Category: Links

Categories
Aside Links

Ethical hackers say government regulations put information at risk

Ethical hackers say government regulations put information at risk:

Why “white hat” hackers – who cyber security experts argue are vital to security research – are sometimes leery of reporting vulnerabilities.

…according to Parsons, reporting those findings to vendors risks bringing on defamation or SLAPP (Strategic Litigation Against Public Participation) suits – a long and costly legal endeavour.

“Let’s say you discovered that there was vulnerability in something the CRA was running separate to Heartbleed – the CRA purchased that from a vendor, so the vendor would have an interest in that not becoming public because it could damage them,” he said.

“They will say if you disclose this we will sue you – and it might be a SLAPP case, but unless you are well-off financially the cost of defending yourself against a SLAPP suit could cost hundreds of thousands of dollars.”

Global News contacted Shared Services Canada, the agency responsible for IT infrastructures for all government departments, for comment regarding whether outside researchers would be allowed to report vulnerabilities found within government websites without risking legal action.

Shared Services Canada did not immediately respond to a request for comment.

The chilling effect of vulnerability disclosure stems from potential legal liability for reporting vulnerabilities to software vendors. While it’s often (though not always) the case that technical staff understand the problems and may work to mitigate them, things can go to hell pretty quickly once non-technical staff such as legal or public relations get involved.

In effect, the incentive model for White Hats to come forward to help the commons of software users breaks down incredibly quickly in the face of harsh penalties for individuals ‘breaking digital locks’ or found to violate terms of service, penalties that corporate vendors can (and do) leverage in order to maintain their public reputations.

Categories
Links Writing

Low-level federal judges balking at law enforcement requests for electronic evidence

Low-level federal judges balking at law enforcement requests for electronic evidence:

Among the most aggressive opinions have come from D.C. Magistrate Judge John M. Facciola, a bow-tied court veteran who in recent months has blocked wide-ranging access to the Facebook page of Navy Yard shooter Aaron Alexis and the iPhone of the Georgetown University student accused of making ricin in his dorm room. In another case, he deemed a law enforcement request for the entire contents of an e-mail account “repugnant” to the U.S. Constitution.

For these and other cases, Facciola has demanded more focused searches and insisted that authorities delete collected data that prove unrelated to a current investigation rather than keep them on file for unspecified future use. He also has taken the unusual step, for a magistrate judge, of issuing a series of formal, written opinions that detail his concerns, even about previously secret government investigations.

“For the sixth time,” Facciola wrote testily, using italics in a ruling this month, “this Court must be clear: if the government seizes data it knows is outside the scope of the warrant, it must either destroy the data or return it. It cannot simply keep it.”

Broad based access to telecommunications information can be extremely revealing: law enforcement know this, civil advocates (and defence attorneys) know this, and (increasingly) justices know this. And as justices in particular become more cognizant of just what law enforcement agencies are accessing, and of authorities’ decisions to not target their searches but instead collect (and retain) the entirety of people’s personal information, we’ll see more and more pushback against authorities’ overreaches.

Politics and justice tend to move slowly, often to the point where they ‘lag’ a decade or more behind technology and social norms. However, even these conservative systems tend to eventually correct themselves. As federal American judges ‘balk’ at over collection we’ll see these issues of evidence collection rise through the courts until, hopefully, a good ruling is issued by the Supreme Court of the United States. And then we’ll move onto the next overreach that authorities identify and begin exploiting…

Categories
Links Writing

CMHC again moves to tighten mortgage insurance rules as housing market cools

The government continues to engage in (somewhat) quiet actions to reduce its exposure to a mortgage or more general financial crisis. At this point we’ve seen shifts in EI, routine concern about Canadian debt levels and risk of increased interest rates, and now tightening of the mortgage insurance rules. CMHC’s decision parallel’s former Minister Flaherty’s earlier comments, summarized as:

Former finance minister Jim Flaherty had also expressed concern that CMHC had become too large a player in the market, needlessly exposing Canadian taxpayers to risk should there be a housing crash. The agency currently has about $560 billion in outstanding mortgage insurance on its books.

When/if there is a mortgage crisis in Canada that leads to substantial job loss, I don’t think Canadians are going to be thrilled by how their social infrastructures have been quietly reshaped around them. Or the relative lack of monetary policies that are the result of long-term low interest rates. Let’s hope nothing happens to make Canadians practically realize the implications of the past 3-4 years EI, monetary, and now CMHC changes.

Categories
Aside Links

Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA

Canada Bought $50 Million Worth of ‘Secure’ Phone Systems from the NSA:

Technically, the Canadian Prime Minister shouldn’t have to worry about being snooped on. Declassified information on the so-called Five Eyes partnership—an intelligence-sharing agreement between America, Canada, the United Kingdom, Australia, and New Zealand—supposedly forbids the five friendly governments from snooping on each other. But we don’t know what caveats exist in that agreement, because it’s kept top secret. We do know, however, that the NSA was operating in Toronto during the G8 and G20—and that CSE knew about it. That sort of cooperation, Parsons says, is to be expected by the Five Eyes partners.

