Boing Boing » lawful interception

Privacy, public health and the moral hazard of surveillance

Cory Doctorow — Wed, 22 May 2013 02:48:59 +0000

My new Guardian column, "Privacy, public health and the moral hazard of surveillance," discusses the way that the governments' reliance on social networks for intelligence purposes means that they can't intervene to help their populations get better at trading their privacy for services.

That's a crisis. If online oversharing is a public health problem, then the state's decision to harness it for its own purposes means that huge, powerful forces within government will come to depend on oversharing. It will be vital to their jobs – their pay-packets will literally depend on your inability to gauge the appropriateness of your online disclosure.
They will be on the same side as the companies that profit from oversharing, because they will, effectively, be just another firm that benefits from oversharing.
It's as though Scotland Yard decreed that obesity was critical to its ability to catch slow-moving, easily winded suspects. It's as though the NHS announced it would cope with the expense of an aging population by encouraging chain-smoking. The dangers of oversharing are hard enough to manage when it's just the private sector that benefits from them.

Privacy, public health and the moral hazard of surveillance

Black Code: how spies, cops and crims are making cyberspace unfit for human habitation

Cory Doctorow — Sat, 18 May 2013 15:15:46 +0000

I reviewed Ronald Diebert's new book Black Code in this weekend's edition of the Globe and Mail. Diebert runs the Citizen Lab at the University of Toronto and has been instrumental in several high-profile reports that outed government spying (like Chinese hackers who compromised the Dalai Lama's computer and turned it into a covert CCTV) and massive criminal hacks (like the Koobface extortion racket). His book is an amazing account of how cops, spies and crooks all treat the Internet as the same kind of thing: a tool for getting information out of people without their knowledge or consent, and how they end up in a kind of emergent conspiracy to erode the net's security to further their own ends. It's an absolutely brilliant and important book:

Ronald Deibert’s new book, Black Code, is a gripping and absolutely terrifying blow-by-blow account of the way that companies, governments, cops and crooks have entered into an accidental conspiracy to poison our collective digital water supply in ways small and large, treating the Internet as a way to make a quick and dirty buck or as a snoopy spy’s best friend. The book is so thoroughly disheartening for its first 14 chapters that I found myself growing impatient with it, worrying that it was a mere counsel of despair.
But the final chapter of Black Code is an incandescent call to arms demanding that states and their agents cease their depraved indifference to the unintended consequences of their online war games and join with civil society groups that work to make the networked society into a freer, better place than the world it has overwritten.
Deibert is the founder and director of The Citizen Lab, a unique institution at the University of Toronto’s Munk School of Global Affairs. It is one part X-Files hacker clubhouse, one part computer science lab and one part international relations observatory. The Citizen Lab’s researchers have scored a string of international coups: Uncovering GhostNet, the group of Chinese hackers taking over sensitive diplomatic computers around the world and eavesdropping on the private lives of governments; cracking Koobface, a group of Russian petty crooks who extorted millions from random people on the Internet, a few hundred dollars at a time; exposing another Chinese attack directed at the Tibetan government in exile and the Dalai Lama. Each of these exploits is beautifully recounted in Black Code and used to frame a larger, vivid narrative of a network that is global, vital and terribly fragile.
Yes, fragile. The value of the Internet to us as a species is incalculable, but there are plenty of parties for whom the Internet’s value increases when it is selectively broken.

How to make cyberspace safe for human habitation

Black Code: Inside the Battle for Cyberspace

Computer scientists to FBI: don't require all our devices to have backdoors for spies

Cory Doctorow — Fri, 17 May 2013 17:59:45 +0000

In an urgent, important blog post, computer scientist and security expert Ed Felten lays out the case against rules requiring manufacturers to put wiretapping backdoors in their communications tools. Since the early 1990s, manufacturers of telephone switching equipment have had to follow a US law called CALEA that says that phone switches have to have a deliberate back-door that cops can use to secretly listen in on phone calls without having to physically attach anything to them. This has already been a huge security problem -- through much of the 1990s, AT&T's CALEA controls went through a Solaris machine that was thoroughly compromised by hackers, meaning that criminals could listen in on any call; during the 2005/6 Olympic bid, spies used the CALEA backdoors on the Greek phone company's switches to listen in on the highest levels of government.

