How it works
So how does the GGD do that? Well, they first they send you a letter with login data. You can login on their website (not using SSL!) using a predefined code and you are ready to fill in the survey. And to be certain you didn’t forget, they send you the survey on paper, so people with no access or know how of the Internet can complete the survey as well.

Sensitive information
The questions they ask you are about your birth year, marital status, education, health, alcohol use, smoking, drug use, eating habits, social environment, violence at home and your work. A lot of sensitive information, some of which you probably don’t even voluntarily tell to your doctor, unless absolutely necessary.

Anonymity
Of course, you don’t have to be afraid that the data you fill in is connected to you as a person, because they offer you to conduct the survey anonymously. So, the GGD offers you a way to keep your privacy. They intent to do this by allowing you to rip off the first paper of the survey before sending it to them. Well ok, I ripp off the first page and my privacy is guaranteed. But then I started wondering what all the the bar codes and identification numbers are doing on each of the pages? (take a look at the first survey page snapshot below)

Anonymous or not anonymous, that’s the question
The thing that really scares me about this survey is the fact that they lie to the participants. This is not an anonymous survey, at least not to my definition of “anonymous”.
They GGD even mistakenly proofs to you that their survey is not really anonymous. How? Because they recently sent me a letter asking why I didn’t fill in the survey. Err wait, I could have submitted it to them anonymously (remember), so how could they possibly know I didn’t sent it to them or filled it in online already..? That’s the point. If it was really anonymous, they shouldn’t have known whether I sent them the survey!

My opinion
I think the GGD screwed up. Not because their survey was bad, nor is their intention to conduct this survey, but solely because they claim that it is anonymous, which it is certainly not! If they ever want to gain my trust again, or even receive sensitive information about myself, they should define what they mean by “anonymous” and provide a proper and clear privacy policy. Lying is not a good basis for gaining consumer trust.

References (the letters)

[Show as slideshow]

Vodafone voicemail and Skype

The problem is simple. Vodafone NL offers their customers a voicemail service. If you call the voicemail service from your own mobile phone, you get direct access to the voicemail inbox without needing any form of authorization. It seems the mobile’s caller ID is used for authentication.
Skype, on the other hand, has a ‘feature’ that allows you to assign your own mobile number as a caller ID for Skype-Out calls. This means you can spoof your caller ID, if you authorize it with Skype, for which you only need to respond to an SMS sent to the device once.

So, if I could trick a victim into lending me his/her mobile for only 5 minutes, I could abuse that moment to register the mobile number with a Skype account. This would allow me to access the victim’s Vodafone voicemail, because Skype allows you to spoof the number, and Vodafone authenticates you to a voicemail box based on the caller ID. So, I only need my Skype account to access the victim’s voicemail. An even simpler method could be by using a service provider that allows me to spoof a mobile number, like SpoofCard claims to do. You would then only require the victims mobile phone number. Scary!

Other services at risk?

So Vodafone voicemail (NL) is vulnerable for this “hack”. But what about other service providers that rely on the caller ID?

For example the ‘ABN AMRO Saldo voor de iPhone‘ [iTunes], a banking applications for the dutch ABN Amro bank that allows you to see your bank account’ balance (requires a 4-digit PIN).
Or what about the ‘Rabo Bankieren‘ [iTunes] used for banking with the dutch Rabobank that only requires a 5-digit PIN to see your bank account’ balance?
By circumventing the caller ID as being part of the authorization of these applications, the only security layer left is a 4 -or 5-digit PIN code, which IMHO is not enough any more.

Of course, the same principle applies to SMS text messages, like described in the article Twitter and Jott Vulnerable to SMS and Caller ID Spoofing by dhanjani.com, but for the sake of simplicity I will not go into that right now.

Questions and conclusion

So what do you think?

• Do you think this is a security risk or not?
• Is the caller ID something that is easy to fake?
• Why is Skype allowed to spoof the caller ID? Is this something anyone can do on any phone network?
• Should service providers be allowed to trust the caller ID for authentication purposes?
• Have you seen service providers using the caller ID for authentication purposes?

