Chrome, Internet Explorer, and Firefox are vulnerable to
easy-to-execute techniques that allow unscrupulous websites to construct
detailed histories of sites visitors have previously viewed, an attack
that revives a long-standing privacy threat many people thought was
fixed.
Until a few years ago, history-sniffing attacks were accepted as an
unavoidable consequence of Web surfing, no matter what browser someone
used. By abusing a combination of features in JavaScript and cascading style sheets,
websites could probe a visitor's browser to check if it had visited one
or more sites. In 2010, researchers at the University of California at
San Diego caught YouPorn.com and 45 other sites using the technique to determine if visitors viewed other pornographic sites. Two years later, a widely used advertising network settled federal charges that it illegally exploited the weakness to infer if visitors were pregnant.
Until about four years ago, there was little users could do other
than delete browsing histories from their computers or use features such
as incognito or in-private browsing available in Google Chrome and
Microsoft Internet Explorer respectively. The privacy intrusion was
believed to be gradually foreclosed thanks to changes made in each
browser. To solve the problem, browser developers restricted the styles
that could be applied to visited links and tightened the ways JavaScript
could interact with them. That allowed visited links to show up in
purple and unvisited links to appear in blue without that information
being detectable to websites.
Now, a graduate student at Hasselt University in Belgium
said he has confirmed that Chrome, IE, and Firefox users are once again
susceptible to browsing-history sniffing. Borrowing from a browser-timing attack disclosed last year
by fellow researcher Paul Stone, student Aäron Thijs was able to
develop code that forced all three browsers to divulge browsing history
contents. He said other browsers, including Safari and Opera, may also
be vulnerable, although he has not tested them.
"The attack could be used to check if the victim visited certain
websites," Thijs wrote in an e-mail to Ars. "In my example attack
vectors I only check 'https://www.facebook.com'; however, it could be
modified to check large sets of websites. If the script is embedded into
a website that any browser user visits, it can run silently in the
background and a connection could be set up to report the results back
to the attacker."
The sniffing of his experimental attack code was relatively modest,
checking only the one site when the targeted computer wasn't under heavy
load. By contrast, more established exploits from a few years ago were
capable of checking, depending on the browser, about 20 URLs per second.
Thijs said it's possible that his attack might work less effectively if
the targeted computer was under heavy load. Then again, he said it
might be possible to make his attack more efficient by improving his
URL-checking algorithm.
I know what sites you viewed last summer
The browser timing attack technique Thijs borrowed from fellow researcher Stone abuses a programming interface known as requestAnimationFrame,
which is designed to make animations smoother. It can be used to time
the browser's rendering, which is the time it takes for the browser to
display a given webpage. By measuring variations in the time it takes
links to be displayed, attackers can infer if a particular website has
been visited. In addition to browsing history, earlier attacks that
exploited the JavaScript feature were able to sniff out telephone
numbers and other details designated as private in a Google Plus
profile. Those vulnerabilities have been fixed in Chrome and Firefox,
the two browsers that were susceptible to the attack, Thijs said. Stone unveiled the attack at last year's Black Hat security conference in Las Vegas.
The resurrection of viable sniffing history attacks underscores a key
dynamic in security. When defenders close a hole, attackers will often
find creative ways to reopen it. For the time being, users should assume
that any website they visit is able to obtain at least a partial
snapshot of other sites indexed in their browser history. As mentioned
earlier, privacy-conscious people should regularly flush their history
or use private browsing options to conceal visits to sensitive sites.
Forensic experts have long been able to match a series of prints to
the hand that left them, or a bullet to the gun that fired it. Now, the
same thing is being done with the photos taken by digital cameras, and
is ushering in a new era of digital crime fighting.
New technology is now allowing law enforcement officers to search
through any collection of images to help track down the identity of
photo-taking criminals, such as smartphone thieves and child
pornographers.
Investigations in the past have shown that a digital photo can be
paired with the exact same camera that took it, due to the patterns of
Sensor Pattern Noise (SPN) imprinted on the photos by the camera's
sensor.
Since each pattern is idiosyncratic, this allows law enforcement to
"fingerprint" any photos taken. And once the signature has been
identified, the police can track the criminal across the Internet,
through social media and anywhere else they've kept photos.
Researchers have grabbed photos from Facebook, Flickr, Tumblr,
Google+, and personal blogs to see whether one individual image could be
matched to a specific user's account.
