When I wrote the piece, Is the AV industry in bed with the NSA, I concluded that on balance it probably is. I have no evidence. It’s just that I cannot believe that an organization complicit in developing and deploying its own malware, and able to ‘socially engineer’ RSA into doing its bidding, would leave AV untouched.
Obviously I spoke to people in the industry. In private conversation with one contact, while accepting his own protestations of innocence, I asked, “What about McAfee and Symantec?” He paused; but then said, “If I had to question anyone, those are the two names that would come to mind.”
I should say, again, that I have no evidence. It’s just doubts born out of the repetition of hyped-up statistics, frequently used by government to justify its actions, and what appears to be preferential treatment from government.
A couple of months later, the Dutch digital liberty group Bits of Freedom wrote to the leading AV companies for a formal position. One of the questions it asked was, “Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software?”
My understanding is that some, but not all, AV companies replied, in writing, that they do not collaborate with governments.
F-Secure’s Mikko Hyppönen spoke yesterday at the TrustyCon conference. I wasn’t there, so this is from The Register’s report:
A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure’s malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday…
While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed.
Same names. Coincidence? I wonder.
Blogs are different to newspapers. You can get away with greater subjectivity in a blog than you can in a newspaper. But newspapers cannot absolve themselves of their responsibility for pure objective fact by calling a particular section a blog.
So when Martha Gill wrote about Anonymous in the Telegraph blog, it was wrong. Her headline says it all: Anonymous have been exposed as hypocrites. Watch them try to wriggle out of it (6 November 2013). You can hear the glee in her voice – this is personal, not factual.
Anonymous responded with an open letter to the media in general. It accused Gill of being inaccurate in one of her two accusations (that their masks are produced in what she strongly implies is a sweatshop) and hypocritical in another (that Warner Bros benefits from every sale of a mask). On the latter, Anonymous suggests that royalties are a sad fact of life; and wonders how many Telegraph staff support Foxconn by using Apple or Dell, Sony or HP equipment. “Since 2010, at least 17 deaths occurred when employees committed suicide by jumping from the roof of the building. To use a phrase from Martha Gill’s article, these are certainly ‘unpleasant conditions.’”
But in reality, this incident is just a small local battle in a much larger war. Anonymous – and it’s not alone – believes that much of the media has been bought and usurped by government and big business; and supports the agenda of government and big business to the exclusion of truth. It is no coincidence that there is a nationwide (US) march against corporate media planned for next Saturday:
We are planning a march and rally in Washington DC to raise awareness of the privatization, corporatization, and monopolization of the mainstream media and the corruption of our fifth estate. The failure of the corporate networks to adequately cover critical social issues has allowed for the rampant corruption of our political and economic system to go unquestioned and unchallenged.
March against mainstream media
If you have already thought about this, it cannot be denied. A few (very few) newspapers have kicked back in recent months with the Snowden revelations (notably the Guardian, Washington Post and Der Spiegel); but it’s also noticeable that the Guardian is under threat of prosecution in the UK for doing so.
And if you want a specific current example of this media betrayal, consider an EFF blog from Thursday: How Can the New York Times Endorse an Agreement the Public Can’t Read?
The New York Times’ editorial board has made a disappointing endorsement of the Trans-Pacific Partnership (TPP), even as the actual text of the agreement remains secret. That raises two distressing possibilities: either in an act of extraordinary subservience, the Times has endorsed an agreement that neither the public nor its editors have the ability to read. Or, in an act of extraordinary cowardice, it has obtained a copy of the secret text and hasn’t yet fulfilled its duty to the public interest to publish it.
TPP is the successor to ACTA. ACTA was defeated by European activism. It is dead. TPP allows the same provisions to be established everywhere else without European involvement. Once this is achieved, the new discussions on an EU/US trade agreement will be dragged into the same agreements – it will be inevitable.
But where is the mainstream media’s concern over either? In defeating ACTA, the people made it very clear that they do not want ACTA – more specifically the internet-controlling, copyright-enforcing aspects of it. To understand the great Battle of ACTA, read Monica Horten’s new book, A Copyright Masquerade.
Rather than accept the will of the people, big business and government withdrew, regrouped, renamed and returned from a different direction, calling it TPP and being equally if not more secretive.
The problem is that the mainstream media is not on the side of its readers, but on the side of its owners.
Quite simply, the majority of US news outlets are owned by the same media companies that are lobbying in favour of trade agreements that will take over control of what appears on the internet, who can see what, and who goes where. Quite frankly, we can no longer believe what we read in the press any more than we can believe what government tells us.
