Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ars Editor Learns Feds Have His Old IP Addresses, Full Credit Card Numbers

samzenpus posted about 3 months ago | from the no-stone-left-unturned dept.

United States 217

mpicpp writes with the ultimate results of Ars's senior business editor Cyrus Farivar's FOIA request. In May 2014, I reported on my efforts to learn what the feds know about me whenever I enter and exit the country. In particular, I wanted my Passenger Name Records (PNR), data created by airlines, hotels, and cruise ships whenever travel is booked. But instead of providing what I had requested, the United States Customs and Border Protection (CBP) turned over only basic information about my travel going back to 1994. So I appealed—and without explanation, the government recently turned over the actual PNRs I had requested the first time.

The 76 new pages of data, covering 2005 through 2013, show that CBP retains massive amounts of data on us when we travel internationally. My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.

Sorry! There are no comments related to the filter you selected.

nigger lips (-1)

Anonymous Coward | about 3 months ago | (#47496393)

monkey nigger lips

Big Brother (4, Insightful)

fizzer06 (1500649) | about 3 months ago | (#47496399)

He is a nosy bastard.

Re:Big Brother (5, Funny)

Anonymous Coward | about 3 months ago | (#47496477)

My Big Brother is also my Uncle Sam. Does that make me inbred?

Re:Big Brother (-1)

Anonymous Coward | about 3 months ago | (#47496559)

it makes you a nigger, but the laziness and watermelon eating did that anyway

Re:Big Brother (0)

Anonymous Coward | about 3 months ago | (#47496999)

You aren't related to Ma Bell are you?

this is news? (1)

turkeydance (1266624) | about 3 months ago | (#47496413)

is there a surprise "twist" ending?

Re:this is news? (5, Insightful)

Concerned Onlooker (473481) | about 3 months ago | (#47497727)

The surprise twist ending is when we end up with an authoritarian regime because too many people just sighed and said, "this is news?" any time something that should outrage us happened.

Re:this is news? (0)

Anonymous Coward | about 3 months ago | (#47497859)

You're welcomer.

This is news? (0)

Anonymous Coward | about 3 months ago | (#47496419)

This is just basic customer information.
Why wouldn't they have this info? Storing it takes up a couple hundred bytes per passenger.

Re:This is news? (2, Insightful)

Anonymous Coward | about 3 months ago | (#47496435)

full Credit card numbers is not just basic Info, imagine a data breach.

Re:This is news? (3, Interesting)

Anonymous Coward | about 3 months ago | (#47496619)

How do you think all those companies let you pay without re-entering payment info?
They store your credit card number.
Sure it sucks if they get hacked or whatever, but that's the way it is.
They whole idea that you can use someones credit card just by knowing some numbers is stupid anyway.

Re:This is news? (2)

Luckyo (1726890) | about 3 months ago | (#47496705)

Untick "keep my credit card information for future payments". In vast majority of the cases, that means company doesn't keep your info after payment has been received.

Re:This is news? (2)

camg188 (932324) | about 3 months ago | (#47497127)

"reuse your stored credit card information for future payments"
is what they really mean.

Re:This is news? (5, Insightful)

flyneye (84093) | about 3 months ago | (#47497761)

Anyone who believes that, go stand on your head in the corner and be counted.

Re:This is news? (1, Interesting)

flyneye (84093) | about 3 months ago | (#47497757)

All this info, just lying around, in case they need it. They wanna see what kind of home improvement crap I bought, what brand of tortilla chips I eat, where I gas up at, when I occasionally call on the phone, perhaps they'd like a scratch n sniff X-ray of my colon before I had a polyp removed. Maybe they'd like to hear the last obnoxious joke I told with the punchline of Hillary carrying Obamas two headed love child to term before marinating it in jalepeno barbeque sauce.

I'm pretty boring, and I hate and distrust the charlatans misusing the government, like any other human on the planet. But it's nice to see that one day they will have spent everything I ever paid in taxes on hardware to store my unused trivia.
LOL, yeah Omama is gonna PROTECT us from terrorists and is busily doing everything he can think of with that baseball sized head of his. Him n his Repubmocrat buddies gonna start a PROGRAM to look into what could help and appoint a commitee to get a feel for what the Corporations would agree to and talk about a solution and it's effect on the economy, while appeasing the voters.
(Ever listen to the words of DEVOs "Mongoloid"? Kinda applies to the whole shithouse load of them, doesn't it?)

Re:This is news? (5, Insightful)

NicBenjamin (2124018) | about 3 months ago | (#47496611)

Because most of the time the airline blacks out most of the Credit Card before sending it to the Feds. In theory the Fed're only supposed to have the last four digits, because that should be enough (when combined with name and expiration date) to identify the card.

This is actually a pretty typical story on this issue. The Feds collect data that can be very useful in searching for terrorists, but they don't actually look at it much. They do a computer search, and most of it will never come up. So the airline sent them more then it should, and maybe somebody noticed, but nobody cared. So it got sent to his file folders (both electronic and physical). Then he FOIA'd the info, and since nobody FOIA's the info they had no procedure to respond to the FOIA, so he got it in a ridicuklous way (two batches, the first batch of which he had not asked for, and the second batch seems to have been totally unexpected).

If you think privacy rights are incredibly important, and are sincerely worried that Obama isn't enforcing them better, it's terrifying that a federal Agent could have stolen his CC info. And it's even more terrifying that there's no bureaucrat in charge of purging irrelevant info (like his CC number).

If you're me, and you take a more philosophical view of the whole issue, you note that a bureaucrat in charge of looking at his info would have looked at his info. Said info was highly unlikely to leak from the TSA to anyone else unless a) they had probable cause due to some investigation, or b) some enterprising agent decided to go over his file and verify it. Federal agencies just don't share information with each-other the way privacy purists imagine in their nightmares, rather they horde it and then exaggerate the info-horde's usefulness in powerpoints demanding an increased budget.

Re:This is news? (4, Insightful)

mattwarden (699984) | about 3 months ago | (#47496747)

So, do you believe abuses like those described here do not happen as a regular course of business: "NSA Employees Routinely Pass Around Nude Photos Obtained Via Mass Surveillance" http://www.zerohedge.com/news/... [zerohedge.com]

I find that naive. Now, do I care? Not really. But I understand why some people might, and I don't consider that privacy purity.

Re:This is news? (1)

NicBenjamin (2124018) | about 3 months ago | (#47496867)

Talk about a non sequitir.

Let's say I admitted that Snowden was right about the NSA and naked pictures, why would that imply anything about a completely different agency and text files? I can see how a bored NSA agent might get a kick out of a nudey that looked kinda like Natalie Portman (or even a nudie of Natalie Portman) and show it to other bored NSA Agents, but this is a text file. It's a very boring text file. It says some guy took a flight. He spoke English. It mentioned his preferred meal.

And we can actually be quite sure it was not widely shared at the TSA, because if it had been some asshole would have stolen his Credit Card number.

Re:This is news? (1)

mattwarden (699984) | about 3 months ago | (#47497019)

Yes, non sequitur indeed. I'm sure government abuses of power are limited to the NSA.

