
ThyssenKrupp secrets stolen in ‘massive’ cyber attack

Per Reuters:

ThyssenKrupp said it waited to publicize the attack while it identified, then cleansed infected systems in one concerted, global action before implementing new safeguards to monitor its computer systems. “It is important not to let the intruder know that he has been discovered,” a spokesman said.

A criminal complaint was filed with police in the state of North Rhine-Westphalia and an investigation is ongoing, it said. State and federal cyber security and data protection authorities were kept informed at each stage, as well as Thyssen’s board.

Secured systems operating steel blast furnaces and power plants in Duisburg, in Germany’s industrial heartland in the Ruhr Valley, were unaffected, the company said.

No breaches were found at its marine systems unit, which produces military submarines and warships.

A previous cyber attack caused physical damage to an unidentified German steel plant and prevented the mill’s blast furnace from shutting down properly.

The shift towards automation of critical infrastructure and industrial systems means that we can reduce production costs while (in many cases) improving worker safety by keeping workers away from particularly dangerous areas of manufacturing facilities. At the same time, however, digitizing functions that were once performed by analogue or network-disconnected systems increases the attack surface of these facilities: where once a human insider might have been needed, now an attacker just needs an implanted computer that is on, or can gain access to, the relevant network.

The problems linked to digitizing infrastructure and manufacturing systems are not going to improve quickly: attackers are only now really starting to launch targeted attacks, and the investments companies have made in their equipment are not going to be simply thrown out. That means that many systems and companies will likely remain exposed to possible attack for years, if not decades, barring a significant shift in security culture.


Partnering to help curb the spread of terrorist content online

Facebook, Microsoft, Twitter, and YouTube are coming together to help curb the spread of terrorist content online. There is no place for content that promotes terrorism on our hosted consumer services. When alerted, we take swift action against this kind of content in accordance with our respective policies.

Starting today, we commit to the creation of a shared industry database of “hashes” — unique digital “fingerprints” — for violent terrorist imagery or terrorist recruitment videos or images that we have removed from our services. By sharing this information with each other, we may use the shared hashes to help identify potential terrorist content on our respective hosted consumer platforms. We hope this collaboration will lead to greater efficiency as we continue to enforce our policies to help curb the pressing global issue of terrorist content online.

The creation of the industry database of hashes shows the world that these companies are ‘doing something’ without that something being particularly onerous: any change to a file will result in it having a different hash, and the file will thus be undetectable by the filtering system being rolled out by these companies. But that technical deficiency is actually the least interesting aspect of what these companies are doing. Rather than being compelled to inhibit speech – by way of a law that might not hold up to a First Amendment challenge in the United States – the companies are voluntarily adopting this process.

The result is that some files will be more challenging to find without someone putting in the effort to seek them out. But it also means that the governments of the world cannot say that the companies aren’t doing anything, and most people aren’t going to be interested in the nuances of the technical deficits of this mode of censorship. So what we’re witnessing is (another) privatized method of censorship that is arguably more designed to rebut political barbs about the discoverability of horrible material on these companies’ services than intended to ‘solve’ the actual problem of the content’s creation and baseline availability.

While a realist might argue that anything is better than nothing, I think that the very existence of these kinds of filtering and censoring programs is inherently dangerous. While it’s all fine and good for ‘bad content’ to be blocked, who will be defining what is ‘bad’? And how likely is it that, at some point, ‘good’ content will be either intentionally or accidentally blocked? These are systems that can be used in a multitude of ways once established, and which are often incredibly challenging to retire when in operation.
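The technical deficiency mentioned above, as an added illustration that is not part of this post and not code from any of the companies involved: a shared blocklist keyed on a cryptographic hash (SHA-256 here, chosen as an assumption; the announcement does not say which hash function is used) matches only byte-identical files, so any re-encoding or trivial edit produces a new digest and slips past an exact-match lookup. The example goes one step beyond the post by contrasting that with a toy perceptual “average hash”, which tolerates small pixel changes; it is a deliberately simplified stand-in for the perceptual-hash family, not a production matcher. The “image” is a constructed 8x8 grayscale grid, and all names (`BLOCKLIST_SHA256`, `perturb`, `fuzzy_match`) are hypothetical.

```python
import hashlib

# Constructed stand-in for a removed image: an 8x8 grayscale grid (64 pixels,
# values 0-255). Bright left half, dark right half, so the perceptual hash has
# a recognisable structure.
ORIGINAL_PIXELS = [200 if (i % 8) < 4 else 40 for i in range(64)]

# A constructed, visually unrelated image: the mirror image (dark left, bright right).
UNRELATED_PIXELS = [40 if (i % 8) < 4 else 200 for i in range(64)]


def sha256_hex(pixels):
    """Cryptographic fingerprint of the raw pixel bytes (exact-match hash)."""
    return hashlib.sha256(bytes(pixels)).hexdigest()


def average_hash(pixels):
    """Toy perceptual hash: one bit per pixel, set when the pixel is above the mean.

    Small brightness changes that do not cross the mean leave the hash unchanged,
    which is the property an exact cryptographic hash lacks.
    """
    mean = sum(pixels) / len(pixels)
    return sum(1 << i for i, p in enumerate(pixels) if p > mean)


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def perturb(pixels):
    """Deterministic stand-in for a re-encode: nudge each pixel by -1, 0 or +1."""
    return [max(0, min(255, p + (i % 3) - 1)) for i, p in enumerate(pixels)]


# The "shared industry database": hashes of content already removed.
BLOCKLIST_SHA256 = {sha256_hex(ORIGINAL_PIXELS)}
BLOCKLIST_AHASH = {average_hash(ORIGINAL_PIXELS)}


def exact_match(pixels, blocklist=BLOCKLIST_SHA256):
    """Exact-hash lookup: only a byte-identical file matches."""
    return sha256_hex(pixels) in blocklist


def fuzzy_match(pixels, blocklist=BLOCKLIST_AHASH, threshold=6):
    """Perceptual lookup: match if any known hash is within `threshold` bits."""
    h = average_hash(pixels)
    return any(hamming(h, known) <= threshold for known in blocklist)


if __name__ == "__main__":
    edited = perturb(ORIGINAL_PIXELS)
    print("exact match, identical file :", exact_match(ORIGINAL_PIXELS))   # True
    print("exact match, re-encoded file:", exact_match(edited))            # False
    print("fuzzy match, re-encoded file:", fuzzy_match(edited))            # True
    print("fuzzy match, unrelated image:", fuzzy_match(UNRELATED_PIXELS))  # False
    print("hamming(original, edited)   :",
          hamming(average_hash(ORIGINAL_PIXELS), average_hash(edited)))
```

The threshold in `fuzzy_match` is where the policy questions in the paragraph above re-enter: a low threshold reproduces the brittleness of the exact hash, a high one starts matching content that merely resembles something on the list, and neither choice is visible to the people whose uploads are being filtered.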


The London Tube Is Tracking Riders with Their Phones

From Wired:

An agency like TfL could also use uber-accurate tracking data to send out real-time service updates. “If no passengers are using a particular stairway, it could alert TfL that there’s something wrong with the stairway—a missing step or a scary person,” Kaufman says. (Send emergency services stat.)

The Underground won’t exactly know what it can do with this data until it starts crunching the numbers. That will take a few months. Meanwhile, TfL has set about quelling a mini-privacy panic—if riders don’t want to share data with the agency, Sager Weinstein recommends shutting off your mobile device’s Wi-Fi.

So, on the one hand, they’ll apply norms and biases to ascertain why their data ‘says’ certain things. But to draw these conclusions the London transit authority will collect information from customers, and the only way to disable this collection is to reduce the functionality of your device when you’re in a public space. Sounds like a recipe for great consensual collection of data and subsequent data ‘analysis’.


Naqvi: Solution to Court Delays – Call off your Crowns

There can be no debate — delays in our justice system are a very bad thing. With every week, month and year of delay, memories fade, the quality of evidence degrades and victims are denied legal closure.

And, often intentionally overlooked is the reality that court delays mean that accused persons who are presumed (and often are) innocent suffer ongoing stigma, stress, loss of employment, oppressive bail conditions and incarceration waiting for their trial dates.

Let’s get one thing straight — there is not one accused person being held in our Dickensian provincial jails who is intentionally delaying their day in court. There is simply no benefit to do so. Ontario’s remand centres are violent, overcrowded, humanity-destroying hellscapes, which are completely devoid of any rehabilitation programming or basic human comforts.

Canadians only realize how broken the legal system is when they, or someone they know, is sucked into it.


150 Filmmakers Want Nikon and Canon to Sell Encrypted Cameras. Here’s Why

From Wired:

Implementing that feature wouldn’t be simple—particularly in high-definition cameras that have to write large files to an SD card at a high frequency, says Jonathan Zdziarski, an encryption and forensics expert who also works as a semi-professional photographer. Integrating encryption without slowing down a camera would likely require not just new software, but new microprocessors dedicated to encrypting files with maximum efficiency, as well as security engineering talent that camera companies likely don’t yet have. He describes the process as “feasible,” but potentially expensive. “I don’t expect Nikon or Canon to know how to do this the way computer companies do. It’s a significant undertaking,” says Zdziarski. “Their first question is going to be, ‘how do we pay for that?’”

Adding in encryption is a non-trivial undertaking. It’s one that is often done badly. And strong encryption – such that no party can access the content absent a passphrase – also has drawbacks, because if you forget that phrase then you’re permanently locked out of the data. As someone who has suffered data loss for exactly that reason, I’m incredibly sympathetic to the view that the level of security proposed – opt-in strong security – is not necessarily something that most users want, nor something that most companies want to field support calls over.


The Perfect Weapon: How Russian Cyberpower Invaded the U.S.

As the year draws to a close, it now seems possible that there will be multiple investigations of the Russian hacking — the intelligence review Mr. Obama has ordered completed by Jan. 20, the day he leaves office, and one or more congressional inquiries. They will wrestle with, among other things, Mr. Putin’s motive.

Did he seek to mar the brand of American democracy, to forestall anti-Russian activism for both Russians and their neighbors? Or to weaken the next American president, since presumably Mr. Putin had no reason to doubt American forecasts that Mrs. Clinton would win easily? Or was it, as the C.I.A. concluded last month, a deliberate attempt to elect Mr. Trump?

In fact, the Russian hack-and-dox scheme accomplished all three goals.

This is an absolutely brilliant piece of journalism by Harris, Singer, and Shane. It unpacks the publicly available information about the intrusions into the Democratic National Committee’s systems and how information was subsequently mobilized and weaponized. These sorts of attacks will continue to be effective because all it takes is a single failure on the part of defenders, often in the face of hundreds or thousands of discrete attacks. As a result the remediation process is, today, arguably the most important part of a cyber-security event, because a dedicated and resourced attacker will eventually penetrate even the best secured networking infrastructure. And the Democratic National Committee, and the Democratic Party more generally, still lacks a remediation policy months after the attacks.


Privacy and Policing in a Digital World

As the federal government holds public consultations on what changes should be made to Bill C-51, the controversial anti-terrorism legislation passed by the Conservative government, various police agencies such as the RCMP and the Canadian Association of Chiefs of Police have petitioned to gain new powers to access telephone and internet data. Meanwhile nearly half of Canadians believe they should have the right to complete digital privacy. The Agenda examines the question of how to balance privacy rights with effective policing in the digital realm.

I was part of a panel that discussed some of the powers that the Government of Canada is opening for discussion as part of its National Security consultation, which ends on December 15, 2016. If you want to provide comments to the government, see: https://www.canada.ca/en/services/defence/nationalsecurity/consultation-national-security.html


Donald Trump Is Gaslighting America

As a candidate, Trump’s gaslighting was manipulative; as President-elect, it is a deliberate attempt to destabilize journalism as a check on the power of government.

To be clear, the “us” here is everyone living under Trump. It’s radical progressives, hardline Republicans, and Jill Stein’s weird cousin. The President of the United States cannot be lying to the American electorate with zero accountability. The threat of deception is not a partisan issue. Trump took advantage of the things that divide this country, pitting us against one another, while lying his way to the Oval Office. Yes, everything is painfully clear in hindsight, but let’s make sure Trump’s win was the Lasik eye surgery we all so desperately needed.

The good news about this boiling frog scenario is that we’re not boiling yet. Trump is not going to stop playing with the burner until America realizes that the temperature is too high. It’s on every single one of us to stop pretending it’s always been so hot in here.

Teen Vogue has one of the more biting analyses of Trump’s activities in the US media. Teen. Vogue.


The Subtle Ways Your Digital Assistant Might Manipulate You

From Wired:

Amazon’s Echo and Alphabet’s Home cost less than $200 today, and that price will likely drop. So who will pay our butler’s salary, especially as it offers additional services? Advertisers, most likely. Our butler may recommend services and products that further the super-platform’s financial interests, rather than our own interests. By serving its true masters—the platforms—it may distort our view of the market and lead us to services and products that its masters wish to promote.

But the potential harm transcends the search bias issue, which Google is currently defending in Europe. The increase in the super-platform’s economic power can translate into political power. As we increasingly rely on one or two head butlers, the super-platform will learn about our political beliefs and have the power to affect our views and the public debate.

The discussions about algorithmic bias often have an almost science fiction feel to them. But as personal assistant platforms are monetized by inking deals with advertisers and designing secretive business practices meant to extract value from users, the threat of attitude shaping will become even more important. Why did your assistant recommend a particular route? (Answer: because it took you past businesses the platform owner believes you are predisposed to spend money at.) Why did your assistant present a particular piece of news? (Answer: because the piece in question conformed with your existing views and thus increased the time you spent on the site, during which you were exposed to the platform’s associated advertising partners’ content.)

We are shifting to a world where algorithms are functionally what we call magic. A type of magic that can be used to exploit us while we think that algorithmically-designed digital assistants are markedly changing our lives for the better.


US-CERT: Stop using your remotely exploitable Netgear routers

From Network World:

In case you are wondering, that firmware for the R7000 – Nighthawk AC1900 smart router – is the newest firmware available by Netgear. Here are Netgear’s links to the R8000 – Nighthawk AC3200 tri-band gigabit router and the R6400. Hopefully those – and any other vulnerable models – will soon be updated with less insecure firmware.

Hopefully less insecure firmware will be provided to turn a burning dumpster fire into a merely-smouldering-mess. Hurray for (possible, but don’t bet on it) progress.