Taking Back Control of Your Data, With Fine Grained, Explicit Permissions 55
BrokenHalo writes with a story at New Scientist outlining one approach to reclaiming your online privacy: a software gatekeeper (described in detail in a paper from last year) from two MIT developers. "Developers Sandy Pentland and Yves-Alexandre de Montjoye claim OpenPDS (PDF) disrupts what NSA whistleblower Edward Snowden called the 'architecture of oppression,' by letting users see and control any third-party requests for their information – whether that's from the NSA or Google. Among other things, the Personal Data Store includes a mechanism for fine-grained management of permissions for sharing of data. Personally, I'm not convinced that what the NSA demands outright to be shared is as relevant as what they surreptitiously take without asking."
I see a problem... (Score:4, Interesting)
Re: (Score:1)
Yes, their naivete is so cute.
From the FA: " People hosting openPDS at home would always know when entities like the NSA request their data, because the law requires a warrant to access data stored in a private home."
Needs to be an appliance.. (Score:3, Interesting)
I already monitor all the traffic into and out of my network - there's lots you have no idea about.
Has to be an appliance.. but that's cheap. Making it easy to understand might open quite a few people's eyes...
Re: (Score:3)
I already monitor all the traffic into and out of my network - there's lots you have no idea about.
Has to be an appliance.. but that's cheap. Making it easy to understand might open quite a few people's eyes...
Really? All traffic?
Seems unlikely. Or, that your network actually does nothing, and has no significant data.
Because there are a million ways insiders can sneak data out, some of which requires visual
inspection. (That email with pictures? No algorithm is going to detect that it is a screen shot
of your secret stuff). That wrist watch? Its really a USB drive. Someone filling out a form
on a SSL website?
Re:Needs to be an appliance.. (Score:4, Interesting)
That spare core seems. .
Re: (Score:1)
Re: (Score:2)
Re:Needs to be an appliance.. (Score:5, Insightful)
It's quite easy to monitor all traffic.
Monitoring is not the same thing as analyzing.. but I am quite certain I know where my packets are headed - at least when they're sent from my gateway. That's how the internet works.
Re: (Score:2)
Monitoring is not the same thing as analyzing.. but I am quite certain I know where my packets are headed - at least when they're sent from my gateway. That's how the internet works.
But are you sure you know everything that is in those packets? Nothing extra in those DNS requests [google.com] leaving your network?
Oh the naivete!! (Score:1, Insightful)
How many times do you people need to be told? If it's on a network, any network, it is out of your control! You really think you can stop the NSA, Google, or any of them?
Re:Oh the naivete!! (Score:5, Funny)
You bet I can! I have my robots.txt file up to date, you know.
Re: (Score:3)
Re: (Score:1)
Redundant? Redundant?? I'll show you redu... oh wait, you're right. NSA and Google are redundant!
Oops..
I feel so very sorry...
More useful (Score:5, Insightful)
Instead of a gatekeeper, I'd rather have a layer of software that automatically lies about myself (such as always giving my name as "John Doe" or my GPS location as being somewhere in the open desert near Timbuktu or something), so that not only the data hoarders don't get my personal information, but their data pool gets polluted. Bad data is much more of a problem to them than no data at all.
Re:More useful (Score:4, Interesting)
not really they don't care about bad or missing data. the piles of data are to large.
Seriously my credit report lists a name of a relation that hasn't existed in 18+ years. And when it did exist it lasted less than 6 months.( a very short marriage of a relation,not mine). But nobody cares about accurate useful data, only if they have it or not.
Take Amazon. they have a record of every purchase I have made over a similar time span. yet they only ever show me adds for things i already have. amazon won't show me something new. What good is showing me stuff that I already own/watched?
I figure just let them keep on collecting it. sooner or later they will have so much useless old data clogging their systems that it will hide you better than trying to delete and police everything.
Re: (Score:3)
God help you if you order gifts through amazon as well. 'I saw you buy X, you might like Y.' Uh, nope. That was for my sister. Thanks for trying though.
Re: (Score:1)
There's specifically a feature to say "Don't take this into account in my buying history." It's just to give Amazon even more info of course, but the suggestions will go away.
Re: (Score:2)
the suggestions go away but it is buried deep under an odd name and your history is still there.
Re: (Score:2)
Re: (Score:3, Interesting)
Even better a botnet that does this - dictionary of names, generate pseudo-biographic info, but distributing across devices you own, device signatures similar to what you own, spoofing MAC addresses etc. Enough noise to reduce their quality & quantity of matches, but not to the point where positives csn stand out..
Now how to wreck matching against LexisNexis matches w/o wrecking Lexis-Nexis per se...
Re: (Score:1)
Look, they have all of the data and do not have to prove a thing. As far as you or anyone else knows, the whole story is bullshit and the NSA has nowhere near the ability that we are lead to believe.
However, since what I just said sounds so stupid and obnoxious, not to be taken seriously, you know, because it's so silly and stuff, but anyway, suppose that they want to lie about having data on you that links you to the scene of the crime, what the hell could you do to argue about it? They don't have to sta
Re: (Score:2, Informative)
If you use Android... openPDroid: http://forum.xda-developers.com/showthread.php?p=36678558
Re: (Score:3)
Potential problem (Score:5, Interesting)
Instead of a gatekeeper, I'd rather have a layer of software that automatically lies about myself (such as always giving my name as "John Doe" or my GPS location as being somewhere in the open desert near Timbuktu or something), so that not only the data hoarders don't get my personal information, but their data pool gets polluted. Bad data is much more of a problem to them than no data at all.
I've been doing that for some years.
In early September, my bank implemented a new type of authentication process. Before I could log in, it asked me a series of questions culled from the public records of my name - it said as much when it started.
