Archive for the ‘Politics’ Category

Diplomat to be new head of GCHQ

April 16, 2014 Leave a comment
Robert Hannigan -- new head of GCHQ

Robert Hannigan — new head of GCHQ

The new head of GCHQ is neither a spy by trade nor a hard-hitting political bully — he is a diplomat. Robert Hannigan, selected to replace Sir Iain Lobban, as head of Britain’s spy agency GCHQ comes out of the Foreign Office and is a former adviser to Tony Blair in Northern Ireland.

Ex-colleagues say choice of Foreign Office diplomat as GCHQ chief suggests government is leaving door open to reform
Robert Hannigan: GCHQ director who can balance secrecy and accountability — Guardian

The implication is clear: maybe, just maybe, Cameron has realised the severity of not just public concern and distrust over GCHQ, but the dismay of our European political allies. It will take some serious diplomacy to soothe some very ruffled feathers. It already seems likely the Britain will be excluded from the EU’s Schengen-routing and Schengen-cloud (see here for details); and that would put the country at a severe trade disadvantage in our most important export market.

The Guardian goes on to give an example of Hannigan’s diplomacy:

Hannigan rose from being the head of communications in the Northern Ireland Office to running its political affairs department. At one particularly critical moment in the peace talks in 2007, Hannigan helped overcome an impasse between Sinn Féin’s Gerry Adams and the DUP’s Ian Paisley. The latter wanted an adversarial arrangement with the parties glaring at each other across a table; Adams wanted them sitting side by side, as partners. Hannigan suggested a diamond-shaped table as a compromise.

The best of all possible worlds will be that Hannigan’s brief is to open up GCHQ to some form of public transparency. The greater likelihood, however, is that his brief is to pull the diplomatic wool over everyone’s eyes to allow GCHQ to continue as is.


Categories: All, Politics, Security Issues

Is it safe to carry on using Dropbox with Condoleezza Rice on the Board?

April 14, 2014 Leave a comment
Drew Houston, Dropbox (Wikipedia)

Drew Houston, Dropbox (Wikipedia)

No. How could you even ask? Leopards do not change their spots except on the road to Damascus; and Rice was too involved in the road to Baghdad with warrantless wiretapping along the route.

And what is Drew Houston, founder and CEO of Dropbox even thinking? On 9 April he blogged:

Finally, we’re proud to welcome Dr. Condoleezza Rice to our Board of Directors. When looking to grow our board, we sought out a leader who could help us expand our global footprint. Dr. Rice has had an illustrious career as Provost of Stanford University, board member of companies like Hewlett Packard and Charles Schwab, and former United States Secretary of State. We’re honored to be adding someone as brilliant and accomplished as Dr. Rice to our team.
Growing our leadership team

Condoleezza Rice, 2005 (Wikipedia)

Condoleezza Rice, 2005 (Wikipedia)

It is true that Rice has had an illustrious career. However, some of the bits not mentioned by Houston include being a board member of Chevron (one of the top six ‘supermajor’ oil companies) before becoming Bush’s National Security Advisor (the two positions actually overlapped for one month). As National Security Advisor she understood the need for the petrodollar invasion of Iraq and was a strong supporter of the 2003 invasion.

On Iraq’s weapons of mass destruction, the primary and false premise that justified the war, she said, “The problem here is that there will always be some uncertainty about how quickly he can acquire nuclear weapons. But we don’t want the smoking gun to be a mushroom cloud.” As Ming Campbell said of Tony Blair, you are either incompetent or lying.

There’s more. Rice was a strong supporter of the NSA’s warrantless wiretapping program; and it is claimed she personally authorised eavesdropping on UN officials. The Guardian reported on a leaked memo in 2003 instructing the NSA to increase surveillance “‘particularly directed at… UN Security Council Members (minus US and GBR, of course)’ to provide up-to-the-minute intelligence for Bush officials on the voting intentions of UN members regarding the issue of Iraq.”

