Rob Graham has a good look at the challenges facing SandForce controllers – which are used by a large number of the solid state hard drives on the consumer market – as related to disk encryption. I highly recommend reading it but, if you just don’t have the time, here’s the key takeaway: “The problem with a SandForce controller is that all its features are lost when using full disk encryption, but all its downsides remain. Thus, if you plan on using an SSD for your notebook computer, you should plan on getting something other than a SandForce controller.”
Category: Links
In a word: No.
Nulpunt is an online database that lets individuals subscribe to topics and, when a freedom of information request on the topic becomes available, ‘pushes’ the content to the user. This mediates the present format for such requests, where individuals tend to be hunting for specific information and the population generally has no effective means to see or understand the information divulged to fellow citizens.
The aspiration of the service is that government secrecy can be undermined by making information more prominently available. I’m not confident that this can possibly be the case because the service fails to address the primary means by which states keep citizens in the dark: it does not prevent state agents from refusing requests nor from redacting significant elements from released documents.
While it may be effective in nations such as the Netherlands, which have recently adopted new transparency laws, I can’t imagine Canada or the US moving to entirely new document release processes without a significant stick. Nulpunt is not, and cannot, function as that stick so long as governments refuse to recognize their situatedness as servants, rather than masters, of the population at large.
The risks that onerous copyright laws pose for law enforcement are rarely considered, despite such laws (potentially) threatening national security operations. In Sweden, following efforts to dissuade file sharing, the population is increasingly moving to encrypted VPN connections to continue their sharing. From an article over at Torrentfreak,
according to new research from the Cybernorms research group at Sweden’s Lund University, an increasing proportion of the country’s population are taking measures to negate the effects of spying on their online activities.
The study reveals that 700,000 Swedes now make themselves anonymous online with paid VPN services such as The Pirate Bay’s iPredator.
What does this have to do with law enforcement? As the Swedish population moves to encrypted communications it limits authorities’ insights into the data traffic moving through Swedish networks. Consequently, the copyright lobby is (unintentionally) increasing the challenges of applying digital ‘wiretaps’ on Swedish citizens. While not something that the copyright lobbies are necessarily concerned with, these developments can be problematic for national security agencies.
I’m not advocating that communications should necessarily be easier for such agencies to investigate – far from it – but do I think that before aligning legislative efforts with copyright groups it is critical for legislators to think of the broader implications associated with ‘strong’ copyright laws. While such laws might dissuade some file sharing, are the benefits derived from limiting file sharing sufficient to justify disadvantaging national security and intelligence operation?
A great of speculation exists around mobile companies of all stripes: are they secure? Do they secretly insert backdoors for government? What kinds of assurances do customers and citizens have around the devices?
Recently these concerns exploded (again) following a Reuters article that notes serious problems in ZTE mobile phones. There are a series of reasons that security agencies can, and do, raise concerns about foreign built equipment (some related more to economics than good security practice). While it’s possible that ZTE’s vulnerabilities were part of a Chinese national-security initiative, it’s entirely likely (and more probable) that ZTE’s backdoor access into their mobiles is a genuine, gigantic, mistake. Let’s not forget that even ‘our’ companies are known for gross security incompetence.
In the ZTE case it doesn’t matter if the backdoor was deliberate or not. It doesn’t matter if the company patches the devices, either, because a large number of customers will never apply updates to their phones. This means that, for all intents and purposes, these devices will have well publicized security holes for the duration of their existence. It’s that kind of ongoing vulnerability – one that persists regardless of vendor ‘patches’ – that is increasingly dangerous in the mobile world, and a threat that is arguably more significant (at the moment) than whether we can trust company X or Y.
National mail carriers are important for loads of reasons, including legal protections around letters carried by them versus those carried by couriers. These mail carriers are far less agile than their private competitors and have been incredibly slow to recognize the need to change existing processes and practices. They desperately need to find new growth avenues to remedy declining gross and net revenues.
As a demonstration of how little Canada Post ‘gets’ the market and business it’s in today, we can turn to this comment:
Canada Post chief executive officer Deepak Chopra foresees a future in which consumers receive and pay their bills, get their paycheques, renew drivers’ licences, pay parking tickets, buy magazines and receive personalized ad pitches – all online, through ePost.
This isn’t a future: it’s the present. The only ‘future’ part of what he is outlining is that all these (already daily) functions would be routed through ePost. Unless Canada Post has an incredible value proposition – security, government mandates, or somehow implementing these functions better than existing services are mechanisms that immediately come to mine – I can’t see how the organization will exist in any semblance of what it is today, tomorrow.