In a paper
entitled "On the usage of Sensor Pattern Noise for Picture-to-Identity
linking through social network accounts", the team argues that "digital
imaging devices have gained an important role in everyone's life, due to
a continuously decreasing price, and of the growing interest on photo
sharing through social networks"
Today, "everyone continuously leaves visual 'traces' of his/her
presence and life on the Internet, that can constitute precious data for
forensic investigators."
The researchers were able to match a photo with a specific person 56
per cent of the time in their experiment, which examined 10 different
people's photos found on two separate websites each.
The team concludes that the technique has yielded a "promising result,"
which demonstrates that such it has "practical value for forensic
practitioners".
While the certainty of the technique is only just better than chance,
the technology is pretty new, and the numbers could get a bit more
promising in the future. And, like fingerprints, the SPN signature would
likely only be a part of the case being brought against a suspect.
Virtual 3D faces can now be produced from DNA code. The application,
developed by Mark Shriver of Pennsylvania State University, produces a
virtual mug shot of potential criminals. Pictured here is a work flow
diagram showing how facial features were processed for the application. (Photo : PLOS ONE)
Models of a criminal's face may so be generated from any trace of DNA
left at the scene of a crime. Computer-generated 3D maps will show
exactly how the suspect would have looked from an angle.
Mark Shriver of Pennsylvania State University and his team developed
the application, which produces a virtual mug shot of potential
criminals.
Shriver and his team took 3D images of almost 600 volunteers, coming
from a wide range of racial and ethnic groups. They superimposed more
than 7,000 digital points of reference on the facial features and
recorded the exact position of each of those markers. These grids were
used to measure how the facial features of a subject differ from the
norm. For instance, they would quantify the distance between the eyes of
a subject, and record how much more narrow or wide they were than
average.
A computer model was created to see how facial features were affected
by sex, genes and race. Each of the study participants were tested for
76 genetic variants that cause facial mutations. Once corrected for
race and sex, 20 genes with 24 variants appeared to reliably predict
facial shape.
"Results on a set of 20 genes showing significant effects on facial
features provide support for this approach as a novel means to identify
genes affecting normal-range facial features and for approximating the
appearance of a face from genetic markers," the researchers wrote in the article announcing the results.
As part of data collection, the team asked participants to rate faces based on perceived ethnicity, as well as gender.
Digital facial reconstructions from DNA have proven to be notoriously
unreliable. Even seemingly simple information like height can be
difficult to determine through genetic analysis. Other aspects of human
physiology, such as eye color, are easier to predict using genetic
analysis.
"One thing we're certain of [is] there's no single gene that suddenly
makes your nose big or small," Kun Tang, from the Shanghai Institutes
for Biological Sciences in China, said.
In order to further refine the system, Shriver has already started
sampling more people. Adding further diversity to the database should
allow the application to make even more accurate recreations of a
person's face. In the next round of testing, 30,000 different points
will be used instead of 7,000. Merging this development with 3D
printers would make it possible to print out 3D models of a person, just based on a piece of DNA.
Such models - digital or physical - are not likely to be used in
courts anytime soon. A more likely scenario is use as modern day version
of police sketches, assisting police in finding suspects. Only after an
arrest would the DNA of a suspect be compared to that collected at the
scene of a crime.
Creating 3D facial models from genetic evidence was detailed in Nature.
The Twitter logo displayed on a smart phonePhoto: PA
Scientists have developed the ultimate lie detector for social media – a
system that can tell whether a tweeter is telling the truth.
The creators of the system called Pheme, named after the Greek mythological
figure known for scandalous rumour, say it can judge instantly between truth
and fiction in 140 characters or less.
Researchers across Europe are joining forces to analyse the truthfulness of
statements that appear on social media in “real time” and hope their system
will prevent scurrilous rumours and false statements from taking hold, the Times
reported.
The creators believe that the system would have proved useful to the police
and authorities during the London Riots of 2011. Tweeters spread false
reports that animals had been released from London Zoo and landmarks such as
the London Eye and Selfridges had been set on fire, which caused panic and
led to police being diverted.
Kalina Bontcheva, from the University of Sheffield’s engineering department,
said that the system would be able to test information quickly and trace its
origins. This would enable governments, emergency services, health agencies,
journalists and companies to respond to falsehoods.
