Category: Links

Categories
Links

US Government’s Harassment Made Visible

When your government behaves in such a way that innocent citizens are forced to act as a spies to keep safe, then it’s evident that something has gone terribly awry. Laura Poitras, an American citizen and journalist, now lives like a spy: under the constant pressure of potential government harassment and surveillance of herself, her sources, and anyone that is particularly close to her.

Her crime? Being an award winning filmmaker who has produced films addressing the negative impacts of American imperialism abroad.

Glenn Greenwald has a terrific piece that unpacks what it means to be a prominent journalist, activist, or simple government contrarian who is willing to take entirely legal actions against the American state. Actions like speaking up or otherwise exercising basic civil rights. I won’t lie: it’s a long piece, probably not something you can skim in 2-3 minutes. But if you only read one thing that holds your attention for 10-15 minutes today, go read Glenn’s piece. It’s eye opening.

As a teaser:

In many instances, DHS agents also detain and interrogate her in the foreign airport before her return, on one trip telling her that she would be barred from boarding her flight back home, only to let her board at the last minute. When she arrived at JFK Airport on Thanksgiving weekend of 2010, she was told by one DHS agent — after she asserted her privileges as a journalist to refuse to answer questions about the individuals with whom she met on her trip — that he “finds it very suspicious that you’re not willing to help your country by answering our questions.” They sometimes keep her detained for three to four hours (all while telling her that she will be released more quickly if she answers all their questions and consents to full searches).

Poitras is now forced to take extreme steps — ones that hamper her ability to do her work — to ensure that she can engage in her journalism and produce her films without the U.S. Government intruding into everything she is doing. She now avoids traveling with any electronic devices. She uses alternative methods to deliver the most sensitive parts of her work — raw film and interview notes — to secure locations. She spends substantial time and resources protecting her computers with encryption and password defenses. Especially when she is in the U.S., she avoids talking on the phone about her work, particularly to sources. And she simply will not edit her films at her home out of fear — obviously well-grounded — that government agents will attempt to search and seize the raw footage.

(Read More)

 

Categories
Links Writing

Incumbent Beats Competitor. Again.

A major challenge facing Canada’s “new” mobile companies is this: how can they extend network coverage across Canada to increase the utility of their product offerings? One way they address the challenge involves entering roaming agreements with incumbent carriers. As Wind Mobile is finding out, Rogers Communications is willing to both do the least possible to enable roaming and fight at the CRTC to maintain this minimal standard.

Specifically, from The Telecom Blog we find that

…Wind Mobile complained again to the CRTC stating that Rogers continues to discriminate against its roaming customers. Though RIM managed to muster support from the Consumer Association of Canada, the CRTC has ruled again in favor of Rogers. The upstart carrier claims that currently there’s no way for Wind subscribers to continue a live call when they hop onto Rogers network. The call is dropped and the subscribers are forced to redial.

Though Wind has been lobbying hard to get seamless roaming onto the Rogers network, the CRTC declined the request stating that “in view of its determination that RCP had not granted itself a preference, it would be inappropriate to deal with the issue of mandating seamless call transition.”

Needless to say, these are the actions of an incumbent doing what it can to limit the appeal of competitors’ products. The reason that Rogers wasn’t found to have granted itself a preference was because Rogers hadn’t rejigged their network in response to the roaming agreement: Rogers simply made the decision not to make technical improvements that would enable seamless live call transitions.

Much of the issue around transitions, and other telecom-related battles between incumbents and competitors in Canada, stem from the CRTC’s basic position that the Canadian telecommunications market should be directed by facilities-based competition. In other words, the position is (generally stated!) that competitors are recognized as temporarily needing access to incumbent networks when they first incorporate, but that the same competitors should build out their own infrastructure over time.

