Showing posts with label Online Privacy. Show all posts
Thursday, July 24, 2014
Flaws could expose users of privacy-protecting software, researchers say
SAN FRANCISCO — Researchers have found a flaw that could expose the identities of people using a privacy-oriented operating system touted by Edward Snowden, just two days after widely used anonymity service Tor acknowledged a similar problem.
The most recent finding concerns a complex, heavily encrypted networking program called the Invisible Internet Project, or I2P. Used to send messages and run websites anonymously, I2P ships along with the specialized operating system “Tails,” which former U.S. spy contractor Snowden used to communicate with journalists in secret.
Though a core purpose of I2P is to obscure the Internet Protocol addresses of its roughly 30,000 users, anyone who visits a booby-trapped website could have their true address revealed, making it likely that their name could be exposed as well, according to researchers at Exodus Intelligence.
“People shouldn’t trust something wholeheartedly just because Snowden says,” Exodus Vice President Aaron Portnoy told Reuters. “Generally, we assume the things we can find, others can find.”
Tails launches from a DVD or USB stick and is designed to maintain privacy even when a computer or network has been hacked.
Much more than I2P, Tails relies on Tor, the better-known anonymity system that it uses for all software connections to the Internet. But leaks in the past year have shown that Tor is also a major target for the U.S. National Security Agency and others, and researchers at Carnegie Mellon University said they could have identified hundreds of thousands of Tor users.
Those researchers planned to detail their technique next month at the security conference Black Hat. After Tor developers complained to Carnegie Mellon, the university told Black Hat to cancel the talk.
Tor programmer Roger Dingledine conceded that the researchers had found a flaw, and he said his team was now working to fix it before any public disclosure exposes dissidents and other types of users on Tor to greater risk of attack.
The I2P flaw will likewise be fixed, in what a spokesman for the I2P project called the “near future.” In the meantime, he said, users should disable the programming language JavaScript.
Tails did not respond to an email seeking comment. It was not clear how many Tails users would be vulnerable, since the I2P application does not launch automatically when the operating system is opened. The I2P spokesman said a user would have to have chosen to run I2P to be vulnerable.
Exodus is one of a dozen or more companies known to sell secret security flaws to intelligence agencies, law enforcement and other customers in a controversial marketplace.
No system is failsafe
But in this case, Exodus alerted I2P and Tails to the problem and said it would not divulge the details to customers until the problem has been fixed. Portnoy declined to say what the company would do if a government client asked him to find a similar flaw in the future.
The Tails and Tor episodes show that no anonymity system is failsafe, Portnoy said, and those in jeopardy should focus on compartmentalizing their efforts so that a single breach would not expose everything about them.
“Tor works for most purposes, but a determined adversary will always find a way,” he said.
In one such high-stakes case, the FBI used a flaw in a Firefox Web browser that came bundled with Tor to identify a man suspected of hosting child pornography, according to Irish media reports.
Leaked NSA documents show that the NSA logged the IP addresses of many Tor users and may have scanned emails for users living outside of the United States and its four closest intelligence allies, German media reported this month.
source: interaksyon.com
Thursday, December 20, 2012
US toughens online privacy rules for children
WASHINGTON DC — US regulators unveiled new rules Wednesday aimed at strengthening online privacy protection for children, to reflect the growing use of mobile apps and social networks.
The Federal Trade Commission said its updated rules require online services to get consent from parents if they are aimed at children under 13 or know that they are collecting personal information from young children.
But FTC chairman Jon Leibowitz said the Children’s Online Privacy Protection Act would not include stricter proposals which would have made companies liable for “plug-ins” such as the Facebook “like” button or Twitter’s “tweet” button.
“The Commission takes seriously its mandate to protect children’s online privacy in this ever-changing technological landscape,” said Leibowitz.
“I am confident that the amendments to the COPPA Rule strike the right balance between protecting innovation that will provide rich and engaging content for children, and ensuring that parents are informed and involved in their children’s online activities.”
Leibowitz told reporters that websites will still be able to direct ads to children, and that “the only limit we place is on behavioral advertising,” which is based on a person’s browsing activity.
“Until you get parental consent, you may not build massive profiles of children to deliver advertising,” the regulator said.
The rules close some loopholes on online operators who can be liable for violations of the law, which was passed by Congress in 1998.
But the regulations note that, in light of comments received on a draft, the FTC decided the rules should not encompass platforms such as Google Play or the App Store, that offer access to “someone else’s child-directed content.”
Third-party plug-ins will be responsible only where they have “actual knowledge that they are collecting personal information from users of a child-directed site.”
Leibowitz said the FTC “struggled with this” issue and sought to avoid rules which clamped down on operators to force them to create a “sanitized” Internet for older children and adults.
“We think where we ended up was both balanced and very very strong,” he said. “We did two rounds of comments because we wanted to get it right and we wanted to listen to everybody.”
The proposal drew hundreds of comments, including some who feared Facebook could be held liable if it allowed young children to hit the “like” button without getting parental consent.
Senator Jay Rockefeller, who joined the news conference unveiling the updated rules, said they were as strong as the law allowed.
“The FTC really went as far as they could,” Rockefeller said.
“There will be groups that will complain about it and so will I. But we can’t do anything about it because the FTC is governed by law.”
Jeff Chester, executive director of the Center for Digital Democracy, which lobbies for greater privacy protections, called the FTC move “a major step forward” but warned that it may not be effective.
“We are concerned about possible loopholes that could undermine the intent of the rules,” he said, adding that his group would maintain “file complaints against any company that violates the new rules.”
source: interaksyon.com