If you are suffering from ‘shock fatigue’ (and who isn’t?) over the never-ending revelations on the extent and degree of NSA surveillance on all of us, then I can do no better than recommend you view NSA Files: Decoded – What the revelations mean for you. It is a single document that provides an overview of what we’ve learnt so far, and is interspersed throughout with brief videos on viewpoints from both sides of the fence.
If you are American, then you should be proud of the public debate that these revelations have prompted. If you are British, you should be worried about the lack of any public debate at all.
Britain’s spy agency GCHQ has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA)…
“It’s not just a US problem. The UK has a huge dog in this fight,” Snowden told the Guardian. “They [GCHQ] are worse than the US.”
Guardian, Friday 21 June 2013
But where is the public debate in the UK? It doesn’t exist.
To understand why, you have to consider the nature of the two countries. America was founded on a distrust of government (ironically, specifically the British government). Protection against government authority is built into the American Constitution. And to this day, Americans instinctively distrust big government.
Britain is different. Its democracy has grown slowly and peacefully over a thousand years. Brits instinctively believe that their government is good; Brits instinctively trust big government.
The result of Snowden’s revelations is that both governments are trying to justify their surveillance practices; but while the American government is on the defensive, the British government is decidedly offensive.
Meanwhile, in Britain, prime minister David Cameron accused the Guardian of damaging national security by publishing the revelations, warning that if it did not “demonstrate some social responsibility it would be very difficult for government to stand back and not to act”.
NSA Files: Decoded
Meanwhile, in Britain, government agents forced the physical destruction of the Guardian disks containing Snowden files:
The intelligence men stood over Johnson and Blishen [Guardian staff] as they went to work on the hard drives and memory chips with angle grinders and drills, pointing out the critical points on circuit boards to attack. They took pictures as the debris was swept up but took nothing away.
NSA files: why the Guardian in London destroyed hard drives of leaked files
Meanwhile, in Britain, Glenn Greenwald’s boyfriend David Miranda was detained at Heathrow for 9 hours and had his computer equipment confiscated because he was suspected of being a terrorist:
At the time I said that all the police had to do was justify the suspicion that Miranda was a terrorist as defined in the Terrorism Act; which would be easy.
Britain: the Miranda detention proves it is a police state in action
Meanwhile, in Britain, an emergency debate in Parliament did not discuss GCHQ overreach, but instead discussed the Guardian’s support for terrorists:
This debate, however, focuses on a narrower and darker issue: the responsibility of the editors of The Guardian for stepping beyond any reasonable definition of journalism into copying, trafficking and distributing files on British intelligence and GCHQ. That information not only endangers our national security but may identify personnel currently working in our intelligence services, risking their lives and those of their families.
Parliamentary debate: National Security (The Guardian)
Incidentally, Paul Flynn (a Labour MP) attempted a ‘point of order’:
On a point of order, Mr Caton. You are the guardian of the reputation of this debate, and so far it has demeaned Parliament’s reputation, because we have had two speeches that were written and read with no attempt to engage us in debate. This is McCarthyite scaremongering that disgraces Parliament.
Meanwhile, in Britain, the government’s pet poodle paper (The Daily Mail, if you hadn’t guessed) attacked the Guardian:
Stupendous arrogance: By risking lives, I say again, the Guardian is floundering far out of its depth in realms where no newspaper should venture…
Stephen Glover, 9 October 2013
Put quite simply, the British government has very successfully managed to turn attention away from its surveillance programmes and against, instead, the newspaper that exposed it. The message is irrelevant, it suggests — it is the messenger that should be shot.
It is time, I suggest, for the British people to understand that its government cares not a jot for the British people, nor for democracy, nor freedom, nor liberty. It cares more for secrecy; and demands to be left alone to carry on unchecked. It is time for Brits to learn to distrust their government.
To find the criminal, you must follow the money. To find the collaborator, you should follow the favours.
Now, if this principle holds true, we’ve got a good game to play – finding which security firms collaborate with government agencies by looking at which companies ingratiate themselves most, and which companies receive the most government favours.
Remember, this is a game. The rules are similar to those used by law enforcement agencies in their own game called Find the Terrorist: one red flag if the suspect denounces the invasion of a foreign land; two red flags if he or she accuses the government of lying or expresses sympathy with Anonymous; three red flags if a Moslem country is visited and so on. Six red flags and you’ve found a terrorist.
In our game, the following are worth one red flag:
- production of absurd statistics that support government policy (such as the cybercrime cost figures generated by McAfee and BAE Systems Detica)
- continuing success against all natural market forces (such as Microsoft Office, when there are better free products such as Open Office and Google Docs)
- purchase of key personal data companies that are outside of core business (such as EMC buying RSA, and Microsoft buying Skype)
- existing accusations of collaboration (such as BT over Tempora, and backdoors in Windows)
- directly accusing foreign governments of involvement in specific cybercrimes when in reality there can be no objective proof (such as Mandiant’s famous accusations against Comment Crew, and various firms’ terminology that implies that ‘hackers in China’ really means ‘Chinese government hackers’).