But now, thanks to the widespread adoption of cryptographically secured messaging services, law enforcement is finding that its CALEA backdoors are of declining utility -- it doesn't matter if you can intercept someone else's phone calls or network traffic if the data you're captured is unbreakably scrambled. In response, the FBI has floated the idea of "CALEA II": a mandate to put wiretapping capabilities in computers, phones, and software.

As Felten points out, this is a terrible idea. If your phone is designed to secretly record you or stream video, location data, and messages to an adverse party, and to stop you from discovering that it's doing this, it puts you at huge risk when that facility is hijacked by criminals. It doesn't matter if you trust the government not to abuse this power (though, for the record, I don't -- especially since anything mandated by the US government would also be present in devices used in China, Belarus and Iran) -- deliberately weakening device security makes you vulnerable to everyone, including the worst criminals:

Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.
Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.
Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.

Felten's remarks summarize a report [PDF] signed by 20 distinguished computer scientists criticizing the FBI's proposal. It's an important read -- maybe the most important thing you'll read all month. If you can't trust your devices, you face enormous danger.

CALEA II: Risks of wiretap modifications to endpoints

Apple can decrypt iPhones for cops; Google can remotely "reset password" for Android devices

Cory Doctorow — Sun, 12 May 2013 15:49:04 +0000

Apple apparently has the power to decrypt iPhone storage in response to law-enforcement requests, though they won't say how. Google can remotely "reset the password" for a phone for cops, too:

Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
Ginger Colbrun, ATF's public affairs chief, told CNET that "ATF cannot discuss specifics of ongoing investigations or litigation. ATF follows federal law and DOJ/department-wide policy on access to all communication devices."
...The ATF's Maynard said in an affidavit for the Kentucky case that Apple "has the capabilities to bypass the security software" and "download the contents of the phone to an external memory device." Chang, the Apple legal specialist, told him that "once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive" and delivered to the ATF.
It's not clear whether that means Apple has created a backdoor for police -- which has been the topic of speculation in the past -- whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET.

It's not clear to me from the above whether Google "resetting the password" for Android devices merely bypasses the lock-screen or actually decrypts the mass storage on the phone if it has been encrypted.

I also wonder if the "decryption" Apple undertakes relies on people habitually using short passwords for their phones -- the alternative being a lot of screen-typing in order to place a call.

Apple deluged by police demands to decrypt iPhones [Declan McCullagh/CNet]

(via /.)

CISPA is not dead! It's coming back -- get ready!

Cory Doctorow — Thu, 02 May 2013 20:42:33 +0000

Evan from Fight for the Future sez, "All of your phone calls, emails, petition signatures, and tweets are working. The privacy-killing back-from-the-dead zombie bill CISPA is a bit stalled in the Senate, with over $605 million in lobbying spent on it already, it's bound to be back to haunt us in some form soon. So we made an infographic to get everyone up to speed. This Spring, we'll be organizing the largest online privacy protest in history, to send this bill back where it belongs. Join us?"

Mozilla to FinSpy: stop disguising your "lawful interception" spyware as Firefox

Cory Doctorow — Wed, 01 May 2013 22:45:45 +0000

The Mozilla Foundation has sent a legal threat to Gamma International, a UK company that makes a product called "FinSpy" that is used by governments, including brutal dictatorships to spy on dissidents. FinSpy allows these governments to hijack their citizens' screens, cameras, hard-drives and keyboards. Gamma disguises this spyware as copies of Firefox, Mozilla's flagship free/open browser.

Gamma International markets its software as a “remote monitoring” program that government agencies can use to take control of computers and snoop on data and communications. In theory, it could be legitimately used for surveillance efforts by crime fighting agencies, but in practice, it has popped up as a spy tool unleashed against dissident movements operating against repressive regimes.
Citizen Lab researchers have seen it used against dissidents from Bahrain and Ethiopia. And in a new report, set to be released today, they’ve found it in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, and Austria. That brings the total number of countries that have been spotted with FinFisher to 36.
To date, Citizen Lab researchers have found three samples of FinSpy that masquerades as Firefox, including a “demo” version of the spyware according to Morgan Marquis-Boire, a security researcher at the Citizen Lab, who works as a Google Security Engineer. Marquis-Boire says his work at Citizen Lab is independent from his day job at Google.

