News & Events

A team of computer researchers from the University of Waterloo in Canada and the University of Michigan has developed an anticensorship system by which ISPs can provide ways around network censorship. J. Alex Halderman, assistant professor of computer science and engineering at the University of Michigan, in a blog post claims that the technology “has the potential to shift the balance of power in the censorship arms race.”

The project, called Telex, exists right now only as a single server in a laboratory. The researchers–a group that also includes Ian Goldberg, associate professor of computer science at the University of Waterloo, and University of Michigan Ph.D. students Eric Wustrow and Scott Wolchok–have not offered specific deployment goals. They say that they hope the project inspires further discussion and research of censorship circumvention.

“[W]e have been using Telex for our daily Web browsing for the past four months, and we’re pleased with the performance and stability,” wrote Halderman. “We’ve even tested it using a client in Beijing and streamed HD YouTube videos, in spite of YouTube being censored there.”

One way around traditional online censorship is the use of a proxy server, a server that acts as an intermediary to connect network traffic when the more direct path is blocked. The problem with proxy servers is that they too can be blocked, requiring new proxy servers to be established. This cat-and-mouse game is quite common in countries that censor the net.

Telex avoids this problem by creating what the researchers describe as a proxy without an IP address. After installing downloadable client software, a user wishing to access a blocked website can connect to a non-blocked site outside the censor’s network. To the censor, this would appear to be a permitted connection; but the user would be redirected via Telex software installed at the ISP level and connected to the blocked site.

The researchers describe Telex as a way to counter state-level censorship. They note that ISPs would likely require some incentives from governments to deploy Telex.

The U.S. government might be ready to contribute. Secretary of State Hillary Clinton has championed efforts to develop tools to fight Internet repression. In an address in February, she noted that grants worth $20 million have been awarded to further Internet openness over the past three years and that this year the grant total will reach $25 million. Internet freedom, she said, “is one of the grand challenges of our time.”

Telex sounds promising but has a lot to prove. Using insecure anticensorship software in contravention of local laws can lead to imprisonment, torture, or death in some countries. This is why there was so much controversy last year when questions about the security of an anticensorship software project known as Haystack led to the effort’s collapse.

InformationWeek Analytics is conducting a survey on mobile device management and security. Respond to the survey and be eligible to win an iPod Touch. Take the survey now. Survey ends July 22.

By Riva Richmond and Nick Bilton | New York Times | June 26, 2011 |

Flickr Creative Commons| alperer16|

Facing increasing pressure from law enforcement agencies over its brazen computer attacks, the small group of hackers known as Lulz Security announced over the weekend that it would disband.

But security experts said on Sunday that the dissolution of the group might not signal an end to the attacks, which have hit dozens of Web sites, including those of prominent targets like the Central Intelligence Agency, the United States Senate, the Arizona state police and Sony.

Indeed, in its farewell message posted on Saturday, the group, also known as LulzSec, urged other hackers to join the “revolution” aimed at governments and corporations that it started recently with Anonymous, a much larger collective of politically minded hackers from which many of the LulzSec members sprung.

“It looks like these sort of ‘hacktivist’ ideas are spreading and gaining popularity,” said Dino A. Dai Zovi, a prominent independent security consultant. He said that LulzSec appeared to be trying to inspire others to join a sprawling, if fragmented, array of local groups, which could feed more attacks.

In recent weeks, LulzSec has become a target itself, as global law enforcement authorities and rival hackers have gone after the group. One man associated with LulzSec, Ryan Cleary, was arrested last week in Britain. Meanwhile, a growing assemblage of rival hackers has been working to unmask the core half-dozen LulzSec members and feed information on them to the authorities.

American officials on Sunday characterized the attacks carried out by LulzSec as “nuisances” rather than real security threats. One government official said that LulzSec had never penetrated government servers or stolen any classified information.

“What we are really worried about is people getting access to our systems, or putting malware on it,” said the official, speaking on condition of anonymity.

