Categories
Aside Links

The Big Threats to Internet Security

Dan Goodin has a good piece on one of Bruce Schneier’s recent talks. From the top of the article:

Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They’re also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don’t recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.

The notion that government – largely composed of security novices – large corporations, and a feudal security environment (where we trust Apple, Google, etc. instead of having a generalizable good surveillance footprint) are key threats to security is not terribly new. This said, Bruce (as always) does a terrific job in explaining the issues in technically accurate ways that are simultaneously accessible to the layperson. Read the article; it’s well worth your time and will quickly demonstrate some of the ‘big’ threats to online security, privacy, and liberty.

Categories
Links

Is the spectrum crisis a myth?

Kevin Fitchard has written one of the better (popular) pieces on why we need to get past the spectrum crisis myth. Go read it.

Categories
Links Writing

Want to Claim Congestion? Then Expect Real Audits

Free is a really interesting new mobile carrier in France, which offers a cheap entry rate of service. It seems as though the incumbent they’re partnered with wasn’t expecting Free’s success and so they want to raise rates on the basis of congestion. Specifically,

France Telecom said its network was being stressed by a rapid growth in traffic brought on by its hosting of new mobile entrant Iliad and vowed to protect its clients from service interruptions, its CEO told magazine Le Point…Iliad’s Free Mobile service upended the French telecom market in January when it launched its main offer at 19.99 euros per month for unlimited calls to France and most of Europe and the United States, unlimited texts, and 3 gigabytes of mobile data.

It’s entirely possible that the network is stressed … but it’s equally possible that other issues are leading to stresses that are real or imagined. If incumbents get to call congestion whenever the market turns against them, then they should be subjected to real, honest to god, tests for congestion by engineers who are (at best) neutral. Ideally the engineers should be downright hostile in order to force the incumbent to demonstrate beyond a shadow of a doubt that the network is indeed strained, and that such strains aren’t the result of poor management, investment, or technical configuration.

If it turns out that the incumbent is responsible then they should pay for the audit and be required to meet contractual service demands that were offered to partners and be prohibited from engaging in predatory pricing in the future. Congestion is now a particularly tired big-bad-wolf, and it’s time that ISPs that call wolf are actually forced to demonstrate, in peer-reviewable empirical terms, that the wolf is actually at the doorsteps or ravaging the sheep.

Categories
Links Writing

SSL Skeleton Keys

From the Ars lede:

Critics are calling for the ouster of Trustwave as a trusted issuer of secure sockets layer certificates after it admitted minting a credential it knew would be used by a customer to impersonate websites it didn’t own.

The so-called subordinate root certificate allowed the customer to issue SSL credentials that Internet Explorer and other major browsers would accept as valid for any server on the Internet. The unnamed buyer of this skeleton key used it to perform what amounted to man-in-the-middle attacks that monitored users of its internal network as they accessed SSL-encrypted websites and services. The data-loss-prevention system used a hardware security module to ensure the private key at the heart of the root certificate wasn’t accidentally leaked or retrieved by hackers.

It’s not new that these keys are issued – and, in fact, governments are strongly believed to compel such keys from authorities in their jurisdiction – but the significance of these keys cannot be overstated. SSL is intended to encourage trust: if you see that a site is using SSL then that site is supposed to be ‘safe’. This is the lesson that the Internet industry has been pounding into end-users/consumers for ages. eCommerce largely depends on consumers ‘getting’ this message.

The problem is that the lesson is increasingly untrue.

Given the sale of ‘skeleton key’ certs, the hacking of authorities to generate (illegitimate) certs for major websites (e.g. addons.mozilla.com, hotmail.com, gmail.com, etc), and widespread backend problems with SSL implementation, it is practically impossible to claim that SSL makes things ‘safe’. While SSL isn’t in the domain of security theatre, it can only be seen as marginally increasing protection instead of making individuals, and their online transactions, safe.

This is significant for the end-user/consumer, because they psychologically respond to the difference between ‘safe’ and ‘safer’. Ideally a next-generation, peer-reviewable, and trust-agile system will be formally adopted by the major players in the near future. Only after the existing problems around SSL are worked out – through trust agility, certificate pinning, and so forth – will the user experience be moved back towards the ‘safe’ position in the ‘safe/unsafe’ continuum.
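To make the certificate pinning point concrete, here is an added example (not from the Ars article or any vendor's code) of a client that still performs normal chain validation but then also requires the server's certificate to match a fingerprint it already knows. A certificate minted under a subordinate root passes the first check and fails the second. The two certificate byte strings are constructed stand-ins, and the function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """The chain validated, but the certificate is not one we pinned."""


def normalize(fp):
    # Accept "AB:CD:..." as copied from a browser's certificate viewer.
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint(der_cert):
    # SHA-256 over the DER-encoded certificate, lowercase hex.
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    # `pins` holds the current fingerprint plus any backup for rotation.
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, normalize(p)) for p in pins)


def connect_pinned(host, pins, port=443, timeout=5.0):
    # Step 1: ordinary CA chain and hostname validation. On its own this
    # accepts any certificate issued under any trusted (sub)root.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Step 2: the pin. Refuse a valid-looking but unexpected cert.
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise PinMismatch(
                    f"{host}: unexpected certificate {fingerprint(der)}")
            return tls.version()


# Constructed stand-ins for DER bytes (not real certificates).
SITE_CERT = b"constructed: the certificate the site operator deployed"
MINTED_CERT = b"constructed: same hostname, issued under a subordinate root"
PINS = {fingerprint(SITE_CERT).upper()}
```

Pinning the leaf certificate means the pin set has to be updated whenever the site renews its certificate, which is why `pins` takes more than one value.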

Categories
Links

Wind on a Leaf: Dear startups and other relevant parties: It’s 2012. It is no longer ok to

chartier:

  • Not offer a way to download our data in some sort of a standard, transparent, and at least somewhat human-siftable format
  • Hide or otherwise be opaque about precisely what personal data you smuggle out of our devices
  • Not offer a one-to-two-click process for deleting our accounts
  • Fail to actually remove our data from your servers after we delete our accounts (while complying with applicable regional laws governing data retention)
  • Believe that taking VC and selling your customers’ private information is the only way to get a company off the ground, let alone run a successful business
  • Not use SSL for passing even the slightest bit of private information

Did I miss anything?

One thing: use rhetoric and spin to try and convince users that rabidly anti-consumer practices (such as those noted above) are good for society and that this kind of ‘radical transparency’ (i.e. screwing the customer for the benefit of the bottom line) is somehow going to make the world a better and happier place.

Categories
Links

Skype, the FBI, and MegaUpload

In the aftermath of the MegaUpload seizures we’ll hopefully learn more about how the FBI gained access to Skype transcripts. As reported by CNet:

The FBI cites alleged conversations between DotCom and his top lieutenants, including e-mail and Skype instant-messaging logs. Some of the records go back nearly five years, to MegaUpload’s earliest days as a cyberlocker service–even though Skype says “IM history messages will be stored for a maximum of 30 days” and the criminal investigation didn’t begin until a few months ago.

Sources told CNET yesterday that Skype, the Internet phone service now owned by Microsoft, was not asked by the feds to turn over information and was not served with legal process.

The U.S. Department of Justice told CNET that it obtained a judge’s approval before securing the correspondence, which wouldn’t have been necessary in the case of an informant. “Electronic evidence was obtained through search warrants, which are reviewed and approved by a U.S. court,” a spokesman for the U.S. Attorney for the Eastern District of Virginia said.

Skype saves chat records with contacts in a directory on the local hard drive, which could be accessed by FBI-planted spyware.

While it wouldn’t necessarily be surprising if spyware was used, it would be interesting to see more details of this come to public light. Moreover, was the spyware/electronic access authorization acquired in the US and then the malware implanted on computers in foreign jurisdictions, or did it target local (American) computers? If it was implanted on foreign computers, were local authorities aware of what was going on and did they have to give their approval?

Categories
Links Writing

It’s Time to Stop Buying the Capacity Crisis Myth

From DSL Reports,

As usual though, actually bothering to listen to and look at the data tells a different story. Nobody argues that spectrum is infinite, but buried below industry histrionics is data noting that there really isn’t a spectrum crisis as much as a bunch of lazy and gigantic spectrum squatters, hoarding public-owned assets to limit competition, while skimping on network investment to appease short-sighted investors. Insiders at the FCC quietly lamented that the very idea of a spectrum crisis was manufactured for the convenience of government and industry.

Burstein correctly reminds us that there’s nothing to fear, and with modern technology like LTE Advanced and more-than adequate resources, any wireless company struggling to keep pace with demand is either incompetent or cutting corners (or both). The idea that our modern networks face rotating oblivion scenarios lest we not rush to do “X” is the fear mongering of lobbyists, politicians, and salesmen. All of them use fear by trade, but the key failure point when it comes to capacity hysteria seems to continually be the press, which likes to unskeptically repeat whatever hysterical scenario gets shoveled their direction each month.

I think that this really strikes to the heart of things: while all parties recognize the (literally) physical differences between different physical layers that are used to deliver broadband services, hysterics (on both sides) have stifled rational discussion. We really need to have the engineers come forward to talk about things in a manner that lets them evade corporate ‘loyalties’. Moreover, we need to acknowledge that spectral bandwidth is one component of data transmission, not the entirety of it. New codecs, new compression algorithms, and new efficiency protocols can all enable much higher bandwidth volumes and throughput while using identical amounts of spectrum as older, less effective, means of using spectral resources. We need to holistically look at these resources, and get away from as much FUD as we can.

Categories
Writing

Browsing on Your Mobile Should Not Disclose Your Phone Number

In the past day or three, it’s come to light that O2 – a major mobile phone provider in the UK – made the very serious error of disclosing its users’ phone numbers in HTTP headers (i.e. the headers that are part of every single communication with a website). The researcher who discovered this – Lewis Peckover – has made available a site that will check whether your phone is disclosing its phone number when visiting websites. You don’t need to be an O2 customer to double check that your mobile provider is doing things (im)properly.

This significant release of information occurred because:

“Technical changes we [O2] implemented as part of routine maintenance had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site,” the company wrote.

However, the company added that it had previously disclosed this information, but only when “absolutely required by trusted partners”.

“When you browse from an O2 mobile, we add the user’s mobile number to this technical information, but only with certain trusted partners.”

The company said this was needed to manage “age verification, premium content billing, such as for downloads, and O2’s own services”.

However, the technical glitch meant the sharing went further, it said: “In addition to the usual trusted partners, there has been the potential for disclosure of customers’ mobile phone numbers to further website owners.”

In light of this ‘glitch’ I would hope that a more secure way of confirming age/purchasing credentials is rapidly rolled out. Significantly, not only did every website visited have access to mobile phone numbers, but every advertising server potentially had access to this information as well. This would include Google, Quantcast, and so forth.

It will be incredibly curious to see how the ICO treats this data leak. I think that core failures like the O2 phone leak demonstrate just how linked many of our communications systems and identifiers are, and speak volumes to the need for significantly better evaluation of network upgrades before they are rolled out to live environments.
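As an added example (not Lewis Peckover's checker and not O2's code), this is the kind of check a site operator can run on incoming requests to spot subscriber numbers injected by a carrier gateway and strip them before they reach logs or third-party ad and analytics calls. The header-name fragments are an assumed list of names carrier gateways have used, since the post does not name the header; `X-Gateway-Sub` is a hypothetical header, and the phone number is a constructed value from the UK range reserved for fiction.

```python
import re

# Assumed name fragments seen in carrier-gateway headers that carry a
# subscriber number (e.g. x-up-calling-line-id, x-msisdn, x-up-subno).
NAME_HINTS = ("msisdn", "calling-line-id", "subno")

# A bare E.164-style number: optional "+", then 10 to 15 digits.
# Long numeric IDs or timestamps can also match; review "value" hits.
NUMBER_LIKE = re.compile(r"^\+?\d{10,15}$")


def find_subscriber_headers(headers):
    """Return (header name, reason) for headers that look like they
    disclose the visitor's phone number."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if any(hint in lname for hint in NAME_HINTS):
            findings.append((name, "name"))
        elif NUMBER_LIKE.match(value.strip().replace(" ", "")):
            findings.append((name, "value"))
    return findings


def scrub(headers):
    """Copy of the headers with flagged entries removed, for logging or
    for forwarding to third-party services."""
    flagged = {name for name, _ in find_subscriber_headers(headers)}
    return {n: v for n, v in headers.items() if n not in flagged}


# Constructed request headers as a site might receive them.
SAMPLE_REQUEST = {
    "Host": "example.org",
    "User-Agent": "Mozilla/5.0 (Linux; U; Android 2.3.4)",
    "Accept": "text/html",
    "Content-Length": "0",
    "x-up-calling-line-id": "447700900123",  # flagged by header name
    "X-Gateway-Sub": "+44 7700 900123",      # hypothetical; flagged by value
}
```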

Categories
Links

Iran clamps down on internet use

From the Guardian a while back, we learn:

Iran is clamping down heavily on web users before parliamentary elections in March with draconian rules on cybercafes and preparations to launch a national internet.

Tests for a countrywide network aimed at substituting services run through the world wide web have been carried out by Iran’s ministry of information and communication technology, according to a newspaper report. The move has prompted fears among its online community that Iran intends to withdraw from the global internet.

The police this week imposed tighter regulations on internet cafes. Cafe owners have been given a two-week ultimatum to adopt rules requiring them to check the identity cards of their customers before providing services.

Since the Green Revolution the Iranian government has massively committed resources to identifying and undermining Iranian citizens’ ability to communicate with one another using electronic systems. From their integration of deep packet inspection into their main ISP networks – and configuring them to identify and stop some kinds of encrypted traffic – to the creation of cyber-police, and now attempts to physically identify those who use public computers, it is getting harder and more dangerous for Iranians to communicate with one another over the Internet.

 


Categories
Links

An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government

You should go read Chris’ paper, available at SSRN. Abstract below:

Today, when consumers evaluate potential telecommunications, Internet service or application providers – they are likely to consider several differentiating factors: The cost of service, the features offered as well as the providers’ reputation for network quality and customer service. The firms’ divergent approaches to privacy, and in particular, their policies regarding law enforcement and intelligence agencies’ access to their customers’ private data are not considered by consumers during the purchasing process – perhaps because it is practically impossible for anyone to discover this information.

A naïve reader might simply assume that the law gives companies very little wiggle room – when they are required to provide data, they must do so. This is true. However, companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the exigent circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests. As such, there are substantial differences in the privacy practices of the major players in the telecommunications and Internet applications market: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide government agencies access to user data – one carrier even argued in court that its 1st amendment free speech rights guarantee it the right to do so, while other companies refuse to voluntarily disclose data without a court order; some companies charge government agencies when they request user data, while others disclose it for free. As such, a consumer’s decision to use a particular carrier or provider can significantly impact their privacy, and in some cases, their freedom.

Many companies profess their commitment to protecting their customers’ privacy, with some even arguing that they compete on their respective privacy practices. However, none seem to be willing to disclose, let alone compete on the extent to which they assist or resist government agencies’ surveillance activities. Because information about each firm’s practices is not publicly known, consumers cannot vote with their dollars, and pick service providers that best protect their privacy.

In this article, I focus on this lack of information and on the policy changes necessary to create market pressure for companies to put their customers’ privacy first. I outline the numerous ways in which companies currently assist the government, often going out of their way to provide easy access to their customers’ private communications and documents. I also highlight several ways in which some companies have opted to protect user privacy, and the specific product design decisions that firms can make that either protect their customers’ private data by default, or make it trivial for the government to engage in large scale surveillance. Finally, I make specific policy recommendations that, if implemented, will lead to the public disclosure of these privacy differences between companies, and hopefully, create further market incentives for firms to embrace privacy by design.