Lightbeam, a firefox plugin you may want to try... or not... in order to have an idea about what it means for you and your privacy to browse the Web. Nowadays, this is something obvious and well spread that the 'free' Web is now a very old chimera. Web drills you the same way one drills for oil.
Collusion is a similar plugin for the Chrome Web browser.
On Friday, Microsoft released its 3D Builder app, which allows Windows 8.1 users to print 3D objects, but not much else.
The simple, simplistic, free app from Microsoft provides a basic way to
print common 3D objects, as well as to import other files from SkyDrive
or elsewhere. But the degree of customization that the app allows is
small, so 3D Builder basically serves as an introduction to the world of
3D printing.
In fact, that’s Microsoft’s intention, with demonstrations of the MakerBot Replicator 2 slated for Microsoft’s retails stores this weekend. Microsoft customers can buy a new Windows 8.1 PC, as well as the $2199 MakerBot Replicator 2, both online as well as in the brick-and-mortar stores themselves.
One of the selling points of Windows 8.1 was its ability to print 3D objects,
a complement to traditional paper printing. Although Microsoft is
pitching 3D Builder as a consumer app, the bulk of spending on 3D
printing will come from businesses, which will account for $325 million
out of the $415 million that will be spent this year on 3D printing,
according to an October report from Gartner. However, 3D printers have made their way into Staples,
and MakerBot latched onto an endorsement of the technology from
President Obama during his State of the Union address, recently
encouraging U.S. citizens to crowd-fund an effort to 3D printers in
every high school in America. (MakerBot also announced a Windows 8.1
software driver on Thursday.)
MicrosoftMicrosoft’s 3D Builder includes some basic modification options.
Microsoft’s 3D Builder app could certainly be a part of that effort.
Frankly, there’s little to the app itself besides a library of
pre-selected objects, most of which seem to be built around small,
unpowered model trains of the “Thomas the Tank Engine” variety. After
selecting one, the user has the option of moving it around a 3D space,
increasing or decreasing the size to a particular width or height—and
not much else.
Users can also import models made elsewhere. Again, however, 3D Builder
isn’t really designed to modify the designs. It’s also not clear which
3D formats are supported.
On the other hand, some might be turned off by the perceived complexity
of 3D printing. If you have two grand to spend on a 3D printer but
aren’t really sure how to use it, 3D Builder might be a good place to
start.
In June 1977 Apple Computer shipped their first mass-market computer: the Apple II.
Unlike the Apple I, the Apple II was fully assembled and ready to use
with any display monitor. The version with 4K of memory cost $1298. It
had color, graphics, sound, expansion slots, game paddles, and a
built-in BASIC programming language.
What it didn’t have was a disk drive. Programs and data had to be
saved and loaded from cassette tape recorders, which were slow and
unreliable. The problem was that disks – even floppy disks – needed both
expensive hardware controllers and complex software.
Steve Wozniak solved the first problem. He
designed an incredibly clever floppy disk controller using only 8
integrated circuits, by doing in programmed logic what other controllers
did with hardware. With some
rudimentary software written by Woz and Randy Wigginton, it was
demonstrated at the Consumer Electronics Show in January 1978.
But where were they going to get the higher-level software to
organize and access programs and data on the disk? Apple only had about
15 employees, and none of them had both the skills and the time to work
on it.
The magician who pulled that rabbit out of the hat was Paul Laughton,
a contract programmer for Shepardson Microsystems, which was located in
the same Cupertino office park as Apple.
On April 10, 1978 Bob Shepardson and Steve Jobs signed a $13,000
one-page contract for a file manager, a BASIC interface, and utilities.
It specified that “Delivery will be May 15?, which was incredibly
aggressive. But, amazingly, “Apple II DOS version 3.1? was released in
June 1978.
For some time Facebook has studied your Likes, comments, and clicks
to help create better ads and new products, but soon, the company might
also track the location of your cursor on screen. Facebook analytics
chief Ken Rudin told The Wall Street Journal about several new measures
the company is testing meant to help improve its user-tracking, like
seeing how long you hover your cursor over an ad (and if you click it),
and evaluating if certain elements on screen are within view or are off
the page. New data gathered using these methods could help Facebook
create more engaging News Feed layouts and ads.
The Journal notes that
this kind of tracking is hardly uncommon, but until now, Facebook hadn't
gone this deep in its behavioral data measurement. Sites like
Shutterstock, for example, track how long users hover their cursors over
an image before deciding to buy it. Facebook is famous for its liberal use of A/B testing
to try out new products on consumers, but it's using the same method to
judge the efficacy of its new testing methods. "Facebook should know
within months whether it makes sense to incorporate the new data
collection into the business," reports the Journal.