“There is of course a concern that in the Five Eyes agreement there is an proviso that members of the Five Eyes network can engage in surveillance on other partners if it’s in their sovereign interest,” Parsons said.

It’s certainly interesting (and newsworthy) that Canada is buying cryptographically-secure systems from the NSA, though not necessarily surprising: the NSA is recognized as a leader in this technical space and has economies of scale that could reduce the cost of the equipment. These isn’t, however, any indication whether CSEC examines or tests the devices for backdoors. Presuming that the math hasn’t been compromised, and the phones and faxes aren’t being compromised by our close ally, then there are presumably (relatively) few worries with the Canadian procurement strategy and lots of benefits.

Categories
Aside Links

Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL

Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL:

OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.

That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars.

To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL.

This is really excellent news: the large companies and organizations that rely on open-source critical infrastructure projects need to (ideally) contribute back through either code contributions of financial support. Hopefully we’ll not just see money but efforts to improve and develop the code of these projects, projects which often are the hidden veins that enable contemporary Internet experiences.

Categories
Links Writing

Testing for “reverse” Heartbleed

Testing for “reverse” Heartbleed:

The Heartbleed vulnerabilityin OpenSSL allows a malicious TLS implementation to extract random chunks of memory from an unpatched peer. If you’re not up to speed on Heartbleed, check out the excellent documentation on that site andcheck your servers ASAPto see if you might be vulnerable.

Most of the attention around the Heartbleed attack has focused on the simplest and most obvious scenario: a malicious client attacking an HTTPS server to steal cookies, private keys, and other secrets. But this isn’t the only attack possible: a malicious server can also send bad heartbeat packets to a client that uses OpenSSL and extract data from that client. The TLS heartbeats used in this attack aresymmetric: they can be initiated by either the “client” or the “server” in a TLS connection, and both endpoints use the same vulnerable parsing code.

Importantly, even if the server that you are querying (e.g. Tumblr.com) is patched against this OpenSSL vulnerability the servers behind the front-end of the server may not be. As a result, payment gateways, agents responsible for fetching URLs, some identity federation protocols, and so forth may also be vulnerable. In Meldium’s tests, who have they announced was vulnerable?

  • An unnamed top 5 social network (we’re waiting for confirmation of their fix) that fetched our URL to generate a preview. The memory we extracted from their agent included results from internal API calls and snippets of python source code.
  • Reddit, which can use a URL to suggest a name for a new post, used a vulnerable agent that they’ve now patched. The memory we were able to extract from this agent was less sensitive, but we didn’t get as many samples because they patched so quickly (nice work!).
  • We registered a webhook to our malicious URL at rubygems.org to notify us whenever a gem was published. Within a few minutes, we captured chunks of S3 API calls that the Rubygems servers were making. After the disclosure, they quickly updated OpenSSL and are now protected (really nice work, especially from an all-volunteer staff!).

This is just a very, very small snippet of vulnerable parties. And given how many backend systems will simply not be updated for fear of breaking compatibility (e.g. in the case of payment gateways) this will be a long-term vulnerability.

SSL: the solution to a problem that is persistently generating problems unsolvable by SSL itself.

Categories
Aside Links

How Heartbleed transformed HTTPS security into the stuff of absurdist theater

I think the link between absurdist theatre and SSL certificate revocation checking is a (bit) tenuous, but nevertheless Dan Goodin’s article over at Ars Technica does a good job in describing (in less technical language than Adam Langley’s post) why having your browser check for revoked SSL certificates really isn’t all that effective.

Categories
Aside Links

Google is researching ways to make encryption easier to use in Gmail

Google is researching ways to make encryption easier to use in Gmail:

In response to Edward Snowden’s mass surveillance revelations, Google is working to make complex encryption tools, such as PGP, easier to use in Gmail.

PGP, or Pretty Good Privacy, is an encryption utility that historically has been difficult to break. But Google has “research underway to improve the usability of PGP with Gmail,” according to a person at the company familiar with the matter.

If Google is actually going to throw engineers and designers (most important: lots, and lots, and lots of UI and UX designers!) towards improving the basic usability of PGP that would be incredible. However, given people’s suspicion of the company given the NSA disclosures I have to wonder whether any public offering from Google will be regarded as some kind of a trojan horse by some civil liberties groups and the cynical public alike.

Categories
Aside Links

Outrageous cost estimates for open records requests

Some real gems in that post. Highly recommended if you want to understand why researchers/journalists complain vociferously about the hell of FOIA/ATIP laws.

Categories
Links

Air Canada flight from Vancouver carried child with measles

Air Canada flight from Vancouver carried child with measles:

Health officials in Edmonton are issuing warnings after a passenger who arrived in the city on a flight from Vancouver was later diagnosed with measles, but similar warnings have not been issued in Vancouver.

I think that bad movies, and unpleasant contagious outbreaks, are premised on such realities.