The FREAK (Factoring RSA Export Keys) flaw allows bad men to exploit those secret intimate moments shared between certain web browsers and HTTPS websites. Just when your copy of Safari begins rubbing the website’s knee and mumbling “you know you want it” in its ear, FREAK allows the hooligan element of the online world to tip-toe unnoticed into the room. By the time Safari has finished sweet-talking the website and is fumbling with its zip before establishing a “safe connection”, the rascals have stolen its johnnies.
The weakness in the connection security at this stage was the result of a governmental directive some 20 years ago that good encryption should not be exported to that dark and dangerous place outside the US known as “the rest of the world” (AKA “terrorists”).
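The mechanism behind the metaphor, as an added example that is not part of the original column: the attacker rewrites the ClientHello so the server sees only RSA_EXPORT suites, the export-capable server answers with a ServerKeyExchange carrying a temporary 512-bit RSA key, and the attacker rewrites the ServerHello so the client still believes it negotiated an ordinary RSA suite. The vulnerable client then accepts that ServerKeyExchange even though the message is not permitted for a non-export suite, and an attacker who has factored the 512-bit key can recover the premaster secret and forge the Finished messages. The simulation below models only the handshake state and the client-side check; the cipher-suite identifiers are the real IANA values, but the factoring step, the Finished forgery and the network are not modelled.

```python
"""FREAK downgrade, simulated at the level of TLS 1.0/1.1 handshake decisions.

Added example for this page, not code from the article or from any TLS library.
Plain Python values stand in for the wire messages; no network, no real crypto.
"""
import struct

# Real cipher-suite identifiers from the IANA TLS registry.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008

RSA_EXPORT_SUITES = {
    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
}


def encode_cipher_suites(suites):
    """Encode a suite list as it appears in a ClientHello: 2-byte length, 2 bytes per suite."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def parse_cipher_suites(data):
    """Parse the wire form back into suite ids; raises ValueError on malformed input."""
    if len(data) < 2:
        raise ValueError("truncated cipher_suites field")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def export_suites_in(data):
    """Audit helper: which RSA_EXPORT suites does this ClientHello field offer?"""
    return [s for s in parse_cipher_suites(data) if s in RSA_EXPORT_SUITES]


def mitm_rewrite_client_hello(data):
    """Attacker step 1: replace whatever the client offered with export-only suites."""
    parse_cipher_suites(data)  # the real attacker parses the record; we just validate it
    return encode_cipher_suites(sorted(RSA_EXPORT_SUITES))


def server_select(offered, supported):
    """Server picks the first offered suite it supports (ordering simplified)."""
    for s in offered:
        if s in supported:
            return s
    raise ValueError("no shared cipher suite")


def client_accepts_server_key_exchange(negotiated, rsa_bits, patched):
    """Client decision when a ServerKeyExchange with a temporary RSA key arrives.

    Vulnerable behaviour: accept the key regardless of the negotiated suite.
    Patched behaviour: the message is only legal for an RSA_EXPORT suite, and
    the export key must be the 512-bit export size; anything else is rejected.
    """
    if not patched:
        return True
    if negotiated not in RSA_EXPORT_SUITES:
        return False
    return rsa_bits is not None and rsa_bits <= 512


def run_handshake(patched):
    """Drive one handshake through the attacker and report whether the downgrade stuck."""
    client_offer = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA]
    # Constructed server profile: still export-capable, as many servers were in 2015.
    server_supports = set(client_offer) | RSA_EXPORT_SUITES
    tampered = mitm_rewrite_client_hello(encode_cipher_suites(client_offer))
    server_choice = server_select(parse_cipher_suites(tampered), server_supports)
    # An export suite makes the server send a ServerKeyExchange with a 512-bit RSA key.
    export_key_bits = 512 if server_choice in RSA_EXPORT_SUITES else None
    # Attacker step 2: rewrite the ServerHello so the client sees its own first choice.
    client_view = client_offer[0]
    downgraded = client_accepts_server_key_exchange(client_view, export_key_bits, patched)
    return {
        "server_choice": server_choice,
        "client_view": client_view,
        "export_key_bits": export_key_bits,
        "downgraded": downgraded,
    }


if __name__ == "__main__":
    for patched in (False, True):
        print("patched client:", patched, run_handshake(patched))
```

The client-side check is the whole fix: a plain RSA suite never carries a ServerKeyExchange, so receiving one is proof of tampering and must abort the handshake. `export_suites_in` is the audit you would run over captured ClientHellos to find clients (or proxies) that still advertise export suites, which is the other half of the cleanup.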
In many cases, security flaws are loopholes left behind due to the complexity of the digital antagonism between trying to enable a thing while preventing that thing. FREAK, on the other hand, was created as a deliberate act of self-sabotage, determined by the Powers That Be in full knowledge of the potential consequences.
Blame politicians for their lack of long-term vision if you like, but this is hardly the point. Politicians come and go and fill their pockets and die: this is what we expect politicians to do and we vote them into office so that they can do it. If there’s any lack of forward-thinking involved, it starts at the ballot box.
But in this instance, lots of people at the time said that relaxing encryption was A Stupid Idea. So the politicians and their advisers knew it was daft and still went ahead.
Consider the Y2K bug or the 2038 bug or whatever. The very fact that these things have names suggests that someone somewhere had the foresight to think about them in advance. They began as oversights and go on to be exploited, and then go on to be fixed.
It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it.
Despite what we already know, not least what we have learnt this FREAK week, someone somewhere is probably still advising the British prime minister that message encryption was invented by Osama bin Laden and should be zero-dark-thirtied at the first opportunity. National security, he is being advised, can only be achieved by criminalising er… security. Duh.
I blame these same advisors for the reckless re-emergence of biometric checks as a form of authentication. Surely it’s obvious to everyone that the fingerprint login on iPhones 6 and iPad Air devices is just a bit of fun, not a serious stab at effective security. Yet RBS and NatWest banks are introducing fingerprint access for accounts via mobile devices, and the scary bit is that they’re not laughing.
Biometrics are bollocks. Some El Reg readers may recollect Steve Jobs years ago demonstrating VoicePrint verification in Mac OS 9: “My voice is my password”. It was just a little joke, though: a laugh, a trick to delight the kids. It certainly wasn’t secure.
By the way, if you do remember this short-lived feature, well done: most long-time Mac users have already forgotten this turd of biometric nonsense.
In sci-fi action films, when a retina scan or a fingerprint is required to gain access to the high-security lab of an evil genius, the hero plucks out or hacks off that item from an unsuspecting minion in a lab coat and simply waves the relevant bloodied body part in front of the clichéd scanner thingy. For voice-activation, I wouldn’t be surprised to see a cinematic hero trying to blow through the vocal cords he’d ripped out of the chief scientist’s neck.
Of course, for voice activation, all you’d need to do is to hire a voice actor for your crack team, or invite that bloke down the pub who can do impersonations. Just imagine if James Earl Jones had voice activation on his bank account: you could break into it using a Darth Vader voice-changer from a toy shop.
Snowden Docs: New Zealand Spying On Friendly Neighboring Countries For The NSA
More Snowden docs have been released, covering the extent of GCSB’s (New Zealand’s intelligence agency) spying on supposedly “friendly” island nations. As is par for the course for intelligence programs, the documents show massive bulk collections of data and communications — all of which are immediately shared with the other members of the “Five Eyes” club.
Since 2009, the Government Communications Security Bureau intelligence base at Waihopai has moved to “full-take collection”, indiscriminately intercepting Asia-Pacific communications and providing them en masse to the NSA through the controversial NSA intelligence system XKeyscore, which is used to monitor emails and internet browsing habits.
This sort of spying — while apparently “normal,” in light of previously-released documents — indicates many governments enjoy spying for spying’s sake, rather than for the justifications they often offer in defense of untargeted surveillance.
The documents, provided by US whistleblower Edward Snowden, reveal that most of the targets are not security threats to New Zealand, as has been suggested by the Government.
Instead, the GCSB directs its spying against a surprising array of New Zealand’s friends, trading partners and close Pacific neighbours. These countries’ communications are supplied directly to the NSA and other Five Eyes agencies with little New Zealand oversight or decision-making, as a contribution to US worldwide surveillance.
The Tsarnaev Trial and the Blind Spots in ‘Countering Violent Extremism’
On April 19, 2013, as Dzhokhar Tsarnaev lay bleeding from gunshot wounds in a suburban Boston backyard, he scrawled a note that contained the following message:
“The US Government is killing our innocent civilians but most of you already know that….I don’t like killing innocent people it is forbidden in Islam but due to said [unintelligible] it is allowed…Stop killing our innocent people and we will stop.”
This message mirrored comments Tsarnaev would later give to investigators, in which he cited grievances over American wars in Afghanistan and Iraq as his motivation for the 2013 bombing of the Boston Marathon.
In his trial, which begins today, more details are expected to emerge about how he went from a popular college student to an alleged homegrown terrorist.
Widely described as a “self-radicalized” terrorist, Tsarnaev now serves as a prime example of the type of individual targeted by Countering Violent Extremist (CVE) programs. Yet in fact, Tsarnaev’s life trajectory leading up to the bombing does not resemble the “path to radicalization” identified in CVE frameworks — raising questions about the capacity of these programs to intervene effectively to preempt terrorism.
President Obama Complains To China About Demanding Backdoors To Encryption… As His Administration Demands The Same Thing
Back in January, we pointed out that just after US and EU law enforcement officials started freaking out about mobile encryption and demanding backdoors, China was also saying that it wanted to require backdoors for itself in encrypted products. Now, President Obama claims he’s upset about this, saying that he’s spoken directly with China’s President Xi Jinping about it:
In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access.
“This is something that I’ve raised directly with President Xi,” Obama said. “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”
This comes right after the US Trade Rep Michael Froman issued a statement criticizing China for doing the same damn thing that the US DOJ is arguing the US should be doing:
U.S. Trade Representative Michael Froman issued a statement on Thursday criticizing the banking rules, saying they “are not about security – they are about protectionism and favoring Chinese companies”.
“The Administration is aggressively working to have China walk back from these troubling regulations,” Froman said.
Those claims would sound a hell of a lot stronger if they weren’t coming immediately after DOJ officials from Attorney General Eric Holder to FBI Director James Comey had more or less argued for the exact same thing.
A Few Comments on the David Petraeus Plea Deal: What Money And Connections Buy You
David Petraeus, who suffered a fall worthy of a Greek tragedy when he was caught leaking classified information to his biographer-girlfriend, has reached a plea deal with the feds, in the person of the U.S. Attorney’s Office for the Western District of North Carolina.
As of now two documents are available online. There’s the Information, which is the charging document the feds use when grand jury indictment is not required or when the defendant waives that right. There’s also the factual basis — the narrative of facts to which Petraeus will admit. These documents reveal that Petraeus has agreed, in advance of charges being filed, to take a misdemeanor.
Generally, poor people react and rich people are proactive. Petraeus is sophisticated and has assets; he could afford to hire lawyers to negotiate with the feds before they charged him. As a result, he was able to secure a pretty good outcome that controlled his risks. The feds let him plead, pre-indictment, to a misdemeanor charge of improper removal and retention of classified documents under 18 USC section 1924. That means even if the federal judge who sentences him goes on a rampage, he can’t get more than a year in federal prison — and, given that it’s a misdemeanor, will very likely get far less. The Factual Basis includes a United States Sentencing Guideline calculation in which the government and Petraeus agree he winds up at an Adjusted Offense Level of 8, which means the judge can give him straight probation.
It is very difficult to get a misdemeanor out of the feds.
Petraeus’ factual basis reveals that he could have been charged with much, much worse. The statement discusses his “Black Books” containing his schedules and notes during his command in Afghanistan; those books contained “national defense information, including Top Secret/SCI code word information.” (Factual Basis at paragraphs 17-18.) Petraeus, after acknowledging that “there’s code word stuff in there,” gave the Black Books to his biographer/girlfriend at her private residence. “The DC Private Residence was not approved for the storage of classified information,” the statement notes dryly. (Factual Basis at paragraphs 22-25.) He retrieved the Black Books a few days later after she had been able to examine them, and retained them. Thereafter, when he resigned from the CIA, he signed a certification that he had no classified material in his possession, even though he had the Black Books. (Factual Basis at paragraph 27.) Later, when Petraeus consented to interviews with FBI agents, he lied to them and told them that he had never provided classified information to his biographer/girlfriend. (Factual Basis at paragraph 32.)
To federal prosecutors, that last paragraph of facts is like “Free Handjob And iPad Day” at Walt Disney World. First, you’ve got the repeated false statements to the government, each of which is going to generate its own charge under 18 U.S.C. 1001, which makes it illegal for you to lie to your government no matter how much your government lies to you. Then you’ve got the deliberate leaking of top secret/code word defense data to a biographer. An aggressive prosecutor might charge a felony under 18 U.S.C. section 793 (covering willful disclosure of national defense information) or 18 U.S.C. section 798 (covering disclosure of classified communications intelligence materials or information derived therefrom), both of which have ten-year maximum penalties. Those charges don’t seem to require any intent to harm the U.S. — only disclosure of information which could harm the U.S. if distributed. Other than that? You better believe there would be a conspiracy count for Petraeus’ interaction with his girlfriend.
If Petraeus were some no-name sad-sack with an underwater mortgage and no connections and no assets to hire lawyers pre-indictment, he’d almost certainly get charged a lot more aggressively than he has been. This administration has been extremely vigorous in prosecuting leakers and threatening the press.
So why is Petraeus getting off with a misdemeanor and a probable probationary sentence? Two reasons: money and power. Money lets you hire attorneys to negotiate with the feds pre-charge, to get the optimal result. Power — whether in the form of actual authority or connections to people with authority — gets you special consideration and the soft, furry side of prosecutorial discretion.
This is colloquially known as justice.
Australian Secretary Of Defense Not Concerned About Phone Hack; Doesn’t Think People Want To Spy On His Phone
If you were the Secretary of Defense of a large country, you might think you’d be slightly concerned that foreign agents would want to spy on you. Not so down in Australia, apparently, where the current Secretary of Defense insists that he’d be “surprised” if anyone wanted to find out what was on his phone. Seriously.
We’ve written about the recent story, revealed in documents leaked by Ed Snowden, that the NSA and GCHQ were able to hack into the systems of Gemalto, the world’s largest maker of SIM cards for mobile phones, and obtain the encryption keys used in those cards. While Gemalto insists that the hack didn’t actually get those encryption keys, not everyone feels so comfortable with Gemalto’s own analysis of what happened.
Senator Scott Ludlam (who we’ve written about a few times before) reasonably found the story of the Gemalto hack to be concerning, and went about asking some questions of the government to find out what they knew about it. The results are rather astounding. First he had asked ASIO, the Australian Security Intelligence Organization, and they said it wasn’t their area, but it might be ASD (the Australian Signals Directorate). The video below shows Ludlam asking the ASD folks for more information about the hack and being flabbergasted that they basically say they haven’t even heard about the hack at all:
Right at the beginning, the first person says he’s not aware of the situation, and Ludlam asks “are you aware of the broad outlines?” and gets a “no I am not” response, leading to a rather dry “Really?!? Okay, this is going to be interesting” reply from Ludlam. It goes on in this nature for a while, with the various people on the panel playing dumb, and Ludlam repeatedly (and rightly) appearing shocked that they appear to have no idea about the story.
But the really incredible part comes in the last minute of the video, in which Ludlam asks the Australian Secretary of Defense, Dennis Richardson, about his own concerns about his phone being spied on:
Ludlam: Do you use an encrypted phone, Mr. Richardson?
Richardson: No, I don’t.
Ludlam: Right. Okay. Do you use a commercial — I’m not asking you to name names — but do you use a commercial telecommunications provider?
Richardson: Yeah, yeah, yes.
Ludlam: So there might be a SIM card in your phone or mine. Does this alarm you at all?
Richardson: No.
Ludlam: No?
Richardson: No.
Ludlam: Why is that?
Richardson: Well, because I don’t particularly deal with people who… if anyone wants to listen to my telephone calls they can. I’d be surprised if they do, but I don’t particularly have conversations which I’m particularly worried about.
[Laughter all around the room]
Ludlam: So it’s okay if foreign spooks have hacked every mobile handset in the country because you don’t have anything in particular…
Richardson: It’s possible some might try to.
Ludlam: It’s possible some just have.
Richardson: [shrugs] Well, it’s possible.
So there you have it, folks. The Australian Secretary of Defense says that anyone is allowed to listen in to his calls, because there’s nothing secret about any of them. I’m not quite familiar with public records/freedom of information laws in Australia, but is it possible for someone to put in a request for recording all of the Secretary of Defense’s phone calls?
AT&T’s $30 ‘Don’t Be Snooped On’ Fee Is Even Worse Than Everybody Thought
Last week we noted that while AT&T has been trying to match Google Fiber pricing in small portions of several markets, it has been busily doing it in a very AT&T fashion. While the company is offering a $70, 1 Gbps service in some locations, the fine print indicates that users can only get that price point if they agree to AT&T’s Internet Preferences snoopvertising program. That program uses deep packet inspection to track your online behavior down to the second — and if you want to opt out, that $70 1 Gbps broadband connection quickly becomes significantly more expensive.
While most people thought this was rather dumb, AT&T actually received kudos on some fronts for trying something new. Apparently, the logic goes, AT&T charging you a major monthly fee to not be snooped on will result in some kind of privacy arms race resulting in better services and lower prices for all. While sometimes that sort of concept works (Google and Apple scurrying to profess who loves encryption more, for example), anybody who believes this is a good precedent doesn’t know the U.S. telecom market or AT&T very well.
As Stacey Higginbotham at GigaOM notes, it’s not as simple as just paying AT&T $30 not to be snooped on. AT&T actually makes it very difficult to even find the “please don’t spy on me” option, and saddles the process with a number of loopholes to prevent you from choosing it. In fact, you’re not even able to compare prices unless you plug in an address that’s in AT&T’s footprint but currently doesn’t have AT&T service. Meanwhile, according to Higginbotham’s math, even if you’re successful in signing up, that $30 privacy fee is actually much more depending on your chosen options. If you just want broadband, opting out of AT&T snoopvertising will actually run you $44
DOJ Inspector General Tells Congress That FBI Isn’t Letting His Office Do Its Job… Again
The FBI is still actively thwarting its oversight. Last fall, DOJ Inspector General Michael Horowitz informed the House Judiciary Committee that the FBI was routinely denying his office documents it needed to perform investigations. The withheld documents included everything from electronic surveillance information to organizational charts. Not only did the FBI refuse to hand over requested documents, but it also stonewalled OIG investigations for so long that “officials under review [had] retired or left the agencies before the report [was] complete.”
Nearly six months later, the situation remains unchanged. Horowitz is again informing the House Judiciary Committee that the FBI is still less than interested in assisting his office. The same stonewalling tactics and withholding of information continues, preventing the IG from fully examining the DEA’s use of administrative subpoenas.
Chicago’s “Black Site” Detainees Speak Out
On Tuesday, The Guardian’s Spencer Ackerman reported on the “equivalent of a CIA black site” operated by police in Chicago. When computer program analyst Kory Wright opened the story, he told me, “I immediately recognized the building” — because, the Chicago resident says, he was zip-tied to a bench there for hours in an intentionally overheated room without access to water or a bathroom, eventually giving false statements to try and end his ordeal.
A friend of Wright’s swept up in the same police raid described his own brutal treatment at the facility, known as Homan Square, including attacks to his face and genitals. The experiences of the two men line up with the way defense attorneys described the “black site” warehouse to Ackerman: as a place where detainees were held off the books, without access to lawyers, while being beaten or shackled for long periods of time.
Wright claims that nine years ago, he spent “at least six [brutal] hours” at the Homan facility on his 21st birthday. He says that he was never read his Miranda rights, and that his arrest was not put into the police system until after his ordeal was over. Wright was reminded of the facility again this week when he noticed a tweet from a writer he admires, The Atlantic’s Ta-Nehisi Coates, linking to Ackerman’s story. Ackerman compared Homan Square to the network of shadowy torture centers built by the CIA across the Middle East — but focused “on Americans, most often poor, black and brown,” rather than on purported overseas terrorists.
But unlike CIA black sites, Homan Square wasn’t a completely furtive enterprise. Several lawyers and anti-police brutality advocates with whom I spoke knew that suspects were routinely detained at Homan. The facility houses many of the police department’s special units, including the anti-gang and anti-drug task forces, along with the evidence-retrieval unit. Once suspects arrived at Homan, they did not have to be booked immediately, at least not as far as the police department was concerned, according to the people with whom I spoke. In fact, it was possible that a suspect’s arrest report wouldn’t show that he or she had ever been to Homan. Further, police could detain individuals at Homan for hours, or disappear them, before shipping them off to a district station for processing.
The Chicago Police Department declined to address the specific allegations from Wright and his friend, providing only a general statement denying abuses at Homan Square. (The same statement also appears in Ackerman’s story.) “CPD abides by all laws, rules and guidelines pertaining to any interviews of suspects or witnesses, at Homan Square or any other CPD facility,” the statement read. “There are always records of anyone who is arrested by CPD, and this is not any different at Homan Square.”
Kory Wright disagrees.