
DoubleClick to a Whole New Level

They not only track you - they know exactly who you are. And they tell all their friends.



> > Yup. Your CC data from both the Apple Store and iTMS are intimately tied to your Apple ID along with billing and shipping information.

> Those assholes take DoubleClick to a whole new level.

I'm pretty sure you are reading my replies to Apple Tracks in the forum at the moment as I have looked into the iTMS debacle redux. Not that I am defending Google (as they are just as evil) but as I said you can theoretically use Android without a Google account. Of course, you'd need to be rooted with an AOSP build and running FOSS alternatives (such as K9 in place of the standard mail client) and a third party market. It's not easy, but it can be done.

You can also get by on Android without making any app purchases whatsoever. For example, with Cyanogenmod I have SetCPU to govern my OC kernel (free from XDA Developers but of course you can donate), DroidWall (front end to iptables) to block certain apps from phoning home or using in-app advertising, AdFree to modify the hosts file, and Terminal Emulator to gain CLI access.

But even if you do have your Android married to a Google account, CC info is voluntary and only needed when purchasing through the market or Google Checkout. Google does not require you to register a CC when activating an Android phone. Neither does your carrier or the store you purchased it from. (Costco doesn't take major credit cards. Cash is king.)

Compare and contrast with Apple who requires you to furnish a CC and a *social security number* upon activating an iOS-powered device.
http://support.apple.com/kb/ht1381
The fanboy will go hysterical at this point: 'BUT THAT'S FOR THE ORIGINAL iPHONEZ!!111one!' Um, if Apple engaged in that practice before, what makes you think they're suddenly a benevolent company now? Today they turn you over to other sharks instead - see immediately below.

Moreover, AT&T conducts a credit check on you. (I don't ever remember needing a credit check with Verizon but then again things may have changed.)
http://www.creditcards.com/credit-card-news/credit-checks-required-by-Apple-1275.php

Yup, the same AT&T who is more than happy to turn all of your information over to the NSA.
http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm
https://www.eff.org/nsa/faq#8

So Apple has your credit card, billing and shipping information, phone information (tied to AT&T), your contacts, call history, location, and anything else they can extract from your iOS-device per their privacy policy. You can TRY to use alt. addresses and contact info, but that won't fly considering you underwent a credit check which reveals every single financial account you have ever had and every place you have ever lived at. Not to mention...well...they have your address book anyway. Unless you populate it with your alt. address as well as alt. addresses for family members, it won't be hard to track you down...especially if that information got into the wrong hands.

And we haven't even covered AT&T, who also has a treasure trove of info on you, especially if you also subscribe to other services such as a landline, DSL, or U-Verse. Then my TL;DR advice goes out the door as they obviously would know where you live (since they would have to provide service to your physical address). That is unless the utilities are under another name with a designated alt. address. But then that is even beyond my realm of knowledge as I'm not trying to seek witness-grade protection. ;)

Lucky for me, all of the info I registered online with these companies is pretty useless. Any address I provide is a private mailbox. Any number I provide is a 'junk' GV number which forwards to VOIP accounts I created. I boycotted the iTMS after I freed the last of my music way back when I moved to Ubuntu. So Apple has nothing... no CC info... nothing but addresses and phone numbers that go nowhere.

Now think about how screwed all of the rest of the unwashed masses are. Looking back, I'm glad I put those privacy measures into place when I could. This Epsilon breach is turning out to be much bigger than anyone has imagined.

CHARLOTTE — Today many large corporations including Best Buy, Chase Bank, BJs, and more began notifying their customers of a security breach at Epsilon, a company that many corporations use to send emails to their customers.

Customer names and email addresses from some of America's largest companies, like JPMorgan Chase and Kroger, have been compromised by a data security breach at email marketing vendor Epsilon.

What's being described as a 'massive' security breach at email marketing firm Epsilon has compromised the customer names and emails of some of the largest companies in the US, including seven of Fortune's top 10 institutions, reports SecurityWeek.

Epsilon reportedly sends out 40 billion emails each year for more than 2,500 clients. SecurityWeek reports that clients of Epsilon affected by the infiltration include: TiVo, US Bank, JPMorgan Chase, Verizon, Capital One, Marriott Rewards, Ritz-Carlton Rewards, Citi, Brookstone, McKinsey & Co., New York & Co, Kroger and Walgreens.

Epsilon has refused to confirm the full list of companies hit by the breach.

Some may dismiss the type of data harvested as a minor threat, but having access to customer lists opens the opportunity for targeted phishing attacks to customers who expect communications from these brands. Being able to send a targeted phishing message to a bank customer and personally address them by name will certainly result in a much higher 'hit rate' than a typical 'blind' spamming campaign would yield. So having access to this information will just help phishing attacks achieve a higher success rate.

The Victims (Some of Them)

SecurityWeek's list of major brands known to have been compromised.

Ameriprise Financial, Best Buy, Brookstone, Capital One, Citi, Disney Destinations, Home Shopping Network, JPMorgan Chase, Kroger, LL Bean Visa Card, Marriott Rewards, McKinsey & Company, New York & Company, Ritz-Carlton Rewards, Robert Half Technologies, The College Board, TiVo, US Bank, Walgreens.

All told, Epsilon handles about 2,500 corporate clients.

Trusting Epsilon was irresponsible. Are their clients going to take action against them for criminal negligence?

Is It Any Wonder?

Epsilon are of course using Microsoft web technology. What else? Is it any wonder then that all their clients - and all those millions of innocent people who are their clients' clients - have been victimised when those responsible at Epsilon show so little intelligence in trusting Microsoft (of all companies) for security? The breach need not have come through this server - yet the judgement of any company trusting a supplier with a track record like Microsoft's has to be called into question.

HEAD epsilon.com/ HTTP/1.1

HTTP/1.1 200 OK
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
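The headers above are all it takes to fingerprint the platform: the Server, X-Powered-By and X-AspNet-Version fields name the product and its exact version. The following is an added example, not code from the original article, that parses a raw HTTP response and flags such disclosure headers, so a site operator can check their own responses. The sample response is constructed from the header block shown above; the header list and the version regex are this example's own assumptions.

```python
"""Added example (not from the original page): audit a raw HTTP response
for headers that disclose server software and version numbers."""
import re

# Constructed sample: the header block exactly as shown on the page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Constructed sample of the same response with the disclosing headers removed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

# Header names (lower-cased) that commonly reveal the server stack.
# This set is an assumption of the example, not an exhaustive list.
DISCLOSURE_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
}

# A dotted numeric version such as 6.0 or 2.0.50727.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_headers(raw):
    """Split a raw response into its status line and a dict of headers.

    Header names are lower-cased; a repeated header keeps its last value.
    Parsing stops at the first blank line (end of the header section).
    """
    lines = raw.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: missing status line")
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if line.strip() == "":
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort the audit
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit(raw):
    """Return a list of findings, one per disclosure header present.

    Each finding records the header name, its value, and whether the value
    carries an explicit version number (the most useful fingerprint).
    """
    _, headers = parse_headers(raw)
    findings = []
    for name in sorted(headers):
        if name in DISCLOSURE_HEADERS:
            value = headers[name]
            findings.append({
                "header": name,
                "value": value,
                "version": VERSION_RE.search(value) is not None,
            })
    return findings


if __name__ == "__main__":
    for sample, label in ((SAMPLE_RESPONSE, "as shown"), (HARDENED_RESPONSE, "hardened")):
        print(label + ":")
        for f in audit(sample) or [{"header": "(none)", "value": "", "version": False}]:
            print("  %-18s %-20s version=%s" % (f["header"], f["value"], f["version"]))
```

Run against the page's response the audit reports three disclosure headers, two of them with explicit versions; against the hardened variant it reports none. On IIS the X-AspNet-Version header is disabled with `enableVersionHeader="false"` on the `<httpRuntime>` element, and X-Powered-By can be removed via `<customHeaders>` under `<httpProtocol>` in web.config; the Server header needs a request filtering or URL rewrite rule depending on the IIS version.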

Below is a Microsoft web server call graph. It shows what happens with Microsoft's wacky technology when you make a single request - for a webpage, an image on the webpage, whatever. A single HTTP request.

Click the image to read the original article. Should you find the image confusing then imagine what Microsoft's hapless programmers think.



And iTunes has been compromised - yet again. If it's not the marketing geckos then it's the incompetent managers and the lost and bumbling programmers. And the safety of ordinary people is yet again compromised.

Daytona & Hawkeye

Read more about cellphone surveillance technologies used against you by the NSA and AT&T.

Everything they 'steal and store' about you can be stolen from them in turn. Which is exactly what's happened in the Epsilon breach. The problem isn't how greedy corporations fail to safeguard your personal information; the problem is they shouldn't be allowed to have that information in the first place.

And that means you too, Steve Jobs.

Outsourcing Your Security

Anytime you entrust your private data to someone else, you're entrusting it to everyone else. Think STDs.



The Best Buy / Geek Squad 'recommendations' are a slap in the face. They presume you're as dumb as they are; they take no responsibility for their criminal negligence; they're like someone who admitted infecting you with an STD now telling you that you should be more careful.



But go ahead: be more careful. Get off Windows so you're not exploited there anymore; and don't give your private data to corporations you can't trust. Don't give it away unless you absolutely have to. Absolutely don't trust Best Buy. And absolutely don't believe their 'six steps' are going to keep you safe. Get away from Windows and don't trust anyone or any corporation using Microsoft products.

Start by reading here.

See Also
Salisbury Post: BBB warns of email scam
Apple: Activating your original iPhone in the United States
Epsilon: Epsilon Notifies Clients of Unauthorised Entry into Email System
SecurityWeek: Massive Breach at Epsilon Compromises Customer Lists of Major Brands
Digital Trends: 'Massive' data security breach strikes JPMorgan Chase, Kroger, possibly others

Rixstep Industry Watch: Apple Recipient of Not So Coveted Big Brother Award
Rixstep Learning Curve: Privacy: Where We Are Now and What You Can Do (TL;DR)

Office of Inadequate Security: Hackers compromising some iTunes accounts
The Technological: Microsoft: The Most Ridiculous Software Company in the World

Copyright © Radsoft. All rights reserved.