OASIS Mailing List Archives

ekmi message



Subject: Re: [Dataloss] [ekmi] Re: fringe: Open source laptop tracking


While I agree with you, Allen, I think it's too late for that.
Don't Google, Yahoo, MSN, etc. have all this information 
already?  Didn't Yahoo already turn over one dissident to the 
Chinese government already?  

(Aren't we all being tagged on this conversation already? :-) )

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Allen" <netsecurity@sound-by-design.com>
To: "Arshad Noor" <arshad.noor@strongauth.com>
Cc: "Matthew Rosenquist" <matthew.rosenquist@intel.com>, "security curmudgeon" <jericho@attrition.org>, ST-ISC@MAIL.ABANET.ORG, "ekmi" <ekmi@lists.oasis-open.org>, dataloss@attrition.org, "brian honan" <brian.honan@bhconsulting.ie>, "Brian Krebs" <Brian.Krebs@washingtonpost.com>
Sent: Thursday, July 17, 2008 11:24:06 AM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] [ekmi] Re:  fringe: Open source laptop tracking

Hi Gang,

There is another issue in all this that is being neglected - the 
constant flow of data to a server somewhere about the activities of 
the person with the tracking software installed.

It seems to me that we are putting leashes on ourselves to gain some 
minor "security" about the theft of our laptops.

> Once downloaded onto a laptop, the software starts anonymously sending encrypted notes about the computer’s whereabouts to servers on the Internet. If the laptop ever goes missing, the user downloads another program, enters a username and password, and then picks up this information from the servers, a free storage service called OpenDHT.

If I understand this correctly, data about your presence is saved 
(for how long?) on a server (that is controlled by whom?) in an 
encrypted form (how good is the encryption?) that can be used later 
to trace where the computer was the last time it was connected to 
the internet, or, perhaps, the next time it is connected to the 
internet.

I see two serious privacy issues with this: data retention and 
potential real-time tracking.

Remember, the Gestapo used the Hollerith cards from the censuses of 
1933 and 1939 to assist in rounding up Jews for the Holocaust. There 
is not a huge difference between that use of technology and the 
potential for its abuse today. I don't want to get into the politics 
of how this might come to be, but rather focus on the potential 
risks. After all, there has already been one attempt to create a 
military overthrow of our government during the chaos of the 
Depression years, so the possibility cannot be totally ignored. (See 
retired Marine Corps Major General Smedley Butler's history for details.)

It seems to me as security professionals we owe a duty to not only 
see that what we propose works as intended, but in addition, it can 
not easily be subverted to work against the best interests of our 
society.



