Categories
Links Writing

An Interesting USB-Drive Encryption System

A group of my colleagues and I are always on the hunt for affordable, easy-to-use, secure drive encryption tools that can be deployed to non-technically savvy individuals. The most recent piece of software we’ve come across is LaCie’s Public-Private encryption which, as far as I can tell, is a pretty front-end for TrueCrypt.

I’ve reached out to the company in the hopes of learning what, if anything, they’ve done in making TrueCrypt a tiny bit easier for people to use. TrueCrypt is one of the more secure means of protecting data. LaCie’s software itself is free – available here – and runs on any USB drive, so you can use the software without having to purchase anything from the company. The only deficit that I’ve come across thus far is that you can only create 4GB partitions; this means that if you want to encrypt everything on an 8GB drive then you’ll need to establish two separate partitions.

I’ll update this site if and when I hear back from the company.

Categories
Links

US Government’s Harassment Made Visible

When your government behaves in such a way that innocent citizens are forced to act as spies to keep safe, then it’s evident that something has gone terribly awry. Laura Poitras, an American citizen and journalist, now lives like a spy: under the constant pressure of potential government harassment and surveillance of herself, her sources, and anyone that is particularly close to her.

Her crime? Being an award-winning filmmaker who has produced films addressing the negative impacts of American imperialism abroad.

Glenn Greenwald has a terrific piece that unpacks what it means to be a prominent journalist, activist, or simple government contrarian who is willing to take entirely legal actions against the American state. Actions like speaking up or otherwise exercising basic civil rights. I won’t lie: it’s a long piece, probably not something you can skim in 2-3 minutes. But if you only read one thing that holds your attention for 10-15 minutes today, go read Glenn’s piece. It’s eye opening.

As a teaser:

In many instances, DHS agents also detain and interrogate her in the foreign airport before her return, on one trip telling her that she would be barred from boarding her flight back home, only to let her board at the last minute. When she arrived at JFK Airport on Thanksgiving weekend of 2010, she was told by one DHS agent — after she asserted her privileges as a journalist to refuse to answer questions about the individuals with whom she met on her trip — that he “finds it very suspicious that you’re not willing to help your country by answering our questions.” They sometimes keep her detained for three to four hours (all while telling her that she will be released more quickly if she answers all their questions and consents to full searches).

Poitras is now forced to take extreme steps — ones that hamper her ability to do her work — to ensure that she can engage in her journalism and produce her films without the U.S. Government intruding into everything she is doing. She now avoids traveling with any electronic devices. She uses alternative methods to deliver the most sensitive parts of her work — raw film and interview notes — to secure locations. She spends substantial time and resources protecting her computers with encryption and password defenses. Especially when she is in the U.S., she avoids talking on the phone about her work, particularly to sources. And she simply will not edit her films at her home out of fear — obviously well-grounded — that government agents will attempt to search and seize the raw footage.


Categories
Aside

Is Your Phone Being Wiretapped?

Categories
Writing

Less Than Impressed With 1Password

First, the good news: 1Password has released a new version of their product on iOS. The company outlines a whole pile of reasons for supposedly delaying security upgrades – among them that the updates will slow the speed at which users can access their encrypted data – but fails to identify what I suspect is a key motive behind the upgrade. If you recall, I wrote a while ago about key failures in mobile password managers. 1Password was amongst those that had flawed security implementations.

To be clear: security, especially good security, is damn hard to engineer. 1Password didn’t have the gaping flaw that others did – i.e. storing passwords in plaintext!! – but it was flawed. In the security community this (ideally) is resolved when someone critiques your secured infrastructure. In today’s world you should also credit the security researcher(s) who identified the flaw.

Unfortunately, this isn’t what 1Password has done. As far as I can tell, there is no formal recognition from the company that they have had flaws in their mobile security model pointed out by a third party. This is a shame, given that a key factor that builds genuine trust in security is transparency. It seems like 1Password is willing to address problems – they’re not dwelling in a security by obscurity paradigm, to be sure! – but not credit others with finding those problems in the first place.

Update: My very, very bad. I missed an earlier piece from 1Password, where they note the research. That is available here. It would have been ideal to see a reference to this in their update but, admittedly, credit had previously been given.

Categories
Quotations

… there is never a single, ideal type towards which any given technology will inevitably evolve. Specific technologies are developed to solve specific problems, for specific users, in specific times and places. How certain problems get defined as being more in need of a solution, which users are considered more important to design for, what other technological systems need to be provided or accounted for, who has the power to set certain technical and economic priorities–these are fundamentally social considerations that deeply influence the process of technological development.

Nathan Ensmenger; The Computer Boys Take Over: Computers, Programmers, and the Politics of Technical Expertise

Categories
Quotations

Something like missionary reductionism has happened to the internet with the rise of web 2.0. The strangeness is being leached away by the mush-making process. Individual web pages as they first appeared in the early 1990s had the flavor of personhood. MySpace preserved some of that flavor, though a process of regularized formatting had begun. Facebook went further, organizing people into multiple-choice identities, while Wikipedia seeks to erase point of view entirely.

If a church or government were doing these things, it would feel authoritarian, but when technologists are the culprits, we seem hip, fresh, and inventive. People will accept ideas presented in technological form that would be abhorrent in any other form.

Jaron Lanier, You Are Not A Gadget

Categories
Links Writing

Incumbent Beats Competitor. Again.

