Archive - Privacy and Anonymity

Framing someone by planting evidence

I hope there is more evidence than what is in this story and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just ‘tip’ off the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today. The malware is very easy to use. Much easier than it was even 2 years ago. In some cases the malware uses standard libraries designed to write malware that are available on the Internet. One of the malware samples used for this course includes the ability to write ‘plug-ins’, similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect’s computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I’d suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that doesn’t ever write to storage, but stays resident in memory. Even if there is evidence left on the suspect system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let’s assume that they do have the resources to do a detailed investigation of every system. Let’s also assume that the investigation revealed that the evidence was planted externally and the owner had no knowledge of its existence and is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that will follow them for the rest of their lives. There will be the embarrassment of being suspected of a criminal act. There will be the record of the arrest, which can make it difficult to travel in the future even if there is no conviction. There will be the looks and suspicions of others, always wondering “Was he really innocent or did he just get lucky and is really guilty?”

Presentation on anonymous surfing and anonymous emailing


I recently did a presentation on anonymous surfing and anonymous emailing for the High Technology Crime Investigation Association. HTCIA is a community that has goals to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership. The membership includes law enforcement, government, and private sector from different countries including Canada and the United States.

One thing I found challenging when creating the presentation was the technical level to target. HTCIA membership includes individuals and groups from many different disciplines. Most members have different levels of knowledge and experience within any given discipline. With that in mind, I tried to create a presentation that would be beneficial to the majority of individuals.

A PPT compressed slideshow of the presentation is here. There is also a PDF that can be found here. I’d recommend the PPT slideshow over the PDF. Animation doesn’t show well in the PDF and as a result some of the slides are covered over with different layers of the animation.

Unseen connections: New ways that objects and people are linked.

A colleague of mine recently pointed me to a new show on CBC called Spark that started in the fall. All their shows are available via the web which is great.

I just finished the show Unseen connections: New ways that objects and people are linked. Great show. They discuss RFID tags, how they work and examples of their uses today: how casinos use them in chips to stop forgery, and how they can be used in consumer products to save information such as product lot number, when and where it was manufactured, and other information that can be extracted.

Smart homes were discussed. In the interview they discussed how, up until recently, the holdback to the adoption of smart homes has been compatibility. This has now been overcome by the Amigo Project, an open source project that is supported by most vendors. One of the issues currently being researched by this project is privacy. With your home all connected, privacy is naturally a big concern. Lots of information can be generated by a smart home and the devices in your home: what you purchase, how often you cook, what you watch, what items you take with you, prescription information. This type of personal information is valuable and wanted by marketing and research firms. Privacy is becoming one of the hottest issues on the internet and it only makes sense that this issue is of even more concern in your home as it becomes more and more connected to the outside world. I look forward to the results of their research. Although a smart home is something that really intrigues me, I worry about both security and privacy. If my thermostat was connected to my smart home for example, would it be possible for an external entity to keep tabs on what I set my thermostat temperature at? This doesn’t seem like a big deal, but it is one step towards government stepping in and legislating that we are forcing everyone to keep their dwellings at x degrees for the sake of the nation, betterment of the greater population, or something to that effect. You might think I am paranoid and spreading fear but this was tried recently (although unsuccessfully).

Personally, I think any smart home should have an override for the home owner. A switch or detailed configuration screens where under no circumstances can data be extracted or removed without prior authorization — a default ‘deny’ on ingress and/or egress connections. No individual device should be able to override the master control of the house. Even the government should not be able to do it in any circumstance. On the positive side, the project is open-source so even if this is discovered to be possible, someone will patch it quickly.

Mobile phone tracking and law enforcement access

Great article by Jennifer Granick on mobile phone tracking. We all know that service providers keep the location information in a database for each mobile phone as it moves from tower to tower. I am unaware of the retention time for this data, but it is probably safe to assume forever.

The article focuses on the requirements to legally obtain access to mobile location information. Unfortunately, it appears that it is getting easier not harder. A simple showing of ‘relevance’ is now enough for law enforcement to request mobile location information. This is just one example of many that show the privacy laws in the United States being eroded away slowly, undetectable to the average person. Eventually one day the world will wake up and say “Wait a minute! What happened? We need to do something.” But by then I fear it will be too late.

This of course doesn’t apply to Canada yet, but that is only a matter of time.

Privacy and Anonymity

Privacy compared to anonymity is something that I constantly explain to clients. They often think they are the same thing and if you have one, you have the other. This is very untrue however.

This article by Bruce Schneier is really well written. It talks about Tor and the recent release of e-mail addresses by an individual that was watching Tor exit nodes. More to the point of this entry however, it explains very well the difference between privacy and anonymity.

Internet Privacy

I’m all for Privacy and personally I am concerned where technology is headed in terms of Privacy. I think the public doesn’t understand the implications and will eventually wake up and go ‘what happened’ but then it will be too late. Similar to global warming and cigarettes. However, I think this is going too far.

If you choose to put something on the web, then there is reasonable expectation it will be searched, indexed, and archived for life. Learn it, understand it, accept it, and don’t put anything up you don’t want that done with.

Turn off your Bluetooth…

Watch them make calls from your phone as you pass them.

http://www.youtube.com/watch?v=dltjEnrePxc

Who needs clothes?

Check this out: Now when you go on a flight the TSA can see a detailed image of you as if you had no clothes!

The best part is the fact that it takes a “detailed” digital image of your body, but shows an “obscured” version for the TSA screener. No worries, they always delete the original digital image so it MUST be a good thing :(
