Lavabit and Silent Circle have joined forces in the Dark Mail Alliance. The intent is to develop open source secure email available to everyone – and given the pedigree within the two companies, they may just achieve it. My story on the Alliance is here on Infosecurity Magazine.
The danger is that in solving one problem the Dark Mail Alliance may leave us with a worse one. If they succeed in securing communications against the likes of GCHQ and the NSA, are we to believe that the spies will say, ‘Oh, well done; we might as well give up on spying and go home?’
That’s a rhetorical question, because of course they won’t. The intelligence agencies may lose battles, but they never concede wars. We should have learnt that when we thought we won the First Crypto Wars. We didn’t. They withdrew, regrouped, and launched a more stealthy attack; which Snowden has demonstrated they have been winning hands down.
The same thing will happen again. If they cannot get at our communications, they will withdraw and try something different. And here’s the danger. If they cannot attack our communications, they will attack our computers.
One route, and one great danger, already exists: the Trusted Computing Platform. Under the guise of providing us with secure computers, governments, agencies and big business suppliers will con the public into using computers secure against all malware except government malware – which we will know nothing about.
So expect this: if the Dark Mail Alliance succeeds, there will be greater emphasis and publicity in getting us to accept the false precepts of the Trusted Computing Platform. We must not.
It’s the throwaway last comment in yesterday’s Le Monde report on NSA spying that worries me most: “In Europe, only Germany and the United Kingdom are beyond France in terms of number of interceptions. But for the British, this was done with the consent of their government…”
Did you know that? That the British government specifically allows the NSA to spy on British citizens? How bloody dare they!
But when you think about it, it’s fairly obvious. Britain is now a full-blooded police state, controlled by MI5, GCHQ and now including the National Crime Agency. How much do you know about Tempora and other GCHQ surveillance programs? I’m willing to bet that it’s very little, just a few passing comments in the Guardian and other serious newspapers.
The whole thing has been effectively stifled by the government and its agencies. Government officers entered the Guardian’s premises and forced and oversaw the physical destruction of the hard drives containing Snowden’s documents. In Washington, British agents called on the editor of the New York Times and asked her not to publish Snowden’s documents. Luckily she was protected by the US constitution, and declined. But back in the UK, the government’s lap dog known as the Daily Mail published an opinion calling the Guardian irresponsible and accusing it of putting lives in danger.
And all the time the British government ceaselessly works to undermine the European Union’s proposed data protection law, claiming that it will stifle growth and burden business. Palpable nonsense. Cameron and his cohorts simply fear that it could put a stop to its secret surveillance programs.
Right now a group of civil liberties organizations is taking the government to the European Court over GCHQ’s illegal activities. Britain’s response? To threaten to abolish the Human Rights Act and remove itself from the European Court’s jurisdiction.
Frankly, it all beggars belief. But you’d better believe it, because this is Britain today.
Censorship. It’s an emotive word. And always wrong, right? Wrong.
You see, people confuse censorship with choice. And when it’s really a question of choice, it cannot be wrong. Consider the recent ‘censorship’ of hard core self-published books by organizations like WH Smith and Amazon. Amos Kepler wrote (14 October 2013):
My books have been banned by WHSmith… If anything, the books being controversial is one more important reason to sell them and feature them. Censorship and oppression of free expression are never okay!
My books have been banned by WHSmith
SM Johnson wrote (13 October 2013):
Well. It seems one of my books has been censored by Amazon… This is one of those “big bads” that NEEDS to be publicized. If we ever needed a shit-storm about anything, it’s THIS.
Erotica Authors – Amazon Censorship Alert
But this isn’t censorship, this is choice. It is the choice of the publisher (in this instance WH Smith and Amazon) to sell or provide what they choose (or in this case, not sell what they don’t choose). We would not describe Harrods’ disinclination to sell Happy Shopper beans as censorship of baked beans requiring a shit-storm of protest — so why should we do so about WH Smith and Amazon? After all, you can still get Happy Shopper beans from Happy Shopper — and you can still get hard core from hard core shops.
