(2007-11-19) [The Register] Mozilla's head of security has promised a patch for a dangerous vulnerability that's been lurking in the popular Firefox browser for more than eight months.
The new urgency in fixing the jar: protocol handler comes after bloggers in recent weeks demonstrated how the vulnerability could wreak real-world havoc, including allowing attackers to steal a victim's Gmail contacts. Short for Java Archive, the jar: protocol is used to compress Java classes and other types of files into a single file. Problem is, the protocol will open any zip-formatted file without first validating the MIME type of the archived contents. Malicious content is then run in the context of a trusted site. "An attacker can use this to evade filtering on sites that allow users to upload content and use this [to] initiate a cross site scripting attack," Window Snyder, Mozilla's security chief, wrote in this post on the Mozilla Security blog. "This may allow the attacker to access information stored on the trusted site without the victim's knowledge." (Excerpt from news story by Dan Goodin)
[source: News]
(2007-11-19) [BBC] Like most journalists I know I'm very sloppy about keeping my online communications secure. I rarely encrypt e-mail messages, leaving them to be read by anyone in the electronic chain between me and the intended recipient. And I use public chat services like MSN Messenger and iChat, even though they send messages as plain text across the network.
Partly this is because the tools needed to make communications secure can be cumbersome and complicated, even for someone with a technical background. But partly it is because I have not often been involved in researching stories that are going to bring me to the attention of those with the capabilities needed to tap even insecure online communications. But you never know. (Excerpt from news story by Bill Thompson)
[source: News]
(2007-11-11) [NewsWireless.net] The often-quoted number of times the average Londoner is caught on camera per day is scary: 200. (And that was a few years ago; it's probably gone up.) ... What is the right, privacy-conscious response to make?
I was reminded of this a few days ago when I was handed a copy of Privacy in Camera Networks: A Technical Perspective, a paper published at the end of July. Given the amount of money being spent on CCTV systems, it's absurd how little research there is covering their efficacy, their social impact, or the privacy issues they raise. In this paper, the quartet of authors -- Marci Lenore Meingast (UC Berkeley), Sameer Pai (Cornell), Stephen Wicker (Cornell), and Shankar Sastry (UC Berkeley) -- are primarily concerned with privacy. They ask a question every democratic government deploying these things should have asked in the first place: how can the camera networks be designed to preserve privacy?
[source: Blog]
(2007-11-11) [The Washington Post] As Congress debates new rules for government eavesdropping, a top intelligence official says it is time that people in the United States changed their definition of privacy.
Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information. Kerr's comments come as Congress is taking a second look at the Foreign Intelligence Surveillance Act. Lawmakers hastily changed the 1978 law last summer to allow the government to eavesdrop inside the United States without court permission, so long as one end of the conversation was reasonably believed to be located outside the U.S. (Excerpt from news story by Pamela Hess) See also speech transcript.
[source: washingtonpost.com]
(2007-11-09) [1105 Media, Inc] Hugo Teufel III, chief privacy officer of the Homeland Security Department, said recently at a roundtable discussion on cyber security for the Congressional High Tech Caucus that there was no need to balance privacy and security. The two go hand in hand, he said.
What a disturbing thing for a chief privacy officer to say. Although it is true that security can help ensure privacy, the two are not the same thing. Security often entails gathering sensitive information about individuals, and these collections raise plenty of concerns about privacy, no matter how well-intentioned. (Excerpt from news story by William Jackson)
[source: Government Computer News]
(2007-11-08) [Ars Technica LLC] Criminals have plenty of reasons for wanting to encrypt their e-mail, and services like Hushmail offer such encryption in a strong form; not even the company can view the messages sent through its systems. Under most circumstances.
But there are cases when it can read the messages, and when that happens, those messages can then be subpoenaed by law enforcement. An alleged California supplier of anabolic steroids found that out the hard way earlier this year when Drug Enforcement Agency officers collected his supposedly "secure" e-mail from Hushmail. (Excerpt from news story by Nate Anderson)
[source: ars technica]
(2007-11-07) [EDRI] The Czech Interior Ministry introduced in October 2007 a new National Action Plan to Combat Terrorism that would increase the access of the police and intelligence authorities to personal data, under the pretext of the protection against terrorism.
The Czech Ministry of Interior has introduced a similar plan every year since 2002 - in 2005 it actually won the Czech Big Brother Award for it - which, until now, has been rejected by the Parliament. The Plan of Action is meant to be used to draft legislation allowing police and other agencies to have access to emails and to wiretap without following any court procedures.
