When The Customer Isn't King - Account & Data Security Breaches That Can Be Prevented

The news for two major retailer giants in Canada has not been good for them or their customers in the past few days. Loblaws, a grocer and dry goods retailer, had their PC Points loyalty system breached. One customer had 110 points worth $110 spent in the province of Quebec, and she has never even visited that province. Another customer who is a system administrator, said that he had a different password for every account, had his points stolen as well. News link: http://globalnews.ca/news/3237876/ps-plus-points-stolen-security-breach/

As well, Canadian Tire, a retail giant that sells everything from automobile accessories to sporting goods to snack foods, has been hacked, compromising both loyalty points and credit card balances online. News link: http://globalnews.ca/news/3236903/exclusive-canadian-tire-website-breached-consumer-accounts-in-question/

The financial losses of hacks such as these, are tremendous. When Target was breached in 2014, they estimated the losses to be $148 million dollars according to an article in Time Magazine. In that same year, job losses due to customer data breaches were estimated at 150,000 people in Europe. The global picture is frightening. McAfee, the Intel security company estimates monetary losses of $160 billion per year for data breaches.

Hacking isn't exactly a new phenomena. In 1979, infamous convicted hacker, Kevin Mitnick broke into his first major computer system, the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. The most embarrassing privacy breach came when Ashley Madison, the website for having extra-marital affairs, was hacked and over 30 million names and credit card numbers were exposed, causing at least two suicides.

So in this day and age, why does this happen? Can it be prevented?

Aside from an inside job, one of the reasons that hacking is successful, is the antiquated way that servers, databases and accounts are accessed. To connect to a server, one usually must have a username and a password. This is true to gain access to a server as an administrator. However one doesn't need administrator access to hack into data and accounts. Customer account information is stored in what is known as a 4GL database (4th Generation Language). This table-driven database is usually clustered on it own server and is exposed to the outside world so that its data can be accessed by platforms, analytics, and web interfaces. Again, with a user name and password, once can gain entrance to the data store and exploit the data. Many many databases still have "root" as the username to gain God-like access, and all that you have to do is either guess, derive, or gain access to the password. Many administrators commit the cardinal sin of using the same password on all accounts, and it may be gotten from such things as the name of their pet, which is information on social media. For years, the huge database company Oracle shipped their databases with a default account name of "Scott" and a password of "Tiger", left over from one of the original developers, that were never removed. I walked into many data centers as a consultant, and typed in Scott/Tiger and got access to the crown jewels.

No matter how much security that is built into any system, it is still vulnerable to the shaky access of system of a username and password. There is a better way. It is inexpensive, fairly autonomous, easy to use, and orders of magnitude more secure than a conventional database approach to storing customer data. It is a blockchain.

People know blockchain from the digital crypto-currency Bitcoin, and that fact alone has poisoned the well for quick adoption of blockchain technology. Blockchain is a technology & methodology for the digital recording of any transactions, events, ancillary derived meta-data & chronological logging of any business transaction that requires security, integrity, transparency, efficiency, audit & resistance to outages. It is the acme of trusted data. It also stores values like crypto-currency, digital cash and loyalty points, but its main selling point is that it is a true, autonomous ledger. Period.

When a technology evangelist mentions blockchain to the C-Suite level, several things happen. If they have heard of blockchain and its association with Bitcoin, there is pushback, because of how crypto-currencies have been exploited in the press. If they haven't heard of blockchain or have heard of it, but do not understand it, there is a fear of committing to the unknown. There are only about 2,000 blockchain developers worldwide, and most of them are still building proofs of concept. C-Level tech officers in corporations do not have the tech talent to immediately go to this technology, and it is perceived as untested bleeding edge stuff (not true). The other fly in the ointment, is that there is a blockchain consortium built around the Ethereum platform. That may all be well and good, but Fortune 500 is more suited to a private blockchain, controlled by themselves as they are responsible for their data.

So why is a blockchain more secure? For starters, any responsible blockchain incarnation does away with username and passwords. Authentication is done with a private encryption key right on the device. No amount of keylogging or password trapping will allow the breach. On top of it, conscientious construction of the authentication should be done with a tandem collection of MAC address or MDID of the mobile device. A MAC address is the embedded serial number of the network card in the computer that can easily be collected by any web page and MDID is the hardware serial number of a mobile phone or tablet that can be externally queried. Thus, any machine making changes to the data can be identified by device and encryption key.

On top of all of that, each blockchain query agent needs an encryption key just to read the blockchain. No amount of brute force hacking can get you into the blockchain, unless you are authorized to do so, and have a key created for you.

Blockchains can not only hold digital values like money or loyalty points, but they also can contain bits of code that enable smart contracts. In fact, they can store a digital anything. In other words, when certain conditions are met, actions can happen securely because of code embedded in the blockchain. Blockchains are impervious to data being fraudulently altered, because each transaction is linked to a previous transaction using encryption and hashing. You would have to change the entire transaction history to perpetrate a fraud.

