Yes, the Belgian government can decide which websites we visit and which we don't. The first step on a road that will lead us to situations like we have seen in Australia (According to Child Support groups, Net filtering is a waste of money)
Here is the best Belgian article I have read to date about this issue which covers all aspects : "zwarte lijst voor belgische surfers omstreden" by Els Bellens (Zdnet.be)
Like Tim Berners-Lee, inventor of the WWW stated, the internet was designed to be used without limitations. The main argument of government officials to start with this blacklist, is that "average users won't be able to stumble upon these bad websites anymore. It's for their own protection. "
And in a typical Belgian fashion, (luckily for us), it's implemented in the least efficient manner: a DNS blacklist.
And as expected, a lot of internet users (e.g. blogologie, lvb.net, belgiancowboys.be, tik vzw) have started listing ways to bypass this filter just as a matter of principle (like the Streisand effect).
So let's hope that this blacklist will go away and the government will stop throwing away money on an inefficient systems that will never work.
Saturday
Ways to bypass the Big Belgian firewall
Wednesday
Sign against Dataretention - bewaarjeprivacy.be
Finally something in Belgium to be proud of. Several organizations in Belgium representing internet users, lawyers, journalists, etc.... have started a petition against the Belgian adaptation of the EU Dataretention law.
Why should you sign this petition?
- It's an invasion on your privacy
- It makes 10 million Belgians potential suspects
- It invades the professional confidentiality between lawyers and their clients, journalists and their sources etc....
- The necessity of Dataretention has yet to be proven
- Dataretention provides no guarantee against terrorism or crime
- It will result in a high price that consumers will have to pay....
Tuesday
Automated Social Networking Surveillance Systems
Last week, I noticed the existence of an EU surveillance project called "Intelligent information system supporting observation, searching and detection for security of citizens in urban environment" better known as "INDECT". You can have a look at their official website.
According to Wikileaks, INDECT’s “Work package 4″ is designed “to comb web blogs, chat sites, news reports, and social-networking sites in order to build up automatic dossiers on individuals, organizations and their relationships.” Ponder that phrase again: “automatic dossiers.” (source)Automatic dossiers? Doesn't that give you a warm fuzzy feeling inside? There are a lot more reports and articles mentioned about similar projects (including network monitoring and data mining suites designed by Nokia Siemens, Ericsson and Verint) on this website.
I enjoy and believe in the benefits of social networks as long as commons sense prevails about what you publish. But how many people are aware of the potential issues? Not that mass surveillance should be expected and allowed.
Say a word online out of context and be labeled a potential 'problem' case. I don't believe in a technological magic wand who will correctly filter information. Too much possible false positives. Hasn't the world of IDS taught us that? Question is, who is making the alert filters for this systems? Who is going to watch the watchers?
Some time ago, the Social Media Security blog and podcast was founded. While I haven't really had time to spend some time on it, I highly advice to have a closer look at it.
So apart from cybercriminals, must we also fear our governments?
Related posts:
- International Action Day “Freedom not Fear 2009 – Stop the Surveillance Mania!” on 12th September 2009
- According to Child Support groups, Net filtering is a waste of money
- Big Brother 2009: Has the rebellion started?
- Privacy matters: A movie by XS4ALL to raise user awareness to data surveillance
- ENISA's New Paper: "Inside the matrix: Privacy & data protection challenges".
- Dress good! Google Streetview driving around in Belgium.
- ENISA releases paper on Security and Privacy in online games and social and corporate virtual worlds
- Skype backdoor speculation and Data surveillance of today
- FBI Wiretapping: Just point and click
- China's golden shield, a citizen mass surveillance system
- The dangers of social networking and some countermeasures
- German ID card won't include fingerprints
- Billion pound UK CCTV solves 3% of crimes. Efficient?
- When technology takes over our life
- Airport Security: All your data are belong to us
- Dutch government wants fingerprints of every dutchman in national database
- Wikileaks releases details on German police Trojan
- EU might decide that an IP is personal information
Privacy and the 'Belgian Mobility Card' (BMC)
It has been some while since we blogged about the "Privacy failure in the Belgian RFID transport card", but the card will still be introduced nationally.
