ICT Policy

A Recent History of Back Doored Encryption, in 4 links

TSA Keys, 3D-printed

This is partially a footnotes section from last week's Crypto Saves Lives post, but every week brings new stories, and this week was a doozy. So, let's recap the whole "backdoored crypto / secret golden keys can work" argument:

Claims:

(1) We can protect private information

*Cough* OPM *Cough*

Update: "Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet. The information contains voters’ names, home addresses, voter IDs, phone numbers and date of birth, as well as political affiliations and a detailed voting history since 2000."

(2) Well, we are really good at protecting super-important crypto keys that only give good guys access,

So, those luggage locks with a "golden key", now required world-wide, that only trained TSA agents can pop open? Yeah, about that... TSA's master key set was allowed to be photographed, and while the photo was quickly taken off the internet, the damage was done. Anyone can now 3D print completely functional TSA keys.

(3) Besides, adding a backdoor won't cause problems!

Kiev on #Jan25
404: Human Rights Not found?
Jon Sat, 01/25/2014 - 04:51

I spent this past week in Kiev. You may have heard something about the protests, and possibly even about some of the policy changes and new laws that sparked them. I was working with colleagues, journalists and human rights activists, supporting and training them as quickly as possible on digital security basics, and making sure they had contacts to reach out to for timely support.

It was a trip that was scheduled many months ago, when Ukraine was on the cusp of joining the EU. Things, to put it mildly, changed. Obviously, the violent protests have been featured widely in the news, but those capture only the most visible challenges the country is facing. Legislation pushed through last Thursday with no regard for legal procedure promises to have a chilling effect on free speech, puts tight limits on media and even citizen journalists, and will devastate civil society organizations, labeling them as "foreign agents" and taxing them as for-profit corporations if they take any international aid funding.

In the few days I was there, we experienced a "test" of new censorship capabilities as Twitter and Facebook -- critical messaging and coordination channels for activists -- went dark in Kiev for almost half an hour. People near the protest areas received ominous SMS messages on their phones telling them that they had been registered as present at the (illegal, under the new law) protest.

One note of import - there are two main areas of the protest. EuroMaidan is the months-long, Occupy-on-steroids encampment in Maidan Square. Though well barricaded off, it is a peaceful protest, with daily concerts and speeches on a well-equipped stage, a huge jumbotron, laser-light projections and more. Businesses - from a Nike storefront to a local brewpub to a carousel - are going on with business as normal within the barricaded-off area. The scenes of burning tires, tear gas and molotov cocktails are from the nearby Grushevsky St, where protesters gathered to confront Parliament after their "passage" of this Black Thursday law.

It is inspiring to see the passion and focus of people working to protect and expand their rights, and it is humbling to be able to lend support in any form. However, the challenges aren't getting any easier. The digital tools which provide the most security are also difficult to use, and more difficult to use correctly. They still "stick out" as unusual, and face an uphill battle against popular systems with little if any security.

This has to change. Privacy is not some abstract concept in these situations, it is the economic well-being, and too often, the pure survival of activists, journalists, and their contacts. When we allow policies and practices that undermine security and privacy, we're not just revealing embarrassing factoids about our call history, or even the three felonies a day you're probably committing as a US citizen - we are undermining our global dream of a world of nations with democratic rule, where their citizens can enjoy basic human rights without fear.

The world is ready for this, but when the current Ukrainian government points at American domestic policies as models of their newly crafted censorship and surveillance laws, it's a sign that we as Americans are not drinking our own koolaid (with a hat-tip to the many dedicated civil servants who are working hard to further human rights).

Distributed Solutions for Distributed Attacks Jon Mon, 10/21/2013 - 18:50

Google has been making headlines with their shiny Project Shield which wraps PageSpeed with other tools to defend sites against denial of service attacks. The history of the denial of service, however, runs deep, and underlines that no centralized response to it will ever be able to cost-effectively scale against a distributed attack.

Let's rewind back to the 90s. Denial of service was a very, very different thing then - it was a tool for free expression, not one used to mute dissenting opinions as it is today.
In the dot-com boomtimes of the late 90s, I was absolutely fascinated by the digital protests that sprung up in reaction to Mexico's treatment of the Zapatista Movement. Floodnet was an activist art project by the Electronic Disturbance Theater. Floodnet was simply a website you could visit, and it would direct your browser to constantly reload pages on the website of the Mexican government. In addition to overloading the website with thousands of requests from you and your fellow protesters, you could add a political message to each page load by requesting a page that did not exist, forcing the government's server to fill its log files with messages like "human rights not found."

"The FloodNet application of error log spamming is conceptual Internet art. This is your chance to voice your political concerns on a targeted server. [...] The server may respond to your intentional mistake with a message like: "human_rights not found on this server." So by creatively selecting phases, you can make the server voice your concerns. It may not use the kind of resources that the constant reloading uses (FloodNet automatically does that too), but it is sassy conceptualism and it invites you to play with clever statements while the background applet is running." (via http://www.thing.net/~rdom/ecd/ZapTact.html)

Floodnet used DoS attacks to protest the Mexican Government


This original "denial of service" attack was seen as the digital mirror of a classic "sit-in" protest. It was a way for a David to strike back at a Goliath through technology. However, this, ahem, "sassy" political activism began an arms race that today is dominated by Goliaths alone. Instead of a tool of protest, denial of service attacks are today tools of retribution and ways to mute dissenting voices. They are massively automated and distributed, and are run not by rowdy bands of dissidents, but by well-organized for-hire groups (https://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fe…) and even from government infrastructures.
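As an added example (not part of the original post, and not FloodNet's own code), here is the defender's side of the technique quoted above: a Python script that parses Apache/NGINX-style access-log lines and flags any client that produces a burst of 404 responses, which is exactly the signature that error-log spamming leaves behind. The log lines, IP addresses, thresholds and function names are all constructed for illustration.

```python
"""
Detect FloodNet-style "error log spamming" in a web server access log.

The technique works by repeatedly requesting a nonexistent path (e.g.
/human_rights) so the server writes "... not found" into its own logs.
A human mistyping a URL produces one or two 404s; a reloading applet
produces dozens per minute from the same address.  The log lines below
are constructed sample data in Apache/NGINX "combined" format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One combined-format access-log record (referer/user-agent are optional here)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 10/Apr/1998:12:00:00 +0000


def parse_line(line):
    """Return {'ip', 'ts', 'path', 'status'} for a valid record, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_error_log_spam(lines, window_seconds=60, threshold=5):
    """
    Flag clients that generate `threshold` or more 404 responses within any
    sliding window of `window_seconds`.  Returns {ip: {"peak_hits", "paths"}}.
    Malformed lines are skipped rather than aborting the scan.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of 404s inside the window
    paths = defaultdict(set)      # ip -> distinct missing paths requested
    flagged = {}

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        paths[ip].add(rec["path"])
        while q and ts - q[0] > window:   # expire hits older than the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"peak_hits": 0, "paths": set()})
            entry["peak_hits"] = max(entry["peak_hits"], len(q))
            entry["paths"] = set(paths[ip])
    return flagged


# Constructed sample log: one FloodNet-style client, one ordinary visitor,
# and one garbage line to show the parser tolerates it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/1998:12:00:00 +0000] "GET /human_rights HTTP/1.0" 404 211
198.51.100.4 - - [10/Apr/1998:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 5120
203.0.113.7 - - [10/Apr/1998:12:00:02 +0000] "GET /human_rights HTTP/1.0" 404 211
203.0.113.7 - - [10/Apr/1998:12:00:03 +0000] "GET /justice HTTP/1.0" 404 206
198.51.100.4 - - [10/Apr/1998:12:00:04 +0000] "GET /favicon.ico HTTP/1.0" 404 209
203.0.113.7 - - [10/Apr/1998:12:00:05 +0000] "GET /human_rights HTTP/1.0" 404 211
this line is not a valid access-log record
203.0.113.7 - - [10/Apr/1998:12:00:06 +0000] "GET /justice HTTP/1.0" 404 206
203.0.113.7 - - [10/Apr/1998:12:00:07 +0000] "GET /human_rights HTTP/1.0" 404 211
198.51.100.4 - - [10/Apr/1998:12:00:08 +0000] "GET /about.html HTTP/1.0" 200 3301
""".splitlines()


if __name__ == "__main__":
    for ip, info in find_error_log_spam(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_hits']} 404s in window, paths={sorted(info['paths'])}")
```

The sliding window matters: a single address requesting a missing page once a day is a broken bookmark, while the same address requesting it several times a second is the reloading applet. Tuning `window_seconds` and `threshold` is a site-specific decision, and in 1998 the remedy would have been a firewall rule per offending address; today the same burst signature is what a CDN or reverse proxy uses to decide which clients to rate-limit.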

The only defense, so far, has been equally massive, centralized, commercial services. This is a growing industry with its own round of disruptive innovators. That business innovation is helping to move from monolithic services that protect large online infrastructures at high cost toward a more scalable model, with services that smaller websites can benefit from. Still, the back-end model is the same: providing shelter from DDoS attacks by having enough servers and bandwidth to absorb whatever their proprietary tools and filters cannot outright block.

Open source models to fight back have been conspicuous in their absence - until now.

The Deflect Project, created by the eQualit.ie technology collective based out of Montreal and Dublin, is responding to that gap. They focus on providing protection for activists and journalists around the world, who are subject to DDoS attacks from those who disagree with their views all the way to their own governments. Thanks to grant funding, Deflect is able to offer their services for free to independent media sites, NGOs and non-profits -- but the technology model under the hood is the real game-changer.

The Anti-Halo Effect

Appification

Create pro-consumer mobile technology and open up a new market of multi-platform and platform-agnostic users who want the best devices.

The Washington Post ran a great article on the increasing problems of vendor lock-in with tablets and mobile devices. In simple language it boils down the problem: buying an app for one device doesn't give you access to that app anywhere else; if you switch from an iPhone to an Android phone, you'll have to re-buy your apps and your iTunes content. This is partially lock-in, but there's also a halo effect - you can transfer an app from one iPhone to a new iPhone, or content from your desktop iTunes to your iWhatever - and the more devices you own from the same vendor, the better the system works.

But this is a horrible direction to take, and why I rarely buy apps or content from locked-down stores like iTunes. My desktop computer runs Ubuntu Linux, my tablet Android, and my phone is an iPhone. The media server for our house is a Mac Mini, and I finally retired my hold-out Windows computer last year. I refuse to buy music that I can only listen to on one of those myriad devices any more than I'd buy a CD that only plays in my car, but not in my home, or food that I could eat in the kitchen, but not in the dining room or on a picnic.

By and large, I'm a good target demographic - some discretionary income, a gadget aficionado, and generally plugged in to fun new technologies - but my market is rarely well served.

Tech Trends: Come discuss at Digital Capital Week! Jon Thu, 10/27/2011 - 09:37

I will be discussing the tech trends from 2011 and looking forward to what 2012 holds for us with a fine group of panelists during DCWeek. Our panel still has some free tickets left - RSVP at http://www.meetup.com/net2dc/

Want to get in the action early? Join our thread over at Quora.

My fellow panelists are Nisha Chittal, Colin Delany, Bob Fine, and Bonnie Shaw, and Roshani Kothari is going to have the arduous task of wrangling us as our moderator.

Read more about the event at DCWeek: http://bit.ly/dcweektechtrends1108

Rebuilding cell networks in Libya

Via MobileActive, I got to reading this article at the WSJ.

Unsurprisingly, the Libyan cell network is built to be Tripoli-centric, "giving him and his intelligence agents full control over phones and Internet" according to the WSJ. If that's not a stark reminder of the challenges of using SMS and mobiles in human rights work that I've been concerned about, I don't know what is.

The brilliant response here has been to wrest control over segments of the Libyan mobile network. This has taken some outside effort, external government support, and massive funding - it is, at least for now, successful at creating an independent domestic network with limited external access:

A team led by a Libyan-American telecom executive has helped rebels hijack Col. Moammar Gadhafi's cellphone network and re-establish their own communications.

The new network, first plotted on an airplane napkin and assembled with the help of oil-rich Arab nations, is giving more than two million Libyans their first connections to each other and the outside world after Col. Gadhafi cut off their telephone and Internet service about a month ago.

That March cutoff had rebels waving flags to communicate on the battlefield. The new cellphone network, opened on April 2, has become the opposition's main tool for communicating from the front lines in the east and up the chain of command to rebel brass hundreds of miles away.

Packets, Please: Government monitoring and #IranElection

Wired reminds us that we can rail against and complain about the intrusive, privacy-destroying and free-speech-threatening monitoring that Iran has been employing against the protestors over the past few months, but we have to remember two things. First, US and European companies provided the hardware and software to Iran for them to do this. Second - our own government does the same thing, and we should stop it.

Regarding the first problem, bipartisan Senators are proposing a ban on government contracts for companies caught selling such technology to Iran, and it's technically illegal for US companies anyhow (which might not be stopping everyone: Iran appears to be using Secure Computing's (now McAfee) SmartFilter, according to the Open Net Initiative's testing).

ICT and the Iran Election

The Daily Dish reposts a call to action from Twitter: ALL internet & mobile networks are cut. We ask everyone in Tehran to go onto their rooftops and shout ALAHO AKBAR in protest #IranElection, and comments:

That a new information technology could be improvised for this purpose so swiftly is a sign of the times. It reveals in Iran what the Obama campaign revealed in the United States. You cannot stop people any longer. You cannot control them any longer. They can bypass your established media; they can broadcast to one another; they can organize as never before.

Other coverage at Global Voices and Daily Kos present videos and links to photos of protests coming from Tehran.

Cory Doctorow, or how I learned to start worrying and hate IP regulation

Sometimes, I lie awake at night and worry about copyright. I then start worrying if this makes me irreconcilably weird.

I worry for our American culture, as items have stopped falling into the public domain and becoming available to re-use and re-mix, or simply to re-present for free. If this doesn't seem like a problem, this video on a 6-second drumbeat will blow your mind - especially if you then read this story about an artist being sued over a one-minute clip of silence making fun of John Cage's 4'33" of silence. The artist ended up settling out of court.

I worry more generally about international trade and development, as we inflict ever-tighter IP regulations on countries we give aid to or trade with - regulations we ourselves scoffed at and flouted during our own development.

We're no longer protecting innovation with these laws - we're protecting the first movers (often big, established businesses), and encouraging gaming of the patent system to get the most generic and sweeping patents accepted.