The official said that even though it was possible that LulzSec had disbanded, hackers tended to operate in a world of shifting alliances and it would be easy for a new group copying LulzSec’s techniques to appear in the future.

“All it takes is one guy in his basement to do this, not an organized group,” the official said.

On Monday, the Department of Homeland Security plans to introduce a system to help institutions eliminate common programming errors that allow hackers to easily infiltrate databases and steal user names and passwords. The agency’s hope is that the program, which is voluntary, will make it easier for companies and agencies to better secure their corners of the Internet, thus contributing to a safer global network.

Some security experts and hackers were skeptical of LulzSec’s sudden about-face and said they believed the group intended to continue its activities. The latest announcement could be just another ploy for attention, rival hackers said on Twitter and on private online message boards.

Over the last several weeks, LulzSec had said repeatedly on its Twitter feed that it planned to continue attacking governments and financial institutions indefinitely.

Members of LulzSec did not respond to phone calls and e-mails on Sunday.

Whatever happens to LulzSec, the brash and public brand of hacking that it embraced and defined may be here to stay, some experts say. The group’s attacks on prominent targets, accompanied by raucous bragging on social networks and chat rooms, helped it amass more than 280,000 followers on Twitter. It has used that megaphone, as well as chat rooms, to try to recruit more hackers to its ranks. 

Some of LulzSec’s activities had a political tinge. For example, it said its theft and public disclosure of Arizona law enforcement records was in response to the state’s tough laws aimed at illegal immigrants. But the group claimed that its hacking was primarily a celebration of the “lulz,” or laughs, and the members seemed to lap up the media attention they generated.

But if LulzSec had continued, it would have faced an increasing risk that its members would be captured, said Chris Wysopal, the chief technology officer of the security firm Veracode.

“By stopping now and regrouping, I think they will live to hack another day,” he said. “If anything, there will be more people hacking in their footsteps.”

Mr. Wysopal added, “Until they’re arrested — if they ever do get arrested — I don’t think anything will slow down.”

The recent flurry of hacking done for notoriety rather than financial gain “feels like a kind of return to a period in the past,” said Gabriella Coleman, an assistant professor at New York University who is studying groups like LulzSec and Anonymous.

In the late 1980s and early 1990s, a number of hacker groups brazenly attacked some major institutions. That wave was largely squelched after a crackdown in which well-known hackers, including Kevin Mitnick, were caught and given heavy punishments, Ms. Coleman said.

After that, hackers began working more quietly, and many joined the security industry, where there was a safer place to employ their skills. Meanwhile, organized crime began moving online, following the money that was flowing through Web-based commerce and banking systems.

The return of more public hacking has been inspired by WikiLeaks, whose disclosure of reams of United States government documents showed hackers and the computer adept that they could use their skills to participate in a new way in the public sphere, Ms. Coleman said.

That notion was fed by Anonymous, a large collective of online hackers that opposed the Church of Scientology, championed freedom on the Internet and came to the defense of WikiLeaks by attacking the Web sites of companies like MasterCard and PayPal, which had refused to process donations to WikiLeaks after it disclosed confidential diplomatic cables.

More recently, Anonymous has gotten behind an array of international political causes, from the democratic uprisings in the Middle East to anticorruption protests in India.

LulzSec began as a splinter group from Anonymous, and LulzSec’s members now seem to be focusing on operating through that larger network.

To judge from purported discussions between LulzSec members that were posted online by a rival hacker known as the Jester, the internal operations of LulzSec seem as chaotic as the anarchistic behavior online. The messages show continual infighting among group members as pressure from law enforcement agencies has increased, and some members have reportedly quit.

But publicly, LulzSec insisted that its 50 days of online pandemonium had come to an end, its members would continue attacks on governments and corporations, either as part of a different group or acting individually.

Perhaps to win allies, it called the new effort “AntiSec” in an apparent effort to tap an older, similarly named movement among malicious hackers known as “black hats” that opposed working cooperatively with software makers and the security industry to fix security vulnerabilities.

