10 years after Bill Gates' Trustworthy Computing memo: What it meant for Microsoft and why every tech company needs one


I joined the Microsoft Security Response Center (MSRC) in April 2001 and left the company in December 2010. During that time I was involved in security and privacy at Microsoft, culminating in my role handling worldwide crisis communications for security and privacy incidents. I am one of a handful of people who knows what the security world was like at Microsoft before Chairman Bill Gates' Trustworthy Computing memo on Jan. 15, 2002. I was also part of the growth and transformation that memo brought about over the years.

As Microsoft marks the tenth anniversary of that memo, it seems a good time to share a former insider’s view of what it really meant and accomplished. I'll also share thoughts on why, in the next 10 years, it’s critical that other technology companies follow Gates’ lead.


Privacy group demands FTC investigate Google search changes


The chorus of opposition to Google's recent search changes grows louder, with the Electronic Privacy Information Center urging the Federal Trade Commission to launch an investigation into whether or not Google is violating users' privacy with the new feature.

Google settled with the FTC in March over its failed Buzz service, submitting to privacy audits for a period of 20 years as a result. EPIC is specifically concerned with personal data, photos, posts, and contact details being included in search results.


Who's dumping Go Daddy to protest SOPA?


Tomorrow is "Dump Go Daddy Day", not that many of you waited, based on your comments. For those considering showing their outrage at the registrar for active SOPA support (since withdrawn), it might be helpful to see what others are doing, where they're taking domains and their exact reasoning for kicking Go Daddy down the hill.

But first, I must say that negative response to yesterday's Go Daddy/SOPA post surprised me. My, some of you really are outraged. What I don't understand: Why focus all that anger on Go Daddy, or any other SOPA supporter, when legislators in the House and Senate who proposed the Stop Online Piracy Act, and sibling PROTECT IP ACT (PIPA), have the power to pass a bill into law? Wouldn't boycotting them make more sense? Or letting President Obama know how you would feel about him signing rather than vetoing the legislation? We are entering a big election year in just a few days, after all.


'I remember when the Internet was free'


The Stop Online Piracy Act, or SOPA, is churning up increasing debate as the holidays approach. There's irony here. The very public response to SOPA is a freedom the bill, or its Senate sibling PROTECT IP, could take away. Dan Bull's "SOPA Cabana" YouTube music video is an example of the grassroots response to the proposed legislation. YouTube is one of the services SOPA would target, likely diminishing freedom of expression like Bull's. The headline to this post comes from his video.

To recap, Senators introduced PROTECT IP in May and House representatives did likewise with SOPA in October. Either bill would give the government broad powers to take down websites, seize domains and compel search engines to stop indexing these properties. Little more than a request from copyright holders is necessary. It's essentially guilty-until-proven-innocent legislation that would punish the many for the sins of the few, while disrupting the fundamental attributes that made the Internet so successful and empowered so many individuals or businesses to accomplish so much. (Review the bills: PROTECT IP, SOPA.)


Protect your personal info with Identity Finder


User names, passwords, credit card numbers, personal details: your PC may contain all kinds of personal data, easily accessible to malware or anyone with physical access to the system. You know this already, of course, which is why you probably protect your system with a firewall, antivirus package, maybe an encryption tool and more.

But what you maybe don’t know for sure is exactly how much data might be exposed on your system, should an attacker actually be able to penetrate your defences. And that’s where Identity Finder comes in. Tell the free version of the program to scan your system and it will immediately identify any passwords that might be stored by your browsers, for instance. You can then selectively delete all or just the most sensitive of these, and perhaps turn off password storage entirely if it seems too risky.


Does your phone have Carrier IQ? Now you can know


I offer a hat tip to Gizmodo, which has put together a list of smartphones that have Carrier IQ. The company disclosed the information as part of a US Senate inquiry. Sprint subscribers are the most likely to have the spyware installed -- 26 million, or nearly half of them. Verizon: None. The information is also available in a statement from Sen. Al Franken (D-Minn.), just not as quickly scannable.

But not all phones where Carrier IQ is installed have it active. Android developer Trevor Eckhart uncovered Carrier IQ last month, offering a detailed explanation of how the rootkit-like software works. I followed his instructions to see if the software was active on my Samsung Galaxy S II Skyrocket, and it appeared not to be. Days later I installed Carrier IQ detectors from BitDefender and LookOut Labs, which found the software but didn't indicate its status. Apparently, Skyrocket is one of the phones where Carrier IQ is installed but not active. The same is true of HTC Vivid, AT&T's other LTE phone.


FBI denies FOIA request about its alleged use of Carrier IQ


Carrier IQ is once again making headlines, this time over reports that it is giving information to law enforcement. Complicating matters more, the FBI denied a Freedom of Information Act (FOIA) request last week asking about its own use of Carrier IQ technology, saying the release of such documents "could reasonably be expected to interfere with law enforcement proceedings".

The FBI's admission in the letter that documents do exist raises concerns that Carrier IQ is using its technologies for more than just customer experience purposes, namely for actual spying, as many pundits have accused. The company is moving quickly to quell this latest round of criticism.


What the hell is SOPA? [infographic]


All kinds of unsolicited mail pours into my inbox, and I ignore about half the stuff that probably matters -- that's if the Junk Mail filter doesn't grab it first. I'm particularly leery of messages promoting an infographic made by some organization that might have vested interest in the topic. But this one, from BusinessInsuranceQuotes, depicts such an emotionally-heated topic, I figured: "Oh, what the hell, just post the damn thing".

