Categories
Links

Finnish Residents Briefly Left in Cold After DDoS Attack

Per Motherboard:

Simo Rounela, CEO of Valtia, a Finnish company that manages the buildings, told Motherboard that the attack hit a DNS service; that is, servers that translate human-readable internet domain names into computer IP addresses.

Shortly after, Valtia received a number of alerts from one of their building’s automation systems, made by a company called Fidelix.

“Remote connection was not working, so went on-site for more inspections,” Rounela explained. The automated system controlling the heating, ventilation and hot water for the homes kept rebooting every 5 minutes. Eventually, it just didn’t boot-up anymore, he said.

We generally don’t understand the full impacts of connecting things to the Internet; it is a hugely complex system that we can’t easily ‘fault test’ without breaking a lot of different services and systems. The result is that an attack on one component of the Internet, such as the DNS infrastructure, can have unexpected impacts around the world: here, a flood aimed at name servers left residents of a Finnish city without heat. It’s this potential for untold, cross-national impacts linked to cyber attacks that makes many of them so risky and dangerous to the general public.
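The failure chain described above (resolver unreachable, controller treats the error as fatal, device reboots until it stops booting) is a pattern worth designing against. As an added example, not code from the original post or from Fidelix or Valtia, the Python below contrasts a controller that treats any DNS failure as fatal with one that falls back to the last known-good address, backs off exponentially instead of restarting, and keeps its local heating decision independent of the network. The hostname, addresses and resolver responses are constructed for the illustration.

```python
"""Added example: keeping a building controller alive when DNS is under attack.

Constructed illustration, not Fidelix/Valtia code. The resolver is injected so
the example runs offline; in production it would wrap socket.getaddrinfo.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


class ResolverDown(Exception):
    """Raised by the resolver when no DNS answer arrives (timeout / SERVFAIL)."""


def make_fake_resolver(answers: List[Optional[str]]) -> Callable[[str], str]:
    """Constructed stand-in for a DNS lookup.

    Each call consumes one entry: a string is a successful answer, None is a
    failed lookup (the DDoS window). The last entry repeats once exhausted.
    """
    remaining = list(answers)
    state = {"last": answers[-1]}

    def resolve(hostname: str) -> str:
        ans = remaining.pop(0) if remaining else state["last"]
        state["last"] = ans
        if ans is None:
            raise ResolverDown(f"no answer for {hostname}")
        return ans

    return resolve


def brittle_tick(resolve: Callable[[str], str], hostname: str) -> str:
    """The pattern that produces a reboot loop: any resolver error propagates
    out of the control loop, the process dies, and a watchdog restarts it."""
    ip = resolve(hostname)  # uncaught ResolverDown -> crash -> reboot
    return f"report sent to {ip}"


@dataclass
class ResilientUplink:
    """Remote-reporting link that degrades instead of failing."""
    hostname: str
    resolve: Callable[[str], str]
    base_delay: float = 5.0     # seconds before first retry (assumed value)
    max_delay: float = 300.0    # cap so a long outage does not grow unbounded
    last_good: Optional[str] = None
    failures: int = 0

    def endpoint(self) -> Tuple[Optional[str], str]:
        """Return (address, source). Source is 'fresh', 'cached' or 'offline'."""
        try:
            ip = self.resolve(self.hostname)
        except ResolverDown:
            self.failures += 1
            if self.last_good is not None:
                return self.last_good, "cached"   # keep using last known-good IP
            return None, "offline"                # never resolved: report later
        self.failures = 0
        self.last_good = ip
        return ip, "fresh"

    def retry_delay(self) -> float:
        """Exponential backoff on consecutive failures, capped at max_delay."""
        return min(self.max_delay, self.base_delay * (2 ** self.failures))


def heating_on(indoor_c: float, target_c: float = 21.0) -> bool:
    """Local control decision; deliberately has no network dependency."""
    return indoor_c < target_c - 0.5


def simulate(answers: List[Optional[str]], temps: List[float]):
    """Run one control tick per temperature sample through the resilient path.

    Returns a list of (heating_on, endpoint_source, retry_delay) tuples.
    """
    uplink = ResilientUplink("bms.example.invalid", make_fake_resolver(answers))
    log = []
    for indoor in temps:
        heat = heating_on(indoor)      # local loop runs regardless of DNS
        _ip, source = uplink.endpoint()
        log.append((heat, source, uplink.retry_delay()))
    return log


if __name__ == "__main__":
    # Constructed scenario: one good lookup, three failed ones, recovery.
    for row in simulate(["203.0.113.10", None, None, None, "203.0.113.10"],
                        [19.0, 19.5, 20.0, 21.5, 22.0]):
        print(row)
```

The point of the contrast is not the retry arithmetic but where the trust boundary sits: the heating decision in `heating_on` never touches the network, so a resolver outage costs the operator remote telemetry rather than the residents their hot water.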

Categories
Links Quotations

RCMP is overstating Canada’s ‘surveillance lag’ | Toronto Star

From a piece that I wrote with Tamir Israel for the Toronto Star:

The RCMP has been lobbying the government behind the scenes for increased surveillance powers on the faulty premise that their investigative powers are lagging behind those of foreign police services.

The centrepiece of the RCMP’s pitch is captured in an infographic that purports to show foreign governments are legislating powers that are more responsive to investigative challenges posed by the digital world. On the basis of this comparison, the RCMP appears to have convinced the federal government to transform a process intended to curb the excesses of Bill C-51 into one dominated by proposals for additional surveillance powers.

The RCMP’s lobbying effort misleadingly leaves an impression that Canadian law enforcement efforts are being confounded by digital activities.

An op-ed that I published earlier this week with my colleague Tamir Israel. It calls out the RCMP for deliberately misleading the public about government agencies’ existing surveillance powers and capabilities.

Categories
Links

Hackers and Law Enforcement Could Hijack Wi-Fi Connections to Track Cellphones

From The Intercept:

But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.

This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.

O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.

Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.

Yet another instance of Apple dedicating engineering resources to better protect its customers while its major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol-level issue.

Categories
Links Quotations

Pleading the Case: How the RCMP Fails to Justify Calls for New Investigatory Powers

The powers that the government is proposing in its national security consultation — that all communications made by all Canadians be retained regardless of guilt, that all communications be accessible to state agencies on the basis that any Canadian could potentially commit a crime, that security of communications infrastructure should be secondary to government access to communications — are deeply disproportionate to the challenges government agencies are facing. The cases chosen by authorities to be selectively revealed to journalists do not reveal a crisis of policing but that authorities continue to face the ever-present challenges of how to prioritize cases, how to assign resources, and how to pursue investigations to conclusion. Authorities have never had a perfect view into the private lives of citizens and that is likely to continue to be the case, but they presently have a far better view into the lives of most citizens, using existing powers, than ever before in history.

The powers discussed in its consultation, and that the RCMP has implicitly argued for by revealing these cases, presume that all communications in Canada ought to be accessible to government agencies upon their demand. Implementing the powers outlined in the national security consultation would require private businesses to assume significant costs in order to intercept and retain any Canadian’s communications. And such powers would threaten the security of all Canadians — by introducing backdoors into Canada’s communications ecosystem — in order to potentially collect evidence pursuant to a small number of cases, while simultaneously exposing all Canadians to the prospect of criminals or foreign governments exploiting the backdoors the RCMP is implicitly calling for.

While the government routinely frames lawful interception, mandated decryption, and other investigatory powers as principally a ‘privacy-vs-security’ debate, the debate is more accurately framed as one of ‘security-or-less-security’. Do Canadians want to endanger their daily communications and become less secure in their routine activities so that the RCMP and our security services can better intercept data they cannot read, or retain information they cannot process? Or do Canadians want the strongest security possible so that their businesses, personal relationships, religious observances, and other aspects of their daily lives are kept safe from third parties who want to capture and exploit their sensitive and oftentimes confidential information? Do we want to be more safe from cybercriminals, or more likely to be victimized by them by providing powers to government agencies?


Categories
Links

Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say – NYTimes.com

From the New York Times:

International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.

Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. “Even if you wanted to, you wouldn’t have known about it,” he said.

The manufacturer of the American-branded phones didn’t know of this exfiltration vector. Consumers had no idea of the vector. And Google apparently had no idea that this data was being exfiltrated. But do trust mobile devices for moderately confidential work…

Categories
Links

On Interning at Slack – Code Like A Girl

From On Interning at Slack – Code Like A Girl:

I’ve had a rough year so far. After coming back to college, I got hit by a car and my grandfather passed away within two weeks of each other. I was diagnosed with a mental disorder. My grades slipped from As to Ds. I had to discontinue my classes in April, and missed two months of classes. I developed PTSD around cars and loud noises, and mourned my grandfather. I partied to not feel the pain and the fear of going outside. In May, I admitted myself to a psychiatric hospital so I could be sure that I wouldn’t hurt myself.

This probably doesn’t seem like it’s relevant. But it is. It felt like everything that could have gone wrong did. Slack was at every point in the process to support me.

I was given permission to call in black. I was allowed to work from home on the days I was too afraid to go outside. I was given a week to help transition my puppy to my house before he was to begin his service dog training. My mentor and manager, a woman and a woman of color, checked in with me at least once a week to make sure I was ok and asked about the ways they could best support me. I called in sick often on the days where every noise made me fear my life. I drew support from the greater Slack community when I needed help.

I made friends with other interns, who didn’t treat me differently after talking about my disabilities. I bonded over boba and makeup with the other engineers and writers at Slack. I spammed the #dogs channel with pictures of my dogs, and created #acai-bowls for those trendy connoisseurs. I was no longer a brown female queer intern with the service dog, but just another engineer. I gave a presentation to the Slack community about ableism and why it was important. And people listened.

This is what a company that genuinely commits to inclusivity and supporting employees looks like.

Categories
Links

Privacy experts fear Donald Trump accessing global surveillance network

Thomas Drake, an NSA whistleblower who predated Snowden, offered an equally bleak assessment. He said: “The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.”

Bush and Cheney functionally authorized the NSA to undertake unlawful operations and actively sought to hinder authorizing courts from understanding what was going on. At the same time, that administration established black sites and novel detention rules for persons kidnapped by the CIA from around the world.

Obama and Biden developed legal theories that were accompanied by authorizing legislation to make the NSA’s previously unlawful activities lawful. The Obama presidency also failed to close Gitmo or to convince the American public that torture should be forbidden or that criminal (as opposed to military) courts are the appropriate venues for dealing with terror suspects. And throughout, the NSA deliberately misled and lied to its authorizing court, the CIA deliberately withheld documents from investigators and spied on those working for the intelligence oversight committees, and the FBI continued to conceal its own surveillance operations as best it could.

There are a lot of things to be worried about when it comes to the United States’ current trajectory. But one of the more significant items to note is that the most sophisticated and best financed surveillance and policing infrastructure in the world is going to be working at the behest of an entirely unproven, misogynistic, racist, and bigoted president.

It’s cause to be very, very nervous for the next few years.

Categories
Links

How sexism and bigotry won Donald Trump the presidency

This election is already being spun as “voter backlash,” as if the most widely touted legislative policies and court decisions over the last eight years – the Affordable Care Act, same-sex marriage, the end of Don’t Ask, Don’t Tell – don’t say something about the people who wish to reverse them. There will soon be conversations about the transformation of the American electoral landscape which dance around the deliberate naming of sexism and bigotry as the proximate cause for nearly causing President-elect Donald Trump. All of this misses the point unless that darker urge in American politics is finally identified and examined.

That urge to halt progress, to let people who traditionally have not held power know their proper place in the hierarchy, is a familiar one. That a man as unpopular, temperamental, and inexperienced as Donald Trump could pull this off speaks not only to the inevitability of this cycle, but to the fact that even the worst possible candidate can be the best possible President when the mood is right.

God help us all.

The implications of this election are entirely unknowable: America has done something that is practically unthinkable. Everyone who examines and advocates for policies, regardless of political stripe or interest, has no idea what is going to follow. And it’s not evident that the lack of stability is a problem given that a significant swathe of Americans have given a mandate to a man who possesses a reservoir of ideology and, at best, a thimble of policy prescriptions.

Categories
Links Writing

WikiLeaks Isn’t Whistleblowing

Mass data releases, like the Podesta emails, conflate things that the public has a right to know with things we have no business knowing, with a lot of material in the middle about things we may be curious about and may be of some historical interest, but should not be released in this manner.

All campaigns need to have internal discussions. Taking one campaign manager’s email account and releasing it with zero curation in the last month of an election needs to be treated as what it is: political sabotage, not whistle-blowing.

These hacks also function as a form of censorship. Once, censorship worked by blocking crucial pieces of information. In this era of information overload, censorship works by drowning us in too much undifferentiated information, crippling our ability to focus. These dumps, combined with the news media’s obsession with campaign trivia and gossip, have resulted in whistle-drowning, rather than whistle-blowing: In a sea of so many whistles blowing so loud, we cannot hear a single one.

This is one of the best arguments against the recent activities of Wikileaks. Not because Wikileaks is operating as a front for Russia. Not because the contents of the recent leaks aren’t newsworthy. Not because the public doesn’t find the revelations to be interesting and fun.

No, the core issue with the latest rafts of leaks is that they were not sufficiently curated, with the result that ostensibly private information is taken, circulated and mischaracterized. This stunts the electoral process while, simultaneously, reconfirming to persons in power that they need to adopt a culture of oral communications and decisions. That is not a governance direction that is in the public’s best interests.

However, it’s important to also situate Wikileaks’ activities in some context. Wikileaks is designed to clog up the machinery of states and bureaucracies. Part of its mission is to scare organizations with the threat of leaks in an effort to hinder what Julian Assange/Wikileaks regards as harmful or objectionable activities. So the leaks associated with the DNC and staff affiliated with Clinton are perfectly aligned with Wikileaks’ raison d’être. In the past such activities may have been regarded as more legitimate, since the organization was principally focused on state-level activities, but it is now focused on deliberately releasing information at pivotal points in an electoral cycle. Doing so may have affected the unfolding of the election, but it’s important to acknowledge that Wikileaks’ intent was not driven by Russia (presuming Russia was a source of at least some of the leaked information): instead, this was a case where Russia and Wikileaks just happened to have directly overlapping objectives.

Categories
Links Writing

Dissecting CSIS’ Statement Concerning Indefinite Metadata Retention

The Canadian Security Intelligence Service (CSIS) released a public statement after the Federal Court found the Service to be breaking the law by permanently retaining metadata it had been collecting. To date, the Public Safety Minister has refused to clarify the number of Canadians who have been caught up in this ‘catch once, catch forever’ surveillance regime.

The Service’s statement is incredibly misleading. It is designed to trick Canadians and parliamentarians into thinking that CSIS didn’t do anything that was really ‘that’ bad. I fundamentally disagree with CSIS’ activities in this regard and, as a result, I’ve conducted a detailed evaluation of each sentence of the Service’s statement.

You can read my dissection of CSIS’ statement at Technology, Thoughts, and Trinkets.