Flickr Creative Commons | Annigram

How important is privacy online?It is a well-known—though questionable—truth in the online community that consumers won’t pay for privacy. Accordingly, most companies regard the entire issue warily. For them, privacy means expensive disclosure requirements, constraints on their ability to collect information about their customers, and a potential source of legal liabilities.

So they consult lawyers and I.T. risk specialists to consider their options. They write lengthy disclosure statements that cover every possible use of data so that they cannot be sued. They then hand these statements to their marketing departments, who hide them behind little windows in small type.

In general, these companies see consumer data as something that they can use to target ads or offers, or perhaps that they can sell to third parties, but not as something that consumers themselves might want. Most pundits on both sides—privacy advocates and marketers—don’t realize that rather than protecting consumers or hiding from them, companies should be bringing them into the game.

I believe that successful companies will turn personal data into an asset by giving it back to their customers in an enhanced form. I am not sure exactly how this will happen, but current players will either join this revolution or lose out.

Let’s start with the disclosure statement. Most disclosure statements are not designed to be read; they are designed to be clicked on. But some companies actually want their customers to read and understand the statements. They don’t want customers who might sue, and, just in case, they want to be able to prove that the customers did understand the risks.

So the leaders in disclosure statements right now tend to be financial and health care companies—and also space-travel and extreme-sports vendors. They sincerely want to let their customers know what they are getting into, because a regretful customer is a vengeful one.

That means making disclosure statements readable. I would suggest turning them into a quiz. The user would not simply click a single button, but would have to select the right button for each question. For example:

What are my chances of dying in space?

A) 5 percent
B) 30 percent
C) 1 to 4 percent (the correct answer, based on experience so far; current spacecraft are believed to be safer)

Now imagine:

Who can see my data?

A) I can.
B) XYZ Corporation.
C) XYZ Corporation’s marketing partners. (Click here to see the list.)
D) XYZ Corporation’s affiliates and anyone it chooses.

As the customer picks answers, she gets a good idea of what is going on. In fact, if you’re a marketer, why not dispense with a single right answer and let the consumer specify what she wants to have happen with her data (and corresponding privileges/access rights if necessary)? That’s much more useful than vague policy statements. Suddenly, the disclosure statement becomes a consumer application that adds value to the vendor-consumer relationship.

And show the data themselves rather than a description. There’s her browsing behavior, her choice of seats on your airline, or her choice of airlines on your travel site. There’s her size and her style preferences on your fashion site. How much money has she spent with you, and on what? (Give her points and other recognition for her purchases.)

To be sure, this is all very easy if you are the site with which the user communicates directly; it is more difficult if you are in the background, a third party collecting information surreptitiously. But that practice should be stopped, anyway.

Meanwhile, just as they have with Facebook, users will become more familiar with the idea of setting their own privacy preferences and managing their own data. Smart vendors will learn from Facebook; the rest will lose out to competitors. Visualizing the user’s information and providing an intelligible interface is an opportunity for competitive advantage.

I see this happening already with a number of companies, including some with which I am involved. For example, in its research surveys, 23andMe asks people questions such as how often they have headaches or whether they have ever been exposed to pesticides, and lets them see (in percentages) how other 23andMe users answer the question. This kind of information is fascinating to most people. TripIt lets you compare and match your own travel plans with those of friends. Earndit lets you compete with others to exercise more and win points and prizes.

Consumers increasingly expect to be able to see themselves both as individuals and in context. They will feel more comfortable about sharing data if they feel confident that they know what is shared and what is not. The online world will feel like a well-lighted place with shops, newsstands, and the like, where you can see other people and they can see you. Right now, it more often feels like lurking in a spooky alley with a surveillance camera overlooking the scene.

Of course, there will be “useful” data that an individual might not want to share—say, how much alcohol they buy, which diseases they have, or certain of their online searches. They will know how to keep such information discreet, just as they might close the curtains to get undressed in their hotel room after enjoying the view from the balcony.

