Categories
Links Writing

Attacks on the Press: A Moving Target – Committee to Protect Journalists:

While not every journalist is an international war correspondent, every journalist’s cellphone is untrustworthy. Mobile phones, and in particular Internet-enabled smartphones, are used by reporters around the world to gather and transmit news. But mobile phones also make journalists easier to locate and intimidate, and confidential sources easier to uncover. Cellular systems can pinpoint individual users within a few meters, and cellphone providers record months, even years, of individual movements and calls. Western cellphone companies like TeliaSonera and France Telecom have been accused by investigative journalists in their home countries of complicity in tracking reporters, while mobile spying tools built for law enforcement in Western countries have, according to computer security researchers working with human rights activists, been exported for use against journalists working under repressive regimes in Ethiopia, Bahrain, and elsewhere.


“Reporters need to understand that mobile communications are inherently insecure and expose you to risks that are not easy to detect or overcome,” says Katrin Verclas of the National Democratic Institute. Activists such as Verclas have been working on sites like SaferMobile, which give basic advice for journalists to protect themselves. CPJ recently published a security guide that addresses the use of satellite phones and digital mobile technologies. But repressive governments don’t need to keep up with all the tricks of mobile computing; they can merely set aside budget and strip away privacy laws to get all the power they need. Unless regulators, technology companies, and media personnel step up their own defenses of press freedom, the cellphone will become journalists’ most treacherous tool.

Network surveillance is a very real problem that journalists and, by extension, their sources have to account for. The problem is that many of the security tools used to protect confidential communications are awkward to use, awkward to provide to sources, and difficult to use correctly without network censors detecting the communication. Worst is when journalists simply externalize risk, putting sources in danger in the service of ‘getting the story’ in order to ‘spread the word.’ Such externalization is unfortunately common and generates fear and distrust of journalists.

Categories
Aside Links

What Canadian Political Parties Know About You

Colin J. Bennett, writing in Policy Options, explains how Canadian political parties collect and use voters’ personal information. It’s a quick, and valuable, read; highly recommended.

Categories
Aside Links

If You Can’t Breach the OS, Target Developer Watering Holes

F-Secure has a good, quick overview of the recent attacks against Facebook, Twitter, and (presumably) other mobile developers. Significantly, we’re seeing an uptick in attacks against developers rather than just against platform manufacturers. The significance? Even though the phone OS may be ‘secure’, the applications you’re loading onto those devices may have been compromised at inception.

Smartphones: the source of anxiety and worry for IT managers that keeps on going.

Categories
Links Writing

Facebook: Yes, it can get more invasive

Grace Nasri has a good – if worrying – story that walks through how Facebook could soon use geolocational information to advance its digital platform. One item that she focuses on is Facebook’s existing terms of service, which are vague enough to permit the harvesting of such information already. Unscientific as the reaction is, I think that the company’s focus on knowing where its users are is really, really creepy.

I left Facebook after seeing they’d added phone numbers to my Facebook contacts for people who’d never been on Facebook, who didn’t own computers, and for whom I didn’t even have the phone numbers. Seeing that Facebook had the landline numbers for my 80-plus-year-old grandparents was the straw that broke my back several years ago; I wonder if this degree of tracking will encourage other Facebook users to flee.

Categories
Links

What Sophisticated Security Tests Should Look Like

Facebook and a few other large corporations understand just how serious contemporary data intrusions and exfiltrations are. They spend a lot of money preparing for attacks. Why, if private companies are taking collected data so seriously, do our governments seem to remain so cavalier with their data collection, retention, and security practices?

Categories
Links Writing

Lawful Access is Dead, Long Live Lawful Intercept!

So, the takeaway from this post is that Industry Canada’s proposed modifications significantly expand the volume and types of communications that ISPs must be able to intercept and preserve. Further, the Department is considering expanding interception requirements across all wireless spectrum holders; it needn’t just affect the LTE spectrum. We also know that Public Safety is modifying how ISPs have to preserve information related to geolocational, communications content, or transmission data. Together, these Departments’ actions are expanding government surveillance capacities in the absence of the lawful access legislation.