Assuming Facebook's tests go
well, it shouldn't be long before our every flinch is tracked on the
site. So what might come next? Our eyeballs.
Google puts a lot of work into creating a virtual map of the world with Street View, sending cars and backpackers everywhere with huge cameras. But what if a computer program could do all that automatically? Well, there's one that can. All it needs is Wikipedia and Google Images.
Developed by Bryan Russell at
Intel Labs and some colleagues at the University of Washington in
Seattle, the program is almost deceptively simple. First, it trawls the
internet (mainly Flickr) for a wide variety of pictures of a location.
By looking at them from different angles, it's able to piece together a
pretty good idea of what it looks like in 3D space from the outside.
Like this:
Then, for
the interior of that 3D shell, the program cruises through Wikipedia,
making note of every single noun-phrase, since its dumb robot brain
can't tell what is important and what is not. Finally, it searches
Google Images for its big stack of phrases, pulls the relevant pictures
(if it can find any), and plasters them roughly where they belong in the
model's interior. When that's all said and done, it can then behave as a
procedurally generated 3D tour that guides you through a recreation of
whatever you're reading about on Wikipedia. Awesome!
It's a
crazy idea, but it seems to work pretty well for popular landmarks, at
least. The operating logic here is that if a thing is important, there
will be pictures of it on the internet, and text describing the
pictures. So long as that's true, it's possible to start piecing things
together.
For the moment, the program has only compiled complete
virtual representations of exceedingly popular and well-documented
sites like the Sistine Chapel. With less common places, there's less
data to pull. But with the advent of tech like Google Glass, and the
wide proliferation of smartphones that can take a half-decent picture,
the data-voids are slowly getting filled in—and they'll only fill in
faster as time goes on.
So if you ever needed a great reason to keep all your vacation pictures public and publicly indexed, here it is. [Bryan C. Russell via New Scientist]
The world of Big Data is one of pervasive data collection and
aggressive analytics. Some see the future and cheer it on; others rebel.
Behind it all lurks a question most of us are asking — does it really
matter? I had a chance to find out recently, as I got to see what
Acxiom, a large-scale commercial data aggregator, had collected about
me.
At least in theory large-scale data collection matters quite a bit. Large data sets can be used to create social network maps
and can form the seeds for link analysis of connections between
individuals. Some see this as a good thing; others as a bad one — but
whatever your viewpoint, we live in a world which sees increasing power
and utility in Big Data’s large-scale data sets.
Of course, much of the concern is about government collection. But
it’s difficult to assess just how useful this sort of data collection by
the government is because, of course, most governmental data collection
projects are classified. The good news, however, is that we can begin
to test the utility of the program in the private sector arena. A useful
analog in the private sector just became publicly available and it’s
both moderately amusing and instructive to use it as a lens for thinking
about Big Data.
Acxiom is one of the
largest commercial, private sector data aggregators around. It collects
and sells large data sets about consumers — sometimes even to the
government. And for years it did so quietly, behind the scene — as one
writer put it “mapping the consumer genome.” Some saw this as rather ominous; others as just curious. But it was, for all of us, mysterious. Until now.
In September, the data giant made available to the public a portion of its data set. They created a new website — Abouthedata.com
— where a consumer could go to see what data the company had collected
about them. Of course, in order to access the data about yourself you
had to first verify your own identity (I had to send in a photocopy of
my driver’s license), but once you had done so, it would be possible to
see, in broad terms, what the company thought it knew about you — and
how close that knowledge was to reality.
I was curious, so I thought I would go explore myself and see what it
was they knew and how accurate they were. The results were at times
interesting, illuminating and mundane. Here are a few observations:
To begin with, the fundamental purpose of the data collection is to
sell me things — that’s what potential sellers want to know about
potential buyers and what, say, Amazon might want to know about me. So I
first went and looked at a category called “Household Purchase Data” —
in other words what I had recently bought.
It turns out that I buy … well … everything. I buy food, beverages,
art, computing equipment, magazines, men’s clothing, stationary, health
products, electronic products, sports and leisure products, and so
forth. In other words, my purchasing habits were, to Acxiom, just an
undifferentiated mass. Save for the notation that I had bought an
antique in the past and that I have purchased “High Ticket Merchandise,”
it seems that almost everything I bought was something that most any
moderately well-to-do consumer would buy.
