Category: Privacy

You can never rely on encryption

Like most people in Ireland I listened to the story of how the Irish Blood Transfusion Service (IBTS) had a laptop stolen in New York with the details of 171,000 blood donors on it, not least because, as a blood donor, there is a good chance some of my data is involved.

The IBTS has said that

The records were on a CD that was encrypted with a 256 bit encryption key. These records were transferred to a laptop and re-encrypted with an AES 256 bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption.

Unfortunately, people who were relying on Apple’s FileVault, or Window’s Bitlocker encryption software to keep their data secure, were probably equally satisfied with that AES encryption until yesterday when a group from Princeton demonstrated how that encryption could be broken with a bit of liquid nitrogen!

The IBTS justified the fact that people’s personal information was in New York because the IBTS are updating their software and wanted to bring live data with them with which to test the new software. Why it didn’t occur to them to obfuscate the information which could identify people I really can’t understand. You can never rely on encryption alone.

23AndMe? I don't think so!

Another one of the more interesting presentations at the DLD Conference was the sales presentation given by Esther Dyson, Anne Wojcicki and Linda Avey.

I call it a sales presentation because the 3 speakers in that session were all board members of 23andMe and they spoke the entire time about 23andMe’s product offering – your DNA explained.

How does it work? For about $1,000 dollars you get a saliva collection kit which you complete and return to 23andMe. This returned saliva kit contains de facto, a sample of your DNA.

23andMe examine this DNA and return a report outlining your ancestry, you can compare your results with other, anonymised group data to see how prevalent your trait of reading Esquire on the toilet on Saturday mornings is (not really!) or just how likely you are to die of diabetes, heart attack, cancer, etc.

If all your family (parents, grand-parents, children, grand-children, etc.) submit their DNA, you can get a fascinating map of who inherited what traits from whom. At $1,000 a head you better have a big bank balance or a small family though (and hope that you are not in for nasty surprises like, oops, maybe that guy you called Dad all these years isn’t actually related to you at all!).

Now, I’m not a hugely private guy. I regularly publish photos of my family (including my two kids) on Flickr. I publish my contact details, including mobile phone number and email in the sidebar of this blog in plain text. I blog about deeply personal matters on this blog. In short, I’m quite an open guy.

I stop short though at the prospect of sending my DNA to a company to be analysed (never mind paying them $1,000 for the privilege).

This is not a matter of ignorance. I specialised in molecular biology in the final two years of my degree in plant science.

No, this is a matter of absolute unease with the idea of anyone having possession of analysed samples of my DNA – the most fundamental element of my being. Even if this service were free, I really can’t see myself using it. I’m not sure I can completely explain logically why but it is not for me.

Data Portability

With the rising interest in, and use of Social Networks (FaceBook, Plaxo et al) there is growing unease in what those sites are doing with your data, never mind the inconvenience of uploading all your data every time you join a new site.

Enter a site whose philosophy is:

As users, our identity, photos, videos and other forms of personal data should be discoverable by, and shared between our chosen (and trusted) tools or vendors. We need a DHCP for Identity.

An eminently laudable aim. See more about their aims on this quick video.
DataPortability – Connect, Control, Share, Remix from Smashcut Media on Vimeo.

The video was put together by Michael Pick and I came across it via Marjolein Hoekstra.

Update: Marshall Kirkpatrick has posted about this video now on Read Write Web.

BT Broadband users can be hacked!

James Galvin posted a couple of weeks ago about a recently published exploit which made hacking Eircom’s wireless routers trivial.

As Eircom are the largest provider of residential broadband in Ireland, this is potentially a big deal. As Joe Drumgoole commented at the time:

they have inadvertently created Ireland’s largest free WIFI network. Good man Eircom!

However, BT is now facing an even more serious issue on its wireless routers according to an article in the Register today. At least in Eircom’s case, the vulnerability only exposed the WEP key, allowing use of the wifi on the router.

In the case of the BT router, the Reg is reporting that

a remote attacker can quietly gain full administrator control over a device simply by social engineering a user into visiting a website. The exploit makes it possible to steal a user’s WPA key, listen in on VoIP calls, steal VoIP credentials or change DNS settings so users are silently redirected to fraudulent websites

This is a far more serious an issue then the Eircom one and the number of routers this affected is likely to be orders of magnitude greater.

The one saving grace is that the hack hasn’t been published in the wild, as was the case with Eircom. Yet.

Throw away the key!

I’m delighted to see that Bill Lockyer, California’s attorney general has filed felony criminal charges against former HP Chair Patricia Dunn and four others for their spying on fellow board members and on journalists.

The back story to this is that HP were concerned about leaks to the press from HP’s board meetings. An investigation was begun which involved spying on members of the board and various journalists (illegally accessing their phone records amongst other things).

The story broke recently causing havoc on the board (Dunn resigned, as did the general counsel, a second director and two other senior officers).

It will be interesting to see how this affects the company’s stock price.

I used to work for an employer who wouldn’t hesitate to spy on employees – throw away the key I say!