Tag: Security

Categories
Quotations

2014.2.26

The NSA can’t break Tor and it [ticks] them off. Most crypto drives the NSA batty,” [Bruce Schneier] said. “Encryption works and it works at scale. The NSA may have a large budget than all of the other intelligence agencies combined, but they are not made of magic. Our goal should be to make eavesdropping more expensive. We should have the goal of limiting bulk collection and forcing targeted collection.

Bruce Schneier, quoted in Dennis Fisher, “The NSA is ‘not made of magic’
Categories
Aside

Tumblr and Security PR

staff:

You can now take extra precaution against hackers and snoops by enabling SSL security on your Tumblr Dashboard. Just head over to your Account Settings and flip the switch.

“Any reason I shouldn’t do this?” Nope, not really. It doesn’t change anything about the dashboard, it just encrypts your connection to it. We’ve been using it for weeks and haven’t even noticed. So, yeah, turn it on and forget about it. Easy.

That this isn’t enabled by default shows that Tumblr is interested in the PR of offering security rather than giving enough of a damn to automatically enable SSL across the entire user-space.

Categories
Links

Experts weigh in on the state of Canada’s spying rules

On Tuesday, Interim Privacy Commissioner Chantal Bernier called for more surveillance disclosure and a rewrite of Canada™’s privacy laws

Christopher Parsons, a postdoctoral fellow at the Munk School of Global Affairs’ Citizen Lab, who studies state access to telecommunications data.Some of the recommendations in the report are similar to those made before – including a call for broader powers and more robust laws to allow watchdogs to do their job.

“Many of these suggestions the privacy commissioner has put forward are indicative of that office not being able to play its role. It doesn’t have the required powers to understand what’s going on in order to a) make things right or b) blow the whistle,” he said, later adding: “Should Canadians be concerned? Yeah. What the Commissioner’s office is saying is we do a good job, we do the best we can within our mandate, but our mandate is to narrow.”

Hopefully the Commissioner’s recommendations are implemented by the federal government given how pressing national security and signals intelligence issues have become.

Source: Experts weigh in on the state of Canada’s spying rules

Categories
Writing

Cyberstalking, Victimization, and the Experience of Fear

Ars Technica has a good piece on how cyberstalkers and bullies operate, with reporting based on studies (circa 2006, admittedly) and some anecdotal evidence. In effect, the mechanisms to stalk and bully online are often easy to use, reasonably accessible, and capable of significant intrusion into people’s lives. However, what struck me most poignantly was the concluding section of the article:

In this particular case, going to law enforcement wasn’t going to be much of an option. The woman said she had gotten rid of the BlackBerry, so there was no way to perform forensics on it to gather evidence. The same was true of her father’s computer, which the technician had wiped clean.

That’s a common problem in dealing with these sorts of cases, Southworth said. “Some victims just want their device clean and just want the stalking to stop. But if you clean off the device, you’re destroying the evidence.” And for victims who are trying to deal with an abusive relationship, trying to do anything to remove malware from a phone or computer could put the victim in danger. “Even looking for the spyware can raise the risk,” Southworth said, because the software could alert the attacker of the attempt and trigger violence.

And even when software is removed, the persistence of such stalkers usually means that they won’t stop their behavior—they’ll just take different approaches. That, paradoxically, is an upside for law enforcement, Southworth said. “They don’t stop, so if she wants law enforcement to get involved,” she said referring to the victim, “there’s likely another form of stalking going on for them to catch him with.”

People who haven’t experienced stalking, or the fear of stalking, may not appreciate the emotional desire to just make it stop. Such desires are often based on an attempt to feel ‘safe’ again, often when doing simple things like buying groceries, waiting for a bus, or just going home. As such, wanting to remove the suspicious tracking systems – instead of leaving them there, and maintaining the fear, in the hopes of a criminal arrest – will often take priority over ‘catching’ the perpetrator. But, at the same time, there is often a fear that the very act of ‘making the surveillance stop’ could lead to physical consequences. It’s a lose-lose experience, where any decision merely modifies the ‘kind’ of fear instead of terminating the experience of fear itself.