The last benefit of blockchains is not that obvious, but highly desirable. You can write any information to the payload of a blockchain. So if you store transactions with a semantic, machine-readable identifiers, one can perform stream analytics in real time on the transactions. This can be coupled to machine learning, not only to identify fraud, but also to enable wallet-stretch to sell the consumer more things that they really need.

Does a beast such as a private semantic blockchain exist? You bet. Ping me.

Why I Won't Be Re-Joining The BBC Global Minds Panel

I recently received the following email from BBC Global Minds.

Hi Ken Bodnar,

Thanks for your continued interest and participation in the BBC Global Minds panel.

Here at the BBC, we’re always thinking about how we can make your experience on Global Minds a great one. Therefore we’re introducing a brand new site with a fresh new look and layout.

As part of this we’re changing over our supplier from Vision Critical to eDigitalResearch, and if you’re interested in continuing your membership you’ll need to click on the link below to sign up with the new site.

Join the new panel

If the above link doesn't work please copy and paste the following into your browser:

https://bbcglobalminds.epanelmanager.com/signup/index/extID/​393521/trktag/719173526/

We hope you like the new Global Minds panel, and we’re looking forward to sharing some new surveys and polls with you in the coming weeks.

Please note, if you don’t click on the link and complete the 5 quick questions to sign up then you’ll no longer be a member of the Global Minds panel and won’t be able to give us your important feedback.

Kind Regards,

The BBC Global Minds Team

The BBC Global Minds panel was like a self-forming focus group. Anyone could sign up, and they would periodically have surveys for programming on the BBC.  I don't mind giving my opinion, because they are a quality news and programming source.

However, I am not going to follow the direction and re-sign up for Global Minds.  I first soured on this type of thing, when they send me an email requesting me to grant them access to my laptop video camera and they would record me as I watched a BBC video.  They have to be nuts to thing that I would give permission for them to (1) grant them access to my laptop (2) allow myself to be filmed and (3) not knowing what the end result as to whether the video would be destroyed.

That aside, one would think that they would think highly enough of their focus group panel to at least have their new survey company come with with a plan to migrate their contacts.  I am not going to fill out a form for yet another survey company who will own my contact data and who knows what the heck they will do with it.  They probably wouldn't sell it, but I don't them from a hole in the ground, and I don't trust them with my contact data.  When you read about A-List companies having data breaches, I don't really trust anyone, or believe in the wide promulgation of my contact data and personal details.

When I see that they just have a handful of Twitter followers, methinks that they need more than a new survey company. I understand that they are under siege from the current UK government who doesn't believe in the value of a national broadcaster, but surely they can squeeze a fat-cat do nothing director out, and hire someone to coordinate their social media.  Hell, I would be pleased to advise them for free as to how to maximize their content engagement with the world.

So sadly to say, I will not be re-joining the BBC Global Minds Panel. 

Giving The Shaft To Data Mining And Obsfucating IBM & Twitter's Privacy Intrusion on Your Life

Those b*st*rds are going too far. Even though I am a data miner, I have a great concern as a data privacy advocate. Essentially Twitter & IBM are teaming up to mine your Twitter Stream to monetize your posts. They will take your tweets and try to sell crap to you, or worse, sell your data to other companies.

Here's how it will work. If you post that your mother died, you will see a crematorium or undertaking ads. Tweet about spending some time in the hospital, and you might pay a higher health insurance premium because they will sell that info to insurance companies.  The same about driving fast. Tweet about your kid going to college, and you will get a full court press on everything from college choices to clothes for university life.

It sucks. It just isn't right. You have three choices.  You can vote with your feet and leave Twitter. I have already left Facebook and LinkedIn. Twitter is my last stand.

You can carry on, but in a previous blog post, I mentioned that the most dangerous thing about Big Data Mining, is that data mining can make assumptions about you that simply aren't true, and you may be categorized into a list that you don't want to be on. It could affect your job, your security clearance, your credit score or who knows what.

You could self-censor, but censorship is wrong, even self-censoring.

I like the last option - f*ck with the machine learning, and deep learning and data-mining.  How? Obfuscate.  Here are a few things that I will do.

1) Disable all location services for tweets.
2) Disable all location services that your smart phone takes. It writes the location into the EXIF data. It also writes date and time and camera type, etc.
3) Google for a free EXIF editor, and remove all EXIF data from your pics.
4) Do not put your actual location in your bio. For example, I follow a dude, who's location is : Where I Have To Be
5) Put in a fake town where you live. If you have a dog named Rover, put down that you live in Roverville.  You can still keep your same state.
6) Never use your middle name or initial. It's just one more authentication factor.
7) When social media streams are mined using NLP or Natural Language Processing, an important part of that is finding "possessive determiners".  Don't use them.  Possessive Determiners are words like my, your, her, etc.  If you tweet "Its my birthday", even the dumbest NLP data mining machine can pick it up. However if you say "Welcome to Birthdayville, Population Me", not even the smartest NLP machine can pick that up. Get rid of possessive determiners in your Tweets.
8) Practice Typoglycemia.  http://en.wikipedia.org/wiki/Typoglycemia  Here is an example that would totally screw up a deep learning machine:

"I cdn'uolt blveiee taht I cluod aulaclty uesdnatnrd waht I was rdanieg: the phaonmneel pweor of the hmuan mnid. Aoccdrnig to a rseearch taem at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoatnt tihng is taht the frist and lsat ltteer be in the rghit pclae. The rset can be a taotl mses and you can sitll raed it wouthit a porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe. Scuh a cdonition is arppoiatrely cllaed Typoglycemia .
"Amzanig huh? Yaeh and you awlyas thguoht slpeling was ipmorantt."