The following are worth two red flags:
- preferential treatment that does not make economic sense (such as government insistence that costly products – eg MS Office – are used in government departments, schools and examinations – in preference to free products like Open Office)
- sudden increase in direct government-inspired attacks against the major competition (such as those against Google – so who is Google’s primary competition? Note, this doesn’t mean that Google is innocent.)
The following are worth three red flags:
- direct government ‘approval’ (such as the elevation of Mandiant, Detica, Cassidian, and Context to CESG’s Cyber Response Scheme)
- active support for proposals that will make government surveillance more simple, such as support for the Communications Bill in the UK, or the Trusted Computing Platform anywhere.
There aren’t any…
…because you can’t lose. All security firms collaborate with government to one degree or another. If they don’t do it willingly, they do so under coercion; and if they don’t do it yet, it’s because they haven’t been told to, yet. But they do or will do it. The only way for a company to avoid collaborating with government is to shut down – like Lavabit.
When the UK government talks about ‘transparency’, it means being transparent with our data, not government behaviour. Transparency doesn’t mean telling the people what the government is doing, or providing proof to justify its actions – it means selling the personal information of ordinary people to the highest bidder.
And when it doesn’t have enough personal data it furtively sets about getting more. Like secretly collecting the private communications of everyone. Like planning a national DNA/ID database hidden within the National Health Service.
A year ago, the government asked “Stephan Shakespeare, Chair of the Data Strategy Board and CEO of YouGov, to look at our progress so far on opening up public data and set out his assessment of how the Government should best use PSI [public sector information] to support economic growth… Stephan consulted with leading industry experts, businesses and academics in the field as well as undertaking a comprehensive market assessment of PSI.”
But he didn’t talk to you and he didn’t talk to me. And ‘public sector information’ is our information not his, and not the government’s.
Here’s a flavour from Shakespeare’s report:
In our consultations, business has made clear that it is unwilling to invest in this field until there is more predictability in terms of supply of data. Therefore without greater clarity and commitment from government, we will fail to realise the growth opportunities from PSI.
It is important to note for such a strategy that the biggest prize is freeing the value of health, education, economic and public administrative data.
Quite clearly, without any consultation with the people, the government is being urged to be transparent with business on exactly what it is willing to sell; and that the most valuable data is our personal health records, our educational records, our economic status, and other information held about us by the local authority.
And the government’s response to this? One word:
This is government transparency – selling our privacy to the highest bidder. Are we really happy to just let this happen?
For most of my life I have been opposed to proportional representation. I had been swayed by my politics tutor as a student: PR leads to weak governments and the people need a strong government.
That may have been true in the past. It is not true today. Years ago, politicians were basically good. Today, politicians are basically bad. The art of lobbying has become an efficient science; and vocational politicians have been replaced by money-worshipping, expenses-fiddling, favour-selling careerists.
It is possible to get very rich through a career in politics, but only if you achieve high office. Backbenchers are poorly paid. The higher the office, the greater the rewards – so all backbenchers aspire to ministerial positions. This is basically achieved by brown-nosing the PM and Cabinet; and the PM to stay in the Cabinet.
The result is inescapable: we do not have government by Parliament, nor even government by Cabinet: we have government by the Prime Minister. And this is precisely where and why we do not need a strong government. A strong government simply means that the Prime Minister is free and able to do whatever he wishes.
Democracy now needs a weak government. But the first-past-the-post electoral system used in the UK makes it very difficult for any more than two parties to gain the number of parliamentary seats that reflects the number of national votes – and almost impossible for fourth and fifth and sixth parties to get any seats at all.
Normally we get a left-of-centre Labour government or a right-of-centre Conservative government with very little difference between the two and no chance of new ideas like environmental protection (Greens) or European secession (UKIP) or internet freedom (Pirate Party) being seriously heard.
Instead we get the whim of the PM steam-rollering the wishes of the lobbyists through the Conservabour party. A case in point is the Communications Data Bill – a bill that is wanted by the copyright holders and the intelligence agencies but just about nobody else.
The current government is a coalition; but only just. That coalition has forced the prime minister to think again about the Bill (he still wants it, and he’ll still get it, of course). But that is precisely why we need multi-party coalition governments – to stop the steamroller and make the prime minister horse trade over his (or her) more ridiculous and draconian wishes.
The irony is that weak governments make for strong democracy – and we’ll only get that in the UK with proportional representation.