Moreover, removing suspected surveillance-ware may not alleviate the fear of being monitored: most technical systems (effectively) operate like magic for the majority of the computer-using population. How the surveillance-ware was even installed, or if it was all purged, or if it could infect a person’s computer systems again, will often pervade how a person uses computers. In light of specific concerns (surveillance) that are imprecisely directed (i.e. is my phone, my computer, or other device infected and, if so, would I even know?) a person may simply avoid some actions or actively engage in deceptions to ‘throw off’ someone who might be watching.

In effect, concerns of possible but undetected surveillance are often accompanied by heightened privacy and security efforts. These efforts might be more or less effective (or even needed!), and taking such efforts will almost certainly diminish a person’s ‘normal’ uses of services (e.g. Facebook) that their (not-stalked/bullied) friends and colleagues get to enjoy. Moreover, the experience of having to use such privacy and security techniques is representative of the scarring left by online stalking and bullying: ‘normality’ becomes defined as a defensive posture online based on (often) physical fears. No one’s ‘normal’ should be predominantly defined by fear.

It’s this broader emotional fear that is challenging to address, both in terms of law (i.e. getting the data needed to pursue a meaningful conviction or punishment) and personal mental health (i.e. learning to ‘trust’ systems that aren’t really understood and that have previously compromised a person’s life possibilities).

In Canada, the federal government has recently introduced legislation ostensibly meant to crack down on cyberbullying linked to the unauthorized sharing of a person’s intimate images. While criminalizing the sharing of such images may be a helpful addition to the Criminal Code for certain kinds of cases, doing so doesn’t address the broader challenges linked to cyberstalking and cyberbullying. Addressing these challenges requires something else – though I don’t know what – that meaningfully responds to the societal issues associated with online stalking and bullying in a more holistic manner, a manner that frees people from the persistent fear of being a victim despite going to either law enforcement or removing the stalking-ware.

Categories
Writing

We Need Clarity on ‘National Security’ Rules for Telecommunications

The story of Blackberry has gripped many technology watchers, watchers who are bearing witness to the trials and tributations of the company as it struggles to compete in the increasingly populated smartphone market. To some, it seemed that one way ‘out’ for Blackberry was for the company to be purchased by another firm looking to aggressively enter this market. Based on recent reporting by the Globe and Mail, however, it looks like any hopes that Blackberry might be purchased could be scuttled for ‘national security’ reasons.

Specifically, Steven Chase and Boyd Erman write that,

Ottawa made it clear in high-level discussions with BlackBerry that it would not approve a Chinese company buying a company deeply tied into Canada’s telecom infrastructure, sources said. The government made its position known over the last one to two months. Because Ottawa made it clear such a transaction would not fly, it never formally received a proposal from BlackBerry that envisioned Lenovo acquiring a stake, sources said.

on Monday the Canadian official took pains to emphasize that concerns about BlackBerry are not part of a trend to shut out Chinese investment. “This is a company that has built its reputation and built its success on system security and its infrastructure. That’s one of the reasons businesses use BlackBerries. … The security is robust and we’d obviously have an interest in making sure we didn’t do anything or allow anything that would compromise Last fall, citing a rarely used national-security protocol, Ottawa has sent a signal to Chinese telecom equipment giant Huawei Technologies that it would block the firm from bidding to build the Canadian government’s latest telecommunications and e-mail network. Huawei, founded by a former People’s Liberation Army member, has on numerous occasions found itself having to reject claims its equipment could be used to enable spying.

In October. 2012, a senior spokesman for Prime Minister Stephen Harper publicly hinted Huawei would be left out the cold. “I’ll leave it to you if you think that Huawei should be a part of [the] Canadian government security system,” Mr. MacDougall said.

I’m particularly mindful of the possible security issues that may be linked to letting foreign-located businesses playing significant roles in Canadian telecommunications networks. But, at the same time, the present Canadian government seems to be applying ‘national security considerations’ in a manner that prevents market analysts and watchers from clearly assessing when such considerations might be applied.

Without clear criteria, what are the conditions under which a non-Canadian company could purchase Blackberry? Could a well-financed American company buy it, based on what we’ve learned about NSA surveillance? Could a company that was known to comply with foreign governments’ lawful interception requirements buy Blackberry, given that such requirements could have a global reach? Could Blackberry be purchased by companies that operate in countries that, if their governments had access to Blackberry communications, could gain an edge in international diplomatic engagements with Canada or its closest international partners?