The questions were multiple choice, five answers, and went like this:
In what town is 35 Granite Ave located?
. Greenville
. Lexington
. Berwick
. Nashua
. Holliston
Needless to say, I've never been to 35 Granite Ave (that I can remember), never lived there, and don't have the first clue what they were on about. My "polluted public records" came back to bite me.
The bank representative couldn't help because they don't make the web page, the web page techs can't help because they outsource to a service, &c &c. It took extreme measures from one very helpful bank rep to allow me to log in, on a system which had been giving me no problems for many yeas. I'd be screwed if it were the cable, ISP, or phone company.
I'm still in favour of polluting records. If the person asking doesn't have any business knowing whatever it is they're asking, I will lie.
It looks like I'll have to start keeping track of the lies.
Re: (Score:3)
It looks like I'll have to start keeping track of the lies.
Or get a new bank. I've heard of similar things - like BofA asking what color your first car was. The thing is that the low quality of information in these databases is well known. If a bank doesn't have a way to deal with their pseudo-authentication data being bad then they are just negligent - maybe ignorant, maybe sold snake-oil by the data 'proprietor' but either way it is a level of failure that should cause you to question how competent they are in other areas.
Re: (Score:1)
What's even worse is when the bank asks where you stash the bodies as a recovery question...
Re: (Score:1)
It looks like I'll have to start keeping track of the lies.
Or else maybe train your system to send null data rather than fake stuff? I'm going to investigate openPDroid that AC mentioned earlier. Looks like a start...
Re: (Score:2)
It looks like I'll have to start keeping track of the lies.
Use mnemonics - if you invent an address, make the first letter of the street and the town identical. If you invent a birthday, use the same day and vary years, or the other way around. Some people use spam-catch email addresses including the sites name - e.g. tom.nameofthesite@mydomain.com - so if they get spam they know who sold their address. You can use the same trick in your invented personal data. So your G+ address is 1 Google Ave. while your FB address is 1 Facebook Road. Stuff like that.
Re: Potential problem (Score:3)
Uh, why aren't you using a password manager and adding a note about the fake data in the notes/extra info field??
Re:More useful (Score:4, Insightful)
Depends on what they are using it for. If the purpose is individual identification, the data doesn't have to be correct, just unique. If they want to track you, behavior is more important than data, and so on.
But in general, I agree. When those "bonus card" systems for the supermarket etc. came to Europe, I was the guy at the CCCamp to propose everyone in the room stand up and exchange their cards with someone else at random.
But life is turning into a cyberpunk story in one important regard: The vast majority of the population doesn't know nor care about fighting this crap. Those of us who do, we are very few. We are the 1% in this aspect. Your and my data polluting doesn't change a thing in the big picture.
And that's where you are right on the money: If someone came up with a device that does that automatically, and had some other benefit related to this feature so it is of interest to grandma to use it, then you'd have ruined the current Internet top dogs business model in one brave stroke.
A little misleading (Score:2)
This seems to be an Android only app. What did I miss?
Re:A little misleading (Score:4, Insightful)
You are missing the fact that the the summary, the article, and the so called detail description give not a single
clue about how it works, or even precisely what it does.
One would have to assume its some sort of elaborate ruse to see if they can sucker more people into handing over more data by offering a nebulously described so called private data gatekeeper as a free app. Undomesticated equines could not drag me to installing that app.
Re: (Score:1)
You are missing the fact that the the summary, the article, and the so called detail description give not a single clue about how it works, or even precisely what it does.
You can thank the /. editors for that. (Sigh...)
In my (now totally re-written) submission I provided a link to the actual NS article (which is still up there on the main page) and a detailed description from the developers here [idcubed.org] (PDF).
HTH.
Re: (Score:2)
it's a joke.
how the fuck could the app know if your information was requested from google by the nsa? it couldn't. furthermore google wouldn't be at the liberty to tell you.
They can still hack the guard software (Score:2)
From TFA:
People hosting openPDS at home would always know when entities like the NSA request their data, because the law requires a warrant to access data stored in a private home.
They disregard the constitution and you want them to respect the law? Indeed the government will not physically get into your house without a warrant, but we know they have no problem remotely hacking your computer [wired.com].
Re: (Score:2)
The residents of Watertown might disagree:
https://www.youtube.com/watch?v=YWsbBhzxYw8 [youtube.com]
Re: (Score:2)
Fine-grained permissions? (Score:3)
I never felt the need for fine-grained permissions. Here is the configuration that I use:
permissions {
deny all;
}
If you need something that doesn't pass through that filter, come and see me.
Taking Back Control of Your Data... Pfft! (Score:1)
All *your* data are buried in the wall [slashdot.org]...
Sounds eerily familiar [classicshorts.com]...
Easier to configure than SELinux? (Score:2)
Configuring it is always the hardest problem, even if everything else worked right.
Lessons of SELinux (Score:3)
If the control is too fine grained, people give up and just turn off the controls altogether. I see this constantly with SELinux and complex firewalls and filesytem permissions, and two-part authentication.
Permissions? (Score:2)
...the Personal Data Store includes a mechanism for fine-grained management of permissions for sharing of data ...
You mean like in Oracle, where the list of system and object privileges cover 14 pages in the manual (version 12)? In my experience this is simply too unwieldy to use in practice; in most cases you end up defining a small handful of roles (in Oracle: a bundle of privileges) that are used for everybody. Or if you are the average, lazy guy, you just grant dba to all users; you wouldn't believe how many Oracle instances I have come across, where the SYS account still had password "CHANGE_ON_INSTALL".
There is
Oh Great... (Score:2)
The stuff that isn't in the summary (Score:2)
Their video http://www.youtube.com/watch?v=eS1LgeQTO1A [youtube.com]
The product page - http://openpds.media.mit.edu/ [mit.edu]