Yes, living online takes a little more thought than living offline. But it is not quite as complex once Internet-based services provide the right tools—and once awareness and control of one’s own data become a habit.

But that’s exactly what Franken is up to these days. On June 16, he and co-sponsor Sen. Richard Blumenthal, (D-Conn.), introduced the Location Privacy Protection Act of 2011, a bill designed to give users more control over the data generated by their mobile phones by closing some of the loopholes in the existing Electronic Communications Privacy Act (ECPA).

More specifically, Franken hopes to make it harder for OEMs, carriers and application developers to share their customers’ information with third parties, while also curtailing the practice of stalking by technological means.

In a one-page summary of the proposed bill, Franken explains the gaping hole in existing legislation. “When a person uses a smartphone to place a phone call to a business, that person’s wireless company can’t disclose his location information to third parties without first getting his express consent,” Franken wrote. “But when that same person uses that same phone to look up that business on the Internet, because of ECPA, his wireless company is legally free to disclose his location to anyone other than the government.”

And while securing our privacy may seem nothing more than an expected grace to some, Franken’s bill aims to stem some of the more sinister abuses of location-aware technologies, primarily stalking. According to a January 2009 special report by the Department of Justice, approximately 26,000 persons are victims of GPS stalking annually, including by cell phone.

While some rules regarding the collection, storage and sharing of location information are long overdue, industry players are always watchful that regulation doesn’t bring unintended consequences that might adversely affect growth and innovation. However, the timing of the Location Privacy Act of 2011 might be just right, as a little regulation can often times go a long way and in the end legitimize services that might previously have worried consumers.

We’re Already Doing It
Application developers could be particularly affected by location privacy legislation, as many of them share a user’s information with advertisers. While users may not realize it, many of the “free” mobile applications they’re downloading, say a tic-tac-toe game that asks to access their location information, are paid for by the sale of said location so that a brand can more accurately profile and target the audience it wants to reach.

Wayne Irving, CEO of Iconosys, an app developer with more than 500 retail-grade smartphone apps to its catalog, says that he hopes that any information that is obtained by one of his company’s apps will lead to a better experience for the consumers.

When asked why a standard app like Zombie Slasher that’s all about, you guessed it, slashing zombies, would need a user’s location information, Irving says location has become an expected integration in gaming. He says Zombie Slasher is a great example, because the game will feature 36 different cities in which players can slay zombies. “So with Zombie Slasher, we may need your location, so we can put you in your own town.”

But he admits that consumers can benefit by sharing their location with an app in other ways.
For instance, Iconosys has a partnership with Jiffy Lube, where Jiffy Lube might offer Zombie Slasher for free if you get an oil change at one of its stores. He says that Iconosys will gather a user’s location and store it for a short period of time on a macro-location basis, meaning by ZIP code or area code. Obviously, Jiffy Lube wouldn’t want to offer a free copy of Zombie Slasher to users who don’t have a Jiffy Lube in their area, he adds.

“It’s only for our own internal purposes,” Irving says. “We haven’t really found a reason to use it for any other purpose. I think getting super finite, as far as the location, you know within 3 meters, doesn’t really make sense.”

Irving says the time is right for legislation that will give consumers piece of mind, although he says Iconosys is already very mindful of how it obtains and uses customer information, adhering to best practices already put in place by the Mobile Marketing Association (MMA).

“We have a triple opt-in process over here with all of our apps. So even though we don’t collect GPS data, they do need to sign the User Licensing Agreement (ULA), they do get the ULA emailed to them and they do get an email notification that reminds them that they did sign the ULA,” he says.

Irving, who has two kids who are on Facebook and using mobile phones, says the definition of privacy is changing in a fundamental way, as technology allows and even encourages people to disclose more about themselves in very public ways.

“The Gen Yers are kind of a peephole into the future, and watching how they live on the Internet, and live on Facebook… Fortunately, if we talk about it, people can be a little more cognizant and a little more aware of what they do share,” Irving says.