9) User slang. If your gas pedal foot itches to drive a BMW, call it a beamer or a beemer and don't capitalize the word.

10) Use alternate spelling. Ime a bygg phan of Neel Yoongs mewsic.

11) Throw in rand o m   s pac es   in yo ur  sente nce.  Or e*ven the od*d star will do.

12) Never tweet your age, your spouse or partner (I see married to @sweetiePie all the time) or any other information.  It is okay to list your employment of academic institution and that leave a lot of room to fool the NLP machines if you work at the Big Blue, or teach @ the Yard (thanks to the Harvard profs that follow me -- appreciate it).

Using these simple tips will cause the data mining and perceptrons scanning your feed to take a pass on what you type. Now is the time to bowdlerize or obfuscate your account.

I think that the bigger answer, is to startup a new hybrid of Twitter and Facebook that guarantees information privacy. But in the meantime, let's be careful out there as to what we post.  And remember, its not that difficult to deke out smart machines.

Data Privacy At International Borders

There is a shocking liberty and data privacy incident going on in Canada. The Canada Border Services or Custom Guards stopped a traveler and asked him for his smart phone password.  He refused.  The traveler was charged with obstructing a customs officer. In Canada, a smart phone can be considered like any other of your belongings and liable to be searched.  The constitutionality is being tested in May, but the border authority still asserts the right to check your smart phone, tablet or computer.  Here is the link:
http://www.cbc.ca/news/alain-philippon-phone-password-case-powers-of-border-agents-and-police-differ-1.2983841

So, if you want to be immune from these sorts of fishing exercises what can you do?  Here are some tips:

1) Offload documents to a book type external disk. A terabyte drive is less than $100 now. Documents that you will need can be stored in the cloud. There are several cloud providers for file services.

2) Carry documents on a USB stick on a key chain. There are several USB key chain novel items that do not even look like USB keys. Put it on a keychain in plain site. Or here is a pair of USB keys that are earrings:

3) Offload your photos to other storage. They may want to clone your photos to see if you are lying about where you traveled to.

4) When traveling, never use your mail program like OutLook that resides on your computer. Just by firing it up, one can see all of your contacts.

5) If you do have an email account that doesn't have a web interface or browser interface, create a gmail account, that is accessible by browser, and for the duration of travel, forward your mail to the gmail account.

6) Do not download the mobile app for email, either Yahoo, or Gmail or whatever.  Always use the browser.

7) Before crossing international borders, always erase your browsing history and delete all of your cookies.  That way, it will not even be apparent that you have a web email account.

8) It goes without saying, do not have questionable documents or pictures on your devices.  You know what they are.

9) In many countries, your hard disk is surreptitiously cloned (notably China and Israel). So even if you delete documents, all that is deleted is the memory reference to them. They can be forensically reconstructed. The solution is that sensitive documents are never written to disk. They are copied to a USB stick, and edited on the stick. That way, temp edit files that are created when you open the document, are not written to the disk, but in the same directory on the USB stick. If the system doesn't clean them out (and they do stick around), they will not be on your cloned disk.

10) Your smart phone is your life. It is the repository of who you are. Giving up the password is opening the book on your life, your finances, your business, everything. If you are really concerned about this, the solution is to buy a cheap flip phone while travelling. Remove the SIM card from your smart phone, and put it in the cheap flip phone. You still have  conventional SMS texts, phone and a browser for you email, but you don't carry your own personal data repository around with you.

11) Never use free airport WIFI. Always use your 3G or 4G data in the airport. All of the intelligence agencies in the world listen in, (and so do I when I am bored).  I just fire up my network monitoring tools and watch the data go by.

12) Finally, if you are a bona fide company, or a High Net Worth Individual  looking for an enterprise or robust solution to the empty laptop, send me an email   DataPrivacy-at-mail.com (substitute "-at-" with "@")     We have an enterprise, secure solution where the data is safely stored in a bunker in the Bahamas, and access is through a hardware key to your computer with intense SSH/SSL encryption and tunneling.  Be advised though that we do due diligence and KYC (Know Your Customer) because we want purely legitimate business with privacy concerns. Our usual customers are financial institutions and multi-national or international corporations operating from a G20 country.

The age of information really erodes personal privacy, but there can be technology solutions as well.

The Dark Side of Big Data

There is a dark side to big data.  It is personal privacy.  There are obvious privacy risks for the accidental or intended disclosure of collected "hard", personal data, but to my way of thinking the real danger is from derived or predictive data using mathematical constructs like Bayesian Inference and other tools.  Using large datasets, these tools are melded into business intelligence cubes that work wonders in improving the bottom line, but violate privacy in a fundamental way in the sense that they are predicting human behaviors based on inferential probability, that may have a large degree of error in individual cases, yet are useful enough on a macro scale to improve the bottom line.  A good example of this are credit scores.  Just because 80 percent of people employing action A with action B tend to default on loans 55 percent more than people who do not exhibit those behaviors, doesn't mean that the entire population demographic will default, yet they are judged as if they all will.

