This year, I’m not doing any presentation. I have some ideas for next year.

I will be running the keysigning party on Friday, October 9 at 7:15pm at the conference. I’m stepping into doing this a bit last minute, so we’re going to provide some additional info and the instructions for the keysigning party on the UTOSC website should be updated very soon.

To participate, just show up. If you want help generating a key pair and getting started, there will be several people there who can assist you, just be sure to bring your own notebook computer. If you have keys, please, email me your full key ID (not a short or medium) at keysigning@openbrainstem.net. It is a good idea to digitally sign that email. If you have multiple keys, include them all. I actually have three separate keys these days and 2 of them have multiple IDs associated with them.

(and PGP) allow us to digitally sign messages (usually email, but can be used with other communications systems, too), code and other documents. It also let’s us encrypt files, emails and just about anything else. This is an extremely important technology for a lot of reasons, some of which I’ve discussed in past articles on this blog (and others). Defending our privacy and ensuring the integrity of our personal, family and business communications is vital. We sign each other’s keys to build a “web of trust.” This is the critical step that makes the whole thing usable.

If you have never used PGP or GPG (a.k.a. GnuPG, Gnu Privacy Guard) before, visit the GnuPG website for a basic description of how to generate your key pair.

If you have never participated in a keysigning party, check out the Keysigning Party HOWTO and/or [ http://keysigning.org/ ].

Immediately following the Utah Open Source Conference 2007 keysigning party, I wrote a simple script to help help you sign-lots-o-keys. You can download the script from [ http://www.openbrainstem.net/download/sign-lots-o-keys ]. If I have time before the keyparty in just two days, I have some little updates that I would like to implement in that script. But don’t hold your breath. Perhaps there will be time at the conference on Saturday?

So, please, plan on joining us on Friday. These are always good fun.

I’m posting the script, which is still very rough, as I didn’t both taking any time when I whipped it up last night to take care of everything that it really should be doing. Still, I’ll work on it here and there, I’m sure. You can download it from http://www.openbrainstem.net/download/sign-lots-o-keys. If you feel like makeing some fixes, either post your patches (please, create them as a unified diff file, if you wouldn’t mind) and put a link in the comments here and/or on your own blog.

Enjoy!

The new law amends the “Foreign Intelligence Surveillance Act of 1978 to provide additional procedures for authorizing certain acquisitions of foreign intelligence information and for other purposes.” It was sponsored by Sen. Mitch McConnell [R-KY] and Sen. Christopher Bond [R-MO].

I haven’t had time, yet, to fully read the resulting text of the bill (there are always amendments to bills as they pass through Congress), so I will reserve any specific commentary for a latter time. However, it appears that this new law could seriously affect privacy under certain circumstances in the United States.

The IMMI phone randomly samples 10 seconds of room audio every 30 seconds. These samples are reduced to digital signatures, which are uploaded continuously to the IMMI servers.

But why would they do that? Money, of course:

IMMI also tracks all local media outlets actively broadcasting in any given designated media area (DMA). To identify media, IMMI compares the uploaded audio signatures computed by the phones with audio signatures computed on the IMMI servers monitoring TV and radio broadcasts. IMMI also maintains client-provided content files, such as commercials, promos, movies, and songs.

By matching the signatures, IMMI couples media broadcasts with the individuals who are exposed to them. The process takes just a few seconds.

Panel Members may sometimes delay watching or listening to a program by using satellite radio, DVRs, VCRs, or TiVo. IMMI captures these viewings with a “look-back” feature that recognizes when a Panel Member is exposed to a program outside of its normal broadcast hour, and then goes back in time (roughly two weeks) to identify it.

Now, let’s think about this just a little. If anyone in a given room has bought into this free cell phone scam (yeah, that’s right, I’m calling it a scam; you gotta problem wit dat?), then they have chosen to give up their privacy. But what they probably don’t realize or think about is that everyone else in any room they are in has just lost his/her privacy and they don’t know it.

Personally, I want to know what these “special” cell phones look like so I can recognize them. When I see one, I’m going to politely ask the “owner” of it to remove the battery. I’m sure they’ll look at me funny, but I’ll calmly, patiently and very briefly explain why. If they refuse, then I will ask them to leave the room or bury the phone in a purse, briefcase, coat or computer bag where it can’t hear anything.

I wonder what will happen when the first lawsuit is filed against the company for breaching other people’s privacy. I mean, since I haven’t signed their agreement, they are violating my privacy by placing the device with an irresponsible person who would allow it to be in the same room as me.

One of them built the tracker hardware (for only $250) which they interfaced with Google Maps.

Their paper has the details.