A major challenge facing Canada’s “new” mobile companies is this: how can they extend network coverage across Canada to increase the utility of their product offerings? One way they address the challenge involves entering roaming agreements with incumbent carriers. As Wind Mobile is finding out, Rogers Communications is willing to both do the least possible to enable roaming and fight at the CRTC to maintain this minimal standard.

Specifically, from The Telecom Blog we find that

…Wind Mobile complained again to the CRTC stating that Rogers continues to discriminate against its roaming customers. Though RIM managed to muster support from the Consumer Association of Canada, the CRTC has ruled again in favor of Rogers. The upstart carrier claims that currently there’s no way for Wind subscribers to continue a live call when they hop onto Rogers network. The call is dropped and the subscribers are forced to redial.

Though Wind has been lobbying hard to get seamless roaming onto the Rogers network, the CRTC declined the request stating that “in view of its determination that RCP had not granted itself a preference, it would be inappropriate to deal with the issue of mandating seamless call transition.”

Needless to say, these are the actions of an incumbent doing what it can to limit the appeal of competitors’ products. The reason that Rogers wasn’t found to have granted itself a preference is that Rogers hadn’t rejigged their network in response to the roaming agreement: Rogers simply made the decision not to make technical improvements that would enable seamless live call transitions.

Much of the issue around transitions, and other telecom-related battles between incumbents and competitors in Canada, stems from the CRTC’s basic position that the Canadian telecommunications market should be directed by facilities-based competition. In other words, the position is (generally stated!) that competitors are recognized as temporarily needing access to incumbent networks when they first incorporate, but that the same competitors should build out their own infrastructure over time.

The CRTC’s preferred mode of competition is incredibly expensive and is arguably redundant; structural separation is postulated as one means of addressing the issue, as are spectrum sharing and improved infrastructure sharing agreements that are driven by federal institutions’ fiats. Regardless of the particular solution you favour – if you see a problem as existing, in the first place! – something should be done to better enable new competitors in Canada. The CRTC theoretically attempts to promote market competition so that services are less costly for Canadians while simultaneously ensuring that offered services are of high quality and are efficient. Where something so basic as call transitions isn’t addressed, one has to wonder whether some federal institution shouldn’t be a lot more involved than they are in enabling competition in Canada’s mobile marketplace.

Categories
Links Writing

Major Critical Infrastructure Vulnerabilities Disclosed

For years, researchers have warned that the systems that run critical infrastructure have systemic and serious code-based vulnerabilities. Unfortunately, governments have tended to use such warnings as a platform to raise ‘cyber-warfare’ arguments. Many such arguments are thinly-disguised efforts to assert more substantive government surveillance and control over citizens’ rights and expressions of freedom. Few of these arguments genuinely address the concerns researchers raise.

In the face of governments’ lacklustre efforts to secure infrastructure, researchers have disclosed critical vulnerabilities in many of the systems responsible for manufacturing facilities, water and waste management plants, oil and gas refineries and pipelines, and chemical production plants. What’s incredibly depressing is this:

The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC—essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.

These kinds of ‘attacks’ or ‘exploits’ are possible because the most basic security precautions are not integrated into the logic controllers running such infrastructure. On the one hand this makes sense: many PLCs and the infrastructure they are embedded in were created and deployed prior to ‘the Internet’ being what it is today. On the other, however, one has to ask: if the money spent on security theatre at airports had been invested in hardening actual PLCs and other infrastructure, where would critical infrastructure security be today?

Categories
Quotations

It is not for innocent people to justify why the state should not spy on them.

Categories
Links

US Looking to Expand CALEA?

From the New York Times we find that American officials are campaigning for updates to CALEA, a surveillance bill that was passed in 1994. The officials claim updates are needed because

some telecommunications companies in recent years have begun new services and made system upgrades that caused technical problems for surveillance.

Albert Gidari Jr., a lawyer who represents telecommunications firms, said corporations were likely to object to increased government intervention in the design or launch of services. Such a change, he said, could have major repercussions for industry innovation, costs and competitiveness.

“The government’s answer is ‘don’t deploy the new services — wait until the government catches up,’ ” Mr. Gidari said. “But that’s not how it works. Too many services develop too quickly, and there are just too many players in this now.”

In essence, it appears that the US government is advocating for updates to their laws that are similar to provisions in Canada’s lawful access legislation. The tabled Canadian legislation includes provisions that preclude interception capabilities from degrading over time (Section 8), mandate that interception capabilities continue to meet government requirements as telecommunications services providers upgrade their services (Section 9), and require new software and product offerings to be compliant with interception demands (Section 11). It would seem that, without these provisos, CALEA is showing its age: ISPs are deploying services that ‘break’ existing wiretap capabilities, and it takes some time to restore those capabilities. ISPs innovate, and then surveillance catches up.

Of course, it’s useful to remember that none of the details surrounding the FBI’s problems in maintaining wiretaps is really made clear in the article. The sources that the reporter draws upon are primarily from law enforcement agencies and, as we have seen in Canada and in prior US legislative gambits, such agencies are prone to overstating problems and understating their complicity in generating/maintaining them. It’s also unclear just how ‘impaired’ investigations actually were. In essence, a full accounting of the alleged problems is needed, and the accounting ought to be public. If the American public is going to shell out more money for surveillance, and potentially endanger next-generation telecommunications services’ innovative potentials, then the government has to come totally clean about their allegations so that a rational and empirically-grounded debate can occur.