The existence of the surveillance operation, understood to have been requested by President Bush’s National Security Adviser, Condoleezza Rice, is deeply embarrassing to the Americans in the middle of their efforts to win over the undecided delegations.
Revealed: US dirty tricks to win vote on Iraq war

Now, seriously, do we want a supporter of warrantless surveillance to be on the Board of a company that holds some of our most precious documents, photos and thoughts?

Categories: All, Politics, Security Issues

How much will the Senate report on CIA torture reveal about British involvement?

April 13, 2014 Leave a comment

As the world waits to see how much of the Senate report on CIA torture is left unredacted in its imminent release, the British government and some of its former members must be worrying about what will be revealed of their own involvement.

Cameron can claim it all happened before his time; but he can hardly claim he didn’t learn of it since. All the current evidence seems to suggest that the Labour movers and shakers, including Blair and then foreign secretary Jack Straw knew and hushed up British involvement.

Just over a week ago, the Telegraph reported:

“The politicians took a very active interest indeed. They wanted to know everything. The Americans passed over the legal opinions saying that this was now ‘legal’, and our politicians were aware of what was going on at the highest possible level.

“The politicians knew in detail about everything – the torture and the rendition. They could have said [to MI6] ‘stop it, do not get involved’, but at no time did they,” said the source, who has direct and detailed knowledge of the transatlantic relations during that period.
The Telegraph: Tony Blair ‘knew all about CIA secret kidnap programme’

Britain, of course, has its own torture investigation in progress. When Gaddafi was overthrown, the victors found documents

>that appeared to show that Sir Mark Allen, the former head of counter-terrorism at MI6, and other agents had been complicit in the rendition of Abdel Hakim Belhadj, who was captured by the CIA with his pregnant wife and sent back to Libya.
The Independent: Tony Blair ‘knew everything about CIA interrogation programme’

The Metropolitan police are investigating whether any MI6 officers should be prosecuted for involvement with torture.

At issue now is whether Diego Garcia, a British island leased to the Americans, was a CIA ‘black prison’. If so, it could not have been used as such without British approval.


Diego Garcia

Diego Garcia: a hell made from paradise by Anglo-American imperialism


On 9 April, Al Jazeera America reported,

The Senate report, according to Al Jazeera’s sources, says that the CIA detained some high-value suspects on Diego Garcia, an Indian Ocean island controlled by the United Kingdom and leased to the United States. The classified CIA documents say the black site arrangement at Diego Garcia was made with the “full cooperation” of the British government. That would confirm long-standing claims by human rights investigators and journalists, whose allegations — based on flight logs and unnamed government sources — have routinely been denied by the CIA.

It is possible that when the report is finally released, British approval will have been redacted. This would explain why Cameron remains silent. It is unlikely that he does not know what is included in the report. If British involvement is made clear, he probably believes that he can lay all blame at the feet of the previous Labour government. But either way, Britain and America are guilty of appalling behaviour both to and with the island of Diego Garcia:

Island of Shame is the first major book to reveal the shocking truth of how the United States conspired with Britain to forcibly expel Diego Garcia’s indigenous people–the Chagossians–and deport them to slums in Mauritius and the Seychelles, where most live in dire poverty to this day. Drawing on interviews with Washington insiders, military strategists, and exiled islanders, as well as hundreds of declassified documents, David Vine exposes the secret history of Diego Garcia. He chronicles the Chagossians’ dramatic, unfolding story as they struggle to survive in exile and fight to return to their homeland. Tracing U.S. foreign policy from the Cold War to the war on terror, Vine shows how the United States has forged a new and pervasive kind of empire that is quietly dominating the planet with hundreds of overseas military bases.
Island of Shame: The Secret History of the U.S. Military Base on Diego Garcia


Categories: All, Politics

Andrew Weev Auernheimer freed on an important technicality

April 13, 2014 Leave a comment

Just over one year ago, Andrew (Weev) Auernheimer was sentenced to 41 months in prison for downloading data that AT&T had left exposed on the internet. That data was the email addresses of more than 100,000 early iPad adopters; and was a major embarrassment for AT&T.

Perhaps because of the importance of AT&T to law enforcement; perhaps because of the celebrities and government officials included in the early adopters; the government prosecuted Weev under the Computer Fraud and Abuse Act.

