Tag Archives: privacy

‘Confidential Content’? YouTube bug shows scary but harmless banner in search results

People performing searches this afternoon on YouTube for videos to watch are being treated to an ominous-looking banner perched atop the search results, warning them that their search results might contain “confidential content,” like this:

Though it looks forbidding, Google assures us that the banner’s visibility is actually due to a snafu rather than anything nefarious or secret. When the banner started appearing in our own search results, Ars reached out to Google for comment. A spokesperson explained that the anomalous banner is due to “a bug” and that its presence is entirely accidental.

YouTube also quickly reacted with a tweet to assure folks that nothing worrisome was happening:

Friendly reminder: Your Snapchat photos are still stored on your phone

A forensics firm has found that Snapchat, an app whose killer feature is that it deletes photos sent between users once they’ve been viewed, does not actually delete photos once they’ve been viewed. According to KSL.com, the app saves the images to the device and, once they’re viewed, changes the file extension so they’re no longer accessible.

Utah-based Decipher Forensics claims that the photos take about six hours to extract, though most of that time is spent imaging the phone’s data. So far, Decipher has only managed to penetrate Android phones. The images reside in a folder on the recipient’s device named RECEIVED_IMAGES_SNAPS.

Once the files have been viewed within the time constraints of the app, the app affixes the extension .NOMEDIA to make it less readable. However, if the files are extracted and the extension is changed, the images are viewable once again.

FBI claims right to read your e-mail, just like other federal agencies

If we’ve told you once, we’ve told you a thousand times—the feds can (and do) easily access your e-mail. In fact, sending materials through the United States Postal Service is legally more secure than e-mail.

On Wednesday, as the result of a Freedom of Information Act request, the American Civil Liberties Union has published the first public copy of the 2012 edition of the FBI’s Domestic Investigations and Operations Guide. And this document clearly draws that distinction. The new disclosure shows that the FBI believes it does have the authority to open your e-mail essentially whenever it wants:

18.7.1.3.4.3 (U) MAIL OPENINGS

(U) Mail in United States postal channels may be searched only pursuant to court order, or presidential authorization. United States Postal Service regulations governing such activities must be followed. A search of items that are being handled by individual couriers, or commercial courier companies, under circumstances in which there is a reasonable expectation of privacy, or have been sealed for deposit into postal channels, and that are discovered within properties or premises being searched, must be carried out according to unconsented FISA or FRCP Rule 41 physical search procedures.

18.7.1.3.4.4 (U) COMPELLED DISCLOSURE OF THE CONTENTS OF STORED WIRE OR ELECTRONIC COMMUNICATIONS

(U) Contents in “electronic storage” (e.g., unopened e-mail and voice mail) require a search warrant. See 18 U.S.C. § 2703(a). A distinction is made between the contents of communications that are in electronic storage (e.g., unopened e-mail) for less than 180 days and those in “electronic storage” for longer than 180 days, or those that are no longer in “electronic storage” (e.g., opened e-mail). In enacting the ECPA, Congress concluded that customers may not retain a “reasonable expectation of privacy” in information sent to network providers. However, the contents of an e-mail message that is unopened should nonetheless be protected by Fourth Amendment standards, similar to the contents of a regularly mailed letter. On the other hand, if the contents of an unopened message are kept beyond six months or stored on behalf of the customer after the e-mail has been received or opened, it should be treated the same as a business record in the hands of a third party, such as an accountant or attorney. In that case, the government may subpoena the records from the third party without running afoul of either the Fourth or Fifth Amendment. If a search warrant is used, it may be served on the provider without notice to the customer or subscriber.

Here’s what all that means: under the much-maligned (but frustratingly still-current) 1986-era Electronic Communications Privacy Act (ECPA), law enforcement must get a warrant to access e-mail before it has been opened by the recipient. However, there are no such provisions once the e-mail has been opened or if it has been sitting in an inbox, unopened, for 180 days. In March 2013, the Department of Justice acknowledged in a Congressional hearing that this distinction no longer makes sense and the DOJ would support revisions to ECPA.

SpiderOak encrypted cloud storage adds drag and drop support with Hive

Last year we had a look at SpiderOak, a public cloud service with a focus on security above all else. The idea behind SpiderOak was to create a service with the same type of features as Dropbox but without the ability for anyone other than an account’s user to see the unencrypted contents of that user’s data store—including SpiderOak itself.

This is done by storing everything on the SpiderOak service as encrypted blocks and ensuring that the decryption keys for those blocks can only themselves be decrypted with the user’s password. That password is entered by the user into the locally installed SpiderOak client and is never seen by the backend service. SpiderOak has gained a strong following as a more tech-savvy alternative to Dropbox because of its central emphasis on encryption. Dropbox also encrypts files stored on its service, but it also holds the decryption keys and uses them to perform global single-instancing—that is, if you and your friend both upload a copy of the new Star Trek trailer, Dropbox will save backend storage space by only actually storing the trailer once. It can do this because even though your files are secured and encrypted from access by others, the Dropbox service itself is able to decrypt files in order to ensure it’s only storing each unique set of blocks once.

So SpiderOak has traditionally appealed to the more security-conscious (or paranoid) user, since data is securely encrypted by the SpiderOak client installed on the user’s computer or computers, and its backend treats everything as encrypted blocks, no matter what. However, SpiderOak’s emphasis on security has come at the expense of a bit of usability; contrary to Dropbox, getting files stored on the SpiderOak service and synced across different devices isn’t seamless out of the box; SpiderOak requires a bit of setup to reach the same place that Dropbox and others start out with.

