Archive for the ‘Privacy’ Category

Orwell: The surveillance game that puts you in Big Brother’s shoes [Echoes of Ender’s Game?]

Sunday, November 13th, 2016

Orwell: The surveillance game that puts you in Big Brother’s shoes by Claire Reilly.

From the post:

“Big Brother has arrived — and it’s you.”

As CNET’s resident privacy nark, I didn’t need much convincing to play a game all about social engineering and online surveillance.

But when I stepped into my role as a new recruit for the fictional Orwell internet surveillance program, I didn’t expect to find the rush of power so beguiling, or unsettling.

Developed by German outfit Osmotic Studios, Orwell sees you working as a new recruit in a surveillance agency of the same name, following a series of terrorist attacks in Bonton, the fictional capital of The Nation. As an agent, you are responsible for scraping social media feeds, blogs, news sites and the private communications of the Nation’s citizens to find those with connections to the bombings.

You start with your first suspect before working through a web of friends and associates. You’re after data chunks — highlighted pieces of information and text found in news stories, websites and blogs that can be dragged and uploaded into the Orwell system and permanently stored as evidence.

The whole game has a kind of polygon graphic aesthetic, making the news clippings, websites and social media feeds you’re trawling feel close to the real thing. But as with everything in Orwell, it’s viewed through a glass, darkly.

If you are a game player, this sounds wickedly seductive.

If you’re not, what if someone weaponized Orwell so that what appear to be “in the game” hacks are hacks in the “real world”?

A cybersecurity “Ender’s Game,” where the identity of targets and the consequences of attacks are concealed from the hackers?

Are the identities of targets or the consequences of attacks your concern? Or is credit for breaching defenses and looting data enough?

Before reaching that level of simulation, imagine changing from the lone/small group hacker model to a more distributed model.

Where anonymous hackers offer specialized skills, data or software in collaboration on proposed hacks.

Ideas on the requirements for such a collaborative system?

Assuming nation states get together on cybersecurity, it could be a mechanism to match or even outperform such efforts.

Another Day, Another Law To Ignore – Burner Drones Anyone?

Thursday, October 27th, 2016

Sweden bans cameras on drones, deeming it illegal surveillance by Lisa Vaas.

From the post:

Sweden last week banned the use of camera drones without a special permit, infuriating hobby flyers and an industry group but likely pleasing privacy campaigners.

Drone pilots will now have to show that there’s a legitimate benefit that outweighs the public’s right to privacy – and there are no exemptions for journalists, nor any guarantee that a license will be granted.

The cost of a license depends on variables such as the takeoff weight of the drone and whether it’s going to be flown further than the pilot can see, and none of the licenses are cheap. Costs range from an annual license fee of €1,200 right up to a maximum hourly fee of €36,000.

UAS Sweden (Unmanned Aerial System – SWEDEN) has objected to the ruling on the potential for loss of jobs.

The interests of the industry will be better met with development and advocacy of burner drones. Similar to a burner cellphone, it isn’t intended for recovery/re-use.

Burner drones are critical to reporting on government attacks like the one imminent on #NoDAPL camps (North Dakota).

Burner drones keep journalists beyond the reach of batons, tear gas and water cannon, all good things.

Just searching quickly, Airblock has the right idea but its capabilities are too limited to make an effective burner drone for journalists.

Something on that order, with a camera, longer range/duration, modular is good, especially if you can add on parts that “bite.”

Privacy advocates miss the fact there is no privacy in the face of modern government surveillance. Banning drones only reduces the ability of people to counter-spy upon their less than truthful governments.

In case you are interested, the administrative court ruling in question:

The organization of camera on a drone but not for the camera in a car

Summary:

The Supreme Administrative Court has in two judgments found that a camera mounted on a drone requires a permit under camera surveillance law while a camera mounted behind the windscreen of a car or on a bicycle handlebar does not need permission.

Please ping me with notices of burner drone projects. Thanks!

Unmasking Tor users with DNS

Thursday, October 6th, 2016

Unmasking Tor users with DNS by Mark Stockley.

From the post:

Researchers at the KTH Royal Institute of Technology, Stockholm, and Princeton University in the USA have unveiled a new way to attack Tor and deanonymise its users.

The attack, dubbed DefecTor by the researchers in their recently published paper, The Effect of DNS on Tor’s Anonymity, uses the DNS lookups that accompany our browsing, emailing and chatting to create a new spin on Tor’s most well-established weakness: correlation attacks.

If you want the lay-person’s explanation of the DNS issue with Tor, see Mark’s post. If you want the technical details, read The Effect of DNS on Tor’s Anonymity.
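To make the DNS angle concrete, here is a stripped-down, added illustration of DNS-assisted correlation; it is not code from the DefecTor paper or the Tor project. It assumes a passive observer that sees when a client starts talking to its guard (ingress side) and the DNS queries exits send to their resolvers (egress side). The real attack pairs the egress DNS view with website fingerprinting of the encrypted ingress traffic; this version uses only timing plus the set of names a page load resolves, which is enough to show why exit-side DNS exposure matters. The site fingerprints, capture events and relay addresses are all constructed.

```python
"""Simplified DNS-assisted correlation against a Tor-style network.

Added illustration, not code from the DefecTor paper. The observer correlates
client ingress times with DNS names seen at exit-side resolvers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    t: float        # seconds since capture start, as seen at the resolver
    name: str       # queried hostname
    exit_ip: str    # exit relay that sent the query


# Per-site "DNS fingerprint": the names one page load resolves. Constructed.
SITE_DOMAINS = {
    "news.example": {"news.example", "cdn.news.example", "ads.news.example"},
    "shop.example": {"shop.example", "img.shop.example", "pay.shop.example"},
}

# Constructed capture: when the client opened circuits, and what an observer
# near the exits' resolvers would have logged.
INGRESS_TIMES = [10.0, 40.0]
DNS_EVENTS = [
    DnsEvent(10.5, "news.example", "198.51.100.7"),
    DnsEvent(11.0, "cdn.news.example", "198.51.100.7"),
    DnsEvent(11.2, "ads.news.example", "198.51.100.7"),
    DnsEvent(25.0, "unrelated.example", "198.51.100.9"),  # background noise
    DnsEvent(40.3, "shop.example", "198.51.100.9"),
    DnsEvent(41.0, "img.shop.example", "198.51.100.9"),   # pay.shop.example was cached, never seen
]


def lookups_in_window(dns_events, t0, window):
    """DNS queries observed in [t0, t0 + window]."""
    return [e for e in dns_events if t0 <= e.t <= t0 + window]


def site_score(dns_events, t0, window, domains):
    """Fraction of a site's fingerprint names resolved shortly after t0."""
    seen = {e.name for e in lookups_in_window(dns_events, t0, window)}
    return len(seen & domains) / len(domains)


def correlate(ingress_times, dns_events, site_domains, window=5.0, threshold=0.66):
    """Guess the visited site for each ingress event.

    Returns (t0, site_or_None, score). Resolver caching and exits shared by
    many clients are what push real-world scores below 1.0, so a threshold
    below 1.0 is needed; too low and unrelated traffic produces false matches.
    """
    results = []
    for t0 in ingress_times:
        best_site, best = None, 0.0
        for site, domains in site_domains.items():
            s = site_score(dns_events, t0, window, domains)
            if s > best:
                best_site, best = site, s
        results.append((t0, best_site if best >= threshold else None, best))
    return results


def demo():
    return correlate(INGRESS_TIMES, DNS_EVENTS, SITE_DOMAINS)


if __name__ == "__main__":
    for t0, site, score in demo():
        print(f"ingress at {t0:5.1f}s -> {site or 'no match'} (score {score:.2f})")
```

The two ingress events are matched to their sites even though one fingerprint name never reached the resolver; the noise event at 25 s matches nothing. The practical lesson is the one the paper draws: exits whose resolvers are far away or centralised hand this vantage point to more observers, which is why where exits resolve DNS is part of the threat model.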

The immediate take away for the average user is this:

Donate, volunteer, support the Tor project.

Your privacy or lack thereof is up to you.

Oversight Concedes Too Much

Wednesday, September 28th, 2016

It’s deeply ironic that the Electronic Frontier Foundation writes in: Police Around the Country Regularly Abuse Law Enforcement Databases:


The AP investigation builds off more than a year’s worth of research by EFF into the California Law Enforcement Telecommunications System (CLETS). EFF previously found that the oversight body charged with combatting misuse had been systematically giving law enforcement agencies a pass by either failing to make sure agencies filed required misuse data or to hold hearings to get to the bottom of persistent problems with misuse. As EFF reported, confirmed misuse cases have more than doubled in California between 2010 and 2015.

Contrast that post with:

NSA’s Failure to Report Shadow Broker Vulnerabilities Underscores Need for Oversight and What to Do About Lawless Government Hacking and the Weakening of Digital Security, both of which are predicated on what? Oversight.

Sorry, but it is one of those “facts” everyone talks about in the presidential debates: both the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence have been, are, and in all likelihood will be, failures at oversight of the intelligence agencies. One particularly forceful summary of those failures can be found in: A Moon Base, Cyborg Army, and Congress’s Failed Oversight of the NSA by Eli Sugarman.

Eli writes:

Does the U.S. government have a moon base? How about a cyborg army? These questions were not posed by Stephen Colbert but rather by Rep. Justin Amash (R-MI) to highlight the futility of Congress’s intelligence oversight efforts. Amash decried how Congress is unable to rein in troubling NSA surveillance programs because it is not adequately informed about them or permitted to share the minimal information it does know. Congress is instead forced to tease out nuggets of information by playing twenty questions with uncooperative intelligence officials in classified briefings.

Oversight? When the overseen decide if, when, where and how much they will disclose to the overseers?

The EFF and others need to stop conceding the legitimacy of government surveillance and abandon their quixotic quest for the implementation of a strategy, oversight, that is known to fail.

For anyone pointing at the latest “terrorism” attack in New York City, consider these statistics from the Centers for Disease Control and Prevention (CDC, 2013):

Number of deaths for leading causes of death:

  • Heart disease: 614,348
  • Cancer: 591,699
  • Chronic lower respiratory diseases: 147,101
  • Accidents (unintentional injuries): 136,053
  • Stroke (cerebrovascular diseases): 133,103
  • Alzheimer’s disease: 93,541
  • Diabetes: 76,488
  • Influenza and Pneumonia: 55,227
  • Nephritis, nephrotic syndrome and nephrosis: 48,146
  • Intentional self-harm (suicide): 42,773

Do you see terrorism on that list?

Just so you know, toddlers with guns kill more people in the United States than terrorists.

Without terrorism, one of the knee-jerk justifications for government surveillance vanishes.

The EFF should be challenging the factual basis of government justifications for surveillance one by one.

Conceding that any justification for surveillance exists without contesting its factual basis is equivalent to conceding the existence of an unsupervised surveillance state.

Once surveillance is shown to have no factual justification, then the dismantling of the surveillance state can begin.

Tor 0.2.8.8 is released, with important fixes

Friday, September 23rd, 2016

Tor 0.2.8.8 is released, with important fixes

Source available today, packages over the next week.

Privacy is an active, not passive stance.

Steps to take:

  1. Upgrade your Tor software.
  2. Help someone upgrade their Tor software.
  3. Introduce one new person to Tor.

If you take those steps with every upgrade, Tor will spread more quickly.

I have this vision of James Clapper (Director of National Intelligence), waking up in a cold sweat as darkness spreads across a visualization of the Internet in real time.

Just a vision but an entertaining one.

Google Allo – Goodbye!

Thursday, September 22nd, 2016

Google Allo: Don’t use it, says Edward Snowden by Liam Tung.

From the post:

Google’s Allo messaging app and its Assistant bot have finally arrived, but Allo has been slammed for reneging on a promise that it would, by default, make it more difficult to spy on.

Because of the missing privacy feature, NSA-contractor-turned-whistleblower Edward Snowden’s first take of Allo after yesterday’s US launch is that it’s just a honeypot for surveillance.

The main complaints are that security is off by default and that chat logs are stored until deleted by users.

Google made a conscious choice on both of those features.

Now is your opportunity to make a conscious choice about Allo. Goodbye!

Don’t be misled into thinking end-to-end encryption ends the danger from preserving chat logs.

Intelligence agencies have long argued knowing who calls who is more important than the content of phone calls. Same is true for chats.

Google has chosen a side other than consumers, that’s enough to avoid it whenever possible.

Tails [Whatever The Presidential Race Outcome]

Tuesday, September 20th, 2016

Tails – the amnesic incognito live system

From the about page:

Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.

Whatever your prediction for the US 2016 presidential election, Hairy Thunderer or Cosmic Muffin, you are going to need Tails.

For free speech and/or privacy in 2017, get Tails.

It really is that simple.

Investigatory Powers Bill As Amended In Committee

Tuesday, September 13th, 2016

For those of you watching the UK’s plunge into darkness, the Investigatory Powers Bill, as amended in committee, has been posted online.

Apologies for the light posting today, but a very large data dump released earlier today distracted me from posting. 😉

Invite Government Into The Cellphone Fish Bowl

Monday, September 12th, 2016

Long-Secret Stingray Manuals Detail How Police Can Spy On Phones by Sam Biddle.

Sam summarizes the high points from around 200 pages of current but never seen before Harris instruction manuals. Good show!

From the post:


Harris declined to comment. In a 2014 letter to the Federal Communications Commission, the company argued that if the owner’s manuals were released under the Freedom of Information Act, this would “harm Harris’s competitive interests” and “criminals and terrorist[s] would have access to information that would allow them to build countermeasures.”

Creating countermeasures?

Better, treat these documents as a basis for reverse-engineering Harris Stingrays into DIY kits.

False promises from known liars about the use of “Stingrays” or “IMSI catchers” are not going to combat government abuse of this technology.

Inviting governments to join the general public in the cellphone fish bowl might.

Can you imagine the reaction of your local sheriff, district attorney, judge, etc. when they are being silently tracked?

Not just in their routine duties but to mistresses, drug dens, prostitutes, porn parlors and the like?

We won’t have to wait long for the arrival of verifiable, secure cellphones.

Cop Stuff Catalog (dated, from 2014)

Thursday, September 1st, 2016

Introduction to Cobham Tactical Communications and Surveillance (PDF)

As a world-leader in its field, providing products and integrated surveillance solutions to law enforcement, military, national security and border patrol agencies, Cobham Tactical Communications & Surveillance offers innovative video, audio, tracking, locating, sensor, and covert surveillance solutions for government and civil agencies. (from page 2 of the PDF)

This catalog, described as “confidential” in Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police started circulating on Twitter, 1 September 2016.

The catalog is a hoot to read but if you follow the URL at the bottom of each page, www.cobham.com/tcs, you will be taken to later, public information on the same products.

More recent information I might add, as the catalog does not list the High Bandwidth Mesh – P5 (PDF), which is listed on the website.

I did not see online video concealment suggestions:

[Image: cobham-01]

So, perhaps the catalog is more useful than its date might indicate.

I understand the emphasis on U.S. police but this type of equipment is used by governments worldwide.

Counter measures and/or duplicating these capabilities so the watchers can be watched are always a good idea.

PS: The outdoor trash can looks way too clean to be plausible. Besides, there are ways to create surprises with outdoor trash cans.

“…without prior written permission…” On a Public Website? Calling BS!

Saturday, August 27th, 2016

I mentioned in Your assignment, should you choose to accept it…. that BAE Systems has been selling surveillance technology to the United Arab Emirates, the nice people behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

Since then, Joseph Cox posted: British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes.

From his post:

Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas.

Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology.

“At a time when the use of these surveillance tools is still highly controversial in the UK, it is completely unacceptable that companies are allowed to export the same equipment to countries with atrocious human rights records or which lack rule of law altogether. There is absolutely a clear risk that these products can be used for repression and abuses,” Edin Omanovic, research officer at Privacy International, told Motherboard in an email.

Joseph’s report explains the technology and gives examples of some of the sales to the worst offenders. He also includes a link to the dataset of export sales.

Joseph obtained a list of the exporters from the UK Department for International Trade. But that list is included as an image. I created this HTML list from that image:

In an attempt to seem fierce, Cellxion Ltd has this unfriendly greeting at the bottom of their public homepage:

Your IP address, [**.**.**.**], has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. Your IP address has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. (emphasis added, I obscured my IP number)

What does Dogbert say? Oh, yeah,

Cellxion, kiss my wager!

As you already know, use Tails, Tor and a VPN as you pursue these leads.

Good hunting!

Germany and France declare War on Encryption to Fight Terrorism

Friday, August 26th, 2016

Germany and France declare War on Encryption to Fight Terrorism by Mohit Kumar.

From the post:

Yet another war on Encryption!

France and Germany are asking the European Union for new laws that would require mobile messaging services to decrypt secure communications on demand and make them available to law enforcement agencies.

French and German interior ministers this week said their governments should be able to access content on encrypted services in order to fight terrorism, the Wall Street Journal reported.
(emphasis in original)

On demand decryption? For what? Rot-13 encryption?

The Franco-German text transmitted to the European Commission.

The proposal wants to extend current practices of Germany and France with regard to ISPs but doesn’t provide any details about those practices.

In case you have influence with the budget process at the EU, consider pointing out there is no, repeat no evidence that any restriction on encryption will result in better police work combating terrorism.

But then, what government has ever pushed for evidence-based policies?

Your assignment, should you choose to accept it….

Friday, August 26th, 2016

You may (may not) remember the TV show, Mission Impossible. It had a cast of regulars who formed a spy team to undertake “impossible” tasks that could not be traced back to the U.S. government.

Stories like: BAE Systems Sells Internet Surveillance Gear to United Arab Emirates make me wish for a non-nationalistic, modern equivalent of the Mission Impossible team.

You may recall the United Arab Emirates (UAE) were behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

So much for the UAE needing spyware for legitimate purposes.

From the article:


In a written statement, BAE Systems said, “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organizations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles.”

The Danish Business Authority told Andersen it found no issue approving the export license to the Ministry of the Interior of the United Arab Emirates after consulting with the Danish Ministry of Foreign Affairs, despite regulations put in place by the European Commission in October 2014 to control exports of spyware and internet surveillance equipment out of concern for human rights. The ministry told Andersen in an email it made a thorough assessment of all relevant concerns and saw no reason to deny the application.

It doesn’t sound like any sovereign government is going to restrain BAE Systems and/or the UAE.

Consequences for their mis-deeds will have to come from other quarters.

Like the TV show started every week:

Your assignment, should you choose to accept it….

Secret Cameras Recording Baltimore’s…. [Watching the Watchers?]

Wednesday, August 24th, 2016

Secret Cameras Recording Baltimore’s Every Move From Above by Monte Reel.

Unknown to the citizens of Baltimore, they have been under privately funded, plane-based video surveillance since the beginning of 2016.

The pitch to the city:

“Imagine Google Earth with TiVo capability.”

You need to read Monte’s article in full and there are names you will recognize if you watch PBS:

Last year the public radio program Radiolab featured Persistent Surveillance in a segment about the tricky balance between security and privacy. Shortly after that, McNutt got an e-mail on behalf of Texas-based philanthropists Laura and John Arnold. John is a former Enron trader whose hedge fund, Centaurus Advisors, made billions before he retired in 2012. Since then, the Arnolds have funded a variety of hot-button causes, including advocating for public pension rollbacks and charter schools. The Arnolds told McNutt that if he could find a city that would allow the company to fly for several months, they would donate the money to keep the plane in the air. McNutt had met the lieutenant in charge of Baltimore’s ground-based camera system on the trade-show circuit, and they’d become friendly. “We settled in on Baltimore because it was ready, it was willing, and it was just post-Freddie Gray,” McNutt says. The Arnolds donated the money to the Baltimore Community Foundation, a nonprofit that administers donations to a wide range of local civic causes.

I find the mention of Freddie Gray ironic, considering how truthful and forthcoming the city and its police officers were in that case.

If footage exists for some future Freddie Gray-like case, you can rest assured the relevant camera failed, the daily data output failed, a Rose Mary Woods erasure accident happened, etc.

From Monte’s report, we aren’t at facial recognition, yet, assuming his sources were being truthful. But we all know that’s coming, if not already present.

Many will call for regulation of this latest intrusion into your privacy, but regulation depends upon truthful data upon which to judge compliance. The routine absence of truthful data about police activities, both digital and non-digital, makes regulation difficult to say the least.

In the absence of truthful police data, it is incumbent upon citizens to fill that gap, both for effective regulation of police surveillance and for the regulation of police conduct.

The need for an ad-hoc citizen-based surveillance system is clear.

What isn’t clear is how such a system would evolve?

Perhaps a server that stitches together cellphone video based on GPS coordinates and orientation? From multiple cellphones? Everyone can contribute X seconds of video from any given location?

Would not be seamless but if we all target known police officers and public officials…, who knows how complete a record could be developed?

Crowdsourced-Citizen-Surveillance anyone?
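The core of the server sketched above is a query: which clips could possibly show a given spot at a given second? Here is an added illustration of that query, not code from any existing project. It assumes each uploaded clip carries the phone's GPS fix, compass heading, the camera's horizontal field of view and its recording interval; a clip "covers" a target if the target is within range, inside the field of view and the clip was recording at that moment. The coordinates, headings, times and range limit below are constructed for the example.

```python
"""Which citizen clips could show a given spot at a given time?

Added illustration of the GPS-plus-orientation indexing idea; not code from
an existing project. Clip metadata and the scene below are constructed.
"""
import math
from dataclasses import dataclass

EARTH_R = 6371000.0


@dataclass(frozen=True)
class Clip:
    clip_id: str
    lat: float
    lon: float
    heading_deg: float   # direction the camera pointed: 0 = north, 90 = east
    fov_deg: float       # horizontal field of view (phone cameras roughly 60-75)
    start: float         # recording start, unix seconds
    end: float           # recording end


def _local_xy(lat1, lon1, lat2, lon2):
    """East/north offsets in metres from point 1 to point 2 (equirectangular; fine at street scale)."""
    mean_lat = math.radians((lat1 + lat2) / 2)
    dx = math.radians(lon2 - lon1) * math.cos(mean_lat) * EARTH_R
    dy = math.radians(lat2 - lat1) * EARTH_R
    return dx, dy


def distance_m(lat1, lon1, lat2, lon2):
    return math.hypot(*_local_xy(lat1, lon1, lat2, lon2))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Compass bearing from point 1 to point 2, 0..360."""
    dx, dy = _local_xy(lat1, lon1, lat2, lon2)
    return math.degrees(math.atan2(dx, dy)) % 360


def angle_diff(a, b):
    """Smallest difference between two compass angles, in degrees."""
    return abs((a - b + 180) % 360 - 180)


def covers(clip, lat, lon, t, max_range_m=60.0):
    """True if clip was recording at t with (lat, lon) in range and inside its field of view."""
    if not (clip.start <= t <= clip.end):
        return False
    if distance_m(clip.lat, clip.lon, lat, lon) > max_range_m:
        return False
    target_bearing = bearing_deg(clip.lat, clip.lon, lat, lon)
    return angle_diff(target_bearing, clip.heading_deg) <= clip.fov_deg / 2


def clips_covering(clips, lat, lon, t_start, t_end, step=1.0):
    """Map clip id -> the seconds in [t_start, t_end] at which it covers the target."""
    hits = {}
    for clip in clips:
        t = t_start
        while t <= t_end:
            if covers(clip, lat, lon, t):
                hits.setdefault(clip.clip_id, []).append(t)
            t += step
    return hits


# Constructed scene: an incident at TARGET and four phones nearby.
TARGET = (39.2904, -76.6122)
CLIPS = [
    Clip("A", 39.29013, -76.6122, heading_deg=0, fov_deg=70, start=100, end=130),    # ~30 m south, facing north
    Clip("B", 39.29013, -76.6122, heading_deg=180, fov_deg=70, start=100, end=130),  # same spot, facing away
    Clip("C", 39.2904, -76.6064, heading_deg=270, fov_deg=70, start=100, end=130),   # ~500 m east, out of range
    Clip("D", 39.29013, -76.6122, heading_deg=0, fov_deg=70, start=200, end=230),    # right view, wrong time
]


def demo():
    """Clips that could show TARGET between t=110 and t=115."""
    return clips_covering(CLIPS, *TARGET, t_start=110, t_end=115)


if __name__ == "__main__":
    for clip_id, seconds in demo().items():
        print(f"clip {clip_id} covers the target for {len(seconds)} s")
```

Only clip A is returned: B points the wrong way, C is too far and D was not recording at the time. A real index would replace the linear scan with a spatial index and would need to treat phone compass headings as noisy (tens of degrees off is common), so a generous field of view and a human review step are part of the design, not optional.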

Tor 0.2.8.7 is released, with important fixes

Wednesday, August 24th, 2016

Tor 0.2.8.7 is released, with important fixes

From the post:

Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses option in 0.2.8.6, and replaces a retiring bridge authority. Everyone who sets the ReachableAddresses option, and all bridges, are strongly encouraged to upgrade.

You can download the source from the Tor website. Packages should be available over the next week or so.

For some reason, a link to the Tor website was omitted.

Upgrade and surf somewhat more securely. (Security never being absolute.)

Defame the French Police Today!

Wednesday, August 24th, 2016

Nice Officials Say They’ll Sue Internet Users Who Share Photos Of French Fashion Police Fining Women In Burkinis by Mike Masnick.

From the post:

This seems pretty ridiculous on all sorts of levels, but never think things are so ridiculous that some politicians can’t make them worse. Guillaume Champeau from the excellent French site Numerama alerts me to the news that the deputy mayor of Nice, Christian Estrosi is threatening to sue those who share these images over social media. Yup, France, a country that claims to pride itself on freedom is not just telling women that they can’t cover themselves up too much on the beach, but that it’s also illegal to report on the police following through on that. Here’s is the awkward Google translation of the French report:

Christian Estrosi … has published a press release by the city of Nice, to announce that he would file a complaint against those who would broadcast pictures of municipal police verbalize women guilty of exercising what they believed to be their freedom to dress from head to feet on the beaches.

” Photos showing municipal police of Nice in the exercise of their functions have been circulating this morning on social networks and raise defamation and threats against these agents ,” the statement said.

Wait. Showing accurate photos creates defamation against the police? How’s that work? Estrosi apparently says that legal actions have already been filed, though Numerama was unable to confirm any legal actions as yet. The article also notes that despite Estrosi implying otherwise, police do not have any sort of special protections that say they cannot be photographed while in public.

It’s not clear if you have to take the picture or merely share the picture.

Just in case sharing is enough, here is the picture from Mike’s post:

[Image: nice-burkini-01]

There are a number of variations on this image. I suppose all of them count as far as “defamation” of the police.

If reposting isn’t sufficient to defame the French police enforcing the burkini ban, please consider this post an active request for images of French police enforcing that ban.

What is a Stingray?

Monday, August 22nd, 2016

Pitched at an adult Sunday School level, which makes this perfect for informing the wider public about government surveillance issues.

Share this video far and wide!

For viewers who want more detail, direct them to: How IMSI Catchers Work by Jason Hernandez.

Every group has a persecution story so tie present day government surveillance to “…what if (historical) X had surveillance…” to drive your point home.

Report of the Bulk Powers Review

Friday, August 19th, 2016

Report of the Bulk Powers Review (PDF) by David Anderson Q.C. Independent Reviewer of Terrorism Legislation. (Web version)

From its webpage:

This report includes the findings of the independent review of the operational case for bulk powers, which will inform scrutiny of the Investigatory Powers Bill.

If you find yourself dissatisfied with the sound-bite and excerpt commentaries on this report, you may find the full two hundred and three (203) page version more to your liking. At least in terms of completeness.

I have glanced at the conclusions but will refrain from commenting until reading the report in full. It is possible that Anderson will persuade me to change my initial impressions, although I concede that is highly unlikely.

How To Detect and Find Rogue Cell Towers

Wednesday, August 10th, 2016

How To Detect and Find Rogue Cell Towers by Brian Benchoff

Great promise but less than great delivery. Detection rig is described in general terms, but so general that replication would be quite time consuming.

A generally available solution to detect rogue cell towers has yet to appear.

When they do, will this sign be useful?:

[Image: No_cellphone.svg]

What about custom balloons with that logo?

Think of detection and warning of rogue cell towers as a civic duty.

Telephone Metadata Can Reveal Surprisingly Sensitive Personal Information

Wednesday, August 3rd, 2016

Stanford computer scientists show telephone metadata can reveal surprisingly sensitive personal information by Bjorn Carey.

The intelligence community assertion that telephone metadata only enables “connecting the dots,” has been confirmed to be a lie.

From the post:

Most people might not give telephone metadata – the numbers you dial, the length of your calls – a second thought. Some government officials probably view it as similarly trivial, which is why this information can be obtained without a warrant.

But a new analysis by Stanford computer scientists shows that it is possible to identify a person’s private information – such as health details – from metadata alone. Additionally, following metadata “hops” from one person’s communications can involve thousands of other people.

The researchers set out to fill knowledge gaps within the National Security Agency’s current phone metadata program, which has drawn conflicting assertions about its privacy impacts. The law currently treats call content and metadata separately and makes it easier for government agencies to obtain metadata, in part because it assumes that it shouldn’t be possible to infer specific sensitive details about people based on metadata alone.

The findings, reported today in the Proceedings of the National Academy of Sciences, provide the first empirical data on the privacy properties of telephone metadata. Preliminary versions of the work, previously made available online, have already played a role in federal surveillance policy and have been cited in litigation filings and letters to legislators in both the United States and abroad. The final work could be used to help make more informed policy decisions about government surveillance and consumer data privacy.

The computer scientists built a smartphone application that retrieved the previous call and text message metadata – the numbers, times and lengths of communications – from more than 800 volunteers’ smartphone logs. In total, participants provided records of more than 250,000 calls and 1.2 million texts. The researchers then used a combination of inexpensive automated and manual processes to illustrate both the extent of the reach – how many people would be involved in a scan of a single person – and the level of sensitive information that can be gleaned about each user.

From a small selection of the users, the Stanford researchers were able to infer, for instance, that a person who placed several calls to a cardiologist, a local drugstore and a cardiac arrhythmia monitoring device hotline likely suffers from cardiac arrhythmia. Another study participant likely owns an AR semiautomatic rifle, based on frequent calls to a local firearms dealer that prominently advertises AR semiautomatic rifles and to the customer support hotline of a major firearm manufacturer that produces these rifles.

One of the government’s justifications for allowing law enforcement and national security agencies to access metadata without warrants is the underlying belief that it’s not sensitive information. This work shows that assumption is not true.

See Carey’s post for the layperson’s explanation of the Stanford findings or dive into Evaluating the privacy properties of telephone metadata by Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, for more detailed analysis. (Thankfully open access.)
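The two inferences quoted above (the cardiac patient, the rifle owner) and the "hops" reach are easy to reproduce on toy data. The following is an added illustration, not the Stanford team's code or data: the call records, the number directory and the inference rules are constructed. In practice the directory comes from reverse-lookup services and business listings, which is the "inexpensive automated and manual" step the study describes.

```python
"""Inference from call metadata. Added illustration; records, directory and
rules are constructed, not the Stanford study's data."""
from collections import deque

# (caller, callee, duration_seconds): constructed call detail records
CALLS = [
    ("+15550001", "+15551001", 240),   # subject -> cardiology clinic
    ("+15550001", "+15551001", 180),
    ("+15550001", "+15551002", 60),    # subject -> drugstore
    ("+15550001", "+15551003", 300),   # subject -> arrhythmia monitor hotline
    ("+15550001", "+15550002", 600),   # subject -> a friend
    ("+15550002", "+15552001", 120),   # friend's own contacts
    ("+15550002", "+15552002", 90),
    ("+15550003", "+15551004", 200),   # second subject -> firearms dealer
    ("+15550003", "+15551005", 400),   # second subject -> manufacturer support line
]

# Reverse-lookup results for known business numbers. Constructed.
DIRECTORY = {
    "+15551001": "cardiology clinic",
    "+15551002": "drugstore",
    "+15551003": "arrhythmia monitor hotline",
    "+15551004": "firearms dealer",
    "+15551005": "firearm manufacturer support",
}

# A sensitive attribute is inferred when a subject contacts enough of the
# line types that characterise it. Constructed rules.
RULES = {
    "cardiac arrhythmia patient": {"cardiology clinic", "drugstore", "arrhythmia monitor hotline"},
    "firearm owner": {"firearms dealer", "firearm manufacturer support"},
}


def contacts(calls, number):
    """Counterparties of a number, regardless of who placed the call."""
    out = set()
    for a, b, _ in calls:
        if a == number:
            out.add(b)
        elif b == number:
            out.add(a)
    return out


def reach(calls, seed, hops):
    """Numbers swept in by an n-hop scan starting from seed (seed itself excluded)."""
    seen = {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        num, depth = frontier.popleft()
        if depth == hops:
            continue
        for c in contacts(calls, num):
            if c not in seen:
                seen.add(c)
                frontier.append((c, depth + 1))
    seen.discard(seed)
    return seen


def infer(calls, number, min_fraction=0.66):
    """Sensitive attributes supported by the line types a number has contacted.

    Returns {attribute: fraction of the rule's line types observed}.
    """
    labels = {DIRECTORY[c] for c in contacts(calls, number) if c in DIRECTORY}
    found = {}
    for attr, needed in RULES.items():
        frac = len(labels & needed) / len(needed)
        if frac >= min_fraction:
            found[attr] = frac
    return found


if __name__ == "__main__":
    for subject in ("+15550001", "+15550003"):
        print(subject, infer(CALLS, subject), "2-hop reach:", len(reach(CALLS, subject, 2)))
```

Nothing here uses call content: numbers, directions and counts are enough to label one subject a cardiac patient and another a firearm owner, and a two-hop scan from the first subject already pulls in the friend's unrelated contacts. Scale the directory up to a national business listing and the "not sensitive" claim for metadata does not survive.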

Would law enforcement and national security agencies think telephone metadata is not sensitive if hackers were obtaining it from telecommunication companies and/or from the electromagnetic field where communication signals are found?

If you were interested only in law enforcement, national security agencies and governments, that is a much smaller set of data to track and process.

Sounds like a business opportunity, depending on what country, their degree of technology, market conditions for pro/anti government data.

U.S. government satellites collect such data but it is shared (or not) for odd and obscure reasons.

I’m thinking more along the lines of commercial transactions between willing sellers and buyers.

Think of it as a Rent-An-NSA type venture. Customers don’t want or need 24×7 rivals for power. Properly organized, they could buy as much or as little intelligence as they need. Exclusive access to some intelligence would be a premium product.

The Right to be Forgotten in the Media: A Data-Driven Study

Wednesday, July 27th, 2016

The Right to be Forgotten in the Media: A Data-Driven Study.

Abstract:

Due to the recent “Right to be Forgotten” (RTBF) ruling, for queries about an individual, Google and other search engines now delist links to web pages that contain “inadequate, irrelevant or no longer relevant, or excessive” information about that individual. In this paper we take a data-driven approach to study the RTBF in the traditional media outlets, its consequences, and its susceptibility to inference attacks. First, we do a content analysis on 283 known delisted UK media pages, using both manual investigation and Latent Dirichlet Allocation (LDA). We find that the strongest topic themes are violent crime, road accidents, drugs, murder, prostitution, financial misconduct, and sexual assault. Informed by this content analysis, we then show how a third party can discover delisted URLs along with the requesters’ names, thereby putting the efficacy of the RTBF for delisted media links in question. As a proof of concept, we perform an experiment that discovers two previously-unknown delisted URLs and their corresponding requesters. We also determine 80 requesters for the 283 known delisted media pages, and examine whether they suffer from the “Streisand effect,” a phenomenon whereby an attempt to hide a piece of information has the unintended consequence of publicizing the information more widely. To measure the presence (or lack of presence) of a Streisand effect, we develop novel metrics and methodology based on Google Trends and Twitter data. Finally, we carry out a demographic analysis of the 80 known requesters. We hope the results and observations in this paper can inform lawmakers as they refine RTBF laws in the future.

Not collecting data prior to laws and policies seems to be a trademark of the legislative process.

Otherwise, the “Right to be Forgotten” (RTBF) nonsense that only impacts searching and then only in particular ways could have been avoided.

The article does helpfully outline how a third party can discover delistings. Its study set is 283 known delisted UK media links, and the proof-of-concept turned up two more that were previously unknown.

Seriously? Considering that Facebook has 1 Billion+ users, much ink and electrons are being spilled over a minimum of 283 delisted links?

It’s time for the EU to stop looking for mites and mole hills to attack.

Especially since they are likely to resort to outright censorship as their next move.

That always ends badly.

Gasp! “The Jihadists’ Digital Toolbox:…”

Tuesday, July 26th, 2016

The Jihadists’ Digital Toolbox: How ISIS Keeps Quiet on the Web by Jett Goldsmith.

From the post:

As the world dives deeper into the digital age, jihadist groups like ISIS and the Taliban have taken increasingly diverse measures to secure their communications and espouse their actions and ideas across the planet.

Propaganda has been a key measure of any jihadist group’s legitimacy since at least 2001, when al-Qaeda operative Adam Yahiye Gadahn established the media house As-Sahab, which was intended to spread the group’s message to a regional audience throughout Pakistan and Afghanistan.

Over the years, jihadist propaganda has taken a broader and more sophisticated tone. Al-Qaeda published the first issue of its digital newsmagazine, Inspire, in June of 2010. Inspire was aimed at an explicitly Western audience, and intended to call to jihad the would-be mujahideen throughout Europe and the United States.

When ISIS first took hold in Iraq and Syria, and formally declared its caliphate in the summer of 2014, the group capitalized on the groundwork laid by its predecessors and established an expansive, highly sophisticated media network to espouse its ideology. The group established local wilayat (provincial) media hubs, and members of its civil service distributed weekly newsletters, pamphlets, and magazines to citizens living under its caliphate. Billboards were posted in major cities under its control, including in Raqqah and Mosul; FM band radio broadcasts across 13 of its provinces were set up to deliver a variety of content, from fatwas and sharia lessons to daily news, poetry, and nasheeds; and Al-Hayat Media Center distributed its digital newsmagazine, Dabiq, in over a dozen languages to followers across the world.

Jett covers:

  • Secure Browsers
  • Proxy Servers and VPNs
  • Propaganda Apps (read cellphone apps)
  • Encrypted Email
  • Mobile Privacy Apps
  • Encrypted Messages

That Jihadists or anyone else are using these tools may be a surprise to some Fortune or Economist readers, but every conscious person associated with IT can probably name one or more instances for each category.

I’m sure some Jihadists drive cars, ride hoverboards, or bicycles, but dramatic recitations on those don’t advance a discussion of Jihadists or their goals.

Privacy software is a fact of life in all walks and levels of a digital environment.

Crying “Look! Over there! Someone might be doing something we don’t like!” isn’t going to lead to any useful answers, to anything. Including Jihadists.

1960’s Flashback: Important Tor Nodes Shutting Down

Tuesday, July 19th, 2016

Swati Khandelwal reports the departure of Lucky Green from the Tor project will result in the loss of several critical Tor nodes and require an update to Tor code. (Core Tor Contributor Leaves Project; Shutting Down Important Tor Nodes)

Here’s the Tonga (Bridge Authority) Permanent Shutdown Notice in full:

Dear friends,

Given recent events, it is no longer appropriate for me to materially contribute to the Tor Project either financially, as I have so generously throughout the years, or by providing computing resources. This decision does not come lightly; I probably ran one of the first five nodes in the system and my involvement with Tor predates it being called “Tor” by many years.

Nonetheless, I feel that I have no reasonable choice left within the bounds of ethics, but to announce the discontinuation of all Tor-related services hosted on every system under my control.

Most notably, this includes the Tor node “Tonga”, the “Bridge Authority”, which I recognize is rather pivotal to the network

Tonga will be permanently shut down and all associated cryptographic keys destroyed on 2016-08-31. This should give the Tor developers ample time to stand up a substitute. I will terminate the cron job we set up so many years ago at that time that copies over the descriptors.

In addition to Tonga, I will shut down a number of fast Tor relays, but the directory authorities should detect that shutdown quickly and no separate notice is needed here.

I wish the Tor Project nothing but the best moving forward through those difficult times,

–Lucky

As I mentioned in Going Dark With Whisper? Allies versus Soul-Mates it is having requirements other than success of a project that is so damaging to such efforts.

I could discover that IS is using the CIA to funnel money from the sales of drugs and conflict diamonds to fund the Tor project and it would not make any difference to me. Even if core members of the Tor project knew that and took steps to conceal it.

Whether intended or not, the only people who will benefit from Lucky’s decision will be opponents of personal privacy and the only losers will be people who need personal privacy.

Congratulations Lucky! You are duplicating a pattern of behavior that destroyed the Black Panthers, the SDS and a host of other groups and movements before and since then.

Let’s hope others don’t imitate Lucky’s “I’ll take my ball and go home” behavior.

Securing A Travel iPhone

Tuesday, July 5th, 2016

Securing A Travel iPhone by Filippo Valsorda.

From the post:

These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order.

I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus convenience.

Don’t use anything older than an iPhone 5S, it wouldn’t have the TPM.

Needless to say, use long unique passwords everywhere.

There are more than forty (40) tasks/sub-tasks to securing a travel iPhone so you best start well ahead of time.

No security is perfect but if you follow this guide, you will be more secure than the vast majority of travelers.

Breaking Honeypots For Fun And Profit – Detecting Deception

Monday, July 4th, 2016

by Dean Sysman & Gadi Evron & Itamar Sher

The description:

We will detect, bypass, and abuse honeypot technologies and solutions, turning them against the defender. We will also release a global map of honeypot deployments, honeypot detection vulnerabilities, and supporting code.

The concept of a honeypot is strong, but the way honeypots are implemented is inherently weak, enabling an attacker to easily detect and bypass them, as well as make use of them for his own purposes. Our methods are analyzing the network protocol completeness and operating system software implementation completeness, and vulnerable code.

As a case study, we will concentrate on platforms deployed in real organizational networks, mapping them globally, and demonstrating how it is possible to both bypass and use these honeypots to the attacker’s advantage.

The slides for the presentation.

This presentation addresses the question of detecting (identifying) a deception.

Detection of the following honeypots discussed:

Artillery: https://github.com/BinaryDefense/artillery (Updated URL)

BearTrap: https://github.com/chrisbdaemon/BearTrap

honeyd: http://www.honeyd.org

Dionaea: http://dionaea.carnivore.it/ (timed out on July 4, 2016)

Glastopf: http://glastopf.org/

Kippo: https://github.com/desaster/kippo

KFSensor: http://www.keyfocus.net/kfsensor/

Nova: https://github.com/DataSoft/Nova
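The “protocol completeness” check the talk describes comes down to taking a real step of the protocol and seeing whether the peer can follow. Here is an added example of that idea for SSH (my code, not the presenters’ released tooling): the probe reads the server’s identification string, sends its own, and then checks whether what comes back parses as an RFC 4253 binary packet whose first payload byte is SSH_MSG_KEXINIT (20). A decoy that only presents a banner fails at that point. The two localhost servers at the bottom are constructed stand-ins so the probe can be run offline; the `OpenSSH_7.4` banner, the `ProbeClient` identifier and the algorithm names in the fake KEXINIT are assumptions for the demo, and nothing here claims any particular named honeypot fails this specific check. Honeypots that implement the full transport layer will pass it and need deeper probes (unusual message ordering, malformed packets, timing).

```python
import socket
import struct
import threading

# RFC 4253: identification strings first, then a binary packet whose first
# payload byte is SSH_MSG_KEXINIT. A banner-only decoy never gets that far.
SSH_MSG_KEXINIT = 20
CLIENT_ID = b"SSH-2.0-ProbeClient_0.1\r\n"  # hypothetical probe identifier


def _recv_exact(sock, n):
    """Read exactly n bytes, or None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def _recv_line(sock, limit=255):
    """Read one line; RFC 4253 caps the identification string at 255 bytes."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        c = sock.recv(1)
        if not c:
            break
        buf += c
    return buf.rstrip(b"\r\n")


def probe_ssh(host, port, timeout=3.0):
    """Take one real protocol step and report whether the peer keeps going."""
    result = {"banner": None, "kexinit": False, "reason": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["banner"] = _recv_line(s).decode("ascii", "replace")
            if not result["banner"].startswith("SSH-"):
                result["reason"] = "no SSH identification string"
                return result
            s.sendall(CLIENT_ID)
            hdr = _recv_exact(s, 5)  # uint32 packet_length, byte padding_length
            if hdr is None:
                result["reason"] = "closed after banner"
                return result
            packet_len, padding_len = struct.unpack("!IB", hdr)
            payload_len = packet_len - padding_len - 1
            if packet_len > 35000 or payload_len < 1:  # RFC 4253 section 6.1 bound
                result["reason"] = "bytes after banner are not an SSH packet"
                return result
            payload = _recv_exact(s, payload_len)
            if payload is None:
                result["reason"] = "truncated packet"
                return result
            result["kexinit"] = payload[0] == SSH_MSG_KEXINIT
            result["reason"] = ("key exchange started" if result["kexinit"]
                                else "unexpected first message %d" % payload[0])
    except OSError as exc:
        result["reason"] = "network error: %s" % exc
    return result


def looks_shallow(result):
    """Banner present but no key exchange: the transport layer is incomplete."""
    return result["banner"] is not None and not result["kexinit"]


# --- constructed stand-ins so the probe can be exercised offline ----------
def _packet(payload):
    """Frame payload as an unencrypted SSH binary packet (8-byte blocks)."""
    pad = 8 - ((len(payload) + 5) % 8)
    pad += 8 if pad < 4 else 0
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack("!I", len(body)) + body


def _name_list(*names):
    s = ",".join(names).encode()
    return struct.pack("!I", len(s)) + s


def _kexinit():
    """Minimal well-formed KEXINIT: cookie, ten name-lists, bool, reserved."""
    return (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
            + _name_list("curve25519-sha256") + _name_list("ssh-ed25519")
            + _name_list("aes128-ctr") * 2 + _name_list("hmac-sha2-256") * 2
            + _name_list("none") * 2 + _name_list() * 2
            + b"\x00" + b"\x00\x00\x00\x00")


def serve_once(handler):
    """Run handler(conn) for one connection on a free localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def complete_server(conn):
    """Behaves like a full implementation: banner, read ours, start KEX."""
    conn.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")
    _recv_line(conn)
    conn.sendall(_packet(_kexinit()))


def banner_only_server(conn):
    """Constructed shallow decoy: same banner, then nothing at all."""
    conn.sendall(b"SSH-2.0-OpenSSH_7.4\r\n")
    _recv_line(conn)
```

Run `probe_ssh("127.0.0.1", serve_once(banner_only_server))` and `probe_ssh("127.0.0.1", serve_once(complete_server))` to see the two verdicts side by side. The design point is that the probe sends only what a legitimate client sends, so it does not trip the kind of signature a defender would write for a scanner; the differentiator is the server’s behaviour, not ours.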

The talk argued that identifying an attack only gets that attack blocked by defensive code, whereas identifying the attacker can have consequences for the whole operation behind the attack.

Combining an IP address along with other dimensions of identification, say with a topic map, could prove to be a means of sharpening the consequences for attackers.

Of course, I am assuming that at least within an agency, agents share data/insights towards a common objective. That may not be the case in your agency.

While looking for other resources on honeypots, I did find Collection of Awesome Honeypots, dating from December of 2015.

Thomas Jefferson (Too Early For Tor – TEFT)

Monday, July 4th, 2016

Official Presidential portrait of Thomas Jefferson (by Rembrandt Peale, 1800)

Thomas Jefferson lived centuries before the internet and the rise of Tor but he is easy to see as a Tor user.

He was the author of the Declaration of Independence, which, if you read the details, is a highly offensive document:


He has affected to render the Military independent of and superior to the Civil Power.

He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For quartering large bodies of armed troops among us:

For protecting them, by a mock Trial from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us in many cases, of the benefit of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation, and tyranny, already begun with circumstances of Cruelty & Perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

Update the language of “For transporting us beyond Seas to be tried for pretended offences” to “Transporting people to Guantanamo Bay prison for unlawful detention” and you have a good example of what FBI wants discussed in clear text.

Make no mistake, the FBI of today, working for George III, would have arrested Thomas Jefferson if it caught wind of the Declaration of Independence. At that time, Jefferson was not the towering figure of liberty that he is today. Then he was the opponent of a nation-state.

Jefferson was too early for Tor but he is the type of person that Tor protects.

Do you want to be on the side of George III or Jefferson in history?

Support Tor!

Secret FBI National Security Letter (NSL) Attacks on Reporters – Safe Leaking?

Thursday, June 30th, 2016

Secret Rules Make It Pretty Easy For The FBI To Spy On Journalists by Cora Currier.

For those of us who suffer from reflexive American exceptionalism, that press censorship happens “over there,” Cora’s story is a sobering read.

From the post:

Secret FBI rules allow agents to obtain journalists’ phone records with approval from two internal officials — far less oversight than under normal judicial procedures.

The classified rules, obtained by The Intercept and dating from 2013, govern the FBI’s use of National Security Letters, which allow the bureau to obtain information about journalists’ calls without going to a judge or informing the news organization being targeted. They have previously been released only in heavily redacted form.

Media advocates said the documents show that the FBI imposes few constraints on itself when it bypasses the requirement to go to court and obtain subpoenas or search warrants before accessing journalists’ information.

Cora goes on to point out that the FBI issued nearly 13,000 NSLs in 2015.

After great coverage on the FBI and its use of NSLs, Cora concludes:


For Brown, of the Reporters Committee, the disclosure of the rules “only confirms that we need information about the actual frequency and context of NSL practice relating to newsgathering and journalists’ records to assess the effectiveness of the new guidelines.”

That’s the root of the problem isn’t it?

Lack of information on how NSLs are being used against journalists in fact.

Care to comment on the odds of getting an accurate accounting of the FBI’s war on journalists from the FBI?

No? I thought not.

So how can that data be gathered?

Question for discussion (NOT legal advice)

In 2005, the non-disclosure requirements for NSLs were modified to read:

18 U.S. Code § 2709 – Counterintelligence access to telephone toll and transactional records

(2) Exception.—

(A)In general.—A wire or electronic communication service provider that receives a request under subsection (b), or officer, employee, or agent thereof, may disclose information otherwise subject to any applicable nondisclosure requirement to—

(i) those persons to whom disclosure is necessary in order to comply with the request;

(ii) an attorney in order to obtain legal advice or assistance regarding the request; or

(iii) other persons as permitted by the Director of the Federal Bureau of Investigation or the designee of the Director.

Each person in the chain of disclosure has to be advised of the requirement to keep the NSL secret.

Unless the law has changed more radically than I imagine, the burden of proving a criminal offense still rests with the government.

If I am served with an NSL and I employ one or more attorneys, who have assistants working on my case, and the NSL is leaked to a public site, it remains the government’s burden to prove who leaked the NSL.

The government cannot force the innocent in the chain of disclosure to exculpate themselves and leave only the guilty party to face justice. The innocent can remain mute, as is the privilege of every criminal defendant.

Is that a fair statement?

If so, how many brave defendants are necessary in the chain of disclosure per NSL?

As Jan says in Tweeter and the Monkey Man:

“It was you to me who taught
In Jersey anything’s legal, as long as you don’t get caught”

If that sounds anarchistic, remember the government chose to abandon the Constitution, first. If it wants respect for law, it should respect the Constitution.

World-Check Database Leak Teaser

Thursday, June 30th, 2016

Chris Vickery posted to Reddit: Terrorism Blacklist: I have a copy. Should it be shared?, which reads in part as follows:

…A few years ago, Thomson Reuters purchased a company for $530 million. Part of this deal included a global database of “heightened-risk individuals” called World-Check that Thomson Reuters maintains to this day. According to Vice.com, World-Check is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current-day version of the database contains, among other categories, a blacklist of 93,000 individuals suspected of having ties to terrorism.

I have obtained a copy of the World-Check database from mid-2014.

No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.

This copy has over 2.2 million heightened-risk individuals and organizations in it. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.

I am posting this message in order to ask, “Should I release this database to the world?”. I want your opinion.

Yeah, right.

Chris’s question: “Should I release this database to the world?,” was moot from the outset.

This is pandering for attention at its very worst.

Chris could have put all of us on par with $1 million subscribers to the World-Check database but chose attention for himself instead.

There are only three sources of data:

  • Clients – Confidential until the client says release it, even in the face of government pressure (just good professional ethics).
  • Contract – Limited by the terms you agreed to for access. If you don’t want to agree to the terms, find another means of access. (falls under the “don’t lie” principle, governments do enough of that for all of us)
  • Other – Should be shared as widely and often as possible.

The World-Check database clearly falls under “other” and should have been shared as widely as possible.

Thomson Reuters and similar entities survive not because of merit or performance, but because people like Chris compensate for their organizational and technical failures. The public interest is not being served by preservation of a less than stellar status quo.

Not to mention leaking the list would create marketing opportunities. The criminal defense bar comes to mind.

Don’t tease, leak!

How Secure Are Emoji Ciphers?

Wednesday, June 29th, 2016

You Can Now Turn Messages Into Secret Code Using Emoji by Joon Ian Wong.

From the post:

Emoji are developing into their own language, albeit a sometimes impenetrable one. But they are about to become truly impenetrable. A new app from the Mozilla Foundation lets you use them for encryption.

The free web app, called Codemoji, lets users write a message in plain-text, then select an emoji “key” to mask the letters in that message with a series of emoji. To decrypt a message, the correct key must be entered in the app, turning emoji back into the alphabet.

Caesar ciphers (think letter substitution) are said to be “easy” to solve with modern computers.

Which is true, but the security of an Emoji cipher depends on how long the information must remain secret.

For example, you discover a smart phone at 11:00 AM (your local) and it has the following message:

Detonate at 12:15 P.M. (your local)

but that message is written in Emoji using the angry face as the key:

[image: the message above encoded as a string of emoji]

That Emoji coded message is as secure as a message encoded with the best the NSA can provide.

Why?

Even if you could read the message immediately, the detonation time (assuming it means today) is only 75 minutes away. Explosions are public events, and knowing in hindsight that you had captured the timing message but broke the code too late isn’t all that useful.

The “value” of that message being kept secret expires at the same time as the explosion.
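To put numbers on “easy to solve” versus “expires anyway,” here is an added example (my code, not Mozilla’s Codemoji) of a Caesar-style emoji cipher and the attack on it, in Python. Codemoji’s real emoji table is not on the page, so the 26-glyph alphabet, the rule that the key emoji’s position selects the shift, and the small list of common words used to score candidate plaintexts are all assumptions for the demo; the message is constructed. The break tries all 26 keys, which is the whole key space:

```python
import time

# Constructed alphabet: 26 consecutive emoji (U+1F600..U+1F619), one per letter.
EMOJI = [chr(0x1F600 + i) for i in range(26)]
LETTERS = "abcdefghijklmnopqrstuvwxyz"

# Tiny word list used to recognise English in a candidate plaintext; a letter
# frequency table works just as well for longer messages.
COMMON_WORDS = {"the", "at", "and", "to", "of", "in", "is", "it",
                "not", "do", "then", "time", "on", "for", "be"}


def encrypt(plaintext, key_emoji):
    """Shift each letter by the key emoji's position, then render as emoji."""
    shift = EMOJI.index(key_emoji)
    out = []
    for ch in plaintext.lower():
        if ch in LETTERS:
            out.append(EMOJI[(LETTERS.index(ch) + shift) % 26])
        else:
            out.append(ch)  # digits, spaces and punctuation pass through
    return "".join(out)


def decrypt(ciphertext, key_emoji):
    shift = EMOJI.index(key_emoji)
    out = []
    for ch in ciphertext:
        if ch in EMOJI:
            out.append(LETTERS[(EMOJI.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """How many whitespace-separated tokens are common English words."""
    return sum(1 for tok in text.split() if tok.strip(".,:;!?") in COMMON_WORDS)


def break_cipher(ciphertext):
    """Brute force all 26 keys; return (key, plaintext, seconds_taken)."""
    start = time.perf_counter()
    best_key = max(EMOJI, key=lambda k: english_score(decrypt(ciphertext, k)))
    return best_key, decrypt(ciphertext, best_key), time.perf_counter() - start


if __name__ == "__main__":
    message = "detonate at 12:15 local time then leave the area and do not return"
    key = EMOJI[3]
    ct = encrypt(message, key)
    print(ct)
    found_key, pt, secs = break_cipher(ct)
    print("recovered:", pt, "in %.6f s" % secs)
    print("secrecy window (75 min) outlives the attack:", secs < 75 * 60)
```

The break finishes in well under a millisecond, so against a 75-minute secrecy window the cipher is not doing any work at all; what protects the message in the scenario above is that nobody was looking at the phone until 11:00. That is the distinction worth carrying into your own requirements: “resists attack for the lifetime of the secret” is the requirement, and for most secrets that lifetime is years, not minutes.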

In addition to learning more about encryption, use Codemoji as a tool for thinking about your encryption requirements.

Some (conflicting) requirements: Ease of use, resistance to attack (how to keep the secret), volume of use, hardware/software requirements, etc.

Everyone would like to have brain-dead easy to use, impervious to even alien-origin quantum computers, scales linearly and runs on an Apple Watch.

Not even the NSA is rumored to have such a system. Become informed so you can make informed compromises.

Slouching Towards Total Surveillance – Investigatory Powers Bill Update

Wednesday, June 29th, 2016

Investigatory Powers Bill 2015-16 to 2016-17.

Bill Summary:

A Bill to make provision about the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information; to make provision about the treatment of material held as a result of such interception, equipment interference or acquisition or retention; to establish the Investigatory Powers Commissioner and other Judicial Commissioners and make provision about them and other oversight arrangements; to make further provision about investigatory powers and national security; to amend sections 3 and 5 of the Intelligence Services Act 1994; and for connected purposes.

Whatever criticisms you may have of the UK Parliament, you must admit its delivery of legislative information is quite nice.

Via email today I received notice of “sitting” and “provisional sitting” on the Investigatory Powers Bill. A quick check of their glossary reveals that “sitting” is another term for committee meeting.

The first “sitting” or committee meeting on this bill will be 11.07.2016.

A process described on the homepage of this bill as:

Committee stage – line by line examination of the Bill – is scheduled to begin on 11 July.

Considering its progress so far, I’m not expecting “line by line examination” to impede its progress.

Still, it’s not, yet, a law so delay, diversion, dilution, remain possibilities.

The privacy you protect could well be your own.