The real danger of this predictive stuff comes from aggregators who combine predictive data with actual personal data and sell it to other companies.  Judgements will made that may be untrue, but may result in denial of things like college entrance, handgun ownership, club memberships, professional certifications, career choices (suppose that you are of a certain height and the data says that people of that height do not do well in a particular professional sport.  Yet we all know stories of the little guy who could.) and other life events where some sort of body has authority over certain aspects of our lives. 

One of the current thrusts of Big Data, is to find non-intuitive behavioral predictors.  For example we have heard of Target Department Stores sending pregnancy coupons to a 15 year old girl.  Her parents threw a fit, until they discovered that their daughter was actually pregnant.  Target figured it out using probabilities and finding a correlation of beauty products and vitamins leading to buying pregnancy stuff five months later in a certain demographic.  Supermarkets have long known to put beer and diapers together on a Saturday, and it results in a large increase in sales. (Wife sends hubby to store for diapers, but the big game will be on later on in the weekend and the hubbies buddies are coming over.)  All this is fine and dandy because it happens on an anonymous level, but when this sort of predictive stuff is applied with identifying data, it could become dangerous.

What is a CIO or CTO to do?  To my way of thinking, the chief responsibility is to management, shareholders and the bottom line, and not to the privacy of the masses.  Business is the last venue of civilized men for uncivilized warfare, and as a result, I am predicting a further erosion of privacy from Big Data.  It is a force majeure, an unstoppable tsunami of assaults against our privacy that will rival any effort of the NSA or any other organization intent on cataloging the behaviors of the masses.

Blocking Extensions for Chrome

(click for larger image)

Regular readers of this blog will know that I am a privacy freak. I also use Google Chrome which is the safest, fastest, best browser in the marketplace.

I just got a new laptop, and I had forgotten to add my privacy extensions. However I was reminded when an old highschool friend sent me an invitation to join her on Facebook, and since she had my email address, the Facebook code read my contacts and suggested other friends that were not connected to her, but were to me.

Since I get my email through my browser, I decided that it was time to add the privacy extensions. I added Disconnect.me, Ghostery and Do Not Track Plus. I also added Ad Block, but I had to disable it, because I couldn't read how much money that I was making on the ads for Google Adsense.

However, I am quite pleased with the performance of the blocker privacy extensions for Chrome. So far, the worst offender for tracking in my experience, is the CNN.com website.

As an added feature for today, you get a fearless prognostication. Facebook stock is going to tank today. The closing price was $20.38 and I'm willing to bet that it will close lower today.

More Reasons Why To Quit Facebook and LinkedIn

Man, I am looking smarter and smarter every day for quitting Facebook and LinkedIn. Can you imagine that your credit rating will suffer for something that you have posted on LinkedIn or Facebook?

Here is the URL of an article of Privacy Violation on these social networking sites:

http://www.smeweb.com/index.php?option=com_content&view=article&id=3722:facebook-inc-data&catid=62:news&Itemid=101

And here is a reprint of the article in case it goes off line:

Credit agency plans to use Facebook Inc data to form credit ratings

Monday, 11 June 2012 11:25

Schufa is also looking into using information from other sources including Twitter and Linkedin.

Schufa, Germany's largest credit agency, is planning to use data from Facebook Inc (NASDAQ:FB) to form credit ratings, according to leaked documents says to consumer advisory body Which?

As well as pulling information from Facebook pages the agency is looking into using information from other sources including Twitter, Linkedin and Google Street View to assess individual credit ratings.

The documents, leaked to German broadcaster NDR, suggest the agency is planning to use 'crawling techniques' like those used by search engines to find relevant information with aim of 'identifying and assessing the prospects and threats'.

Mark Batistich, a member of the Which? Legal team, said: "Whilst it's not exactly clear what credit checking companies such as Schufa intend to do with data obtained from Facebook, it is certainly possible, at least in the UK, that using such information without consent could be in breach of the Data Protection Act, and also the Facebook Terms and Conditions, which set quite stringent guidelines on what can be done with information obtained from that site."

The plans have drawn criticism from the German consumer protection minister Ilse Aigner as well as justice minister, Sabine Leutheusser-Schnarrenberger, who both said the plans went too far.

Make Money from LinkedIn Passwords Hacked

A few weeks ago, I mentioned on this blog that I have quit both Facebook and LinkedIn. That looks like a pretty prescient and smart move now, in spite of the fact that prophets are never accepted in their home country.

Based on the news today that 6 million LinkedIn passwords were published on a hacker blog in Russia, I feel that by quitting these two Internet time-wasters, I have greatly enhanced my security from identity theft.

You can read about the password breaches with LinkedIn here.

