Hello, Is That You?

It looks like Google has been recording your voice searches (German). There have been rumors all along and it was assumed this was going on. They have the actual voice recordings and their transcripts and also generate a “finger print” of your voice to be able to verify it.

If you extrapolate from that they can by now

*shudder*

NSA’s MITM attack on Cryptome

The moment you find out the NSA is performing MITM attacks on your website’s visitors from a leaked slide deck:

But here is the thing — and this is crucial — the address for Cryptome is listed to be the location of a fiber optic cable junction in Sterling, VA (next to an Amusement Machine company)… which is quite some distance away from your location in NYC, and a considerable distance from your ISP who hosts your file, and it is located away from any signal switching systems use in the area, but it is virtually next door to fiber that goes to a large NSA listening post nearby.

The reason it is notable, is that someone at or near the location in Sterling, VA is performing a MITM attack on Cryptome visitors, and this image out of the slidedeck with the two GPS coordinates is the U.S. Government performing a MITM attack against Cryptome and sharing the collected intelligence with the Brits, or the U.S. Government giving the British government backdoor access into the U.S. (illegal) collection systems.

NSA’s Speech-to-Text capabilities

The Intercept has a lengthy article on what we know on the NSA’s speech recognition capabilities. Putting aside the actual capabilities, just the fact that anything you say will be recorded, stored and may be accessed at any point in the future only protected by “policy” sends shivers down my spine.

“People still aren’t realizing quite the magnitude that the problem could get to,” Raj said. “And it’s not just surveillance,” he said. “People are using voice services all the time. And where does the voice go? It’s sitting somewhere. It’s going somewhere. You’re living on trust.” He added: “Right now I don’t think you can trust anybody.”

Also when all the voice data gets automatically transcribed, made keyword-searchable, flagged and presented to agents as “potentially interesting” there’s basically no way of producing any sort of indication for suspicion other than pointing at a black box and mumbling something vaguely resembling “correlation.”

“When the NSA identifies someone as ‘interesting’ based on contemporary NLP [Natural Language Processing] methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting’; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.'”

Privacy Consequences of the SPE Hack

Bruce Schneier in his comments on the recent Sony Hack cites a Gizmondo article that sums it up very well why privacy is important to everyone even for mundane everyday stuff we do on the internet:

These are people who did nothing wrong. They didn’t click on phishing links, or use dumb passwords (or even if they did, they didn’t cause this). They just showed up. They sent the same banal workplace emails you send every day, some personal, some not, some thoughtful, some dumb. Even if they didn’t have the expectation of full privacy, at most they may have assumed that an IT creeper might flip through their inbox, or that it was being crunched in an NSA server somewhere. For better or worse, we’ve become inured to small, anonymous violations. What happened to Sony Pictures employees, though, is public. And it is total.

And in Bruce’s words:

These people didn’t have anything to hide. They aren’t public figures. Their details aren’t going to be news anywhere in the world. But their privacy has been violated, and there are literally thousands of personal tragedies unfolding right now as these people deal with their friends and relatives who have searched and reads this stuff.

They Don’t Care About Your “Online” Privacy

Messenger apps show your friends’ online status. Anytime you open the app, they’ll notify the service that you’re “online” at the moment. Now everybody else can see it in their contact lists.

And with everybody I mean anybody! If you have a phone number you can check that person’s online status as often as you want from wherever you want (no need to be friends or anything).

So did a group of researchers at the Friedrich-Alexander-Universität Erlangen-Nürnberg. They used this “feature” to “find out how frequently and how long users spent with their popular messenger” on a random sample of 1000 people in different countries for over eight months.

Looking through the project’s website should make it clear how little the creators of those apps care …

Moreover, we were able to run our monitoring solution against the WhatsApp services from July 2013 to April 2014 without any interruption. Although we monitored personal information of thousands of users for several months — and thus strongly deviated from normal user behaviour — our monitoring efforts were not inhibited in any way.

… and that they don’t want you to be able to care.

Unfortunately, affected messenger services (like WhatsApp, Telegram, etc.) currently provide no option for disabling access to a user’s “online” status. Even WhatsApp’s newly introduced privacy controls fail to prevent online status tracking, as users still cannot opt-out of disclosing their availability to anonymous parties.