Re:This is news? (1)

NicBenjamin (2124018) | about 3 months ago | (#47497235)

So your argument is that if government agents abuse power one way it is clear, beyond all doubt, with no actual investigation necessary, they abuse power all other ways?

That is the definition of a non sequitir.

Re:This is news? (2)

mattwarden (699984) | about 3 months ago | (#47497673)

Governments abuse their power. I did not come to this conclusion from this incident. This incident is yet another example of innumerable examples in history. You think this new scenario is an exception based on... I don't know what.

Re:This is news? (1)

NicBenjamin (2124018) | about 3 months ago | (#47498045)

Government abuse their power, therefore every government agency you can possibly imagine abusing it;'s power in any way will eventually abuse it's power in exactly that way?

That's not logic. It's projection.

Re:This is news? (5, Insightful)

Antique Geekmeister (740220) | about 3 months ago | (#47497105)

> And we can actually be quite sure it was not widely shared at the TSA, because if it had been some asshole would have stolen his Credit Card number.

Except that they're available, in bulk, to whoever administers that database. And a theft or loss of a backup of that database is hideously unlikely to ever be reported, for "national security reasons" but also to reduce bureaucratic business. And given the history of federal agency personal and political fraud against private citizens, especially politically active citizens, it verifies that they have far too much data, far too easily accessed, available at whim for whatever purpose is desired.

Just because "it's boring text" does not mean it's not incredibly useful for political espionage or frame-ups. Please, do not try to claim that it "wouldn't happen here" The abuse of confidential federal information to harass political opponents certainly _has_ happened here, in the McCarthy hunt for Communits, with the Committee to Re-Elect the President in Nixon's presidential reign whose failures cost Richard Nixon his presidency, and with the Valerie Plame affair during George W. Bush's presidency.

The collection and aggregation of "uninteresting" private information or "metadata" represent risks to political careers and private liberty that will not cease simply because "who would care" or "it's dull". It's hardly dull to be able to use someone's personal information and credit card data to track the nature, times, and location of _every purchase_, and have warrant free monitoring of travels and personal business. And there is, effectively, no oversight of such access because it's the NSA: they operate under a tremendous shroud of national security that prevents rational oversight of such sensitive information.

Re:This is news? (5, Insightful)

NicBenjamin (2124018) | about 3 months ago | (#47497525)

You realize Hoover never had access to any non-FBI database? Neither did HUAC at al. And there are plenty of Federal databases besides the FBI. In another thread I mentioned three that are actually a lot more dangerous, and a lot older, then anything we're talking about: the Census, Social Security, and the IRS. Neither the CREEPs nor the Plame Scandal involved the use of a Federal database. Plame was not even a database at all. Rove was talking to a random guy about her husband, and he mentioned the CIA connection. The CREEP did not abuse any Federal databases, it tried to steal information that could not be added to those databases (like reports from the shrink of a guy who pissed Nixon off).

I'll note here you haven't managed to quote the only actual example of a Federal database being used against US Citizens (Japanese internment).

So while I will agree, that in theory this database could be used by a future Hoover, I will also point out that it is quite useful in numerous actual law enforcement situations. Terrorism actually exists, even tho we like to pretend it no longer counts just because almost all the victims are black Africans. I disagree with much of the war on drugs, but the drug runners are not nice people. Both groups use the US Air network, and if there's any pattern to their usage we can't find that out unless it's recorded somewhere. Given that the US Government is pretty consistent in it's evils (they tend to involve totally ignoring the Constitution to get new data, and/or abuse minorities; using data from existing data sources just isn't the MO), the long-term risk of them abusing old data is quite low. Call it 5%.

So we have a database, that will be useful in numerous perfectly legitimate law enforcement operations, and a small risk of it leading to bad things. You're free to conclude any risk is too much, but I think that risk is fine.

Re:This is news? (1)

Anonymous Coward | about 3 months ago | (#47497753)

You realize Hoover never had access to any non-FBI database? Neither did HUAC at al. And there are plenty of Federal databases besides the FBI. In another thread I mentioned three that are actually a lot more dangerous,

You''ll forgive me if I find the argument that there are other more serious risks within the federal government to be not particularly reassuring.

I disagree with much of the war on drugs, but the drug runners are not nice people. Both groups use the US Air network,

Your explicit expansion of the war-on-terrorism to the war-on-drugs is disheartening.

Re:This is news? (1)

linearz69 (3473163) | about 3 months ago | (#47496659)

Why wouldn't they have this info?

Why should they?

The retaining of 8 years worth of data is the biggest problem here. What is the value of 8 year old Credit Card numbers? You'd figure after 8 years they'd know who tried to light that shoe on fire....

So yes, it's News.... unless you work for an intelligence contractor or agency and knew about this already.

Re:This is news? (1)

beelsebob (529313) | about 3 months ago | (#47496673)

No one should ever be keeping your credit card number without your explicit permission.

Data sent to airlines (5, Interesting)

bunyip (17018) | about 3 months ago | (#47496431)

The Travelocity guy avoided telling the whole story. They do provide relevant information, but if the government has the PNR with all the remarks in it, then it likely came from Travelocity or Sabre.

Travel agencies and 3rd-party web sites, such as Travelocity. put all this encoded stuff into the remarks section of the PNR, it's all that "H-" stuff. When the PNR is sent to the airline, NONE of the remarks are transmitted. The airline doesn't receive your IP address, for example. Seat numbers, phone and contact information are transmitted in Special Service Request (SSR) and/or Other Service Information (OSI) fields. One major exception is that Travelocity and AA share the same PNR when booking AA.

Now, the airlines have to send a whole bunch of data about you to the TSA to get clearance for you to board. Look up Secure Flight / APIS / AQQ and you can learn a little bit about it.

A.

Re:Data sent to airlines (1)

Anonymous Coward | about 3 months ago | (#47497769)

> then it likely came from Travelocity or Sabre.

!bing!

I think it is entirely reasonable to believe that the TSA (and other agencies) get a complete dump of everything that goes into Sabre. It is too tempting of a data chokepoint for the government not to have appropriated a direct line into it. They probably get a real-time feed out of it.

yawn (0)

Anonymous Coward | about 3 months ago | (#47496439)

The new shell company for just this problem was already in the works, and the spam data has already been transferred.

They never made their money providing service, they made their money effectively blackmailing people to get their "domain squatted" domains back. Half a dozen companies like this tried to hire me in the middle of the dotcom boom, and they're not changed a bit except that now they have to change company names faster.

The Stasi & Stripes (5, Insightful)

Blue Stone (582566) | about 3 months ago | (#47496467)

The government has files on everyone (or nearly everyone); people never suspected of, or implicated in, any crime.

How is this different from what the Stasi did?

Re:The Stasi & Stripes (5, Informative)

Anonymous Coward | about 3 months ago | (#47496501)

"The Lives of Others (German: Das Leben der Anderen) is a 2006 German drama film, marking the feature film debut of filmmaker Florian Henckel von Donnersmarck, about the monitoring of East Berlin by agents of the Stasi, the GDR's secret police. It stars Ulrich Mühe as Stasi Captain Gerd Wiesler, Ulrich Tukur as his superior Anton Grubitz, Sebastian Koch as the playwright Georg Dreyman, and Martina Gedeck as Dreyman's lover, a prominent actress named Christa-Maria Sieland."

http://en.wikipedia.org/wiki/The_Lives_of_Others

Re:The Stasi & Stripes (0)

Anonymous Coward | about 3 months ago | (#47496553)

These artists make sex like dandies if you need bugs everywhere to know they are banging.