I don’t dispute that national security may sometimes demand terminating business deals that would violate the national interest. However, given that incredibly large investments are being killed by the federal government of Canada it is imperative that the government make clear what ‘national security’ interests are at play, and the security models that motivate terminating such deals. To date, neither the interests nor models are particularly clear. As a result, analysts are forced to read the outcome of federal decisions without the benefit of understanding the full rationale of what went into them in the first place. The result has been to make it incredibly uncertain whether foreign businesses will be legally permitted to engage in market operations with Canadian companies.

Canadians are all to aware that the current federal government has failed on its promise to provide a digital strategy for the Canadian marketplace. In the absence of such a strategy, perhaps the federal government could at least provide its rules for determining when a business proposal runs counter to national security?

Categories
Links

iCloud Keychain isn’t the same as Lightroom!

Jon Brodkin, writing for Ars Technica:

Unfortunately, it’s kind of a mess. iCloud Keychain does accomplish the most basic things you’d expect a password manager to do, but it often does so in an awkward manner. Important functionality is hard enough to find that it may be effectively hidden from the average user, particularly on iPhones and iPads.

Ultimately, iCloud Keychain can be put to good use if you’ve carefully examined what it does well and doesn’t do well. It works best as a complement to a complete service like 1Password or LastPass, but it just isn’t convenient and robust enough to act as a standalone password manager.

I think it’s a bit harsh to call it a “mess”, but Brodkin provides a good overview of what iCloud Keychain does. Complaining that it’s not as full-featured as 1Password is like complaining that iPhoto doesn’t do everything Lightroom or Aperture do.

Comparing iCloud Keychain and Lightroom is a bit odd. One helps to manage the security of one’s online life and is meant to resolve a security problem for anyone who uses the Web. Lightroom is a specialist product that caters to experts in a particular field. The two products may have an overlapping user base (i.e. individuals who want secured usernames and passwords) but otherwise bear little resemblance to one another.

Categories
Links Quotations

There are two types of laws in the U.S., each designed to constrain a different type of power: constitutional law, which places limitations on government, and regulatory law, which constrains corporations. Historically, these two areas have largely remained separate, but today each group has learned how to use the other’s laws to bypass their own restrictions. The government uses corporations to get around its limits, and corporations use the government to get around their limits.

This partnership manifests itself in various ways. The government uses corporations to circumvent its prohibitions against eavesdropping domestically on its citizens. Corporations rely on the government to ensure that they have unfettered use of the data they collect.

Here’s an example: It would be reasonable for our government to debate the circumstances under which corporations can collect and use our data, and to provide for protections against misuse. But if the government is using that very data for its own surveillance purposes, it has an incentive to oppose any laws to limit data collection. And because corporations see no need to give consumers any choice in this matter – because it would only reduce their profits – the market isn’t going to protect consumers, either.

Schneier’s article, “The Public/Private Surveillance Partnership,” does a terrific job in striking to the heart of the ‘arrangements’ between our corporate partners and America’s governing bodies.
Categories
Writing

The Painful Process of Updating Android

Android fragmentation is a very real problem; not only does it hinder software developers’ abilities to build and sell apps but, also, raises security issues. In a recent report from Open Signal, we learn that 34.1% of Android users are using the 2.3.3–2.3.7 version of Android, whereas just 37.9% of users using 4.x versions of the operating system, most of whom are themselves using a years-old version of Android. In effect, an incredibly large number of Android users are using very outdated versions of their mobile phone’s operating systems.

It’s easy to blame this versioning problem on the carriers. It’s even easier to blame the issue on the manufacturers. And both parties deserve blame. But perhaps not just for the reasons that they’re (rightly!) often crucified for: I want to suggest that the prevalence of 2.3.x devices in consumers’ hands might have as much to do with consumers not knowing how to update their devices, as it does with updates simply not being provided by carriers and manufacturers in the first place.

