Many people incorrectly assume that they have an expectation of privacy while using “their” computer at work. This can vary from state to state and country to country, but in most places, any activity on company-owned equipment is subject to review and monitoring by the company. This activity can include emails, web traffic, and any documents saved on company equipment.

Aside from the legitimate monitoring that your employer may be performing, there are other reasons why you should avoid using your work computer for personal purposes. Your computer is not an island. In most cases, your computer will be on the same network as a number of your coworkers. Being part of the same network means that one of your coworkers could potentially access data stored on your computer, or capture your web and email traffic as it traverses the network. While this scenario is somewhat unlikely, on many corporate networks there are few controls in place to prevent this, and little to warn you if this is occurring.

Your work computer is intended for just that; work-related activities. Save your personal web browsing and email for times when you are on a trusted computer, such as your home computer. In most cases, your personal information will be far safer there than at work.

Many users, specially those who are worried about privacy, already know cookies: how they work, where are they saved and, most imprtantly, how to delete them. Most browsers include an utility to manage them, blocking or deleting the ones we don’t want.

But even if you are actively deleting cookies, you might still be leaving something behind. Local Shared Objects are the implementation of cookies done by Adobe Flash. So, if you have this software installed (and most people do) these Flash cookies are resting on your hard disk, maybe forever.

Each site using Flash can store, by default, up to 100 KB of data in your computer, even without you knowing it. No permission is asked unless the application tries to store more data than permitted.

This data is save in the following lcoations:

• In Windows: C:\Documents and Settings\[user]\Application Data\Macromedia\Flash Player
• In Mac OS X: /Users/[user]/Library/Preferences/Macromedia/Flash Player
• In Linux: ~/.macromedia

So, how can we manage these Flash cookies? The Adobe Flash Player Settings Manager is a small Flash program by Adobe which will allow to view the stored Local Shared Objects, delete them and limit the quantity of data each site is allowed to save.

We can even block the Flash cookies completely from the Global Storage Settings Panel, unchecking the Allow third-party…

There are also some applications that allow manipulation of the Local Shared Objects, like SolVE, which works in Windows and Mac:

or Sol Editor, only for Windows.

So, are you going to protect your privacy or you don’t mind any marketer being able to spy on you? Yes, this is technically feasible and has already been done. Adbrite and Google ad manager are already storing data on your Flash cookies, who knows how many more will do it?

Let’s situate ourselves. Some investigators from Vrije University, at Amsterdam, wrote some papers predicting the apparition of RFID viruses, explaining how to code them and giving some examples. Although it can work theoretically, I don’t think these viruses pose any threat in the near future.

RFID tags do not contain code, they only contain some data which can be read with an appropriate scanner. The basis of the papers these investigators wrote is that the software controlling the reading of the data will contain bugs that will allow this data to get executed. Technically, this is known as SQL injection, where data is interpreted as SQL code and executed by the database. This is a known trick which has been used by hackers for a long time, allowing them to deface websites and other nasty things.

But, in the physical world, it will be more difficult to make this work. First of all, you will need to know how the software you want to hack works. This is much easier in the web, where many times you can get the source code for the application you want to hack and can examine it line by line. In real world, not many applications will be available for inspection. For example, your local supermarket using RFID won’t allow you to have a look at their source code.

This doesn’t imply it can’t be done, as with some experimentation one can guess how the system is built and how to work around it, but will probably limit a lot the attacks.

For me, the privacy implications of RFID are more important than the probability of a RFID virus appearing some day, and this is something that has not been extensively discussed.

From | Help Net Security

This takes us to the need for encryption. Luckily, our favorite guru Phil Zimmermann (one of the man who has done more things for expanding the use of encryption), the creator of PGP, has just released Zfone, a software that allows to encrypt any voice call done using SIP, an standard VoIP protocol.

If you have used PGP you will have seen that it’s a bit difficult to keep up with all the terms: PKI, key-management, public keys,… With Zfone you will not need this kind of technical expertise. You only install it and it works for you. The key exchange is done with the Diffie-Hellman algorithm which allows to share some private info through a public medium and it avoids men-in-the-middle attacks (typical of these algorithm) with the use of authentication strings which are short enough to be transmitted in the telephone conversation. This is a great idea and a really innovative way to make it easy for users to check the conversation is really secure.

The idea is to make this protocol an standard and integrate it in VoIP clients. By now, it works with any program you are currently using by capturing the data transmitted.

If you want to try you can download it for Linux and Mac and it will be released for Windows in mid-April. If you do so, remember this is beta software, so it might have some bugs and keep in mind this will only encrypt your calls if the other end also uses this software.

From | Error500.

Some time ago, police were the only ones able to locate mobile phones and they usually required a judge to authorise it. But not anymore. In United Kingdom, various web sites give you the opportunity to see the path a person has been following during all day and where is he at every moment.

How does this work? Base stations, the antennas which allow you to communicate wirelessly with your mobile, have a known location so, as your phone is associated with the nearest base station there’s a reduced range where you can be at that moment. The precision can even be increased with the use of multiple base stations to locate you, in a process call triangulation, where your location can be found with a precision of few meters.

How do I track someone? It’s really easy. You only have to visit World Tracker web site and register. Then  you’ll be able to track the mobile phone you want. OK, not that really easy, as this would be a serious breach of privacy. When you add someone to your list they are send an SMS asking for confirmation, once they answer to it you’ll be authorised to track that mobile.

But, what about the mobile of your spouse or your coworker. It’s probably really easy for you to get it for a few moments, add it to the tracking service, confirm the received SMS and delete it so they won’t know about it. And then, ta-dah, you can locate that mobile phone without them knowing. Hey, even better, you can see them in Google Maps.

In theory, these companies have to send reminders to that mobile at random intervals of time, but many times days pass without receiving these reminders, so we could track someone for a few days without their knowledge.

Scared, now? Yeah, me too. This does not only work in United Kingdom. Some time ago, a similar service was launched in Spain called Localízame. It works in a similar way, where people have to authorise you, and then you only have to send an SMS with their number and you’ll receive a reply with their location and even the accuracy of this location.

There’s no real solution to this problem. The only thing you can do is keep your mobile phone with you at all times or, if you are really paranoid, not having a mobile could be even better.

To make matters worse, the classic justification was used: “If you don’t do anything wrong why would you have to worry?” Well, as Bruce Schneier says, we don’t have a crisp answer to that, but I know most of us don’t feel like having a camera installed at home. There’s something called privacy most people value a lot. I don’t feel comfortable when police can know everything I do, everything I like or everything I say.

So, the question is would Houston’s police chief like to have some cameras installed at his home?

As Benjamin Franklin said: “They who can give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.”, and this is a question about liberty. Do you think this will become reality?

From | Schneier on Security