Mozilla Takes Aim at Spyware That Masquerades as Firefox [Robert McMillan/Wired]

Why do governments get Internet surveillance so wrong?

Cory Doctorow — Mon, 29 Apr 2013 13:36:45 +0000

The UK Open Rights Group has just published "Why the Snoopers’ Charter is the wrong approach: A call for targeted and accountable investigatory powers," a digital paper on why and how governments go terribly wrong with Internet surveillance proposals, and what a reasonable and accountable form of surveillance would look like. Jim Killock from ORG sez,

After the Snoopers' Charter debacle, the Open Rights Group asks why intrusive new laws are being suggested, if they are needed at all and what the alternatives are. Some of the UK's most prominent surveillance experts examine the history of UK surveillance law and the challenges posed by the explosion of digital datasets. Contributors include journalist Duncan Campbell, legal expert Angela Patrick from Justice, Richard Clayton of Cambridge University Computer Labs and Peter Sommer, Visiting Professor at De Montfort University.

Digital Surveillance (Thanks, Jim!)

(Disclaimer: I am proud to have co-founded the Open Rights Group, and to volunteer on its advisory council)

CISPA is dead! (again) (for now)

Cory Doctorow — Fri, 26 Apr 2013 14:24:15 +0000

After months of activist agitation and a crushing disappointment from the cowards in the House of Representatives, the US senate has effectively killed CISPA, a sweeping Internet surveillance proposal. This is astoundingly great news! But CISPA died once before, and came back from the dead, and it will not likely stay dead this time around either. The price of liberty is eternal vigilance, etc etc etc:

Sen. Jay Rockefeller (D-WV), the chairman of the U.S. Senate Committee on Commerce, Science and Transportation, said in a statement on April 18 that CISPA's privacy protections are "insufficient."
A committee aide told ZDNet on Thursday that Rockefeller believes the Senate will not take up CISPA. The White House has also said the President won't sign the House bill.
Staff and senators are understood to be "drafting separate bills" that will maintain the cybersecurity information sharing while preserving civil liberties and privacy rights.
Rockefeller's comments are significant as he takes up the lead on the Commerce Committee, which will be the first branch of the Senate that will debate its own cybersecurity legislation.
Michelle Richardson, legislative council with the American Civil Liberties Union, told the publication she thinks CISPA is "dead for now," and said the Senate will "probably pick up where it left off last year."

CISPA 'dead' in Senate, privacy concerns cited [Zack Whittaker/ZDNet]

Snooper's Charter is dead! (for now)

Cory Doctorow — Fri, 26 Apr 2013 06:50:34 +0000

Aw, yeah! The UK Communications Data Bill -- AKA the "Snooper's Charter," a sweeping, totalitarian universal Internet surveillance bill that the Conservative government had sworn to pass -- is dead! Yesterday, Nick Clegg, leader of the Liberal Democrats in Parliament, announced that his party would not support the bill, and effectively killed it. Though I've been bitterly disappointed with some of the terminal compromises the LibDems have made, this makes me grateful to have them in Parliament. The kind of universal surveillance proposed in the Snooper's Charter was broadly supported by the last Labour government, which radically expanded state surveillance powers, and by the Tories -- thank goodness for the LibDems mustering a scrap of backbone at last!

The only downside is that the Open Rights Group had a whole series of great "Professor Elemental" videos that used pointed, excellent humour to mock and undermine the bill and drum up opposition to it, and now that's all going to go to waste (I blogged episode one yesterday).

Aw, who'm I kidding? This kind of thing never stays dead.

The snooper's charter has reminded Nick Clegg, finally, he is a liberal

UK ISPs betray customers, collaborate on government surveillance

Cory Doctorow — Tue, 23 Apr 2013 14:00:26 +0000

Britain's Communications Data Bill -- AKA the Snooper's Charter -- would effectively eliminate private communications in the UK, giving government and the police the power to spy on virtually everything you do online (which is rapidly merging with everything you do, full stop). The major ISPs in the UK have apparently been turned to the government's cause, and have been quietly supporting the bill, which strips their customers of any semblance of privacy.

