Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

CTunnel and the Palin breach

It seems like everyone and their twin sister's first cousin is blogging about the breach of Palin's email accounts. I've resisted so far, but wanted to touch on the latest report from the BBC that says that FBI agents are investigating the breach. As part of the news story, the use of the CTunnel tool was mentioned as the anonymous proxy service used by the "hacker". It seems that the FBI is seeking records from the people behind CTunnel in connection with the investigation.

After a quick look at the CTunnel website, I found the following text regarding CTunnel's logging and retention of data.

"Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because a government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy. In short, we value your browsing experience as well as your anonymity, and would not do anything to break your trust in us."

It's not clear from this what "regularly" means, and it will be interesting to see what legal ramifications come from the use of CTunnel in this breach. If the people behind CTunnel are forced to provide all logs related to the breach, I can see people moving away from the service for fear of future privacy issues. I would be much more comfortable if CTunnel had a specific written policy that details things a little better than just "regularly". However, I'm not a customer of the service, so it's not for me to say. That said, if CTunnel truly does "value your browsing experience as well as your anonymity", then I'd hope they have better in-house policies than the badly worded ones listed on their website.

I guess we’ll have to watch this one as it unfolds.

14 responses to "CTunnel and the Palin breach"

  1. Dave Keays September 23, 2008 at 19:58

    I second Chris’ thoughts but I want to add a couple of thoughts.

    This situation is being used as an excuse for being a Luddite. When times are changing you have to expect people and conglomerates of people (aka governments) to change too. But some are willing to fight changes – any and all changes.

    Maybe the conglomerate will change too much and need to be fought, but we can't just blindly balk at all changes.

    The phrase “privacy invasion” is being used in the same way as “murder” is by the anti-abortion crowd.

    Look at the back cover of the HGTTG.

  2. Chris Riley September 23, 2008 at 23:03

    This is true, however many small changes can easily group together to weaken your rights to privacy. Things like this are quick to occur, and people are slow to respond when their rights are threatened.

    I'm not a privacy advocate by any means, but I would hate to see the US (and other like-minded governments) continue down the road they're currently on. There may be many different reasons for reviewing privacy laws; however, hiding the changes behind the mask of terrorism or blaming a few bad eggs (i.e. hackers) isn't the way to make the changes needed. After all, policy in the US, UK, etc. will ultimately impact those of us in Central Europe.

  3. Richard Harvey December 3, 2008 at 20:48

    “The whole attack seems very simple once you understand how it was done. No exploitation, no vulnerable services (in the strictest sense of the word), just good old fashioned research and luck that Yahoo’s password reset was badly implemented (or at least not as well implemented as we’d all like). All the information required for the reset is easy enough to find. When you add the fact that she’s “moderately” well known, then things just get so much easier.”

    Are you serious? It's social engineering at best.

  4. Chris Riley December 4, 2008 at 10:12

    I think if you re-read my first comment, you'll find that's what I'm trying to say. This wasn't a hack; it was somebody taking advantage of a badly designed password reset. Anyway, this has already been covered a thousand times. The mainstream news will continue to call this person a hacker, and those in the know will continue to argue that it wasn't even a hack. Then again, that's an argument that will always rage.