Rooting exploit could turn Google Glass into secret surveillance tool

A smartphone hacker has provided conclusive proof that the futuristic computing headset known as Google Glass can be surreptitiously modified to give anyone with physical access almost complete control over the device. He called on Google engineers to improve the security of Glass—which currently is available only to developers—before it becomes available to the general public.

Google engineers have stressed that the head-mounted computing device—which can capture nearby conversations and images and transmit them over the Internet—was meant to be hacked. But until now, it has been easy for end users to know when their all-seeing, all-hearing headsets were modified. All that has changed now that security consultant Jay “saurik” Freeman has fashioned an alternative way to gain almost unfettered “root” control. Using an exploit discovered seven months ago to root smartphones running Google’s Android operating system, it takes him less than five minutes to hack the new device. From there, he can install a customized operating system that silently monitors everything the device sees or hears.

Because it requires a device to be put into a special “debug mode,” the exploit isn’t considered much of a security threat for smartphone users. After all, debug mode can be invoked only after a user has unlocked the handset using a PIN code or other security mechanism. Glass, by contrast, has no form of screenlock, making it possible for someone with even brief access to a headset to make persistent changes.

FBI denied permission to spy on hacker through his webcam

Sorry FBI, you can’t randomly hijack someone’s webcam.

A federal magistrate judge has denied (PDF) a request from the FBI to install sophisticated surveillance software to track someone suspected of attempting to conduct a “sizeable wire transfer from [John Doe’s] local bank [in Texas] to a foreign bank account.”

Back in March 2013, the FBI asked the judge to grant a month-long “Rule 41 search and seizure warrant” of a suspect’s computer “at premises unknown” as a way to find out more about these possible violations of “federal bank fraud, identity theft and computer security laws.”

In an unusually public order published this week, Judge Stephen Smith slapped down the FBI on the grounds that the warrant request was overbroad and too invasive. In it, he gives a unique insight as to the government’s capabilities for sophisticated digital surveillance on potential targets. According to the judge’s description of the spyware, it sounds very similar to the RAT software that many miscreants use to spy on other Internet users without their knowledge. (Ars editor Nate Anderson detailed the practice last month.)

Apple remembers where you wanted to get drunk for up to 2 years

Apple probably still has this query of mine from 2011 saved somewhere in the cloud.

Remember that time when you asked Siri about the nearest place to find hookers? Or perhaps the time you wanted to know where to find the best burritos at 3am? Whatever you’ve been asking Siri since its launch in late 2011 is likely still on record with Apple, as revealed by a report by our friends at Wired on Friday. Apple spokesperson Trudy Muller told Wired that Apple stores Siri queries on its servers for “up to two years,” though the company says it makes efforts to anonymize the data.

“Apple may keep anonymized Siri data for up to two years,” Muller said. “Our customers’ privacy is very important to us.”

Why does Apple have your Siri queries on record in the first place? Remember, Siri doesn’t just operate locally on your iPhone or iPad—when you ask it a question, your voice query is sent to Apple’s servers for processing before the answer—a Google search, an answer from Wolfram Alpha, a Yelp result, etc.—is sent back. That’s why an Internet connection is required in order to use Siri; if you have no Wi-Fi or cellular signal, you can’t use Siri to perform any actions.

Apple Keeps Anonymized Voice Data Related To Virtual Assistant Siri For Up To 2 Years

Apple’s Siri voice assistant on iOS devices retains information to help the company generate better and more accurate results in the analysis process that takes place at its remote servers. The company has never previously revealed exactly how long it keeps that data or how exactly it works, but now Wired has learned from an Apple spokesperson exactly how Siri IDs and stores data, as well as for how long.

Apple said that it first associates voice files gathered by Siri with a randomly generated number to keep all associated data anonymous, and separate from any other identifiers including your Apple ID or even your email address. That number remains tied to data for six months, at which time Apple deletes it, while retaining the voice file. The voice file itself, now separated from any kind of identifier, can live on Apple’s servers for up to 18 more months in order to help Apple refine Siri and test new products. When a user turns Siri completely off, however, all data and identifiers are immediately deleted.

Privacy concerns around voice dictation services are nothing new. Nuance, the company that helps power Siri with its voice-recognition software, had to defend against privacy concerns back in 2009 when it launched Dragon Dictation for the iPhone. It, too, stores transcriptions of conversations on its servers to help improve its own technology’s results. The situation isn’t all that different from the type of information Google collects to make sure that its ad targeting works effectively, or to help services like Google Now operate properly.

The main concern of privacy critics like American Civil Liberties Union lawyer Nicole Ozer, who sparked the Wired investigation to begin with, seems to be around the fact that Apple doesn’t include this information about its data retention policies anywhere that’s easily accessible to users of Siri, like in its FAQ page about how Siri works. Her argument is built around Apple’s duty to keep consumers informed, since it could influence what type of information they share with services like Siri.

The bottom line is that if an app or service requires a data connection, in all likelihood there’s a back and forth transmission of information going on, and if privacy is one of your top-of-mind concerns, you should be cautious in any such situation. Apple’s policies with Siri seem no more or less egregious than any other, but it is nice to see the company spell it out in no uncertain terms.