The government defends this proposal by saying that they're not intercepting "messages," only "envelopes." That is, they'll get the subject lines, social graph data, who is talking, where, how often, and who replies, how long the messages are, and so on. I like to imagine Alan Turing taking this approach to informational significance: "Mr Churchill, I'm sorry, there's no point in what you're asking us to do: all we can decode from the Nazis is who is sending messages, who receives them, what they're about, where they're sent from, how often they're sent, and how long they are. Nothing compromising." (Then I imagine the ghost of Turing haunting Home Secretary Teresa May, who claims that none of that kind of data compromises Britons' privacy).

In an open letter to the major ISPs, the Open Rights Group, Big Brother Watch, and Privacy International accuse the ISPs of entering into a conspiracy of silence on the surveillance system:

It has become clear that a critical component of the Communications Data Bill is that UK communication service providers will be required by law to create data they currently do not have any business purpose for, and store it for a period of 12 months.
Plainly, this crosses a line no democratic country has yet crossed – paying private companies to record what their customers are doing solely for the purposes of the state.
These proposals are not fit for purpose, which possibly explains why the Home Office is so keen to ensure they are not aired publicly.
There has been no public consultation, while on none of your websites is there any reference to these discussions. Meetings have been held behind closed doors as policy has been developed in secret, seemingly the same policy formulated several years ago despite widespread warnings from technical experts.
That your businesses appear willing to be co-opted as an arm of the state to monitor every single one of your customers is a dangerous step, exacerbated by your silence
Consumers are increasingly concerned about their privacy, both in terms of how much data is collected about them and how securely that data is kept. Many businesses have made a virtue of respecting consumer privacy and ensuring safe and secure internet access.
Sadly, your customers have not had the opportunity to comment on these proposals. Indeed, were it not for civil society groups and the media, they would have no idea such a policy was being considered.
We believe this is a critical failure not only of Government, but a betrayal of your customers' interests. You appear to be engaged in a conspiracy of silence with the Home Office, the only concern being whether or not you will be able to recover your costs.

ISPs In ‘Conspiracy Of Silence’ With Government On Snooper’s Charter (via ./)

Canadian cops can use electronic surveillance without reporting it

Cory Doctorow — Wed, 20 Feb 2013 18:48:57 +0000

Nicholas Koutros sez,

Bill C-30 in Canada argued that police need new lawful access powers in order to keep up with modern criminals. This paper examines the police's own reports to demonstrate that the use of electronic surveillance is actually on the decline over the past 30 years; down nearly elevenfold. While it may be true that the process has become too onerous, as the police claim, we argue that this decline is the result of police not being compelled to report on new methods of surveillance.
The current report is antiquated and can't incorporate new methods of surveillance such as production orders. With Bill C-55 (which imposes new reporting requirements on emergency intercepts) currently being debated in the House of Commons it appears that MPs are finally recognizing the failings of the current transparency regime.

Big Brother's Shadow: Historical Decline in Electronic Surveillance by Canadian Federal Law Enforcement

Leaked: ITU's secret Internet surveillance standard discussion draft

Cory Doctorow — Thu, 06 Dec 2012 07:54:23 +0000

Yesterday morning, I wrote about the closed-door International Telecommunications Union meeting where they were working on standardizing "deep packet inspection" -- a technology crucial to mass Internet surveillance. Other standards bodies have refused to touch DPI because of the risk to Internet users that arises from making it easier to spy on them. But not the ITU.

The ITU standardization effort has been conducted in secret, without public scrutiny. Now, Asher Wolf writes,

I publicly asked (via Twitter) if anyone could give me access to documents relating to the ITU's DPI recommendations, now endorsed by the U.N. The ITU's senior communications officer, Toby Johnson, emailed me a copy of their unpublished policy recommendations.
OOOPS!
5 hours later, they emailed, asking me not to publish it, in part or in whole, and that it was for my eyes only.
Please publish it (credit me for sending it to you.)
Also note:
1. The recommendations *NEVER* discuss the impact of DPI.
2. A FEW EXAMPLES OF POTENTIAL DPI USE CITED BY THE ITU:
"I.9.2 DPI engine use case: Simple fixed string matching for BitTorrent"
"II.3.4 Example “Forwarding copy right protected audio content”"
"II.3.6 Example “Detection of a specific transferred file from a particular user”"
"II.4.2 Example “Security check – Block SIP messages (across entire SIP traffic) with specific content types”"
"II.4.5 Example “Identify particular host by evaluating all RTCP SDES packets”"
"II.4.6 Example “Measure Spanish Jabber traffic”"
"II.4.7 Example “Blocking of dedicated games”"
"II.4.11 Example “Identify uploading BitTorrent users”"
"II.4.13 Example “Blocking Peer-to-Peer VoIP telephony
with proprietary end-to-end application control protocols”"
"II.5.1 Example “Detecting a specific Peer-to-Peer VoIP telephony with proprietary end-to-end application control protocols”"