[source: EDRI-gram, Number 5.21]
(2007-11-07) [EDRI] The ICANN meeting that took place last week (29 October - 2 November 2007) in Los Angeles was expected to decide on the WHOIS database privacy problems. But unfortunately the decision taken was just to make further studies on the matter, despite the already seven years of discussions on this topic.
The need for WHOIS reform has been a hot topic for some years in the civil society and some ICANN structures. An EPIC & NGO Letter to ICANN Board on Need for Whois Reform sent on 30 October 2007 asks "for changes to WHOIS services that would protect the privacy of individuals, specifically the removal of registrants' contact information from the publicly accessible WHOIS database."
[source: EDRI-gram, Number 5.21]
(2007-11-07) [EDRI] The European Commission (EC) put forward on 6 November 2007 a PNR plan that is almost similar to the EU-USA PNR (Passenger Name Records) agreement. The EU PNR plan is part of a new package of proposals "aimed at improving the EU's capabilities in the fight against terrorism."
According to this proposal, EU will have to collect 19 pieces of personal data on air passengers coming into and leaving the EU space, including phone number, e-mail address, travel agent, full itinerary, billing data and baggage information. The information will be collected in analysis units that will make a "risk assessment" of the traveller, which could lead to the questioning or even refusal of the entry. The data is to be kept for five years and then another eight years in a "dormant" database.
[source: EDRI-gram, Number 5.21]
(2007-11-07) [EDRI] European Digital Rights Initiative (EDRI) is supporting the letter Privacy International (PI) sent on 5 November 2007 asking the head of the European Commission DG Competition, Commissioner Kroes, to take the merger of Google-Doubleclick to the next phase. PI argues that the merger could have serious implications for privacy innovation in advertising.
The letter explains the problems that the merger could bring to the online advertising market: "Google's purchase of Doubleclick is particularly worrying because it is a significant consolidation in this domain and we worry that this very competition to provide high-quality privacy practices will dissipate. Google's dominant position in the search marketplace will be compounded by Doubleclick's dominant position in online profiling, leading to a potentially abusive situation for the protection of privacy. If the merger is approved, then Google's dominant service will transform radically from one with a search advertising function into one that collects both searches and browsing habits of users."
[source: EDRI-gram, Number 5.21]
(2007-11-06) [CanWest MediaWorks Publications Inc.] Canada's privacy commissioner says there was very little consultation with her office before the Conservative government introduced a no-fly list for air travellers last June.
And Jennifer Stoddart told the Air India inquiry Tuesday that she has so far seen little rationale for the list, part of the so-called Passenger Protect Program. Stoddart told inquiry Commissioner John Major she is concerned that people could be placed on the list in error and face dire consequences if their identities are then disclosed to the RCMP or passed on to police agencies in other countries. (Excerpt from news story by Kim Bolan)
[source: Edmonton Journal]
(2007-11-05) [McGraw-Hill Companies Inc.] Part of a new anti-terrorism campaign, a commission proposal would allow member states to collect personal information and keep it for 13 years.
As part of a new EU counter-terrorism strategy, Brussels is to propose that member states collect 19 pieces of air passenger data, with the possibility to store it for up to thirteen years. On Tuesday (6 November), EU home affairs commissioner Franco Frattini will kick off a lengthy legislative process, which at the end should see an EU-wide air passengers name recording scheme (PNR) similar to the controversial US database on European air travellers. (Excerpt from news story by Renata Goldirova)
[source: BusinessWeek]
(2007-11-01) [Datainspektionen] Public transport is now replacing tickets and monthly passes with smart cards that leave electronic traces. Datainspektionen has reviewed the three major companies' systems and approves the cards on certain conditions. For example, it must be possible to travel anonymously.
Storstockholms lokaltrafik (SL), Västtrafik and Skånetrafiken are currently introducing new ticketing systems in which travellers use smart cards that can be loaded with electronic tickets or cash to travel with. When a traveller uses the card on a bus or at a metro gate, a travel history is recorded: card number, date, time and stop/gate. Up to that point the data cannot be linked to any person, but if the customer wants the loss-guarantee service, so as to be able to block the card if it is stolen or lost and get back the money remaining on it, the company needs to be able to identify the traveller. The card number must then be linked to a personal identity number, name and address. The loss guarantee is voluntary, but it means that the electronic trace, the travel history, can be linked to a person.
[source: News]