I admit it: I’m really curious to see how NFC technologies are adopted by various vendors and developers. To date, however, the integration has been poor and what adoption there has been tends to focus on payment solutions. Payment solutions scare the crap out of me because they increase the reasons attackers have to compromise my phone: it’s bad enough they want my personal information; I don’t want them after my digital wallet as well!
RIM has a neat bit of technology they’ve recently released, which leverages the NFC functionality in their new phones with Bluetooth pairing systems. Specifically, it enables rapid syncing between phones and audio-output devices (i.e., speakers). While the product is pretty “meh” as released today, it could be pretty exciting were vehicle manufacturers and speaker manufacturers to generally integrate NFC-pairing capabilities with their respective products. It’s presently a pain to listen to music stored on a mobile through vehicle speakers (using Bluetooth) or a friend’s speakers in their home. RIM has offered a partial solution to the Bluetooth pairing problem; now it’s up to the larger ecosystems to actually integrate RIM’s idea in a omnipresent and highly functional way.
Ars Technica has reported that a German court has found a victim of a phishing attack liable for successfully being phished. The finding is, at least in part, based on the bank’s position that they had previously warned customers about phishing attacks.
The court’s placement of liability is significant for a variety of reasons. Of course it’s important that the individual was victimized. The liability placement also defers expenses (likely through insurance) that the bank would have to assume were they at least partially liable for the customers’ actions. This said, we can understand (and perhaps disagree…) that, from a liberal position, individual citizens are responsible for their actions.
What is most significant are the consequences of placing liability on the individual. Specifically, it reduces the incentive that banks have to exercise their influence to address phishing. I’m not suggesting that the banks could hope to eliminate phishing by waving a gold-plated wand, but they are financially in a position to influence change and act on a global scale. Individuals – save for the ultra-rich – lack this degree of influence and power. While banks will be motivated to protect customers – and, more importantly, their customers’ money – if banks were found even partially liable for successful phishing attacks they would be significantly more motivated to remedy these attacks.
Categories
Nice Overview of Encryption Tools
While it’s certainly not definitive, and it doesn’t walk you through using each and every tool, Edwards has a good high-level overview piece that is worth reading.
There genuinely are bad people in the world, individuals and agents who largely exist to cause serious harm to citizens around the world in democratic states. These individuals cannot, however, be permitted to destabilize an entire population nor operate as reasons for totalizing mass surveillance. In the UK an incredibly senior and prominent security and intelligence expert, Sir David Omand, has nevertheless called for the following:
In a series of recommendations to the government, Sir David – the Cabinet Office’s former Security and Intelligence co-ordinator – said out-dated legislation needed to be reformed to ensure an ethical and legal framework for such intelligence gathering, which was clear and transparent.
The report recommends that social media should be divided into two categories, the first being open source information which public bodies could monitor to improve services while not identifying individuals without permission.
On the more contentious category of monitoring private social media, Sir David said it needed to be properly authorised – including the need for warrants when it was considered “genuine intrusion” – only used as a last resort when there was substantial cause and with regard to “collateral damage” to any innocent people who might have been in contact with a suspect.
It must repeatedly, and emphatically, be stated that ‘transparency’ in the intelligence world does not mean that citizens will actually know how collected data is used. Neither does codifying surveillance practices in law minimize citizens’ concerns around surveillance. No, it instead operates as a legal shield that protects those engaged in oft-times secretive actions that are inappropriately harmful to innocent citizens. Such changes in law must be incredibly carefully examined by the public and opposed or curtailed whenever there is even the slightest possibility of abuse or infringement of citizens’ reasonable normative expectations of privacy from state intrusion and surveillance.
The Guardian has an excellent bit of coverage on UK-led rendition practices. These practices entailed collaborating with Libya and China to turn over members of the Libyan Islamic Fighting Group, an anti-Gaddafi organization. Ian Cobain, the journalist, precisely notes the kinds of experiences that UK and American agents subjected members of the organization to during their capture and transit to Libya.
It’s a harrowing read, but important, as it details the significance and associated dangers of the state’s secret extension of powers. It also recognizes that states will ‘turn’ on individuals and groups that they had once supported on the basis of building economic relations with a new ‘friend’. Perhaps most ominously, the article outlines how the secret court processes – where neither the accused nor their counsel are permitted to view or argue about evidence against the accused – have had their rulings ignored. Even the judges in these secret cases cannot impose their power on the state, indicating that arms of the government are entirely divorced from the accountability required for democratic institutions to (normatively) survive.
The only way to stop these kinds of practices is for the public to stop quietly ignoring the erosion of their democracies, civil liberties, and basic freedoms. It remains unclear how this can be done, but given the expansion of the state’s perception of its executive powers, it is imperative that citizens vigorously and actively begin protecting their democracies before the last shreds of democracy are truly lost.
Excited Pixels 