Re:The Stasi & Stripes (0)

Anonymous Coward | about 3 months ago | (#47497025)

Yes, I also recommended this film.

Re:The Stasi & Stripes (1)

Anonymous Coward | about 3 months ago | (#47496507)

The stasi was german (=> nazi) and socialist, therefore evil. The government is protecting us from terrorists, therefore a hero. But to make sure everyone shares the right opinion about these matters lets trace those who oppose tracing. They can have only one reason: hiding even more crimes. crimes can be done by even the most infant looking people. lets make sure we also trace the babies. It is already great that parents film their babies pee into their pants -> this can give lots of information about their later personal aspects, which is most important for investigation in the case they try to steal something from the kiosk when they are grown, which should be penalized by death by injection of previously untested overdoses, only escape is convertion into a mule and blaming the neighbours of most horrific crimes.

And never forget: stasi didn't cooperate with US agencies, which makes it suspective of hiding crimes also.

Re:The Stasi & Stripes (0)

Anonymous Coward | about 3 months ago | (#47496627)

the way i seem to understand it, the nazi's viewed the jewish people as an existential terrorist threat.

i really don't see your point.

a list is a list is a list
esp. when you're keeping tabs on others.

my neighbor is a terrorist, he lights firecrackers without my permission. i keep tabs on him out my window.
the guy behind me? he's a terrorist too, he **says** he works midnights but ... i don't know about that.

Re: The Stasi & Stripes (0)

Anonymous Coward | about 3 months ago | (#47497843)

It was a BofA credit card in the first place. Those guys are f-ing NAZIs. If you're nieve enough to trust them with your information in the first place who cares if the government has it. I doubt for the average person the FBI is going to be able screw them much harder then BofA ever will.

Re:The Stasi & Stripes (2, Insightful)

Anonymous Coward | about 3 months ago | (#47496551)

Because 'Murica has better propaganda and dumber citizens.

Re:The Stasi & Stripes (0)

Anonymous Coward | about 3 months ago | (#47496609)

Thing is, people thing this is a new thing.

There has been recordkeeping going back thousands of years, with varying degrees of accuracy.
The digital world just makes it easier to record things so some dude can throw your information through some algorithm and see if it flags you as a possible threat. And this, despite the fact that the algorithms themselves are horribly inaccurate at the best of times since they heavily depend on exposure to actual events being correlated to records, which isn't exactly easy to do. (not to mention that it still isn't even that accurate with said information because it still depends on the human mind, which there is no average for, no matter what shitty psychologist, psychiatrist, neurologist or others states.)

God forbid the days when a supposed AI is used to correlate data and make decisions.
Woops, already beaten.

Re:The Stasi & Stripes (1)

danomatika (1977210) | about 3 months ago | (#47496621)

How is this different from what the Stasi did?

It's *alot* easier now?

Re:The Stasi & Stripes (5, Insightful)

Anonymous Coward | about 3 months ago | (#47496631)

How is this different from what the Stasi did?

They were at least honest about the fact that they were doing it. Also, I don't think it was unconstitutional in Germany, so it wasn't the government acting rogue like we have now.

Re:The Stasi & Stripes (2, Informative)

Anonymous Coward | about 3 months ago | (#47496911)

In fact east germany had a democratic constitution, most likely due to pressure from the americans directly after the war, so that the soviets don't errect a communist dictature (same in all eastern european countries). The americans failed, but the constitution was democratic. The only truly democratic votes were at the end of the DDR. The voted parliament then declared to join west germany.
Second thing to know: west germany still had claims on east germany, thinking it was one country. This was also the reason why people who fled over the wall quickly got west german papers. If you argument this way, stasi was unconstitutional, even if you say that the right for privacy was created by the bundesverfassungsgericht much later. This however didn't change the fact that the stasi officers still had their ranks and even got their pension. There weren't nürnberg processes after the reunification.

Re:The Stasi & Stripes (2)

linearz69 (3473163) | about 3 months ago | (#47496665)

How is this different from what the Stasi did?

The Stasi needed "electricians" to install bugs. We now buy the bugs and install them ourselves.

Re:The Stasi & Stripes (1, Insightful)

NicBenjamin (2124018) | about 3 months ago | (#47496775)

Uhh...

What country doesn't have a file on all it's residents? Seriously.

Just think about all the files the US Government has had since the late 18th century. the Census had very good clues to everyone's religion, generally actually had a line for ethnicity, etc. During the first Libertarian-=Conservative period of dominance in the Judiciary the IRS had a database on exactly how much everyone made. A few years later the New Deal added a database on how much everyone makes that's updated every time you get a check. All three of these have more information, and more personal information then the TSA database. Both the IRS and the Social Security database could be used to steal a lot more from you then a single Credit Card.

Re:The Stasi & Stripes (0)

Anonymous Coward | about 3 months ago | (#47497241)

Protip: Recognizing the machinery that ensures history will repeat is not insightful. The point is not that all the countries are doing this. It's that it costs us a lot in terms of money and privacy and security to do so, and ensures the countries demise. Snowden showed that a measly government contractor can get access to more data than anyone is comfortable with, and if he can get it then all our "enemies" spies can too. Thus collection of such data is treasonous, by definition.

protip: "Everyone else was doing it, so I thought I'd do it too," or "I was just following orders," doesn't excuse the crime, especially not war crimes against humanity.

Re:The Stasi & Stripes (1)

NicBenjamin (2124018) | about 3 months ago | (#47497535)

Protip: If every country, including Germany, has files on its individual citizens, then arguing "files on your individual citizens is just like the Stasi" is ridiculous. It's literally like saying "The Stasi paid their agents, all US Government employees must be uncompensated!"

Seriously. How the fuck would Germany enforce it's income tax if it didn't have a file on every German who has income?

If you were talking about the actual contents of the database you might have an argument particularly if you focused on the NSA databases which are fucking scary, but this "They have a database with lots of people in it, therefore they are going to MURDER ALL!!" argument is just fucking stupid. If it had any relation to reality the entire fucking world would hacve been murdered back in the 17th century when European monarchs figured out that they could enforce there will via pen and paper databases. The Chinese would have been gone long before then.

Re:The Stasi & Stripes (1)

fustakrakich (1673220) | about 3 months ago | (#47497409)

How is this different from what the Stasi did?

Our government acts with the full consent of the governed.

Re:The Stasi & Stripes (0)

krups gusto (2203848) | about 3 months ago | (#47498037)

That was different.  Remember the Stasi were the bad guys. 

Re:The Stasi & Stripes (2)

Sir Holo (531007) | about 3 months ago | (#47498043)

How is this different from what the Stasi did?

It's not.

There is a quote from a former Stasi guy (East-German secret police) regarding the Snowden leaks of NSA capabilities: "We could only have dreamed of having such powers."