Hit the jump for more of Asher's analysis and the download link:

3. Security threats against DPI entities is listed as:
- Destruction of DPI-related information;
- Corruption or modification of DPI-related information;
- Theft, removal or loss of DPI-related information;
- Disclosure of DPI-related information;
- Interruption of services (specifically mentions DoS.)

DRAFT NEW RECOMMENDATION ITU-T Y.2770 PROPOSED FOR APPROVAL AT THE WORLD TELECOMMUNICATION STANDARDIZATION CONFERENCE (WTSA-12) [ZIPped DOCX file]

DRAFT NEW RECOMMENDATION ITU-T Y.2770 PROPOSED FOR APPROVAL AT THE WORLD TELECOMMUNICATION STANDARDIZATION CONFERENCE (WTSA-12) [ZIPped DOCX file] CoralCache mirror

(Thanks, Asher!)

UN's International Telecommunications Union sets out to standardize bulk surveillance of Internet users by oppressive governments

Cory Doctorow — Wed, 05 Dec 2012 13:53:18 +0000

The International Telecommunications Union, a UN agency dominated by veterans of incumbent telcoms who mistrust the Internet, and representatives of repressive governments who want to control it, have quietly begun the standardization process for a kind of invasive network spying called "deep packet inspection" (DPI). Other standards bodies have shied away from standardizing surveillance technology, but the ITU just dived in with both feet, and proposed a standard that includes not only garden-variety spying, but also spying "in case of a local availability of the used encryption key(s)" -- a situation that includes the kind of spying Iran's government is suspected of engaging in, when an Iranian hacker stole signing keys from the Dutch certificate authority DigiNotar, allowing for silent interception of Facebook and Gmail traffic by Iranian dissidents.

The ITU-T DPI standard holds very little in reserve when it comes to privacy invasion. For example, the document optionally requires DPI systems to support inspection of encrypted traffic “in case of a local availability of the used encryption key(s).” It’s not entirely clear under what circumstances ISPs might have access to such keys, but in any event the very notion of decrypting the users’ traffic (quite possibly against their will) is antithetical to most norms, policies, and laws concerning privacy of communications. In discussing IPSec, an end-to-end encryption technology that obscures all traffic content, the document notes that “aspects related to application identification are for further study” – as if some future work may be dedicated to somehow breaking or circumventing IPSec.
Several global standards bodies, including the IETF and W3C, have launched initiatives to incorporate privacy considerations into their work. In fact, the IETF has long had a policy of not considering technical requirements for wiretapping in its work, taking the seemingly opposite approach to the ITU-T DPI document, as Germany pointed out in voicing its opposition to the ITU-T standard earlier this year. The ITU-T standard barely acknowledges that DPI has privacy implications, let alone does it provide a thorough analysis of how the potential privacy threats associated with the technology might be mitigated.
These aspects of the ITU-T Recommendation are troubling in light of calls from Russia and a number of Middle Eastern countries to make ITU-T Recommendations mandatory for Internet technology companies and network operators to build into their products. Mandatory standards are a bad idea even when they are well designed. Forcing the world’s technology companies to adopt standards developed in a body that fails to conduct rigorous privacy analysis could have dire global consequences for online trust and users’ rights.

Adoption of Traffic Sniffing Standard Fans WCIT Flames [CDT]

UK home secretary says Britain needs more data retention, cites an example where a corrupt cop gave murdered victims' details to crime boss

Cory Doctorow — Mon, 03 Dec 2012 21:53:12 +0000

This morning saw the publication of an editorial in The Sun by Theresa May, the UK home secretary, defending her bulk Internet surveillance proposal, the Communications Data Bill, AKA the "Snooper's Charter."

In the article, May cites a submission by by Peter Davies (Chief Executive of the Child Exploitation and Online Protection centre) as an example of why all Internet communications should be stored and made accessible to police without a warrant. Davies told the story of a murder that had been difficult to solve, and suggests that dragnet surveillance would have made the police's job simpler.

But as the Open Rights Group points out, the case in question is anything but a defense of bulk data-retention. Indeed, it involves a corrupt police officer who improperly used retained records to find information to pass on to a crime boss about a couple who were subsequently murdered. In other words, logging and storing information made it possible for a criminal and a corrupt cop to track people down.

It's nothing short of bizarre for Theresa May to cite this as a reason to retain more information, on more people, and to give access to that information to more agencies.

Tales of the Unexpected: the Communications Data Bill

Speaking in London on Nov 24 about the Snooper's Charter

Cory Doctorow — Thu, 15 Nov 2012 11:14:37 +0000

Hey, Londoners! I'm speaking at one of the Open Rights Group's meetings on the Snooper's Charter (the proposed new mass-scale network spying bill) in London on Nov 24. It's free, but they'd like you to register so they know how many to plan for.

UK surveillance bill: 19,000 letters opposing, 0 in favour

Cory Doctorow — Fri, 12 Oct 2012 19:00:50 +0000

The Snooper's Charter is Britain's pending Internet surveillance law, which requires ISPs, online services and telcoms companies to retain enormous amounts of private online transactions, and to hand them over to government and law enforcement employees without a warrant. A public campaign on the bill had 19,000 responses, every one of which opposed the legislation. 19,000 against, 0 for. The question is, will the government (which ran in part by opposing similar legislation proposed by the previous Labour government) actually pay attention? Here's Glyn Moody in Computerworld:

Got that? Out of 19,000 emails received by the Committee on the subject of the proposed Draft Communications Bill, not a single one was in favour of it, or even agreed with its premise. Has there ever been a bill so universally rejected by the public in a consultation? Clearly, it must be thrown out completely.

Snooper's Charter: 19,000 Emails Against, 0 In Favour (via /.)

CryptoParty: like a Tupperware party for learning crypto

Cory Doctorow — Fri, 12 Oct 2012 17:00:54 +0000

CryptoParty is a global movement for people who want to teach their neighbors how to use cryptography to protect themselves from snoopers, especially broad government surveillance. It was kicked off by @Asher_Wolf in response to the broad, sweeping Australian Internet surveillance bill, and involves throwing parties where folks who know how to use disk encryption, email encryption, and similar projects teach their neighbors to use it too.

There's a crowdsourced book -- "The CryptoParty Handbook," 400+ pages written in less than 24 hours by activists all over the world -- and other instructional materials to help you get started.

What is CryptoParty? Interested parties with computers, devices, and the desire to learn to use the most basic crypto programs and the fundamental concepts of their operation! CryptoParties are free to attend, public, and are commercially non-aligned.

CryptoParty (via Techdirt)

Australian Attorney General says that public scrutiny of spying bill would not be in the public interest

Cory Doctorow — Thu, 11 Oct 2012 15:43:12 +0000

The Australian government is following the UK, US and Canadian governments' examples and establishing a secretive, no-holds-barred snooping regime. The "data retention" bill that's been prepared by the Federal Attorney-General’s Department requires ISPs to store all communications for two years, and grants wide access to those stored records, as well as allowing snooping on residents' social networking activities. What's more, the Attorney General has denied a Freedom of Information request for a look at the draft legislation from the Pirate Party, saying that public scrutiny of spying laws is "not in the public interest" and would be prejudicial to the decision-making process.

The Pirate Party, which is an activist and political organisation which lobbies to maintain and extend Australians’ digital rights and freedoms, issued a media release this morning noting that it had filed a Freedom of Information request with the department, seeking draft national security legislation which had been prepared in 2010 with respect to the current proposal. The draft legislation had been mentioned by the Sydney Morning Herald in an article in August.
However, the Attorney-General’s Department wrote back to the organisation this week, noting that the request had been denied. Logan Tudor, a legal officer with the department, wrote that he had decided that the draft legislation was exempted from being released because it contained material which was being deliberated on inside the department. “… the release of this material would, in my view, be contrary to the public interest,” Tudor wrote.
In the Pirate Party’s statement, its treasurer Rodney Serkowski described the response by the Attorney-General’s Department as “disgraceful and troubling”.
“They have completed draft legislation, prior to any transparent or consultative process, and are now denying access to that legislation, for reasons that are highly dubious and obviously politically motivated,” wrote Serkowski. “The Department is completely trashing any semblance or notion of transparency or participative democratic process of policy development.”

