
Ants are destroying your plants by nurturing perfect aphid colonies

Ars Technica:

The results were stark. All but one of the aphid colonies that were not tended by ants went extinct. Of the surviving aphid colony, only one aphid remained. Without ants to protect them, the aphids were eaten by predators like ladybug larvae and parasitoid wasps. Apparently, ants remove these predators from their herds when they come to milk the aphids for honeydew. The ants win, the aphids win, but the mugwort suffers. A version of this scenario plays out all over the world, where ant invasions often mean aphid invasions, too.

Ants: the protectors of the aphid world, apparently.

This also explains a lot about the challenges I’ve experienced dealing with aphid infestations in the past!


Two critical bugs and more malicious apps make for a bad week for Android

Ars Technica:

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google’s official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren’t eligible to receive the fixes. Even those that do qualify don’t receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

The bag of hurt continues unabated.


Location Privacy: The Purview of the Rich and Indigent

Krebs on Security:

In Texas, the EFF highlights how state and local law enforcement agencies have free access to ALPR equipment and license plate data maintained by a private company called Vigilant Solutions. In exchange, police cruisers are retrofitted with credit-card machines so that law enforcement officers can take payments for delinquent fines and other charges on the spot — with a 25 percent processing fee tacked on that goes straight to Vigilant. In essence, the driver is paying Vigilant to provide the local cops with the technology used to identify and detain the driver.

“The ‘warrant redemption’ program works like this,” the EFF wrote. “The agency is given no-cost license plate readers as well as free access to LEARN-NVLS, the ALPR data system Vigilant says contains more than 2.8-billion plate scans and is growing by more than 70-million scans a month. This also includes a wide variety of analytical and predictive software tools. Also, the agency is merely licensing the technology; Vigilant can take it back at any time.”

That’s right: Even if the contract between the state and Vigilant ends, the latter gets to keep all of the license plate data collected by the agency, and potentially sell or license the information to other governments or use it for other purposes.

Another case of the private surveillance sector overcoming state institutions, and to the detriment of citizens’ rights to privacy.


For some safety experts, Uber’s self-driving taxi test isn’t something to hail

Washington Post:

Even so, the effort is raising concern from safety experts who say the technology has major limitations that can be very dangerous. Self-driving cars have trouble seeing in bad weather. Sudden downpours, snow and especially puddles make it difficult for autonomous vehicles to detect lines on pavement and thereby stay in one lane.

Walker Smith added that self-driving cars have sometimes confused bridges for other obstacles. “People need to understand both the potential and the limitations of these systems, and inviting them inside is part of that education,” he said.

The vehicles also have difficulty understanding human gestures — for example, a crosswalk guard in front of a local elementary school may not be understood, said Mary Cummings, director of Duke University’s Humans and Autonomy Lab, at a Senate hearing in March. She recommended that the vehicles not be allowed to operate near schools.

Then there’s the human factor: Researchers have shown that people like to test and prank robots. Today, a GPS jammer, which some people keep in their trunks to block police from tracking them, will easily throw off a self-driving car’s ability to sense where it is, Cummings said.

Current self-driving cars often cannot see which lane they’re in if it’s raining. They don’t understand what a bridge is versus other road terrain. They don’t understand what a crosswalk guard is. And they are reliant on a notoriously brittle location technology.

What can go wrong with testing them in urban centres then, exactly?


Russian Hackers Now Targeting U.S. Think Tanks That Specialize in Russia

Russian Hackers Now Targeting U.S. Think Tanks That Specialize in Russia:

“Any respectable think tank has been hacked,” Lewis told Defense One on Monday. “The Russians just don’t get the idea of independent institutions, so they are looking for secret instructions from Obama. Another benefit is they can go to their bosses and show what they took to prove their worth as spies.”

Any respectable think tank is proud to have such garbage security that the intellectual property it hopes to profit from, to say nothing of political advocacy, is available to unauthorized third parties.

Right….


Marking 70 years of eavesdropping in Canada

Bill Robinson at Open Canada:

Another new factor is the presence of Canadians in CSE’s hunting grounds. CSE was unable to assist during the FLQ crisis in 1970—it had no capability to monitor Canadians. In the post-2001 era, that is no longer true: the Internet traffic of Canadians mixes with that of everybody else, and CSE encounters it even when it is trying not to. When operating under judicial warrants obtained by CSIS or the RCMP, it deliberately goes after Canadian communications. CSE also passes on information about Canadians collected by its Five Eyes partners.

A special watchdog—the CSE Commissioner—was established in 1996 to monitor the legality of CSE’s activities. Over the years, Commissioners have often reported weaknesses in the measures the agency takes to protect Canadian privacy, but only once, last year, has a Commissioner declared CSE in non-compliance with the law.

Whether CSE’s watchdog is an adequate safeguard for the privacy of Canadians is a matter of continuing debate. One thing, however, is clear: As CSE enters its 71st year, the days when its gaze faced exclusively outward are gone for good.

