Steve Stecklow is one of the few reporters who has continued to write about Iran’s acquisition of surveillance equipment for the past several years. At this point he has a good grasp of how the technology gets into the country, what’s done with it, and why and how vendors are evading sanctions. His article earlier this year provides a good look at how Huawei and ZTE alike have sold ‘lawful intercept’ equipment to the Iranian government. I’d highly recommend taking a look at what he’s written.
Ron Amadeo has a terrific and comprehensive post on all the various Android UI issues. Well worth the read if UI and UX is something you pay attention to.
The issue here is that data reduced to paper form loses much of its usefulness. The effect is to take power away from the recipient of the data (and by extension in this case from you as a citizen) and conserve it in a government institution as much as possible. Unless the user is bloody-minded enough to re-enter it manually, which of course is only possible at a certain scale.
Feudalism 2.0
Bruce Schneier has a clever piece discussing the contemporary model of ‘feudal security’, where users have committed themselves to differing lords of the Internet. As a taste:
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.
These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them – or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.
Feudalism provides security. Classical medieval feudalism depended on overlapping, complex, hierarchical relationships. There were oaths and obligations: a series of rights and privileges. A critical aspect of this system was protection: vassals would pledge their allegiance to a lord, and in return, that lord would protect them from harm.
Of course, I’m romanticizing here; European history was never this simple, and the description is based on stories of that time, but that’s the general model.
And it’s this model that’s starting to permeate computer security today.
The rest of the piece is clever; highly recommend taking a read.
Kudos to the mayor of Saanich for, you know, obeying BC law with regards to ubiquitous license plate surveillance technologies that have been found to violate BC law. As the mayor says,
“Certainly [Saanich police] are finding it a useful tool, but because this thing is hosted by the RCMP, who isn’t subject to this oversight, there’s a glitch there,” Leonard said.
“Until it gets sorted out, we just voluntarily suspended use.”
It’s good to see ‘voluntary’ decisions to not violate BC law. Guess now we wait and see whether the other mayors of BC take similarly strong stances.
WPA2-PSK is recognized as a pretty reasonable way for most consumers to secure their wifi access point. That said, this mechanism falls pretty flat on its face when router manufacturers screw up, and it looks like Belkin has screwed up badly. From a Register article we see that:
Each of the eight characters of the default passphrase are created by substituting a corresponding hex-digit of the WAN MAC address using a static substitution table. Since the WAN MAC address is the WLAN MAC address + one or two (depending on the model), a wireless attacker can easily guess the wan mac address of the device and thus calculate the default WPA2 passphrase.
This is just a really poor mechanism to calculate the password. At least the manufacturer has been totally silent on the issue, and unwilling to disclose how they intend to defray potential attacks; this gives the possibility that Belkin’ll fix things instead of just abandoning consumers (which seems to be, sadly, a pretty default vendor response when their errors undermine users’ privacy and security). Here’s hoping that Belkin decides to not be like most router vendors…
The Rationale for Retaining Passwords
Alec Muffett has a terrific piece that clearly articulates why, exactly, passwords are beneficial elements of a broader security apparatus. He also notes core ‘risks’ associated with passwords, and how many of these risks can be defrayed (spoiler alert: just use a strong password management system).
On Masons, Cryptography, and History
Wired has a terrific piece that details how a secret order in the 18th century used a combination of cryptography, obfuscation, and operational secrecy to either spy on the Masons, or keep the Masonic traditions and rituals alive during a time of persecution. It’s a longer read, but worth your time. Wired’s article also demonstrates the value of academic freedom: it gives scholars the ability to explore and solve intriguing problems. Their work may never provide a monetary ‘return on investment’ but it will likely enrich society and culture nevertheless.
Axel Arnbak and Nico van Eijk have a thought-provoking paper about regulating systematic vulnerabilities in the HTTPS value chain. They focus on constitutional values to establish a baseline to measure regulation against; it’s a clever move that offers a good lens to critique legislative efforts meant to regulate SSL. The paper is here, and the full abstract is below:
Hypertext Transfer Protocol Secure (‘HTTPS’) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and business. In only one decade, it has facilitated trust in a thriving global E-Commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.
Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a collapse of trust in these central mediators of HTTPS communications as they revealed ‘fundamental weaknesses in the design of HTTPS’ (ENISA 2011). In particular, the breach at Dutch CA Diginotar shows how a successful attack on one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL-certificates for any given website or service. Moreover, Diginotar kept the breach silent. So for 90 days, web browsers continued to trust Diginotar certificates, enabling attackers to intercept the communications of 300.000 Iranians. In its aftermath, Dutch public authorities overtook operations at Diginotar and convinced Microsoft to delay updates to its market-leading web browser to ensure ‘the continuity of the internet’. These bold interventions lacked a legitimate basis.
While serving as the de facto standard for secure web browsing, in many ways the security of HTTPS is broken. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem.
To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper then explores the rationales for regulatory intervention, discusses the EU eSignatures Regulation and abstracts from the EU proposal to develop general insights for HTTPS governance. Our findings should thus be relevant for anyone interested in HTTPS, cybersecurity and internet governance – both in Europe and abroad.
HTTPS governance apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of communication.
In the long term, a robust technical and policy overhaul must address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem. On the short term, specific regulatory measures to be considered throughout the value chain may include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions.
The research finds that the EU eSignatures proposal lacks an integral vision on the HTTPS value chain and a coherent normative assessment of the underlying values of HTTPS governance. These omissions lead to sub-optimal provisions on liability, security requirements, security breach notifications and supervision in terms of legitimacy and addressing the systemic security vulnerabilities of the HTTPS ecosystem.
In his most recent op-ed, Morozov offers a good, if common, argument. Specifically, he argues that:
Quaint prudishness, excessive enforcement of copyright, unneeded damage to our reputations: algorithmic gatekeeping is exacting a high toll on our public life. Instead of treating algorithms as a natural, objective reflection of reality, we must take them apart and closely examine each line of code.
While I tend to agree with him, it’s important to recognize the actual value of what he’s written: he’s made rapidly accessible (though, with less subtlety) what ethicists and scholars of contemporary digital technology have been writing about for over a decade. Read what he’s written – it’s good – but rather than stopping there go on to read Winner’s The Whale and the Reactor, sections from DeNardis’ excellent Opening Standards, and Lessig’s Code. In essence, it’s not that Morozov’s written anything badly, but what he’s written just touches the tip of the iceberg.