The important point to remember is that Weev performed no hack, subverted no security defences — he merely downloaded (effectively by asking the site to give him…) the email addresses of AT&T customers. The implication of the government action against him is that any site could declare any data ‘prohibited’ after its download, and allow the government to prosecute anyone who had downloaded it.

It would also mean that much genuine and valuable security research — such as testing a website to see if it is vulnerable to the Heartbleed bug — and even the compilation of web search databases such as Google and Bing would be illegal.

Weev appealed his sentence, and one year and a bit later, on 10 April 2014, Third Circuit judges vacated the conviction.

weev free

The satisfactory outcome is that Weev has been freed from another government CFAA overreach. The unsatisfactory outcome is the cop-out manner in which it was done by the court.

The appeal was effectively over the misuse of the CFAA, and the location of the trial in New Jersey. Location is an important concept in US computer law. If the conviction had been allowed to stand, prosecutors would be able to cherry-pick from different state laws (as indeed they seem to have done with Weev) in order to maximise the penalty. But the law says that there must be a geographical connection between the crime and the prosecution.

In this instance Auernheimer was in Arkansas, his accomplice was in California, AT&T was in Texas with the server in Georgia — and Gawker (which published some of the email addresses downloaded by Weev) was in New York. But the government prosecuted him in New Jersey where state laws allowed a longer sentence.

Few people believe that Weev’s conviction and sentence was anything other than a miscarriage of justice. This view could have been upheld by the appeal court either on the misuse of the CFAA or the venue of the trial. It chose the latter because this meant it did not need to consider the former. The great news is that the conviction has been vacated; the disappointing news is that the CFAA itself has not been challenged and future overreach remains a distinct possibility.

Mandiant: has the leopard changed its spots in its first major report since being acquired by FireEye

April 10, 2014 Leave a comment

The Mandiant M-Trends 2014 Threat Report: Beyond the Breach, published today, is Mandiant’s first report since its acquisition by FireEye. Mandiant is a technically competent company (it was one of the original four companies chosen by GCHQ to take part in the pilot incident response scheme); but for me it is also a politically suspect company. The latter stems from its famous or infamous APT1 report from just over a year ago. That report very clearly accused the Chinese government of being involved with the APT1 hacking group, which it said was part of the People’s Liberation Army Unit 61398. This was at a time when it was politically expedient for the US government to hype the cyber terrorism threat, and to particularly challenge China. No other security expert or company that I have spoken to has ever suggested that it is possible to be so certain about the precise source of a cyber attack.

So I consider that there are two aspects to this new report worthy of consideration: firstly its content because of Mandiant’s expertise; and secondly, any political over- or undertones following the takeover by the more circumspect and therefore believable FireEye.

Jason Steer, director of technology strategy, FireEye

Jason Steer, director of technology strategy, FireEye

There are five sections to this report. Jason Steer, director of technology strategy (from the FireEye pedigree) guided me through them: some general statistics; a closer look at Syrian Electronic Army activities followed by an evaluation of ‘suspected’ Iranian activities; a look at financial attacks with particular focus on the retail industry; and then what amounts to a defence of the APT1 report.

The statistics come from Mandiant customers, but Jason pointed out that doesn’t mean only large companies. “Some of our customers have as few as 200 users,” he told me. It’s not the size of the company that would warrant FireEye/Mandiant involvement, but the value of the data to be protected. He mentioned small companies that might have a highly valuable Trading Floor algorithm to protect, or a patent on the transmission of power via laser.

Those statistics appear to show a very slight improvement in the state of security. Compromises are being detected up to two weeks faster than they were in 2012; but against this the number of breaches detected by the breached company is down from 37% to 33%. 67% of victims were warned of the breach by an outside source, sometimes a bank or financial institution, but “Law enforcement is one of the primary sources,” Jason told me. Agents watch and monitor the underground chat rooms, pick up hints and warn the victim. (Of course, if the victim is particularly unlucky, discovery may come via Brian Krebs and Hold Security and be exposed to the world via KrebsOnSecurity.)




