Crypto-Gram

July 15, 2017

by Bruce Schneier
CTO, IBM Resilient
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <https://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at <https://www.schneier.com/crypto-gram/archives/2017/...>. These same essays and news items appear in the "Schneier on Security" blog at <https://www.schneier.com/>, along with a lively and intelligent comment section. An RSS feed is available.


In this issue:
      Book Review: "Twitter and Tear Gas," by Zeynep Tufekci
      News
      Amazon Patents Measures to Prevent In-Store Comparison Shopping
      Schneier News
      Separating the Paranoid from the Hacked

Book Review: "Twitter and Tear Gas," by Zeynep Tufekci

There are two opposing models of how the Internet has changed protest movements. The first is that the Internet has made protesters mightier than ever. This comes from the successful revolutions in Tunisia (2010-11), Egypt (2011), and Ukraine (2013). The second is that it has made them more ineffectual. Derided as "slacktivism" or "clicktivism," the ease of action without commitment can result in movements like Occupy petering out in the US without any obvious effects. Of course, the reality is more nuanced, and Zeynep Tufekci teases that out in her new book "Twitter and Tear Gas."

Tufekci is a rare interdisciplinary figure. As a sociologist, programmer, and ethnographer, she studies how technology shapes society and drives social change. She has a dual appointment in both the School of Information Science and the Department of Sociology at University of North Carolina at Chapel Hill, and is a Faculty Associate at the Berkman Klein Center for Internet and Society at Harvard University. Her regular "New York Times" column on the social impacts of technology is a must-read.

Modern Internet-fueled protest movements are the subjects of "Twitter and Tear Gas." As an observer, writer, and participant, Tufekci examines how modern protest movements have been changed by the Internet -- and what that means for protests going forward. Her book combines her own ethnographic research and her usual deft analysis, with the research of others and some big data analysis from social media outlets. The result is a book that is both insightful and entertaining, and whose lessons are much broader than the book's central topic.

"The Power and Fragility of Networked Protest" is the book's subtitle. The power of the Internet as a tool for protest is obvious: it gives people newfound abilities to quickly organize and scale. But, according to Tufekci, it's a mistake to judge modern protests using the same criteria we used to judge pre-Internet protests. The 1963 March on Washington might have culminated in hundreds of thousands of people listening to Martin Luther King Jr. deliver his "I Have a Dream" speech, but it was the culmination of a multi-year protest effort and the result of six months of careful planning made possible by that sustained effort. The 2011 protests in Cairo came together in mere days because they could be loosely coordinated on Facebook and Twitter.

That's the power. Tufekci describes the fragility by analogy. Nepalese Sherpas assist Mt. Everest climbers by carrying supplies, laying out ropes and ladders, and so on. This means that people with limited training and experience can make the ascent, which is no less dangerous for that, sometimes with disastrous results. Says Tufekci: "The Internet similarly allows networked movements to grow dramatically and rapidly, but without prior building of formal or informal organizational and other collective capacities that could prepare them for the inevitable challenges they will face and give them the ability to respond to what comes next." That makes them less able to respond to government counters, change their tactics -- a phenomenon Tufekci calls "tactical freeze" -- make movement-wide decisions, and survive over the long haul.

Tufekci isn't arguing that modern protests are necessarily less effective, but that they're different. Effective movements need to understand these differences, and leverage these new advantages while minimizing the disadvantages.

To that end, she develops a taxonomy for talking about social movements. Protests are an example of a "signal" that corresponds to one of several underlying "capacities." There's narrative capacity: The ability to change the conversation, as Black Lives Matter did with police violence and Occupy did with wealth inequality. There's disruptive capacity: The ability to stop business as usual. An early Internet example is the 1999 WTO protests in Seattle. And finally, there's electoral or institutional capacity: The ability to vote, lobby, fund raise, and so on. Because of various "affordances" of modern Internet technologies, particularly social media, the same signal -- a protest of a given size -- reflects different underlying capacities.

This taxonomy also informs government reactions to protest movements. Smart responses target attention as a resource. The Chinese government responded to 2015 protesters in Hong Kong by not engaging with them at all, denying them camera-phone videos that would go viral and attract the world's attention. Instead, they pulled their police back and waited for the movement to die from lack of attention.

If this all sounds dry and academic, it's not. "Twitter and Tear Gas" is infused with a richness of detail stemming from her personal participation in the 2013 Gezi Park protests in Turkey, as well as personal on-the-ground interviews with protesters throughout the Middle East -- particularly Egypt and her native Turkey -- Zapatistas in Mexico, WTO protesters in Seattle, Occupy participants worldwide, and others. Tufekci writes with a warmth and respect for the humans that are part of these powerful social movements, gently intertwining her own story with the stories of others, big data, and theory. She is adept at writing for a general audience, and -- despite being published by the intimidating Yale University Press -- her book is more mass-market than academic. What rigor is there is presented in a way that carries readers along rather than distracting.

