Archive for June, 2013

Greenwald on Snowden: there is more to come

June 30, 2013

A partial transcript of Glenn Greenwald’s talk at the Socialism Conference in Chicago last Friday is available on The Dissenter. It should be required reading for all aspiring journalists and part of any school of journalism’s syllabus. For anyone just emerging from a long coma, Greenwald is the Guardian journalist who published the Edward Snowden revelations about the NSA and GCHQ secret surveillance programmes.

For me there are two big takeaways: that the Snowden revelations have exposed as much corruption within the mainstream media as they have within the intelligence services; and there is much more to come from Snowden.

Let’s take the former first. Governments cannot deny the revelations, so they are left with two options: downplay the effect and discredit the sources. So we get politicians saying loss of privacy is a small price to pay for security; if you don’t do anything wrong you have nothing to fear; we operate strictly within the law and uphold the rule of law. All of these are false, misleading arguments; but are rarely challenged by the media.

We also get a steady stream of suggestions and innuendo that denigrate both Snowden and Greenwald. Snowden is a fame whore traitor who has endangered the life of NSA agents and put the public at greater risk of terrorist attack; and he was probably in the pay of the Chinese government anyway. None of this is supported by any serious argument or fact. Greenwald, of course, is as much a traitor and should be prosecuted for espionage for doing his job as a journalist – that very job that most other journalists shy away from.

For the latter — that there is more to come — Greenwald said of one coming soon, “It talks about how a brand new technology enables the National Security Agency to redirect into its repositories one billion cell phone calls every single day, one billion cell phone calls every single day.”

Verbatim from the transcript, Greenwald added:

What we are really talking about here is a globalized system that prevents any form of electronic communication from taking place without its being stored and monitored by the National Security Agency. It doesn’t mean they’re listening to every call. It means they’re storing every call and have the capability to listen to them at any time and it does mean that they’re collecting millions upon million upon millions of our phone and email records. It is a globalized system designed to destroy all privacy and what’s incredibly menacing about it is it is all taking place in the dark, with no accountability and virtually no safeguards and the purpose of our story and the purpose of Edward Snowden’s whistleblowing is not singularly or unilaterally to destroy those systems. The purpose is to say that if you the United States government and the governments around the world want to create a globalized surveillance system in which we no longer have any privacy in our individual lives or on the internet you at least ought to have us know about it, have you do it in the sunlight so that we can decide democratically whether that’s the kind of system and the kind of world which we want to live.

It is probably knowledge of that to come rather than that already revealed that has persuaded the US government to block access to the Guardian for US soldiers. After all, they have all sworn an oath to defend the US Constitution; and the real enemy of the Constitution is now a moot point.

Categories: All, Politics, Security Issues

Facebook updates, and updates and updates its Android app

June 26, 2013

Back in April Google amended its Google Play developer policy. It was a simple addition: “An app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.”

Simple, but far-reaching. At a stroke, it eliminated the growing threat of ‘silent updates’ to Android apps. At the time, many people thought it was specifically aimed at arch display advertising rival, Facebook. It probably was.

Facebook had been secretly experimenting with silent updates to its new Facebook Home app. Once an app has been installed with acceptable and accepted permissions, it is able to update itself secretly with new and expanded permissions (silent updates); that is, without telling the user what is happening, or what new permissions are being granted.

But by forcing those updates to go via the Play Store, Google is able to stop them being ‘silent’. Good job, really. Facebook’s Android app has been updated — but provided you got it from Play, it cannot update itself silently.

Sarah A. Downey, a lawyer and privacy strategist with Abine, did a simple blog: eighteen words and a graphic compilation of three screenshots:


[Image: 3 pages of Facebook permissions]


Her comment: “Really, Facebook? Three screens of permissions? No thanks. We don’t have that kind of relationship.”

Says it all really. If Google hadn’t insisted on updates via Play, you might never have known about this update. And if you side-load an app — for example, straight from Facebook — you might still never know about it.

So, two lessons: get your apps from Play; and dump Facebook anyway.

Categories: All, Security Issues

A hack by any other name tastes just as bad

June 23, 2013

What is a hack? No, seriously, I need to know.

Last weekend the People/Mirror reported that Scout7 had been hacked and Manchester City’s scouting database compromised.

Scout7 came back and said it hadn’t been hacked and the integrity of its systems was sound. But City’s database was accessed by someone other than City.

Scout7 was saying that as far as its systems were concerned, it was a legal access via genuine credentials — implying that City must have lost, mislaid, or had its password stolen. It’s an interesting idea. The implication is that if you lose your house-keys and someone finds them, gets in while you’re out, and reads your personal, private diary, you haven’t been burgled.

That, of course, is emotionally absurd. But Scout7 is saying that it (the housebuilder) cannot be blamed for the burglary and doesn’t need to do anything about it. We’ll come back to that.

Meantime, how does this apply to ‘breach notification’? Is a breach a hack? Is the illegal use of legal credentials by a clear bad guy something that will require notification? Will companies be able to claim, we weren’t breached because the hackers got in through legitimate passwords, therefore we don’t need to tell anyone?

Incidentally, Kurt Wismer has an interesting story equally hinging on lack of semantic clarity: was the poor targeting in Stuxnet down to some lax manager saying, ‘make me a virus’, when he really meant, ‘make me a trojan’? Worth reading.

But back to Scout7. No, it cannot avoid its liability by implying it was a customer’s fault for losing his/her password. We all know that passwords do not provide adequate access security. So relying on them, and not adding a second factor to the access control, is effectively building something not fit for purpose. So as far as I am concerned, it got hacked.