One conclusion from the statistics could be that criminals and malware are getting better at hiding themselves on the network; but that law enforcement has become even better at infiltrating underground chat rooms.

The section on the Syrian Electronic Army provides additional lesser known facts about SEA’s methods. It is often suggested that SEA is unsophisticated and technically inferior to other groups. We don’t actually know this because it has been very successful in what it does and what it seeks: compromise sites and accounts for propaganda purposes. It needs little more than successful phishing, and its phishing has been very successful.

SEA“Since its inception in 2011,” reports Mandiant, “the SEA has successfully infiltrated more than 40 organizations, primarily targeting the websites and social media accounts of major Western news agencies.” But the effort used to do this is revealing. In one particular incident, Mandiant says, “All told, the SEA sent thousands of phishing emails to a large number of employees over the span of three hours. Despite having a success rate of only 0.04%, the phishing emails still allowed the SEA to harvest the credentials necessary to access the targeted resources. Within two hours of the first phishing email, the SEA obtained credentials for the news agency’s main website.”

The next section, Iran-based Activity, is particularly interesting since it gives clues on whether the Mandiant leopard has changed its spots. Mandiant had been called in to investigate a suspected breach at a state government office. Its investigation led it to believe that the attackers were probably Iran-based and not particularly competent.

Mandiant’s observations of suspected Iranian actors have not provided any indication that they possess the range of tools or capabilities that are hallmarks of a capable, full-scope cyber actor. They rely on publicly available tools and capitalize solely on Web-based vulnerabilities — constraints that suggest these cyber actors have relatively limited capabilities.

I put it to Jason that this is exactly how I would behave if I were a third-party agency, perhaps beginning with N or G, who for political purposes wished firstly to be discovered, and secondly to implicate Iran. “Absolutely,” he replied. “That’s why we have said ‘suspected’ Iranian involvement.” When you read this section you get the overwhelming feeling that Mandiant is accusing Iran – but when you examine the content you find the word ‘suspected’ repeated eight times (out of a total of nine throughout the whole document) at strategic points. It is, one might almost say, a suspected semantic insertion after the event.

If this sounds like a paranoid conspiracy theory, I would briefly refer you back to the very first page of the report. It says, “With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.” You cannot have a diplomatic solution to criminal activity. I suspect, then, that this report was always, or at least originally, intended to highlight the type of state-sponsored activity that could be swayed by diplomacy. If this is the case, a primary purpose of the report was to accuse Iran of state-sponsored cyberwar – and the leopard has not yet changed its spots.

This conclusion is possibly confirmed by the final section of the report which is an analysis of the period since Mandiant’s APT1 report last year. It starts with that ninth use of the word ‘suspected’: “January 2013 marked the first large-scale public disclosure that an advanced persistent threat (APT) group with suspected ties to the People’s Republic of China (PRC) had compromised a key U.S. media company: The New York Times.” The rest of the section, however, amounts to a renewal of the original accusations and a robust defence of Mandiant’s of conclusions.

Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.

My reading of this report is that Mandiant still wishes to name and shame political opponents to the United States; but that it is being reined in somewhat by FireEye proof readers. If this is the case, I wish FireEye all success in doing so. Mandiant’s technical expertise is overshadowed by doubts over its political desires – and that is a huge shame. The information that Mandiant is otherwise able to give security defenders is too valuable and useful to be lost to such concerns. That missing fourth section, for example, includes the warning that average criminals are mass compromising systems, and then selling on the cherries to more advanced and organized gangs who take over the initial entry point with more sophisticated and stealthy malware intent on long-term compromise and data exfiltration. Such insights will only serve to improve industry’s overall security stance by helping to formulate and guide more effective defensive policies.

Categories: All, Politics, Security Issues

United States Trade Representative threatens the EU

April 7, 2014 Leave a comment

UsvsEUThe United States is accustomed to getting its way internationally through trade threats. One method is the Special 301 Report Watch List, which is an annual list of countries which the US believes are failing in their duties towards copyright protection (specifically, US copyright protection). Once included in the Priority Watch List, a foreign country is liable for legal and/or trade sanctions. The Special 301 Report is compiled by the Office of the United States Trade Representative (USTR), and is seen as a method of bullying recalcitrant nations into conformity with US preferences.