This CRTC’s preferred mode of competition is incredibly expensive and is arguably redundant; structural separation is postulated as one means of addressing the issue, as are spectrum sharing, and improved infrastructure sharing agreements that are driven by federal institutions’ fiats. Regardless of the particular solution you favour – if you see a problem as existing, in the first place! – something should be done to better enable new competitors in Canada. The CRTC theoretically attempts to promote market competition so that services are less costly for Canadians while simultaneously ensuring that offered services are of high quality and are efficient. Where something so basic as call transitions isn’t addressed, one has to wonder whether some federal institution shouldn’t be a lot more involved than they are in enabling competition in Canada’s mobile marketplace.

Categories
Links Writing

Major Critical Infrastructure Vulnerabilities Disclosed

For years, researchers have warned that the systems that run critical infrastructure have systemic and serious code-based vulnerabilities. Unfortunately, governments have tended to use such warnings as a platform to raise ‘cyber-warfare’ arguments. Many such arguments are thinly-disguised efforts to assert more substantive government surveillance and control over citizens’ rights and expressions of freedom. Few of these arguments genuinely address the concerns researchers raise.

In the face of governmental lacklustre efforts to secure infrastructure, researchers have disclosed critical vulnerabilities in many of the systems responsible for manufacturing facilities, water and waste management plants, oil and gas refineries and pipelines, and chemical production plants. What’s incredibly depressing is this:

The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC—essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.

These kinds of ‘attacks’ or ‘exploits’ are possible because the most basic security precautions are not integrated into the logic controllers running such infrastructure. On the one hand this makes sense: many PLCs and the infrastructure they are embedded in were created and deployed prior to ‘the Internet’ being what it is today. On the other, however, one has to ask: if the money spent on security theatre at airports had been invested in hardening actual PLCs and other infrastructure, where would critical infrastructure security be today?

Categories
Links

US Looking to Expand CALEA?

From the New York Time we find that American officials are campaigning for updates to CALEA, a surveillance bill that was passed in 1994. The officials claim updates are needed because

some telecommunications companies in recent years have begun new services and made system upgrades that caused technical problems for surveillance.

Albert Gidari Jr., a lawyer who represents telecommunications firms, said corporations were likely to object to increased government intervention in the design or launch of services. Such a change, he said, could have major repercussions for industry innovation, costs and competitiveness.

“The government’s answer is ‘don’t deploy the new services — wait until the government catches up,’ ” Mr. Gidari said. “But that’s not how it works. Too many services develop too quickly, and there are just too many players in this now.”

In essence, it appears that the US government is advocating for updates to their laws that are similar to provisions in Canada’s lawful access legislation. The tabled Canadian legislation includes provisions that preclude interception capabilities from degrading over time (Section 8), mandate that interception capabilities continue to meet government requirements as telecommunications services providers upgrade their services (Section 9), and require new software and product offerings to be compliant with interception demands (Section 11). It would seem that, without these provisos, CALEA is showing its age: ISPs are deploying services that ‘break’ existing wiretap capabilities and that it takes some time to restore those capabilities. ISPs innovate, and then surveillance catches up.

Of course, it’s useful to remember that none of the details surrounding the FBI’s problems in maintaining wiretaps is really made clear in the article. The sources that the reporter draws upon are primarily from law enforcement agencies and, as we have seen in Canada and in prior US legislative gambits, such agencies are prone to overstating problems and understating their complicity in generating/maintaining them. It’s also unclear just how ‘impaired’ investigations actually were. In essence, a full accounting of the alleged problems is needed, and the accounting ought to be public. If the American public is going to shell out more money for surveillance, and potentially endanger next-generation telecommunications services’ innovative potentials, then the government has to come totally clean about their allegations so that a rational and empirically-grounded debate can occur.

Categories
Links Writing

Surprise: American Equipment Spies on Iranians

Steve Stecklow, for Reuters, has an special report discussing how Chinese vendor ZTE was able to resell American network infrastructure and surveillance products to the Iranian government. The equipment sold is significant;

Mahmoud Tadjallimehr, a former telecommunications project manager in Iran who has worked for major European and Chinese equipment makers, said the ZTE system supplied to TCI was “country-wide” and was “far more capable of monitoring citizens than I have ever seen in other equipment” sold by other companies to Iran. He said its capabilities included being able “to locate users, intercept their voice, text messaging … emails, chat conversations or web access.”

