How Canada’s Anti-Cyberbullying Law Is Being Used to Spy on Journalists

From Motherboard:

According to Citizen Lab researcher Christopher Parsons, these same powers that target journalists can be used against non-journalists under C-13. And the only reason we know about the aforementioned cases is that the press has a platform to speak out.

“This is an area where transparency and accountability are essential,” Parsons said in an interview. “We’ve given piles and piles of new powers to law enforcement and security agencies alike. What’s happened to this journalist shows we desperately need to know how the government uses its powers to ensure they’re not abused in any way.”

“I expect that the use of these particular powers will become more common as the police get more used to using it and more savvy in using them,” Parsons said.

These were powers that were ultimately sold to the public (and passed into law) as needed to combat ‘child pornography’. And now they’re being used to snoop on journalists to figure out who their sources are, without being mandated to report on the regularity with which the powers are used or the efficacy of such uses. For some reason, this process doesn’t inspire a lot of confidence in me.

Donald Trump’s companies destroyed or hid documents in defiance of court orders

Newsweek:

Trump’s use of deception and untruthful affidavits, as well as the hiding or improper destruction of documents, dates back to at least 1973, when the Republican nominee, his father and their real estate company battled the federal government over civil charges that they refused to rent apartments to African-Americans. The Trump strategy was simple: deny, impede and delay, while destroying documents the court had ordered them to hand over.

Shortly after the government filed its case in October, Trump attacked: He falsely declared to reporters that the feds had no evidence he and his father discriminated against minorities, but instead were attempting to force them to lease to welfare recipients who couldn’t pay their rent.

The debates about who had hidden the most, and the significance of such hiding, continue unabated in the American election…

Why DDoS attacks matter for journalists

Two reasons that journalists should be concerned about DDoS attacks:

First, while the use of common household devices to execute the attacks against Krebs and Dyn was novel, the hackers got control of those devices using one of the oldest and easiest methods out there: bad passwords, a vulnerability most journalists share.

The second reason journalists should attend to these attacks is that strategic use of both DDoS attacks (for example, recent attacks on Newsweek and the BBC) and DNS manipulation are common tools for censorship. This is in part because they are cheap, easy (the software credited with Friday’s attack was posted openly just a few weeks ago), and highly effective in preventing some or all internet users from accessing the content they target.

We’re at the edge of a particularly bad security chasm we’re just about to fall into (if we haven’t already!). The question is whether we can actually avoid the fall or whether the best we can do right now is lessen the hurt on the way down.

How one rent-a-botnet army of cameras, DVRs caused Internet chaos

Ars Technica:

But even in the midst of the Dyn attack, some of the Mirai-infected devices were being used to attack another target—the infrastructure of a gaming company, according to Allison Nixon, the director of security research at security company Flashpoint. That idea matches up with what others who had some insight into the attack have told Ars confidentially—that it was also pointed at Sony’s PlayStation Network, which uses Dyn as a name service provider.

For now, it’s not clear that the attacks on Dyn and the PlayStation Network were connected. And with a criminal investigation underway, a Dyn spokesperson declined to confirm or deny that Sony was also a target. “We are continuing to work closely with the law enforcement community to determine the root cause of the events that occurred during the DDoS attacks last Friday,” Adam Coughlin, Dyn’s director of corporate communications, told Ars. “Since this is an ongoing investigation, we cannot speculate on these events.”

Regardless of the reasons behind it, the attack on Dyn further demonstrates the potential disruptive power of the millions of poorly protected IoT devices. These items can be easily turned into a platform for attacking anything from individual websites to core parts of the Internet’s infrastructure. And Mirai has demonstrated that it doesn’t take “zero-day” bugs to make it happen; attackers only need poorly implemented security on devices that can’t be easily fixed.

This is definitely one of the best writeups of the DDoS attacks launched against Dyn last week, which led to the downtime of major Internet properties. If you want to understand some of the security-related issues associated with the Internet of Things, as well as the challenges of attributing attacks to different attack infrastructures and intents, this is worth your time.

Android phones rooted by “most serious” Linux escalation bug ever

Ars Technica:

Just as Dirty Cow has allowed untrusted users or attackers with only limited access to a Linux server to dramatically elevate their control, the flaw can allow shady app developers to evade Android defenses that cordon off apps from other apps and from core OS functions. The reliability of Dirty Cow exploits and the ubiquity of the underlying flaw makes it an ideal malicious root trigger, especially against newer devices running the most recent versions of Android.

“I would be surprised if someone hasn’t already done that this past weekend,” Manouchehri said.

Another week, another extremely serious Android vulnerability that will remain unpatched for the majority of consumers until they throw out their current Android phone and purchase another one (though even that new one might lack the patches!). I wonder what serious vulnerability will come through next week?

Alibaba’s Jack Ma Urges China to Use Data to Combat Crime

Bloomberg reporting on Alibaba’s Jack Ma:

In his speech, Ma stuck mainly to the issue of crime prevention. In Alibaba’s hometown of Hangzhou alone, the number of surveillance cameras may already surpass that of New York’s, Ma said. Humans can’t handle the sheer amount of data amassed, which is where artificial intelligence comes in, he added.

“The future legal and security system cannot be separated from the internet and big data,” Ma said.