This is not the only annual report from the USTR. It also produces the Section 1377 Review which examines international compliance with telecommunications trade agreements. This too, perhaps because it has become entrenched in the USTR way of doing business, can take a bullying tone. The latest report was released on Friday – but I would suggest that it thinks again if it believes it can bully the European Union at this stage of EU/US relations.

Following the Snowden revelations on NSA/GCHQ spying, the now former head of Deutsche Telekom, René Obermann, proposed in November 2013 that Europe should establish a Schengen-routing and Schengen-cloud. The idea was that any communication from one point in Europe to another point in Europe should never leave Europe; and that personal European data should remain within Europe. This latter would effectively remove the existing safe harbour agreement with the US.

‘Schengen’ was chosen specifically as a mechanism for excluding the UK. The Schengen Area comprises 26 European countries that have abolished border control for Europeans between common borders – the UK has always remained outside of this agreement. As Die Welt described in March, the ‘Schengen-routing’ is intended to be “a defensive measure against the encroachments of the Anglo-Saxon intelligence on European internet users.”

Germany’s Angela Merkel and France’s François Hollande (that is, the central axis of the European Union) have declared support for the idea.

USTR’s Section 1377 Review
At the end of last week the USTR released its 2014 Section 1377 Review. On cross-border data flows it has two concerns: Turkey and the EU.

In Turkey, in the run-up to the recent local elections (‘won’ by Prime Minister Erdogan’s AKP party) and ahead of the presidential elections in August, the government has been tightening its grip on and control over the internet. USTR is concerned over restrictions on data flows and will seek “to ensure that data flows supporting legitimate trade can expand unimpeded.”

In Europe, the report notes that

DTAG [Deutsche Telekom AG] has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU; and has called for revocation of the U.S.-EU “Safe Harbor” Framework, which has provided a practical mechanism for both U.S companies and their business partners in Europe to export data to the United States, while adhering to EU privacy requirements.

Well, obviously, this is a false statement. The safe harbour agreement requires that US companies holding European data do not pass that data to any third-party – but clearly they do pass it to the NSA and law enforcement. The report continues,

The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers. Given the breath [sic] of legitimate services that rely on geographically-dispersed data processing and storage, a requirement to route all traffic involving EU consumers within Europe, would decrease efficiency and stifle innovation. For example, a supplier may transmit, store, and process its data outside the EU more efficiently, depending on the location of its data centers. An innovative supplier from outside of Europe may refrain from offering its services in the EU because it may find EU-based storage and processing requirements infeasible for nascent services launched from outside of Europe.

This is riddled with emotive language and inaccuracies. Draconian? Protectionist advantage? (Now I freely accept that DTAG will be looking for commercial opportunities, and that it is not a company I personally wish to use. From personal experience, I will never have dealings with T-Mobile again. But it is interesting that it seems to be willing to trade the US market for the European market.)

And the inaccuracies… Europeans would suggest that the US has shown scant regard for anyone’s privacy, while it is the US that delivers protectionist advantage (sometimes via economic espionage) to its own companies. Secondly, it completely misrepresents the proposals. European point-to-point communications should stay within Europe (that’s the ‘routing’); while personal data should not leave Europe (that’s the ‘cloud’). But the USTR is lumping the two together into some form of balkanised European intranet completely cut off from the rest of the internet. In reality, it should have little effect on legitimate trade between the EU and US.

It is not, for example, nearly as draconian as the US exclusion of Huawei from the US markets without any proof of actual threat (other than economic).

Then comes the USTR threat:

Furthermore, any mandatory intra-EU routing may raise questions with respect to compliance with the EU’s trade obligations with respect to Internet-enabled services. Accordingly, USTR will be carefully monitoring the development of any such proposals.

