Public Intelligence got a hold of some interesting slides that Microsoft seems to present to law enforcement personnel. Microsoft explains the weaknesses in their privacy/security functions and how law enforcement et al. can leverage them best.
Here are some highlights:
InPrivate
A benefit to law enforcement of InPrivate is that website data for sites added to favorites will be left alone if a box remains ticked.
Not surprisingly, The Tor Project comes up in the presentation (because anyone using Tor must be doing something bad!!), associated with the user name ‘bad guy’.
Common uses of the InPrivate mode include checking e-mail on public computers and “shopping for gifts” on family computers.
In a plea to not lose their law enforcement buddies because of the inclusion of these inconveniencing features, Microsoft says that they’re not alone in including private browsing functionality, i.e. they were forced to do this because the competition was doing it (good job Firefox and Chrome).
BitLocker
Microsoft says that it’s not all bad, BitLocker isn’t available to any commoner, it “has a number of ‘Recovery’ scenarios that we can exploit”, and that users are scared of encryption.
“We are the good guys!” Who are the bad guys then? The people using encryption/BitLocker?
Virtual PC Undo Disks
Virtual PC Undo Disks are scary for law enforcement.
The SIS and police confiscated digital devices belonging to former Fijian cabinet minister Rajesh Singh last week “in connection with an alleged plot to assassinate Fiji’s leader Voreqe Bainimarama”.
A woman from the SIS turned up with three plain-clothed police officers and said she had a search warrant. But she couldn’t show it to Rajesh or give him a copy because it was classified. Because you know, wanting to know why people are raiding your house is a completely unreasonable request.
Idiot/Savant asks why, if the alleged plot was actually reasonable, was Rajesh or someone else not arrested. @civillibertynz points out that this secret warrant wouldn’t even need to be presented in court later on.
The laptop and phone were returned later in the day, assumedly after being copied. I wonder if the SIS are allowed to install spyware?
Data retention by NZ telecom providers
I also wonder whether they needed physical access to the phone for what they were looking for. Telecom companies here are very vague about how long they keep user data for. It doesn’t seem like customer-facing staff (and thus customers) are generally privy to the period of time information is actually kept.
Telecom says text message content is stored for two to three months. Vodafone says up to six months. 2degrees said six months, but that the technical team could access archives further back than that (a detail I wonder if others didn’t mention).
I requested my data from 2degrees and they sent me every text message I had sent involving 2degrees (18+ months’ worth), including nine months of text messages I had sent to 2degrees customers when I was on another network.
“A telecommunications agency that holds telecommunications information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.”
Whose interests are being served by keeping information for such an unnecessary amount of time, especially when customers have no idea it’s happening?
And whose interests are being served when a secret search warrant is served on an ex-foreign cabinet minister in relation to a dubious overseas assassination plot?
Formspring recently reset lots of passwords after some were misplaced/stolen. Their email to users seems a little light on detail and doesn’t elaborate on what the security reasons are, or even link to their own blog post about what happened. Sharing is caring, Formspring.
“Since January, the Dotcom legal team has asked for the footage, but police refused, until finally the agency agreed that an IT expert for DotCom could come and collect a copy of the footage. When the IT expert arrived at the police station, he found the server completely disassembled, and authorities said they could not reassemble it or give him any footage. Now, no one outside the police agency is sure the footage still exists.”
Here’s what the Police said to me on 13 February:
“Police do not have any equipment which may hold this security footage. This equipment is held by the Official Assignee on behalf of the Crown, not Police.”
And here’s what the Insolvency & Trustee Service said on 17 February:
“The Official Assignee has no knowledge of any security camera footage.”
So what exactly does this footage show that the police and friends don’t want getting out?
An interesting site popped up near the end of last year called YouHaveDownloaded.com. You might not have visited it, or even heard of it, but if you’ve been using torrents, it might have heard of you.
The site is quite simple, it tracks torrents and the people (IP addresses) downloading them, much like copyright holders do (or hire companies to do for them). They claim to be tracking roughly 4%-6% of all torrent downloads and 20% of torrents from public trackers, like The Pirate Bay.
The difference to the copyright holders is that this site makes the information it collects public. You can see what it thinks the IP address you’re using has been used to torrent, or any other IP address you can think of. It might not be right, or it might be spot on.
This site just highlights what is going on all the time. Torrenting is a very public activity unless you’re making an effort to protect your privacy (like using a proxy or VPN from a reputable provider). Privacy is not the default on the interwebs.
IP addresses are more like PO Boxes than physical addresses — most people have dynamic IP addresses that regularly change, and add in the fact that some people have insecure Wi-Fi, the results on the site aren’t that accurate.
The site brings up an interesting statistic, especially if it’s true: “About 10% of all online shoppers, in the US, are torrent users as well.” In the future will advertisers link an IP’s torrenting history to an advertising profile? Is this already happening?
The removal form
The site provides a form that supposedly enables people to request removal from the site. Don’t use it.
Previously it asked people to sign in using their Facebook accounts, and the CAPTCHA to get to the non-Facebook removal form didn’t work (i.e. they wanted to link your data with a real name, cue warning bells). Now it seems like Facebook has revoked their access to use Facebook logins (they say Facebook logins are “Temporarily disabled due problems with Facebook”), so it brings up the removal form, which asks for a name and an email address.
I’m not saying this is what the people behind the site are doing, but this would be all the information they would need, in addition to the information they have on torrents associated with your IP address, to send an extortionate email your way. Or sell your data (probably not to copyright holders, because they hire people to do this for them already).
Here’s what their removal terms are (and yeah, the rest of the site is worded like this too):
“Removal Terms The Details: By submitting a request to have your download activity removed from our database, you are acknowledging that the activity was, in fact, carried out by yourself. This means that you are only submitting a request to have the details of your own personal activity deleted. Any unrecognized activity, such as files you did not download or do not remember downloading, are not — I repeat, are not to be included in your removal request. Why is this imperative? Well, we actually don’t have to explain ourselves…sorry.
The important part is that you understand these terms and conditions before hitting that beautiful button that will erase your criminal back ground, at least for now. Wait, you did remember to read these terms before making the decision to submit a removal request, right? Of course you did, everyone reads the fine print.
Other Important Things to Consider: We make no guarantees that your information will not appear on any other databases. We may have erased your bad behavior but, keep in mind that your data on this site is aggregated public domain. So, if by chance, another sadistic group of people decides to open a similar web site, we have no control over what they do with your information. Furthermore, if you continue to involve yourself in activity like this, your future download history will, without a doubt, appear in our database again and we may not be as nice about it next time.
If any part of these terms is still unclear, please visit your local elementary school and ask to repeat grades 3 through 5.”
Giving the people or company behind the site any more information about yourself is not a good idea, even if they claim that the site is a joke and you shouldn’t take it seriously.
And anyway, if your IP address is listed on the site, it must be because of the person that used it previously. Right?
A survey commissioned by the MPAA and friends last year stated that seven out of 10 people surveyed said that they would stop illegally sharing files after they received one notice from a copyright holder under the three strikes scheme.
Perhaps they should have also asked how many people would just change how they download files illegally?
The WAND Network Research Group at The University of Waikato has been measuring how traffic flows through a New Zealand ISP. They can split traffic into types with a pretty high degree of accuracy without having to “look inside” too much. Donald Clark compares it to looking at the postmark of a package and giving it a squeeze and being able to tell, in general terms, what’s inside, without having to open it.
Here’s a graph (ht Tech Liberty/1through8) showing the change in traffic volume in September 2011 and January 2012 by type relative to January 2011. In January 2011 the Copyright (Infringing File Sharing) Amendment Act (the three strikes Skynet law) wasn’t in force. On September 1 2011 copyright holders could start sending notices to IPAPs, and around that time there was a strong media interest in the law. January 2012 is a few months later.
The resulting data is a valuable insight into how residential DSL customers at this particular ISP reacted to the new law.
More graphical goodness can be found in the slides from a NZNOG presentation here.
There was about a 75% decrease in BitTorrent traffic straight after the law was introduced, largely sustained into 2012, with huge increases in remote and tunneling traffic. The law isn’t stopping file sharing, just moving it underground, using VPNs, seedboxes and sites like the now-closed Megaupload.
There was also a big decrease in newsgroup traffic, even though it doesn’t appear to be targeted by the new law.
“P2P, P2P structure, Unknown, Newsgroups and Encrypted [not all shown in the graph above] have all decreased massively from their January 2011 levels. Interestingly, each of these categories can be tied to the illegal downloading activities targeted by the CAA [Copyright Amendment Act]. P2P and P2P structure are obviously related, Newsgroups are a common source of torrent files and the Unknown and Encrypted categories were strongly suspected of containing a significant quantity of encrypted P2P traffic.
Even more interestingly, Remote, Tunneling and Files experienced similarly large growths in the amount of traffic downloaded by DSL users. This is probably indicative of people changing their approach to downloading copyrighted material. Instead of participating in file sharing on their home machines, it has become more common for people to use machines based in other countries and ship the file back home via another protocol. This might be via SSH, VPN or FTP, for example, which are all covered by the growing categories.
Similar trends are observed when looking at traffic transmitted by the DSL users. Categories associated with P2P file sharing have seen much less traffic compared with January 2011, whereas Tunneling, Remote and Files have soared.
It should be noted that although Tunneling has grown significantly, the overall amount of Tunneling traffic is still much less than the total amount of P2P traffic. But the sudden changes in application protocol usage are still very noteworthy and suggest that the CAA has had a major impact on people’s Internet usage.”
We’re six months into the Copyright (Infringing File Sharing) Amendment Act, the law that pleased no one (the copyright lobby thought copyright holders should only pay the price of sending a letter, everyone that uses the internet thought the law was stupid), but was passed anyway.
Invalid notices
Tech Liberty asks if some infringement notices being sent to customers are invalid because they don’t contain the required information under the law.
An Orcon customer posted on the 3StrikesNZ forum about two notices (s)he received and posted the screenshots of the emails. Note that both notices are for the same song. Anonnz says that the offending file, torrent, and software was removed after the first notice and so a second warning notice should never have been sent.
4(2)c(iii) states notices must describe the type of work in terms of section 14(1) of the Copyright Act.
4(2)c(iv) states notices must describe the restricted act or acts in terms of section 16(1) of the Copyright Act by which copyright in the work is alleged to have been infringed.
4(2)c(v) states notices must give the New Zealand date and time when the alleged infringement occurred or commenced, which must specify the hour, minute, and second. The first notice doesn’t specify the time to the second.
4(2)c(vi) states notices must identify the file sharing application or network used in the alleged infringement.
5(2)b states notice numbers must identify whether the notice is a detection notice, a warning notice, or an enforcement notice; and (c) that they must identify the IPAP that sent the notice.
Account suspension
Additionally, the second to last paragraph of the notice misinforms customers about internet account suspension, stating: “the Copyright Tribunal has the authority to … apply to the District Court to suspend your account for any period up to six months”. Account suspension is not currently an available punishment.
The requirements for notices and punishments are spelled out quite clearly, so I wonder what else copyright holders and IPAPs are doing incorrectly.
Delivery of infringement notices
There are some really interesting discussions over on the 3StrikesNZ forum.
The nature of delivery of infringement notices has been brought up. FlyingPete suggests that email is unreliable for the delivery of such important notices (as in missing them could cost the account holder $15k), because of spam filters and because some people don’t check email accounts very often.
The Act states that infringement notices are to be sent the same way bills are sent, unless agreed otherwise, and assumes that the way you receive your bill must be reliable, otherwise you wouldn’t pay it. It overlooks that a lot of people are using automatic payments and don’t need to check the bill for a service that stays the same price every month.
StuFlemingWIC, from an IPAP, points out that even snail mail is unreliable, especially when sent to student flats. He suggests that registered mail would have been a good requirement for sending notices.
Not with Photoshop (and apparently Paint Shop Pro), or your printer, anyway.
The counterfeit deterrence system
If you try to open an image of specific currencies (and I assume at a specific resolution or higher) in Photoshop, you’ll receive the same error message as above. It’s interesting to note that New Zealand’s money isn’t blocked from being opened. Probably because we’re too busy trying to stop our passports from being counterfeited.
Here is Adobe’s information page on their ‘Counterfeit deterrence system’. What Photoshop is looking for is apparently a Digimarc digital watermark, different from the EURion constellation that printers, or at least colour photocopiers, look out for.
How to get around it
So what if your counterfeiting plans were going well so far, and now you’re at a standstill because of Adobe? You can use Gimp. It opens banknotes without trouble. So do old versions of Photoshop. And Microsoft Paint.
Why did Adobe think it was a good idea to add this? Counterfeiters will already know that they can use an older version of Photoshop, or use other software to get around this additional ‘feature’ and will be doing that.
All Adobe is doing is pissing off people who are trying to use Photoshop for a legitimate reason.
The Rules For Use website the dialog box directs users to even lists situations where you can reproduce banknotes legally (e.g. at a certain size), but Photoshop blocks opening banknotes full stop.
Why is it included?
Adobe will have had to spend time and money on including this system, with no returns in the form of additional sales. I assume they were pressured to include it, or even paid to include it by the Central Bank Counterfeit Deterrence Group.
“The inner workings of the counterfeit deterrence system are so secret that not even Adobe is privy to them. The Central Bank Counterfeit Deterrence Group provides the software as a black box without revealing its precise inner workings, Connor said.”
Secrecy
If you’ve bought Photoshop, were you aware of this system at the time of sale? You bought the software to open and edit images, but there are limitations you wouldn’t have been told about.
Here are the two places where this system is talked about on Adobe’s website: a forum post and the information post linked to above.
Where’s the information page linked to from on Adobe’s website? My guess is not very many places, because they should have come up in the search too.
Printers are in on this too
I tried to print United States banknotes from Banknotes.com too. And the job failed. Here’s a New Zealand banknote that printed (and scanned) fine, with one of the United States notes below, which stopped printing halfway through.
Here’s the error message in the print dialog.
Error 9707 seems to be specific to the counterfeit deterrence system, but is only described as “reading pixels failed”.
BNZ specifies an interesting use for your Eftpos card PIN that’s not permitted in their newest card terms and conditions – using it for the lock code on your phone.
1.5 PIN selection … Your PIN should not be used for any other purpose including your lock/unlock code for your mobile phone.
In the new card letter they also make an interesting comparison of PINs to electronic signatures. But I think their next sentence shows why this is a potentially confusing example to give:
“When selecting a PIN please remember that this is your electronic signature. You must not keep a written record of your PIN, give your PIN to any other person or select a PIN that can be readily associated with you such as birth dates, addresses, parts of telephone numbers, car registrations, sequential numbers (eg 1234, 9999) or any other easily found personal information.”
Signatures are often written down, given away and are made up of personal information. Perhaps there is a better comparison available?
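The selection rules in the quoted letter can be checked mechanically before a PIN is accepted. The sketch below is an added example, not BNZ's code or part of the original post; it assumes 4-digit PINs, and the function names and all sample personal details are constructed for illustration.

```python
import re
from datetime import date

def date_pins(d):
    """Four-digit PINs that can be built from a date (DDMM, MMDD, YYYY, ...)."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {dd + mm, mm + dd, yyyy, mm + yy, dd + yy, yy + mm, yy + dd}

def is_run(pin):
    """True for repeated digits (9999) and up/down runs (1234, 4321, 8901)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {9})

def in_phone(pin, number):
    """A phone number is one digit string once spaces and dashes are dropped."""
    return pin in re.sub(r"\D", "", number)

def in_digit_groups(pin, text):
    """Check each run of digits on its own, so '17 ... 6011' never yields '1760'.
    Short groups are also tried zero-padded (plate 'QX482' -> '0482')."""
    return any(pin in g or pin == g.zfill(4) for g in re.findall(r"\d+", text))

def pin_problems(pin, birth_dates=(), phones=(), addresses=(), registrations=()):
    """Return the quoted rules a candidate PIN breaks; an empty list means none."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("this example assumes a 4-digit PIN")
    problems = []
    if is_run(pin):
        problems.append("sequential or repeated digits")
    if any(pin in date_pins(d) for d in birth_dates):
        problems.append("derived from a birth date")
    if any(in_phone(pin, p) for p in phones):
        problems.append("part of a telephone number")
    if any(in_digit_groups(pin, a) for a in addresses):
        problems.append("taken from an address")
    if any(in_digit_groups(pin, r) for r in registrations):
        problems.append("taken from a car registration")
    return problems

# Constructed sample customer record (not real data).
SAMPLE = dict(
    birth_dates=[date(1985, 3, 7)],
    phones=["021 555 0142"],
    addresses=["17 Constructed Road, Wellington 6011"],
    registrations=["QX482"],
)

if __name__ == "__main__":
    for candidate in ("1234", "0703", "5501", "6011", "0482", "7294"):
        print(candidate, pin_problems(candidate, **SAMPLE) or "no rule hit")
```

A PIN that hits none of these rules is not thereby strong; the check only covers the categories the letter lists.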
Foodstuffs/New World are using RFID technology on trolleys to track customer movement around the store.
Hi Matt,
Yes they are RFID receivers designed to pick up the signals from the front of most of our trolleys (although they are not currently active due to an issue with some of the receivers). The project is being done by Foodstuffs so that they can better understand customer movements around the store. This will enable them to design better supermarkets in the future.
Regards
>Hi
>
>I noticed Symbol(?) units installed on the ceiling in the store. I’m just curious as to what they are for. Are they using RFID technology?
>
>Kind regards
>
>
>Matt Taylor