Industry Canada’s and Public Safety’s changes to how communications are intercepted should be put on hold until the government can convince Canadians about the need for these powers, and pass legislation authorizing the expansion of government surveillance. Decisions that are made surrounding interception capabilities are not easily reversed because once the technology is in place it is challenging to remove; as such, the government’s proposed modifications to intercept capabilities should be democratically legitimated before they are instantiated in practice.

Categories
Links Writing

Fragmentation leaves Android phones vulnerable to hackers

Via the Washington Post:

“You have potentially millions of Androids making their way into the work space, accessing confidential documents,” said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the ACLU. “It’s like a really dry forest, and it’s just waiting for a match.”

The high degree of fragmentation in the Android ecosystem is incredibly problematic; fragmentation combined with delays in providing updates effectively externalizes the security problems stemming from mobile OS vulnerabilities onto individual owners of phones. Those owners are (typically) the parties least able, in the owner/carrier/manufacturer/OS creator relationship, to remedy the flaws. At the moment, Google tends to (try to) respond to flaws promptly. The manufacturers and vendors then have to certify and process any updates, which can take months. It’s inexcusable that these parties can not only sit on OS updates but can also continue to knowingly sell vulnerable phones.

Imagine if, after a car line was reported to have some problem that required the line’s recall and refurbishment, dealers continued to sell the car. They didn’t even notify the person buying the car that there was a problem, just that ‘enhancements’ (i.e. the seat no longer ejected when you hit something at 60 km/h, plus a cool new clock display on the dashboard) were coming. The dealers would be subject to some kind of legal action or, failing that, consumers could choose to work with dealers who sold safe cars. Why, exactly, aren’t phone carriers being subjected to the same scrutiny and held to the same safety standards?

Categories
Links

Packets of Death

cleverhacks:

very nice detective work, in which we discover that a single ill-favored packet can completely kill certain Intel gigabit NICs (to the point that a power cycle is required to resurrect them). Excellent writeup (and I discovered a new tool: open source packet generation suite Ostinato, which aims to be “wireshark in reverse”).

The significance, via Slashdot: “With a modified HTTP server configured to generate the data at byte value (based on headers, host, etc) you could easily configure an HTTP 200 response to contain the packet of death and kill client machines behind firewalls!”

Categories
Links

South Korea to Ban Profanity and Porn from Teens’ Smartphones?

The supposed ban is meant, in part, to crack down on cyberbullying. To be clear, such bullying is serious, but introducing security deficits into smartphones – for the children! – really isn’t the way to solve this social problem. You don’t solve social ills by turning to technological filters and blocks. Especially not when trying to get between a teenager and porn.

Categories
Links Writing

Casey Johnston!: I have this seminar I’m running for free for college students and I’m…

caseyj:

I have this seminar I’m running for free for college students and I’m going to show them this picture before we start. It’s a picture of someone graduating from college. You can’t tell, but you can guess that they’re probably $150,000 in debt. Written on the top of their mortarboard with masking tape it says, “Hire me.” The thing about the picture that’s pathetic, beyond the notion that you need to spam the audience at graduation with a note saying you’re looking for a job, is that you went $150,000 in debt and spent four years of your life so someone else could pick you. That’s ridiculous. It really makes me sad to see that.

While I understand what Seth Godin is suggesting, I also think that it’s largely reflective of his incredibly privileged position. When people are leaving schools with that amount of debt, with knowledge that they want to start a family and not suffer (total) financial ruin by starting something and failing, then those individuals may quite reasonably want full-time regular employment.

Godin’s most common response is that ‘such employment doesn’t really exist anymore – so adapt!’ While it’s a great response for some people who are willing to take on heightened risks in their lives, it isn’t one that ought to be imposed on all individuals. Moreover, the thought that it’s “ridiculous” to want to be picked and work at a meaningful job and launch a career with a business that is compatible with your training and expertise shouldn’t make anyone sad. Instead, what should be “sad” is that such aspirations are less and less likely to be realized as companies abandon long-term commitment to employees and instead harden their ‘flexible’ hiring strategies that facilitate profits at the expense of human life.