What’s The Difference Between Whistleblower & Leaker?


Americans who get labeled a “whistleblower” become a hero. Get labeled a “leaker” and you could get branded a traitor and end up in jail. What’s the difference? It all depends on the status of information shared and the channels that the information travels through to become public.

Whistleblower Protections: In essence, a whistleblower is a leaker of information that certain parties would have preferred to remain secret. To encourage people to come forward with information out of concern for public safety, there are U.S. statutes that protect whistleblowers. However, there is a fine line between being a protected whistleblower and a criminal leaker.

Status Of Information: Any American citizen can disclose corporate or government information so long as it is not federally classified information or disclosures prohibited by the Uniform Trade Secrets Act.

  • Trade Secrets: A patented product or process is one tangible example of a trade secret. Patent information is protected for 17 years. But companies and individuals enjoy protection of certain trade related information other than what is covered by a patent. However a trade secret is specifically defined, it enjoys legal protection.
  • Federal Information: There are generally three categories of federally classified material: sensitive, secret and confidential. Category is determined by who might be harmed if the information went public. However, material must be de-classified after it ages past the 25-year mark unless it meets a narrow exemption, such as designs for nuclear weapons.

Lifting The Veil: But what if it is in the best interest of the public that legally protected secrets be revealed? The difference between a whistleblower and a leaker is defined in the key decision on how to go about lifting the veil. To enjoy legal protection, a whistleblower must go through proper channels to bring the information to light. A leaker goes straight to the public. A whistleblower is legally protected from prosecution via the Whistleblower Protection Enhancement Act of 2012. A leaker doesn’t have the same protection. That is why leakers often exercise their freedom of speech in ways that protect their anonymity.

Information might be leaked anonymously to a news agency or journalist. Leaking directly to the public through the Internet is also popular. Platforms like OrangeWebsite are committed to supporting freedom of speech and make it easy to go public in a global forum.

Why Go Rogue? If there are legal protections in place that allow a concerned citizen to bring important information to the public’s attention, why risk legal trouble by becoming a leaker? There are usually three different circumstances that inspire a person to go rogue with classified information or trade secrets.

1. Frustration: A person trying to serve public interest by first going through the proper channels may become frustrated if they experience stonewalling. The wheels of bureaucracy oftentimes churn quite slowly. A concerned citizen may have had every intention of being a protected whistleblower. They had a reasonable expectation of believing in “the system”. They wanted to put an end to improper corporate practices, abuse of authority or other circumstances they felt endangered the public or violated public trust. However, should they become anxious, awaiting results from their appropriate action of bringing attention to the matter within the proper channels, they might decide to go rogue. Especially if they believe that lives are at stake.

2. Money: Where trade secrets or military intelligence is concerned, the pay-out of a lifetime could become an irresistible temptation even for the most scrupulous concerned citizen. Enemies of the state and eagerly competitive entrepreneurs understand the value of such information. They are willing to pay to get their hands on what will surely be the information that will make their careers. The average citizen is no match for highly skilled negotiators tasked with securing sensitive information.

3. Political Motives: Although it is easy to ascribe political motives to many leaks that reveal embarrassing or compromising information about politicians, political motives can run much deeper. Sometimes there is real villainy attached to political motives behind a leak of classified information and trade secrets. Traditional politics can inspire a person to leak information that can endanger military and intelligence personnel. For countries engaged in wars, within the populace of their own country are those willing to do anything to resist and interfere in military action. But the definition of politics is more nuanced. Even a corporate environment has its own politics. A leaker of a trade secret could simply be a disgruntled employee seeking to sabotage an employer as a form of retribution.

Where The Government Stands: Although it may seem that the U.S. government is always up to something nefarious, the truth is that agencies strenuously encourage blowing the whistle on misconduct or wrongful acts. There are hotlines provided, such as the Office of Inspector Generals (OIG). Presidential directives prohibit employer retaliation toward a whistleblower. The U.S. Occupational Safety and Health Administration (OSHA) has a whistleblower website. The Office of Special Counsel (OSC) is tasked with investigating and prosecuting allegations received from whistleblowers. By making it easy to communicate to federal officials about concerns, the government is signalling to concerned citizens that the State does, indeed, care about doing the right thing. But a whistleblower must be patient, understanding that the investigative process is tedious, lengthy and, by its very nature, quiet. It may seem like nothing is happening when the exact opposite is true.

The Risk Of Going Rogue: Should a whistleblower throw their hands up in the air, grow impatient and cross the line to become a leaker, they put themselves at risk for prosecution. Should a case be made against them, their motive will be the hinge upon which their case will turn. Even if a motive is concern for the public, but a whistleblower became impatient with the process, the mood of the country could still result in the full weight of the law coming down. In a national climate that is strained by war, hostile politics, and a number of public actors who became notorious leakers escaping justice, it could be that the federal government seeks to make an example of a leaker and any leaker will do. Even a leaker with noble intentions.

For more information on issues related to freedom of speech, security and online privacy, please contact us. That is our mission, to provide the world with a platform for the words they wish to share with the world.

Freedom of Speech Amendment

How Orange Website Policies Promote Your Right to Publish Anything.

You may not be located in the U.S., but you know that nation has a freedom of speech amendment that protects individuals' ability to talk or publish on any topic — even controversial religious, political or sexual subjects. The First Amendment to the U.S. Constitution sets an ideal for the world in protecting your right to say what you think.

At the same time, under certain circumstances, even courts in the U.S. can require internet service providers or web hosting service providers to release data about their customers. One example is in cases where copyright may have been violated. Under the Digital Millennium Copyright Act (DMCA), companies who claim copyright violations can ask an internet service provider to remove websites that may contain copyrighted materials and can sue for information on the person who posted it. The problem with a DMCA Takedown request is that the requesting party may not even need to prove the copyright violation and it can be used to silence or remove controversial material. In some cases, the material in question was covered under fair use guidelines or was not even owned by the requester.

Outside the U.S., other nations may place tight restrictions on what you can say, even online. In March, a city civil court in India ruled that a news website had to remove two articles that criticized a local politician. Last year, news websites in Ecuador were told by the government to remove stories and images, and some sites suffered suspicious Denial-of-Service attacks that shut down their sites after publishing stories about potential corruption.

No matter where you’re located in the world, you want a truly free web hosting company that will completely protect your right to publish without harassment, censorship or legal threats. That’s where OrangeWebsite hosting comes in. We’re based in Iceland, where freedom of expression is protected by the constitution. In the global community, Iceland’s legislature is known for strongly advocating freedom of speech and a free press. Bloggers and journalists have the freedom to publish virtually anything without fear of being uncovered or legally prosecuted.

OrangeWebsite can’t protect you from legal prosecution in your country, but we can ensure that your website that reports on the government won’t be taken down on the whim of an angry politician. We also do not respond to DMCA Takedown requests; any legal action to censor your website must be filed in Icelandic court and approved by an Icelandic judge. Because of our very lenient laws, this is rare.

Security and privacy matters. We don’t release your information to others and we don’t allow you to be censored, even if your published material is controversial. We do require that you follow our terms of service and the very liberal Icelandic laws to be our customer, but we think you’ll find there’s no better home for your site, no matter what you’re saying.

Want to know more about why we’re the best fit for you? Here’s a quick rundown:

  • We’re located in a convenient geographical location. Because we’re halfway between North America and the European continent, we can offer blazing fast connection speeds to customers in either location. (At last measure, you could connect from Europe in 29 ms and the U.S. in 39 ms — pretty speedy.) That means your site will load quickly and perform well for visitors from either location, and for that matter, around the world.
  • You don’t have to provide personal data. Well, we do need an email address so we can contact you, but we don’t ask for any other details. We’ve found we can provide excellent service to our customers without needing to know names, addresses or other contact information. While we take every possible step to protect our servers, we also know you’ll be happy that hackers can’t ever access your personal data — because it’s not there to take.
  • We don’t reveal any of your information. We don’t have to legally make any customer details available to the Icelandic government — or any other government or organization in the world. Even though we don’t store your details, we don’t have to give up even the little we do have to anyone who asks. Your identity is protected with us.
  • We accept BitCoin. BitCoin is the world’s most popular cryptocurrency. You can use BitCoin to pay your invoices without sharing any personal details. Plus, there are no transaction fees for using BitCoin. We use the current exchange rate between euros and BitCoin.
  • We’ll keep your website safe from attack. Attackers have increased as their methods have become more sophisticated and widely shared. If you’re running a controversial website, it may be more likely to be targeted by folks who don’t like you or consider themselves your competition. We’re one of the few companies in the world to offer high-end DDoS protection methods, including against Layer 7 (application layer) attacks. You pay for the level of protection you need.
  • We require two-factor authentication. Another way to protect against your information being stolen or used, or your website being taken down, is to require two-factor authentication. Each time you log in, your phone gets an automatic text message with a code that you use for access. Use any number capable of receiving SMS data — it doesn’t have to be connected to your name in any way. Two-factor authentication virtually guarantees that even if your password gets cracked, an intruder can’t get into your website files.
  • We’re proactive against all types of security threats. Our team includes server security specialists and “ethical hackers” who are constantly checking our systems for issues. We also keep our software updated with the latest security patches and perform regular audits to ensure there are no easy ways to access our servers. Every connection to our servers goes through a 256-bit SSL layer just to make absolutely certain your information isn’t getting viewed or captured by an outside source.

What’s more, we are there for you, no matter where you’re located. Our 24-hour response team is available to help if you run across any issues with your service, and an authorized staff member is always keeping an eye on our security. Our professional support staff can customize solutions for you if you need specialized assistance.

You may also be pleased to know that we do all this with a focus on sustainability. While it doesn’t impact your ability to remain private, you should know our servers run on 100 percent green energy. Iceland is home to many options for renewable resources and we take full advantage of these to power our servers and reduce pollution from traditional energy sources.

Do you have more questions about the Freedom of Speech Amendment and how we can maintain your privacy and security as a publisher, blogger or journalist, no matter where in the world you’re physically located? We’d be happy to talk to you and set up a custom plan that meets your needs. Contact us for information about our security or our server plans.

The Importance of Using Anonymous Website Services Online

In a world that is becoming more interconnected, with more and more powerful governments and corporations moving through it by the day, anonymous internet services are becoming increasingly critical. Here’s some information about these types of services, including why they are important and how they can be used.

Internet Hosting Anonymity Services Tips: Overview and Bitcoin

Anonymity should be one of the most important things you focus on when you go to look at potential web host options. After all, this is going to be one of the areas where you could have your identity revealed or have sensitive information get out if this is something that you’re worried about currently.

This means that you have to focus on a few particular options within this area in order to form the basis of your decision. For example, one question that it’s worth asking early is whether or not a hosting company takes Bitcoin.

This is important for a number of reasons. It’s important for the obvious reason, which is that this would allow you to pay for your hosting with Bitcoin, which is a more anonymous way to pay for everything than the other common means of payment which often include PayPal and credit cards right at the top of the list.

These aren’t especially anonymous because they both tend to require that you hand out full details about yourself such as address and name. In the case of PayPal, there’s even a push to connect it with a bank account in order to get full functionality. When it comes to credit cards, many of them even ask for a whole lot of information such as your Social Security number in the United States, for example.

But, with Bitcoin, once you fund your wallet, you can divorce the payment from yourself a bit. There are strategies to swap around coins too in order to make it even more anonymous. You can pay with cash at certain terminals that accept conversion from cash to Bitcoin directly.

Internet Hosting Tips: Other Markers to Look For

Besides Bitcoin or other anonymous options, there are other services within the hosting service that can be important in your determination about whether a company is going to be worth it to you if anonymity is your primary concern. For example, the country that a company is located in can make a major difference in terms of how safe you feel getting hosting services from them.

One example of this is OrangeWebsite, which has operations in Iceland. This country is often lauded for their privacy laws so this could be a good choice if you check out Iceland yourself and come to the same conclusion. Other people might simply try to avoid hosting services in countries they don’t trust due to poor privacy laws. There are also other nations out there that might be good for this such as Canada, which has user privacy protections, or Switzerland, which is often known for being neutral and not accepting demands for information from other countries that easily.

VPN Services

Another important privacy service worth mentioning is a Virtual Private Network. This is something that connects your computer’s Internet to a third party before it connects to a website. As a result, you’re able to make it seem like a different IP address, that is, a different computer other than yours connects to wherever online.

This extends to all of your connections, including anything you download or upload with other programs, for example. It can protect the security and privacy of a Skype video call, Facebook Facetime, or anything else that you want to keep protected. These services often use much higher level encryption than they would have otherwise, even the AES 256-bit encryption that’s known as being so secure plenty of corporations used it. This is actually important with services like Skype because they don’t really offer encryption on their own much of the time. The person you’re talking to will also not automatically get your IP address so you can keep it private.

Many people online speak of the importance of making sure that you pay for a VPN. If you try to use a free one, there’s always the chance that the VPN is selling your information; the idea is that if they don’t sell a product, then the product could be you and your data.

If you have some reason especially to make sure you can’t be traced, such as dealing with a government that has reason to snoop on you, then it’s important to try to have the whole package deal when it comes to your security and anonymity. That’s exactly why it’s helpful to pair a privacy and security conscious hosting service with a VPN for added security when you’re running a website and are trying to make sure that you can say what you want without being snooped on by governments, third party organizations, hackers, or anyone else that has no business looking into yours.

Proxy Services

One alternative to a VPN, if you don’t need or don’t want to secure every connection, is to instead use another type of Internet privacy service called a proxy. These will mostly just secure your web browsing itself directly.

It can be a secondary option that will work well for you if you find one in a country you trust with a company you trust so that you can do what you have to do online anonymously, including running your website through a reputable company, for example.

For more information on privacy services including secure hosting and others, please contact us today.

Hacking Scandals: The Biggest, Baddest, And Scariest

The Internet is a worldwide platform for sharing information. It is a community of common interests. No country is immune to such global challenges as cybercrime, hacking, and invasion of privacy.

—Lu Wei

Knives and guns are no longer the weapons of choice for criminals. A keyboard is. Hacking has become the most effective way to either gain the most reward or do the most damage in a single crime. And because individuals and companies care more about locking their doors and installing security cameras than encrypting and protecting their digital information, it is arguably easier to rob data than a house or an office building. Additionally, as hacking has become more popular, a hacking community has emerged, creating competition for the biggest or baddest hack. Here are just a few of the worst:

1. and 2. Yahoo

Yahoo takes the cake when it comes to data breaches. Two breaches that their systems have undergone hold the top two places on this list. In September of 2016, Yahoo announced that two years prior 500 million Yahoo accounts had been breached. The evidence, according to Yahoo, pointed to a state-sponsored actor. A few months later, at the end of 2016, another Yahoo hacking incident came to light. A much bigger one. Yahoo announced that in August of 2013, 1 billion accounts had been breached, making it the largest hack on record. From the evidence that investigators found, the two hacking incidents were not linked. However, in both hacking incidents, everything from dates of birth and email addresses to encrypted security questions and answers and hashed passwords were stolen. Fortunately, no financial information was taken.

3. Myspace

This massive data breach garnered nowhere near as much news as Yahoo and other lesser hacks. That is not because it was not on a wide scale; it is simply because Myspace is no longer a company that garners as much news. The attack compromised 360 million Myspace accounts sometime before June of 2013. Usernames, email addresses, and passwords were all stolen. Myspace, its owner Time Inc., and investigators have not been able to nail down an exact date for when the attack took place, which is not uncommon as many hackers can get access to a system and stay there for months without being detected.

4. eBay

In early 2014, the massive online auction house was hacked. 145 million accounts were breached. It was a similar hack to the Yahoo ones, with email addresses, mailing addresses, birth dates and more being stolen. And still similarly to Yahoo’s hacks, no financial information was taken. The route of the hacking was identified: The hackers managed to obtain employee login credentials, which gave them access to the company’s corporate network.

5. LinkedIn

The LinkedIn hack was a special one because the information that was stolen was very publicly sold. In May of 2016, the hacker who stole the information, an individual going by the name ‘Peace’, attempted to sell 117 million LinkedIn emails and passwords—this was 100 million more accounts than the company had originally believed to have been affected by the 2012 hack.

6. Target

The Target hack may not be the largest hack of all time, but it has arguably been the most destructive hack. So destructive, in fact, that Target had to pay out $10 million to the victims of the massive data breach. The breach itself happened in 2013 and it affected 110 million individuals, who had all of their credit or debit card information stolen. This included everything from customer names and card numbers to the magnetic strip code and PIN data. Each victim, who could prove that their card information had been used or their credit history had been tarnished, could claim up to $10,000.

7. AOL

In 2003, a crime was committed by an AOL employee. He hacked into the corporate system to steal a list of AOL customers, their emails, and their screen names. The employee sold this list of 92 million email addresses for $28,000. It was then circulated among spammers who sent unwarranted marketing emails to all of the addresses on the list. It cost the company $400,000, not to mention the loss in customers that it likely triggered. The employee was found guilty in court, sentenced to 15 months in prison and slapped with a hefty fine.

8. Ashley Madison

While no financial harm came to any of the individuals who had their information stolen in the Ashley Madison hack, it has arguably become the most famous hack in recent years. The main reason for this is the loss of privacy. For a dating website that caters to married people, privacy is key. This privacy was lost when, first, the website was hacked and 32 million users’ information was stolen and then, second, that information was posted online for the world to see who was cheating on their spouse. The released data included user information, such as their names, addresses, passwords, and phone numbers, as well as transaction history on the website and descriptions of what the individual users were looking for.

These are just a handful of the hacks that have been perpetrated over the last few years. And these types of attacks are only becoming more and more common. Businesses, of every size and in every sector, as well as individuals, need to protect themselves. This is exactly what OrangeWebsite helps people and organizations do. We provide the highest level of protection against both hacking and governmental collection of private information. Try out our services with a 30-day money back guarantee, utilize our 24/7 technical support, and protect yourself, your information, and the information of those you do business with. For more information, please contact us.

The Increasing OAuth Phishing Threat

People are gradually growing more careful about phishing schemes that impersonate websites and ask for their passwords. But what if they don’t have to give a password to let an unauthorised party get at their data? That’s exactly what happened in a recent phishing campaign aimed at Google users. Hard numbers aren’t available on how many people were affected, but Google said the number was “fewer than 0.1% of Gmail users,” which could be as many as a million.

The Google Docs spoof

People received a message on their Gmail accounts, usually from an address they knew, asking them to open a “Google Doc.” If they did, it asked them to give Google Docs certain permissions, including permission to “read, send, delete, and manage your email.” No password confirmation was necessary, since the victim was already logged in. The only trouble was that the application wasn’t Google Docs but a malicious lookalike web app.

If the victim gave permission, the attacker could then use the account to send the same email to the victim’s contacts. This could have spread without limit if Google hadn’t promptly shut the application down.

The deception took advantage of design and implementation weaknesses in the widely used OAuth2 specification, which allows one Web application privileged access to another. Researchers had warned in 2011 that this kind of spoofing was possible, creating a proof-of-concept application. The 2017 attack may have drawn directly on that code.

What made the attack plausible

A combination of design issues with OAuth, social factors, and implementation choices by Google made the spoofing plausible to anyone without a strong understanding of security issues. The application was in fact hosted on Google, which lets users develop applications for public use. It was a reasonable imitation of Google Docs; the URL was wrong, but it was a Google URL. The mail came from trusted accounts.

The application was called “Google Docs.” Until very recently, Google didn’t prevent user applications from using its name. It still doesn’t provide any warning when an application making this type of request isn’t under Google’s control.

There’s no good reason Google Docs should ask for access to the user’s Gmail account, but people are used to wildly excessive requests for authorization. Websites that let your account connect to a LinkedIn account often ask for permission to post on your behalf. Most people apparently grant it without worrying.

The trouble with OAuth

The deeper problems, which aren’t restricted to Google, lie in the OAuth standard. It’s an authorization system which is weak on authentication. Without strong protections, it makes it easy to trick users into giving untrustworthy applications access to their private data.

In brief, OAuth2 lets a client application request permissions from a server. Only authorized applications can make requests. An application that’s allowed to use OAuth receives a client ID, which is public information, and a client secret (or key), which is confidential.

When the client app invites the user to give it permission, it redirects the user to a server URL. The server will inform the user of the request and give a choice of denying or allowing authorization. If the user allows it, the server redirects back to the client and sends an authorization code, which the client has to retain for as long as it wants to keep the permission. This could be just for a session or permanent. The server can limit its duration.

An obvious problem with this arrangement is that the server needs to trust a client over which it has no control. The client might be trustworthy at the time it gets permission, but a change of policy or a malware infection could change that. Theoretically, users should trust only applications in which they have very high confidence, but many people are far too trusting. The organization operating the server needs to carefully limit the clients it will give access to.

A poor implementation lets a client pretend to be a trusted application. The server has some control over this, since it knows what application is making the request, but it may or may not make it obvious to the user. If it just displays the application’s self-selected name, that’s weak protection.

Users who authorize a rogue application may not even realize there’s a problem. Google and other sites that use OAuth normally make a list of authorized applications available to the user and allow revocation, but it’s buried somewhere in the user settings.

Future risks

It’s a lucky thing that the Gmail attack apparently did little damage. One thing Google did right was to catch the rogue application and revoke its credentials within an hour. We can be sure others will try similar tricks, sometimes with services that don’t react so quickly. Any organization that uses OAuth to grant third-party applications access to its site should review its implementation and policy to make sure it isn’t vulnerable.

The most important precaution is to screen applicants for credentials carefully. A lot of users will give permission to any application that seems to do something useful, so it isn’t enough to trust them to exercise discretion.

Even if what an application currently does is legitimate, the applicant’s reputation needs to be good enough that it isn’t likely to misuse its authorization in the future. Clients should be periodically reviewed to make sure they still deserve trust. If there’s any sign they don’t, it’s important to follow up quickly and, if necessary, revoke authorization. Even an honest organization could have its credentials stolen or its code infected.

The organization should think carefully about what kinds of access it should authorize. The power to speak for the user can be used for fraudulent purposes. The power to read private data could allow theft of secrets. There needs to be a convincing case that the benefits from the application justify the risks.
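One way an authorization server could screen client registrations before they ever reach a consent screen, covering both the self-selected-name weakness described under "The trouble with OAuth" and the screening advice above. This is an added example, not code from Google or any OAuth provider; the scope names, owner accounts, purpose categories and lookalike table are all hypothetical.

```python
"""Screen OAuth client registrations before they can reach a consent screen."""
import unicodedata
from dataclasses import dataclass

# Constructed policy model: owners, scope names and categories are hypothetical.
FIRST_PARTY_OWNERS = {"google"}
PROTECTED_NAMES = ["Google Docs", "Gmail"]
HIGH_RISK_SCOPES = {"mail.read", "mail.send", "mail.delete", "mail.manage"}
PURPOSE_SCOPES = {
    "documents": {"docs.read", "docs.write"},
    "mail": {"mail.read", "mail.send"},
}
# Lookalike characters folded before comparison (small constructed table, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c"})


@dataclass(frozen=True)
class Registration:
    client_id: str
    display_name: str     # chosen freely by the applicant
    owner: str            # account that registered the client, known to the server
    owner_verified: bool
    purpose: str          # category the applicant declared
    scopes: frozenset


def skeleton(name):
    """Comparison key: NFKC, casefold, fold lookalikes, drop non-alphanumerics."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalnum())


PROTECTED_KEYS = {skeleton(n) for n in PROTECTED_NAMES}


def review(reg):
    """Return policy findings for one registration, in a fixed order."""
    findings = []
    key = skeleton(reg.display_name)
    # A protected product name used by anyone other than its real owner.
    if reg.owner not in FIRST_PARTY_OWNERS and any(p in key for p in PROTECTED_KEYS):
        findings.append("brand-impersonation")
    # Power to read or speak for the user requested by an unverified publisher.
    if reg.scopes & HIGH_RISK_SCOPES and not reg.owner_verified:
        findings.append("high-risk-scope-unverified-owner")
    # Scopes that the declared purpose does not justify.
    extra = reg.scopes - PURPOSE_SCOPES.get(reg.purpose, set())
    if extra:
        findings.append("scope-outside-purpose:" + ",".join(sorted(extra)))
    return findings


def decision(reg):
    findings = review(reg)
    if "brand-impersonation" in findings:
        return "block"
    return "manual-review" if findings else "allow"


def consent_label(reg):
    """Consent-screen text built from server-known facts, not only the chosen name."""
    status = "verified" if reg.owner_verified else "UNVERIFIED"
    return f'"{reg.display_name}" registered by {reg.owner} ({status} publisher)'


# Constructed sample registrations modelled on the incident described in the article.
SAMPLES = [
    Registration("c-001", "Google Docs", "google", True, "documents",
                 frozenset({"docs.read", "docs.write"})),
    Registration("c-002", "Google Docs", "dev-4471", False, "documents",
                 frozenset({"mail.read", "mail.send", "mail.delete",
                            "mail.manage", "contacts.read"})),
    Registration("c-003", "G\u043e\u043egle D0cs", "dev-9920", True, "documents",
                 frozenset({"docs.read"})),
    Registration("c-004", "Acme Mail Merge", "acme", True, "mail",
                 frozenset({"mail.send"})),
]

if __name__ == "__main__":
    for reg in SAMPLES:
        print(reg.client_id, decision(reg), review(reg), consent_label(reg))
```

The substring match is deliberately strict: a third-party name that merely contains a protected product name is also blocked, which a real policy might route to manual review instead.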

Authorizing third-party applications can greatly increase the value of a service, but it carries serious responsibility. Anyone who implements it needs to be aware of its dangers and make choices that minimize the chances of abuse.

If you’re concerned with the security of your planned website, OrangeWebsite will provide hosting that will satisfy your needs. Contact us to learn more.