Categories
Links Writing

Marking 70 years of eavesdropping in Canada

Bill Robinson at Open Canada:

Another new factor is the presence of Canadians in CSE’s hunting grounds. CSE was unable to assist during the FLQ crisis in 1970—it had no capability to monitor Canadians. In the post-2001 era, that is no longer true: the Internet traffic of Canadians mixes with that of everybody else, and CSE encounters it even when it is trying not to. When operating under judicial warrants obtained by CSIS or the RCMP, it deliberately goes after Canadian communications. CSE also passes on information about Canadians collected by its Five Eyes partners.

A special watchdog—the CSE Commissioner—was established in 1996 to monitor the legality of CSE’s activities. Over the years, Commissioners have often reported weaknesses in the measures the agency takes to protect Canadian privacy, but only once, last year, has a Commissioner declared CSE in non-compliance with the law.

Whether CSE’s watchdog is an adequate safeguard for the privacy of Canadians is a matter of continuing debate. One thing, however, is clear: As CSE enters its 71st year, the days when its gaze faced exclusively outward are gone for good.

Bill Robinson has done a terrific job providing a historical overview of Canada’s equivalent of the National Security Agency (NSA). His knowledge of the Communications Security Establishment (CSE) is immense.

Canadians now live in a country wherein this secretive institution, the CSE, is capable of massively monitoring our domestic as well as foreign communications. And, in fact, a constitutional challenge is before the courts that is intended to restrain CSE’s domestic surveillance. But before that case is decided, CSE will analyze, share, and act on our domestic communications infrastructure without genuine public accountability. As an intelligence, as opposed to policing, organization, its methods, techniques, and activities are almost entirely hidden from the public and its political representatives, as well as from most of Canada’s legal profession. A democracy can easily wilt when basic freedoms of speech and association are infringed upon and, in the case of CSE, such freedoms might be impacted without the speakers or those engaging with one another online ever realizing that their basic rights were being inhibited. Such possibilities raise existential threats to democratic governance and need to be alleviated as much as possible if our democracy is to be maintained, fostered, and enhanced.


Google rebuilt a core part of Android to kill the Stagefright vulnerability for good

Google rebuilt a core part of Android to kill the Stagefright vulnerability for good:

Android’s security team patched the initial bug within weeks, but it inspired a wave of new attacks on the way Android processes audio and video files. The first copycat bugs were reported just days after the first patch, with more serious exploits arriving months later. The most recent Android patch report, released today, patches three separate vulnerabilities in Android’s media-processing function, including one critical flaw that could be used for remote code execution.

Now, Android is rebuilding that system from the ground up. When Android 7.0 Nougat began rolling out to phones last month, it came with a rebuilt media playback system, specifically designed to protect against the Stagefright family of attacks. In a post today, Android’s security team revealed new details on exactly how Nougat security has changed and what the team learned from last year’s string of bugs.

The vulnerability is more fully and truly patched! Hurray!

A shame that few users will ever receive an update to the new version of Android, let alone the patches in the previous version (version 6) of Android. The best/easiest way for most users to ‘update’ an Android-based mobile phone is to throw their current phone in the trash and buy a new one…and even then, the phone they buy will likely lack recent patches. Heck, they’ll be lucky if it has the most recent operating system!

This stands directly in contrast to iOS. Apple can push out a global patch and there are remarkably high levels of uptake by end-users. Google’s method of working with handset manufacturers and carriers alike puts end-users at greater and greater risk. They’re simply making available dangerous products. They’re behaving worse than Microsoft in the Windows XP days!


BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life

BlackBerry DTEK50 Review: Secure, reasonably priced but light on battery life:

But the software on the DTEK50 is the same as the Priv’s – hardened Android 6.0.1 (Marshmallow), FIPS 140-2 compliant full disk encryption, hardware root of trust, and BlackBerry Integrity Detection that monitors for compromises, with BlackBerry extras like the Hub (a unified inbox for all communications), calendar, contacts, password keeper, device search, launcher, and the DTEK security app for which the phone was named. Once you’ve used the BlackBerry software, most other offerings seem severely wanting. DTEK deserves special mention. It evaluates the device’s security posture, recommends changes, and allows you to see exactly what rights each app is using, and how often. You can also revoke individual privileges for an app if, for example, you see no reason why a flashlight app should have access to your contacts.

On what possible grounds can the reviewer – or the editor, who presumably assigned the title to this article – assert that the new BlackBerry device is ‘secure’? We know that BlackBerry’s consumer-grade options do not encrypt messaging data. We know that other implementations of Android, such as CopperheadOS, actually contribute code to the Android Open Source Project that is meant to reduce vulnerabilities.

We also know that BlackBerry refuses to disclose how often they receive, and respond to, government requests for assistance. And we don’t know which countries BlackBerry provides assistance to, under what specific terms, or the types of data that the company discloses. But all of this speaks to BlackBerry being able to access consumers’ data…which is the definition of a service being insecure insofar as non-authorized actors can read or copy the data in question.