Govt censors pre-prepared data retention bills (via /.)

Ubiquitous surveillance rap

Cory Doctorow — Thu, 13 Sep 2012 02:00:49 +0000

The latest edition of Juice Rap News, "Big Brother is WWWatching You," is a catchy little rap ditty about how the Internet is being remade as a total information awareness panopticon:

September 2012 rocks around with some crucial developments in the ongoing struggle over the future of the internet. Will it remain the one open frequency where humanity can bypass filters and barriers; or become the greatest spying machine ever imagined? The future is being decided as we type. Across Oceania, States have been erecting and installing measures to legalise the watching, tracking and storage of data of party-members and proles alike. If such plans materialize, will this place ever be the same? And what will be the evolutionary consequences for our human journey? Join our plucky host Robert Foster as he conducts an incisive analysis of the situation at hand. Joining him are newly appointed Thought Police General at the Pentopticon, Darth O'Brien Baxter, and a surprisingly lucid Terence Winston Moonseed. Once again, in the midst of this Grand Human Experiment, we are forced to ask tough questions about our future. Will it involve a free internet which will continue to revolutionise the way the world communicates with itself? Or is our picture of the future a Boot stamping on this Human InterFace forever?

I like the guest appearance from George TORwell.

RAP NEWS 15: Big Brother is WWWatching You

Your cellphone is a tracking device that lets you make calls

Cory Doctorow — Tue, 04 Sep 2012 22:55:13 +0000

Just in case you had any doubts about how much of a security risk your mobile phone presents, have a read of Jacob Appelbaum's interview with N+. Jake's with both the Tor and Wikileaks projects, and has been detained and scrutinized to a fare-thee-well.

Appelbaum: Cell phones are tracking devices that make phone calls. It’s sad, but it’s true. Which means software solutions don’t always matter. You can have a secure set of tools on your phone, but it doesn’t change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It’s a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody’s cell phones will automatically jump onto the tower, and if the phone’s unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.
Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?
Appelbaum: Maybe. But iPhones, for instance, don’t have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.
Resnick: And how easy is it to create something like to that?
Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.

You may be saying here, "Huh, I'm sure glad that I'm not doing anything that would get me targeted by US spooks!" Think again. First, there's the possibility that you'll be incorrectly identified as a bad guy, like Maher Arar< who got a multi-year dose of Syrian torture when the security apparatus experienced a really bad case of mistaken identity.

But second, remember that whatever governments can do with technology, organized criminals can do too (this is doubly true of back-doors that governments mandate in telecoms equipment and software to make spying easier -- they can be used by anyone, not just "good guys").

And finally, remember that whatever the leet haxxors of the mafia are doing today on the cutting edge will be reduced to a short script that can be run by fatfingered noobie script kids tomorrow, in automated attacks that are indiscriminately ranged against tens of millions of devices in the hopes of finding a few that are vulnerable.

Or as Jake says:

The first response people have is, whatever, I’m not important. And the second is, they’re not watching me, and even if they were, there’s nothing they could find because I’m not doing anything illegal. But the thing is, taking precautions with your communications is like safe sex in that you have a responsibility to other people to be safe—your transgressions can fuck other people over. The reality is that when you find out it will be too late. It’s not about doing a perfect job, it’s about recognizing you have a responsibility to do that job at all, and doing the best job you can manage, without it breaking down your ability to communicate, without it ruining your day, and understanding that sometimes it’s not safe to undertake an action, even if other times you would. That’s the education component.
So security culture stuff sounds crazy, but the technological capabilities of the police, especially with these toolkits for sale, is vast. And to thwart that by taking all the phones at a party and putting them in a bag and putting them in the freezer and turning on music in the other room—true, someone in the meeting might be a snitch, but at least there’s no audio recording of you.

Leave Your Cellphone at Home (via /.)

Canada's telcos secretly backing revival of "dead" warrantless surveillance bill

Cory Doctorow — Tue, 22 May 2012 17:40:29 +0000

Michael Geist sez,

Canada's proposed Internet surveillance was back in the news last week after speculation grew that government intends to keep the bill in legislative limbo until it dies on the order paper. Public Safety Minister Vic Toews denied the reports, maintaining that Bill C-30 will still be sent to committee for further study. My weekly technology law column reveals that behind the scenes, Canada's telecom companies have worked actively with government officials to identify key issues and to develop a secret Industry - Government Collaborative Forum on Lawful Access.
The secret working group includes virtually all the major telecom and cable companies, whose representatives have been granted Government of Canada Secret level security clearance and signed non-disclosure agreements. The group is led by Bell Canada on the industry side and Public Safety for the government. It is designed to create an open channel for discussion between telecom providers and government. As the uproar over Bill C-30 was generating front-page news across the country, Bell reached out to government to indicate that "it was working its way through C-30 with great interest" and expressed desire for a meeting to discuss disclosure of subscriber information. A few weeks later, it sent another request seeking details on equipment obligations to assist in its costing exercises.
At a September 2011 meeting that included Bell Canada, Cogeco, RIM, Telus, Rogers, Microsoft, and the Information Technology Association of Canada, government officials provided a lawful access regulations policy document that offered guidance on plans for extensive regulations that will ultimately accompany the Internet surveillance legislation. The 17-page document indicates that providers will be required to disclose certain subscriber information without a warrant within 48 hours and within 30 minutes in exceptional circumstances. Interceptions of communications may also need to be established within 30 minutes of a request with capabilities that include simultaneous interceptions for five law enforcement agencies.

How Canada's Telecom Companies Have Secretly Supported Internet Surveillance Legislation

Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors

Cory Doctorow — Fri, 30 Mar 2012 22:42:57 +0000

The Electronic Frontier Foundation's Marcia Hoffman writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hoffman points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose their discoveries to the software vendors themselves, even for money, because they want to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million. But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.

EFF calls out governments for trafficking in these vulnerabilities, rather than demanding their disclosure and repair. Any unpatched vulnerability puts every user of the affected software at risk. For a government to appropriate a vulnerability to itself and keep it secret in the name of "national security," rather than fixing it for the nation's citizens, is "security for the 1%."

“Zero-day” exploit sales should be key point in cybersecurity debate

Canadian tweeps bare all for spying MP

Cory Doctorow — Thu, 16 Feb 2012 22:44:17 +0000

Canadian MP Vic Toews is pushing bill C-30, a domestic spying bill that requires ISPs to log your online activity and give it to police without a warrant. He says that if you don't support this, you "stand with child pornographers." Canadians are giving MP Toews what he wants: on Twitter, Canadians are flooding his account with the hashtag TellVicEverything, spilling the intimate secrets of their lives: "Had impure thought," Jeremy Klaszus. (Thanks, pbrstreetgang!)

Canada's spying bill: be very afraid

Cory Doctorow — Wed, 15 Feb 2012 05:31:03 +0000

Canadian comedy hero Rick Mercer nails the new Canadian spying bill and the political tactics that gave rise to it. Bravo!

Rick Mercer: Rant: Be Afraid (Thanks, James!)

Brochures from the companies that sell malware to governments

Cory Doctorow — Mon, 05 Dec 2011 14:31:05 +0000

Ars Technica has a small gallery of the latest Wikileaks dump, consisting of brochures from companies that sell malicious software to governments for use in spying on their citizens. I spoke at length with one of the sources for these and we agreed that it was freakishly weird and scary -- I've spent the past two months in a bit of a paranoid stupor as a result. On the other hand, I have seen enough product brochures to know that companies often stretch the truth when they're pimping their products, and I wouldn't expect truth-in-advertising ethics from vichy nerds that specialize in violating the UN Declaration of Human Rights.

One product marketed by HackingTeam is the Remote Control System, malware that infects computers and smartphones in order to enable covert surveillance. The company says that its trojan can intercept encrypted communication, including Skype voice calls. They prominently advertise the fact that the malware can be installed remotely. They say that it can scale up to monitor "hundreds of thousands of targets" and is capable of being deployed to Apple, Android, Symbian, and Blackberry mobile devices.

Gallery: how the surveillance industry markets spyware to governments