HazDat
18Mar/10

If your car’s not owned it could be pwned

Disgruntled Hacker [Debt Collector] Disables More Than 100 Cars Remotely

Pay Technology's Webtech Plus

Cleveland-based Pay Technologies is a company that sells hidden wireless black boxes that allow car dealers to remotely disable a car’s ignition, or trigger the horn to begin honking, as a not-so-gentle reminder that a payment is due. The Webtech Plus responds to commands issued through a central website, and relayed over a wireless pager network.

A car dealer in Austin, Texas began receiving complaints from hundreds of stranded customers late last month. According to the dealership's manager, the complaints stopped several days later, when he reset all the Webtech Plus employee passwords. Then police obtained access logs from Pay Technologies, and traced an IP address to a former employee. Police say he hacked into the dealership's computer system to deactivate the starters on the cars and set off their horns.

To call the suspect a "hacker" is really an insult to hackers. On the other hand, anyone who's ever spoken with a debt collector probably isn't very surprised by allegations of unethical behavior.

According to the dealership, the employee's account had been closed when he was terminated last month, but they allege he got in through another employee’s account. They claim he was working his way alphabetically through a database of all 1,100 customers whose cars were equipped with the device.

14Mar/10

FTC Queues-in on Netflix Member Privacy

Attn. MPAA: There are much worse ways to copy movies than with a computer.

In 2007 prosecutors in Anchorage, Alaska accused 34-year-old stripper Mechele Linehan of plotting a murder based on the 1994 movie "The Last Seduction". Life so closely imitated art, said prosecutors, that they even tried to have the movie played for the jury.

Rockstar Games Grand Theft Auto

In 2008 a teenager confessed that he was trying to imitate scenes from the video game "Grand Theft Auto" when he robbed and murdered a taxicab driver in Bangkok, Thailand. Movies like "The Deer Hunter" (1978) are even believed to have inspired several "copycat" suicides in the late 1970s and early '80s.

All of this may seem like fodder for censorship advocates, but that debate has largely come and gone in favor of preserving the First Amendment's right to free speech. Wise as the framers of the U.S. Constitution may have been, few would accuse them of being clairvoyant. After all, who could have predicted the impact the Internet would some day have on both the precept of free speech and the concept of privacy?

Though many speak of the "right to privacy", it is not, at least as far as the U.S. Constitution is concerned, a right at all. It is, nonetheless, an ethos that has long been coveted by Americans, and is implicit in the Fourth Amendment's:

...right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures...

Of course, mention the term "search" to most people today, and it's far more likely to conjure thoughts of "friends lists", home pages and e-books, than actual people, houses and papers. And while, in just the past few years, popular culture has come to embrace the sharing of intimate, private and personal details with virtual strangers, the desire to remain "secure" seems to be very much alive in the 21st Century. In fact, more than any other, the Fourth Amendment has played a central, albeit contested, role in the litigation of hi-tech criminal evidence.

I know what you watched last summer...

So, what does all this have to do with your Netflix queue? Though Americans, and many other people around the world, may be willing to voluntarily divulge personal information, either in trade for modern conveniences and services, or increasingly, for a sense of online significance, we're not quite as enthusiastic when it's taken from us and shared without any tangible return. It's no longer a secret that the monetary value of data has been pre-calculated into the return on investment (ROI) of so many of today's business models, but consumers still tend to expect a certain level of security. In recent years the bar has been set pretty low. Still, it may surprise many to learn that "anonymous" usage data can be deciphered into personally-identifiable intelligence, as proven by a pair of researchers at the University of Texas using what was thought to be anonymous user data provided to contestants in the three-year $1 million "Netflix Prize" to improve the site's recommendation results.

The UT's results brought both unwanted attention from the Federal Trade Commission and a lawsuit from a private firm, resulting in Netflix's decision last week to cancel a planned sequel to the prize awarded last year.

It's not hard to imagine how this sort of data could be exploited to peddle shoes to people who have rented all six seasons of "Sex and the City", or Best Buy ads targeted at fans of NBC's "Chuck".

Dreamworks Minority Report (2002)

It's no longer extraordinary to see similar data exploited in the process of investigating crimes either. Certainly the viewing interests and habits of the individuals mentioned above have been considered relevant discovery by law enforcement. In these cases, there's little, if anything, to decipher. Anything that Netflix knows about you, your account, and your viewing habits, is subject to a warrant, and, with or without much imagination, could be incriminating. How many of us haven't seen a good fictional car chase, a well-written murder plot, a scripted street-fight, or a perfectly executed crime? The consumption of such fiction could be hazardous to your defense, if it precedes similar accusations.

Now, imagine the same evidence available to anyone, without a warrant, subpoena, or probable cause. Perhaps someone at the FTC had the movie "Minority Report" in their queue.

28Oct/09

Location, Location, Location.

Recently, I had a wonderful opportunity to play a game of hi-tech "phone tag" on the streets of San Francisco with Reporter Martin Kaste from NPR's "All Things Considered". Late last Summer I was asked if I would be willing to sit down for an interview for a story he was researching about location privacy. But, instead of agreeing to meet Kaste, I told him he had to find me.

With the aid of his GPS-equipped smart-phone, some software, a little patience, and a good pair of walking shoes, he was able to "tag" me sipping a latte outside a coffee shop on Market St. Of course, with my own GPS, and software-equipped smart-phone, I was able to see him coming. What follows are the fruits of that encounter:

Digital Bread Crumbs: Following Your Cell Phone Trail

Jeff Fischbach is a little bit like those guys in The Matrix — when he puts on his shades and looks at the world, he sees data.

Walking down the street in San Francisco, he points out all the devices that record people's comings and goings: digital parking meters, apartment intercom systems, digital security cameras...

Listen to NPR's Digital Bread Crumbs: Following Your Cell Phone Trail

Audio and transcript: http://www.npr.org/templates/story/story.php?storyId=114241860&ft=1&f=1019

23Sep/09

You Tweet, therefore: YOU ARE HERE.

How Twitter says they'll hide your location from twits with subpoenas.

Recently, Twitter announced that they would be adding geolocation features to their service, allowing users to embed their physical location in their Twitter feed. So as not to alarm: Twitter has always maintained that this would be an opt-in feature. But, frankly, any web site you visit is privy to some information about your physical location by virtue of the IP address assigned to your computer by your Internet Service Provider (ISP) from a group of IP addresses reserved for your neighborhood. The logs kept by a web server, combined with a subpoena to the appropriate ISP, usually yield a street address for the subscriber assigned that IP address.

SmarterWare's Gina Trapani (formerly of Lifehacker.com) is attending the Twitter Conference in LA. She's posted updates explaining how Twitter plans to deploy this service and how they intend to protect Twitter's geolocation users from subpoenas. According to Gina, "Twitter will scrub geo-data stored in tweets more than 14 days old to avoid getting subpoena’d about a user’s location in the past. They will outright delete the location information from their database, not just anonymize."

7Sep/09

Taking a dump 21st Century style.

Gordon Bell (Source: Gizmodo)


Every time Microsoft researcher Gordon Bell takes a dump he learns something about himself. For instance, he now knows that he's visited 221,173 web sites in the last 8 years, and written or received 156,041 emails. He also knows how well his heart is pumping, how many miles he's walked, where he's been, and even with whom he's spoken and visited. In fact, from what most of us consider a waste product, Bell can even decipher how many songs he's listened to, and see pictures and videos of the places he's been and the things he's seen.

Fantastic as this may sound, Bell is not the only person on earth who can do this. The same product is flushed from nearly every person every day in North America, and other industrialized nations. More significantly, while most of us are ignorant of or deny the very possibility, the government and large corporations are secretly extracting much the same information from each of us that Bell collects himself.

14Aug/09

Reality TV fans: This is your chance to be on TV’s Big Brother

CBS TV's Big Brother


OK, I'll admit it: I'm a reality TV junkie--including, but not limited to, CBS's Big Brother. (Go ahead, laugh, tease, ridicule. I can handle it.) And, now I come to find Big Brother is a fan of me!

Almost any night of the week, America tunes in to see good-looking people who gave up their mundane lives and mediocre livelihoods for a chance to have complete strangers watch their every move. If this has always been a dream of yours, I have great news:

Now, you can have complete strangers watch your every move! You don't have to be good looking, and you don't even have to give up your mundane life or mediocre livelihood.

What's the secret? It's called PrimeSense. PrimeSense is a revolutionary set-top box (STB) which, according to the company's web site, "allows a computer to perceive the world in 3D and derive an understanding of the world based on sight, just the way humans do. The device includes a sensor, which sees a user (including their complete surroundings), and a digital component, or 'brain' which learns and understands user movement within those surroundings."

George Orwell's "1984"


According to CableFAX, a cable industry publication, a "chip resides in a camera on the STB that provides something similar to thermal images, showing how many people are in front of the TV, etc."

PrimeSense was voted Best New Product Idea at CableLabs' Innovation Showcase in Denver, CO. CableLabs (Cable Television Laboratories, Inc.) is a non-profit research and development consortium founded in 1988 by cable operating companies. Votes were cast through informal polling of cable industry executives. Which is good news, if you were hoping to have complete strangers watching your every move. Because, it could be coming to a cable set-top box near you.

Via SlashDot (http://yro.slashdot.org/story/09/08/11/2236252/Sensor-To-Monitor-TV-Watchers-Demoed-At-Cable-Labs?from=rss)

13Aug/09

Palm’s Pre has you covered — like an enemy of the state

Hey, Verizon customers -- ever get tired of having "The Network" following you around everywhere you go? It's such a hassle, especially when you have to use the restroom, or spend some "alone time" with your significant other.

Well, Sprint's Palm prē has you covered. Palm's latest smart phone is so smart, the network can find YOU -- ANY TIME THEY WANT!


INFORMATION SENT TO PALM: { "errorCode": 0, "timestamp": 1249855555954.000000, "latitude": 36.594108, "longitude": -82.183260, "horizAccuracy": 2523, "heading": 0, "velocity": 0, "altitude": 0, "vertAccuracy": 0 }

The news was released on Joey Hess' blog. Hess, a programmer, noticed a log file on his Palm prē was being sent to http://ps.palmws.com on a daily basis. Among other things, the log file contained his GPS coordinates (in this case, his home address) in the form of longitude and latitude. This information is derived from the built-in GPS common to most cellular telephones on the market today.

In addition to his location, the log file also recorded the name of every application he used, when, and for how long.

Although there has been some speculation that this information is only recorded when the device crashes, Hess has shown that, even though Palm's WebOS makes a record of device crashes, this is supplemental to the daily GPS location, and usage-tracking that is sent to Palm every day. (All of which, for now, he has disabled by hacking a file in the operating system.)
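To check a captured log for records like the one above, the following added example (not code from Hess or from Palm) scans free-form text for embedded JSON objects that carry a latitude and longitude, and decodes when each fix was taken. The surrounding log-line prefixes and the function names are assumptions made for illustration; the JSON record itself is the one quoted in this post.

```python
import json
from datetime import datetime, timezone

# Constructed log excerpt: the location object is the record quoted in this
# post; the "upload:" prefixes and the crash-summary line are invented.
SAMPLE_LOG = '''\
upload: crash-summary {"crashes": 0}
upload: location { "errorCode": 0, "timestamp": 1249855555954.000000, "latitude": 36.594108, "longitude": -82.183260, "horizAccuracy": 2523, "heading": 0, "velocity": 0, "altitude": 0, "vertAccuracy": 0 }
upload: done
'''

REQUIRED = ("timestamp", "latitude", "longitude")


def iter_json_objects(text):
    """Yield every JSON object embedded anywhere in free-form text."""
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            end = pos + 1  # not valid JSON at this brace; keep scanning
        else:
            if isinstance(obj, dict):
                yield obj
        pos = text.find("{", end)


def find_location_records(text):
    """Return the location fixes found in text, with timestamps decoded."""
    fixes = []
    for obj in iter_json_objects(text):
        if not all(key in obj for key in REQUIRED):
            continue  # some other JSON payload, not a location fix
        # Treated as milliseconds since the Unix epoch: read that way, the
        # sample value falls in August 2009, the month of this post.
        when = datetime.fromtimestamp(obj["timestamp"] / 1000, tz=timezone.utc)
        fixes.append({
            "utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "lat": obj["latitude"],
            "lon": obj["longitude"],
            "horiz_accuracy": obj.get("horizAccuracy"),
        })
    return fixes


if __name__ == "__main__":
    for fix in find_location_records(SAMPLE_LOG):
        print(fix)
```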

Palm's response to this shocking revelation?

RTPP: Read The Privacy Policy. In a statement released by Palm, "Our privacy policy is like many policies in the industry and includes very detailed language about potential scenarios in which we might use a customer's information, all toward a goal of offering a great user experience."

In preparation for this posting, I read Palm's Privacy Policy (08-13-2009). Focusing strictly on users' private location data, the only mention of location-based information being collected and transmitted is as follows:

"When you use location based services, we will collect, transmit, maintain, process, and use your location and usage data (including both real time geographic information and information that can be used to approximate location) in order to provide location based and related services, and to enhance your device experience."

This policy specifically addresses use of this data when "provid[ing] location-based and related services". That does not explain why they are collecting and transmitting GPS data as part of a daily log.

Frankly, I have some issues with Palm's right to this data, even if it has been disclosed. Although, arguably, Sprint has to process this data through their network to provide service to its customers, Palm sells hardware and software, not network service, or even traffic and directions. As an individual who collects and analyzes similar data for criminal cases on a daily basis, I see no justification in Palm's Policy, or in terms of the way the equipment operates, for the transmittal of location-specific data to their company.

Read more @ InformationWeek (http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=219300120)

12Aug/09

Opt-out — for good!

The Onion has posted this report on what they call "Google's Opt-Out Village".

Via TWiT's Leo Laporte (http://leo.tumblr.com/post/161380154/google-opt-out-feature-lets-users-protect-privacy?dsq=14729616#comment-14729616)

11Aug/09

Is the new Cookie Diet just a lot of Flash?

So, you gave up cookies back when you were still using Netscape 4.0? If you're like me, you've tried slimming down with fad browsers like Dillo and HotJava. I can't tell you how many times I've jumped from one crashed browser to the next. You've turned off cookies and scripting and ActiveX controls, to no avail. I've even purged a few times, and my cache is still bloated.

I'm here to tell you--It's not your fault! Blame Adobe.

While you were painstakingly avoiding every cookie that came your way, web sites all over the Internet were secretly getting you hooked on Flash Cookies. Yes, Flash Cookies!

While you may have diligently banned cookies in your browser settings, Flash Cookies can't be controlled through privacy settings in your browser. What's worse, some are even able to store and reinstate traditional cookies, even after you've dumped them.

Open Share Icon


Even the ever-popular "AddThis" button (not to be confused with the "AddToAny", AKA, "Share/Save" button below) found on many blogs, utilizes a Flash Cookie that, while providing continuity across various web sites that a user may visit, can also be used to track a user's browsing habits, interests, and predilections across an endless cycle of browsing sessions.

Our friends over at the Berkeley Center for Law & Technology and the Social Science Research Center (SSRN) have submitted a report to the White House Office of Science & Technology Policy (OSTP) outlining their findings and general concern over the proliferation of undisclosed Flash cookies, and the lack of browser controls for users to protect their privacy.

Read more @ Wired (http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/)
