STE WILLIAMS

One-Third of Federal Agencies Reported Data Breaches in 2016

Nearly all federal respondents surveyed consider themselves vulnerable and cite problems with security staffing and spending, a new report shows.

One-third of federal government agencies reported experiencing a data breach in the last year, and 65% have experienced one in the past, according to the 2017 Thales Data Threat Report, Federal Edition. Nearly all (96%) respondents consider themselves “vulnerable” to data breaches; about half (48%) state they are “very” or “extremely” vulnerable.

Researchers found 61% of US federal respondents are increasing their security spend this year, which is an increase from last year’s 58%, but still lower than healthcare (81%), retail (77%), and financial services (78%) industries.

Federal respondents claim their data insecurity is primarily due to budget constraints (53%) and lack of staff (53%). Advanced technologies like cloud, big data, containers, and IoT are expected to worsen the problem as they are used without proper security measures in place.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/attacks-breaches/one-third-of-federal-agencies-reported-data-breaches-in-2016/d/d-id/1328772?_mc=RSS_DR_EDT

Hackers Steal and Post Unreleased Episodes of Netflix’s ‘Orange is the New Black’

Netflix got hit with an extortion attempt for upcoming episodes of its popular “Orange Is the New Black” television series.

Netflix became the latest victim of a high-profile hacking extortion attempt, with attackers reportedly releasing ten new upcoming episodes of its hit series “Orange Is the New Black” after the streaming video giant refused to pony up the blackmail fee, according to a report in Fortune.

The hacker/hackers, aka TheDarkOverlord, reportedly breached the network of post-production company Larson Studio, which handles Netflix and other major studios including Fox Broadcasting and ABC. Although the hackers reportedly tried to extort Larson Studios after the December theft, they later went after Netflix, according to a report in DataBreaches.net.

Netflix apparently refused to pay the extortion fee and TheDarkOverlord used Friday and Saturday to post unreleased episodes from season five onto Pastebin.com, according to the hacker or hackers’ Twitter stream.

And on Monday, TheDarkOverlord hinted at taking action against other studios like Fox, ABC and National Geographic and IFC Films, saying Monday, “It is nearly time to play another round.”

Read more about TheDarkOverlord in Fortune here.


Article source: http://www.darkreading.com/endpoint/hackers-steal-and-post-unreleased-episodes-of-netflixs-orange-is-the-new-black/d/d-id/1328773?_mc=RSS_DR_EDT

40,000 Tinder pics scraped into big data service

Amid a storm of criticism, a set of facial images built by scraping the Tinder dating service has been pulled from Kaggle.

Developer Stuart Colianni had built the 40,000-strong set of “hoes” (the charming variable name* in his source code – more below in case that repo also dies) on the premise that facial datasets are generally too small to be useful.

The Kaggle page where he published the dataset now returns a 404.

The Register has asked Kaggle, whose terms and conditions forbid crawlers, to confirm the reason for the deletion.

At the GitHub page, Colianni attributes the removal to a request from Tinder.

In any jurisdiction with medium-strength privacy regulations, scraping and publishing the data without consent probably represents a breach.

For example, Australian privacy analyst Stephen Wilson of Lockstep told The Register scraping a dating site is “an offence akin to theft by finding” (that is, if you find a suitcase stuffed with banknotes, you don’t get to keep it, you have to try and find the owner).

Likewise, the popular hobby of inferring personally identifiable information from multiple datasets is a breach of privacy legislation in many countries.

Wilson notes that the word “public” almost never occurs in data privacy laws around the world. ®

*Bootnote: It’s hard to accept the intentions as benign with code snippets like this:

# Iterate through list of subjects
for hoe in hoes:

    # Get the subject ID
    sid = hoe['_id']

    # Gets a list of pictures of the subject
    pictures = hoe['photos']

Screen grab from GitHub

Keep it classy

We’re all hoes, it seems.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/01/people_of_tinder_data_disappears_amid_uproar/

CIA tracked leakers with hilariously bad Web beacon trick

Web beacons are objects such as transparent, single-pixel GIFs planted in emails and web pages to phone-home when users access the content. They’re trivially easy to expose – simply forcing an e-mail client to show URLs instead of links can do the trick.

In the case of the CIA’s “Scribbles” program, WikiLeaks is trumpeting a user manual telling spooks how to plant beacons in Word files – the idea being to snag leakers by seeing the IP address of machines on which a document was opened.

The bugs would only put a leaker at risk if they were using Microsoft Office, and if they or their sysadmins had configured it to accept remote images (something this Microsoft article, for example, says is turned off by default since at least Outlook 2007).

Microsoft told Kaspersky’s Threatpost that Office 2013 and Office 365 similarly protect users, since documents are by default opened in Protected View.

If, for some reason, the user was using OpenOffice or LibreOffice to open documents, the WikiLeaks post warns that the watermark and target URL “may be visible to the end user”.

Similarly, if the documents were locked forms, or if users were passing them around encrypted or password-protected, tracking didn’t work.
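As an added defender-side example (not code from the WikiLeaks release or from The Register), the Python below inspects a .docx for the two places a remote-fetch beacon has to live: an image relationship with TargetMode="External" pointing at an HTTP(S) URL, or an INCLUDEPICTURE field code carrying such a URL. The sample archive, its parts and the URL are constructed for the demonstration and are only the members the scanner reads, not a full Word file.

```python
"""Scan a .docx archive for remote image references of the kind a web beacon relies on."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s]+)', re.I)


def find_remote_references(docx_bytes: bytes) -> list:
    """Return (zip member, url) pairs for every external HTTP(S) reference found.

    A linked (not embedded) image is recorded in a *.rels part as a Relationship
    with TargetMode="External"; a field-based link appears as INCLUDEPICTURE text
    inside w:instrText runs in the document body.  Either one makes the viewer
    fetch a URL when the document is rendered, which is the beacon's phone-home.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(data)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if (rel.get("TargetMode") == "External"
                            and target.lower().startswith(("http://", "https://"))):
                        findings.append((name, target))
            elif name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(data)
                for instr in root.iter(f"{{{W_NS}}}instrText"):
                    match = INCLUDEPICTURE_RE.search(instr.text or "")
                    if match:
                        findings.append((name, match.group(1)))
    return findings


def build_sample_docx(linked_url=None) -> bytes:
    """Construct a minimal archive with only the parts the scanner inspects.

    With linked_url set, the body carries an INCLUDEPICTURE field and the rels
    part an External image relationship, both pointing at that (constructed) URL.
    With None, the document is plain text and the only relationship is internal.
    """
    if linked_url:
        body = (
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            f'<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "{linked_url}" \\d </w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        )
        rel = (f'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
               f'officeDocument/2006/relationships/image" Target="{linked_url}" TargetMode="External"/>')
    else:
        body = '<w:r><w:t>Nothing to see here.</w:t></w:r>'
        rel = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
               'officeDocument/2006/relationships/styles" Target="styles.xml"/>')
    document_xml = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>{body}</w:p></w:body></w:document>')
    rels_xml = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    beacon_doc = build_sample_docx("https://example.invalid/t.gif")  # constructed URL
    for member, url in find_remote_references(beacon_doc):
        print(f"remote reference in {member}: {url}")
    print("clean document findings:", find_remote_references(build_sample_docx()))
```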

If you really want to read the pearl-clutching release from WikiLeaks, it’s here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/30/cia_scribbles_wikileaks/

10 Cybercrime Myths that Could Cost You Millions

Don’t let a cybersecurity fantasy stop you from building the effective countermeasures you need to protect your organization from attack.

Cybercrime is all over the place, with damages, according to one estimate by Cybersecurity Ventures, expected to double from $3 trillion in 2015 to $6 trillion by 2021. In a prominent 2016 ransom attack, according to the 2016 McAfee Threat Report, a criminal was supposedly able to pocket $121 million within just six months, netting $94 million after expenses. Still, too often people believe in myths that prevent them from building effective countermeasures. Here are some examples:

Myth #1: Only large enterprises need to worry
No one is immune. Cybercrime is affecting everybody – people and businesses of all sizes alike. Radware concluded in their 2016-2017 Global Application Network Security Report that 98% of organizations experienced cyberattacks in 2016. A reported 31% of these attacks were directed at small and mid-sized companies with fewer than 250 employees.

Myth #2: Threats are completely overrated; it’s not a big deal!
That’s wishful thinking; the frequency of incidents is eye-opening. According to McAfee Labs’ Threats Report, the average mid-sized organization (1,000–3,000 employees) encounters 11–20 incidents in a single day. Larger organizations (3,001–5,000 employees) are slightly busier, with the median at 21–30 incidents per day. The largest organizations (more than 5,000 employees) are busiest, with the median at 31–50 incidents daily.

Myth #3: Bad guys are always outsiders
According to the Radware report, roughly one-third (27%) of all incidents are caused by insiders due to malicious or accidental actions. Some sources believe that number to be much higher. Indeed, users are often unaware and easy to dupe. In a more recent Verizon study, 30% of phishing messages were opened by the target across all campaigns. Some 12% even went on to click the malicious attachment or link and thus enabled the attack to succeed.

Myth #4: Companies are prepared to combat cybercrime
New research this year by BMC and Forbes (registration required) suggests that 68% plan to enhance incident response capabilities in the next 12 months. This seems to be overdue, as companies are still pretty unprepared. The report notes that 40% have no incident response plans, while 70% have no cyber-insurance.

Myth #5: I’d sign up for an insurance policy if I could. I just wish life was that easy.
It’s a booming market. Perhaps one of the areas experiencing the strongest growth within the insurance area is cybersecurity. As a matter of fact, annual gross written premiums are set to triple – from around $2.5 billion in 2015 to $7.5 billion by 2020, according to PWC.

Myth #6: All of our PCs are equipped with antivirus and encryption – we’re fine!
Even so, bad news: by 2020, PCs will only play a minor role, as the vast majority of users will opt for mobile devices such as tablets and smartphones instead. According to a 2015 prediction from Cisco, traffic from wireless and mobile devices will account for 66% of all IP traffic worldwide. Data stored on connected devices will be five times higher than data stored in data centers. Devices are used in highly insecure environments, including Wi-Fi hotspots, where intruders could potentially interfere. Moreover, according to a 2013 Ernst & Young whitepaper, millions of cell phones and smartphones are lost or stolen every year. Over their lifespan, approximately 22% of the total number of mobile devices produced will disappear, and over 50% of these will never be recovered.

Myth #7: We have great firewalls and network security, why bother?
Survey results from F5 Networks suggest that network security is often not the issue; 57% struggle with the application layer instead. The frequency and severity of attacks on the application layer are considered much greater than at the network layer. Fifty-five percent say the application is attacked more often, with 58% thinking these attacks are more severe than at the network layer. Furthermore, there is a big mismatch in terms of budget allocation: on average, 18% of the IT security funding is dedicated to application security. More than twice that amount (39%) is pumped into network security.

Myth #8: Millennials are digital natives and more cautious
The common assumption that young talent, especially millennials, are digital natives and tech-savvy enough to safeguard corporate data is probably wrong. In fact, it’s likely going to be the opposite. Young people tend to be more relaxed and less concerned about privacy. They need even more awareness of today’s threats as they’re used to a completely different mindset where life is all about sharing – via social media and other channels that aren’t necessarily secure.

Myth #9: Strong passwords solve the issue
Strong passwords are powerful, but only when combined with other measures such as two-factor authentication. If strong passwords are too complicated to remember or users are forced to change them too frequently, people won’t be able to memorize them and will start making notes in one form or another, thereby undermining even the most sophisticated security tools.

Myth #10: Let’s just hire a few more capable IT security gurus and we’ll be fine
Being understaffed remains the prime issue when it comes to countering cybercrime. Despite 47% of executives surveyed in 2017 by BMC and Forbes being willing to allocate more resources, the key question is how to find them. In a Trustwave 2016 report (registration required), 57% of respondents reported that finding and recruiting talented IT security staff is a “significant” or “major” challenge. Retaining these people is also viewed as a difficult problem by 35% of the respondents. There was a severe cybersecurity workforce gap, with 1 million vacancies in 2016, says Cyber Security Ventures. The shortage is expected to worsen and reach 1.5 million by 2019. Thus, hiring is a great idea, but much easier said than done.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15-16, where Dark Reading editors and some of the industry’s top cybersecurity experts will share the latest data security trends and best practices.]


Marc Wilczek is an entrepreneur and senior executive with more than 20 years of leadership experience within the ICT space. He’s passionate about all things #digital with emphasis on cloud, big data and IoT services. Before serving as VP portfolio, innovation architecture …

Article source: http://www.darkreading.com/endpoint/10-cybercrime-myths-that-could-cost-you-millions-/a/d-id/1328760?_mc=RSS_DR_EDT

Linux Mint-using terror nerd awaits sentence for training Islamic State

A paranoid Welsh Muslim who wore gloves while typing on his laptop, admitted being part of Islamic State, and, gasp, harbored a copy of Linux Mint, has been described as a “new and dangerous breed of terrorist.”

Samata Ullah, 34, who also used voice modulation software to disguise his thick Welsh accent while making instructional videos about encryption, pleaded guilty to five terrorism charges at Cardiff Crown Court. He was due to be sentenced Friday afternoon.

The former pensions administrator had bought 30 sets of cufflinks containing tiny USB sticks from eBay, the court was told. On one of those was a copy of harmless open-source operating system Linux Mint, while others contained military manuals for guided missiles, which Ullah was said to have been preparing to translate for the Islamic State terrorist organization, as reported by Court News UK.

Prosecutor Brian Altman QC branded Ullah a “cyber terrorist” and said he was part of a “new and dangerous breed of terrorist.” Ullah admitted to five charges:

  • Membership in the Islamic State
  • Terrorist training
  • Preparing for terrorist acts
  • Two charges of possessing terrorist material

Another charge, of directing terrorism for Islamic State by hacking information from its enemies, was left to lie on file.

Altman added: “We say [Ullah] employed his not-inconsiderable self-taught internet technology skills to further the cause of terrorism … all this he did from the relative security of his bedroom where he lived alone.”

The court heard that the FBI picked up messages sent between Ullah and alleged Islamic State terrorist Abu Fidaa, who is awaiting trial in Kenya. He was also alleged to have encrypted his blog, though The Register understands this means he hosted it on the anonymizing network Tor, a corner of the internet commonly referred to as the “dark web.”

Ullah, of Rennie Street, Riverside, Cardiff, gave 13 no-comment interviews to police and two prepared statements claiming he only wanted to gain an “understanding of the troubles of the Muslim world.” He was first arrested in September last year, with his trial taking place this March. Reporting restrictions were in force for the duration of the trial, though Judge Gerald Gordon lifted those at the conclusion of the trial, adjourning sentencing to 28 April.

Speaking after the March trial, Metropolitan Police Counter Terrorism Commander Dean Haydon said: “Just because Ullah’s activity was in the virtual world we never underestimated how dangerous his activity was. He sat in his bedroom in Wales and created online content with the sole intention of aiding people who wanted to actively support ISIS and avoiding getting caught by the authorities.”

“This is just the sort of information that may have helped people involved in planning devastating, low technical level attacks on crowded places as we have seen in other cities across the world,” added the policeman. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/28/welsh_linux_terorrist/

NSA pulls plug on some email spying before Congress slaps it down

The NSA has stopped snooping on communications between US citizens and foreigners, it was claimed today.

Government officials whispered to the New York Times that the spy agency is halting surveillance conducted under the legal fig leaf provided by the 2008 FISA Amendments Act – which allows snoops to rifle through American citizens’ private emails, phone calls, and other communications, so long as one of the parties is a foreigner. These spying powers were renewed by Congress for five years in 2012, and are thus up for renewal at the end of 2017.

So it seems the NSA has pulled the plug early, before it could be ordered to stop by Congress. That’s assuming a shutdown was likely. Perhaps, instead, there was some other reason behind the snoops backing off monitoring Americans talking to foreigners.

In 2011, prior to the latest renewal, the FISA rules were challenged in court, leading to the NSA modifying its procedures slightly: it would gather up private communications as usual but hold them in a special silo before agency analysts could examine them. That was supposed to encourage staffers to hunt for specific stuff rather than pore over a firehose of Americans’ personal and sensitive messages. Don’t forget, the NSA is not supposed to spy on its own citizens.

However, the agency has persistently stonewalled efforts to find out how many Americans have had their conversations swept up in the surveillance dragnet.

Senator Ron Wyden (D-OR) has been trying for years to get clarification on this point out of the intelligence agencies, with a notable lack of success. He and others in Congress have been looking forward to the FISA renewal debates and committee sessions, but it appears the NSA may have preempted that chance.

“This change ends a practice that could result in Americans’ communications being collected without a warrant merely for mentioning a foreign target,” Wyden said on Friday in an email to The Register.

“For years, I’ve repeatedly raised concerns that this amounted to an end run around the Fourth Amendment. This transparency should be commended. To permanently protect Americans’ rights, I intend to introduce legislation banning this kind of collection in the future.”

That’s certainly convenient for the agency, but it’s going to have the conspiracy theorists all aflutter, since there is serious interest in certain prominent Americans and their links to foreigners who might influence them. Expect spittle-flecked ranting from Alex Jones and his ilk on this one.

Technological factors might also have played a part. With more and more telcos and service providers using encrypted network connections and adopting strong end-to-end encryption – in part due to revelations from Edward Snowden on how deeply NSA signal taps had been set up on their data linkages – it may be that this has made large portions of slurped data useless.

But the NSA being what it is, you can bet that the agency has found other ways to get the information it wants. There’s plenty of post-9/11 legislation out there that’s full of legal loopholes that the Maryland data miners can exploit. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/28/nsa_may_stop_overseas_fisa_spying/

Google, Facebook Swindled in $100M Payment Scam

Lithuanian man impersonated an Asian-based manufacturer to trick Facebook and Google into paying him $100 million.

A new investigation has uncovered details of a payment scam targeting Facebook and Google, Fortune reports. Lithuanian Evaldas Rimasauskas impersonated an Asian-based manufacturer, which often did business with both companies, to trick them into paying for products.

Rimasauskas used fake email addresses, invoices, and corporate stamps to convince accounting departments at Google and Facebook to transfer money over the span of two years. By the time they caught on, he had tricked the two companies out of $100 million.

At the time Rimasauskas was arrested in March 2017, a press release from the Department of Justice did not specify the victim companies. The manufacturer Rimasauskas impersonated was Quanta Computer, a prominent supplier for US tech companies.

Both Facebook and Google confirmed they were targeted in the attack and have recovered the bulk of funds stolen.

“This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals,” said acting US Attorney Joon H. Kim in the March release.

Read more about the investigation on Fortune.


Article source: http://www.darkreading.com/attacks-breaches/google-facebook-swindled-in-$100m-payment-scam/d/d-id/1328764?_mc=RSS_DR_EDT

FCC: net neutrality is ‘politically motivated government overreach’

The push to weaken net neutrality that began shortly after President Trump took office took another step forward this week, with Federal Communications Commission chairman Ajit Pai announcing plans to demolish the 2015 rules former President Obama used to implement net neutrality with Title II classification.

Pai outlined those plans yesterday during a speech at The Newseum in Washington (click here for a full text of his remarks). He called Obama’s directives “heavy handed” and “all about politics”.

He claims the rules have hurt investment and clobbered small internet providers with mandates they can’t afford.

He said the internet has been the greatest free-market success story in history because of the landmark agreement between former President Clinton and a Republican Congress that resulted in the Telecommunications Act of 1996. In that legislation, he said, both parties decided “to preserve the vibrant and competitive free market that presently exists for the internet, unfettered by federal or state regulation”.

Until two years ago, that is, when he said the FCC decided to impose a set of heavy-handed regulations upon the internet in what he called a partisan action. He said:

[Obama and the Democrats] decided to slap an old regulatory framework called Title II – originally designed in the 1930s for the Ma Bell telephone monopoly – upon thousands of internet service providers, big and small. It decided to put the federal government at the center of the internet. Why? It was all about politics. Days after a disappointing 2014 midterm election, and in order to energize a dispirited base, the White House released an extraordinary YouTube video instructing the FCC to implement Title II regulations. This was a transparent attempt to compromise the agency’s independence. And it worked.

Pai’s proposal is to:

  1. Return the classification of broadband service from a Title II telecommunications service to a Title I information service. This would be a return to the “light-touch regulation” from the Clinton Administration, he said.
  2. Eliminate the so-called Internet Conduct Standard. Pai said the 2015 rule gave the FCC a roving mandate to micromanage the internet. Eliminating the standard would end that.
  3. Seek comment on how to approach the so-called bright-line rules adopted in 2015.

The FCC will vote on the plan at a May 18 meeting. Months of debate will surely follow as the matter is opened up for public comment. The commission will revise the rules based on that feedback, Pai said.

Though Pai describes the actions of two years ago as a politically motivated case of government overreach, it’s worth noting that in 2014 more than 4m public comments supporting net neutrality were sent to the FCC. A lengthy debate ensued then as well, and the Obama-era FCC agreed with the majority.

Speaking for the minority, Pai, a free-market conservative, wrote a scathing 67-page dissent saying net neutrality was a response to “anecdote, hypothesis, and hysteria… not just a solution in search of a problem – it’s a government solution that creates a real-world problem”.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/wGH6Aop5bHM/

Lawmaker calls on ISPs to stop customers being hit by viruses

Should your ISP play a greater role in keeping you safe from malware, viruses and other web threats? One of Australia’s senior politicians seems to think so. In a column in The West Australian, Dan Tehan, Australia’s cybersecurity minister, wrote: “Just as we trust banks to hold our money, just as we trust doctors with our health, in a digital age we need to be able to trust telecommunications companies to protect our information from threats.”

A companion news article in the same newspaper cited Tehan as arguing that “the onus is on telecommunications companies to develop products to stop their customers being infected with viruses”.

According to The Financial Review, Tehan told the British Australian Fintech Forum in London that “telcos and ISPs must take greater responsibility for ensuring their customers understand risks and said the government expects them to engage with the not-for-profit sector and SMEs – who may not have their own resources to establish protective measures – and offer them commercial products to identify and eradicate threats”.

Tehan’s government roles include assisting the prime minister on cybersecurity, so folks throughout Australia perked up when he said all this. However, it’s not clear if there’s an actual plan behind Tehan’s observations – or if there is, whether it will be backed by legal mandates.

In another speech to the British Chamber of Commerce, Tehan emphasized partnership and teamwork, saying that the Australian government wants to

… support the private sector to step up and provide… products that reduce the risk of malicious cyber activity and give users the choice to purchase additional security services… industry must be empowered to design and implement solutions the public want… telecommunications companies and ISPs can and should develop products which users can embed to build-in cyber security measures and reduce the risk of malicious cyber activity before it ever reaches the end-user.

There’s not a lot of “mandate” in that language. And Tehan swore he wasn’t talking about government-mandated content filtering (a major controversy in Australia several years ago). But, back home in Australia, some early reactions to the possibility of any new government interference weren’t kind.

In iTWire, Sam Varghese said, “Dan Tehan has just provided the country with adequate reasons as to why he should not be allowed anywhere near any post that has anything to do with online security.” Varghese added: “When it comes to detail, Tehan predictably goes missing.” Overclockers.com.au called Tehan’s comments “an attempt to be seen to be doing something when you have no clue as to what that ‘something’ is”.

Press reports suggest telecoms don’t yet know what, if anything, the government is cooking up. According to The Inquirer, “John Stanton, CEO of telecoms industry body the Communications Alliance, told Australian IT magazine IT News that he’d not had any contact from the government about its intentions.” iTWire elicited anodyne statements of cooperation from Telstra and Vodafone, two of Australia’s largest telecoms.

If you’re looking for something a bit more solid, it might be this: Tehan also discussed the Australian government’s move towards a posture of “active defence,” in which it “aims to disrupt malicious cyber activity using measures, such as blocking or diverting malicious traffic, to prevent problems before they occur”.

He said the government would more aggressively prevent government employees from visiting known malicious sites, and try to reduce legal roadblocks “that may be preventing the government and private sector from delivering” more aggressive cyberdefense services. That might mean poking some new exceptions into privacy laws against information sharing among government and businesses. But again, the devil’s in the details – and the details don’t yet exist.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/03T-JGTXFAA/