Required quote from Casablanca (5, Interesting)

sandbagger (654585) | about 3 months ago | (#47496469)

Major Strasser: We have a complete dossier on you: Richard Blaine, American, age 37. Cannot return to his country. The reason is a little vague. We also know what you did in Paris, Mr. Blaine, and also we know why you left Paris.
[hands the dossier to Rick]
Major Strasser: Don't worry, we are not going to broadcast it.
Rick: [reading] Are my eyes really brown?

PCI Compliance? (0)

Anonymous Coward | about 3 months ago | (#47496475)

... the feds store personal financial data at rest unencrypted ? That's nice to know.

Re:PCI Compliance? (0)

Anonymous Coward | about 3 months ago | (#47496657)

Feds don't have to worry about PCI compliance because they don't conduct credit card transactions. Even if they were compromised and all of the CC data was stolen can you imagine Chase actually suing them for damages?

North Korea and USA - freedom haters. (1)

abrahamOH (3712519) | about 3 months ago | (#47496479)

When two totalitarian countries spy on its citizens data collection should not surprise anyone.
Remember in Asia it it North Korea. In North America it is USA.
Two regimes that hate any signs of freedom.

Re:North Korea and USA - freedom haters. (2)

Mister Liberty (769145) | about 3 months ago | (#47496595)

Not correct.
You can have a certain --even high-- degree of freedom, and still be under more or less total control.
The latter is the program that has been initiated quite some time ago.
Those in power, a minuscule pertentage of the population, need to consolidate that power. How you
do that? By gaining total control over the masses
It's so simple it could've been a conspiracy -- if it weren't for the sheer number oif stories like these
popping up every day, and then some.
Get organized!

Re:North Korea and USA - freedom haters. (0)

Anonymous Coward | about 3 months ago | (#47496645)

> Two regimes that hate any signs of freedom.

To be fair, there's no evidence that data collection is somehow a sign against freedom (which is how you have framed it). It is historically accurate that totalitarian regimes keep a lot of data on its citizens...but how much does the chinese/nk govt have on random farmer? Probably not very much. The data collection aspect is as likely a sign of totalitarianism as technological efficiency. So I'm sure your viewpoint sounds like you would wear a sandwich board on the highway if you believed the tinfoil hat worked.

I'm Shocked!!! (0)

Anonymous Coward | about 3 months ago | (#47496505)

Ok, not really. Though I would be shocked if I found out that anyone else was shocked by this.

Re:I'm Shocked!!! (1)

TWX (665546) | about 3 months ago | (#47496613)

Yeah, I remember a movement several years ago to try to swamp them with too much information. The problem with this approach is that it doesn't account for ever-increasing storage density combined with a need to replace end-of-life equipment periodically, essentially guaranteeing that they'll never run out of space.

Re:I'm Shocked!!! (0)

Anonymous Coward | about 3 months ago | (#47496937)

plus;
They can statistically analyze the data, and differentiate the chaff from the signal.

This isn't news (4, Insightful)

GrandCow (229565) | about 3 months ago | (#47496513)

Really, is there anyone out there (reading this site) that doesn't know that you have no privacy anywhere anymore?

The actual question is: what are you going to do about it?

Re:This isn't news (0)

Anonymous Coward | about 3 months ago | (#47497611)

not care, learn their cutesy wootsy bullshit (put fed keyloggers on cnc and watch hilarity ensue) , and slap their ass with the fucking bill until im physcially restrained.

Re:This isn't news (0)

Anonymous Coward | about 3 months ago | (#47498017)

The shocking part is that it is continuing because Obama can't stop it. When the Bush crime family ruled, they wrote their edicts in such a way that subsequent Presidents cannot overturn them. That is the problem. Obama has fought hard for years to change things, but he legally can't with the Republican ScROTUS overruling every decision he has tried to make. It is Bush's fault things are like this, and it is his fault nothing can change.

So Feds in the 2000s have the same data... (2)

retroworks (652802) | about 3 months ago | (#47496519)

... as credit card companies have been keeping on us since the 1980s?

PCI-DSS (5, Insightful)

Alioth (221270) | about 3 months ago | (#47496521)

As an organisation accredited to be following PCI-DSS, we would be crucified if the PCI auditor found us holding the PAN (the long number on the front of your credit card, PAN = primary account number) in plain text. Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

Re:PCI-DSS (0)

Anonymous Coward | about 3 months ago | (#47496663)

I'd hardly call the Feds "anyone else".
Clearly they operate under a different set of rules and couldn't care less about credit card issuers' desires.

Re:PCI-DSS (1)

WaffleMonster (969671) | about 3 months ago | (#47497375)

Surely the airlines/booking agents should not be passing the PAN to anyone else if they are following PCI-DSS (which is mandatory if you want to accept card payments)?

What part of "any tangible thing" and third party doctrine does one suppose is non-applicable to card numbers?

Government is not bound by rules of the road created by industry.

Does the country you're a national of.... (4, Insightful)

Mister Liberty (769145) | about 3 months ago | (#47496529)

have a constitution that has some reknown, and maybe organized defenders of same?
If so, get in touch with them, organize, get active.

In Soviet USA (1)

Anonymous Coward | about 3 months ago | (#47496563)

not spying on its citizens is a crime.

Not effective (5, Insightful)

HangingChad (677530) | about 3 months ago | (#47496617)

This kind of mass data collection on everyone is a huge waste of resources. The more people you add to a database, the less relevant it becomes for anything. People who know trade craft, know how to cover their tracks and pollute big data. So this is basically a giant database of amateurs, stupid crooks and ordinary civilians.

Another problem with big data are the large numbers of errors. I've run big databases where users were motivated to provide good data and there were still gaps in the data, misspelled names, numbers transposed, and some entries locked out because they were trying to enter duplicate primary keys. Travel data is coming in fast, I can't imagine what the exception reports look like every day.

Re:Not effective (4, Insightful)

linearz69 (3473163) | about 3 months ago | (#47496715)

Writing this off as not effective misses the point. Most reasonable people - certainly most reasonable technical people - know this is ineffective. But this isn't about finding terrorists.....

If a defense contractor can convince bureaucrats and politicians that an ineffective big system can effectively ID potential terrorist, then we are left with either a false sense of security and/or a lot of innocent people being treated like potential terrorists. It makes for good security theater at the expense of civil liberties.

Re:Not effective (1)

Anonymous Coward | about 3 months ago | (#47496957)

... If a defense contractor ...

And of course a good deal for the defense contractor. And happy share holders, too.

Re:Not effective (1)

Antique Geekmeister (740220) | about 3 months ago | (#47497159)

> This kind of mass data collection on everyone is a huge waste of resources.

Compared to the cost of intelligently filtering it down to unpredictably "relevant" information, and only storing that? Picking out only the "relevant" or even "legal to hold" information would be, in espionage terms, a complete waste of time, prone to error and reducing the effectiveness of exactly the sort of personal, detailed information which this helps gather.

I sincerely doubt that the NSA cares about the fine grained accuracy of such bulk data. That's what analysis is for, not filtering. And by collecting bulk information on US citizens, they've gathered an enormous currency in private data that can be provided to the US government without a warrant, or that can be traded with foreign intelligence to gather the information they _are_ chartered to obtain.