I do suppose that the wide variety of purchases I made is, itself,
the point — by purchasing so widely I self-identify as a “good”
consumer. But if that’s the point then the data set seems to miss the
mark on “how good” I really am. Under the category of “total dollars
spent,” for example, it said that I had spent just $1,898 in the past
two years. Without disclosing too much about my spending habits in this
public forum, I think it is fair to say that this is a significant
underestimate of my purchasing activity.
The next data category of “Household Interests” was equally
unilluminating. Acxiom correctly said I was interested in computers,
arts, cooking, reading and the like. It noted that I was interested in
children’s items (for my grandkids) and beauty items and gardening (both
my wife’s interest, probably confused with mine). Here, as well, there
was little differentiation, and I assume the breadth of my interests is
what matters rather that the details. So, as a consumer, examining what
was collected about me seemed to disclose only a fairly anodyne level of
detail.
[Though I must object to the suggestion that I am an Apple user J.
Anyone who knows me knows I prefer the Windows OS. I assume this was
also the result of confusion within the household and a reflection of my
wife’s Apple use. As an aside, I was invited throughout to correct any
data that was in error. This I chose not to do, as I did not want to
validate data for Acxiom – that’s their job not mine—and I had no real
interest in enhancing their ability to sell me to other marketers. On
the other hand I also did not take the opportunity they offered to
completely opt-out of their data system, on the theory that a moderate
amount of data in the world about me may actually lead to being offered
some things I want to purchase.]
Things became a bit more intrusive (and interesting) when I started
to look at my “Characteristic Data” — that is data about who I am. Some
of the mistakes were a bit laughable — they pegged me as of German
ethnicity (because of my last name, naturally) when, with all due
respect to my many German friends, that isn’t something I’d ever say
about myself. And they got my birthday wrong — lord knows why.
But some of their insights were at least moderately invasive of my
privacy, and highly accurate. Acxiom “inferred” for example, that I’m
married. They identified me accurately as a Republican (but notably not
necessarily based on voter registration — instead it was the party I was
“associated with by voter registration or as a supporter”). They knew
there were no children in my household (all grown up) and that I run a
small business and frequently work from home. And they knew which sorts
of charities we supported (from surveys, online registrations and
purchasing activity). Pretty accurate, I’d say.
Finally, it was completely unsurprising that the most accurate data
about me was closely related to the most easily measurable and widely
reported aspect of my life (at least in the digital world) — namely, my
willingness to dive into the digital financial marketplace.
Acxiom knew that I had several credit cards and used them regularly.
Acxiom knew that I had several credit cards and used them regularly. It had a broadly accurate understanding of my household total income range [I’m not saying!].
They also knew all about my house — which makes sense since real
estate and liens are all matters of public record. They knew I was a
home owner and what the assessed value was. The data showed, accurately,
that I had a single family dwelling and that I’d lived there longer
than 14 years. It disclosed how old my house was (though with the rather
imprecise range of having been built between 1900 and 1940). And, of
course, they knew what my mortgage was, and thus had a good estimate of
the equity I had in my home.
So what did I learn from this exercise?
In some ways, very little. Nothing in the database surprised me, and
the level of detail was only somewhat discomfiting. Indeed, I was more
struck by how uninformative the database was than how detailed it was —
what, after all, does anyone learn by knowing that I like to read?
Perhaps Amazon will push me book ads, but they already know I like to
read because I buy directly from them. If they had asserted that I like
science fiction novels or romantic comedy movies, that level of detail
might have demonstrated a deeper grasp of who I am — but that I read at
all seems pretty trivial information about me.
I do, of course, understand that Acxiom has not completely lifted the
curtains on its data holdings. All we see at About The Data is summary
information. You don’t get to look at the underlying data elements. But
even so, if that’s the best they can do ….
In fact, what struck me most forcefully was (to borrow a phrase from
Hannah Arendt) the banality of it all. Some, like me, see great promise
in big data analytics as a way of identifying terrorists or tracking
disease. Others, with greater privacy concerns, look at big data and see
Big Brother. But when I dove into one big data set (albeit only
partially), held by one of the largest data aggregators in the world,
all I really became was a bit bored.
Maybe that’s what they wanted as a way of reassuring me. If so, Acxiom succeeded, in spades.