One thing that RSA week always brings is dozens of new surveys and research reports. I looked at three for Infosecurity Magazine on Friday:
- 2013 Security Report (Check Point)
- Targeted attacks and how to defend against them (Trend Micro/Quocirca)
- Managing information security: Public sector survey report (Clearswift/SPS)
They are all looking at different issues, but there is a common finding in all of them – a disconnect between recognising a threat and taking the right or adequate action to mitigate that threat. More specifically, they all say that the public sector is the worst offender.
From Check Point we learn that government is the leading offender in the use of high risk applications (remote admin, file storage and sharing, P2P file sharing, and anonymizers). In particular government is more likely than any other sector to suffer an incident that could lead to data loss at least once every week; and government is the leading offender in sending credit card information to external resources.
From Clearswift we learn that “Despite 93% of [UK public sector] organisations sharing sensitive information with external partners, 30% don’t view information security as a high priority when selecting a partner.”
Trend Micro, commenting on its own report, says, “Public sector respondents were guilty of a worrying level of complacency, with over a third claiming targeted attacks are not a concern, despite 74 per cent of such organisations having been a victim of these attacks in the past.”
Put quite simply, government cannot and must not be trusted with our personal information. In the UK, this is the government that plans to build a national DNA database within the NHS; and that wishes to be able to intercept our private communications at will. For the sake of our security, it must be stopped.
“Britain is target of up to 1,000 cyber attacks every hour” says the headline in a Telegraph article today. It comes from William Hague, UK Foreign Secretary, in his latest interview with the media.
What neither Hague nor the Telegraph do is explain where this figure comes from, nor what type of attack is meant. Last month the White House was breached by Chinese attackers who gained access to US nuclear secrets. The reality is there was a single, but unsuccessful, phishing attack that got past the primary defences. You have to wonder if similar disinformation is at work here.
If we’re talking about ‘all’ attacks, then I would suspect this is an unrealistically conservative figure – 1000 attacks per second – scam, spam, skiddie probes, phishing et al – would be more realistic for the whole of the UK. But limiting the figure to just 1000 makes the reader assume this is 1000 serious, APT-style attacks against the critical infrastructure alone. The problem is, no details are given, leaving the reader to assume the worst.
This lack of detail pervades the entire article/interview.
Hackers and foreign spies are bombarding government departments and businesses around the clock in what has become one of the ‘greatest challenges’ of modern times.
As well as targeting state or trade secrets, the cyber criminals and anarchists also try to disrupt infrastructure and communications and even satellite systems.
Britain is target of up to 1,000 cyber attacks every hour
Anarchists threaten the internet? Really? Typical fear-mongering, reminiscent of the Russian hacker who attacked a US water utility (not), or the attack on Brazilian power supplies that turned out to be soot on the insulators.
This speech is just another fear-mongering attempt by the government to ease the passage of the Communications Bill, and is typical of the sort of government warnings, on both sides of the Atlantic, that always precede new legislation.
That’s not to say the internet is safe. It isn’t. There are problems, lots of problems and serious problems. We think we’re secure when we’re not. But that’s not the underlying message from Hague and GCHQ. The underlying message here is that terrorists (and anarchists!) are attacking the UK, and the only solution is to pass more laws giving government more powers and us less liberty. The security industry joins in with this conspiracy by leaping on every word the government utters – even though they said it first – and claiming government endorsement of the need for business to buy their products. Government wants our liberty and the security industry wants our money.
But it’s the final two paragraphs of this article that should worry us most.
The Intelligence and Security Committee, appointed by the Prime Minister, believes Britain should declare cyber war on states and criminals who target the country by using aggressive retaliatory strikes to destroy their own operations.
Security and intelligence agencies should be willing to engage in covert cyber attacks on enemy states using programs such as the Stuxnet virus that targeted Iran’s nuclear ambitions, the committee members say.
The worrying thing is not the sentiment – we’ve already been doing that for years. The worrying thing is that government is now openly advocating what it is already doing secretly. The implication is that if things are that bad, we’re effectively at war. War invariably involves martial law. Martial law of the internet is what the government is after. If we think we are at war, attacking and being attacked, we are more likely to accept the draconian laws that the government wants to enact – for our own safety.
We are being manipulated into accepting the loss of liberty. It is disgraceful that a newspaper like the Telegraph should support this manipulation.
Confidential and for internal eyes only
This basic demand template is suitable for all demands for all personnel in all branches.
Please note that only the subjects change.
- budget is interchangeable with law, personal information, surveillance etc.
- spam is interchangeable with any occurrence whatsoever
- China is interchangeable with greatest perceived threat du jour
- Congressman Rogers should be replaced by your own name
- ‘no match for’ should be replaced by an expansion of 3
Empirical evidence suggests a 99% success rate based on this template, but expect a three-month turnaround. Once complete, change the names and start again with the next requirement.