Re:Not effective (1)

Anonymous Coward | about 3 months ago | (#47497233)

It's a waste of resources until the grand change over from oligarchy to full blown fascism then some parsing will take place, algorithms will be written and many many many people will disappear overnight.
Far-fetched? Maybe, but we thought the NSA having all internet traffic, including SSL, from every country in the world was far-fetched. It's only a matter of time.

Re:Not effective (0)

Anonymous Coward | about 3 months ago | (#47497805)

> So this is basically a giant database of amateurs, stupid crooks and ordinary civilians.

That is why cops like to say criminals are stupid.
They only catch the stupid ones, in reality the smart ones never even show up on their radar.

Re: Not effective (0)

Anonymous Coward | about 3 months ago | (#47497831)

Surrogate keys ftw

This just in: PNRs include notes (1)

Shag (3737) | about 3 months ago | (#47496633)

I know, Occam's Razor would explain this by simply having all airline employees be psychic, but in fact, when you call and talk to someone, they note what you talked about, then when you call and talk to an entirely different person who magically knows what you talked about before, they're just reading that note. OMG!

Re:This just in: PNRs include notes (1)

russotto (537200) | about 3 months ago | (#47497789)

I know, Occam's Razor would explain this by simply having all airline employees be psychic, but in fact, when you call and talk to someone, they note what you talked about, then when you call and talk to an entirely different person who magically knows what you talked about before, they're just reading that note. OMG!

I've never actually had this experience when dealing with an airline; I typically have to explain the situation to each employee, often more than once.

if you've voted R or D... (1)

Anonymous Coward | about 3 months ago | (#47496635)

If you've voted for a republic or democrat in the last 20 or 30 years, then congratulations.

This is your fault.

Re:if you've voted R or D... (2, Insightful)

SuiteSisterMary (123932) | about 3 months ago | (#47496899)

Nonsense. For example, if you voted for Ross Perot, you're directly responsible for the Republicans losing the White House. If you voted for Nader, you're directly responsible for the Democrats losing the White House.

Either go back to your government as intended; that is to say, without political parties, or accept the fact that there are, in fact, political parties, and change your government setup to work with that.

Re:if you've voted R or D... (1)

Anonymous Coward | about 3 months ago | (#47497657)

No, your post is nonsense. A vote signifies endorsement of a specific candidate and consent to be governed by their policies. If you voted for Perot or Nader, you voted because that is the government you wanted. If that candidate didn't win, it's hardly your fault.

Re:if you've voted R or D... (1)

bill_mcgonigle (4333) | about 3 months ago | (#47497865)

Nonsense. For example, if you voted for Ross Perot, you're directly responsible for the Republicans losing the White House.

That's silly - exit polls showed more Perot voters would have otherwise voted for Clinton than for Bush.

Either go back to your government as intended; that is to say, without political parties, or accept the fact that there are, in fact, political parties, and change your government setup to work with that.

That right there, though, is some good stuff.

Re:if you've voted R or D... (4, Insightful)

jeIIomizer (3670945) | about 3 months ago | (#47497983)

The only wasted vote is a vote for provably evil scumbags. To say that someone else might win because I cast my vote for someone who isn't an evil scumbag is extremely short-sighted; nothing is ever going to change if people do not take a stand. And win or not, people voting for third parties sends a message to The One Party.

A whole lot of whine (1)

dave562 (969951) | about 3 months ago | (#47496647)

I read the article and while one might question why data is being stored that is almost a decade old, the data itself is not that big of a deal. Basically the airlines store all the information about how he bought the ticket and what his preferences were (seat assignments, meal choices, etc.) The call center agents kept notes on why he called.

All of the information is benign. They kept his credit card information in plain text which is lame, but I have yet to see a story about a CBP breach that led to a bunch of fraud. It could happen, and they should probably encrypt the data in the future, but it is not a massive, conspiracy re-enforcing revelation.

The only disconcerting thing is the length of the data retention. Once it is obvious that the plane did not go down and nobody flying was involved in any subsequent terrorist activities, the data should be purged.

Gestapo like? I am afraid to admit...[Yes] (1)

bogaboga (793279) | about 3 months ago | (#47496671)

My own PNRs include not just every mailing address, e-mail, and phone number I've ever used; some of them also contain: The IP address that I used to buy the ticket, my credit card number (in full), the language I used, and notes on my phone calls to airlines, even for something as minor as a seat change.

Someone tell me there's a difference on this issue...Just this issue please.

Re:Gestapo like? I am afraid to admit...[Yes] (0)

Anonymous Coward | about 3 months ago | (#47496713)

Gestapo was more direct. They didn't just interrogate, they also beated people up if they had the mood, and tortured at will. You should compare it to the stasi instead. From the late 1970s on they used almost no direct violence, no bruises you could show to others when you came out.

Re:Gestapo like? I am afraid to admit...[Yes] (2)

AHuxley (892839) | about 3 months ago | (#47496989)

The files and paper work to sort on a massive scale. Per city in German–occupied Europe the Gestapo staff count was not big considering the tasks.
Most work was done with informants and tips, letters. A vast network of local people wanting to settle grudges and grievance via denunciation.
A vast happy to help collaborative staff in different nations also worked very hard to clear out their cities..
Very few nations bothered to look into the huge numbers of collaborative staff after ww2. Most just returned to gov work with a few cover stories.
After the war some just reinvented their pasts and went back to basic police work and retirement.
ie its not so much the politics - its the badge, uniform, suit, car, the power and prestige. Reinventing a workplace change from post ww1 Germany, into ww2 Germany and then helping in the four occupation zones after ww2.
The difference is now the computers really work good. The difference is now the global telco sector really helps so much more. Todays staff work hard at sites to create double agents. Terms like ghost detainees, black sites and the roles of medical doctors listed as 'medical technicians' also point to complex tasks.
So with the data seen by the press, what was sorted on cards via complex rented sorting equipment during ww2 is now pre sorted as entered.

Murrica! (0)

Anonymous Coward | about 3 months ago | (#47496759)

Murrica!

Re:Murrica! (2)

buckfeta2014 (3700011) | about 3 months ago | (#47497531)

FUCK YEAH!

Wait, no... Fuck you!

Folded, spindled, and mutilated. (1)

bmo (77928) | about 3 months ago | (#47496961)

"The population census has got him down as "dormanted". The Central Collective Storehouse computer has got him down as "deleted". [â¦] Information Retrieval has got him down as "inoperative". And thereâ(TM)s another one - security has got him down as "excised". Administration has got him down as "completed". ⦠Heâ(TM)s dead."

Brazil (1985)

IP's with out ISP logs are useless and even if the (1, Insightful)

Joe_Dragon (2206452) | about 3 months ago | (#47497029)

IP's with out ISP logs are useless and even if they have them ones from public networks are dead ends unless they have full logs as well.

Re:IP's with out ISP logs are useless and even if (1)

WaffleMonster (969671) | about 3 months ago | (#47497477)

IP's with out ISP logs are useless and even if they have them ones from public networks are dead ends unless they have full logs as well.