Censorship is different. It is the removal of choice. It does not say, you cannot have this from us; it says no-one can have this from anyone, at all, period — and with censorship, WH Smith and Amazon would have no choice over what they wish to sell or not sell. There’s a big difference.
WH Smith and Amazon are not censoring these books; they do not have the ability to do so (the books will be available elsewhere, even if only from the authors’ own websites). WH Smith and Amazon are choosing not to make them available from their sites. And it is their right to make that choice.
Censorship is when an organization prevents all access to information or ideas or art that would otherwise be available. Governments can do it. ISPs can do it. Bookshops cannot.
So if we go back to our first paragraph, censorship is always wrong, right? Right! But choice is not; and we should not confuse the two. Claiming that a bookseller’s decision not to sell a particular book is censorship weakens the argument against genuine, serious censorship. Genuine censorship is not merely wrong, it is dangerous. Bookshops deciding not to sell hard core is not censorship.
Direct from, and thanks to, TorrentFreak…
[Italian] Police say they have raided the “operational headquarters” of a massive movie streaming organization which cost the entertainment industry a mind-boggling €330m ($445m) after a year online, something not even Megaupload achieved. During the raid Italian police seized lots of “new generation” computer equipment and drove a suspect away under flashing lights…
Cast your mind back to the Megaupload seizure, and you’ll probably see black helicopters, machine-gun toting special forces and tons of drama. The only thing missing is a film of the event.
The Italians – not a country to miss a photo opportunity – were not so reticent. The Italian Guardia di Finanza filmed their dramatic raid on this newer pirate; and it has to be seen to be believed. I make no further comment (but watch out for the lady cop and draw your own conclusions).
Earlier this evening I was reading Jonathan Strange and Mr Norrell. For no particular reason that I can remember, I had Radio 4 softly in the background — and I slowly became aware of a BBC report on the Snowden leaks. I started listening, briefly, and then switched off in disgust and returned to Mr Norrell.
The BBC was doing what it now does best — twisting the truth, limiting the content and generally justifying its government masters.
Now I didn’t hear much of this. I really couldn’t stomach it. But there are two things I remember: that the Snowden leaks have not given any specific examples of law breaking; and that all States have legitimate state secrets.
Not broken the law? Really? Well, as far as Americans are concerned, that is arguably true. First of all, the NSA is legally entitled — indeed, required — to spy on non-Americans. It breaks no American law in doing so. And as far as spying on Americans is concerned, a secret US court, designed for the purpose, operating in secret and hearing no arguments from anyone other than the government, says it’s legal.
Therefore the NSA truthfully has broken no US laws. But it breaks national laws all around the world. Seriously, is it legal in Europe to spy on European institutions? Is it legal in Brazil to impersonate Google and spy on the state oil company? Is it legal to spy on the EU embassies in the US, which are technically not part of the US? Is it legal to collect the financial details of European citizens?
So you could argue that the BBC report was technically correct, but hugely misleading.
The second ‘claim’ that disturbed me was the suggestion — no, more like an assumption that we must all accept — that the state has justifiable secrets that we have no right to know. Sorry. No. It hasn’t.
The state has no right to withhold information from me, or from you. And that is because we are the state. There is no such thing as ‘the state’ that is separate from the people. The people are the state. For some individuals to say, ‘we are the state and we are separate from you and we have things that we will not allow you to know’ is an act of aggression by those individuals against the people.
And the BBC, in broadcasting such misleading comments and promoting such authoritarian views, becomes a party to that aggression.
Well, I guess that’s as official as we’re likely to get: GCHQ hacked Belgacom.
The reasoning is this…
The European Parliament’s Civil Liberties, Justice and Home Affairs committee (LIBE) is conducting a series of hearings to investigate the ‘Prism scandal’. Yesterday it held the latest in the series: “Allegations of ‘hacking’ / tapping into the Belgacom systems by intelligence services”. Statements were expected from two high-ranking Belgacom executives, and Sir Iain Lobban, director of GCHQ.