In my opinion trusting the called id for authentication purposes imposes a security risk. Developers should be aware that trusting a caller ID should not be an authentication method solely by itself, but always as an addition to another. In my opinion, service providers should not use the caller ID alone for authentication!

And remember, if Paris Hilton can hack into a voicemail, anyone can!

Update 24-03-2011: I merely used the examples of the ABN Amro and the Rabo Bankieren application as an example to think deeper about security and privacy concerning the use of these (very handy!) financial applications, but its clear that they do not rely (and probably also not even send) the caller ID to the bank’ server, so a probable risk with using the caller ID as authentication for these applications is irrelevant.

I, as a curious Dutch citizen want to test what my government is doing to my Internet accessibility, after hearing rumors of blocks being applied. And to be very honest, I am also interested in the technical solution.
So, where do you start if you want to test this? Well, not with a Dutch government site where the magic black list is hosted of course, but by just reading slashdot.org that links you (indirectly) to wikileaks.org where a list of pages blocked by the Danish government was posted:
https://secure.wikileaks.org/wiki/Denmark:_3863_sites_on_censorship_list%2C_Feb_2008
Gosh, I wonder if this list might point me to some sites that are blocked in the Netherlands as well…

So, I started looking up url’s in the list at random. Most of them appear to be bogus sites, captured by domain hijackers and filled with total nonsense. But after 10 clicks or so, I found a website that was blocked: www dot am using – ki ds dot com. When opening this site via Dutch ISP UPC, I find the page to be on the Dutch black list, resulting in a “STOP” warning, as you can see here:

(the page doesn’t look very professional, which shows similarities to the technical solution that is used to block websites)

A remarkable thing is, that when I make a request for the site via dutch ISP XS4ALL, (I happen to have two Internet connections at my disposal) the site isn’t blocked at all. I know XS4ALL criticizes the way this filtering is implemented, but not blocking access to the site…
Well, it could be that they just have a more recent version of the black list already, who knows. But still, I’m curious whether other Dutch ISP’s like Tiscali, Planet, KPN and even SurfNet (a provider for educational and research facilities) block this site and others do not…
Update: I found out the blocking is an ongoing experiment in which UPC participates.

Above all of this, I very much agree child porn should be stopped because it harms children, but not by bringing down the Freedom of Speech and the Internet, while not solving the underlying problem at all. If there has to be a black list for the common Internet surfer (by that I mean that it helps against the creation and distribution of child pornography), then so be it.
But why can’t it be an open list, a list that is verifiable by everyone on the world, and a list that is used only for blocking what is considered real child pornography hosted on servers that cannot be taken down otherwise (because the server is located in a country where the Dutch government has no jurisdiction). The list should not be abused for blocking anything else but child pornography.

This obvious risk here is that the owner of the list might abuse it for blocking content that is unrelated to child pornography, but for example (seemingly) illegal content (warez) or blog posts with undesirable political content.

The problem with child pornography is way bigger then the Internet. Censoring the Internet in the current way it is done is not really going to do any good against child abusers. So why spend taxes on this solution that is probably not solving anything? Wouldn’t it be more effective to try and find the people creating and distributing the CP?

Access to whatever material cannot be blocked unless you apply strategies like described in Orwell’s 1984, where you have total control over people, where in this case you apply total control over the way in which the Internet can be accessed. The nature of the Internet makes this practically impossible without severely limiting ones freedom on the Internet, thus block a few sites by poisoning the ISP’s DNS server, like is currently done, is not going to work.

Governments should invest in catching the sick people creating and distributing the CP. As I see it, that is not done by obfuscating DNS request. IMHO the collateral damage violates the privacy and freedom of the common Internet user.

If you want to view the Dutch “STOP” website, you can just visit it:
http://212.142.48.139 (please note the stop sign, it animates, so cool)