Perhaps some 20 years ago when millions browsed the web from AOL behind a complex series of proxy server.

Today everyone has always on broadband at home with long lived IP addresses. Knowing the user or household associated with an IP with some degree of accuracy seems to me to be anything but useless.

Re:IP's with out ISP logs are useless and even if (1)

the eric conspiracy (20178) | about 3 months ago | (#47498067)

If you are paranoid change the router MAC address on a regular basis.

Re:IP's with out ISP logs are useless and even if (1)

z0idberg (888892) | about 3 months ago | (#47497581)

Not useless.

Can you not cross-reference the IP address of known transactions (booking a flight with credit card/personal info), with unknown transactions (emails intended to be sent anonymously, visits to "offensive/dangerous/terrorist" sites etc) to determine who is doing what?

Yes, there are ways around masking your IP source and identity if you go to the trouble, but that doesn't mean everyone takes those measures.

Just another reason not to fly..... (2)

the_rajah (749499) | about 3 months ago | (#47497261)

My wife and I last flew commercial on 9-10-2001 out of LGA, the day before 9-11. My wife and I decided, the next day that, short of an emergency situation, we were done flying commercial. If we couldn't drive to get there, we didn't need to go. It's not because we were afraid of terrorists, but we saw what a hassle and invasion of privacy it would became.

Re:Just another reason not to fly..... (1)

Anonymous Coward | about 3 months ago | (#47497301)

I think it might be hard for me to drive across the Atlantic Ocean on business.

Re:Just another reason not to fly..... (3, Informative)

Nkwe (604125) | about 3 months ago | (#47497353)

My wife and I last flew commercial on 9-10-2001 out of LGA, the day before 9-11. My wife and I decided, the next day that, short of an emergency situation, we were done flying commercial. If we couldn't drive to get there, we didn't need to go. It's not because we were afraid of terrorists, but we saw what a hassle and invasion of privacy it would became.

I hope that when you are driving, you don't use any toll roads and that when you buy gas or anything else, you use cash that you obtained from an ATM when you were at home. Best also not to drive through any intersections with red light cameras. You also might need to put optical filters on your license plates if you don't want to be tracked. There are lots of cameras out there.

Re:Just another reason not to fly..... (2)

Bing Tsher E (943915) | about 3 months ago | (#47497803)

They said 'hassle' not just 'invasion of privacy.' None of the things you listed amount to a hassle similar to that which regular people now face when they try to enter an airport terminal.

But that stuff you rambled on about certainly sounds like a hassle. Is that how you live your life? Really?

Re:Just another reason not to fly..... (1)

jeIIomizer (3670945) | about 3 months ago | (#47497995)

But that stuff you rambled on about certainly sounds like a hassle. Is that how you live your life? Really?

I consider avoiding being tracked by government thugs to the best of my ability to be very important.

meh (0)

Anonymous Coward | about 3 months ago | (#47497601)

As long as you dont get their river trip special your ok.

They swarm through the air via SDR/RF (-1)

Anonymous Coward | about 3 months ago | (#47497685)

Microsoft Kinect Spy System

THIS ARTICLE IS BEING SCRUBBED FROM THE NET. THE SITE IT WAS ORIGINALLY POSTED TO YANKED THE PLUG ON THEIR WHOLE SITE!!! COPY/PASTE THIS ARTICLE AS MUCH AS POSSIBLE TO DISCUSSION FORUMS, BLOGS, FACEBOOK, TWITTER, AND ARCHIVE AND MIRROR THIS DOCUMENT SO IT DOES NOT VANISH FOREVER!

"So you just got the Kinect/Xbox360 gaming system and you're having fun, hanging out in your underwear, plopped down in your favorite lounge chair, and playing games with your buddies. Yeah, it's great to have a microphone and camera in your game system so you can "Kinect" to your pals while you play, but did you read that Terms of Service Agreement that came with your Kinect thingy? No? Here, let me point out an important part of that service agreement.

        If you accept the agreement, you "expressly authorize and consent to us accessing or disclosing information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft, our partners, or our customers, including the enforcement of our agreements or policies governing your use of the Service; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public."

Did you catch that? Here, let me print the important part in really big letters.

"If you accept the agreement, you expressly authorize and consent to us accessing or disclosing information about you, including the content of your communications⦠on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public."

OK, is that clear enough for ya? When you use the Kinect system, you agree to allow Microsoft (and any branch of law enforcement or government they care to share information with) to use your Kinect system to spy on you. Maybe run that facial recognition software to check you out, listen to your conversations, and keep track of who you are communicating with.

I know this is probably old news to some, but I thought I would mention it because it pertains to almost all of these home game systems that are interactive. You have to remember, the camera and microphone contained in your game system have the ability to be hacked by anyone the game company gives that ability to, and that includes government snoops and law enforcement agents.

Hey, it's MICROSOFT. What did you expect?

And the same concerns apply to all interactive game systems. Just something to think about if you're having a "Naked Wii party" or doing something illegal while you're gaming with your buddies. Or maybe you say something suspicious and it triggers the DHS software to start tracking your every word. Hey, this is not paranoia. It's spelled out for you, right there in that Service Agreement. Read it! Here's one more part of the agreement you should be aware of.

        "You should not expect any level of privacy concerning your use of the live communication features (for example, voice chat, video and communications in live-hosted gameplay sessions) offered through the Service."

Did you catch it that time? YOU SHOULD NOT EXPECT ANY LEVEL OF PRIVACY concerning your voice chat and video features on your Kinect box."

###

"Listen up, you ignorant sheep. Your government is spending more money than ever to spy on its own citizens. That's YOU, my friend. And if you're one of these people who say, "Well I ain't ever done nothing wrong so why should I worry about it?' - you are dead wrong. Our civil liberties are being taken away faster than you can spit. The NSA is working away on its new "First Intelligence Community Comprehensive National Cyber-security Initiative Data Center' to keep track of every last one of us. This thing will be the size of 17 football stadiums. One million square feet, all to be filled with more technology and data storage than you could imagine. And 30,000 spy drones are set to be launched over America which can each stay aloft for about 28 hours, traveling 300 miles per hour. WHY? Why do we want these things in our skies?

The military is now taking a keen interest in the Microsoft Kinect Spy System, the fastest selling electronic device in history. Conveniently self-installed in over 18 million homes, this seemingly innocent game system, armed with facial recognition programming and real-time recording of both sound and video, will be used by our own government to spy on and record us in our own homes.

And it doesn't stop there. Other game systems such as Nintendo's WWII are also being turned into government-controlled spy systems. WHY?

That's the real question. WHY?!!! Why is our own government spending billions and billions of dollars to spy on its own people? To keep us safe? Do you really believe that?"

Microsoft's Kinect System is Watching You
Published on Apr 5, 2012 by TheAlexJonesChannel:

https://www.youtube.com/watch?... [youtube.com]

###

Big Brother alert: Microsoft wants to know how many friends you've got in your living room

- http://blogs.telegraph.co.uk/t... [telegraph.co.uk]

By Mic Wright Gadgets Last updated: November 9th, 2012

- http://blogs.telegraph.co.uk/t... [telegraph.co.uk]

"One of Microsoft's latest patent applications[1] is a humdinger. It proposes to turn the Kinect camera into a snitch for movie studios, reporting back just how many friends you've got in your living room and what they're watching. Think that sounds alarmist? Here's what it actually says: "The users consuming the content on a display device are monitored so that if the number of user-views licensed is exceeded, remedial action may be taken." It's that blatant â" a system to spy on private viewing habits.

