Josh.Folland: Did you see this article? “Feds Walk Into A Building, Demand Everyone’s Fingerprints To Open Phones.” Katherine.Gorham: Wow. Dystopian much? Josh.Folland: Very. But I was always under the impression the law could compel you to give up your fingerprint. Trevor.Pott: Josh is correct. Josh.Folland: Them storming a building to collect them en masse is mildly frightening. (I use mildly because this sh*t just doesn’t surprise me anymore). Katherine.Gorham: They had a warrant. A super-vague warrant, to be sure, but it wasn’t totally random. Trevor.Pott: I don’t care. They eliminated the presumption of innocence for an entire building’s worth of people.That’s bulls**it. Josh.Folland: They had a warrant to try to find evidence to get a less-stupid warrant. Katherine.Gorham: I’m not saying it was a good move. Just not a warrantless bad one. Also, what’s the data retention policy on randomly collected fingerprints? Forever? Josh.Folland: I can only imagine it goes in “your file”, yeah. Prosecutors would love if they had every person’s fingerprint forever, no? As opposed to waiting until they get put into the system. Trevor.Pott: They collected my fingerprints at the airport when I applied for a NEXUS card, and told me they would be retained by both nations, presumably forever. Once they have that info, does anyone expect them to give it up? Katherine.Gorham: No. But I wondered if there was any specific legislation about it. Trevor.Pott: There’s lots of precedent in the UK for Law Enforcement Agencies (LEAs) to not delete fingerprints, DNA and more when they are supposed to. I expect all members of the Five Eyes to carry equal antipathy towards their own citizens. In Canada, we have Bill C-51, which effectively hands our LEAs carte blanche to do anything they want. Katherine.Gorham: I don’t really care if...
LinkedIn Security/Information Risks with Exchange
posted by Adam Fowler
Originally posted on adamfowlerit.com Today after logging on to LinkedIn, I was greeted with a new screen I found rather worrying. It is commonplace for services like LinkedIn and Facebook to scan through your address book, and ask for credentials to do so (which is rather concerning already), but a new option has popped up: This is asking for your work username and password. No 3rd party should be asking for corporate credentials like this, even more so a company that’s been hacked before http://www.pcworld.com/article/257045/6_5m_linkedin_passwords_posted_online_after_apparent_hack.html . I tried this with a test account, entering the username and temporary password. It then asked for further information, which was the address for the Outlook webmail link and then connected and started showing contacts. LinkedIn on this page says “We’ll import your address book to suggest connections and help you manage your contacts. And we won’t store your password or email anyone without your permission.” which is a start, but it’s just such a bad practise to get into, and encouraging people to do this is irresponsible of LinkedIn in my opinion. On top of this, it’s providing an easy mechanism for staff to mass extract their contacts outside the company, which many companies frown upon or even have strict policies in place. You can’t stop people from entering in these details of course, but you can block the connection from working at the Exchange end, as long as you have at least Exchange 2010 SP1. There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be “EnforceAllowList” and you’re probably OK, as it’s using a whitelist for access to only what’s listed rather than a blacklist, to only block...