Archive

Archive for the ‘Security’ Category

OnStar, sat-nav and your safety

September 21st, 2011 No comments

****update*****  9.27.11

Seems OnStar had a change of heart. I wonder how much things like this had to do with that?

************

Jonathan Zdziarski’s blog post describes changes to OnStar’s Privacy Policy (The main link to OnStar’s Privacy Policy which may be updated from the preceding is here.)

In short, not only does OnStar currently track your vehicle’s speed and location but, under the policy linked above, they will continue to track this data and sell/give it to third parties even if you cancel your service unless you explicitly opt out (or disable the hardware).

“Big Deal” you say, we all use GPS all the time, we’re always tracked. No, in fact, you are not. Despite what you may think based on what you’ve seen in spy movies, GPS can’t track you. At its core, A GPS unit is a receiver only. It listens for signals constantly being broadcast to anyone listening by satellites in orbit around Earth. The GPS device figures out your latitude, longitude and altitude based on listening to not communicating with these satellites. GPS is a one way radio from satellite to your device.

Nothing about your location needs to be transmitted to anyone for your device to show you where you are. The data sent by each satellite is incredibly simple, basically, it’s a very precise and synchronized clock. Your devices uses the differences between when these clock signals arrive to calculate your location. By detecting relative delay, the GPS device calculates how far it is from each of the satellites it can ‘hear’ and using this math, it locates itself on the earth relative to the satellites. 299,792,458 metres per second is not just a good idea, its the law. Radio takes time to travel from space to your Garmin. A satellite is farther away, it takes longer, if it’s closer, it gets there quicker. If all the clocks are synchronized, the device can calculate your position based on listening to the signals of 4 or more of the 24 to 32 working satellites in orbit and comparing the timing against each other.

With GPS only ways your location are transmitted to anyone are:

• Your GPS device retrieves maps from some online provider in realtime. Google Maps, Yahoo Maps or somebody else and, in requesting these maps, tells the map-server where you are.

• Your device is OnStar or a system like it with features built in to it with the explicit purpose of telling the provider where you are. In OnStar’s case so they can mine the data and make you feel safer that if you crash and are unconscious, police and rescue can be sent because they detected the airbag going off. Now, if you have a cell phone and call 911, your cell phone will tell first responders where you are. (This is done according to this FCC rule) and can be done via cell tower triangulation and, theoretically, your phone broadcasting the GPS-derived location of your phone when you dial 911.

• Somebody has explicitly attached a GPS tracking device to you (or your vehicle) which passively listens to the GPS system and then actively transmits that location data it’s calculated to whomever is ‘bugging you’ with the tracking device.

There are lots of legitimate concerns about how smart phones and tablets and even your computer browser can send location information to the web sites (or ‘app’ back end servers) you connect to but those are unrelated to GPS tracking and OnStar and a topic for another post.

What should concern you about OnStar and other services that may work in a similar way (XM traffic and weather services perhaps?) is that your location at any given time is potentially very dangerous information when in the wrong hands.

Should the son-to-be-ex-spouse-under-restraining order have any possibility of buying this information? Should the police have any possibility of retrieving this information without a warrant? Should the burden of proof in a legal proceeding be shifted to a presumption of guilt if your phone or your car was found to be in a location you may have been nowhere near?

Post to Twitter Post to Facebook

Privacy, not yours, other people’s….

January 30th, 2011 No comments
Screenshot of Facebook's Friend Finder Feature

Sure, give Facebook your email password, good plan!

This call to action periodically appears on Facebook as an inducement to provide them information to help you locate people you know on Facebook. It’s wrong, deeply wrong in so many ways. You don’t even need to factor Facebook’s already very checkered history with security and privacy. You don’t even need to decide for yourself to be more cautious than you are. All you need do is take a moment to consider that others might be offended, or worse, by your actions.

Don’t do it. Ever.

It’s wrong because it encourages you to decide on behalf of others what their level of privacy concern should be and to compromise their privacy without their consent.

Think about what you risk doing to others by using this feature:

  • If you use your employer’s email you have almost certainly violated their internet usage policy by granting a third party access to your account. Unless you own the company yourself, your work email account doesn’t belong to you. Your work contacts list doesn’t belong to you. Unless you’re the I.T. top dog, you’re not allowed to decide who can access password protected company resources. If you do what Facebook suggests you do with your employer’s email account without explicit permission, you should be fired. Period.
  • If you use your own email address, you have decided that you are both qualified to decide and entrusted by everyone on your contact list to share their personal information with Facebook. Believe it or not, lots of people want nothing to do with Facebook. Now they’re part of Facebook’s data pool. If you upload their contact info, Facebook has that but they also now know those email addresses are connected to you and, to a degree, to each other. Connected to you and whatever you felt like sharing with your Facebook community. Perhaps your friends aren’t too keen on being associated in a database with somebody who’s into knitting? Perhaps they’d prefer to keep their membership in the Free Masons on the down-low?

Sure, this is an extreme case. The hubris on Facebook’s part in actually asking you for log-in credentials for an account is unusual and, I hope, obviously excessive. The problem is, many sites ask you to compromise others under the pretext of doing you, or them, a service. Decide only for yourself who to trust.

Unless you’ve established a prior agreement with your friends that it’s OK….

  • Don’t use ‘send to a friend’ buttons on a web site. Copy the URL and write an email. Let them decide for themselves.
  • Don’t use evites or other  similar services to plan events by giving the service the email addresses of your friends.
  • Don’t send them ‘gifts’, real or virtual, by giving a web site their email address.

If you can’t refrain from doing these things, don’t be surprised to discover who ‘un-friends you’.

Post to Twitter Post to Facebook

Minnesota begins the end of this ‘move to the cloud’ silliness

October 3rd, 2010 No comments

State of Minnesota Signs Historic Cloud Computing Agreement With Microsoft

By making this agreement with Microsoft at this stage in the evolution of ‘cloud computing’ and of Microsoft’s online app development, we will all benefit from the results.  Well, all of us except those who live in, or rely on doing business with the state of  Minnesota. Mark my words, this will get MESSY. Shame too, I kinda like Minnesota.

********UPDATES BELOW*********
10.4.10 - Microsoft’s Office Web Apps: So far, pretty so-so

Post to Twitter Post to Facebook