If put into practice, Microsoft's plan could mean that the film you're watching suddenly stops playing if it detects that you've got more people squashed on to the sofa than the licence allows. You'd then be prompted to buy a more expensive licence to keep watching. It's as if Big Brother had built 1984's Telescreen not to monitor the population but to ensure no one was pirating the Two Minutes Hate.

In all likelihood, Microsoft will struggle to actually apply this patent in the real world. While copyright holders would be delighted, customers would be turned off by such a draconian system. But that's what's interesting about this application and patent applications in general: they often reveal what companies would do if they could get away with it. The black and white drawings and blandly technical language can cover immoral, scary and downright evil ideas.

There was an even more striking example from Apple earlier this year[2]. In September, it was granted a patent for "Apparatus and methods for enforcement of policies upon a wireless device", i.e. a system allowing companies or governments to remotely disable mobile phones and tablets in a particular area.

While Apple mentions benign examples such as preventing phone calls from disturbing concerts or ensuring devices are switched off on planes, it also states: "Covert police or government operations may require complete "blackout" conditions." That's exactly the kind of feature certain governments would love to use to suppress pictures and videos. The patent Apple put its stamp on is a handy form of censorship regardless of whether it will ever apply it.

Last year, Google's chairman, Eric Schmidt, said that the company would hold off from creating a facial recognition service because it would be "crossing the creepy line". Still, Google has filed for and been granted extensive patents in the area and, as its Project Glass augmented reality goggles move forward, who knows when the "creepy line" will shift?"

[1] http://appft.uspto.gov/netacgi... [uspto.gov]

[2] http://www.zdnet.com/apple-pat... [zdnet.com]

(C) Copyright of Telegraph Media Group Limited 2012

###

"People are aware that Windows has bad security but they are underestimating the problem because they are thinking about third parties. What about security against Microsoft? Every non-free program is a 'just trust me program'. 'Trust me, we're a big corporation. Big corporations would never mistreat anybody, would we?' Of course they would! They do all the time, that's what they are known for. So basically you mustn't trust a non free programme."

"There are three kinds: those that spy on the user, those that restrict the user, and back doors. Windows has all three. Microsoft can install software changes without asking permission. Flash Player has malicious features, as do most mobile phones."

"Digital handcuffs are the most common malicious features. They restrict what you can do with the data in your own computer. Apple certainly has the digital handcuffs that are the tightest in history. The i-things, well, people found two spy features and Apple says it removed them and there might be more""

From:

Richard Stallman: 'Apple has tightest digital handcuffs in history'
www.newint.org/features/web-exclusive/2012/12/05/richard-stallman-interview/

###

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 87

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] http://www.stallman.org/ [stallman.org]

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".

(Remotely Attacking Network Cards)
http://theinvisiblethings.blog... [blogspot.com]

(Persistent BIOS Infection)
http://www.phrack.org/issues.h... [phrack.org]

(BIOS --> Vbootkit code(from CD,PXE etc.) --> MBR --> NT Boot sector --> Windows Boot manager --> Windows Loader --> Vista Kernel)
http://www.securityfocus.com/c... [securityfocus.com]

(The ROMOS project)
http://web.archive.org/web/201... [archive.org]

Secure boot is Microsoft's attempt to maintain computer OS market share as their influences is being stripped away by the likes of Google (Android) and Apple (iOS). With HTML5 on the way, we will have WEB based applications that rival desktop versions, and run on ANY device. The OS is just a layer to get to where the real work gets done, information exchange.

AND the worst part is, secure boot doesn't actually fix the problem it pretends it solves. It can't. This is the whole DRM of DVD's and BluRay all over again. Look at how well that is working out.

DRM is broken by design."
- linux.slashdot.org/comments.pl?sid=2985953&cid=40681007

"Richard Stallman has finally spoken out on this subject. He notes that 'if the user doesn't control the keys, then it's a kind of shackle, and that would be true no matter what system it is.' He says, 'Microsoft demands that ARM computers sold for Windows 8 be set up so that the user cannot change the keys; in other words, turn it into restricted boot.' Stallman adds that 'this is not a security feature. This is abuse of the users. I think it ought to be illegal.'""
- linux.slashdot.org/story/12/07/17/2326253/richard-stallman-speaks-about-uefi

I'm concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security:

http://www.biosbits.org/ [biosbits.org]

Some BIOS has write protection in its configuration, a lot of newer computers don't.

###

CIA Head: We Will Spy On Americans Through Electrical Appliances
Global information surveillance grid being constructed; willing Americans embrace gadgets used to spy on them
http://www.prisonplanet.com/ci... [prisonplanet.com]

###

Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording.
Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging the hum for several years, says: "Even if [the hum] is picked up at a very low level that you cannot hear, we can extract this information." It is a technique known as Electric Network Frequency (ENF) analysis, and it is helping forensic scientists to separate genuine, unedited recordings from those that have been tampered with."
- http://www.bbc.co.uk/news/scie... [bbc.co.uk]
- http://cryptogon.com/?p=32789 [cryptogon.com]

###

"I'd worry about a Tempest virus that polled a personal computer's
CD-ROM drive to pulse the motor as a signalling method:

* Modern high-speed CD-ROM drive motors are both acoustically and
electrically noisy, giving you two attack methods for the price of one;

* Laptop computer users without CRTs, and the PC users that can afford
large LCD screens instead of CRTs, often have CD-ROM drives;

* Users are getting quite used to sitting patiently while their
CD-ROM drives grind away for no visibly obvious reason (but
that's quite enough about the widespread installs of software from
Microsoft CD-ROMs that prompted Kuhn's investigation in the first place.)"

http://catless.ncl.ac.uk/Risks... [ncl.ac.uk]

###

"I'd worry about a Tempest virus that polled a personal computer' personal computer' CD-ROM drive"

Yes and the hard drive and in some PC's the cooling fans as well are under CPU control.

You can also do it with PC's where the CPU does not control the fan, but the hardware has a simple thermal sensor to control it's speed. You do this by simply having a process that uses power expensive instructions in tight loops, thus raising the CPU temprature (it's one of the side channels I was considering a long time ago when thinking about how the temp inside the case changed various things including the CPU clock XTAL frequency).

The change in sound side channel is one of the first identified problems with Quantum Key Distribution. Basicaly the bod who came up with the idea whilst first testing the idea could tell the state of "Alice's polarizer" simply by the amount of noise it made...

The CD-ROM motor idea I'd heard befor but could not remember where till I followed your link.

Dr Lloyd Wood has worked with the UK's Surrey Uni, the European Space Agency and Americas NASA and one or two other places as part of his work for Surrey Satellite Technology Ltd. He has been involved with CLEO (Cisco router in Low Earth Orbit) and other work on what's being called "The Space Internet".

