has decided to raise a giant middle finger to folks who are concerned about abuses of the CFAA. Over the weekend, they began circulating a "draft" of a "cyber-security" bill that is so bad that it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA. Rather than fix the CFAA, it expands it. Rather than rein in the worst parts of the bill, it makes them worse. And, from what we've heard, the goal is to try to push this through quickly, with a big effort underway for a "cyberweek" in the middle of April that will force through a bunch of related bills.
-- Mike Masnick analyzes proposed US legislation

Security quotes of the week

Posted Mar 29, 2013 15:33 UTC (Fri) by apoelstra (subscriber, #75205)

Regarding Schneier's comment that
> One reporter used a tool called Collusion to track who was tracking him; 105 companies tracked his Internet use during one 36-hour period.

The Firefox extension RequestPolicy prevents sites from connecting to other domains unless you specifically authorize them to. It's astonishing how many sites connect to the same spy agencies.

(Of course, there are still sites, like LWN, which don't need any additional domains, or just need one or two CDNs. But not many.)

Security quotes of the week

Posted Apr 8, 2013 10:35 UTC (Mon) by Duncan (guest, #6647)

I've been using RequestPolicy for some time now (FWIW in stricter policy-per-host mode, not the default policy-per-second-level-domain mode).

It DOES take a few days/weeks of active hassle to get it set up nicely on one's usual sites, permitting the domains needed for (actually needed) scripting and CSS and for images and similar content, without permitting the all too normal tracking (including off-site ads, also google analytics, the ONE tracker site LWN seems to (ab)use), but once one's normally visited sites are set up, maintenance load goes down DRAMATICALLY. There's still the one-time sites to set up, but at least here, I don't really have as many of them as I might have thought. And when I do follow a link to such a site, I make sure I only allow temporary permissions so it doesn't clutter my permanent list too badly.

Of course I use noscript as well, which means for scripts I often have to permit them in two different spots, noscript and requestpolicy, but again, once it's set up for one's usual sites it's not too much of a hassle.

The one feature I SORELY miss in requestpolicy that's in noscript is the "untrusted" list that's automatically blocked and thus doesn't show up in the primary blocked list at all, but rather in the "untrusted" submenu. Were that feature available, it'd cut down the clutter of "never trust" sites showing up in the candidate allow list dramatically, thus making it much easier to find and allow the site's CDNs only, without having to go through the whole list of googleanalytics/facebooktracker/twittertracker/etc that I *NEVER* allow, eliminating the "needle in a haystack" effect the requestpolicy list sometimes gives one the feeling of now. That'd be the single best usability enhancement I could think of.

But that said, as to requestpolicy effectiveness, put it this way: With requestpolicy in place I tried but eventually uninstalled collusion, because it was simply a boring rehash of all the (one, two, very occasionally a single handful of) sites I'd previously specifically allowed a particular site to connect to. And even then, in many cases collusion only showed a connection once I deliberately followed a link. Basically, I tried to get collusion to give me the nice diagram of connections displayed in the documentation, and it simply wouldn't, because requestpolicy was simply blocking too much of the tracking web collusion might have otherwise constructed, so there simply wasn't anything interesting to show. I was actually a bit disappointed in collusion, but OTOH, it definitely boosted my faith in requestpolicy. =:^)

Duncan
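The policy the two comments above describe (cross-site requests blocked unless a rule allows them, a strict per-host mode versus a per-second-level-domain mode, and temporary permissions that vanish with the session) modelled as an added JavaScript example. This is not RequestPolicy's own code: the class and method names, the rule shape, the mode names and the sample URLs are assumptions, and the "second-level domain" helper is a deliberately naive last-two-labels approximation whose failure mode under a public suffix such as .co.uk is shown as the reason a per-host policy is the safer choice.

```javascript
// Added example (not RequestPolicy's code): a minimal model of a
// cross-site request policy. A request from a page to another host is
// blocked unless a rule allows it. Rule shape, mode names, and the sample
// URLs below are assumptions made for this illustration.

// Naive "second-level domain": the last two labels of a hostname, so
// "cdn.site.example" -> "site.example". Assumption: this approximates what a
// per-domain mode compares; sldPitfall() shows where the heuristic fails.
function secondLevelDomain(host) {
  const labels = host.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

class RequestPolicy {
  // mode "host": compare full hostnames (strict); mode "sld": compare
  // second-level domains (the more permissive per-domain mode).
  constructor(mode = "host") {
    if (mode !== "host" && mode !== "sld") throw new Error("unknown mode: " + mode);
    this.mode = mode;
    this.rules = []; // entries: { origin, dest, temporary }
  }

  key(host) {
    return this.mode === "host" ? host.toLowerCase() : secondLevelDomain(host);
  }

  // Permit requests origin -> dest. Temporary rules only last until
  // endSession(), which is how a one-off site can be allowed without
  // cluttering the permanent list.
  allow(origin, dest, { temporary = false } = {}) {
    this.rules.push({ origin: this.key(origin), dest: this.key(dest), temporary });
  }

  endSession() {
    this.rules = this.rules.filter((r) => !r.temporary);
  }

  // Decide for a request from the page at pageUrl to destUrl.
  // Returns "same-site" (no rule needed), "allowed" (rule matched) or "blocked".
  decide(pageUrl, destUrl) {
    const o = this.key(new URL(pageUrl).hostname);
    const d = this.key(new URL(destUrl).hostname);
    if (o === d) return "same-site";
    const hit = this.rules.some((r) => r.origin === o && r.dest === d);
    return hit ? "allowed" : "blocked";
  }
}

// Constructed sample: an article page that pulls its stylesheet from its own
// CDN host, an image from itself, and a tracking pixel from a third party.
const PAGE = "https://site.example/article";
const SAMPLE_REQUESTS = [
  "https://cdn.site.example/style.css",
  "https://tracker.example/pixel.gif",
  "https://site.example/logo.png",
];

// Run the sample under a policy that allows only site.example -> cdn.site.example.
// Returns [url, decision] pairs.
function runSample(mode) {
  const policy = new RequestPolicy(mode);
  policy.allow("site.example", "cdn.site.example");
  return SAMPLE_REQUESTS.map((u) => [u, policy.decide(PAGE, u)]);
}

// Edge case: under a public suffix such as .co.uk, the last-two-labels
// heuristic treats every *.co.uk host as one "domain", so sld mode waves
// through a request to an unrelated site that host mode blocks.
function sldPitfall() {
  const page = "https://shop.example.co.uk/";
  const dest = "https://evil.co.uk/track.js";
  return {
    host: new RequestPolicy("host").decide(page, dest),
    sld: new RequestPolicy("sld").decide(page, dest),
  };
}

// Temporary permission: allowed now, gone once the session ends.
function temporaryRuleDemo() {
  const policy = new RequestPolicy("host");
  policy.allow("site.example", "oneoff.example", { temporary: true });
  const before = policy.decide(PAGE, "https://oneoff.example/widget.js");
  policy.endSession();
  const after = policy.decide(PAGE, "https://oneoff.example/widget.js");
  return [before, after];
}

console.log(runSample("host"), runSample("sld"), sldPitfall(), temporaryRuleDemo());
```

In host mode the CDN request needs an explicit rule and the tracker stays blocked; in sld mode the CDN counts as same-site because it shares the last two labels with the page. The .co.uk case is the price of that convenience: a real per-domain implementation has to consult a public suffix list rather than counting labels, and a per-host policy sidesteps the problem at the cost of more rules to maintain.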

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds