Monday, April 21, 2014

Russia's surveillance state

The autumn 2013 issue of the World Policy Journal has the best outline of Russian mass surveillance I've seen to date By Andrei Soldatov and Irina Borogan. Not so long ago, Western media and politicians would have been all over this, condemning the unethical behaviour of the Russian state. But I guess that's difficult and/or potentially embarrassing when you've spent a lot of effort defending the same behaviour on the part of Western governments.
"In March 2013, the Bureau of Diplomatic Security at the U.S. State Department issued a warning for Americans wanting to come to the Winter Olympics in Sochi, Russia next February: Beware of SORM. The System of Operative-Investigative Measures, or SORM, is Russia’s national system of lawful interception of all electronic utterances—an Orwellian network that jeopardizes privacy and the ability to use telecommunications to oppose the government. The U.S. warning ends with a list of “Travel Cyber Security Best Practices,” which, apart from the new technology, resembles the briefing instructions for a Cold War-era spy...
But the Russian surveillance effort is not limited to the Sochi area, nor confined to foreigners. For years, Russian secret services have been busy tightening their hold over Internet users in their country, and now they’re helping their counterparts in the rest of the former Soviet Union do the same. In the future, Russia may even succeed in splintering the web, breaking off from the global Internet a Russian intranet that’s easier for it to control.
Over the last two years, the Kremlin has transformed Russia into a surveillance state—at a level that would have made the Soviet KGB (Committe for State Security) envious. Seven Russian investigative and security agencies have been granted the legal right to intercept phone calls and emails. But it’s the Federal Security Service (FSB), the successor to the KGB, that defines interception procedures...
...In Russia, FSB officers are also required to obtain a court order to eavesdrop, but once they have it, they are not required to present it to anybody except their superiors in the FSB. Telecom providers have no right to demand that the FSB show them the warrant. The providers are required to pay for the SORM equipment and its installation, but they are denied access to the surveillance boxes.
The FSB has control centers connected directly to operators’ computer servers. To monitor particular phone conversations or Internet communications, an FSB agent only has to enter a command into the control center located in the local FSB headquarters. This system is replicated across the country. In every Russian town, there are protected underground cables, which connect the local FSB bureau with all Internet Service Providers (ISPs) and telecom providers in the region. That system, or SORM, is a holdover from the country’s Soviet past and was developed by a KGB research institute in the mid-1980s. Recent technological advances have only updated the system. Now, the SORM-1 system captures telephone and mobile phone communications, SORM-2 intercepts Internet traffic, and SORM-3 collects information from all forms of communication, providing long-term storage of all information and data on subscribers, including actual recordings and locations."
They are still working on how to deal with social networks but see mass surveillance, threats, net filtering, structural Balkanization of the net and the amoral self interest of the big tech companies (including Facebook and Google) as the key drivers of the evolution towards a much more controlled future.

Saturday, April 19, 2014

Intelligence Gathering and the Unowned Internet

The Berkman Center at Harvard has hosted a 90 minute discussion on  Intelligence Gathering and the Unowned Internet involving Yochai Benkler, Bruce Schneier and Jonathan Zittrain, Terry Fisher plus John DeLong and Anne Neuberger the latter two being from the National Security Agency.



The video is essential viewing and John Naughton's thoughts triggered by the discussion are also well worth a further 5 to 10 minutes of your time.

Thursday, April 17, 2014

Cory Doctorow & Barton Gellman at SXSW

Cory Doctorow and Barton Gellman discussing Edward Snowden, secure communications, encryption tools so easy your boss can use them, privacy, the revealing nature of metadata and mass surveillance, at SXSW should be required viewing.


Snowden quizzes Putin about mass surveillance on Russian TV

Edward Snowden just got to quiz Russian president Vladimir Putin about whether Russia engages in mass surveillance...


Guess what? Major surprise. Putin said no they don't. They fight crime and terrorism not like the rich Americans by spying on everyone but by engaging in surveillance controlled by the rule of law.

Call me a skeptic but it's a little unlikely Mr Putin has not heard of SORM not to mention a variety of other unethical surveillance and intelligence practices.

It is disappointing Edward Snowden would get sucked into such a publicity stunt though I guess he would not have had a lot of choice in the matter.

Update: Edward Snowden has defended his decision to participate in the TV show with Putin. In fairness, he makes a good case.

Wednesday, April 16, 2014

Suing the state: hidden rules within the EU-US trade deal

Thanks to Glyn Moody for pointing me at this excellent short video explaining the dangers of the investor state dispute settlement (ISDS) provisions in the proposed EU-US trade deal.



Additionally it is really worth reading Corporate Europe Observatory's excellent analysis of ISDS, Still not loving ISDS: 10 reasons to oppose investors’ super-rights in EU trade deals.

Tuesday, April 15, 2014

ORG Stop UK Internet Censorship Campaign

The Open Rights Group want to launch a campaign to educate the public about the dangers of software filters.



They need help to accumulate the requisite finances.

UK media ignore Guardian's Pulitzer Prize

We learned last night that the Guardian and the Washington Post have shared the Pulitzer prize for public service for their stories, based on documents leaked by Edward Snowden, on the US and UK governments' mass surveillance practices.

The story of the award has topped the news agenda all over the world - NYT, LA Times, The Times of Israel, Le Monde. The Times of India, even Fox News offered grudging repect whilst not missing the chance to denigrate Snowden.

In the UK the accolade has been ignored by The Times, The Daily Telegraph and the Daily Mail, though it got coverage from the BBC, The Indpendent and the FT.

A reminder. perhaps, of the need, always, to be alert to the underlying agenda(/s), motives and values of the controlling mind(/s) of the organisations from which we source our news.

Friday, April 11, 2014

What do you need to know about the Heartbleed security vulnerability?

Simon Budgen at OpenLearn asked yesterday if I could offer some ordinary-mortal-interpretable thoughts on the Heartbleed OpenSSL security earthquake.

I offered Simon the rambling steam of consciousness below which he kindly edited into a more ordered Q&A here.
There is a lot of panic, misreporting and bad advice going round about Heartbleed as you say. Though there are a few key things it is worth making sure get included in any article.

Include the Heartbleed link http://heartbleed.com/ which outlines  the problem -

" The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

That's about as bad as it gets security wise. Security expert Bruce Schneier has described it as “catastrophic” and I wouldn’t disagree with that.

The OpenSSL bug has compromised half a million plus sites from what we're able to tell.

Ordinary internet users should change their passwords on sites affected but generally only after - the companies running the websites concerned have done a security audit to check if they are affected, patched their systems if they are, acquired a new public/private key pair and new SSL certificate, tested the patched systems, informed the user they have done all this and determined the system to be secure (and preferably pro-actively changed passwords that might have been affected). Now the news on the bug is out credible commercial entities are keen to do this in double quick time and many have already done so.

It’s not the best advice to change your password before a website has been patched as that might expose your details to a higher risk of being compromised and will certainly expose your new details/passwords. Some mainstream news media are informing people they should change all passwords immediately – not great advice if it leads you to assume your new credentials are safe when in fact they won’t be, if the site has not been patched yet. People should check with or have confirmation from the company or an independent trustworthy source that they have fixed their systems first. (Though if someone with existing compromised credentials chooses to use those for nefarious ends, in the window between now and the site being patched, then there may be a slight preference in favour of changing passwords temporarily and then changing again once the fix is done. None of this is really straightforward unfortunately).

All the usual advice about choosing strong passwords applies – change them regularly, don’t use the same ones on different sites, don’t use dictionary words or names, make them long, include upper and lower case, numbers and symbols.

If there are several layers of authentication use them for stronger security e.g. pin numbers, passwords, tokens etc.

It may be the time now people begin to realise how many passwords they are actually using, to consider investing in a password manager like LastPass, SplashID or Password Genie – software which does all the heavy lifting on choosing long difficult passwords and managing and “remembering” them for you.

Also note since the bug has been around for a couple of years that it is almost certain that a multitude of organised crime gangs will likely have gathered the encryption keys to all compromised sites, as will intelligence and security services like the NSA and GCHQ. Just to be clear on this – the usernames and passwords used on these sites will likely be in the hands of organised criminal gangs and intelligence services.

The other big issue for ordinary users is to find out exactly what sites have been compromised and where and when they need to go about changing passwords. Various news sites are providing lists of affected sites and those that have been patched but you need to choose your sources of information carefully. Mainstream news sites are not always the best guide. We do know the big guys like Google, Facebook and Yahoo! were compromised and appear to be patched. Apple and eBay we’re not sure, Tumblr yes, big banks apparently not (but don’t quote me on that), Linkedin apparently not, Amazon no, though Amazon cloud services yes. It’s basically taking quite some sorting out.

There are sites that enable you to test whether a service you use has been compromised by Heartbleed eg http://filippo.io/Heartbleed/ or https://www.ssllabs.com/ssltest/ Just enter the url you are concerned about and click the Go!/Submit button. These are not 100% reliable and will generate false positives (alerts on sites that are patched) and occasionally false negatives (giving the all clear to insecure sites). Do be a little careful with these too as there will be false test sites which attempt to mislead people about the security of sites which remain compromised.

If people have not heard from the sites they use, they should actively contact them to ask – if they have done the requisite Heartbleed related security audit, if they have been compromised and if they have patched any vulnerabilities; and don’t stop asking until a definitive answer is forthcoming. Then if necessary change their passwords once the fix is implemented.

Hope that gives you something to start with.
Comments welcome here or over at OpenLearn.

Thursday, April 10, 2014

European Court of Justice annuls 2006 data retention directive

On Tuesday, 8 April, 2014, the Court of Justice of the European Union, (also known as the European Court of Justice) in a scathing indictment of widespread mass surveillance practices, abolished the 2006 EU data retention directive. The Court said the directive was a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights.

The directive constituted such a serious interference with the fundamental right to privacy that it had to be annulled - it was an affront to liberty that should never have existed.

TJ McIntyre of Digital Rights Ireland (DRI), the heroic litigants in chief, has made a copy of the full decision available at scribd and it will appear on the Court website in due course. Credit also to the 11,130 Austrian citizens whose case was joined to that of DRI since they had challenged the directive on similar grounds.

For the uninitiated, the data retention directive was the instrument through which the EU required communications service providers, both fixed line and mobile, to store details of everything everyone does on the telephone or internet; for a period of between 6 months and two years. The details of what should be collected are laid out in article 5 of the directive and the only thing not allowed was recording of the content of calls or messages.

It's actually worth spending 5 or 10 minutes looking at that list of things in Article 5 that has been gathered by communications service providers throughout the EU. At first pass it seems a bit legalistic but if you cut through that and think about it – names, addresses, who spoke to whom, where, when, for how long, on what device, how often, websites visited etc. etc. This all paints a very detailed picture and most people don’t know it is going on. The who, where, why, how, what and when of individual lives is all there in this metadata.

With what may be interpreted as half and eye on the Edward Snowden revelations, the Grand Chamber of the Court, effectively condemned pre-emptive, suspicionless, warrantless mass surveillance and consequent "interference with the fundamental rights of practically the entire European population". The case is the first major court decision on mass surveillance since the Snowden stories started to break in June 2013. Though high courts in Romania (2009), Germany (2010), Bulgaria (2010),  the Czech Republic (2011) and Cyprus (2011) have all declared the data retention directive unconstitutional and/or a disproportionate unjustified interference with the fundamental right to privacy, free speech and confidentiality of communications. As recently as 2011 following the national courts' striking down of regulations implementing data retention, the European Commission were hounding Germany and Romania to re-implement the directive. The Commission subsequently sued Romania which went on to pass a widely criticised version of data retention law in 2012, nicknamed "Big Brother". The Commission had also previously sued Greece, the Netherlands, Austria and Sweden for failing to implement the directive by the due date of September 15 2007.

The previous UK Labour government were one of the key driving forces behind the original implementation of the the data retention directive. The current UK government is one of the biggest cheerleaders for and operators of mass surveillance standards and practices. Though the UK government was not involved directly in the case, (and are scrambling madly to find a way to circumvent the decision as, sadly, are the Commission), both the current and the previous administrations' behavior, in the data retention context, is considered so heinous in law that it should never have happened; and the laws facilitating that behavior should never have existed.

Some commentators have also suggested the Court was firing a message not just to the UK but across the pond (2 min 40sec audio) to the effect that US mass surveillance standards are totally unacceptable in an EU context.

I have now managed to read the decision in full (in fits and starts) and will endeavour to post an analysis here at the earliest opportunity. (Aka when grown up admin duties allow and I can construct a sufficiently robust buffer between me and the zombiecrats to take a sustained run at it).

Appelbaum on mass surveillance

Take 5 minutes 33 seconds to listen to Jacob Appelbaum on mass surveillance and the  WePromiseEU 10 point charter for digital rights