A few thoughts come up from this episode. In no obvious order:

• A lot of people use the same password for their email, bank accounts, Facebook and LinkedIn accounts. A breach of one, may be a catastrophic breach for some people.
• The other striking fact was that may users used linkedin as their password to LinkedIn. This sort of thing enabled the Russian hackers with small penises to break the SHA-1.
• LinkedIn was negligent in not "salting" the passwords with random bits to enhance the security so that the same passwords do not hash out the same every time.
• This is a prime opportunity for some young hotshot lawyer to sue the pants off LinkedIn in a class action suit for not protecting its users privacy.
• We trust these websites a lot with our identities, and when they fail to protect them, they should be made to pay for that negligent lapse. After all, they make money from the users who sign up. You would think that they would protect that revenue stream.
• A class action suit would work, because LinkedIn has some pretty heavy corporate hitters who value their identity privacy.
• This sort of thing spells opportunity for any geek who can solve the intrinsic problems of traditional user name and password credentials for websites.

And I can't go a day without mentioning my own personal bête noire -- Facebook. I am not sure if Facebook tightened things up with a complete https session, but various industry insiders pointed out that there are vulnerabilities in Facebook. If Anonymous or the diminuitive tallywhacker hacker Russians ever break Facebook security, it would greatly accelerate its inevitable destiny of becoming a penny stock.

The Black Hole Net ~ Dark Web 2.0

There will come a time when internet privacy will be the concern of everyone. Only the lower socio-economic classes of people with continue to use the internet in a promiscuous way. But I predict the evolution of a deep dark web called the BlackHoleNet. This will be like the black credit cards or Swiss trusts -- a place where those that can afford it, can surf the web in virtual assured privacy. What will the BlackHoleNet look like?

First of all, to get to it, you will enter an IP address with no domain name. A lack of a domain name means one less step of information gathering by the registrar. When you arrive at the site, it will be a blank page that has a happy face or an "Under Construction" banner. Nothing. Nada. No links. Nowhere to go.

Then you insert a USB key, or SD card or another removable memory device into a port on your computer. You refresh your browser, and another page opens up. No apparent links. However this page contains an Easter Egg. If you know where it is, it asks you to log in. You have made it passed the bastion server. You are connected to the bastion server with an encrypted tunnel. On top of that, the contents of the traffic are encrypted as well.

Once behind the bastion server, you have the dark net. No search engines. No DNS. You have to know the IP addresses. The browser is such that if you start scripting a series of IP addresses, the browser will never work again, nor will the credentials to the dark web.

Inside the BlackHoleNet, there is no SMTP email. Not everyone is aware that every single email sent is archived by the intelligence agencies of almost every First World government. Inside there is no general broadcast of email. One logs into a server, and the email goes from mailbox to mailbox, in the server. Each subscriber must tunnel into the server to get their mail.

If you have to send an external regular email, the email is passed to a tokenizer which creates a token of the identity of the sender. All geo-location stuff is stripped out, and the email is then sent over regular SMTP channels. When the email is answered, a server decodes the token and takes it to its appropriate inbox.

There is a Facebook-like social media app, but it is all private, and the app is prevented from selling data or advertising. All of this privacy is funded by subscription.

There are websites that one can surf without anyone collecting information on you. There are stores that sell products, and all transactions are handled by an anonymity broker. Both the seller and buyer pass their information to the broker, and neither one knows the particulars of the other. The anonymity broker is a trust, that is audited regularly.

In essence, there will be an exclusive private darknet that will not be accessible to governments, intelligence agencies, pornographers, spammers, pedophiles, British tabloid editors, Rupert Murdoch and other scumbags and all of the vermin that now infests the internet.

Coming to an IP address near you soon. Bring a couple of wallets to pay the subscription fee.

A Typical Privacy Policy

Here is a typical privacy policy.

Privacy Policy

What This Privacy Policy Covers

 This policy covers how Mythical MegaCorp and its subsidiaries (“Mythical MegaCorp”) treats personal information that Mythical MegaCorp collects and receives, including information related to your past use of Mythical MegaCorp services. For purposes of this Privacy Policy, “personal information” and “personally identifiable information” shall mean any information that can identify an individual directly or through other reasonably available means, except your name, business address, business telephone number, business email address and business fax number. By providing personal information to us, you signify your consent to Mythical MegaCorp’s collection, use and disclosure of your personal information in accordance with this Privacy Policy.

 This policy does not apply to the practices of companies that Mythical MegaCorp does not own or control or to people that Mythical MegaCorp does not employ or manage.

Information Collection and Use

General

 Mythical MegaCorp collects personal information when you register with Mythical MegaCorp and when you use Mythical MegaCorp services.

 When you register with Mythical MegaCorp we may ask for information such as your name, address, email address, phone number, credit card information, business license information, driver’s license information, postal code (zip code), and other financial information. Once you register with Mythical MegaCorp and log in to use our services, you are not anonymous to us.

 Mythical MegaCorp collects information about your transactions with us, including information regarding items you bid on.

 Mythical MegaCorp automatically receives and records information on our server logs regarding your sessions on Mythical MegaCorp websites and those of its subsidiaries, and related cookie information.