This is a great example of how even without any personal information stored on an RFID chip, privacy is easily violated (as long it has anything unique on it, like an ID).

Hilarious.

But there’s a great security point here, too. They wanted to reduce the incidence of “dine-n-dash” events, where people skip out without paying. Holding your driver’s license would surely help, or so they thought. But they didn’t count on the reaction to this violation of privacy or, more importantly, the inconvenience this was to their customers.

Security Rule #1: Security is only as good as the weakest link.
Security Rule #2: You’re weakest link will (almost) always be the users.
Security Rule #3: To users, security = inconvenience.

Observation of End Users in the Wild: Users will fight inconvenience.

Good security is invisible to users, or at least, it isn’t overtly present and doesn’t require them to do anything. That’s why supermarkets and convenience stores place monitors where customers can see that the front doors (and other high-value areas) are being watched. People make the assumption that the camera feeds are also being recorded (which is not always true, but often).

At least this IHOP incident wasn’t condoned by corporate management.

Bruce Schneier, CTO of BT Counterpane, author and world-renowned security expert & privacy advocate gave an interview regarding RFID passports. It is available as a podcast.

There isn’t any new information in there, at least, nothing that I haven’t talked about before. However, it is an excellent, easy to understand explanation of the key issues surrounding RFID chips being embedded in government issued IDs. It’s not very long, but is good information for everyone from the technically challenged to government officials and even security experts.

Abstract:

By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international Machine Readable Travel Documents which dramatically decrease their security and privacy and increases risk of identity theft. Simply put, the current implementation of the European passport utilises technologies and standards that are poorly conceived for its purpose. In this declaration, researchers on Identity and Identity Management (supported by a unanimous move in the September 2006 Budapest meeting of the FIDIS “Future of Identity in the Information Society” Network of Excellence[1]) summarise findings from an analysis of MRTDs and recommend corrective measures which need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues.

Thanks to Bruce Schneier for posting this on his blog.

I had read about TrackMeNot a little more than a week before on Bruce Schneier’s blog, and so I already knew TrackMeNot was a flawed idea. Peter also makes some very good points in his post, but, unfortunately, it falls short of pointing out some of the more serious problems with TrackMeNot.

I’ll just summarize the problems here. For further explanation, read Bruce’s post:

1. It does not hide your searches (they are still identifiable with you).
2. It’s far too easy to spot (and therefore, far too easy for AOL and others to defeat) and it’s schedule is regular & fixed.
3. Some of the generated searches are worse than what you would try to hide.
4. It wastes lots of bandwidth, while returning absolutely no privacy or security benefit.

I like this quote from Bruce’s post:

Yes, data mining is a signal-to-noise problem. But artificial noise like this isn’t going to help much.

You really should read the whole article,even though I summarize it here.

The folks at FairUse4WM cracked Microsoft’s PlaysForSure DRM software in Microsoft Windows Media Player.

If you really want to see Microsoft scramble to patch a hole in its software, don’t look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond’s DRM.

It only took a couple of days for the FairUse4WM people to compensate. I’m sure it won’t be long before Microsoft tries to patch this again.

But the real moral of the story is that companies like Microsoft don’t actually care about security except when it embarrass them or directly threatens their strategic agreements (like with record labels).

Well, it’s just not true.

It’s only a thin wrapper around Microsoft’s Internet Explorer version 5.5 (or later). Since IE stores all sorts of stuff in places on your system without telling you, Browzar can’t deal with all of it. Scott Hanselman has actually shown that Browzar misses the mark on this point.

There are other problems with this, too. For example, this program will not affect any servers that you visit, or any caching proxy servers in between (like at work or a university).

Anonymity on the web is not just about the stuff that’s on your computer, though it’s an important part; it’s also about the things those servers you connect to keep track of and tell each other.

Web browsers such as KDE’s Konqueror, Mozilla’s Firefox, Apple’s Safari (built on/from Konqueror, BTW) and others already support local privacy features. These include Konqueror’s excellent cookie management capabilities and Firefox’s support for auto deletion of cached data. All of these browsers sport these privacy enhancing features, though they have differing approaches and levels of control.

First, they put spam up that includes links to their phishing sites on blogs they troll the net for. This part is very easy, thanks to services like Technorati and Blogger.

Next, “young” bloggers (i.e., those who are still fairly new to the “sport” of blogging), see comments. Either they naively authorize the spam comment, don’t moderate at all or decide to follow the links and check it out before authorizing the comment. If the comment gets posted to the blog, then others who read the blog can fall into the trap. If the blogger decides to visit the pages, they could get sucked in to all kinds of things.