In the end, Irving says that abusing a customer’s trust by misusing their information is the last thing a respected app developer wants to do. “The last thing I want to do is to have to go pull a bunch of apps down and do a revision and send a bunch of apology letters … because an app wasn’t protecting users. We’re trying to be responsible and advanced, so that we’re not faced with that kind of situation. We want to move forward.”

Good for the Consumer, Good for the Brand
Alistair Goodman, CEO of Placecast, which offers location- and SMS-based mobile advertising solutions, says that the majority of his company’s existing customers are pleased with the results of sharing their location and would do so in the future so long as it proves valuable to them and they have control.

“I think where this space is going is much more towards consumer choice and giving consumers full transparency as to how any data is used,” Goodman says.

Placecast customers double opt-in to the company’s program through an operator or a brand, he says, but stresses that his company always ensures that customers agree to the program once and then agree to share the location information in a separate instance.

Goodman says honoring the consumer’s trust is first and foremost. Placecast only uses location information for the purposes of delivering someone an offer for something that they’ve already said they want and only when it’s relevant. He adds that all of the information Placecast gathers is encrypted and the company dumps that data shortly after a consumer has acted on an offer.

So how does Goodman feel about Franken’s legislation? “Spot on,” Goodman says. “What Senators Blumenthal and Franken are proposing is really a practice that Placecast has been using with its clients for years now, with respect to our shop alerts program.”

Like Irving of Iconosys, Goodman says that reasonable legislation can only foster a healthier relationship between the consumer and brands that want to create valuable experiences for their potential customers.

“Ultimately, brand marketers that do succeed in delivering a great experience for consumers are going to have their trust, and they’re also going to have a great way of communicating with consumers when they’re near a store and in the mindset to make a purchase,” he says.

Devil in the Details
While legislation can certainly protect consumers, it can have unintended effects on an entire ecosystem. Julian Sanchez, a research fellow at the libertarian Cato Institute, says that Franken’s proposal adds some legal muscle to best practices that on the whole are already being adhered to by most of the industry.

“The effect of this legislation I think will be to effectively push app developers to do something that they were already supposed to be doing, and maybe some of them weren’t,” Sanchez says, noting that both Apple and Google already require app makers to ask permission before they acquire any location information.

But Sanchez offers that location, which is all that is covered under Franken’s bill, represents just a sliver of the information that modern smartphones collect. Sanchez says that even more worrisome than an application that relays location information are apps that relay information like a device’s Unique Device ID (UDID), which can be used to re-identify data when it’s combined with other data sets.

According to a report published by The Wall Street Journal that looked at 101 applications and what kind of information those apps are accessing and transmitting to third parties, fully 57 of those apps obtained a user’s UDID and transmitted it to a third party.

While Sanchez says Franken’s bill is all good and fine, he adds that legislators are going to want to look specifically at what the requirements and penalties are and how consent is supposed to be implemented.

As an example of how good intentions can pave the way to future problems, Sanchez points to a provision of the bill that requires companies that store more than 5,000 mobile phone records to be able to go in and delete those records at the user’s request.  “For example, cell phone providers use location data for network maintenance. So if you have random gaps in that data set, that can create an issue,” he says, with the caveat that this is just an off-the-top suggestion as to the kinds of challenges this kind of legislation will face as it moves towards a vote.

As for stopping staking, one of the legislation’s key aims, Sanchez is skeptical. “For the most part, I’m assuming that people who do stuff like that are already committing the crime of stalking. This is the kind of behavior that is often illegal whether or not it’s done by technological means.”

Those concerns aside, Sanchez agrees with Irving and Goodman that rules like those being proposed can be a good thing for the industry on the piece-of-mind level.

“Rules like this can be beneficial in that even when apps are not doing anything wrong, sometimes consumers don’t feel up to  sorting through all these obtuse, legalistic privacy policies,” he says, adding that consumers are also currently relying on companies like Apple and Google to do a certain amount of curating of malicious apps.