Earlier this month I spent some time with ‘normal’ gadget users: my family. One family member had a Samsung Galaxy S2…which was still using version 2.x of the Android operating system. Since February 2013, an operating system update has been available for the phone that would bring it up to Android version 4.1.2, but my family member neither knew or cared that it was available.

They didn’t know about the update because they had received no explicit notice that an update was available, or at least didn’t recall being notified. To be clear, they hadn’t updated the phone even once since purchasing the device about two years ago, and there have been a series of updates to the operating system since purchase time.

The family member also didn’t care about there being an update, because they only used the phone for basic functions (e.g. texting, voice calls, the odd game, social networking). They’re not a gadget monkey and so didn’t know about any of the new functions incorporated into the updated Android operating system. And, while they appreciate some of the new functionality (e.g. Google Now) they wouldn’t have updated the device unless I had been there.

A key reason for having not updated their phone was the absolute non-clarity in how they were supposed to engage in this task: special software had to be downloaded from Samsung to be installed on their computer,[1] and then wouldn’t run because the phone’s battery had possess at least a 50% charge,[2] and then it took about 3 hours because the phone couldn’t be updated to the most recent version of Android in one fell swoop. Oh, and there were a series of times when it wasn’t clear that the phone was even updating because the update notices were so challenging to understand that they could have been written in cipher-text.

Regardless of whether it was Rogers’, Samsung’s, Google’s, or the tooth fairy’s fault, it was incredibly painful to update the Android device. Painful to the point that there’s no reason why most people would know about the update process, and little reason for non-devoted Android users to bother with the hassle of updating if they knew what a pain in the ass it was going to be.

The current state of the Android OS ecosystem is depressing from a security perspective. But in addition to manufacturers and carriers often simply not providing updates, there is a further problem that Android’s OS update mechanisms are incredibly painful to use. Only after the significant security SNAFUs of Windows XP did Microsoft really begin to care about desktop OS security, and Google presently has a decent update mechanism for their own line of Nexus devices. What, exactly, is it going to take for mobile phone manufacturers (e.g. Samsung, HTC) and mobile phone carriers (e.g. Rogers, TELUS) to get their acts together and aggressively start pushing out updates to their subscribers? When are these parties going to ‘get’ that they have a long-term duties and commitments to protect their subscribers and consumers?[3]

  1. In theory there is an over the air update system that should have facilitated a system update in a relatively painless way. Unfortunately, that system didn’t work at all and so Samsung’s software had to be used to receive the updates.  ↩
  2. Really, this made no sense. To update the device it had to be plugged into a computer; why, then, did the phone (which was charging because it was plugged into the computer) need to have a 50%+ charge?  ↩
  3. I actually have a few ideas on this that will, hopefully, start coming to fruition in the coming months, but I’m open to suggestions from the community.  ↩
Categories
Links Writing

Another ‘Victory’ for the Internet of Things

Researchers have found, once again, that sensitive systems have been placed on the Internet without even the most basic of security precautions. The result?

Analyzing a database of a year’s worth of Internet scan results [H.D. Moore]’s assembled known as Critical.io, as well as other data from the 2012 Internet Census, Moore discovered that thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic “log-off” functionality, leaving them pre-authenticated and ready to access. Although he was careful not to actually tamper with any of the systems he connected to, Moore says he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies’ gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.

Needless to say, Moore’s findings are telling insofar as they reveal that engineers responsible for maintaining our infrastructures are often unable to secure those infrastructures from third-parties. Fortunately, it doesn’t appear that a hostile third-party has significantly taken advantage of poorly-secured and Internet-connected equipment, but it’s really only a matter until someone does attack this infrastructure to advance their own interests, or simply to reap the lulz.

Findings like Moore’s are only going to be more commonly produced as more and more systems are integrated with the Internet as part of the ‘Internet of Things’. It remains to be seen whether vulnerabilities will routinely be promptly resolved, especially with legacy equipment that enjoys significant sunk costs and limited capital for ongoing maintenance. Given the cascading nature of failures in an interconnected and digitized world, failing to secure our infrastructure means that along with natural disasters we may get to ‘enjoy’ cyber disasters that are both harder to positively identify or subsequently remedy when/if appropriately identified.

Categories
Aside

WiFi “Security”

This really isn’t the warning you want to get when signing into a wifi-portal.