Of interest is his work on Delay and Disruption Tolerant Networks (DTN). It's not been said "publicaly" as far as I'm aware but the work has aspects that are important to anonymity networks such as TOR.

You can read more on Dr Wood's DTN work etc at,

Lloyd Wood - Delay-Tolerant Networking work
http://personal.ee.surrey.ac.u... [surrey.ac.uk]

The UK occupies an odd position in the "Space Race" it is the only nation who having put a satellite into space then stopped further space rocket development (the Black Knight launch platform was considerably safer and more economic than the then US and CCCP systems). The UK has however continued in the Space Game and is perhaps the leading designers of payloads for scientific and industrial satellites (it probably is on military sats as well but nobody who knows for sure is telling ;-)

Clive Robinson
Schneier on Security: Information-Age Law Enforcement Techniques
http://www.schneier.com/blog/a... [schneier.com]

###

Schneier has covered it before: power line fluctuations (differences on the wire in keys pressed).

There's thermal attacks against cpus and temp, also:

ENF (google it)

A treat (ENF Collector in Java):

sourceforge dot net fwdslash projects fwdslash nfienfcollector

No single antimalware scanner exists which offers the ability to scan (mostly proprietary) firmware on AGP/PCI devices (sound cards, graphics cards, usb novelty devices excluding thumb drives), BIOS/CMOS.

If you boot into ultimate boot cd you can use an archane text interface to dump BIOS/CMOS and examine/checksum.

The real attacks which survive disk formats and wipes target your PCI devices and any firmware which may be altered/overwritten with something special. It is not enough to scan your hard drive(s) and thumb drives, the real dangers with teeth infect your hardware devices.

When is the last time you:

Audited your sound card for malware?
Audited your graphics card for malware?
Audited your network card for malware?

Google for:

* AGP and PCI rootkit(s)
* Network card rootkit(s)
* BIOS/CMOS rootkit(s)

Our modern PC hardware is capable of much more than many can imagine.

Do you:

        Know your router's firmware may easily be replaced on a hacker's whim?
        Shield all cables against leakage and attacks
        Still use an old CRT monitor and beg for TEMPEST attacks?
        Use TEMPEST resistant fonts in all of your applications including your OS?
        Know whether or not your wired keyboard has keypresses encrypted as they pass to your PC from the keyboard?
        Use your PC on the grid and expose yourself to possible keypress attacks?
        Know your network card is VERY exploitable when plugged into the net and attacked by a hard core blackhat or any vicious geek with the know how?
        Sarch out informative papers on these subjects and educate your friends and family about these attacks?
        Contact antimalware companies and urge them to protect against many or all these attacks?

Do you trust your neighbors? Are they all really stupid when it comes to computing or is there a geek or two without a conscience looking to exploit these areas?

The overlooked threat are the potential civilian rogues stationed around you, especially in large apartment blocks who feed on unsecured wifi to do their dirty work.

With the recent news of Russian spies, whether or not this news was real or a psyop, educate yourself on the present threats which all antimalware scanners fail to protect against and remove any smug mask you may wear, be it Linux or OpenBSD, or the proprietary Windows and Mac OS you feel are properly secured and not vulnerable to any outside attacks because you either don't need an antivirus scanner (all are inept to serious attacks) or use one or several (many being proprietary mystery machines sending data to and from your machine for many reasons, one is to share your information with a group or set database to help aid in threats), the threats often come in mysterious ways.

Maybe the ancients had it right: stone tablets and their own unique language(s) rooted in symbolism.

###

'Disconnect your PC from the internet and don't add anything you didn't create yourself. It worked for the NOC list machine in Mission Impossible'

The room/structure was likely heavily shielded, whereas most civvies don't shield their house and computer rooms. There is more than meets the eye to modern hardware.

Google:

network card rootkits and trojans
pci rootkits
packet radio
xmit 'fm fingerprinting' software
'specific emitter identification'
forums(dot)qrz(dot)com

how many malware scanners scan bios/cmos and pci/agp cards for malware? zero, even the rootkit scanners. have you checksummed/dumped your bios/cmos and firmware for all your pci/agp devices and usb devices, esp vanity usb devices in and outside the realm of common usb devices (thumbdrives, external hdds, printers),

Unless your computer room is shielded properly, the computers may still be attacked and used, I've personally inspected computers with no network connection running mysterious code in the background which task manager for windows and the eqiv for *nix does not find, and this didn't find it all.

Inspect your windows boot partition in *nix with hexdump and look for proxy packages mentioned along with command line burning programs and other oddities. Computers are more vulnerable than most would expect.

You can bet all of the malware scanners today, unless they are developed by some lone indy coder in a remote country, employ whitelisting of certain malware and none of them scan HARDWARE devices apart from the common usb devices.

Your network cards, sound cards, cd/dvd drives, graphics cards, all are capable of carrying malware to survive disk formatting/wiping.

Boot from a Linux live cd and use hexdump to examine your windows (and *nix) boot sectors to potentially discover interesting modifications by an unknown party.

"Is Your Antivirus Tracking You? (-1)

Anonymous Coward | about 3 months ago | (#47497693)

"Is Your Antivirus Tracking You? You'd Be Surprised At What It Sends"
by Chris Hoffman, 28th May, 2014, MakeUseOf.com

############

PLEASE READ THE PDF. THE QUOTE FROM THIS ARTICLE DRAWS REFERENCE TO WEB URLs BUT IN ORDER TO PROPERLY COMPREHEND THE MAGNITUDE OF DATA COLLECTION, YOU NEED TO READ THE PDF. PREPARE TO BE FLOORED.

DOWNLOAD THE PDF. STORE IT. CONVERT IT TO OTHER FORMATS. SHARE IT. MAKE SURE IT IS ALWAYS AVAILABLE SOMEWHERE ON-LINE OTHER THAN THE SOURCE BELOW. DON'T BLINDLY TRUST ARCHIVE.ORG OR SITES LIKE IT TO KEEP IT FOR YOU.

EVERYONE NEEDS TO READ THIS PDF BEFORE CONTINUING TO USE ANTI-VIRUS PROGRAMS.

############

        "Your antivirus software is watching you. A recent study shows that popular antivirus applications like Avast assign your computer a unique identifier and send a list of all web addresses you visit to the manufacturer. If the antivirus finds a suspicious document, it will send the document to the antivirus company. Yes, your antivirus company might have a list of web pages you've visited along with your sensitive personal documents!

        AV-Comparatives' Data Transmission Report

        We're getting this information from AV-Comparative's Data transmission in Internet security products report, released on May 8, 2014. AV-Comparatives is an antivirus testing and comparison organization.

        The study was performed by analyzing antivirus products running in a virtual machine to see what they sent to the antivirus company, reading each antivirus product's end user license agreement (EULA), and sending a detailed questionnaire to each antivirus company so they could explain what their products do........""

############

Rest of article and comments here:
http://www.makeuseof.com/tag/a... [makeuseof.com] .PDF - The Study, dated May 20, 2014:
http://www.av-comparatives.org... [av-comparatives.org] .PDF-To-Images Free 0n-Line Viewer:
http://view.samurajdata.se/ [samurajdata.se]

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?