There is nothing yet on the AShimmy Blog – organizer of the Security Blogger Awards. But Tripwire, a Platinum Sponsor of the awards, knows the results. “We are pleased to announce that Tripwire’s The State of Security has been selected as the ‘most entertaining security blog’ at the annual Security Bloggers Network Awards for 2014,” it announced yesterday.
This will come as a mortal blow to Kevin Townsend, who learnt a few weeks ago that he had been nominated for the same award despite not being a member of the Security Bloggers Network. But, tragically, it seems to be true. Kevin Townsend’s security blog, euphemistically known as Kevin Townsend’s Security Blog, lost out to Tripwire in the annual ‘most entertaining security blog’ award.
Townsend could not be found at his offices, known as the ‘cupboard under the stairs’; but was eventually located heavily sedated and under 24-hour suicide watch at the local home for the desolate.
Questioned over this latest failure, he was magnanimous in defeat. “We lost,” he said, “to the more entertaining blog. Me and my three-legged cat and $40k company lost to a $100 million company with 400 employees. Tripwire sponsors the awards so deserves its success. I wish them well.”
We asked if he would carry on despite this latest setback, but had to explain that his reply is neither biologically nor physiologically possible. He took one of the grapes we had brought him, but he spat it out, hissing, “sour!” — and he seemed to drift back into a delirium-soaked half-life, mumbling about tents and the direction of the wind.
Sadly, we have to report that Townsend’s blog is likely to hang around. Once they let him out of the home, that is.
When I wrote the piece, Is the AV industry in bed with the NSA, I concluded that on balance it probably is. I have no evidence. It’s just that I cannot believe that an organization complicit in developing and deploying its own malware, and able to ‘socially engineer’ RSA into doing its bidding, would leave AV untouched.
Obviously I spoke to people in the industry. In private conversation with one contact, while accepting his own protestations of innocence, I asked, “What about McAfee and Symantec?” He paused; but then said, “If I had to question anyone, those are the two names that would come to mind.”
I should say, again, that I have no evidence. It’s just doubts born out of the repetition of hyped-up statistics, frequently used by government to justify its actions, and what appears to be preferential treatment from government.
A couple of months later, the Dutch digital liberty group Bits of Freedom wrote to the leading AV companies for a formal position. One of the questions it asked was, “Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software?”
My understanding is that some, but not all, AV companies replied, in writing, that they do not collaborate with governments.
F-Secure’s Mikko Hyppönen spoke yesterday at the TrustyCon conference. I wasn’t there, so this is from The Register’s report:
A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure’s malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday…
While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed.
Same names. Coincidence? I wonder.
The American tech giants – Facebook in this instance – still don’t get it over the NSA spying programmes
The following is a transcription of a brief interview given by Mark Zuckerberg. The original can be found on TechCrunch here.
I’ve tidied it up a bit – removed the ‘ums’ and ‘rights’ and ‘you knows’ – just to make it more legible. I struggled over that because they clearly demonstrate where Zuckerberg is comfortable and where he is not comfortable with what he says; but I went ahead because what he says rather than his level of comfort is important to me. Anyway, here’s what is left:
We take our role really seriously. I think its my job and our job to protect everyone who uses Facebook and all the information that they share with us. It’s our government’s job to protect all of us and also to protect our freedoms and protect the economy, and companies; and I think they did a bad job of balancing those things. So frankly I think that the government blew it. I think that they blew it on communicating what they [were doing]; basically the balance of what they were going for.
The morning after the start of [the scandal] breaking, people asked [the government] what they thought; and the government’s comment was, “Oh don’t worry, basically we’re not spying on any Americans.”
Right. Wonderful. That’s really helpful to companies who are trying to serve people around the world, and [it's] really gonna inspire confidence in American internet companies. Thanks for going out there and being really clear about what you’re doing. I think that was really bad.
We’ve being pushing just to get more transparency on this, and I actually think we’ve made a big difference. The big question that you get from all the coverage is, what’s the volume of the total number of requests going on? Is it closer to a thousand requests that the government is making of us, or is it closer to 100 million? I mean, from the coverage and from what the government has said you would not know the difference. But we worked really hard with the government, behind the scenes, to get to the point where we could release the aggregate number of requests. It was around 9000 in the last half year.