But as I looked at a few of the links, they turned out to cause redirects to either www.abusepost.com or www.spamcop.net (I didn’t make those into links on purpose; DISCLAIMER: GO TO THOSE SITES AT YOUR OWN RISK, I’M NOT RESPONSIBLE FOR YOUR CHOICES). Of course, the vast majority of bloggers, both experienced and just getting started might think that those sites are providing a pretty good service. Looking a little more closely at the form and at the HTML itself reveals that these sites look suspicious. They require your name, email address and website address (which will be the blog that they hooked you at in the first place, for most people).

Were you paying close attention? They require you to provide the exact information spammers want in order to “report” a site that they are already “about to shut down”? Doesn’t make much sense to me.

Do you smell phish or am I the only one?

A word to the wise: Just Say No.

Here are some simple rules for Internet safety, though, they apply (with proper contextual edits) to any online communication:

1. Moderate — Whether it’s comments on your blog(s), forums (which I hate, BTW) or mailing lists. Moderation is currently the most consistently effective way to defeat all forms of SPAM.
2. Never give out your information if you don’t have to — Just because a particular website’s “form” says that it requires your information, doesn’t mean they should be given any. We all know not to publish our credit card numbers online, but it’s amazing how many people don’t understand that your name, email address, street address, phone numbers, websites, employer’s name, favorite color, mother’s maiden name, etc. are not needed by most websites. When in doubt, don’t give it out.
3. The only stupid questions are the ones you do not ask — In other words, ask someone you know who has lots of experience with the Internet, email, spam, security, etc., any questions about specific websites or other items in general. Keeping yourself safe is hard enough to do, but keep trying to do it without the right information and you just might make things much worse.
4. Don’t open HTML emails — If someone sends me an HTML email (and I think it’s worth this effort), I send it back to them with a simple, polite note explaining that for security reasons, I do not accept nor read emails that are not in plain text. Too many people are using stupid email programs like Microsoft Outlook and Outlook Express that have hundreds of severe security flaws when it comes to processing HTML email, alone.
5. Don’t Panic — It can be easy to let fear take over at this point and abandon your dreams of blogging and the “Internet lifestyle”. Don’t worry, it’s not that hard to keep yourself safe. Once you know how to recognize the dangers, it’s easy to avoid them.
6. Think — (OK, this one could sound kinda mean, but it’s not; it’s just a sad truth, so don’t take it too personally) The spammers and the Phishers keep doing what they do because it works. There are just too many people on the Internet who do not think for themselves. You have a brain and I’m sure it functions at least well enough to read this far. I’m sure you have a lot more capacity to figure things out than you might be giving yourself credit for. Being able to think is not enough on it’s own, but with a little bit of knowledge, your brain can be used to help keep yourself, and your loved ones, safe on the Internet.
7. If in doubt, bail out — You don’t have to go any further than you already have when visiting any website or continuing a discussion on IM in a chat room or on a mailing list. You can pull the rip-cord at any time.

I’m sure there are other things that we could put in that list. Perhaps some commenters will try to help me out in that regard. But I think these basics should be enough to get you started.

This is one of my favorite Turkish proverbs:

No matter how far you have gone down the wrong road, turn back.

Although I’m not a lawyer in Canada or anywhere else, but it sure feels like this guys rights were ignored. It is especially disturbing to me that his notebook was riffled after he was already cleared; after the authorities decided that it was a complete false alarm.

I also think that it’s both good and bad that these kinds of overreactions are being ignored by the mainstream media. It’s good because they’re not fearmongering as much as they did. It’s bad because they are not showing how the recent fearmongering is still affecting us and they are missing out on the civil rights/anti-privacy story. Then again, it would seem that the mainstream media doesn’t understand privacy. Perhaps it’s not in the “journalist’s Glossary”?

Thanks again go to Bruce Schneier for bringing this example to our attention.

Oh, and the EFF gets mentioned in the article, starting from the second paragraph.

Privacy is a very important matter. Privacy is a central, core component to liberty and true freedom. If we (US Citizens) don’t pay attention to it, there are forces who would like to take it away. Most of the time, we call those forces terrorists, but there are other more subtle forces also at work in the world.

My good friend, Pete Ashdown has an exellent position on the issue of privacy, and I support him on these efforts.

I’m not the political activist type person. I’m not going to use my blog that way, either. But I do consider it very important to let your voice be heard in matters that affect basic liberties. I vote.

Privacy is the most priceless freedom of all. It underlies every human right. Without true privacy, there is no liberty.

That’s my view. I’m Lamont Peterson and I’m not running for any political office. But if I win as a write in, I’ll throw a good party. :)