April 17, 2014

avatar

Cookies that give you away: The surveillance implications of web tracking

[Today we have another announcement of an exciting new research paper. Undergraduate Dillon Reisman, for his senior thesis, applied our web measurement platform to study some timely questions. -Arvind Narayanan]

Over the past three months we’ve learnt that NSA uses third-party tracking cookies for surveillance (1, 2). These cookies, provided by a third-party advertising or analytics network (e.g. doubleclick.com, scorecardresearch.com), are ubiquitous on the web, and tag users’ browsers with unique pseudonymous IDs. In a new paper, we study just how big a privacy problem this is. We quantify what an observer can learn about a user’s web traffic by purely passively eavesdropping on the network, and arrive at surprising answers.
[Read more...]

avatar

Silk Road, Lavabit, and the Limits of Crypto

Yesterday we saw two stories that illustrate the limits of cryptography as a shield against government. In San Francisco, police arrested a man alleged to be Dread Pirate Roberts (DPR), the operator of online drug market Silk Road. And in Alexandria, Virginia, a court unsealed documents revealing the tussle between the government and secure email provider Lavabit.
[Read more...]

avatar

Senate Judiciary Testimony: FISA Oversight

I testified today at a Senate Judiciary committee hearing on Oversight of the Foreign Intelligence Surveillance Act. Here is the written testimony I submitted.

avatar

The Debian OpenSSL Bug: Backdoor or Security Accident?

On Monday, Ed wrote about Software Transparency, the idea that software is more resistant to intentional backdoors (and unintentional security vulnerabilities) if the process used to create it is transparent. Elements of software transparency include the availability of source code and the ability to read or contribute to a project’s issue tracker or internal developer discussion. He mentioned a case that I want to discuss in detail: in 2008, the Debian Project (a popular Linux distribution used for many web servers) announced that the pseudorandom number generator in Debian’s version of OpenSSL was broken and insecure.
[Read more...]

avatar

Software Transparency

Thanks to the recent NSA leaks, people are more worried than ever that their software might have backdoors. If you don’t believe that the software vendor can resist a backdoor request, the onus is on you to look for a backdoor. What you want is software transparency.

Transparency of this type is a much-touted advantage of open source software, so it’s natural to expect that the rise of backdoor fears will boost the popularity of open source code. [Read more...]

avatar

On Security Backdoors

I wrote Monday about revelations that the NSA might have been inserting backdoors into security standards. Today I want to talk through two cases where the NSA has been accused of backdooring standards, and use these cases to differentiate between two types of backdoors.
[Read more...]

avatar

NSA, the FISA Court, and Risks of Tech Summaries

Yesterday the U.S. government released a previously-secret 2011 opinion of the Foreign Intelligence Surveillance Court (FISC), finding certain NSA surveillance and analysis activities to be illegal. The opinion, despite some redactions, gives us a window into the interactions between the NSA and the court that oversees its activities—including why oversight and compliance of surveillance are challenging.
[Read more...]

avatar

Groklaw Shuts Down, Citing NSA Eavesdropping

The legendary technology law blog Groklaw is shutting down. Groklaw’s founder and operator, Pamela “PJ” Jones, wrote that in light of current eavesdropping, email is no longer secure. She went on to say:

There is no way to do Groklaw without email. Therein lies the conundrum.
[...]
What to do? I’ve spent the last couple of weeks trying to figure it out. And the conclusion I’ve reached is that there is no way to continue doing Groklaw, not long term, which is incredibly sad. But it’s good to be realistic. And the simple truth is, no matter how good the motives might be for collecting and screening everything we say to one another, and no matter how “clean” we all are ourselves from the standpoint of the screeners, I don’t know how to function in such an atmosphere. I don’t know how to do Groklaw like this.

I can’t help thinking that there might be more here than meets the eye.
[Read more...]

avatar

51% foreign test doesn’t protect Americans

One of the notable claims we have heard, in light of the Verizon / PRISM revelations, is that data extraction measures are calibrated to make sure that 51% or more of affected individuals are non-U.S. persons. As a U.S. person, I don’t find this at all reassuring. To see why, let’s think about the underlying statistics.
[Read more...]