Surveillance is the business model of the Internet. We build systems that spy on people in exchange for services. Corporations call it marketing.
Bruce Schneier, security technologist, in a presentation at the SOURCE Boston conference.
Via Security Week:
The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech. The Internet and technology have changed the impact a group can have on others, where dissidents can use the Internet to amplify their voices and extend their reach. Governments already have a lot of power to begin with, so when they take advantage of technology, their power is magnified, he said.
“That’s how you get weird situations where Syrian dissidents use Facebook to organize, and the government uses Facebook to arrest its citizens,” Schneier said.
Over the past few years, it’s become easier and cheaper to store data and search for the necessary item rather than to sort and delete. Email is a very good example of this shift in behavior. This change, spurred by the popularity of mobile devices and the push to move more data and services to the cloud, has also made it easier to track user behavior. When corporations track users for marketing purposes, it seems benign, but the same actions come across as sinister when it’s the government…
…The government didn’t tell anyone they have to carry around a tracking device, but people now carry mobile devices. The government doesn’t require users to notify any agency about their relationships. Users will tell Facebook soon enough, Schneier noted. “Fundamentally, we have reached the golden age of surveillance because we are all being surveilled ubiquitously.”
Somewhat related programming note: Read up on Heartbleed, change your passwords everywhere.
The choice is not whether to allow the NSA to spy. The choice is between a communications infrastructure that is vulnerable to attack at its core and one that, by default, is intrinsically secure for its users. Every country, including our own, must give intelligence and law-enforcement authorities the means to pursue terrorists and criminals, but we can do so without fundamentally undermining the security that enables commerce, entertainment, personal communication, and other aspects of 21st-century life. We urge the US government to reject society-wide surveillance and the subversion of security technology, to adopt state-of-the-art, privacy-preserving technology, and to ensure that new policies, guided by enunciated principles, support human rights, trustworthy commerce, and technical innovation.
As TechDirt points out, “One of the things that’s been glaring about all of the investigations and panels and research into these [surveillance] programs is that they almost always leave out actual technologists, and especially leave out security experts. That seems like a big weakness, and now those security researchers are speaking out anyway. At some point, the politicians backing these programs are going to have to realize that almost no one who actually understands this stuff thinks what they’re doing is the right way to go about this.”
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
Ladar Levison, Owner and Operator, Lavabit LLC, in an open letter to users.
Background: Lavabit is an encrypted email service that was reportedly used by Edward Snowden, among 350,000 other customers. The Guardian reports that the closure occurred after the company rejected “a court order for cooperation with the US government to participate in surveillance on its customers.”
Related: Lavabit isn’t alone. Silent Circle, a company that creates encrypted communication applications for text, phone and video, is preemptively shutting down its email service. In a notice to its customers, the company writes:
Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.
However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.
Welcome to surveillance.
Information is an existential threat to these regimes.
James Lewis, a cybersecurity expert, to the Wall Street Journal. Chinese Hackers Hit U.S. Media.
Yesterday we noted that hackers in China have infiltrated the New York Times’ computer systems.
Today, the Wall Street Journal reports that it — along with Reuters and Bloomberg among others — has also been hacked:
Chinese hackers for years have targeted major U.S. media companies with hacking that has penetrated inside newsgathering systems, several people familiar with the response to the cyberattacks said. Tapping reporters’ computers could allow Beijing to identify sources on articles and information about pending stories. Chinese authorities in the past have penalized Chinese nationals who have passed information to foreign reporters.
Journal sources on occasion have become hard to reach after information identifying them was included in emails. However, Western reporters in China long have assumed that authorities are monitoring their communications and act accordingly in sensitive cases…
…Among the targets were a handful of journalists in the Beijing bureau, including Jeremy Page, who wrote articles about the murder of British businessman Neil Heywood in a scandal that helped bring down Chinese politician Bo Xilai, people familiar with the matter said. Beijing Bureau Chief Andrew Browne also was a target, they said.
For its part, a spokesperson for the Chinese government rejects the allegation that it is behind the attacks.
UPDATE: Add the Washington Post to the list.
WhatsApp is set up to make the service friendly to new users who don’t have to provide their own combination of user name and password – they just use the existing info relating to their phone as login data. Telephone numbers are simply and clearly the basis for user names, and WhatsApp passwords — at least on Android phones — are clearly based on a phone’s IMEI serial number.
Granger discovered that to generate a password out of the IMEI number the app just changes the order of the digits – “your password is likely to be an inverse of your phone’s IMEI number with an MD5 cryptographic hash thrown on top of it.” What that means is that anybody who knows a phone’s IMEI number can figure out the password.
Many apps use IMEI numbers to identify phones, and any installed program can access that information and pass it on to an external database. In the event that what happened to iPhone this week (a hacker group released one million Apple UDIDs) happens to WhatsApp, and a database generated from the phone serial numbers were to be made public, WhatsApp user accounts would be compromised and become targets for spammers. Not that hackers have lost any time — on gray market sites, databases of Android phone serial numbers and corresponding cell phone numbers are sold under the keyword WhatsApp.
FJP: Filing this under “be smart and secure about your online and mobile life.”
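To make the weakness concrete, here is an added example (not WhatsApp's code and not part of the original post) that puts the derivation as the passage above describes it next to a server-issued random credential. The `CredentialStore` class, the sample IMEI and the phone number are assumptions made up for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample value, not a real device identifier.
SAMPLE_IMEI = "123456789012345"


def imei_derived_password(imei: str) -> str:
    """Weak scheme as described in the passage above: reversed IMEI, then MD5.

    The output is a pure function of an identifier that any installed app can
    read, so it contains no secret and cannot be rotated without new hardware.
    """
    return hashlib.md5(imei[::-1].encode("ascii")).hexdigest()


class CredentialStore:
    """Hardened alternative (assumed design): a random per-device secret."""

    def __init__(self) -> None:
        self._digests: dict[str, bytes] = {}

    def enroll(self, phone_number: str) -> str:
        """Issue a fresh 256-bit secret; re-enrolling revokes the old one."""
        token = secrets.token_urlsafe(32)
        # Only a digest is stored, so a database leak does not expose tokens.
        self._digests[phone_number] = hashlib.sha256(token.encode()).digest()
        return token

    def verify(self, phone_number: str, presented: str) -> bool:
        expected = self._digests.get(phone_number)
        if expected is None:
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        return hmac.compare_digest(expected, candidate)  # constant-time compare


if __name__ == "__main__":
    # The same IMEI always yields the same password, for the owner or anyone else.
    print(imei_derived_password(SAMPLE_IMEI) == imei_derived_password(SAMPLE_IMEI))
    store = CredentialStore()
    old = store.enroll("+1-555-0100")  # constructed phone number
    new = store.enroll("+1-555-0100")
    print(store.verify("+1-555-0100", old), store.verify("+1-555-0100", new))
```
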
As crisis maps become more prominent, it’s increasingly important to consider them as contested spaces, and to take seriously the idea that adversaries will try to manipulate them.
Ethan Zuckerman, senior researcher at the Berkman Center for Internet and Society at Harvard University.
Erica Naone, Technology Review. Why Crisis Maps Can Be Risky When There’s Political Unrest: Crisis maps in hostile political situations can let the dictatorial governments, as well as the protesters, see where the action is.
The article reviews what hacktivists and organizations like Ushahidi are doing to tackle security issues as maps are deployed around the globe.
The Committee to Protect Journalists published an article yesterday exploring whether Google+ was a viable platform for journalists to interact with sources on sensitive topics.
In a generally positive review that outlines the dangers reporters and their sources face when communicating via digital channels the author writes:
So, how secure is Google+ for at-risk reporters? From Day 1, everything on Google+ is encrypted with https. That means that no one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations.
Let’s stop, pause, recalibrate and explore what HTTPS is and does.
HTTPS is a protocol that encrypts information shared at the point of contact between a User and the service that User is connecting with. You might know it from your experiences with online banking. That is, go to your bank’s Web site and instead of “http” at the beginning of the address, you’ll see an added “S” to the URL indicating that you’re now in a “secure” environment.
At a very high level, this is how it works: When you attempt to connect with a secure server, an encrypted “handshake” occurs. Basically, you say, “Hello” to the server, the server sends an encrypted message back which you (i.e., your browser) then answer, and once the “handshake” is confirmed, the rest of your communications pass back and forth under this layer of encryption.
While secure for most purposes, it’s not foolproof. For example, “man in the middle” attacks can occur whereby an eavesdropping third party intercepts the initial request and fakes — and then controls — communication between the two parties.
Point being, to say, “[N]o one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations,” simply isn’t the case.
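Whether the interception described above succeeds depends on the client checking the server's certificate during the handshake. The following added example (not from the CPJ review or from Google) audits a Python TLS client configuration for the two checks that authenticate the server, and shows an optional certificate pin comparison. The function names and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def verifying_context() -> ssl.SSLContext:
    """Client settings that make the handshake authenticate the server."""
    return ssl.create_default_context()  # CERT_REQUIRED plus host name check


def non_verifying_context() -> ssl.SSLContext:
    """Weak settings: traffic is encrypted, but to whoever answers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """List the gaps that let an on-path party pose as the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the host name")
    return findings


def sha256_pin(der_cert: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Optional extra check: compare the presented certificate to a known pin.

    In a live client der_cert would come from
    SSLSocket.getpeercert(binary_form=True) after the handshake.
    """
    return hmac.compare_digest(sha256_pin(der_cert), pinned_sha256_hex.lower())


if __name__ == "__main__":
    print(audit_tls_context(verifying_context()))      # no findings
    print(audit_tls_context(non_verifying_context()))  # two findings
    # Constructed bytes standing in for a DER certificate.
    pin = sha256_pin(b"constructed-certificate-A")
    print(pin_matches(b"constructed-certificate-A", pin))
    print(pin_matches(b"constructed-certificate-B", pin))
```
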
Beyond that, just because the servers are secure doesn’t mean they can’t be hacked or broken into. We need just look back a month to reports that Chinese hackers hacked Google’s Gmail which, yes, is HTTPS protected.
"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals," George Kurtz, CTO of McAfee, a technology security firm, explained at the time. "These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file… Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system."
So, long story long: HTTPS isn’t a security panacea and we hope the CPJ amends their Google+ review with these considerable caveats.
There are, after all, reporters and activists around the globe that listen very carefully to what they have to say.