Given how many web sites were vulnerable to the Heartbleed bug, Parsons says there is likely to be a great deal of reflection on how it could have been identified sooner. Some cryptographers have estimated it may have existed for years before it was discovered last week.
This past weekend, Bloomberg News published a story alleging the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data.
The NSA denies the charge, but Parsons says it raises serious questions about the Five Eyes, the surveillance partnership between Canada, the U.S., Great Britain, Australia and New Zealand, which collaborates to detect threats such as Heartbleed.
“This is supposed to be the sort of thing that they’re supposed to find and ideally report,” says Parsons.
“I think over the coming months, we need to figure out if they knew and if they didn’t, why didn’t they, because this is what we pay them to do. And if they did know, then why weren’t they protecting us?”
The NYT has an incredibly depressing view of the way that Brasil is moving forward; while much of it is shared by the citizens of that country the article is overly one-sided and generally lacks a comprehensive understanding of why some of the cost overruns and setbacks have happened. We read that environmental protections and efforts to work with aboriginal people’s have led to railroads being delayed: why were there such expectations of a smooth and quick development of such railroads in the first place? Perhaps because the ‘frictions’ of such development (i.e. environment and people living on the land) had been cast aside?
What is largely missing throughout the piece is the context: why were certain projects put forward and then abandoned? In the absence of such context we’re left with the impression that the setbacks are the result of poor management and bureaucracy but is this the case, or simply the projection of American values onto specific South American infrastructure decisions?
If you’re interested in why it’s so hard to patch a huge portion of the Internet in secret, and what forced the (relatively) early public disclosure of Heartbleed, then this is a good article to read.
The internet is currently atwitter with talk about Heartbleed bug, an encryption fault which caused a horrific ripple effect in the OpenSSL system that put your passwords on sites like RedTube, & Yahoo.
Chris Parsons nearly predicted the CRA’s vulnerability just before they decided to shut down their tax websites, while some of his colleagues and followers criticized the Canadian Cyber Incident Response Centre (CCIRC) for not alerting the public sooner, when it was already obvious the CRA was using a vulnerable version of SSL. Chris discussed the potential ramifications of the CRA’s Heartbleed vulnerability with me:
“A significant amount of highly sensitive tax-related personal information is passed through CRA’s online service gateways. A third-party could have, potentially, accessed logins and passwords of Canadians or the private keys of CRA’s services. The former set of information would let that party log into CRA and impersonate the person in question. The latter set of data could let the third-party decrypt previously captured client-server information and, as a result, decode not just passwords and logins but also the tax data that individuals provided to CRA.”
First time that I’ve been quoted (extensively) in Vice!
Source: Heartbleed Ripped a Hole in the Internet | VICE Canada
Categories
Heartbleed Warning
A really good example of how services can, and should, warn users about how to respond to the Heartbleed OpenSSL vulnerability.
Researchers have discovered a serious security flaw known as the “Heartbleed” bug in the software commonly used by thousands of Websites to encrypt and secure sensitive data being transmitted across the Internet
This was an absolute gift to intelligence agencies all over the world. And one that was – and is – being widely exploited in the wild by criminals and other unauthorized third-parties.
Source: Heartbleed bug found in key encryption technology risks exposing private data
Soon, there will be no way to escape the boss’ urgent email, even if you’re on a plane, as Air Canada announces deal to bring Wi-Fi to the skies.
Not only will you not be able to evade your boss but, given that Air Canada has partnered with GoGo, you’ll also be subject to unnecessarily broad state interception technologies. Air Canada: fly for the high prices, stay for the corporate-enabled excessive state surveillance!
Canadian spy agency head John Forster fielded questions from MPs, and says organization’s focus is foreign intelligence collection, not domestic
Takeaway from the article? CSEC boss “can’t really disclose” what kinds of access it could have to data flowing through Bell, Rogers and Telus.
Back in December, documents revealed the NSA had been using Google’s ad-tracking cookies to follow browsers across the web, effectively coopting ad networks into surveillance networks. A new paper from computer scientists at Princeton breaks down exactly how easy it is, even without the resources and access of the NSA.
Source: How advertising cookies let observers follow you across the web
The two associations representing police chiefs in B.C. should be subject to freedom of information laws, according to B.C. Privacy and Information Commissioner Elizabeth Denham.
After years spent covering the issue, journalist Rob Wipond is finally getting some transparency into how police chief organizations operate in BC!
Excited Pixels 