The ZTE-TCI documents also disclose a backdoor way Iran apparently obtains U.S. technology despite a longtime American ban on non-humanitarian sales to Iran – by purchasing them through a Chinese company.

ZTE’s 907-page “Packing List,” dated July 24, 2011, includes hardware and software products from some of America’s best-known tech companies, including Microsoft Corp, Hewlett-Packard Co, Oracle Corp, Cisco Systems Inc, Dell Inc, Juniper Networks Inc and Symantec Corp.

ZTE has partnerships with some of the U.S. firms. In interviews, all of the companies said they had no knowledge of the TCI deal. Several – including HP, Dell, Cisco and Juniper – said in statements they were launching internal investigations after learning about the contract from Reuters.

The sale of Western networking and surveillance equipment/software to the Iranian government isn’t new. In the past, corporate agents for major networking firms explained to me the means by which Iran is successfully importing the equipment; while firms cannot positively know that this is going on, it’s typically because of an intentional willingness to ignore what they strongly suspect is happening. Regardless, the actual sale of this specific equipment – while significant – isn’t the story that Western citizens can do a lot to change at this point.

Really, we should be asking: do we, as citizens of Western nations, believe that manufacturing of these kinds of equipment is permissible? While some degree of surveillance capacity is arguably needed for lawful purposes within a democracy it is theoretically possible to design devices such that they have limited intercept and analysis capability out of the box. In essence, we could demand that certain degrees of friction are baked into the surveillance equipment that is developed, and actively work to prevent companies from producing highly scaleable and multifunctional surveillance equipment and software. Going forward, this could prevent the next sale of significant surveillance equipment to Iran on grounds that the West simply doesn’t have any for (legal) sale.

In the case of government surveillance inefficiency and lack of scaleability are advantageous insofar as they hinder governmental surveillance capabilities. Limited equipment would add time and resources to surveillance-driven operations, and thus demand a greater general intent to conduct surveillance than when authorities have access to easy-to-use, advanced and scalable, surveillance systems.

Legal frameworks are insufficient to protect citizens’ rights and privacy, as has been demonstrated time and time again by governmental extensions or exploitations of legal frameworks. We need a normatively informed limitation of surveillance equipment that is included in the equipment at the vendor-level. Anything less will only legitimize, rather than truly work towards stopping, the spread of surveillance equipment that is used to monitor citizens across the globe.

Categories
Links Writing

Huawei Blocked on National Security Grounds

We recently learned that the Australian government had blocked Huawei from tendering contracts for Australia’s National Broadband Network. The government defended their position, stating that:

As such, and as a strategic and significant government investment, we have a responsibility to do our utmost to protect its integrity and that of the information carried on it.

Of note, internally Huawei had been a preferred choice but the company was ostensibly blocked for political/security, rather than economic, reasons. This decision isn’t terribly surprising given that American, Australian, and United Kingdom national intelligence and security agencies have all come out against using Huawei equipment in key government-used networks. The rationale is that, even were a forensic code audit possible (and likely wouldn’t be, on grounds that we’re talking millions of lines of code) it wouldn’t be possible to perform such an audit on each and every update. In effect, knowing that a product is secure now isn’t a guarantee that the product will remain secure tomorrow after receiving a routine service update. The concern is that Huawei could, as a Chinese company, be compelled by the Chinese government to include such a vulnerability in an update. Many in the security community suspect that such vulnerabilities have already been seeded.

Does this mean that security is necessarily the real reason for the ‘national security card’ being played in Australia? No, of course not. It’s equally possible that calling national security:

  • let’s the government work with a company that it already has ties with and wants to support;
  • is the result of the government being enticed – either domestically or from foreign sources – to prefer a non-Huawei alternative;
  • permits purchases of a non-Huawei equipment from vendors that are preferred for political reasons; perhaps buying Chinese goods just wouldn’t be seen as a popular move for the government of the day.