Before journalists or editors make assertions regarding security of mobile devices (or any other product for that matter) they should be obligated to contact experts in the field of mobile security. And preferably they’d actually contact people who actively test the security of mobile devices. Or, you know, at the very least they’d read the news and realize that the security afforded by BlackBerry to its retail customers is more like propaganda than based in reality.


So Hey You Should Stop Using Texts for Two-Factor Authentication

One of the problems with contemporary computer systems is that they rely on login and password information, and both of these kinds of information are routinely either disclosed through data breaches or are configured by users such that it is relatively easy to guess the login and password combination. Two-factor authentication is designed to alleviate these problems by issuing a second code to a user, which they input in order to access the service. This ‘other factor’ is meant to prevent unauthorized third-parties from accessing protected systems (e.g. email, social media accounts).

However, many of these second-factor codes are delivered over text messages. The problem is that there is a litany of ways that texts can be either intercepted or diverted and, thus, reduce the efficacy of the two-factor system. Some companies have moved away, partially, from SMS-based second factors but others such as Twitter have not. The aim of the article is to suggest that it’s important for users to themselves migrate from text-based second factors to a more secure method.

This is entirely accurate…when individuals are being targeted. But when an attacker is unwilling to invest much time or effort — such as running password lists or otherwise just ‘testing’ accounts without seriously attacking them — then even text-based two-factor authentication can suffice. While I agree that ideally individuals will move to a second-factor that isn’t SMS-based there is a significant degree of friction in getting individuals to download new applications and ‘token-based’ modes of authentication can be challenging to deploy because they get lost/damaged/forgotten/etc. In effect: while the call from the author is good I have to ask whether this ‘solution’ is the one that we should be spending years shuffling users towards or if we should instead wait for a superior alternative.


The Fourth Amendment in the Information Age

Litt’s article focuses on finding new ways of conceptualizing privacy such that the current activities of intelligence agencies and law enforcement organizations are made legal, and thus shift the means by which their activities are legally and constitutionally evaluated. While his proposal to overturn much of the third-party doctrine coheres with the positions of many contemporary scholars, his suggested replacement — that we should no longer focus on collecting data, but on use of collected data — would eviscerate basic privacy protections. In particular, I think that it’s important we not just ignore the ‘search’ aspect of Fourth Amendment law: we need to recalibrate what a search is within the context of today’s reality. And that doesn’t mean just letting the government collect with fewer baseline restrictions but instead modifying what a ‘search’ is itself.

The core aspects of the article that give a flavour of the entire argument are:

I suggest that—at least in the context of government acquisition of digital data—we should think about eliminating the separate inquiry into whether there was a “reasonable expectation of privacy” as a gatekeeper for Fourth Amendment analysis. In an era in which huge amounts of data are flowing across the Internet; in which people expose previously unimagined quantities and kinds of information through social media; in which private companies monetize information derived from search requests and GPS location; and in which our cars, dishwashers, and even light bulbs are connected to the Internet, trying to parse out the information in which we do and do not have a reasonable expectation of privacy strikes me as a difficult and sterile task of line-drawing. Rather, we should simply accept that any acquisition of digital information by the Government implicates Fourth Amendment interests.

After all, the concept of a “reasonable expectation of privacy” as a talisman of Fourth Amendment protection is not found in the text of the Fourth Amendment itself, which says merely that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” It was only in 1967, in Katz, that the Supreme Court defined a search as the invasion of a “reasonable expectation of privacy.” Katz revisited Olmstead v. United States after 40 years; the accelerating pace of modern technological change suggests to me that fifty years is not too soon to revisit Katz. My proposal is that the law should focus on determining what is unreasonable rather than on what is a search.

What I have suggested, however, is that—at least in the area of government collection of digital data—we eliminate the preliminary analysis of whether someone has a reasonable expectation of privacy in the data and proceed directly to the issue of whether the collection is reasonable; that the privacy side of that analysis should be focused on concrete rather than theoretical invasions of privacy; and that courts in evaluating reasonableness should look at the entirety of the government’s activity, including the “back end” use, retention restrictions, and the degree of transparency, not just the “front end” activity of collection.


Rape Culture Is Surveillance Culture

Scaachi Koul has written a piece that draws on her own experiences of men attempting to prey on her because she is a woman and while she engages in socially normal behaviour. Men who sought to prey on her were explicit in attempting to determine how they could take advantage, drug, or otherwise use her body without attempting to secure her genuine consent.

Koul’s writing makes clear the very normal, human, experiences of being targeted by men and how the intent of those attackers and potential attackers is normalized in contemporary society. The result is that Koul — and other women just like her — must treat social scenarios as possible environments for attack or abuse. Her lived reality thus turns even seemingly benign situations into ones filled with risk. Koul’s ability to write as clearly and powerfully as she does should make clear to anyone who absolves sexual abuse on grounds of drinking that alcohol is not the problem: men who have internalized their own privilege and power and treat women as objects around them to be used are the problem.


The Top-Secret Cold War Plan to Keep Soviet Hands Off Middle Eastern Oil

This article discusses how, following the Second World War and the advent of the Cold War, the United States and British governments worked with oil companies to plan ‘denial’ operations should the USSR invade the Middle East. Core to the plan were combined efforts by the CIA and military, along with corporate employees, to strategically blow up parts of the refineries such that the Soviets would be unable to take advantage of the oil reserves and thus empower the West to invade and ideally retake the strategic resource.

