Privacy issues could not be ignored in 2014 (Transcript Summary)


U.S. Cyber Command investment ensures hackers targeting America face retribution

Later that summer, Marine Lt. Gen. Richard P. Mills bluntly told a conference in Baltimore that commanders under his control in Afghanistan routinely used cyberwarfare tactics to attack and disable al Qaeda and Taliban enemies.

“I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyberoperations against my adversary with great impact,” Gen. Mills was quoted at the time as saying. “I was able to get inside his nets, infect his command and control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

While the military is developing the capability, the political and policy realm is struggling with the right parlance.

If that’s the language that US generals are using to explain what ‘cyber’ is then I think that the executive-class is clueless about the things that their ‘cyberwarriors’ are up to. And if they’re this clueless then how can they be relied on (or quoted in anything other than a mocking way?) to provide expert advice to policy makers, politicians, or the public?

Hacking Our Humanity: Sony, Security and the End of Privacy

The lesson here isn’t that Hollywood executives, producers, agents and stars must watch themselves. It isn’t to beware of totalitarian states. It’s to beware, period. If it isn’t a foreign nemesis monitoring and meddling with you, then it’s potentially a merchant examining your buying patterns, an employer trawling for signs of disloyalty or indolence, an acquaintance turned enemy, a random hacker with an amorphous grudge — or of course the federal government.

And while this spooky realization prompts better behavior in certain circumstances that call for it and is only a minor inconvenience in other instances, make no mistake: It’s a major loss. Those moments and nooks in life that permit you to be your messiest, stupidest, most heedless self? They’re quickly disappearing if not already gone.

Though I find various aspects of Bruni’s article insulting (e.g. “…the flesh that Jennifer Lawrence flashed to more people than she ever intended…”) the discussion of who are the most common threat actors that people have to worry about is a fair point. It’s also important to discuss, and discuss regularly, that the ‘defences’ which are commonly preached to protect our privacy are fraught with risk. While being silent, not associating with one another, or not reading certain things online might keep one ‘safe’, engaging in such censorious activities runs counter to the freedoms that we ought to cherish.

Such responses ignore the costs — often paid in blood or years of people’s lives — that have gone into fighting for the freedoms that we now enjoy and that are ingrained in our constitutions, our laws, and our social norms. They forget the men and women who fight and die on battlefields to protect the freedoms of citizens of other nations. And, perhaps most significantly, such responses demonstrate how larger social movements directed at enshrining our freedoms through collective action are set aside, often cynically, so that we can try and resolve the problems we all face as individuals instead of as collective political actors. Self-censorship isn’t just a means of ensuring self-protection; it’s an exhibition of citizens’ unwillingness to try and utilize our political processes to resolve common social ills.

Public and private sector companies vulnerable to Sony-like attacks

Christopher Parsons, the managing director of a telecom transparency project in The Citizen Lab at the University of Toronto, agrees with Tobok; it’s not enough for companies to leave digital security to their designated IT employees or mid-level management.

“It’s an increasingly serious issue; companies not treating it at the top do so at their own peril.”

Bigger security breaches are a reality of a more digitally-literate world, Parsons said.

“If you’re dealing with a well-resourced attacker with lots of time, there’s a reasonable chance they will find some way through.”

That’s why companies also need to invest in a strong remediation strategy in case an attack does occur, he said.

I should be particularly emphatic on one point: the hack of Sony does not constitute ‘cyberwar’. To begin, the very definition of the term is ambiguous at best. Moreover, the attack on a non-critical-systems company cannot be understood as an assault on critical infrastructure systems (e.g. dams, power grids, etc.) that could be interpreted as an undeclared war-like action. What has happened to Sony is a corporate tragedy and one for the textbooks on remediation and mitigation strategies. To be clear: this is a lesson for business and security textbooks, not military strategy textbooks.

Claims that the attacks on Sony are some kind of ‘warlike’ behaviour operate on the assumption that we can attribute who is responsible for the attacks. We are unable to so ascribe action at the moment. And until the NSA or the other SIGINT agencies pull stuff from their bags of tricks to more positively establish a link between the attacks on Sony and a specific nation-state threat actor with obvious war-based intentionality, any calls that we are witnessing some kind of ‘cyberwar’ are ill-considered at best, and outright ignorant at worst.

Or, alternately, such calls might constitute efforts on the parts of those with Top Secret/Special Compartmentalized information to raise awareness about some kind of ‘behind the scenes’ action. I strongly doubt those calling the Sony attacks cyberwar have access to such kinds of deeply sensitive operational, and classified, information. But perhaps I’m wrong. And, if I am, I hope they’re leaking with authorization or have particularly terrific counsel to defend them against allegations of leaking classified information.

Canada asks app stores to mandate privacy policies

“Developers are asking for information they have no real business accessing,” said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab. “If a flashlight app is asking to read your SMS messages, that’s a step too far.”

According to Parsons, many app developers participate in a “grey market” of personal information.

“The value is not in selling apps,” he said. “The value is in collecting information about individuals and then turning around and selling it to third parties.”

Requiring developers to include privacy plans alongside their apps “is a step in the right direction,” Parsons said, but many policies are written in “boilerplate legalese,” meaning even if they’re available, many consumers won’t be able to interpret them.

“What commissioners could do is say that if you’re going to develop a privacy policy… you should be providing a simple, accessible version of what you’re doing,” he said.

However, making privacy policies mandatory could allow agencies like the privacy commissioner’s office to better target companies who violate their own terms of service.

“What it means is that when and if a company says something in its privacy policy that’s not true, there’s an actionable legal case against them,” Parsons said.

Social Media Privacy – Part I

One in three anglophone Canadians say that not a single day goes by without checking into their social media feeds. Use of such applications has increased. On top of that, there is growing concern over how much information is being shared online and who may have access to it. Has the government been doing enough to protect Canadians? Is the social media industry being proactive or reactive? Will government institutions such as CSIS and CSES increase their monitoring of users in light of recent events? We will explore the current situation, what the future holds and what social media users can do to protect their information.

This week’s expert guests are:

  • Christopher Parsons, Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting
  • Avner Levin, Director of the Privacy and Cyber Crime Institute at Ryerson University, Associate Professor at the Ted Rogers School of Management, and Chair of the Law & Business Department
  • Sharon Polsky, President of the Privacy and Access Council of Canada


Cyber-security in 2014: What we learned from the Heartbleed bug

Parsons warned that the fallout from Heartbleed may not be over for web users.

We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information is likely to be leaked by hackers, putting users at risk for additional hacks.

The problem is hackers could leak this information at any time.

“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.

“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.

“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”


Should you worry about social media surveillance?


Is Uber’s rider database a sitting duck for hackers?

Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision – where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.


FFS SSL

I just set up SSL/TLS on my web site. Everything can be had via https://wingolog.org/, and things appear to work. However the process of transitioning even a simple web site to SSL is so clownshoes bad that it’s amazing anyone ever does it. So here’s an incomplete list of things that can go wrong when you set up TLS on a web site.

Now you start to add secure features to your web app, safe with the idea you have SSL. But better not forget to mark your cookies as secure, otherwise they could be leaked in the clear, and better not forget that your website might also be served over HTTP. And better check up on when your cert expires, and better have a plan for embedded browsers that don’t have useful feedback to the user about certificate status, and what about your CA’s audit trail, and better stay on top of the new developments in security! Did you read it? Did you read it? Did you read it?

It’s a wonder anything works. Indeed I wonder if anything does.

Without any doubt this is one of the better(?) rants about SSL/TLS that I’ve read recently. And given my own recent experiences in setting up SSL/TLS on another site I entirely empathize: it was a horrible experience that involved tracking down what was causing things to break, when they were breaking, and how to remedy them. It was a non-trivial learning experience and that was a very simple site. Large sites… well, I shudder to consider the work entailed in securing them.

(As a sidenote: yes, SSL/TLS is broken. But it adds friction to mass surveillance processes and at little cost to the visitor of websites/users of web services. It’s a pain for those delivering content, but that’s a pain that it’s arguably appropriate for those content providers to bear.)
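Three of the pitfalls the rant lists (cookies set without the Secure flag, a plain-HTTP endpoint that keeps serving content instead of redirecting, and a certificate quietly approaching expiry) can be checked mechanically. The script below is an added example, not code from the post or from wingolog.org; the helper functions evaluate captured response data so they run offline, and `audit_live` (an assumed name) shows how to feed them from a real host.

```python
"""Check three of the TLS-deployment pitfalls listed above.

Added example, not code from the original post or from wingolog.org.
The helpers take already-captured values (Set-Cookie headers, a redirect
status and Location, the certificate's notAfter string) so they run
offline; audit_live (an assumed name) feeds them from a live host.
"""
import http.client
import ssl
from datetime import datetime, timezone


def insecure_cookies(set_cookie_headers):
    """Names of cookies set without the Secure attribute (they would leak over HTTP)."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        if "secure" not in {p.lower() for p in parts[1:]}:
            missing.append(name)
    return missing


def redirects_to_https(status, location):
    """True if a plain-HTTP response sends the client to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def days_until_expiry(not_after, now):
    """Days left on a certificate, given the notAfter string from ssl getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def audit_live(host, warn_days=30):
    """Query a real host on ports 80 and 443 (network required) and list findings."""
    findings = []
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    resp = plain.getresponse()
    if not redirects_to_https(resp.status, resp.getheader("Location")):
        findings.append("port 80 serves content instead of redirecting to https")
    plain.close()
    tls = http.client.HTTPSConnection(host, 443, timeout=10, context=ssl.create_default_context())
    tls.request("GET", "/")
    resp = tls.getresponse()
    for name in insecure_cookies(resp.headers.get_all("Set-Cookie") or []):
        findings.append(f"cookie {name!r} is set without the Secure flag")
    days = days_until_expiry(tls.sock.getpeercert()["notAfter"], datetime.now(timezone.utc))
    if days < warn_days:
        findings.append(f"certificate expires in {days} days")
    tls.close()
    return findings
```

Running `audit_live("example.org")` prints nothing itself; an empty list means none of the three checks fired, which is a starting point rather than a clean bill of health.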