Does that number tell us everything we want? No. And that’s why when the conversations get to the point where we weren’t going to make further progress, we decided to sue them so that we could reveal, is it 1000 or 2000 or 3000 or 4000 or 8000 of the 9000 requests. But the reality is, because of the transparency that we pushed for, now people can know and deserve to know that the number of requests that the government is making is closer to 1000 (it’s 9000 or less in the last six months), and definitely not, you know, 10 million or 100 million…
Really, Mark? Do you think that knowing the NSA made just over 1000 requests for your customers’ details rather than 9000 makes it all right – and that they can carry on, without judicial oversight, as they are? It’s the fact, not the volume, of NSA spying that is wrong, just plain wrong. Until the American tech giants stop hiding behind their really quite meaningless ‘transparency’ demands and empty successes over the NSA, then anger – and especially non-American anger – will remain at a high level.
Oh; and did I mention the word ‘hypocrite’? Facebook suggesting that the NSA isn’t taking sufficient care over users’ privacy? Really?
There was never any doubt that the detention of David Miranda at Heathrow under section 7 of the Terrorism Act was in fact legal. Now the arbiters of The Law have confirmed it in a judgment delivered earlier this week.
There is some good news, some bad news and a lot of not-unexpected news in this judgment. The not-unexpected news is that the Terrorism Act allows GCHQ to do just about whatever it pleases. The manufactured War against Terror has had the effect of turning the UK into a police state under the control of the security services and enforced by Her Majesty’s Constabulary. Anything can be defined, with a little imagination, as a potential act of terrorism; and therefore under the jurisdiction of the over-broad power of the Terrorism Act.
The good news is that the police did not immediately nor automatically accept GCHQ’s request for a port stop (ie, detention) on David Miranda as he passed through Heathrow. It was not until the police received a detailed request precisely applied to the Terrorism Act that they were effectively forced to respond. From the ruling:
“We assess that MIRANDA is knowingly carrying material, the release of which would endanger people’s lives. Additionally the disclosure, or threat of disclosure, is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism and as such we request that the subject is examined under Schedule 7.”
from the David Miranda judgment
Compare this to my assessment at the time:
So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
Was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
The bad news is that this is absurd. David Miranda is clearly not a terrorist. That means that what he was doing was an act of terrorism. That means that helping a journalist (in this case Glenn Greenwald) do his job, which most people would define as being in the public interest, can in itself be an act of terror — and that, frankly, is scary.
The Arbiters of The Law effectively confirm that the invocation of the Terrorism Act removes all other freedoms and rights:
In my judgment the Schedule 7 stop was a proportionate measure in the circumstances. Its objective was not only legitimate, but very pressing. The demands of journalistic free expression were qualified in the ways I have explained. In a press freedom case, the fourth requirement in the catalogue of proportionality involves as I have said the striking of a balance between two aspects of the public interest: press freedom itself on one hand, and on the other whatever is sought to justify the interference: here national security. On the facts of this case, the balance is plainly in favour of the latter.
This is a sad day for natural justice. But we cannot blame the judges. Their function is to interpret the law. Nor can we blame the police. Their function is to enforce the law. The blame rests solely on our weak politicians, under the sway of over-powerful intelligence services, who make the laws. It is the intelligence services, through threats and blackmail, who get their wishes translated into law. It is weak politicians who have sold out the people.
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of
the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion because the FTC has just made enforcement on 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
I had to speak to my GP today. It was a telephone consultation with what is, generally speaking, a pretty good surgery.
When we finished, I said, “While I’ve got you, I’d like to state my objection to inclusion in care.data.”
“In what?” he replied. “Care…?”
I explained. “I want to stress that I must not personally be identifiable with any health data that leaves your premises, nor any data that leaves HSCIC.”
“Oh,” he said. “You’ll have to write to the practice manager about that.” (Well, I have already done that; but the advantage of repeating it here is that I now have a recording of the event. Letters can be lost or denied; a recording in my possession cannot. It’s good, this VoIP thing.)
“No,” I said. “According to the official NHS documentation, all I have to do is tell you.”
“Oh, all right. I’ll pass it on to the practice manager. She’s probably got a form for you to fill in.”
“While we’re at it,” I added, “I’d like a comment added to my notes, please. I object to any of my personal records leaving your care at all. It is my opinion that if that happens, it will be in contravention of the European Union’s Data Protection Directive.”
I’m not a lawyer, obviously — but then neither is he.
But actually I do believe it would contravene the data protection principles for two basic reasons. Despite all the publicity about an explanatory leaflet from the NHS, I have never received one. That means that I have not been informed that my personal data is going to be passed to a third-party, nor have I had the process explained to me; and that while I should have to opt in to this process, I haven’t even been given the opportunity to opt out.
It all just goes to show that the whole thing is a deceitful farce.