 Mythical MegaCorp uses information for the following general purposes: to contact you, to facilitate bidding, buying, and selling of items by you through Mythical MegaCorp and its affiliated companies, and to comply with laws and regulations related to purchases and sales of items by you through Mythical MegaCorp.

Information Sharing and Disclosure

 Mythical MegaCorp does not rent, sell, or share personal information about you with other people or nonaffiliated companies except to (i) provide products or services you've requested, (ii) when we have your permission, or (iii) under the following circumstances:

 We provide the information to trusted partners who work on behalf of or with Mythical MegaCorp under confidentiality agreements. These companies may use your personal information to help Mythical MegaCorp communicate with you about offers from Mythical MegaCorp. However, these companies do not have any independent right to share this information.

 We provide the information in response to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims, or upon receipt of a request from law enforcement;

 Mythical MegaCorp does not otherwise share personal information about website users with third parties unless doing so is appropriate to carry out a user’s request or it reasonably believes that doing so is legally required or is in Mythical MegaCorp’s interest to protect its property or other legal rights or the rights or property of others;

 We may transfer information about you if Mythical MegaCorp is acquired by or merged with another company to the extent permitted by applicable law. In this event, Mythical MegaCorp will notify you before information about you is transferred and becomes subject to a different privacy policy.

 We transfer information about you to sellers of items purchased by you, to buyers of items sold by you and to their service providers that they may retain to facilitate the assignment of items to Mythical MegaCorp sales venues, and to state and federal regulatory agencies as part of the title or ownership transfer process.

Cookies

 Mythical MegaCorp may keep track of the pages visited by its users by placing a small entry in text file, called a cookie, on a user’s hard drive. Cookies are text files we may place on your computer to understand user traffic patterns, technology used, usage data and aggregate demographics. They are also used to serve ads and authenticate you on the system. Cookies do not contain any personal information, but they do allow us to personalize the Service. You can remove or block cookies using the settings in your browser although doing so may interfere with your use of some of our site and Service.

Communications

 We reserve the right to send you certain communications relating to Mythical MegaCorp services and your account with Mythical MegaCorp, including but not limited to notifications, service announcements, and administrative messages without offering you the opportunity to opt-out of receiving them. Should you choose not to receive certain communications your access to or use of certain services may not be possible.

Links and Features Offered in Conjunction with other Providers

 To make our website more valuable to our users, we may feature some products and services that come from other providers through arrangements with companies that specialize in providing such services. We may share with these third parties such information as is necessary for them to provide the products or services. Our site may include links or provide access to third party sites, services and products. We do not

control the privacy policies and practices of third parties, and you are subject to the privacy policies of those third parties where applicable. If you can’t find the Privacy Policy of any third party via a link either from the site’s homepage or from the pages on which the products or services are offered, you should contact the third party directly for more information.

Data Storage

 Mythical MegaCorp may store your account information active in our databases indefinitely following the termination of your account with Mythical MegaCorp to the maximum extent permitted by law.

Confidentiality and Security

 We limit access to personal information about you to employees who we believe reasonably need to come into contact with that information to provide products or services to you or in order to do their jobs.

 We have physical, electronic, and procedural safeguards that comply with federal regulations to protect personal information about you.

 If Mythical MegaCorp learns of a security systems breach we may attempt to notify you electronically so that you can take appropriate protective steps. By using this website or providing personal information to us you agree that we can communicate with you electronically regarding security, privacy and administrative issues relating to your use of this website. Mythical MegaCorp may post a notice on our website if a security breach occurs. Mythical MegaCorp may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive free written notice of a security breach (or to withdraw your consent from receiving electronic notice) you should notify us at privacy@remarketapp.com.

Changes to this Privacy Policy

 Your use of the our site and Service, and any disputes arising from it, is subject to this Privacy Policy as well as our Terms of Use and all of its dispute resolution provisions including limitation on damages and choice of law. We reserve the right to change our Privacy Policy at any time. We will provide a prominent notice on our website informing you of any changes in our Privacy Policy. The amended Privacy Policy will be effective immediately upon posting on our site, and your continued access or use of the Service following the posting of any such amendment will constitute full acceptance of the Privacy Policy as amended. We encourage you to refer to this policy on an ongoing basis so that you understand our current Privacy Policy. Unless stated otherwise, our current Privacy Policy applies to all information that we have about you and your account. You may determine when this policy was last updated by referring to the modification date found at the bottom of this Privacy Policy.

This Caught My Eye -- Investigating Jurors Over the Web

Check out how Facebook and social media is being used to investigate jurors.

It's Time -- A New Plug-in Filter for Browsers Needed

I am starting to get a little ticked off at how much data is being collected on me when I surf the internet. Websites often ask for authentication data including name and birth date, which they match to an IP address and can get a geographic location. For websites that I deem do not need that information, I always give them an alias, fake birthday and I use a throw-away free email address.

However, through various means, many companies collect browsing data, referrers and all sorts of meta-data, browser information etc. that can be used to pinpoint you. I say that it is time to stop the madness. It is time for us software geeks to take back the internet. I don't want to have to use a proxy server to browse the internet. I say that it is time for a new privacy plug-in for the browsers.

