Turning security flaws into cyberweapons endangers Canadians, experts warn

Turning security flaws into cyberweapons endangers Canadians, experts warn:

“The Snowden docs demonstrate that CSE is active in identifying vulnerabilities,” Christopher Parsons, a post-doctoral fellow at Citizen Lab, told CBC.

“The fact that CSE identifies vulnerabilities and is not reporting them means users are not receiving patches in order to secure their networks.”

Parsons said this “creates a really dangerous scenario.”

“Canadians need to have a discussion about this. Do we want to live in a world in which we’re protecting our own citizens? Or should the priority of Canadian government organizations [like CSE] be first and foremost hacking foreign systems?”

Canadian politicians, judges, journalists and business leaders use smartphones vulnerable to the flaws now fixed by Apple — and to flaws still unknown. The country’s infrastructure is increasingly networked and vulnerable to sabotage by a foreign intelligence agency.

In such a world, Parsons wondered, does national security mean using security flaws against potential enemies? Or disclosing and fixing them?

“We haven’t had that debate in this country,” he said.

It’s increasingly looking like we are going to have the debate concerning whether the Canadian government should be stockpiling vulnerabilities or actively working to close identified vulnerabilities. Let’s hope that the debate tilts in favour of protecting the citizenry instead of leaving it vulnerable to domestic and foreign attackers.

New Additions to the Canadian SIGINT Summaries

I’ve added three new items to the Canadian SIGINT Summaries. The Summaries include downloadable copies of leaked Communications Security Establishment (CSE) documents, along with summary, publication, and original source information. CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), the Australian Signals Directorate (ASD), and the Government Communications Security Bureau (GCSB).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

Uber’s ‘God View’ Was Once Available to Drivers

Uber’s ‘God View’ Was Once Available to Drivers:

I reached out to Chris Parsons, a cybersurveillance researcher at the University of Toronto’s Citizen Lab, to discuss Uber’s God View and the ramifications for users.

“Uber understandably has infrastructure in place to monitor where its drivers are and a business case can be made for some degree of monitoring of how, and how often, their clients use the service,” he said. “However, such data must be carefully controlled with strict security, privacy, and access safeguards. At this point it doesn’t appear that such have been stringently developed or applied.”

“We know that national security and intelligence agencies are deeply interested in where people travel to, and in understanding the movement patterns of individuals regardless of their being identified as ‘targets’ of government surveillance,” Parsons continued. “And Uber’s seeming failure to secure its data—to the point where developers have already found ways of querying the data by reverse-engineering Uber’s mobile client software—would suggest that an intelligence or security service that was sufficiently motivated could do the same.”

“There’s no evidence that such a security or intelligence service has ‘cracked’ Uber but past Snowden revelations have revealed that the NSA and its partners are voracious collectors of all kinds of tracking data,” Parsons concluded. “There’s no reason why these agencies wouldn’t be as interested in Uber’s data as other services’ data that could identify where, and how often, people travel around their cities and around the world.”

German spy agency seeks millions to monitor social networks outside Germany

The BND also wants to spend €4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent on the black market to buy zero day exploits, unpublicized vulnerabilities that can be exploited by hackers. That program, called “Nitidezza”, should also provide better protection for government networks, German weekly Der Spiegel said in a separate report on BND’s budget requests.

Moreover, a plan to monitor Internet exchanges outside Germany is also in the works. Next year, the agency wants to spend €4.5 million on a program called “Swop” to provide additional hidden access to a non-German exchange, the newspaper report said.

Because the solution to the ‘cybersecurity problem’ is to undermine the capacity for secure communications rather than working to strengthen what we have…

A Crisis of Accountability — The Canadian Situation

A Crisis of Accountability — The Canadian Situation:

The significance of Edward Snowden’s disclosures is an oft-debated point; how important is the information that he released? And, equally important, what have been the implications of his revelations? Simon Davies, in association with the Institute of Information Law of the University of Amsterdam and Law, Science, Technology & Social Studies at the Vrije Universiteit of Brussels, has collaborated with international experts to respond to the second question in a report titled A Crisis of Accountability: A global analysis of the impact of the Snowden revelations.

You can read about the state of Canada, as well as the rest of the report, over at Technology, Thoughts, and Trinkets.

