Soghoian is referring to a piece of tape FBI Director Comey places over his laptop camera.  The subtle message for the public is that electronic privacy is for the privileged elite.

You may be hearing about the EU-US Safe Harbor discussion in the news.  At risk is multinational companies' ability to store and process EU data in the US.  Companies like Apple, Facebook, and Google provide EU services through computers located in the US.  Data is sent from the EU to the US under the auspices of the EU-US Safe Harbor agreement.

On October 6, 2015, the Court of Justice of the European Union (ECJ) ruled the Safe Harbor agreement invalid, which places all EU data sent to the US in jeopardy.

“…the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country” [4] Court of Justice of the European Union

The ECJ recommended that where protections cannot be guaranteed, the appropriate remedy is “suspending the contested transfer of data” [4].  The only way US businesses can guarantee adequate protections for EU data is for the US government to develop laws protecting EU data from US government warrantless surveillance programs.  Without such transparency measures, the only choices for Internet bellwethers are to develop new data centers within the EU for EU data, or to pull the plug on the EU.  Neither option is very tenable for US multinationals or for citizens of the EU.

Even if Internet bellwethers underwrote efforts to build EU data centers, it is not clear that EU data would be safe from US government overreach.  In a developing case between Microsoft and the US government, the government contends it has the right to demand the email of anyone in the world so long as the provider is headquartered within the US [6].  Presumably, the legal precedent established for email would apply more broadly to all data.  I have been covering developments in this area over the last couple of years [1][2] for interested readers.

[1] Securitycurmudgeon.com, Balkanization of US Products and Service Technology Accelerates
[2] Securitycurmudgeon.com, A Crisis of Confidence Costs Real Money
[3] The Register, US tries one last time to sway EU court on data-slurping deal
[4] Politico.eu, Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015 [pdf]
[5] Reuters, Europe-U.S. data transfer deal used by thousands of firms is ruled invalid
[6] Guardian, Microsoft case: DoJ says it can demand every email from any US-based provider

Image: Wikipedia, EU Flag

I think it’s great that LinkedIn prompts members using LinkedIn API enabled applications about the type of information requested.  This is the minimum amount of transparency all cloud applications should present to their users, but what information is included in a connection?  Sure, “1st and 2nd degree connections”, but what does that mean?  Only a member’s relationship to another member?  Or the connection relationship along with other profile information?  Asking a LinkedIn member to share profile information for another is like asking my Mom if it’s ok for me to come out and play.  It should be each member’s choice what they want to share about their profile.  I’m open with my information, but some are very private and connect only to their closest colleagues.  An easy area of future improvement is to clean up the connection sharing description shown to users.  A further suggestion: if the type of information can’t be clearly communicated to members, don’t do it.
Another area of improvement in this message dialog is to provide members some options about the type of information they are willing to share.  Today the choice is all or nothing.  Members can choose to “Allow access” or not use the application.  Essentially many applications hold you hostage on this screen.  You either hand over all your member data or you don’t get access to the application.  My concern is that applications often request much more information than the application requires.  I’m not against software developers asking, but the user should have some choices.  If LinkedIn is concerned about their members’ privacy they should provide a checkbox next to each type of information requested.  This allows members to turn off information they don’t want to share (like personal connections) while sharing other types of information.

You may have missed one of securitycurmudgeon.com’s posts in the past, or perhaps you started following later and missed earlier posts.  Whatever the reason, I thought it would be interesting to recap some of the site’s best past blog posts.  Some are still relevant, and it’s interesting to see how security and privacy change over the years.  Many posts did not make the cut for this list.  If any of these posts pique your interest, I encourage you to take a deeper look at some of the past posts.  It’s been a pleasure to blog over the years and I appreciate your readership!

2012

Who is spying on you?  Your Car!
Privacy concerns about the confluence of information technology in automobiles.

Do Not Track, Why Does it Matter?
The verdict is out, nobody cares about our personal privacy preferences.  Still it was great to have hope at the time.

Java Spotlight Episode 106: Java Security Update
Roger Brinkley interviewed Bruce Lowenthal and me on Java security.  It was surprisingly popular since there was little discussion about Java security outside of Oracle at the time.

Movie Reviewed, We Are Legion: The Story of the Hacktivists
Security pros talk on camera about the Anonymous hacking group in this documentary film.

Measuring Internet Connection Throughput
Discusses a Java project to measure the throughput of an Internet connection.

Google Hacking — Blast From the Past
Use advanced Google search commands to find the needle in the Internet haystack.  Useful for finding anything of interest.

2013

Provided readers a teaser about the brand new JavaOne Security Track.
Highlights around security concerns from 2013 at these conferences.
Link to official Oracle post addressing Java security concerns at the time.
Interviewed by Roger Brinkley discussing the new Java Security Track at JavaOne.
Security is a big profession and there are many different domains of expertise covered in this post.
Amazing eye opening movie about Internet privacy.
Academic research around posts we type but instead decide not to share.

2014

Overview of various technical security features found in Java SE 8.  A video is available as well.
Security metrics of the day and my first stab at an infographic.
My first Raspberry Pi project.  Explains my experiences assembling the Raspberry Pi with a 2.8″ TFT touch screen.
SSL/TLS Introspection (project DeepViolet)
With SSL/TLS increasingly under fire from attackers, I decided to learn more about the low-level protocol negotiation.  Instead of opening an HttpURLConnection I built some code to negotiate the connection myself (with some help from others on the Internet).  Several articles as well as code on GitHub.
Coverage of security concerns at Black Hat and DEFCON 22.  Describes my experience with Software Defined Radio (SDR).  Ancillary coverage of the DEFCON 22 computerized badges and the pre-launch party for the security book Iron Clad Java.
Second Raspberry Pi project.  I use the SDR radio I purchased at DEFCON 22, my recently completed Raspberry Pi with 2.8″ TFT display, and the dump1090 software to make an ADS-B aircraft receiver.  I learn something about aircraft security – it stinks.
Links to security presentations from JavaOne 2014.
Ever heard of racing drones?  This isn’t your daddy’s DJI Phantom, forget that.  This is a 100 mph (158 km/h) drone you fly first-person style with VR goggles.  Forget your wallet as well.
I tried my luck at memes and developed an appsec-focused meme.  Challenging to distill a message into a meme, but a surprisingly effective way to communicate.

Honorable Mentions

All these are only honorable mentions since they are likely more relevant for me than for readers.  First is the blog post I decided not to write: I provided a public conference call around Java platform security that started a media firestorm (ComputerWorld, JavaWorld, The Register, SecurityWeek, and others).  Another runner-up is improved transparency around Java platform security by adding a Security Track to JavaOne (multiple posts, Conferences tag).  Last but not least, I was invited to speak at Black Hat 2013 USA, Oracle; On Java Security, to security leaders from around the world on Java security.  The entire session was provided under NDA.  I had to eat my PowerPoint presentation when I finished.  But all is not lost; I developed a follow-up post about attending the conference for readers, Black Hat 2013 USA and DEFCON 21 Trip Report.