Brief Statement by Peter Schaar

Peter Schaar
Peter Schaar at the 30th Chaos Communication Congress in Hamburg, 2013, image: Wikipedia / Tobias Klenze / CC-BY-SA 4.0.

Brief statement by Peter Schaar on phone location tracking because of Corona: according to him, cell-phone location tracking was not an idea of the scientific advisory commission for the Corona pandemic. It was the social situation that allowed politicians to implement a long-cherished wish. Incidentally, Peter Schaar was the Federal Commissioner for Data Protection and Freedom of Information (BfDI) from 2003 to 2013.

Update: Ulrich Kelber, the current Federal Commissioner for Data Protection, apparently sees it similarly.

CloudFront and Lambda at the Edge

AWS Office Hours with Woodrow Arrington and David Brown, both Senior Product Managers on the AWS CloudFront team. They discuss the benefits of CDN technology and use cases for Lambda@Edge. The video also touches on security-related considerations.

‘We’ve created a privacy industry’

‘We’ve created a privacy industry’ was a statement you could often hear when Europe introduced the General Data Protection Regulation (GDPR), known in Germany as the Datenschutz-Grundverordnung (DSGVO). Already back in 2016, the first predictions arrived that GDPR would boost the European software industry and give it a unique selling point. After the regulation became effective in Europe on May 25th 2018(!), following a two-year transition period, seemingly only complaints followed. Affected data controllers and processors cited the difficulties of implementing the regulation. A Bitkom-funded survey even indicates that the regulation is hurting the European market.

'We've created a privacy industry'
Panel on Internet Security and Privacy

Now, around 1.5 years later, the industry seems to have settled on the regulation and business continues as usual. Subjectively, privacy is indeed still an obstacle for decision makers in the market. Even politicians keep on proclaiming that data is the new oil, demanding a data-driven economy and weakening the underlying ideas of European data protection law. Meanwhile, the opportunity has moved on. Californian start-ups have discovered this niche and turn privacy into value:

Privacy-focused technology companies are offering a variety of services, from personal data scrubbing to business-focused software meant to help companies comply with the law.

Source: ‘We’ve created a privacy industry’: California law fuels wave of startups

Off Facebook Activity

Off-Facebook Activity is a tool that lets Facebook users see which sites and apps they used outside of Facebook that reported their activity back to Facebook. The tool is as creepy as you would think it would be. Facebook, through its Like buttons and other embeds, has nearly unlimited insight into personal browsing behaviour.

Facebook Company Logo
Facebook Company Logo / Wordmark

In an attempt by the company to create more transparency, it discloses how much curiosity, in a negative sense, drives the social network in trying to understand its audience, and to actually sell this gained knowledge to its customers.

The release of Off-Facebook Activity is a reminder that we are living in an increasingly connected world that is watching us. There is no point for any company to collect this type of data other than to make us the product.

The Washington Post writes about how creepy and scary this feature is and, even more important, how to work with the privacy settings. While the article deals with Facebook-internal settings alone, the amount of data transferred to Facebook won't stop there. At this point, you may want to consider personal privacy tools like uMatrix (for Firefox or Chrome). Or, to get protection for an entire network, e.g. for your family, Pi-hole is worth a look, too.

via: Washington Post

Privacy in the Platform Economy

Privacy in the Platform Economy: In the tracking business, access to the customer's desktop was firmly in the hands of Google and Facebook. Until recently!

Snake oil promises people security to get them to install software that is capable of eavesdropping on SSL/TLS traffic (typically by installing its own root certificate and acting as a local man-in-the-middle proxy) and on every other interaction with the computer. It is obvious that this is a good source for profiling a user's behaviour: a violation of users' privacy for the sake of security. You have all read the fine print in your antivirus software, right?

Now, apparently, somebody in the snake-oil industry has figured that out. A recent leak disclosed that Avast Antivirus leverages its market access to almost half a billion user profiles and devices to package up this insight into a product that promises ‘Every search. Every click. Every buy. On every site.’ Of course, the target audience is the same as for marketing and tracking clients.

Source: Vice.