After the event, LIBE issued its statement. In full, it reads:
Civil Liberties Committee MEPs expressed their regret on Thursday that the British Government Communications Headquarters (GCHQ) had declined their invitation to take part in a hearing on the alleged hacking of Belgian telecoms firm Belgacom’s servers. Belgacom’s top managers would not confirm or deny media reports that UK intelligence services were behind the attack.
First of all I consider it grossly discourteous for Lobban to fail to attend. This committee comprises elected representatives of the people who pay his wages and on whom he spies.
And then – forgive me for being simplistic – but I have a general principle on such matters: The innocent will never say they are guilty, but can always say they are innocent. The guilty cannot admit guilt, cannot lie, and therefore say nothing.
By avoiding having to say anything, Lobban did not say he didn’t do it – therefore the huge likelihood is that he did. And as for Belgacom, by not saying it wasn’t GCHQ, the huge likelihood is that it was. It’s called the science of gut feeling; and it is usually pretty accurate.
But there’s another issue here. The UK is a member of the European Union. What is the point of having a legal union if individuals can simply ignore the elected representatives of the union? And by what moral, if not legal, right does Lobban decline an invitation to attend a hearing being held by one of the most important political committees in Europe?
Have you ever wondered why we hear of a new hack every day? Well, here’s one reason – the arrogance and denial of some of our security managers.
A couple of months back I was speaking to Ilia Kolochenko, the CEO of a pentesting firm called High Tech Bridge. I asked him if pentesting was really necessary. Well, he said, just this morning I found flaws in [several high-profile media websites] that could, if cleverly exploited, lead to the complete owning of the networks concerned.
Needless to say I was interested. I asked him if he could find more, and laid down a few conditions to ensure that these weren’t old vulnerabilities that he already knew about. He delivered the goods, and the full story was published in Infosecurity Magazine: Infosecurity Exclusive: Major Media Organizations Still Vulnerable Despite High Profile Hacks.
Before publishing the story, all of the companies were notified and given a period of time to correct the flaws. Here’s a sample of the notifications:
Last week I accidentally found an XSS vulnerability on your website that allows an attacker to steal visitors’ sensitive information (e.g. cookies or browsing history), perform phishing attacks and do many other nasty things… [details of the flaw and proof]
Please forward this information to your IT security team, so they can fix it. They may contact me in case they need additional information and/or any assistance – I will be glad to help.
In some cases, where no vulnerability reporting address could be found, this or similar was sent to as many addresses as could be found.
Point one. Only one of the companies replied to the notification emails. This company basically said, thank you, fixed it. In reality it was only partly fixed and easily bypassed. So at the time of publishing the story, all of the websites had been contacted and given time to fix the flaw – but none of them had.
Point two. Shortly after publishing the story I received the following comments from one of the featured companies:
However try as I might I have found no-one at xyz inc who has ever heard of or from Mr Kolochenko, or yourselves, regarding any testing of our systems, vulnerabilities found, or in fact comments upon our security. Could you therefore please forward me [a copy of the several emails we had already sent].
Needless to say we did this, including an automated receipt email that proved that xyz inc had been sent and had received the email.
This head of xyz’s security then went on to accuse me of writing an advertorial for Kolochenko. He added,
…the vast majority of reported attacks on media broadcasters and press organisations so far in 2013 have had nothing to do with external attacks on websites or online presence, and the Syrian Electronic Army in particular have never used this attack vector – every one of their successful breaches has been the result of a phishing attack, which Mr Kolochenko’s tools will do nothing whatsoever to obviate.
This, of course, is both wrong and irrelevant – how the SEA’s preference for phishing (which could have been made easier by exploiting this vulnerability anyway) somehow protects xyz inc is beyond me.
The simple fact is this head of security was more concerned with deflecting any blame from himself, denying any vulnerability in his system and accusing me of lacking professional standards than in actually finding and fixing said vulnerability. A little humility and acceptance of help from security researchers might go a long way to making the internet a safer place.
Postscript. Following publication of the article, the websites in question fixed the flaws. As far as xyz inc is concerned, Ilia subsequently received a further email:
We have now pushed out a fix for this vulnerability. Thanks very much for bringing this to our attention.