Monday, February 24, 2014
Privacy at our political parties
In the final stretch of the 2013 election campaign I checked whether the political parties in Norway complied with the Personal Data Act and the requirements/recommendations issued by Datatilsynet (the Norwegian Data Protection Authority). What I found was surprising enough that I tipped off Aftenposten, who checked for themselves and, when they contacted Datatilsynet, got a clear answer that the parties were breaking the law. Aftenposten's story is available here.
I also criticised the parties Høyre and Venstre for weak e-mail security, again through Aftenposten.
Now, six months later, it was time to check which parties have kept their promises and put in place the security they are legally required to have.
Tuesday, February 04, 2014
Sparebank 1 MSN on Facebook / Tinder
(English summary at the end)
Updated 06.02.2014: Dagbladet has published a story based on the below.
Both Facebook and Tinder require that personal profiles belong to a real, existing person. The bank has simply ignored this and created fake personal profiles.
Tinder requires that an account be based on an existing personal Facebook profile, and that it be used for non-commercial purposes. The bank breaks these terms, since its purpose is to attract new customers via a dating service (!).
The bank says that an employee who works specifically with social media is responsible for these (fake) profiles. I find it natural to assume that several other employees may get full or partial access to the data that surfaces through their use of these services. By using these profiles, actively or passively, the bank gains access to information about unwitting people that may count as sensitive personal data.
--
English summary:
A Norwegian bank created 2 falsified "personal" accounts on Facebook, and uses them on Tinder (dating site) to attract new potential customers. Not only is this a violation of the EULAs in terms of spoofing & commercial usage, it could also be a gross violation of privacy.
I know these kinds of violations happen every day, but I never thought a Norwegian bank could do something this stupid. To top it all off, their head of information says that so far they are very happy with their strategy. A bank becoming a scammer. Nice strategy. Now take a look in a mirror, and see what a scammer looks like.
(Full story: google translate the link above).
Friday, January 31, 2014
OCR matching Unicode characters
[Image linked from http://babelstone.blogspot.no/2013/10/whats-new-in-unicode-70.html]
I wonder if somebody could do OCR matching of all Unicode 6.x characters against each other, with a threshold value to find characters that visually will look pretty much the same to "normal" people.
Purpose: to identify characters I could use to mock password crackers by telling them my password is ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ, but there's no way in hell you'll be able to crack it.
(No, don't ask me how I would remember how to type in my passwords.)
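As an added example (not code from the original post), the script below covers the text-only half of the question: it runs each character of the quoted password through Unicode NFKC normalization and reports which ones fold to plain ASCII. That matters for the cracking question because a backend that normalizes passwords before hashing (SASLprep-style profiles do) stores the folded form, so those characters add nothing against a cracker who tries the ASCII lookalike; the characters NFKC leaves alone are the ones that actually force a larger keyspace. The visual-similarity half (what OCR would give) is not something NFKC knows about; Unicode's own confusables list (UTS #39) is the usual starting point there. The only input is the password from the post, copied into the LOOKALIKE constant; nothing else is assumed.

```python
"""Which characters of a lookalike password survive Unicode normalization?

Added example, not code from the original post. NFKC (compatibility
decomposition) is the cheap, text-only cousin of the OCR matching the post
asks for: it folds characters such as ROMAN NUMERAL ONE to 'I', but knows
nothing about glyphs that merely look alike in a given font.
"""
import unicodedata

# The lookalike password quoted in the post.
LOOKALIKE = "ᖴᕀⅠ੨Ȝ੫ƼⅥ⑦Ȣ"


def analyse(password):
    """One record per code point: the character, its code point, its Unicode
    name, its NFKC form, and whether NFKC folds it to pure ASCII."""
    rows = []
    for ch in password:
        folded = unicodedata.normalize("NFKC", ch)
        rows.append({
            "char": ch,
            "codepoint": "U+%04X" % ord(ch),
            "name": unicodedata.name(ch, "<unnamed>"),
            "nfkc": folded,
            "folds_to_ascii": folded.isascii(),
        })
    return rows


def stored_form(password):
    """What a backend that runs NFKC before hashing actually stores
    (and therefore what a cracker only has to match)."""
    return unicodedata.normalize("NFKC", password)


def keyspace_report(password):
    """Summarise how much of the password really lives outside ASCII:
    the characters a normalizing backend folds away versus the ones it
    keeps, plus the UTF-8 byte length a hash routine would see."""
    rows = analyse(password)
    folded = [r["char"] for r in rows if r["folds_to_ascii"]]
    kept = [r["char"] for r in rows if not r["folds_to_ascii"]]
    return {
        "chars": len(password),
        "utf8_bytes": len(password.encode("utf-8")),
        "folded_to_ascii": "".join(folded),
        "kept_non_ascii": "".join(kept),
        "nfkc_length": len(stored_form(password)),
    }


if __name__ == "__main__":
    for r in analyse(LOOKALIKE):
        flag = "folds to ASCII" if r["folds_to_ascii"] else "kept as is"
        print("%s %-8s %-40s -> %-3s %s"
              % (r["char"], r["codepoint"], r["name"], r["nfkc"], flag))
    print()
    print("stored after NFKC:", stored_form(LOOKALIKE))
    print(keyspace_report(LOOKALIKE))
```

Run it and the Roman numerals and the circled seven come out folded (the backend would store "I", "VI" and "7"), while the Gurmukhi digits, yogh, tone five and "ou" stay non-ASCII and widen the per-character alphabet a cracker must cover. Whether a real target normalizes at all is something you have to check per system; the script only shows what normalization would do if it is applied.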
That's all.
Tuesday, January 14, 2014
78K and counting!
So far, I have served out 78K+ minutes of viewing time from my YouTube account, through 19K+ views. I am really happy with that. :-)
With 88% males and 12% females watching, I can only speculate why red-headed women seem to have better (longer) passwords on average than men. 146 countries/territories have been watching, even from countries far away like Turkmenistan, Afghanistan, Mongolia, Uganda and South Sudan.
While Windows is the most popular platform for viewing these videos, I'm a bit surprised to see Android in second position, well ahead of Mac, Linux & iOS. But hey, there are viewers out there using Nintendo Wii! :-)
So without further ado, here are the TOP 5 PasswordsCon Videos:
Number 5:
Advanced Password Cracking: Hashcat Techniques for the Last 20%, by Jens Steube (atom, author of Hashcat), PasswordsCon in Las Vegas, July 30-31, 2013.
Number 4:
Energy-efficient bcrypt cracking, by Katja Malvoni, PasswordsCon in Bergen, December 2013.
Number 3:
Passwords^12 - Exploiting a SHA-1 weakness in password cracking, by Jens Steube (atom, author of Hashcat), PasswordsCon in Oslo, December 2012.
Number 2:
Password Cracking, From "abc123" to "thereisnofatebutwhatwemake", by Joshua Dustin and Kevin Young, PasswordsCon in Las Vegas, July 30-31, 2013.
Number 1:
Password Cracking HPC, by Jeremi Gosney, PasswordsCon in Bergen, December 2012.
Congrats Jeremi! :-)
Monday, November 04, 2013
PasswordsCon Bergen - practical info
Alrighty, less than a month until PasswordsCon in Bergen, Norway!
Just some quick & practical information for those travelling here from far away:
Hotels
Most hotels in the city center are within walking distance (15-30 minutes tops) of our venue.
Recommended hotels (in preferred order, based on proximity to the city center):
Radisson Blu Hotel Norge (absolute city center)
Clarion Collection Hotel No 13 (absolute city center)
Thon Hotel Bristol Bergen
Rica Travel Hotel Bergen
Grand Hotel Terminus (has one of the best Whisky bars in northern Europe)
I recommend looking them up on www.tripadvisor.com, but do check their prices directly on their own websites, as that just might give you the best price after all, without all the low-price restrictions. All these hotels are very close to each other, making it easier to go out during the evening and find your way back late at night. :-)
Depending on your arrival (Saturday or Sunday), I'll be able to show you & others around the city, including a visit to the top of one or more of the 7 mountains surrounding the city. Prepare for a bit colder and rainier environment than ... well... wherever. :-)
Wednesday, October 02, 2013
CFP: Passwords^13 (PasswordsCon), Bergen, Dec 2-3
PasswordsCon, December 2-3, 2013, Bergen, Norway
CALL FOR SUBMISSIONS
====================================
Per Thorsheim, with the support of FRISC (www.frisc.no), the University of Bergen and Stricture Consulting Group, organizes PasswordsCon, the fifth edition of a technical conference devoted solely to passwords and related authentication methods.
Passwords are the most common authentication method on internet services and on computers in general, regardless of their form factor (desktop, laptop, tablet, smartphone, etc.). Dissatisfaction with the robustness and usability of current approaches has motivated the previous editions of the Passwords conference, and more recently prompted the organization of the Password Hashing Competition.
The purpose of PasswordsCon is to gather leading researchers in password security and authentication methods in general, so as to best understand the challenges posed and to address them adequately.
Details on the conference will appear on our website as they are ready: passwordscon.org
Sunday, September 22, 2013
Seriously RapidSSLOnline....
RapidSSLOnline sends out HTML formatted emails for certificate renewal containing a direct SSL login link to your account, for easy renewal (or change/delete) of SSL certificates.
Hmm.. And I actually thought that sending out direct login links by clear-text e-mail was a bad idea....
Seriously?
Important update: my link + title initially pointed at RapidSSL.com, while the correct should be RapidSSLOnline.com. Big thx to Tom Willows for correcting me!
Wednesday, September 18, 2013
Bring CRM - and Thon Hotels
I am a member of the Thon Hotels loyalty programme, as I am with several other hotel chains. The prospect of a "free" night's stay is tempting enough. I have regularly received my points statement by e-mail, together with various offers meant to get me to spend both points and money.
However, I have been annoyed ever since the very first mail, which opened with the screenshot above in every single mail. Points to you if you already understand why.
Saturday, September 14, 2013
Facebook Promoted Posts
Passwords^13 in Las Vegas was exceptionally great. I may not be totally neutral when saying so, but after the conference and putting the videos online, I wanted to try out Facebook Promoted Posts. I was deeply disappointed. Here's why.
Sunday, September 01, 2013
Quick look: PIXELPIN
A quick look at PixelPin, which says on its front page:
"Passwords are inherently flawed: they can be phished, hacked, dictionary attacked, and good ones are hard to remember. PixelPin solves all of these problems."
You really can't wave a bigger piece of red cloth in front of my eyes, so I had to take a quick look at what they have to offer. I like the idea of picture passwords, but I'm not all that happy about my observations here.