2014.4.19

the [Australian Security Intelligence Organization] ASIO said that Snowden’s leaks will make it more difficult for the organization to collect meaningful data about a person, so the organization should be given more leeway to perform its surveillance duties. In its proposal, the ASIO asserted that certain technological advances are detrimental to its spying on bad actors (a refrain that is not often heard, as it’s generally accepted that technology is making it easier to spy on citizens).

Smaller state police organizations joined the ASIO in asking that telecom companies be obligated to retain customers’ metadata for a substantial period of time. (The ASIO cited as a preferred model President Obama’s proposal earlier this year to compel telecom companies to keep customer data rather than having the NSA siphon that data into its own repositories.) But police organizations like the Northern Territory Police and the Victoria Police also went further in requesting that the Australian government require companies to keep IP addresses and Web browsing history as part of its metadata collection.

The Northern Territory Police, for example, argued for a two-year retention of Web browsing history. The Sydney Morning Herald reports that the police thought “a shift away from traditional telephony services to Facebook, Twitter, Google Plus, and others meant that data may be included in browser histories and was ‘as important to capture as telephone records.’”

Megan Geuss, “After Snowden, Australia’s cops worry about people using crypto”

So, given that Australians are decreasing their trust in their government based on what they’re learning their intelligence services are presently doing, the same services argue that they should have even more access to Australians’ private communications? Because more data retention combined with shadowy access to telecommunications data will improve trust in government and, as a result, strengthen the democratic spirit of the Australian people, right?

Experts weigh in on the state of Canada’s spying rules

Hopefully the Commissioner’s recommendations are implemented by the federal government given how pressing national security and signals intelligence issues have become.

Source: Experts weigh in on the state of Canada’s spying rules

Spy Agency Spies “Incidentally”

mebuell:

Meme: Spy agency admits it spies on citizens “incidentally”

And don’t worry about those incidents because they’re all dealt with in ‘privacy protective’ ways. (And just trust CSEC on the latter, even though CSEC redacts its privacy protective practices for when incidentally collecting Canadians’ information.)

How Not To Defend Your Signals Intelligence Agency

Many Canadians, at this point, will have heard that our foreign signals intelligence agency has reportedly been spying in Brazil. Specifically, the Communications Security Establishment Canada (CSEC) has been accused of using “email and phone metadata to map internal communications within Brazil’s Mines and Energy Ministry through a software program called Olympia.” This has created quite a stir and forced the federal government of Canada to defend itself, and CSEC’s actions.

However, at a technology conference the head of CSEC tried to pacify Canadians by stating that there was already appropriate oversight of the agency’s actions. Referring to the independent commissioner overseeing CSEC, John Foster said, the commissioner “and his office have full access to every record, every system and every staff member to ensure that we follow Canadian laws and respect Canadians’ privacy.”

Foster is playing a game with Canadians. And it’s not a very good one. Given that CSEC reputedly engages in more ‘transactions’ each day than all of the banks in Canada combined, given the relative size of the commissioner’s staff (usually a dozen or fewer) compared to CSEC’s staff (roughly 2,000), and given the blurriness of the law guiding CSEC’s actions, I really can’t imagine how Canadians could possibly be reassured by Foster’s statements. No, what is clear is that rather than wanting to have a meaningful discussion – perhaps acknowledging deficiencies in oversight, the need to mediate CSEC’s actions so they align with Canada’s foreign policy positions, or something along those lines – he has simply said that Canadians should be satisfied with how things are today.

If Mr. Foster wants to be taken seriously then perhaps as a first, very small, bit of ‘goodwill’ he will disclose how exactly CSEC respects Canadians’ privacy: information on how this is ensured was redacted in documents from CSEC (see page 23). Providing the plaintext would be one first, good, step towards actually – instead of rhetorically – assuaging concerns Canadians might have over how signals intelligence is conducted in Canada.

2013.8.2

One reason for the “stamp and leak” culture is the institutional failure of the intelligence community to find an effective way of allowing people uncomfortable with certain secrets to protest them without leaking to the public. Channels that allow for proper and credible adjudication are essential. David Grannis, the staff director of the Senate Select Committee on Intelligence, says he is not aware of a single instance where a whistleblower from within the community successfully navigated the complex rules set up by agencies to handle complaints. And simply put, the people who work with secrets have little faith in the inspectors general, no matter how independent they are, and have every reason to believe, because they can read newspapers, that their whistleblowing will end their careers if done internally.

Marc Ambinder and D.B. Grady, Deep State: Inside the Government Secrecy Industry