Categories: All, Security Issues

That’s not surveillance. THAT’s surveillance…

June 23, 2013

“Just kids having fun,” said Paul Hogan to Linda Kozlowski. “Have fun and make the most of it,” says a GCHQ training slide. GCHQ are just kids having fun.

While the NSA has been faffing around getting secret court orders to allow access to the data of large US cloud providers, GCHQ goes straight to the heart of things: it monitors everyone, everywhere, all of the time.

Not for us Brits the inconvenience of secret court orders based on secret interpretations of contentious laws. Ignore the law. No fear: just do it. Tap the very fibre arteries that carry the world’s communications and listen to everyone.

The UK and USA are governments out of control, where the secret police spy on all of us, all of the time. In the UK we’ve known for a long time that we’re the most camera-watched nation in the world. Now we know that we are the most cyber-watched nation in the world. They watch where we are, where we go, what we do, who we speak to and what we say.

They say they keep the details for just 30 days. Do not believe them. It is not credible to think that agencies that go to this trouble to collect information just delete it after thirty days. It is stored somewhere: information is power.

Now add the growing efficiency and sophistication of big data analytics and you get dragnet robots looking through our private communications seeking out tenuous connections that could be problematic for the government.

And the audacity of the intelligence services is matched only by the sophistry of the politicians. The loss of a little privacy is an acceptable price for security. Pure sophistry. Everything is done within the law. Pure sophistry. It prevents terrorism. Pure sophistry. We only engage in targeted surveillance. Pure sophistry.

If what our politicians tell us isn’t downright simple lies, it is words consciously meant to mislead. If what GCHQ does is within the law, the law must be changed. If the politicians are unwilling to change the law, then the politicians must be changed. And if they will not go, they must be made to go.

Every single person who values his or her freedom must now stand up. The government must change or go — or be made to go.

Categories: All, Politics, Security Issues

European regulators say Google is breaking European privacy laws

June 22, 2013

You have to feel sorry for the ICO (Goodle): it’s in an invidious position. The overwhelming view of the Article 29 Working Party (i.e., the collective representatives of all EU member states’ data protection regulators) is that Google is breaking European laws with its aggregated privacy policy.

Goodle (that is, the UK’s ICO) is friendly with Google. You can see that in its behaviour over Street View (the collection, inadvertent or otherwise, of personal wifi data while driving round the streets of the world). Germany fined Google over it. Goodle just said stop it, don’t do it again, and get rid of what you’ve got.

When Google didn’t get rid of it, Goodle had to get really tough, and say get rid of it now, because we really, really mean it this time!

But back to Article 29. Problematically for Goodle, the UK is one of six EU member states chosen to take enforcement action against Google. CNIL, the French regulator, has already completed its task. It has instructed Google in exactly what it must do to come into conformance with French laws. Google has three months to comply before CNIL levies a fine.

Spain is likely to be next. The Spanish regulator announced on Thursday that it has “found evidence of five serious privacy law breaches — each punishable with fines of up to 300,000 euros ($395,000).” (AFP) An enforcement notice with threats will likely follow shortly.

Germany is hardly likely to take a softer line – generally speaking it is tougher than most other EU nations on matters of personal privacy (some can remember Nazi Germany, and most can remember Stasi Germany).

Then we have Italy, the Netherlands, and of course Goodle. My bet is that Italy and the Netherlands do the same as France and Spain. But what then? What about the UK? What’s a good Goodle to do if all the other nations slap Google as hard as they can? It’s a difficult position for a loyal Google Poodle.

Categories: All, Politics, Security Issues

Why we don’t need to worry about the PATRIOT Act

June 20, 2013

A senior US businessman recently told me (this was before PRISM erupted), “Europe worries too much about the PATRIOT Act being used to spy on people. The simple fact is, everyone’s doing it.”

It was like being told not to worry about that man shooting at me because there are other people with guns aimed at me as well.

Categories: All, Security Issues

Mandiant: what planet do you live on?

June 18, 2013

When Mandiant released its report on Chinese hacking, my response was:

Thing is, I don’t trust Mandiant…

So for me there is a slight suggestion that perhaps there is another motive behind this report. And that’s where the closeness of Mandiant with the UKUSA government worries me.

(From: Mandiant says it was the Chinese military what did it)

When you say something like that, you always wonder, ‘was I right, did I overreact, have I been unfair?’

Well, I didn’t overreact and I wasn’t unfair. Today Mandiant published a comment on the US/China summit, 7-8 June. This is the final paragraph verbatim:

Washington and Beijing have different visions for the future; cyber espionage is one of the obstacles that prevent these two visions from being compatible. While Washington has attempted to shape Beijing into a responsible global partner in its own image over the last decade, the PRC has its own vision for the future including former PRC President Hu Jintao’s “Peaceful Rise” and now Xi’s “China Dream.” Although Beijing does not openly advocate corporate espionage, this tool has and will likely continue to be a key component in allowing the PRC to achieve its long-range economic and technology goals in a timely manner. For that reason, Beijing probably will not be willing to give up cyber espionage easily and it would take more than moderate diplomatic pressure to make them change this position.

(Source: U.S.-China Summit: Beijing’s Diplomatic Calculus for Continued Rejections of Cyber Espionage Accusations)

I’ve read this several times and frankly just wonder if Mandiant is on the same planet as the rest of us. Prism? Verizon? Spying on the Russian president? Hypocrisy is the mildest word that comes to mind.

Categories: All, Politics, Security Issues