Bill Robinson has done a terrific job providing a historical overview of Canada’s equivalent of the National Security Agency (NSA). His knowledge of the Communications Security Establishment (CSE) is immense.

Canadians now live in a country wherein this secretive institution, the CSE, is capable of massively monitoring our domestic as well as foreign communications. And, in fact, a constitutional challenge is before the courts that is intended to restrain CSE’s domestic surveillance. But before that case is decided CSE will analyze, share, and act on our domestic communications infrastructure without genuine public accountability. As an intelligence, as opposed to policing, organization its methods, techniques, and activities are almost entirely hidden from the public and its political representatives, as well as from most of Canada’s legal profession. A democracy can easily wilt when basic freedoms of speech and association are infringed upon and, in the case of CSE, such freedoms might be impacted without the speakers or those engaging with one another online ever realizing that their basic rights were being inhibited. Such possibilities raise existential threats to democratic governance and need to be alleviated as much as possible if our democracy is to be maintained, fostered, and enhanced.


On Encryption and Terrorists

On Encryption and Terrorists:

I’ve come to see encryption as the natural extension a computer scientist can give a democracy. A permeation of the simple assurance that you can carry out your life freely and privately, as enshrined in the constitutions and charters of France, Lebanon as well as the United States. To take away these guarantees doesn’t work. It doesn’t produce better intelligence. It’s not why our intelligence isn’t competing in the first place. But it does help terrorist groups destroy the moral character of our politics from within, when out of fear, we forsake our principles.

If we take every car off the street, every iPhone out of people’s pockets and every single plane out of the sky, it wouldn’t do anything to stop terrorism. Terrorism isn’t about means, but about ends. It’s not about the technology but about the anger, the ignorance that holds a firm grip over the actor’s mind.

Nadim’s explanation of what encryption is used for, and the parallel he draws between using encryption and using automobiles for terror-related activities, is amongst the clearest I’ve read. It’s worth the 5-7 minutes it’ll take you to read.


Police Using Journalists’ Metadata to Hunt Down Whistleblowers

Police Using Journalists’ Metadata to Hunt Down Whistleblowers:

In the past year, the Australian Federal Police has been asked to investigate a piece in The Australian about the Government’s leaked Draft Defence White Paper, and a Fairfax Media story on a proposal to reform citizenship laws.

Just last week, police raided Parliament House in an attempt to track down the source of an embarrassing leak about the National Broadband Network. It’s feared that these investigations, along with increased penalties for whistleblowers, are hindering the ability of journalists to hold policymakers to account.

It was with this in mind that the Opposition eventually voted for the amendments that created the Journalist Information Warrant scheme, and allowed the Data Retention laws to pass last year. In a last minute effort to shore up support for the legislation, the Government agreed to add provisions for ‘safeguards’ that would, in theory, prevent the scheme being used to target journalists’ sources. However, a closer look at the scheme reveals its flaws.

When a democracy creates warranting schemes solely to determine who is willing to speak with journalists, the democracy is demonstrably in danger of slipping free of the grasp of the citizenry.


Google rebuilt a core part of Android to kill the Stagefright vulnerability for good

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good:

Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.

Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.

The vulnerability is more fully and truly patched! Hurray!

A shame that few users will ever receive an update to the new version of Android, let alone the patches for the previous version (version 6) of Android. The best/easiest way for most users to ‘update’ an Android-based mobile phone is to throw their current phone in the trash and buy a new one…and even then, the phone they buy will likely lack recent patches. Heck, they’ll be lucky if it has the most recent operating system!

This stands directly in contrast to iOS. Apple can push out a global patch and there are remarkably high levels of uptake by end-users. Google’s method of working with handset manufacturers and carriers alike puts end-users at greater and greater risk. They’re simply making dangerous products available. They’re behaving worse than Microsoft in the Windows XP days!


Turning security flaws into cyberweapons endangers Canadians, experts warn

Turning security flaws into cyberweapons endangers Canadians, experts warn:

“The Snowden docs demonstrate that CSE is active in identifying vulnerabilities,” Christopher Parsons, a post-doctoral fellow at Citizen Lab, told CBC.

“The fact that CSE identifies vulnerabilities and is not reporting them means users are not receiving patches in order to secure their networks.”

Parsons said this “creates a really dangerous scenario.”

“Canadians need to have a discussion about this. Do we want to live in a world in which we’re protecting our own citizens? Or should the priority of Canadian government organizations [like CSE] be first and foremost hacking foreign systems?”

Canadian politicians, judges, journalists and business leaders use smartphones vulnerable to the flaws now fixed by Apple — and to flaws still unknown. The country’s infrastructure is increasingly networked and vulnerable to sabotage by a foreign intelligence agency.

In such a world, Parsons wondered, does national security mean using security flaws against potential enemies? Or disclosing and fixing them?

“We haven’t had that debate in this country,” he said.

It’s increasingly looking like we are going to have the debate concerning whether the Canadian government should be stockpiling vulnerabilities or actively working to close identified vulnerabilities. Let’s hope that the debate tilts in favour of protecting the citizenry instead of leaving it vulnerable to domestic and foreign attackers.