Moreover, simply because Australia isn’t tendering contracts from Huawei doesn’t suggest that whatever equipment is purchased will be any more secure. In theory, were Cisco equipment used to power the National Broadband Network then the American government could similarly compel Cisco to add vulnerabilities into routers.

In part, what this comes down to is who do you trust to spy on you? If you see the Americans as more friendly and/or less likely to involve themselves closely in your matters of state, then perhaps American companies are preferred over your economic and geographical next-door neighbours.

I should note, just in closing, that Huawei has contracts with most (though not quite all) of Canada’s largest mobile and wireline Internet companies. Having spoken with high-level governmental officials about security concerns surrounding Huawei’s equipment there seems to be a total lack of concern: just because GCHQ, NSA, and ASIO have publicly raised concerns about the company’s equipment doesn’t seem to raise any alarm bells or worries with our highest government officials.

Categories
Links Writing

The Problems With Smartphone Password Managers

In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.

Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.

In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.

The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.

Abstract:

In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection

Access the paper (.pdf)

The Problems With Smartphone Password Managers

Categories
Links

A Pedophile Survivor on Bill C-30

Anne Rector gives voice to many who were systematically abused as children and who, often as a result of the abuse, are now ardent protectors of basic privacy rights. From her piece:

While I’m fairly openly about many things, my privacy has been savagely breached quite enough in this life. I should be able to preserve the tatters of personal privacy that remain, as I wish.

But this Conservative crime bill targets my privacy’s safeguards, and it’s inappropriate of politicians to use ‘pedophiles’ to strip me of them.

Just try claiming that I support child pornographers… and I’ll impart what fierce really is.

Go read the piece. It’s short. It does a good job identifying just how hurtful and harmful the Canadian Government’s equivalency of privacy advocates and child pornographers is for those who have suffered at the hands of child abusers.

Categories
Links

Fallout from Comodo and DigiNotar Hacks Continues

The hacking of major certificate authorities, Comodo and DigiNotar, has been somewhat addressed by certificate blacklists and revocations. Despite these measures, however, the fallout of the hacks continues. As picked up by PC Magazine,

This week Kaspersky has discovered malicious droppers – programs that install malware – bearing stolen VeriSign certificates originally issued to a Swiss company called Conpavi AG.

One of the droppers carries a 32-bit driver containing a malicious DLL, which gets injected into your Internet browser process. A malicious 64-bit dropper injects the DLL directly.

From there, the DLL reroutes all your search queries in Google, Yahoo!, and Bing, to a pay-per-click search engine called Search 123. Search 123 makes money off people who search and click on their results.

As a colleague of mine commented, this is just another nail in X.509’s coffin. Let’s just hope that not too many innocents are buried along with it.

Categories
Links

Google Chrome Addons Fingerprinting

Krzysztof Kotowicz has recently published the first part of a Chrome hacking series. In what went up mid-March, he provides the proof of concept code to ID the addons that users have installed. (The live demo – avoid if you’re particularly privacy conscious – is here.) There are various advantages to knowing what, specifically, browser users are running:

  • It contributes to developing unique browser fingerprints, letting advertisers track you passively (i.e. without cookies);
  • It enables an attacker to try and compromise the browser through vulnerabilities in third-party addons;
  • It lets websites deny you access to the site if you’re using certain extensions (e.g. a site dependent on web-based ad revenue might refuse to show you any content if you happen to be running adblock or Ghostery)

Means of uniquely identifying browsers have come and gone before, and this will continue into the future. That said, as more and more of people’s computer experiences occur through their browsers an ever-increasing effort will be placed on compromising the primary experience vector. It will be interesting to see if Google – and the other major browser vendors – decide to see this means of identifying customer-selected elements of the browser as a possible attack vector and consequently move to limit addon-directed surveillance.