
Bipul Lama believes Facebook is spying on him.
And he’s got proof, sort of. Lama performed a test. For two days, all he talked about was Kit-Kats.
“The next day, all I saw on my Instagram and Facebook were Kit-Kat ads,” Lama said.
After his Kit-Kat experiment, he successfully repeated it with chatter about Lysol. The 23-year-old musician is now more convinced than ever that Facebook is listening to his conversations through his phone’s microphone.
“It listens to key words. If you say a word enough times, the algorithm catches those words and it sets off targeted ads,” Lama theorized.
Lama is far from alone. The belief that Facebook is actively listening to people through their phones has become a full-on phenomenon. Facebook has, of course, denied it does this. That has done little to dampen the ongoing paranoia around the theory.
Because it is just a theory… right?
Source: Why everyone is so convinced Facebook is spying on their conversations
http://www.wired.com/2015/08/cant-squat-spotifys-eerie-new-privacy-policy/
Spotify released a new privacy policy that is now in effect, and it turns out that the company wants to learn a lot more about you and there’s not much you can do about it.
We encourage everyone to read the whole privacy policy before downloading the update or checking off the “Accept” box, but in case you have better things to do, here are some highlights from it.
…
“With your permission, we may collect information stored on your mobile device, such as contacts, photos, or media files. Local law may require that you seek the consent of your contacts to provide their personal information to Spotify, which may use that information for the purposes specified in this Privacy Policy.” – Spotify
Like a jealous ex, Spotify wants to see (and collect) your photos and see who you’re talking to. What kind of media files Spotify will collect from you is vague, and why the company needs it is unclear, but it’s doing it regardless. Also, the fact that Spotify expects you to go through your contact list and ask everyone for their consent in sharing their data with Spotify is–what’s the word? Oh yes: it’s ridiculous.
…
“You may integrate your Spotify account with Third Party Applications. If you do, we may receive similar information related to your interactions with the Service on the Third Party Application, as well as information about your publicly available activity on the Third Party Application. This includes, for example, your “Like”s and posts on Facebook.” – Spotify
It shouldn’t surprise you that if you connect your Spotify account to Facebook, Spotify will be able to see the information you post there. If this bothers you, we suggest that you log into your Spotify preferences and disconnect Spotify from your Facebook account (more information on how to do this can be found here). After all, Facebook isn’t all that necessary to use Spotify (unless, of course, you want your friends to know you’re listening to Owl City).
…
“If you don’t agree with the terms of this Privacy Policy, then please don’t use the Service.” – Spotify
…
I value my privacy, so I’ll stop using Spotify. Bye Spotify, I won’t miss you.

The National Security Agency has some of the brightest minds working on its sophisticated surveillance programs, including its metadata collection efforts. But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts.
School dropout codes chat program that foils NSA spying (Wired UK).

The Information Commissioner’s Office (ICO) has criticised the Student Loans Company Limited after a series of data breaches involving customers’ records.
The business reported several incidents where information held about customers, including medical details and a psychological assessment, had been sent to the wrong people.
An ICO investigation found that not enough checks were carried out when documents were being scanned to add to customer accounts, and more sensitive documents actually received fewer checks.
Student Loan Company rapped after data breaches.
It looks like the message came through – as of 9am this morning (CET), Sintel is available on YouTube again. In case you missed it, there was an outcry on the internet this weekend as it was pulled by Sony after alleged copyright infringement.
To put things into perspective, these YouTube takedowns are massively automated. Software scans all the uploaded media and flags any material where they detect copyrighted material. Large corporations such as Sony have enough traction with YouTube that they can then also automatically take down these media (smaller companies have to manually submit a DMCA takedown notice).
So is there still a problem? You bet there is – we’re lucky to have a huge and vocal community behind us, that spread this story over the web in a couple of hours. The story was featured on Cartoon Brew, Boing Boing, Slashdot and Reddit (which nuked the BlenderNation server for a few hours). This helped revert the takedown. If you’re a small publisher however, you will find it nearly impossible to talk to anyone and get your video back up. These automated takedowns can destroy your project and leave you powerless.
Boing Boing hits the nail on the head with their comment:
While it’s probably a mistake, because this is so brain-meltingly obviously wrong, it’s also a very stark example of how sloppy, over-broad, and consequence-free enforcement of copyright can damage culture.
I don’t think there was any intent behind this particular takedown – just an unfair, unaccountable system. I’m glad we got Sintel back.
Sintel Restored on YouTube Editorial | BlenderNation.
The ICO’s investigation found that Kent Police had no guidance or procedures in place to make sure personal information was securely removed from former premises. The problem was made worse due to an apparent breakdown in communications between the various departments involved in the move.
ICO Head of Enforcement, Stephen Eckersley, said:
“If this information had fallen into the wrong hands the impact on people’s lives would have been enormous and damaging. These tapes and files included extremely sensitive and confidential information relating to individuals, many of whom had been involved in serious and violent crimes. How a police force could leave such information unattended in a basement for several years is difficult to understand.
“Ultimately, this breach was a result of a clear lack of oversight, information governance and guidance from Kent Police which led to sensitive information being abandoned. It is only good fortune that the mistake was uncovered when it was and the information hasn’t fallen into the wrong hands.”
Kent Police fined £100,000 after interview tapes abandoned at former station | ICO news release.
I’ve started looking at the iptables function within the Linux kernel, and found out that with a bit of tinkering, you can use the IBLOCK lists to do a machine-wide block based on IP. You use pipes (gotta love ‘em) to route them into ipset, which allows you to create a set of IP addresses/ranges which you then reference in iptables. You can use wget or curl. If you use wget, you might need to use the quiet switch. You can use xargs to multi-download lists and concatenate. I’m tinkering with my download script at the moment.
First, create the set. Here, I have used a high maxelem number because I use a lot of IBLOCK’s lists. The “maxelem 1048576” can be omitted or the number reduced if you are only using one or a small number of IBLOCK lists.
ipset create IBLOCK hash:net maxelem 1048576
Second, download and add to the set if it doesn’t already exist. You can chain multiple lists into the wget or use xargs. For this example, I’m only using one.
wget -q "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" -O- |
gunzip |
cut -d: -f2 |
grep -E "^[-0-9.]+$" |
gawk '{print "add IBLOCK "$1}' |
ipset restore -exist
Finally, add rules to iptables to drop packets to and from IP addresses that exist in the set. This means that packets coming in from external IPs that match addresses in the set will not be answered.
iptables -I INPUT -m set --match-set IBLOCK src -j DROP
iptables -I OUTPUT -m set --match-set IBLOCK dst -j DROP
When I tried this with my IBLOCK download script, it seemed to kill TOR functionality as well, which I suspect means that IBLOCK have included the TOR IP range in one or more of their lists, so I’ll need to determine which one(s) they are and exclude them, as I do use TOR actively.
As with most things, there’s more than one way to do this, and this is one of many ways you could implement blocking behaviour.
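An added example, not from the original post or from Dustin Hatch’s script: a POSIX shell function that does the parsing step of the pipeline above more carefully. It assumes the PeerGuardian p2p format (one “description:start-end” line per entry), takes the range after the last colon so a description containing “:” is not mangled, drops malformed or out-of-range entries, and optionally skips entries whose description matches a regex (useful for the Tor-range problem mentioned above). The set name IBLOCK and the sample list are constructed for the example.

```shell
#!/bin/sh
# Added example: turn a PeerGuardian "p2p" list (lines of the form
# "description:start-end") into "add SET start-end" lines that
# `ipset restore -exist` accepts.  Entries whose description matches
# an optional exclusion regex are dropped.
# Usage: p2p_to_ipset SETNAME [EXCLUDE_REGEX] < list.p2p
p2p_to_ipset() {
    awk -v set="$1" -v excl="${2:-}" '
        # true when ip is a dotted quad with every octet in 0..255
        function ip_ok(ip,    o, i) {
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
            split(ip, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*$/ || /^#/ { next }              # blank lines and comments
        {
            sub(/\r$/, "")                       # tolerate CRLF lists
            if (!match($0, /:[^:]*$/)) next      # no "description:range"
            desc  = substr($0, 1, RSTART - 1)    # everything before last ":"
            range = substr($0, RSTART + 1)       # "start-end"
            if (split(range, r, "-") != 2) next
            if (!ip_ok(r[1]) || !ip_ok(r[2])) next
            if (excl != "" && desc ~ excl) next  # e.g. skip Tor ranges
            print "add " set " " range
        }'
}

# Constructed sample list covering the edge cases handled above.
SAMPLE='# comment line
Evil Corp:1.2.3.0-1.2.3.255
Bad Host: Branch 2:10.0.0.1-10.0.0.1
Tor exit relays:198.51.100.0-198.51.100.255
garbage line without a range
Out of range:300.1.1.1-300.1.1.2'

# Real use (needs root and the ipset tool, so it is only shown here):
#   wget -q "http://list.iblocklist.com/?list=bt_level1&fileformat=p2p&archiveformat=gz" -O- \
#     | gunzip | p2p_to_ipset IBLOCK 'Tor' | ipset restore -exist
printf '%s\n' "$SAMPLE" | p2p_to_ipset IBLOCK 'Tor'
```
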
Source: Dustin C. Hatch, Using PeerBlock lists on Linux
In October, the tech industry's biggest companies petitioned Congress to reform the US Government's surveillance policies. Now, the firms are taking their pleas global. Microsoft, Apple, Facebook, Google, LinkedIn, Yahoo and AOL (Engadget's parent company) have banded together to ask the world's governments to reassess their intelligence practices. This time, however, the firms are presenting more than a strongly worded letter - they've laid out five core reform principles, detailed both on an official website and in full-page ads in national publications.
The breakdown is fairly straightforward; the group asks that government’s authority be imposed with “sensible limitations on their ability to compel service providers to disclose user data,” and that they give more consideration to the link between privacy and trust required by technology providers and their users. The group is also demanding increased oversight, accountability and transparency, outlining a system that allows companies to publish the nature and frequency of user information requests and attached to a “clear legal framework” with “strong checks and balances.” Governments outside of the US are encouraged to work together too, to create a “robust, principled and transparent framework” to guide requests for data across jurisdictions. The group of tech giants also wants these changes to respect the flow of information, and ensure that service providers are able to build infrastructure on a global scale, without needing to store data inside the country for the sake of national government inquiries.
“Unchecked, undisclosed government surveillance inhibits the free flow of information.” Twitter CEO Dick Costolo writes on the movement’s website. “The principles we advance today would reform the current system to appropriately balance the needs of security and privacy while safeguarding the essential human right of free expression.”
An open letter to Washington underlines the campaign, noting that “the balance in many countries has tipped too far in favor of the state and away from the rights of the individual.” The companies pledge to keep user data secure with encryption technology and by fighting unreasonable government requests, but change needs to start from within. “Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information.” Mark Zuckerberg stated. “The US government should take this opportunity to lead this reform effort and make things right.” Indeed, the letter asks that Congress do just that: “take lead and make reforms” that would bring the proposed changes to fruition.
While the firms openly acknowledge the government’s need to take certain actions for the public good, it clearly states that the current laws governing surveillance are no good, and may even be hurting future adoption of new technologies. Microsoft’s Brad Smith puts it best, “People won’t use technology they don’t trust. Governments have put this trust at risk, and governments need to help restore it."
Microsoft and Google lead coalition demanding limits on government surveillance.
I’ve been using Tor for a while now, and have been tinkering with settings to try to get it to work right. One of the many frustrating things is DNS leaking, whereby an application resolves DNS using the host’s DNS and not via Tor. Consequently, since the DNS server of your PoP (Point of Presence) is usually your ISP’s DNS server, or a DNS server maintained by your ISP, they can easily eavesdrop on your surfing behaviour by simply connecting a DNS query with a traffic stream to that same IP soon afterwards.
Using DNS via Tor is a bit of a pain, but there are various ways I’ve found that seem to work. Some better than others.
Solution 1: Local DNS Host
It is possible to set up Tor to act as a local DNS host by using the “DNSPort 53” directive within the torrc. However, you will need to run tor (or Vidalia) as root in order to be able to open this port.
Once this is done, you can add 127.0.0.1 to your DNS hosts list in /etc/resolv.conf. To account for when Tor isn’t running, I add my true DNS afterwards so my resolv.conf would be:
nameserver 127.0.0.1
nameserver 192.168.0.1
This means it should resolve through Tor first, then fall back to my ISP’s DNS if that fails. Tor’s DNS only responds to A-record queries; MX and NS queries return an error.
If you turn on DEBUG level logging in Vidalia, you can test if DNS is working by trying to ping a host and seeing if Tor receives a DNS request.
Solution 2: Wrapper
Probably an easier method than above, is to use a wrapper tool, such as torsocks or proxychains. My preference is proxychains and you’ll see why.
Torsocks, as its name suggests, is built by the same group who created Tor and wraps the application you pass to it, tunnelling all traffic through Tor. However, it seems rather quirky to me, and when used with some apps it drops out several pages of LD_PRELOAD errors and the application either doesn’t start or starts without access to the net.
Proxychains similarly wraps an application and tunnels its traffic through a proxy (including its DNS queries, by default). It isn’t specific to Tor, but it comes with its config already set up for Tor and works fine. When you start it up with an application, by default it shows all the DNS queries it makes (configurable). It also allows you to chain proxies (hence the name), so proxy A to proxy B to proxy C, etc., to make it even harder to follow your traffic. It even allows you to randomise your proxy chains, so one request might go A-B-C and the next might go A-C-B.
At the moment I use the DNS method to hide my DNS traffic on most of my linux applications, then use proxychains on anything I specifically want to tunnel through Tor, such as browser sessions or the occasional BitTorrent download.
In case you haven’t seen this, Tails (The Amnesic Incognito Live System) is a live incognito DVD/USB which you can use to boot any machine that supports USB boot (and for those which don’t boot off USB, you can use PLOP).
All connections go through Tor and, since it’s a live disk, nothing is left on the hard disk (unless you choose to save something off the Internet, I guess).
I’ve been tinkering with Tor and managed to get my DNS routed through Tor, with my normal DNS as a backup, although routing traffic is a bit trickier, since not all applications play with the Tor network properly. Some applications, such as Vuze, provide SOCKS capability, which allows routing of traffic through the Tor network via proxy. Others, like Chrome/Chromium, don’t offer this as well, and you have to fudge it.