Schneier on Security
A blog covering security and security technology.
October 9, 2007
Burmese Government Seizing UN Hard Drives
Burma's ruling junta is attempting to seize United Nations computers containing information on opposition activists in the latest stage of its brutal crackdown on pro-democracy demonstrations, The Times has learnt.
The discs contain information that could help the dictatorship to identify key members of the opposition movement, many of whom have gone underground. UN staff spent much of the weekend deleting information.
Another reason why law enforcement's demands that e-mails be traceable are a bad idea: a record of who talked to whom is only as safe as the machine it sits on, and that machine can be seized.
Posted on October 9, 2007 at 1:14 PM
• 32 Comments
It also seems odd that they would just have this stuff sitting locally on their computers when they are in such a hostile environment in the first place.
This seems like *the* instance when you'd want good physical security. Not saying that's necessarily possible in Burma, but still a consideration they seemed to miss.
I'm torn between two comments:
1) If only there was some way to make it so that even if the drives were taken by the Burmese government, it wouldn't matter.
2) I sincerely hope that, unlike just about everyone in the world that has sensitive personal data on their hard drives (especially when it's a laptop), that they used strong encryption.
ps: Thank goodness, the article didn't say "Myanmar's ruling junta". I haven't a clue how to turn that into an adjective: Mayanmari? Mayanmarian? Mayn?
This particular Times is a piece of Garbage. You're a fool to believe anything in it.
Wondering how many UN workers, and people at such potentially exposed positions, understand the principles of effective destruction of information on storage media. In other words, how many know how to irrecoverably erase a file or a disk.
Use Evidence Eliminator on each computer.
Hope they aren't wasting time wiping hard drives, just borrow an axe and a sledge hammer. At this point, salvage of any kind isn't even to be considered.
The more I think of this the more angry I become. The implication in the article, and the one Bruce and everyone seems to go along with, is that it is perfectly fine for the UN to be "friends" with the dissidents; I thought the UN is a neutral party and fair to both sides. Do you happen to understand who some of these democratic dissidents are? Some of them are drug runners, others are ethnic separatists (How about a country of me and 14 relatives?). And many of them are connected to Western intelligence agencies, especially British ones. "BURMA" is the British name for their former colony.
It is quite possible that one result of the events of the past weeks will be the waning of the influence of Aung San Suu Kyi. The daughter of Aung San (the leader of the liberation of Burma from the British after World War II), Suu Kyi was raised and educated by British intelligence Asia hands in India and London, including her (now deceased) husband, Michael Aris. She was placed into the leadership of the opposition during the 1988 upheaval, and has done the bidding of her London mentors ever since.
However, Mrs. Aris's dogmatic insistence that the opposition follow the demands of the British and the "Project Democracy" networks in the US - in particular, that they support the imposition of sanctions on their nation and that they refuse to participate in the on-going national convention to formulate a new constitution - has become increasingly unpopular among the opposition within Myanmar, and even among the dissident movement living abroad. It is recognized that the sanctions have failed, that Suu Kyi is seen as an asset of London and Washington, and that Myanmar's Asian neighbors, China, India, Russia, Thailand and others, are engaged in a significant opening up of Myanmar to trade, investment and major regional transportation projects, which are begin the extremely poor country.
The military government is also recognized for having united the nation of Myanmar for the first time since British colonization. When the British pulled out in 1948, they left a constitution which granted the right to secession for each ethnic minority - which facilitated British and American drug trafficking and armed insurgencies against China. Since 1988, the government has pacified these insurgencies, and nearly wiped out the drug traffic. Antonio Maria Costa, the UN anti-drug chief, acknowledged this historic achievement by the junta, while noting that U.S.-occupied Afghanistan has more than made up for the opium supplies eliminated in Myanmar.
While I agree that the UN should be neutral, like reporters they have an interest in keeping the information they receive from dissidents (and governments) secret from other parties in a conflict. Otherwise they won't get sensitive information and (in the case where identity is sensitive) they can't broker between the parties.
Success for the authorities in this case would be a setback for the UN's mission, regardless of which side you feel should prevail.
Now they've done it -- they've p'oed the U.N.
Within 5 or 6 years, there'll be a resolution passed condemning this as quite not a nice thing to do.
TrueCrypt...with plausible deniability.
BTW, I'm sure there are records of Burmese government employees and supporters on the UN disks too, the point of this post is that the totalitarian governments can and will use all means at their disposal to get information, even that which was conveyed with reasonable expectation of confidence. That's true no matter which 'side' you are on. And an anathema to those who value privacy and security (most of the trolls on this site, and a basis of a democracy)
> the government has pacified these
Pacified? My friend, Peace is something larger than just the absence of physical violence.
May we all help create a world where Peace prevails.
I fail to see why the UN needs to cooperate with a regime that executes unarmed Buddhist monks. Be serious.
How are we supposed to tell the Good Governments from the Bad Governments? And whose side is the U.N. on, anyway?
I can see this being an issue for a long, long time.
Interesting to see that the propaganda war spills over here! Even from one of the most impoverished countries in the world, or the players are on the cyberwarpath.
On topic, the UN doesn't need "plausible deniability" as some of the posters imply. They just need to keep the Myanmar government from getting their data - Myanmar is unlikely to start torturing, etc, the UN employees with access to the hard drives.
All they need is encrypted hard drives. I guess the UN hasn't yet reached the technical sophistication of the US Veteran's administration.
It's pretty easy to identify the "Bad" governments. Governments which severely curtail public opposition and protest are Bad. The more they curtail it, the worse they are. So countries which kill nonviolent protesters are Very Bad (Myanmar), countries which beat and curtail protest locations are Bad (US), countries that allow open protest are Good. The latter category is fairly thin.
Good v. Bad doesn't matter, NO governments have rights to my hard disk without safeguards and recourse.
Do you happen to understand who some of these democratic dissidents are? Some of them are drug runners, others are ethnic separatists
Thomas Jefferson was a slave-owner, and the Dalai Lama is the exiled leader of a theocracy. So what? That doesn't make Georgian Britain, Red China, and the Myanmanese junta any less reprehensible.
Burma is not "The British name" for Myanmar... The names are pretty much the same thing.
Myanmar is also known in Burmese as Bama. The final a is a long a thus "mar" and "ma" are equivalent. In Burmese M and B are frequently pronounced the same way... In addition the use of the name "Burma" is considered to be more inclusive by the minorities living in "Burma" than the name "Myanmar" which is derived purely from the majority ethnicity.
See Wikipedia http://en.wikipedia.org/wiki/Names_of_Burma/... for a detailed discussion of why Britain isn't the only place to call Burma Burma either historically or at present.
Having just read a much more neutral article about Burma (part of "Who Hates Whom", a book by Bob Harris) I have to say that your slant on things seems to be biased towards the Military Junta who have slaughtered peaceful protesters at various times in the recent past. Sure, some people who don't like the Military Junta might not be good people, and the enemy of my enemy might not be my friend, but if we are going to paint the situation with broad brush strokes, the peaceful dissident leader who has been under house arrest for more than a decade, and has won the Nobel peace prize, is more likely to get my vote in a popularity contest than the leader of a dictatorial regime who has had peaceful protesters and journalists killed. Sure, the military might have some good people and the dissidents have some bad people, but overall I prefer the ideals of the dissidents.
Actually the UN has a responsibility to protect such information:
But in a lot of cases they don't have the technical know-how. Plus they have a tendency to go cheap on IT stuff.
Plausible deniability helps in any situation. How much time are they going to spend cracking data they aren't even sure is there?
And while they may not overtly arrest and torture UN employees, people do sometimes "disappear."
If you need to wreck information in a hard drive in a rush you could drill holes into it and try to tear it to pieces. Sledge hammers are good for this.
Then into the basement incinerator, if available.
In fact, data recovery companies are very good at reconstructing data from mechanically/physically damaged hard drives.
This includes damage from fire, water, acid, and cutting amongst others. The grade of destruction can be quite heavy. Shredding the whole thing to (small enough!) pieces would probably work.
The German computer magazine c't tested commercial data recovery companies and found that all were unable to recover useful data from drives that were simply overwritten with zeroes. Of course, doing a 35-times-Gutmann-DOD-NSA-megascheme does not hurt but seems to be unnecessary unless you assume an *extremely* capable adversary.
Anyway, there would be no need to worry at all, if the data is encrypted.
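As an added example (not code from the original post or from any commenter), here is the minimal form of what the comments above describe: an earlier comment asks how many field workers know how to irrecoverably erase a file, and the c't result just quoted says a single pass of zeroes is enough against commercial recovery services. The script overwrites a file's existing blocks in place with zeroes (optionally a final pass of random bytes), forces the writes to the device, renames the file to an uninformative name and unlinks it. The sample file contents and the `demo()` harness are constructed for illustration. The caveats in the module docstring matter more than the pass count: on SSDs, journaling or copy-on-write filesystems and snapshots, the old blocks may survive regardless, which is why the full-disk-encryption advice elsewhere in the thread is the more reliable answer in a hurry.

```python
"""Overwrite-in-place file erasure (added example, not from the original page).

Caveats the code cannot fix:
  * In-place overwriting only helps when the device rewrites the same
    physical blocks. SSD wear levelling, journaling/copy-on-write
    filesystems and snapshots can retain the old data. There, full-disk
    encryption plus destroying the key is the dependable erasure.
  * Copies the application already made elsewhere (mail caches, temp
    files, swap) are untouched by this.
"""
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB write chunks


def overwrite_in_place(path: str, passes: int = 1, random_last: bool = False) -> int:
    """Overwrite `path` with `passes` passes of zeroes; if `random_last`,
    the final pass uses random bytes instead. Each pass is fsync'd before
    the next starts. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # O_WRONLY without O_TRUNC: rewrite the existing blocks rather than
    # freeing them and allocating fresh ones.
    fd = os.open(path, os.O_WRONLY)
    try:
        for p in range(passes):
            use_random = random_last and p == passes - 1
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                buf = secrets.token_bytes(n) if use_random else bytes(n)
                written = 0
                while written < n:  # os.write may write less than asked
                    written += os.write(fd, buf[written:])
                remaining -= n
            os.fsync(fd)  # push this pass to the device before the next
    finally:
        os.close(fd)
    return size


def overwrite_and_unlink(path: str, passes: int = 1, random_last: bool = False) -> int:
    """Overwrite `path`, rename it to a random name so the directory entry
    no longer reveals the original filename, then unlink it."""
    size = overwrite_in_place(path, passes, random_last)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.unlink(anon)
    return size


def file_is_all_zero(path: str) -> bool:
    """True iff every byte of `path` is zero (used to verify a zero pass)."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.strip(b"\x00"):
                return False
    return True


def demo() -> dict:
    """Constructed end-to-end check: write a sample file, overwrite it,
    verify the zero pass, then unlink. Returns the observations."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "contacts.csv")
    sample = b"name,district\nexample person,example district\n" * 2000  # constructed
    with open(p, "wb") as f:
        f.write(sample)
    size_before = os.path.getsize(p)
    n = overwrite_in_place(p, passes=2)
    zeroed = file_is_all_zero(p)
    same_size = os.path.getsize(p) == size_before
    overwrite_and_unlink(p, passes=1, random_last=True)
    gone = not os.path.exists(p) and os.listdir(d) == []
    os.rmdir(d)
    return {"bytes": n, "zeroed": zeroed, "same_size": same_size, "gone": gone}


if __name__ == "__main__":
    print(demo())
```

`overwrite_in_place` deliberately opens the file without truncation; opening with `"wb"` would free the original blocks and allocate new ones, leaving the old contents on disk to be recovered.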
Apparently the Australian Red Cross are not using thin client notebooks for this reason. To quote http://www.searchcio.com.au/topics/article.asp?...
"Their CEO told me he'd been waiting for this to happen for a couple of years," says Neoware's Michael McGrath. "He piloted the device, put in his Telstra 3G card and used it on the train, on the Manly ferry, loved the concept and they are now rolling them out fairly broadly within the Red Cross. Their people go into a war zone or some natural disaster and the capability to go in there with a thin client device and not be too concerned if that device gets stolen or lost if they have to leave the war zone quickly, or someone knocks off the device, is really important to them. No longer is there concern about sensitive data or information being put in the wrong hands. They could have information that identifies people that are being targeted."
Oops, that should read "Apparently the Australian Red Cross are now"
Sorry about the typo.
Another perfect reason for implementing full-disk encryption.
No matter who takes the hardware, access is prevented.
Isn't an overt action against the UN possible grounds for a military response?
I mean, it's not the Red Cross we're talking about here.
Yeah, I'm going to go with Bill's solution on this one.
Bruce, remember the story a couple of years back about biometrics on Russian cars leading to a decrease in auto theft but an increase in carjacking?
Any "bad guy" regime that is willing to impound devices that might have sensitive information on them may not pause overmuch at "convincing" the original device owner that they really would be better off giving up their encryption key.
The right answer is: if you're going into a situation where the government is that dicey and/or unstable, don't carry or store sensitive data on local media. Send it to Switzerland. They can revoke access to the data by the remote machines, and now at least you have a negotiation between a "bad guy" government and an organization ("Tell us what we want to know and we'll let your Red Cross volunteers go") instead of a direct torture scenario.
Seems like full disk encryption (FDE) would have been useful here. There's still the lack of plausible deniability with most FDE suites, but FDE will thwart all but the a) gun-to-head and b) password-left-on-a-sticky-note scenarios.
TrueCrypt is nice (as someone already posted) and provides plausible deniability, but on the downside isn't as "thorough." I.e., the emails would have to be on an encrypted container that the user would need to mount (not to mention possible data leaking).
FDE--in addition to other measures--sounds pretty good for those UN guys w/ confidential info on their conveniently-accessible laptops.
Bill, I hope they are using an unbreakable encryption method for all traffic between those thin clients and the extremely remote servers. Tapping internet traffic is as easy as seizing hard drives, and much less detectable.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.