Feast your eyes on this little ditty about SOPA -- the Stop Online Piracy Act -- that I repeatedly mistype as "privacy", subconscious response meaning to invade it, perhaps. The infographic really lacks the drama SOPA would create if enacted as law. Little things like empowering the government to take down your site or seize your domain based on the presumption of guilt. That's the painless part. You go to jail if convicted. Perhaps Federal prisons aren't as overcrowded as California jails.


Android users can detect Carrier IQ, everyone else is out of luck


Android users have a multitude of options in order to detect whether Carrier IQ exists on their smartphones, with at least a dozen applications available through the Android Market. While most of the apps will not stop Carrier IQ from running, they will at least give those concerned with the company's actions some solace in knowing for sure whether they're being tracked or not.

The discovery of Carrier IQ -- software that stealthily monitors cellular users' smartphone activity -- set off a firestorm of controversy over the past several weeks. Some see it as a serious threat to users' security and privacy, while others have likened the reaction to mass hysteria generated by the media.


Facebook flaw briefly exposes private photos, including CEO Mark Zuckerberg's


If you have any private photos on Facebook that you really don't want out there, consider this story your fair warning to delete them. A flaw in the social networking site's reporting mechanism allows users to peer into content that is otherwise marked "private". Now would be a good time to remove that pic of drunken you mooning the boss.

The flaw was first widely reported on the forums of bodybuilding.com, a popular fitness site. The post -- since removed -- details the exploit. Proceed through the menus after reporting an image as inappropriate. When the dialog asks if you want to report any other images in the album, click "yes". All images, whether public or private, will be displayed.


Confessions of a 'SOPA Dodger,' or why Kaspersky quit the BSA


The US blogosphere has become increasingly alarmed by the new Anti-Piracy Act – Stop Online Piracy Act or SOPA. Discussions of the topic are, to put it mildly, quite frank, with comments like: "These idiots are coming for your internet."

What is SOPA? It is support for and development of something that is currently very relevant – the protection of intellectual property. Ladies and gentlemen, this really is important! "Thou shalt not steal," as the Bible says! An author – or more often than not, a team – spends sleepless nights writing a book, composing music, shooting a film, creating software or testing software packages. Doesn’t that deserve a financial reward? Yes or no? Think before you answer – someone could well ask the same question about your profession… So?


Kaspersky Lab is against SOPA: quits Business Software Alliance for supporting it

Security research company and prominent antivirus software vendor Kaspersky Lab has announced its intent to withdraw from the Business Software Alliance (BSA) because of the Alliance's support for the Stop Online Piracy Act (SOPA, also known as H.R. 3261).

The Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA) are the software industry's two biggest trade groups. Since both groups have strong anti-piracy stances, neither directly opposed the Stop Online Piracy Act. Both expressed interest in working with Congress to design the law.


Carrier IQ's response answers nothing


We have some division here at BetaNews regarding Carrier IQ and reporting about its tracking software. On one side there's the "me-too" defense -- that software stealthily hidden on smartphones sending information back to Carrier IQ or cellular carriers is no worse than what other companies do. That it's irresponsible to report keylogging behavior based on researcher Trevor Eckhart's blog post and YouTube video. That early reporting was "sloppy" and Eckhart is suddenly "quiet". Dog poop.

Over the last couple of days, Carrier IQ finally responded to the maelstrom of controversy. But the response falls short. Carrier IQ fails to address the most troubling aspect of Eckhart's demonstration: capturing data from keystrokes. Nor does it answer why so much information is collected. Carrier IQ's defense is something like: "We don't look at the naked person. Not us". It's the "if a tree falls in the forest" defense. "We didn't listen, so it didn't happen". If there's anything "sloppy" about the news reporting, it's that not enough journalists dig deep enough. There's nothing unfair here.


Carrier IQ is a scandal now


The furor over Carrier IQ tracking software only intensified on Thursday, as different affected parties attempted to limit public relations or potential legal damage. Apple and Verizon both essentially disavowed Carrier IQ, while Sprint acknowledged using the software/service but narrowed the scope. Meanwhile, the Carrier IQ website couldn't handle sudden traffic surges. BetaNews used a Google cached version to obtain the official statement, but later reached the site.

Android developer Trevor Eckhart instigated the Carrier IQ scandal in a blog post and YouTube video based on his investigation of a persistent process running on HTC Android phones. He uncovered Carrier IQ, which he calls a rootkit because of its stealth behavior and the amount of information/services tapped. "The application is hidden in nearly every part of our phones, including the kernel", he writes. "Carrier IQ also subverts standard operating system functionality".


Carrier IQ is stupid


Okay, the stupidity lies with cellular carriers who let the tracking software onto their phones. Their actions will irreparably tarnish the industry's image and quite likely lead to unwanted government intervention. I'm assuming, of course, that Carrier IQ really is as bad as Android developer Trevor Eckhart claims. My God, what if it's worse?

Carrier IQ is tracking software that behaves every bit like a keylogger -- installed at a low level, like a rootkit would be. It logs all activities. That's right. Everything, even when the phone is disconnected from the network, or when using WiFi, and it continues its privacy-violating ways even after a cellular subscriber's contract has expired. Simply put: It's an abomination. It's a violation of privacy in the worst way, because cell phones are the most personal tech devices and used to maintain the most intimate relationships.