In North America, we’re trialling automated bail systems, where the amount set and likelihood of receiving bail are predicated on big data algorithms. While it’s important to look abroad and see what foreign countries are doing, we mustn’t forget what is being done here in the process.

Imagine if Donald Trump Controlled the NSA

Wired:

And exactly what could a President Trump do with the NSA? First, Hennessey says, there’s the question of what he could undo: He could, for instance, rescind the executive actions of President Obama aimed at reforming the NSA after Snowden’s revelations. Presidential Policy Directive 28, for example, issued in 2014, was designed to ensure that the NSA’s signals intelligence branch wouldn’t use its powers to promote American business interests or suppress political dissent abroad, and that it would minimize its invasion of the privacy of not just Americans but also non-Americans whenever possible. Trump could also defang or coopt the executive branch’s Privacy and Civil Liberties Oversight Board, which opposed and helped to end the NSA’s mass collection of Americans’ cell phone records last year.

More fundamentally, Hennessey and other former NSA staffers worry that Trump could redefine the priorities of the NSA’s foreign intelligence mission. He could, for instance, refocus American spying efforts to take the agency’s eyes off Russia and instead target that country’s adversaries, like Georgia, Ukraine, or even the European Union. Given Trump’s murky financial ties to Russia, it’s still not clear how he would approach its authoritarian government if he were to take power. “Trump has indicated he has unusual views about Vladimir Putin as an individual and Russian activity around the world that’s very problematic for the security interests of the US,” Hennessey says. “We shouldn’t underestimate the importance of the intelligence community’s high level priorities and the ability of the president to shift them.”

Despite what people believe, the NSA is significantly restrained in some of its activities as compared to its compatriots. As an example, there is still no evidence that the NSA conducts economic espionage for the purpose of enhancing specific American businesses’ interests. The United States does conduct economic espionage for trading and global threat assessments, but not to share the collected information with domestic businesses. A Trump presidency could change that and, in the process, truly blend best-of-class government surveillance with nationalist economic policies. While that might sound appealing to Americans, it could also initiate a full-scale trade war…and one where the people of the world would likely come out far poorer.

More Thoughts on the Yahoo Scan

Marcy Wheeler:

To sum up: ex-Yahoo employees want this story to be about the technical recklessness of the request and Yahoo’s bureaucratic implementation of it. Government lawyers and spooks are happy to explain this was a traditional FISA order, but want to downplay the intrusiveness and recklessness of this by claiming it just involved adapting an existing scan. And intelligence committee members mistakenly believed this scan happened under Section 702, and wanted to make it a 702 renewal fight issue, but since appear to have learned differently.

This is the definitive summarization of what Yahoo! (likely) did when they monitored all of their customers’ emails for the US government. Well worth the read for its content and, also, to see what goes into a critical media evaluation of an unfolding intelligence-related series of news stories.

Apple Logs Your iMessage Contacts — and May Share Them With Police

The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

That Apple has to run a lookup to see whether to send a message securely using Messages or insecurely using SMS isn’t surprising. And the 30-day retention period is likely to help iron out bugs associated with operating a global messaging system: when things go wonky (and they do…) engineers need some kind of data to troubleshoot what’s going on.

Importantly, Apple is not logging communications. Nor is it recording if you communicate with someone who is assigned a particular phone number. All that is retained is the lookup itself. So if you ever type in a wrong number that lookup is recorded, regardless of whether you communicate with whomever holds the number.

More troubling is the fact that Apple does not disclose this information when an individual formally requests copies of all the personal information that Apple retains about them. These lookups arguably constitute personal information, and information like IP addresses, etc., certainly constitutes personal information under Canadian law.

Apple, along with other tech companies, ought to release their lawful access guides so that users know and understand what information is accessible to authorities and under what terms. It isn’t enough to just disclose how often such requests are received and complied with: customers should be able to evaluate the terms under which Apple asserts it will, or will not, disclose that information in the first place.

Yahoo May Have Exposed Rogers Customer Emails to US Spies

Motherboard:

“Any program that scans all the mail that Yahoo has access to would have scanned this email,” Gillmor wrote me in a message.

“If Yahoo chose to segment their scanning by limiting it only to mails that have ‘@yahoo.com’ email addresses [and omitted those sent from @rogers.com], of course, then they would have chosen to exclude this email from the scan,” Gillmor continued. “It’s not clear to me whether any such constraint was in place, though.”

“I’d imagine that, yes, the program would have applied to Rogers customer emails, unless Yahoo elected to specifically exclude them,” wrote Marczak in an email.

Yahoo declined to comment on whether the alleged system filtered out emails from Rogers customers.

Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner, confirmed that Rogers consulted the office in the wake of the Yahoo hack. But as far as the possibility that Rogers customer emails had been siphoned into a surveillance dragnet goes, “Given we don’t have detailed information about the matter, we are not in a position to comment,” Cohen wrote.

When asked if Rogers was aware of the allegations against Yahoo or if the company is concerned that a backdoor could have affected its customers, spokesperson Garas referred me to Yahoo’s statement and wrote that “as such, we believe this matter is closed.”

Great to know that Rogers thinks it shouldn’t (or, worse, doesn’t have to) explain how one of its contracted service providers may have grossly violated the privacy of Rogers’ customers.