This privacy browser, first of all, would effectively filter out the ads as efficiently as the old incarnations of Firefox did. But it would do much more.

It would deny all http calls to third party sites not in the visiting domain. It would filter out third party cookie information. It would filter out browser information. It would prevent the reading of browsing history. It would deny any app from reading my email address or my contacts. It would not send any data to any domain not in the visiting domain.

Certainly it is not in the best interest for any organized company to write this browser filter, so it would have to come from the community of programmers who are concerned about online privacy. It is certainly time to take this privacy issue into our own hands.

Ultra secure, Data Privacy and Secure Storage

This is a reprint from a White Paper about "My Privacy Tool".

Data privacy is a growing concern in this day and age. As the Internet evolved, it has become an incredibly important facet of our lives for communication, transacting business, socializing and entertainment.

Our electronic data and personal information is trapped every day in multiple locations through activities as signing up for a social network account, buying items online, or just surfing the web. We are tracked, recorded and analyzed continuously as we use the Internet.

Even more problematic in the privacy domain, is that various agencies, governments, businesses and media are quite interested in gaining access to our electronic data, documents and communications.

India and several countries in the Middle East have announced that they are banning Blackberry because their intelligence agencies cannot read the communications.

The United States, in its war on drugs and terrorism, has sweeping powers of electronic surveillance. The intelligence agencies currently archive every single email sent over the Internet, and automated software robots troll the emails for keywords.

In early September of 2010, the Obama administration announced that they were seeking to further the government’s ability to tap into communications, by having providers like Skype and Blackberry build a back door into their software so that the government could monitor communications.

The "My Privacy Tool" solution is a secure, encrypted paradigm that incorporates email, instant messaging, data storage in a document repository and hot back up for documents on a computer.

The way it works, is that the application creates an encrypted tunnel to a storage and server farm in a trusted offshore jurisdiction (You can have your own server hosted there, you can use it as a service and have it hosted on an application hosting service, or you can have the server on your own premises.)

The encryption in the "My Privacy Tool" system is twofold. The first level of encryption is the tunnel which uses SSH and SSL encryption. SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Secure Sockets Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet. Then the documents are further encrypted by AES encryption. In cryptography, the Advanced Encryption Standard (AES) is a symmetric-key encryption standard adopted by the U.S. government.

The company that provides the "My Privacy Tool" operating infrastructure has been providing gateway mail services over fifteen years to international clientele.

The secure tunnel over the internet is created when the user starts the application. The application cannot be started without a USB key, which contains the encryption tools necessary to connect and be validated. Each user is also provided with a panic password. If the user is forced to divulge his login credentials, he/she can provide a panic password that when used, insulate the data and the session is directed to an innocuous place with artificial data. Removing the USB key also causes the application to quit with no ill effects should the user require instant privacy.

Once the tunnel is set up, the user enters their password, and has access to secure communications and storage.

The email is not regular SMTP email, or email that is broadcast across the internet. When an email is sent from one person to another, it is merely put into an inbox behind the bastion server in the bunker that guards against intrusion.

Users wishing to check their email, must tunnel into the bunker and check their inbox. Nothing is ever broadcast over the internet like regular email.

The instant messaging (chat) works in the same manner as the email, in terms of security. Both users tunnel in, and if they are both connected, they can chat. Chats transcripts may be saved.

The communications (email & instant messaging) algorithm is based on the Swiss Trust paradigm that enables anonymous communication. Each user has three account numbers that he may give out to other "My Privacy Tool" users. These numbers all point back to the user. The other user then creates a contact nickname for this person using the given number. The nickname or alias can be nominal or random. Also, if the account number is disclosed by one party only, the person receiving the account number may communicate with that person without ever disclosing his/her identity. The system keeps track of the users while routing the messages.

The next piece of the solution is the secure document storage. It is a repository with the capability of created private and shared folders. Each user must be specifically assigned to a folder by an administrator before he or she has access to it.

There are various levels of access. The first is a data contributor. A person may create a document for the enterprise, and has the ability to upload it to a shared folder. But that person does not have the ability to download documents or delete documents.

The second level of trust is the data user, who has the ability to upload documents to shared folders, download them to edit them, and upload them again. This person has no delete privileges.

The next level of trust is the ordinary user who can create his/her own folders, and upload and download documents to them. They may also contribute or download documents to shared folders if they are authorized to do so by the administrator. They can delete documents as well.

The administrator is responsible for re-keying users that have lost their USB keys. He/she also locks out users who have been terminated by the organization, and keeps track of the organization through the contacts list.

The data storage area is a generous 100 GB per user. Not only is the tunnel encrypted, but the data is as well, as it is stored in a database. As a result, it is not readable to hackers, or to anyone else for that matter.

The last feature of the "My Privacy Tool" tool is the hot backup function. A user can list up to 50 documents, and the system automatically checks to see if they have been modified on the host computer. If so, they are automatically backed up without user intervention.

Benefit 1

"My Privacy Tool" is the most secure way to transfer a document electronically over the internet.

