Given how many web sites were vulnerable to the Heartbleed bug, Parsons says there is likely to be a great deal of reflection on how it could have been identified sooner. Some cryptographers have estimated it may have existed for years before it was discovered last week.
This past weekend, Bloomberg News published a story alleging the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data.
The NSA denies the charge, but Parsons says it raises serious questions about the Five Eyes, the surveillance partnership between Canada, the U.S., Great Britain, Australia and New Zealand, which collaborates to detect threats such as Heartbleed.
“This is supposed to be the sort of thing that they’re supposed to find and ideally report,” says Parsons.
“I think over the coming months, we need to figure out if they knew and if they didn’t, why didn’t they, because this is what we pay them to do. And if they did know, then why weren’t they protecting us?”
The NYT has an incredibly depressing view of the way that Brasil is moving forward; while much of it is shared by the citizens of that country, the article is overly one-sided and generally lacks a comprehensive understanding of why some of the cost overruns and setbacks have happened. We read that environmental protections and efforts to work with aboriginal peoples have led to railroads being delayed: why were there such expectations of a smooth and quick development of such railroads in the first place? Perhaps because the ‘frictions’ of such development (i.e. the environment and the people living on the land) had been cast aside?
What is largely missing throughout the piece is the context: why were certain projects put forward and then abandoned? In the absence of such context we’re left with the impression that the setbacks are the result of poor management and bureaucracy but is this the case, or simply the projection of American values onto specific South American infrastructure decisions?
If you’re interested in why it’s so hard to patch a huge portion of the Internet in secret, and what forced the (relatively) early public disclosure of Heartbleed, then this is a good article to read.
The internet is currently atwitter with talk about the Heartbleed bug, an encryption fault which caused a horrific ripple effect in the OpenSSL system that put your passwords at risk on sites like RedTube and Yahoo.
Chris Parsons nearly predicted the CRA’s vulnerability just before they decided to shut down their tax websites, while some of his colleagues and followers criticized the Canadian Cyber Incident Response Centre (CCIRC) for not alerting the public sooner, when it was already obvious the CRA was using a vulnerable version of SSL. Chris discussed the potential ramifications of the CRA’s Heartbleed vulnerability with me:
“A significant amount of highly sensitive tax-related personal information is passed through CRA’s online service gateways. A third party could have, potentially, accessed logins and passwords of Canadians or the private keys of CRA’s services. The former set of information would let that party log into CRA and impersonate the person in question. The latter set of data could let the third party decrypt previously captured client-server information and, as a result, decode not just passwords and logins but also the tax data that individuals provided to CRA.”
First time that I’ve been quoted (extensively) in Vice!
Source: Heartbleed Ripped a Hole in the Internet | VICE Canada
Researchers have discovered a serious security flaw known as the “Heartbleed” bug in the software commonly used by thousands of Websites to encrypt and secure sensitive data being transmitted across the Internet.
This was an absolute gift to intelligence agencies all over the world. And one that was – and is – being widely exploited in the wild by criminals and other unauthorized third parties.
Source: Heartbleed bug found in key encryption technology risks exposing private data
Soon, there will be no way to escape the boss’ urgent email, even if you’re on a plane, as Air Canada announces deal to bring Wi-Fi to the skies.
Not only will you not be able to evade your boss but, given that Air Canada has partnered with GoGo, you’ll also be subject to unnecessarily broad state interception technologies. Air Canada: fly for the high prices, stay for the corporate-enabled excessive state surveillance!
Canadian spy agency head John Forster fielded questions from MPs, and says organization’s focus is foreign intelligence collection, not domestic
Takeaway from the article? CSEC boss “can’t really disclose” what kinds of access it could have to data flowing through Bell, Rogers and Telus.
Back in December, documents revealed the NSA had been using Google’s ad-tracking cookies to follow browsers across the web, effectively coopting ad networks into surveillance networks. A new paper from computer scientists at Princeton breaks down exactly how easy it is, even without the resources and access of the NSA.
Source: How advertising cookies let observers follow you across the web
The two associations representing police chiefs in B.C. should be subject to freedom of information laws, according to B.C. Privacy and Information Commissioner Elizabeth Denham.
After years spent covering the issue, journalist Rob Wipond is finally getting some transparency into how police chief organizations operate in BC!
The border agency says that in 2012, only 25 of its 19,000 requests were refused by the telecoms, and only 13 customers were notified that the government had sought their records. Aspects of the handovers seem to happen automatically – with the telecoms typically charging only $1 to $3 for a “BSI” request and the answers usually coming back within three business days.
Every other federal investigative agency says it cannot or will not publicly provide such precise details of their relationships with the telecoms.
…
In this context, the CBSA disclosure is important and unprecedented, say digital privacy experts, who argue that the agency’s numbers suggest many more exchanges are occurring between the telecoms and other government agencies as well.
“It makes me wonder what other structures and costs are in place,” said Christopher Parsons, a researcher at the University of Toronto’s Citizen Lab. He pointed out that the Mounties and Canada’s intelligence agencies failed to release data.
Though CBSA is being pilloried at the moment for the number of times that it accessed telecommunications data (18,849 times in 2012), the agency should be congratulated for comprehensively responding to MP Borg’s questions. Only the Transportation Safety Board provided a comparable degree of accountability to the Parliamentarian. While I’d like CBSA to go further – we shouldn’t depend on a Parliamentarian’s curiosity to learn about state surveillance practices – the agency has, ultimately, created the model that other federal institutions ought to be forced to follow.
Source: Border agency asked for Canadians’ telecom info 18,849 times in one year