Blogging

Spies in the Valley

Thanks to HP, another catch phrase enters the public consciousness. Pretexting. It's a technique of social engineering, or gaining access to systems by manipulating people into divulging information that should remain confidential. Many people had never heard of the phrase “pretexting” before private investigators, hired by HP's top management, collected the private phone records of its directors and a CNet reporter. Why? Someone on the board of directors leaked information to the reporter and, damn it, HP was going to find out who did it. I won't go into further details here because you can read about the story elsewhere.

The part that interests me is how easily the investigators collected private information. Pretexting is a means of deceiving someone with an untruth. In this case, the investigators pretended to be the people whose records they wanted to retrieve from the phone company. In short, they lied. They also broke the law.

Under federal law — the Gramm-Leach-Bliley Act — it’s illegal for anyone to:

  • Use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
  • Use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
  • Ask another person to get someone else’s customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.

The Federal Trade Commission Act also generally prohibits pretexting for sensitive consumer information.

According to that third bullet, the HP management who ordered this theft of information may also be at fault under the law. I'm sure they'll claim they never knew the investigators would use illegal means, but I wouldn't buy that if I were sitting in a jury.

Think of the confidential information companies collect about you. They know your name and where you live. Some have your credit card data, and part or all of your Social Security Number. Stores know what you're buying, and when you're likely to buy a product again. Think of your medical records or credit card transactions getting into the wrong hands. Your search engine queries may reveal things that you have a right, and a wish, to keep private.

The problem with raw data is that it provides no context. The records don't say why you purchased a banana and a jar of vaseline at the grocery store last Tuesday. If you were running for election this year, imagine the uncomfortable suggestions that an opposing political rival could make with that tidbit.

We hear about invasions of other people's privacy almost daily, but how often do we make changes to protect ourselves? For example, do you have a GMail or Yahoo Mail account? If so, all of your searches while logged into those accounts trace back to your identity. Even if you don't log in with an account, the search engine records the IP address you use for your query. In real world encounters, how much information do you give to an unknown source when you register to win that “free” car sitting in the mall, or answer a telephone survey?

There is always someone who can use your private information to their benefit. Only you control how much information you give. Once that information is out of your hands, you have no control over it. We trust certain organizations – banks, insurance companies, phone companies, utilities, blood banks, schools, employers, physicians and hospitals – to keep our information safe and confidential. Some succeed. Some fail. It's up to you to understand the privacy policies of an organization when you provide your information. There are laws to protect us, but laws won't stop criminals.

I believe that the inherent weaknesses of organizations that are vulnerable to pretexting are exactly why we need secure credentials. When you vote or conduct some financial transactions in person, you have to show a photo identification to authorize your access. Why do we not demand authentication for more transactions to retrieve confidential data? It's time for greater use of fully proofed and vetted identification systems to become the standard for personal and electronic interactions. It's too easy to fake your way through an informal interrogation or compromise a password. Identity requires something you know and something you have.

How much does EA Games need to know about you?

It's almost automatic. When you install software, there's a point where you have to accept the user license agreement before you can continue. If you don't click a button to agree, the installation ceases. Have you ever tried to return opened software or a game with the excuse “I don't agree to the license?” Chances are that it won't work. Once you break the shrinkwrap, your chances of a refund decrease by almost 100%.

Do we even look at the user license agreement anymore, even on video games? Fortunately, someone did. That's why there's a buzz now about EA Games' license agreement for Xbox Live games.

[box type=”info”]If you sign up to play EA games through Microsoft’s Xbox Live Service, Microsoft will provide your Xbox Live user account information to EA so that we can establish an EA Online account for you. You need an EA Online account to play EA’s Xbox Live titles. By signing up to play EA's Xbox Live titles, you agree that Microsoft can transfer your user account information to EA. Information collected will vary depending upon the activity and may include your name, e-mail address, phone number, mobile number, home address, birth date and credit card information. In addition, we may collect demographic information such as gender, zip code, information about your computer, hardware, software, platform, media, Internet IP address and connection, information about online activity such as feature usage, game play statistics and scores, user rankings and click paths and other data that you may provide in surveys or online profiles, for instance. We may combine demographic information with personal information.[/box]

That content comes from EA's Privacy Policy web site. For its part, Microsoft has two privacy policy sites. The first one mentions the following about Personal Information:

  • When you register for certain Microsoft services, we will ask you to provide personal information.
  • The information we collect may be combined with information obtained from other Microsoft services and other companies.
  • We use cookies and other technologies to keep track of your interactions with our sites and services to offer a personalized experience.

The second bullet states that information may be combined with information obtained from other sources. What does that mean? Combining information from multiple sources does not indicate distribution, as I understand the statement. Now let's look at the next set of bullets about Uses of User Information:

  • We use the information we collect to provide the services you request. Our services may include the display of personalized content and advertising.
  • We use your information to inform you of other products or services offered by Microsoft and its affiliates, and to send you relevant survey invitations related to Microsoft services.
  • We do not sell, rent, or lease our customer lists to third parties. In order to help provide our services, we occasionally provide information to other companies that work on our behalf.

The third bullet states that Microsoft does not sell, rent, or lease customer lists to third parties. That would seem to indicate that they do not distribute (although there's no mention of freely giving away your private information). However, the second sentence in the third bullet does seem to indicate that Microsoft does distribute your private information to companies that work on Microsoft's behalf.

Does EA Games work on behalf of Microsoft? If you buy a copy of Madden NFL '07, does EA work for Microsoft? I doubt it. Maybe I'll have to ask some of the guys at my gym who work for EA – they make Madden right across the street.

Of course, I mentioned that Microsoft has another privacy policy statement. This is Microsoft's full disclosure for online privacy. I think the pertinent statement in the full disclosure is this line:

[box type=”info”]Except as described in this statement, we will not disclose your personal information outside of Microsoft and its controlled subsidiaries and affiliates without your consent.[/box]

So what exception described in this statement is the one that allows Microsoft and EA Games to pass your private data around like a beach ball at an outdoor concert? Why, I think it's this one:

[box type=”info”]Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.[/box]

EA Games and Microsoft's Xbox Live must come under the “co-branded” loophole. That means neither of them will make it obviously clear where your information is going. Once EA Games has your information, how does it protect you?

[box type=”info”]We will only collect and use personal information in accordance with this privacy policy to the extent deemed reasonably necessary to serve our legitimate business purposes, and we will maintain appropriate safeguards to ensure the security, integrity, accuracy and privacy of the information you have provided. In addition, we will take reasonable steps to assure that third parties to whom we transfer any personal information will provide sufficient protection of that information.[/box]

In other words, “Trust us. We know what's best for you.” Who knows where your information will end up? Congratulations to the co-branded offerings from Microsoft and EA Games. You've developed identity transitivity. If only your customers knew.
SlashDot article

Does the U.S. government need to know your hotel reservation?

The latest attack on your personal data may come from Uncle Sam. Homeland Security Secretary Michael Chertoff wants access to personal information about airline passengers such as names, addresses, credit card information and associated hotel or rental car reservations. It may not end with Uncle Sam, though. European governments want the same information.

An article in the New York Times mentions two databases. The first, the Advance Passenger Information System, contains basic passenger information commonly found in a passport, like name, nationality and date of birth. The second database, Passenger Name Record, comes from global travel reservation companies.

[box type=”info”]Each time someone makes a reservation, a file is created, including the name of the person who reserved the flight and any others traveling in the party. The electronic file often also contains details on rental cars or hotels, credit card information relating to travel, contact information for the passenger and next of kin, and at times even personal preferences, like a request for a king-size bed in a hotel.[/box]

The reasoning behind it is the same – counter-terrorism. While I applaud the mental wizardry of those who would like to prevent future attacks from compelled idiots bearing explosives, I fear the feeble security of those already assigned to protect us at the airports. If someone can lose a laptop full of personal data in one government agency, how long will it be until another loses this database?

Yet Another Identity Precaution

It doesn't seem that long ago when we learned of dumpster divers – people who sift through trash looking for identity information from discarded bills, credit card offers, and other scraps containing your identity information. Leave it to some Nigerians, the current leaders of the fraud industry, to bring the same technique to used hard drives.

The BBC reports that bank details on thousands of Britons were sold in West Africa for less than £20 each. How did they get the information? It was left on used PCs sent for recycling.

Some of us know that merely deleting files is insufficient. You can find free programs on the Internet to undelete files. That's because deleted files aren't removed from the disk. Instead, deleting a file merely removes the entry in the disk's catalog that claims the space used to store it. Once the catalog entry is gone, another file may, or may not, overwrite the previous one.

The old suggestion was to wipe the disk clean – essentially, overwrite existing files with a series of 0's and 1's to ensure the old information is gone. However, there's a new suggestion in the data protection game. Smash the hard drive with a hammer.

That's right, just beat the snot out of it. Make sure you crash the case and damage the platters containing the data. Hard drives are now one of the cheapest components on a personal computer. If you're sending a PC off to get recycled, chances are good that your old drive is too slow and too small for modern needs. Let the next guy buy his own hard drive. Your identity data and bank records may prove too valuable to risk on some unknown recipient of your old trash.
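
The difference between deleting and wiping described above, as an added example that is not part of the original post: a toy Python model in which delete removes only the catalog entry, a later file reuses part of the freed space, and only a full overwrite removes the old bytes. The ToyDisk class, its block size and the sample bank record are all constructed here, and real filesystems are more complicated.

```python
BLOCK = 16  # bytes per block in this toy model

class ToyDisk:
    """Constructed model: raw blocks plus a catalog, not a real filesystem."""
    def __init__(self, nblocks=8):
        self.raw = bytearray(BLOCK * nblocks)   # what is physically on the platters
        self.catalog = {}                       # name -> (block numbers, length)
        self.free = list(range(nblocks))        # blocks no file currently claims

    def write(self, name, data):
        blocks = [self.free.pop(0) for _ in range(-(-len(data) // BLOCK))]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.catalog[name] = (blocks, len(data))

    def delete(self, name):
        # Ordinary delete: drop the catalog entry and release the blocks.
        # The bytes in self.raw are not touched.
        blocks, _ = self.catalog.pop(name)
        self.free = sorted(self.free + blocks)

    def wipe(self):
        # Wipe the disk clean: overwrite every block, claimed or not.
        self.raw[:] = bytes(len(self.raw))
        self.catalog.clear()
        self.free = list(range(len(self.raw) // BLOCK))

    def raw_contains(self, needle):
        # What an undelete tool does: ignore the catalog, read the raw blocks.
        return needle in self.raw

def demo():
    disk = ToyDisk()
    record = b"ACCT 12345678 SORT 00-00-00 PIN 0000"  # constructed sample data
    disk.write("bank.txt", record)
    disk.delete("bank.txt")
    stages = {"listed_after_delete": "bank.txt" in disk.catalog,
              "pin_after_delete": disk.raw_contains(b"PIN 0000")}
    disk.write("note.txt", b"hello")   # new file reuses only the first freed block
    stages["acct_after_reuse"] = disk.raw_contains(b"12345678")
    stages["pin_after_reuse"] = disk.raw_contains(b"PIN 0000")
    disk.wipe()
    stages["pin_after_wipe"] = disk.raw_contains(b"PIN 0000")
    return stages

if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage}: {found}")
```

The five-byte note lands in the first freed block but does not fill it, so the account number survives in the unused tail of that block even though a new file now owns it.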

Ouch!

I love my bike. This morning, I rode it down to Orlando Harley-Davidson for its 25,000 mile service. The brakes need adjusting, it needs a new rear tire, and I told them I wanted synthetic oil. Who knows what else they do for this service mark?

Fortunately, it doesn't cost me much. I already have a four-year prepaid service plan for this maintenance, including oil & tires. Sure, I pay a little bit to upgrade the oil to synthetic, and I still have to pay labor to mount the tire. Overall, it's not so bad. On top of all that, they give me a free rental so I can ride home. That beats hanging around the dealership from 8:00 am until 4:00 pm.

About 4:00 pm, I got a call from Kim in the service department. I figured my bike was ready to pick up, but something in her voice sounded hesitant. The thought running through my head was, “What have you done to my bike?”

Well, they wrecked it. Not terribly, and the mechanic is OK. After doing all the work, they take the bikes out for a short ride to make sure everything feels right. He didn't get far when a car pulled out in front of him while he was making a left-hand turn.

Lucky for him (and my bike) that this happened at a slow speed; he figures about 5 mph. Still, it messed up a fork, bent the brake rotor, and dented my front fender.

Orlando Harley-Davidson is taking care of all the damage. I would expect that much, but it's nice to hear them offer it on the phone without being prodded.

I can pick up my bike tomorrow morning about 10:00 am, but it'll still have a dent in the fender. They have to order a new fender and have it painted to match my bike's color. That takes about two weeks, and then I bring the bike over to have the fender replaced. I'd feel kind of dorky riding around with a dented fender. Maybe I'll put a band-aid on it.

Part of me wondered if the mechanic was a bit careless, but it doesn't matter. The damage isn't that bad, the dealer will take care of it, and there's not a damn thing I could change. It just sucks to have someone bang up your ride.