New Zealand Prime Minister Retracts Vow To Resign if Mass Surveillance Is Shown

In August, 2013, as evidence emerged of the active participation by New Zealand in the “Five Eyes” mass surveillance program exposed by Edward Snowden, the country’s conservative Prime Minister, John Key, vehemently denied that his government engages in such spying. He went beyond mere denials, expressly vowing to resign if it were ever proven that his government engages in mass surveillance of New Zealanders. He issued that denial, and the accompanying resignation vow, in order to reassure the country over fears provoked by a new bill he advocated to increase the surveillance powers of that country’s spying agency, Government Communications Security Bureau (GCSB) – a bill that passed by one vote thanks to the Prime Minister’s guarantees that the new law would not permit mass surveillance.

Since then, a mountain of evidence has been presented that indisputably proves that New Zealand does exactly that which Prime Minister Key vehemently denied – exactly that which he said he would resign if it were proven was done. Last September, we reported on a secret program of mass surveillance at least partially implemented by the Key government that was designed to exploit the very law that Key was publicly insisting did not permit mass surveillance. At the time, Snowden, citing that report as well as his own personal knowledge of GCSB’s participation in the mass surveillance tool XKEYSCORE, wrote in an article for the Intercept:

Let me be clear: any statement that mass surveillance is not performed in New Zealand, or that the internet communications are not comprehensively intercepted and monitored, or that this is not intentionally and actively abetted by the GCSB, is categorically false. . . . The prime minister’s claim to the public, that “there is no and there never has been any mass surveillance” is false. The GCSB, whose operations he is responsible for, is directly involved in the untargeted, bulk interception and algorithmic analysis of private communications sent via internet, satellite, radio, and phone networks.

Link (The Intercept)

Give biometrics the FINGER: Horror tales from the ENCRYPT

The FREAK (Factoring RSA Export Keys) flaw allows bad men to exploit those secret intimate moments shared between certain web browsers and HTTPS websites. Just when your copy of Safari begins rubbing the website’s knee and mumbling “you know you want it” in its ear, FREAK allows the hooligan element of the online world to tip-toe unnoticed into the room. By the time Safari has finished sweet-talking the website and is fumbling with its zip before establishing a “safe connection”, the rascals have stolen its johnnies.

The weakness in the connection security at this stage was the result of a governmental directive some 20 years ago that good encryption should not be exported to that dark and dangerous place outside the US known as “the rest of the world” (AKA “terrorists”).

In many cases, security flaws are loopholes left behind due to the complexity of the digital antagonism between trying to enable a thing while preventing that thing. FREAK, on the other hand, was created as a deliberate act of self-sabotage, determined by the Powers That Be in full knowledge of the potential consequences.

Blame politicians for their lack of long-term vision if you like, but this is hardly the point. Politicians come and go and fill their pockets and die: this is what we expect politicians to do and we vote them into office so that they can do it. If there’s any lack of forward-thinking involved, it starts at the ballot box.

But in this instance, lots of people at the time said that relaxing encryption was A Stupid Idea. So the politicians and their advisers knew it was daft and still went ahead.

Consider the Y2K bug or the 2038 bug or whatever. The very fact that these things have names suggests that someone somewhere had the foresight to think about them in advance. They began as oversights and go on to be exploited, and then go on to be fixed.

It strikes me that the IT industry enjoys watching security go titsup time and time again, simply so that it can fix it.

Despite what we already know, not least what we have learnt this FREAK week, someone somewhere is probably still advising the British prime minister that message encryption was invented by Osama bin Laden and should be zero-dark-thirtied at the first opportunity. National security, he is being advised, can only be achieved by criminalising er… security. Duh.

I blame these same advisors for the reckless re-emergence of biometric checks as a form of authentication. Surely it’s obvious to everyone that the fingerprint login on iPhone 6 and iPad Air devices is just a bit of fun, not a serious stab at effective security. Yet RBS and NatWest banks are introducing fingerprint access for accounts via mobile devices, and the scary bit is that they’re not laughing.

Biometrics are bollocks. Some El Reg readers may recollect Steve Jobs years ago demonstrating VoicePrint verification in Mac OS 9: “My name is my password”. It was just a little joke, though: a laugh, a trick to delight the kids. It certainly wasn’t secure.

By the way, if you do remember this short-lived feature, well done: most long-time Mac users have already forgotten this turd of biometric nonsense.

In sci-fi action films, when a retina scan or a fingerprint is required to gain access to the high-security lab of an evil genius, the hero plucks out or hacks off that item from an unsuspecting minion in a lab coat and simply waves the relevant bloodied body part in front of the clichéd scanner thingy. For voice-activation, I wouldn’t be surprised to see a cinematic hero trying to blow through the vocal cords he’d ripped out of the chief scientist’s neck.

Of course, for voice activation, all you’d need to do is to hire a voice actor for your crack team, or invite that bloke down the pub who can do impersonations. Just imagine if James Earl Jones had voice activation on his bank account: you could break into it using a Darth Vader voice-changer from a toy shop.

Link (The Register)
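
The FREAK passage at the top of this excerpt describes the attack only by metaphor. As an added illustration, not part of The Register column, here is a toy model of the two conditions that made it work: a server that still offers RSA_EXPORT suites (the 20-year-old export rule capped temporary RSA keys at 512 bits) and a client whose handshake state machine accepts an RSA ServerKeyExchange in a cipher suite where none is allowed (the bug OpenSSL fixed as CVE-2015-0204; Apple’s and Microsoft’s TLS stacks had equivalent state-machine bugs). The cipher suite values are real IANA assignments; the `Server`, `Client` and `handshake` names and the way keys are modelled are this example’s own simplifications, not a TLS implementation.

```python
"""Toy model of the FREAK downgrade: constructed for illustration, not a TLS stack.

Two things had to be true for FREAK to work: the server still accepted
RSA_EXPORT cipher suites (capped at 512-bit RSA), and the client's handshake
state machine accepted an RSA ServerKeyExchange even in a cipher suite where
that message is not allowed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Small subset of real IANA cipher suite values: (name, is_export_suite).
CIPHER_SUITES: Dict[int, Tuple[str, bool]] = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", True),
    0x0008: ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
}

EXPORT_RSA_MAX_BITS = 512  # the export rule: temporary RSA keys of at most 512 bits


@dataclass(frozen=True)
class RSAKey:
    bits: int
    label: str


class HandshakeError(Exception):
    pass


class Server:
    """A 2015-era server that still honours export suites if nothing better is offered."""

    def __init__(self) -> None:
        self.cert_key = RSAKey(2048, "certificate key")

    def server_hello(self, offered: List[int]) -> int:
        for suite in offered:
            if suite in CIPHER_SUITES:
                return suite
        raise HandshakeError("no shared cipher suite")

    def server_key_exchange(self, suite: int) -> Optional[RSAKey]:
        # Export suite: send a short temporary RSA key (signed by the cert key in real TLS).
        if CIPHER_SUITES[suite][1]:
            return RSAKey(EXPORT_RSA_MAX_BITS, "temporary export key")
        return None  # plain RSA suite: the client encrypts to the certificate key directly


class Client:
    def __init__(self, offered: List[int], check_state: bool) -> None:
        self.offered = offered
        # check_state=False reproduces the vulnerable behaviour; True is the fixed client.
        self.check_state = check_state

    def key_for_premaster(self, suite: int, cert_key: RSAKey, ske: Optional[RSAKey]) -> RSAKey:
        if ske is None:
            return cert_key
        if self.check_state and not CIPHER_SUITES[suite][1]:
            raise HandshakeError("RSA ServerKeyExchange not allowed in a non-export suite")
        if self.check_state and ske.bits > EXPORT_RSA_MAX_BITS:
            raise HandshakeError("export key larger than the suite permits")
        return ske  # vulnerable path: encrypt the premaster secret to whatever key arrived


def handshake(client: Client, mitm: bool) -> Dict[str, object]:
    """Run the RSA key-exchange part of the handshake, with or without an active attacker."""
    server = Server()
    offered = client.offered
    if mitm:
        # Attacker rewrites the ClientHello so the server can only choose an export suite.
        offered = [s for s, (_, export) in CIPHER_SUITES.items() if export]
    server_suite = server.server_hello(offered)
    ske = server.server_key_exchange(server_suite)
    # Attacker rewrites the ServerHello so the client believes its own first choice won.
    # Finished-message integrity does not save the client: once the 512-bit key is
    # factored the attacker knows the master secret and can forge both Finished messages.
    client_suite = client.offered[0] if mitm else server_suite
    key = client.key_for_premaster(client_suite, server.cert_key, ske)
    return {
        "client_suite": CIPHER_SUITES[client_suite][0],
        "server_suite": CIPHER_SUITES[server_suite][0],
        "premaster_key_bits": key.bits,
        # 512-bit RSA moduli were factorable in hours on rented cloud compute in 2015.
        "attacker_can_recover_premaster": key.bits <= EXPORT_RSA_MAX_BITS,
    }


if __name__ == "__main__":
    normal = Client([0x002F], check_state=False)
    print("no attacker:", handshake(normal, mitm=False))
    print("vulnerable client, attacker on path:", handshake(normal, mitm=True))
    try:
        handshake(Client([0x002F], check_state=True), mitm=True)
    except HandshakeError as err:
        print("fixed client, attacker on path: handshake aborted:", err)
```

Running the file prints the three cases. The fixed client’s check is essentially the whole client-side patch: a ServerKeyExchange carrying RSA parameters is only legal when the negotiated suite is an export suite, so rejecting it anywhere else closes the downgrade even against a server that still honours export suites. The complementary server-side fix is to stop offering export suites at all.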

President Obama Complains To China About Demanding Backdoors To Encryption… As His Administration Demands The Same Thing

Back in January, we pointed out that just after US and EU law enforcement officials started freaking out about mobile encryption and demanding backdoors, that China was also saying that it wanted to require backdoors for itself in encrypted products. Now, President Obama claims he’s upset about this, saying that he’s spoken directly with China’s President Xi Jinping about it:

In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access.

“This is something that I’ve raised directly with President Xi,” Obama said. “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”

This comes right after the US Trade Rep Michael Froman issued a statement criticizing China for doing the same damn thing that the US DOJ is arguing the US should be doing:

U.S. Trade Representative Michael Froman issued a statement on Thursday criticizing the banking rules, saying they “are not about security – they are about protectionism and favoring Chinese companies”.

“The Administration is aggressively working to have China walk back from these troubling regulations,” Froman said.

Those claims would sound a hell of a lot stronger if they weren’t coming immediately after DOJ officials from Attorney General Eric Holder to FBI Director James Comey had more or less argued for the exact same thing.

Link (Techdirt)

Australian Secretary Of Defense Not Concerned About Phone Hack; Doesn’t Think People Want To Spy On His Phone

If you were the Secretary of Defense of a large country, you might think you’d be slightly concerned that foreign agents would want to spy on you. Not so down in Australia apparently, where the current Secretary of Defense insists that he’d be “surprised” if anyone wanted to find out what was on his phone. Seriously.

We’ve written about the recent story, revealed in documents leaked by Ed Snowden, that the NSA and GCHQ were able to hack into the systems of Gemalto, the world’s largest maker of SIM cards for mobile phones, and obtain the encryption keys used in those cards. While Gemalto insists that the hack didn’t actually get those encryption keys, not everyone feels so comfortable with Gemalto’s own analysis of what happened.

Senator Scott Ludlam (who we’ve written about a few times before) reasonably found the story of the Gemalto hack to be concerning, and went about asking some questions of the government to find out what they knew about it. The results are rather astounding. First he had asked ASIO, the Australian Security Intelligence Organization, and they said it wasn’t their area, but it might be ASD (the Australian Signals Directorate). The video below shows Ludlam asking the ASD folks for more information about the hack and being flabbergasted that they basically say they haven’t even heard about the hack at all:

Right at the beginning, the first person says he’s not aware of the situation, and Ludlam asks “are you aware of the broad outlines?” and gets a “no I am not” response, leading to a rather dry “Really?!? Okay, this is going to be interesting” reply from Ludlam. It goes on in this nature for a while, with the various people on the panel playing dumb, and Ludlam repeatedly (and rightly) appearing shocked that they appear to have no idea about the story.

But the really incredible part comes in the last minute of the video, in which Ludlam asks the Australian Secretary of Defense, Dennis Richardson, about his own concerns about his phone being spied on:

Ludlam: Do you use an encrypted phone, Mr. Richardson?

Richardson: No, I don’t.

Ludlam: Right. Okay. Do you use a commercial — I’m not asking you to name names — but do you use a commercial telecommunications provider?

Richardson: Yeah, yeah, yes.

Ludlam: So there might be a SIM card in your phone or mind. Does this alarm you at all?

Richardson: No.

Ludlam: No?

Richardson: No.

Ludlam: Why is that?

Richardson: Well, because I don’t particularly deal with people who… if anyone wants to listen to my telephone calls they can. I’d be surprised if they do, but I don’t particularly have conversations which I’m particularly worried about.

[Laughter all around the room]

Ludlam: So it’s okay if foreign spooks have hacked every mobile handset in the country because you don’t have anything in particular…

Richardson: It’s possible some might try to.

Ludlam: It’s possible some just have.

Richardson: [shrugs] Well, it’s possible.

So there you have it, folks. The Australian Secretary of Defense says that anyone is allowed to listen in to his calls, because there’s nothing secret about any of them. I’m not quite familiar with public records/freedom of information laws in Australia, but is it possible for someone to put in a request for recording all of the Secretary of Defense’s phone calls?

Link (Techdirt)

AT&T’s $30 ‘Don’t Be Snooped On’ Fee Is Even Worse Than Everybody Thought

Last week we noted that while AT&T has been trying to match Google Fiber pricing in small portions of several markets, it has been busily doing it in a very AT&T fashion. While the company is offering a $70, 1 Gbps service in some locations, the fine print indicates that users can only get that price point if they agree to AT&T’s Internet Preferences snoopvertising program. That program uses deep packet inspection to track your online behavior down to the second — and if you want to opt out, that $70 1 Gbps broadband connection quickly becomes significantly more expensive.

While most people thought this was rather dumb, AT&T actually received kudos on some fronts for trying something new. Apparently, the logic goes, AT&T charging you a major monthly fee to not be snooped on will result in some kind of privacy arms race resulting in better services and lower prices for all. While sometimes that sort of concept works (Google and Apple scurrying to profess who loves encryption more, for example), anybody who believes this is a good precedent doesn’t know the U.S. telecom market or AT&T very well.

As Stacey Higginbotham at GigaOM notes, it’s not as simple as just paying AT&T $30 to not be snooped on. AT&T actually makes it very difficult to even find the “please don’t spy on me option,” and saddles the process with a number of loopholes to prevent you from choosing it. In fact, you’re not even able to compare prices unless you plug in an address that’s in AT&T’s footprint, but currently doesn’t have AT&T service. Meanwhile, according to Higginbotham’s math, even if you’re successful in signing up, that $30 privacy fee is actually much more depending on your chosen options. If you just want broadband, opting out of AT&T snoopvertising will actually run you $44

Link (Techdirt)

Here’s 140 Fully-Redacted Pages Explaining How Much Snowden’s Leaks Have Harmed The Nation’s Security

If the US intelligence committee is concerned about the status of “hearts and minds” in its ongoing NSA v. Snowden battle, it won’t be winning anyone over with its latest response to a FOIA request.

Various representatives of the intelligence community have asserted (sometimes repeatedly) that Snowden’s leaks have caused irreparable harm to intelligence-gathering efforts and placed the nation in “grave danger.” But when given the chance to show the public how much damage has been done, it declares everything on the subject too sensitive to release. EVERYTHING.

Link (Techdirt)

AT&T Charging Customers to Not Spy on Them

AT&T is charging a premium for gigabit Internet service without surveillance:

The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program “works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing.” In other words, AT&T is performing deep packet inspection, a controversial practice through which internet service providers, by virtue of their privileged position, monitor all the internet traffic of their subscribers and collect data on the content of those communications.

What if customers do not want to be spied on by their internet service providers? AT&T allows gigabit service subscribers to opt out — for a $29 fee per month.

I have mixed feelings about this. On one hand, AT&T is forgoing revenue by not spying on its customers, and it’s reasonable to charge them for that lost revenue. On the other hand, this sort of thing means that privacy becomes a luxury good. In general, I prefer to conceptualize privacy as a right to be respected and not a commodity to be bought and sold.

Link (Bruce Schneier)
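
Both AT&T items above turn on one fact: deep packet inspection sits below the browser, so browser-side settings cannot change what it sees. As an added example, not code from Techdirt, Schneier or AT&T, the inspector below reads two constructed payloads for the same site, a plaintext HTTP request and a TLS ClientHello, and reports what an ISP-side box could extract from each. The parsing is minimal and the sample traffic is invented; `inspect_http`, `inspect_tls`, `dpi_view` and `build_client_hello` are this example’s own names.

```python
"""Constructed demonstration of what an ISP-side deep packet inspection box can read.

Two constructed payloads pass through a minimal inspector: a plaintext HTTP
request and a TLS ClientHello for the same site. The DNT header and private
browsing change nothing in the first case; encryption is the only thing that
changes what the ISP sees in the second.
"""
import struct
from typing import Dict, Optional

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")


def inspect_http(payload: bytes) -> Dict[str, Optional[str]]:
    """Plaintext HTTP: host, full request target, cookies and the DNT header are all readable."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _, target, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "transport": "http",
        "host": headers.get("host", ""),
        "target": target,
        "cookie": headers.get("cookie", ""),
        "dnt": headers.get("dnt", ""),  # visible, and the ISP is free to ignore it
        "body": body.decode("ascii", "replace"),
    }


def inspect_tls(payload: bytes) -> Dict[str, Optional[str]]:
    """TLS ClientHello: only the server_name (SNI) extension is readable; the rest is opaque."""
    sni: Optional[str] = None
    if len(payload) > 5 and payload[0] == 0x16 and payload[5] == 0x01:
        p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                  # session id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]    # cipher suites
        p += 1 + payload[p]                                  # compression methods
        if p + 2 <= len(payload):
            end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
            p += 2
            while p + 4 <= end:
                ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
                p += 4
                if ext_type == 0:  # server_name: list length(2), name type(1), name length(2), name
                    name_len = struct.unpack("!H", payload[p + 3:p + 5])[0]
                    sni = payload[p + 5:p + 5 + name_len].decode("ascii")
                    break
                p += ext_len
    # Everything after the handshake is ciphertext: no path, no cookies, no headers.
    return {"transport": "tls", "host": sni, "target": None, "cookie": None, "dnt": None, "body": None}


def dpi_view(payload: bytes) -> Dict[str, Optional[str]]:
    """Dispatch on the first bytes the way a simple traffic classifier would."""
    if payload.startswith(HTTP_METHODS):
        return inspect_http(payload)
    return inspect_tls(payload)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (constructed input)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    body = (b"\x03\x03" + bytes(32)                       # version, client random
            + b"\x00"                                      # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                                  # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)   # extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample traffic: the same site visited over HTTP and over HTTPS.
HTTP_REQUEST = (b"GET /search?q=debt+consolidation HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"DNT: 1\r\n"
                b"Cookie: session=opaque\r\n\r\n")
HTTPS_REQUEST = build_client_hello("www.example.com")

if __name__ == "__main__":
    print(dpi_view(HTTP_REQUEST))
    print(dpi_view(HTTPS_REQUEST))
```

The plaintext request yields the host, the full query string, the cookie and the `DNT: 1` header, and nothing obliges the ISP to honour that header. The TLS payload yields only the server name from the SNI extension; everything after the handshake is ciphertext. That is why the practical answer to ISP-level tracking in 2015 was HTTPS everywhere or a VPN, not a browser setting.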

Leaky battery attack reveals the paths you walk in life

Here’s another one that shows how seemingly anonymous data is never truly anonymous:

More than 100 mobile apps leak users’ location regardless of whether they opt to keep the information private, according to researchers.

Power consumption data is the source of the leaks, which make it possible to determine users’ whereabouts with 90 percent accuracy.

A quartet from Stanford University and Israeli defence contractor Rafael developed an app called PowerSpy to demonstrate the leak.

“Modern mobile platforms like Android enable applications to read aggregate power usage on the phone … We show that by simply reading the phone’s aggregate power consumption over a period of a few minutes an application can learn information about the user’s location,” the team wrote in the paper PowerSpy: Location Tracking using Mobile Device Power Analysis (PDF).

“Aggregate phone power consumption data is extremely noisy due to the multitude of components and applications simultaneously consuming power.

“Nevertheless, we show that by using machine learning techniques, the phone’s location can be inferred.”

Power consumption increases the further a user is from a base station and the more objects are in the line of sight between the two.

If an attacker has a general idea where their target is they can track them by plotting these variations, the boffins say.

Link (The Register)
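
The excerpt states the inference step (“by using machine learning techniques, the phone’s location can be inferred”) without showing it. As an added example, not the PowerSpy code or data, the block below does the simplest version: it normalises a noisy aggregate-power trace, then matches it against previously recorded reference traces of candidate routes with dynamic time warping, which tolerates the target moving at a different speed than when the references were recorded. The three route profiles, the baseline and the noise level are invented; `REFERENCE_ROUTES`, `simulate_trace` and `identify_route` are this example’s own names. The attacker is assumed, as in the excerpt, to already have a short list of candidate routes.

```python
"""Constructed stand-in for the PowerSpy inference step: match a noisy aggregate-power
trace against reference traces of candidate routes using dynamic time warping (DTW).

Not the paper's code or data. The route profiles below are invented, the classifier
is a plain nearest neighbour over DTW distance, and the attacker is assumed to have
recorded reference traces for the candidate routes beforehand.
"""
import math
import random
from typing import Dict, List

# Invented reference profiles: relative radio power draw sampled along each route.
# Draw rises with distance from the serving tower and with obstructions in between.
REFERENCE_ROUTES: Dict[str, List[float]] = {
    "campus_loop":   [1.0, 1.2, 1.5, 2.0, 2.6, 3.0, 2.6, 2.0, 1.5, 1.2, 1.0, 0.9],
    "river_road":    [3.0, 2.8, 2.5, 2.0, 1.5, 1.0, 0.8, 0.7, 0.8, 1.0, 1.5, 2.0],
    "ring_motorway": [1.0, 1.0, 2.8, 3.0, 1.0, 1.0, 1.0, 1.0, 2.8, 3.0, 1.0, 1.0],
}


def znormalize(trace: List[float]) -> List[float]:
    """Remove the phone-specific baseline (screen, CPU, other apps) and scale: keep only the shape."""
    mean = sum(trace) / len(trace)
    std = math.sqrt(sum((x - mean) ** 2 for x in trace) / len(trace)) or 1.0
    return [(x - mean) / std for x in trace]


def dtw_distance(a: List[float], b: List[float]) -> float:
    """Dynamic time warping: tolerates the target walking or driving at a different speed."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = (a[i - 1] - b[j - 1]) ** 2
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return math.sqrt(cost[n][m])


def identify_route(observed: List[float],
                   references: Dict[str, List[float]] = REFERENCE_ROUTES) -> str:
    """Nearest neighbour over DTW distance between normalised observed and reference traces."""
    obs = znormalize(observed)
    scores = {name: dtw_distance(obs, znormalize(ref)) for name, ref in references.items()}
    return min(scores, key=scores.get)


def simulate_trace(route: str, seed: int, baseline: float = 4.0,
                   stretch: int = 2, noise: float = 0.2) -> List[float]:
    """Constructed observation: the reference shape, slowed down by `stretch`, on top of a
    phone-specific baseline, plus Gaussian noise from other components and apps."""
    rng = random.Random(seed)
    profile = [x for x in REFERENCE_ROUTES[route] for _ in range(stretch)]
    return [baseline + x + rng.gauss(0.0, noise) for x in profile]


if __name__ == "__main__":
    for route in REFERENCE_ROUTES:
        trace = simulate_trace(route, seed=7)
        print(f"true={route:14s} inferred={identify_route(trace)}")
```

Running it prints the true and inferred route for each candidate. The z-normalisation is what makes the per-phone baseline drop out, which is why the leak survives the noise the excerpt mentions: the attacker needs only the shape of the power curve over a few minutes, not its absolute level. The excerpt’s point about permissions also stands: the input here is the aggregate power counter, not any location API, so a location opt-out does nothing and the only effective control is denying untrusted apps the counter itself.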