Flickr Creative Commons | Vladimir Frolov

By Leyla Boulton | Financial Times | June 16, 2011 |

When state television showed a dynamic Vladimir Putin at the wheel of a yellow Lada touring the provinces after devastating forest fires, a fuller picture was to be found on the internet.Video shot by laughing onlookers and uploaded to the net showed that the prime minister was in fact followed by a motorcade of at least two dozen vehicles, including three spare yellow Ladas in case of a mechanical breakdown.

There are few sectors that better reflect Russia’s lopsided development than the internet. The web has grown strongly as a business, drawing on the nation’s strengths in maths and science to produce a domestic search engine, Yandex, that describes itself as “better than Google”.

Yet the government’s efforts to foster a Russian Silicon Valley outside Moscow show how a poor investment climate is letting down that human potential. Politically, the return to an authoritarian system, in which the government controls television but not newspapers or radio, has turned the internet into a valuable – though incomplete – forum for free speech and discussion.

Like jokes in the Soviet era, the internet takes the sting out of Russian life in the 21st century.

Unfettered news and comment about everything that television will not touch includes descriptions of high-level shenanigans and mockery of the ruling tandem of Mr Putin and Dmitry Medvedev, the president.

Mr Medvedev’s online nickname of “Captain Obvious” refers to his tendency to say the right thing with little to show for it. A few days after he declared that the release from prison of Mikhail Khodorkovsky would pose “absolutely no danger” to society, the former tycoon was sentenced to a second term in prison in what was widely seen as a politically motivated trial.

“You can go on the internet to vent your frustration and that makes you feel like you’ve done something, although of course you haven’t really changed anything,” says Sergey Alexashenko, a 21-year-old student at Georgetown University in the US. He is struck by the idealism of his US peers, compared with the cynicism back home.

Exceptions to such apathy include the Duma intern who was fired after he published details of expense-fiddling and time-wasting by parliamentarians on his blog.

Although internet penetration in Russia is expected to increase from 40 to 70 per cent over the next four years, according to Public Opinion Foundation, a Moscow-based polling agency, online debate is confined to a relatively small proportion of the population.

At one end of the range is the slick website of Snob magazine. Blogs by subscribers including oligarchs sit alongside interviews with the likes of Bill Browder, a foreign investor banned from Russia, whose lawyer died in custody while trying to protect his client’s assets from a scam involving officials.

At the other extreme, rightwing groups used the internet to organise demonstrations against immigration and corruption in December, and more chillingly, to target specific individuals. Oleg Kashin, a reporter, was savagely beaten in November (and filmed for all to see) after his picture appeared on a farright website labelled “to be punished”.

Given widespread apathy, Maria Lipman, a political analyst at the Carnegie Endowment in Moscow, argues that an Arabstyle revolt driven by social media is not on the cards. “I see the mood but not the movement,” she says. “People are increasingly angry, but this does not change the overall assumption – that ‘there is nothing we can change’. ” The authorities, for their part, are taking no chances.

In an embarrassing episode before its IPO in New York last month, Yandex was forced by the FSB security agency to hand over details of contributors to an anti-corruption website run by Alexei Navalny, a popular blogger and whistleblower. The details found their way to Nashi, a nationalist youth group prone to violent harassing of government critics.

And was the Kremlin involved in a cyber-attack on LiveJournal, a blogging site used by Mr Medvedev, Mr Navalny and the Duma intern? “Yes and no,” says Ilya Ponomarev, head of the Duma’s subcommittee for high-tech development, who advises the president on the internet.

He believes the attack was the “initiative of people sponsored by the administration to generate pro-government content in the blogosphere … but I don’t think they were directly ordered to [attack].

“As this community becomes larger, they invent activities for themselves to prove they are important. The same applies to our nationalist groups. It’s a Catch-22. The authorities give them money to gain leverage; they ask for more and go out of control.”

But in the absence of “open” politics, says Mr Ponomarev – speaking in a still largely empty mansion housing the president’s Institute for Contemporary Development – high-tech remains Russia’s most likely engine of progress.