The efforts were developed and iterated on for almost a decade, though towards the end the focus shifted from the USSR and towards nationalist governments in the region. Moreover, what started as a denial approach transformed into one where oil production would be maintained: the thirst for oil on the part of the United States and Britain meant that turning off the taps could be a serious blow to their economic and military efforts.

These were contingency operations but they were taken seriously. Explosives were moved and put in place and the British even established plans for nuclear assaults to prevent the fields from falling into non-Western hands. It raises the question of whether similar kinds of activities are planned, today, or whether cooler heads now are responsible for establishing contingency plans when it comes to core resources that contemporary Western economies rely upon. And would nuclear or other explosives be used, now, or is this where we would see a first and genuinely far-reaching aspect of hard ‘cyber’ power?


New York DA Wants Apple, Google to Roll Back Encryption

New York DA Wants Apple, Google to Roll Back Encryption:

[Manhattan District Attorney Cyrus Vance Jr.] said that law enforcement officials did not need an encryption “backdoor,” sidestepping a concern of computer-security experts and device makers alike.

Instead, Vance said, he only wanted the encryption standards rolled back to the point where the companies themselves can decrypt devices, but police cannot. This situation existed until September 2014, when Apple pushed out iOS 8, which Apple itself cannot decrypt.

“Tim Cook was absolutely right when he told his shareholders that the iPhone changed the world,” Vance said. “It’s changed my world. It’s letting criminals conduct their business with the knowledge we can’t listen to them.”

Vance cited a recording of a telephone call made from New York City’s Riker’s Island jail to an outside line. In the call, a defendant in a sex-crimes case tells a friend about the miraculous powers of the new smartphone operating systems.

“Apple and Google came out with these softwares that can no longer be encrypted by the police,” the defendant allegedly said, mixing up encryption with decryption. “If our phones [are] running on iOS 8 software, they can’t open my phone. That might be another gift from God.”

Correct me if I’m wrong but if you’re able to quote the conversation they had about the encryption of the device, then isn’t it the case that law enforcement can, in fact, listen in to at least some of these supposedly sophisticated criminals? Regardless of their adoption of consumer-grade (i.e. incredibly common) tools and security protocols?

But more to the point: it has never been the case that government agencies have been able to compel, or access, all of the information they might find useful in the course of their investigations. That’s normal. Government agencies enjoyed incredible access to persons’ information for the course of a decade or so, as technology companies matured into firms that took the security and privacy of their customers seriously. Asking for the industry to return to a less-mature state is bad for everyone.

Finally: while domestic agencies might be worried about the situations where they cannot access the data at rest on the device, you can be sure that governmental staff who are abroad are very happy that they can use their devices with the knowledge that even foreign state actors will be challenged in accessing the data at rest which is stored on their smartphones. American (and Canadian) law enforcement agencies are understandably pushing for greater access to information but, by the same token, their success would mean that their compatriots in China, Brazil, France, Israel, and other friendly and unfriendly states would be able to lawfully gain entry to foreign agents’ devices. I’m pretty sure that diplomatic staff and military personnel abroad are pleased that such an attack vector has been narrowed by Apple’s actions.


As the Olympics Near, Brazil and Rio Let the Bad Times Roll

We are getting closer and closer to the Summer Olympics and, as they approach, more critical eyes are turned to Rio and the city’s state of preparation. The New York Times, in particular, has done a good job of synthesizing the various concerns and critiques associated with Brazil hosting the games: corruption and a functional coup have absorbed the electorate’s attention, costs are overrunning and major projects may only barely be finished on time, pollution at venues may lead to health issues with athletes, and the general economic and security conditions of the city are poor at best.

There is almost no doubt that Rio would not win the bid were they bidding for the games, today, given the state of things. But I also think that it’s important to remember that almost all countries and host-cities face incredible criticism in the run-up to any games. This was true of Beijing, of Vancouver, and of the various venues which have recently held the World Cup.

What will perhaps be most telling is the impact of the games after everyone has left. Will it be the case that the spending on infrastructure for the games prevents Rio from investing in desperately needed additional kinds of services for those worst off? Or will it be that many of the legacy improvements — such as the alert system that was set up to warn those in favelas of forthcoming major storms that could lead to mudslides — that are less talked about will genuinely improve the status of the most impoverished? And what, if anything, will be the lasting effects of Pacification that has taken place in recent years after the major events are over and the economy continues to contract?


Can @Jack Save Twitter?

A long read by the author of Hatching Twitter: A True Story of Money, Power, Friendship, and Betrayal, which unpacks the return of one of Twitter’s co-founders. It’s an instructive read into the poisonous culture of Twitter and the backbiting that characterizes the company…and seemingly has meant that it’s been unable to really determine what it’s about, for whom, and how it will be profitable to investors. The end is particularly telling, insofar as Twitter is seen as having one last chance — to succeed in ‘live’ events — or else have to potentially sell to a Microsoft or equivalent staid technology company.