See Chipkaarten De Lijn niet voor volgend jaar (datanews)
Testing will occur in 2010 and the rollout will happen during 2011 and 2012. Time to go over some past facts.
Some researchers of the UCL published a report about a privacy issue together with opensource tools that they used to test the card. On http://www.uclouvain.be/sites/security/mobib.html
But the details of the research were removed soon after, together with the tool. Why? Were they pressured in removing it? What would the benefit be in removing it? Don't people know that security by obscurity doesn't work? Sound a bit like a conspiracy, considering who owns the transport card company and who subsides the university. But we can't say for sure.
Some details could still be found via google:
http://www.uclouvain.be/sites/security/download/slides/Avoine-2009-iwrt-slides.pdf
From the PDF:
Personal data are stored in the clear in the card.How can this not be an issue? This can totally be abused by stalkers with a good antenna and a laptop in their backpack, just to name one of the obvious abuses. Fathers, lock up your wife and your daughters.
- Data stored in the card during its personalization: name of the holder, birthdate, zipcode, language, etc.
- Data recorded by the card when used for validations: last three validations (date, time, bus line, bus stop, subway station, etc.), and some additional technical data.
So I hope that the MIVB/STIB, minister Hilde Crevits and other parties involving the Belgian Mobility Card (BMC) will do the right thing and NOT store this sensitive information in the clear before launching this card!!!
Claiming that our national ID contains the same public information is true but it is not on a contactless card. Meaning I have to take it out of your wallet and physically put it in a reader. Comparing those two and claiming there is no issue with cleartext information on a wireless chip is a fantasy story.
There is enough information and other tools available to read the info on the card. e.g.
Other online articles mentioning the issue:
- Met Mobib op het openbaar vervoer in Brussel: uw gegevens te grabbel? (Permanent Gecontroleerde Zones)
- Gekraakte Mobib-kaart doet vragen rijzen naar privacy (Brussel Nieuws)
Monday
Flu epidemic already announced in Belgium
First of all, this is about the general flu epidemic which occurs every year. It's nothing H1N1 specific, which has been overhyped. Act normal and use common sense. But this is relevant information. Apply good hand hygiene, eat healthy and get enough sleep. Enough said.
The Belgian center for Flu Control announced a flu epidemic in their latest week report (pdf) mentioned in their weekly newsletter. Here is the interesting bit translated to English.
Influenza Surveillance for week 40 (28 September tot 4 October)
The epidemic findings for week 40 are: The surveyed data show a heightened circulation of the Influenza virus and a moderate activity for the flu symptoms. According to the determined criteria, the flu epidemic has started.Google search results and other online sources are also a good indicator and they do confirm the results of the Belgian flu center. Have a look at the B.V.L.G blog for a detailed analysis (Dutch) with some nice graphs.
...
The number of H1N1 cases have doubled compared to last week and was estimated at 4160 in week 39 with a cumulative total of 12678.
Related posts:
Thursday
Null character MITM Certificate released
This year Dan Kaminsky and Moxie Marlinspike discovered that when requesting a certificate for example "Paypal.com\0.phishing.com" that some CAs would approve the request. What made it worse is that SSL client (and browsers) would ignore the characters after the null character, leading to an effective SSL Man in the Middle attack.
Although it isn't possible to request these certificates anymore, Jacob Appelbaum released such a certificate yesterday together with the private key, stating that everybody had time enough to fix the issue. If you're a developer, you might want to look into this issue. For example Blackberries were still vulnerable to the attack.
Firefox patched the issue a few days after the initial presentation but other browsers like IE and Chrome rely on Microsoft's CryptoAPI to process the certificate and are still vulnerable.
"There are thousands of products on Windows right now that are still vulnerable to this SSL attack, and if someone were to publicly publish a targeted null prefix certificate, they'd be in trouble," said the white-hat hacker, who goes by the moniker Moxie Marlinspike. "Basically, everything that runs on Windows would be vulnerable with that one certificate." (source: Theregister.co.uk)
Previous posts:
Security4all Blog
Twitter
Slideshare
Facebook
Digg
Flickr