Benefit 2

"My Privacy Tool" is the most secure way to communicate electronically either with email or instant messaging.

Benefit 3

"My Privacy Tool" is a powerful enterprise tool, yet can be used by an individual as well, for privacy.

Benefit 4

"My Privacy Tool" permits travel with an empty laptop. When a document is required, it is downloaded from the Nassau bunker, edited, printed, and uploaded back to the server.

Benefit 5

Because there is no SMTP stack, multiple copies of emails or communications are not kept all over the system. There is no central place that keeps email and thus when an email is deleted, it is gone. An added feature is that "My Privacy Tool" is not susceptible to email and chat viruses, because it does not use the vulnerable Microsoft paradigm that viruses and Trojans exploit.

Benefit 6

"My Privacy Tool" can be used from anywhere in the world where there is an internet connection.

Benefit 7

"My Privacy Tool" can be used to deliver ultra-private monthly statements or other documents that require care, trust and privacy.

Benefit 8

"My Privacy Tool" can save hundreds of dollars in courier fees for the transmission of private documents.

Benefit 9

"My Privacy Tool" provides your clients with the knowledge that you are vigilant of their privacy needs, and have taken steps to insure their privacy.

Benefit 10

"My Privacy Tool" is a revenue center for your business. It can be marked up, or included with premium services which will generate an additional revenue stream.

Summary

"My Privacy Tool" is not meant to replace your regular document repository and communications systems. It is intended for private, sensitive documents. It enables travel with an empty laptop and protects against email & chat viruses, theft, loss of computer, or unwarranted seizure of your computer. "My Privacy Tool" is the first integrated tool to do this. It is a necessary tool for complaint privacy users.

This concept is an incarnation of the non-cloud cloud storage concept.

Note: This tool is supplied to bona fide entities and corporations after KYC is established, and is not open to individuals or the general public.

For further information, please send an email from a non-free corporate account to DataPrivacy-at-mail.com. (Replace "-at-" with "@")

Thrilled and Not Thrilled With Gmail -- The Anonymous Internet is Dead

For starters, I like a web based email and I use Google's gmail. At first it was a little weird because you can't make folders and do stuff like Outlook. However, I came to see that web-based email was the cat's meow, especially since I travel a lot. Gmail is a lot more resistant to viruses, and after I went to Gmail, Chrome and Avira, I have never had a virus in spite of accidentally visiting some dodgey sites.

I have been asked to try a tool written in the Ukraine that consolidates all of my email accounts, twitter, Facebook and everything into one tool. It sounds good, but the paranoid me would never trust my communications to some code written in a land where one cannot get satisfaction through the courts if my bank password credentials were ever reported back to the coder and sold to various nefarious entities operating from behind the Old Iron Curtain.

So that got me thinking about data privacy, anonymity and such, and I came to the conclusion that it is now impossible to be totally anonymous on the Internet. With the FBI running programs like the old Predator, where every single email sent is archived and trolled through for words that are "threats to the United States of America", it is impossible to be totally anonymous. Osama bin Laden knew that, and that is why he never had internet or phone service in his hideaway.

Back to Gmail. I was reading my gmail, and was absolutely fascinated how the ads were relevant to the content of my email. Once the email is opened in the browser, an AJAX widget would report back the keywords of the content of the email and offered me ads. This is a lot like the movie Minority Report where as Tom Cruise is walking, the advertising kiosks recognize him and tail ads to his tastes.

This isn't as harmless as it sounds. Picture this. Google already knows who I am. They hold my emails for me. Then, a Google widget reads my emails when I open them and sends back the key words. How much do you want to bet that Google saves those keywords and data-mines them. Remember, they know who I am. They have asked me for a backup email address and a bunch of personal information. They hold my emails, and they save the keywords of the content of my emails. They are just one small step over a thin gray line of being Big Brother.

I remember reading a book about the Allied intelligence effort in World War II. They perfected the art of content analysis. Agents would collect the newspapers from small towns around Germany. From the aggregate, they learned the entire picture of the war effort.

From the death notices, they learned the casualty rates of the war. The social columns would print up who went off to war, and they could determine troop build-ups. Other stories and public notices about rations would give them an idea what commodities were in short supply. In other words, content analysis can reveal a lot about you -- especially if you have a software widget reading the mail.

So what's the answer. I just fashioned one - a data privacy tool where one uses an encrypted tunnel to a server, and then encrypts the traffic as well. There are all sorts of crypto keys and authentications and then comes the fun part. All of the communications, such as the email, the instant messenger and such, as well as the data storage, is never broadcast over the internet. The email is non-SMTP. The instant messaging is non-IRC, and the data storage is anti-cloud. It is not somewhere over the internet -- it is in a bunker that you can visit, and the only access is through the tunnel, plus your USB key containing all of the magic. And of course, you never trust the GUI (Graphics User Interface) to a browser. It is all rich client for security.

The last piece of the puzzle, is that you buy your own server as well to host this system. Total anonymity.

Most people don't have the luxury of their own private system, so I guess that we have to get used to the idea that Big Brother is watching, and we hope that he is a benevolent Big Brother.

I have seen Big Brother, and his name is Google.