See also:

Twelve Million Phones, One Dataset, Zero Privacy

Twelve Million Phones, One Dataset, Zero Privacy is part one of One Nation, Tracked, a New York Times investigation series on smartphone location tracking by Stuart A. Thompson and Charlie Warzel, published within the paper's Privacy Project. The research covers multiple topics, only starting out with an analysis of the potential contained in smartphone tracking information.

What we learned from the spy in your pocket.

Twelve Million Phones, One Dataset, Zero Privacy

The authors analyse a large dataset of location information from cell phone users in New York and Washington, DC. With the analysis, the article debunks myths about data privacy. The key takeaways of the analysis, in my interpretation, are:

Twelve Million Phones - One Mobile Phone User in Munich
Mobile Phone User – Munich
  1. Data is not anonymous: the authors successfully identified a senior Defense Department official and his wife. And this was possible during the Women’s March, when, according to the authors, nearly half a million people descended on the capital for this event. (Other sources mention only one hundred thousand attendees.)
  2. Data is not safe: the authors point out the complex relationships between companies in the tracking business. This complexity makes it impossible to ensure ownership. There is no foolproof way for anyone, anywhere in the chain, to prevent data from falling into the hands of a foreign security service.
  3. Affected persons cannot consent: the authors' criticism seems reasonable. Virtually all companies involved with tracking require user consent, and cell phones even make the geo-tracking feature visible to users. But barely anyone in the business makes the purpose transparent. In other words, no company prominently announces how it packages and sells data or insights.

One Nation, Tracked

The article is a creepy read, but worth the time. The series One Nation, Tracked continues with 6 other parts:

  1. discussing how to Protect Yourself
  2. National Security, which the article discusses for the US
  3. details on How It Works
  4. individual spying in One Neighborhood
  5. Protests, about how this business betrays democracy
  6. and offering Solutions through privacy rights

Source: Opinion | Twelve Million Phones, One Dataset, Zero Privacy – The New York Times

Security Nightmares at 36C3

Security Nightmares: Frank and Ron at 36C3 in Leipzig

As every year, at least since the 1999 congress in Berlin, Frank and Ron once again gave their talk Security Nightmares at 36C3, with security-related retrospectives and outlooks.

Frank and Ron on Security Nightmares 0x14 at #36c3
Security Nightmares 0x14

In a retrospective on that first talk "twenty years ago", the two look back at the predictions made back then and the events of recent years, and summarise the whole two decades with a single question: whether one wants to enable macros. Macros and scripts in e-mail attachments were already among the most important attack vectors for malware in 1999/2000 (Melissa, I Love You), just as they are today (Emotet). The following look back at the last ten years alone turns out somewhat more technical. Nevertheless, this part recalls some memorable events, such as Germany's outcry against Street View, the debate about smart electricity meters, or the electronic health card. Topics which are still not completely settled today.

An "Internet normality update" puts recent and still ongoing attacks into perspective with known figures.

Beyond that, the talk goes through retrospectives in the areas of e-government, data wealth (Datenreichtum) and crypto (the SPD membership survey!), business areas, crypto, sport and noteworthy items, before Frank and Ron turn to the keywords for 2020. In a less technical vein, the two venture a forecast of the professions the cyber situation could bring forth. This ranges from cyber aftercare for the mental well-being of those affected, through cyber-fantasy story shamans who can narrate magic-like technology comprehensibly, to distortion seekers and IPv6 exorcists.

As every year, an interesting and entertaining talk. Even though I could not attend the talk myself, the recording on media.ccc.de is worth watching.

Netflix (Security) on YouTube

Netflix (Security) on YouTube: Netflix Security runs a YouTube channel! As opposed to the company channel, it does not only broadcast previews. This is a great subscription for security practitioners!

Via Stephanie Olsen (on LinkedIn).

Unknown attackers break into Conrad Electronic servers

Is anyone here an online customer of Conrad Electronic?

Conrad Electronic
Conrad Electronic store

Through a security vulnerability, unknown attackers gained access to Conrad servers holding 14 million customer records.

Source: Unbekannte dringen in Server von Conrad Electronic ein | heise online

Thoma Bravo to buy Sophos

Sophos Logo
Sophos Logo

Both companies announced the acquisition plans today. The private equity firm Thoma Bravo plans to buy the UK-based cyber-security giant Sophos for $7.40 per share, a total value of about $3.9 billion, at a 37% premium over the market price.