Greg's blog


Keyword - privacy


Thursday, November 8 2007

Hushmail and the feds

This morning I read the Wired article, Encrypted E-Mail Company Hushmail Spills to Feds. In short, Hushmail, which is a Canadian company, helped the feds decrypt the mail of steroid dealers who were using the non-Java webmail service (see the comparison of the Java and non-Java configurations for details). Read also the mail thread between Kevin Poulsen and Hushmail CTO, Brian Smith. He stressed that "The key point, though, is that in the non-Java configuration, private key and passphrase operations are performed on the server-side. This requires that users place a higher level of trust in our servers as a trade off for the better usability they get from not having to install Java and load an applet."


Wednesday, October 31 2007

Facebook and privacy

I've just read Replace Facebook Using Open Social Tools, a Wired article I found thanks to Breaking Open Facebook With FOSS on Slashdot. See also Breaking Open Facebook with Open Source Software and Breaking Open Facebook with Open Source Software (Part 2). To sum up quickly, NewsCloud thinks Facebook owns too much information about every user and needs an open-source alternative. Yes, it's true that Facebook knows people's interests, discussions and connections with other people. That's a concern and it needs attention. But how can breaking a single application into a distributed one that uses different services help to avoid the privacy problem? In fact, you need to know how each service manages your personal information. The problem would also be distributed.

W3 started an initiative on privacy: P3P. But what could you do if the service doesn't provide the privacy you want? Would you not use the service? I have many doubts when I see what's happening with instant messaging. Most non-technical people I know use MSN. So do I! I actually use Kopete, and in addition to my Jabber accounts, I have an MSN account. I believe the problem is not about having all your information centralized in one service's databases; it's more about how to control what a provider does with your data. Nowadays, I must trust my service providers. How can I check what they do with my information? Even my ISP. Is it only a promise? Industry has brought compliance standards in quality and security (think SOX, ISO 27001). And in privacy? Are there any privacy compliance standards?

Friday, October 26 2007

Scroogled

I am reading Scroogled, a short novel by Cory Doctorow. French readers may like the translation. It tells the not-so-far-off story of a former Google employee who is tracked by data Google had stored about him.

I think it stresses the ubiquitous surveillance that is taking place nowadays, the difficulty of reliably processing this kind of data and how our privacy can be exposed. Sometimes privacy seems to be kept when we provide data to one application. But when all data from all the web applications we are using are correlated, it exposes hardly our whole public life. OK, everybody already knows that. It's like contactless transportation cards, credit cards, etc. You can be tracked by so many means. But in countries like France, you have the choice to manage the data that is stored about you. It is stated in the Loi Informatique et Libertés, whose application is monitored by the CNIL. It means you need to manage the data about yourself. In a way, Google is now something already well known; the current target is Facebook.

Talking about surveillance, check AT&T Invents Programming Language for Mass Surveillance, which quotes http://www.freedom-to-tinker.com/?p... from Andrew Appel (yes, you read that right: the man who wrote Modern Compiler Implementation).

To be continued...