In reality we should not take this too seriously. It’s a form of lobbying – perhaps the first of much more to come – and we already know that USTR is not averse to lobbying on behalf of US industry. But it does show that the US is beginning to take the Schengen threat seriously. The UK should too. In the meantime, it should be said that US industry is not without its European allies. Neelie Kroes, the European Commissioner in charge of the European Digital Agenda, has said: “It’s not realistic that we can keep data in the EU, and the trial could jeopardize the open Internet.” Neelie Kroes is the commissioner who recently tried to redefine ‘net neutrality’ to suit big telecoms companies, only to have her definition rejected by the European Parliament.

Categories: All, Politics, Security Issues, pseudonymised data and the ICO

April 6, 2014 Leave a comment

I find the ICO’s response to Dr Neil Bhatia’s request for clarification on and the Data Protection Act (DPA) to be very strange. is the name for NHS England’s program to centralise all GP patient health records together with all hospital visit records in one big data warehouse available to researchers. While originally intended to go live this month, it has been delayed for six months.

Dr Neil Bhatia is a privacy activist opposed to the program. Where a patient objects to his or her data being shared outside of the NHS, the intention is to share ‘pseudonymised’ health data. Dr Bhatia wrote to the ICO for clarification on the Data Protection Act and pseudonymised health records.

The ICO replied that anonymised data is not covered by the DPA. If the subject cannot be identified there can be no privacy loss.

But on pseudonymised data he has no clear response:

Pseudonymised data on its own would not constitute personal data, as it does not enable individuals be identified.

However, it is possible that pseudonymised data may become personal data if it is held by an organisation which holds other information which could be used in conjunction with the pseudonymised data to identify individuals.

As such, whether pseudonymised data would be covered by the DPA would depend on other information which is in the data controller’s possession.
ICO’s letter to Dr Neil Bhatia

There are two problems with the ICO’s statement — both the first and last of these sentences. For the first, there is a growing academic consensus that you simply cannot pseudonymise data so that the individuals concerned cannot be re-identified.

On Friday, Professor Ross Anderson blogged in Light Blue Touchpaper and provided both audio and slides for a talk he gave at the Open Data Institute. The talk is titled ‘Why Anonymity Fails’. In the inference section he notes:

  • If you link episodes into longitudinal records, most patients can be re-identified
  • Add demographic, family data: worse still
  • Active attacks: worse still (Iceland example)
  • Social network stuff: worse still

[The 'Iceland example', incidentally, refers to the occasion in 1998 when DeCODE offered Iceland free IT systems in return for access to medical records. The funding came from the Big Pharma company, Roche.]

Now check the 33 Bits of Entropy blog operated by Arvind Narayanan (a Computer Science/CITP Assistant Professor at Princeton and affiliate scholar at Stanford Law School’s CIS):

The title refers to the fact that there are only 6.6 billion people in the world, so you only need 33 bits (more precisely, 32.6 bits) of information about a person to determine who they are.

…If your hometown has 100,000 people, then knowing your hometown gives me 16 bits of entropy about you, and only 17 bits remain.
About 33 Bits

It is clear that a determined adversary will be able to obtain the 33 necessary bits of entropy from within the pseudonymised data — but the ICO seems to ignore this as if simply labeling a dataset as pseudonymised actually makes it impossible to re-identify the subject.

And this, of course, is without marrying the health data to other easily obtainable databases — such as the edited version of the electoral register which includes details of everyone who hasn’t specifically opted out of being included. There are no restrictions on the use of this data.

The second problem with the ICO’s statement is that he talks about ‘other information’ actually in the data controller’s possession — nothing about the other data that the data controller could subsequently obtain. This means that an unscrupulous operator could easily obtain because he has no ‘other information’ and then later marry it with separately obtained other databases. He would then become subject to the Data Protection Act, but might no longer be within the ICO’s jurisdiction. Having got the data, he would have everything necessary to sell personal information to whoever would buy it.

The simple reality is that it is impossible to protect the anonymity of patient health data while retaining the value that the researchers (big pharma, insurance, credit companies etcetera) demand. With big business and David Cameron both singing from the same hymn sheet, may have been delayed, but it is a long way from being abandoned — particularly when we have an ICO more determined to apply his own interpretation of the law than protect the people.

Categories: All, Politics, Security Issues

Get every new post delivered to your Inbox.

Join 127 other followers