The synthesist in me wishes Tufekci would take some additional steps, taking the trends she describes outside of the narrow world of political protest and applying them more broadly to social change. Her taxonomy is an important contribution to the more general discussion of how the Internet affects society. Furthermore, her insights on the networked public sphere have applications for understanding technology-driven social change in general. These are hard conversations for society to have. We largely prefer to allow technology to blindly steer society or -- in some ways worse -- leave it to unfettered for-profit corporations. When you're reading "Twitter and Tear Gas," keep current and near-term future technological issues such as ubiquitous surveillance, algorithmic discrimination, and automation and employment in mind. You'll come away with new insights.

Tufekci twice quotes historian Melvin Kranzberg from 1985: "Technology is neither good nor bad; nor is it neutral." This foreshadows her central message. For better or worse, the technologies that power the networked public sphere have changed the nature of political protest as well as government reactions to and suppressions of such protest.

I have long characterized our technological future as a battle between the quick and the strong. The quick -- dissidents, hackers, criminals, marginalized groups -- are the first to make use of a new technology to magnify their power. The strong are slower, but have more raw power to magnify. So while protesters are the first to use Facebook to organize, the governments eventually figure out how to use Facebook to track protesters. It's still an open question who will gain the upper hand in the long term, but Tufekci's book helps us understand the dynamics at work.

This essay originally appeared on Vice Motherboard.
https://motherboard.vice.com/en_us/article/43dx3j/...

The book:
https://www.twitterandteargas.org/
https://www.amazon.com/...

Tufekci:
https://twitter.com/zeynep
https://www.nytimes.com/column/zeynep-tufekci


News

Turns out that it's surprisingly easy to game Google News:
https://www.johnscottrailton.com/gaming-google-news/

There's evidence linking WannaCry to North Korea.
https://www.washingtonpost.com/world/...
https://www.wired.com/story/north-korea-cyberattacks/
https://it.slashdot.org/story/17/06/15/0340215/...
Here's the grugq trying to figure it out:
https://medium.com/@thegrugq/...

Here's a new technique to hijack social media accounts. Access Now has documented it being used against a Twitter user, but it also works against other social media accounts.
https://www.accessnow.org/doubleswitch-attack/
https://www.theverge.com/2017/6/9/15767888/...
http://gizmodo.com/...
http://fortune.com/2017/06/09/twitter-hack-fake-news/

Last month, the Department of Justice released 18 new FISC opinions related to Section 702 as part of an EFF FOIA lawsuit. (Of course, they don't mention EFF or the lawsuit. They make it sound as if it was their idea.) There's probably a lot in these opinions. In one Kafkaesque ruling, a defendant was denied access to the previous court rulings that were used by the court to decide against it.
https://www.eff.org/deeplinks/2017/06/...
https://icontherecord.tumblr.com/post/161824569523/...
https://www.eff.org/deeplinks/2017/06/...

In June, Microsoft issued a security patch for Windows XP, a 16-year-old operating system that Microsoft officially no longer supports. In May, Microsoft issued a Windows XP patch for the vulnerability used in WannaCry. Is this a good idea? This 2014 essay argues that it's not:
https://arstechnica.com/security/2017/06/...
This is a hard trade-off, and it's going to get much worse with the Internet of Things. At least Microsoft has security engineers on staff who can write a patch for Windows XP. There will be no one able to write patches for your 16-year-old thermostat and refrigerator, even assuming those devices can accept security patches.

According to a recently declassified report obtained under FOIA, the NSA's attempts to protect itself against insider attacks aren't going very well:
https://www.documentcloud.org/documents/...
https://www.nytimes.com/2017/06/16/us/politics/...
Marcy Wheeler comments:
https://motherboard.vice.com/en_us/article/...

The secret code of Beatrix Potter:
http://www.atlasobscura.com/articles/...
http://scienceblogs.de/klausis-krypto-kolumne/files/...

In a proposed rule, the FAA argues that software in an Embraer S.A. Model ERJ 190-300 airplane is secure because it's proprietary. Longtime readers will immediately recognize the "security by obscurity" argument. Its main problem is that it's fragile. The information is likely less obscure than you think, and even if it is truly obscure, once it's published you've just lost all your security.
https://www.federalregister.gov/documents/2017/06/...
This is me from 2014, 2004, and 2002.
https://www.schneier.com/blog/archives/2014/02/...
https://www.schneier.com/essays/archives/2004/10/...
https://www.schneier.com/crypto-gram/archives/2002/...

Apple is fighting its own battle against leakers, using people and tactics from the NSA.
https://theoutline.com/post/1766/...
The information is from an internal briefing, which was leaked.

Good article on the DAO Ethereum hack:
https://www.bloomberg.com/features/...

WikiLeaks has published CherryBlossom, the CIA's program to hack into wireless routers. The program is about a decade old.
https://wikileaks.org/vault7/#Cherry%20Blossom
https://arstechnica.com/security/2017/06/...
https://www.theverge.com/2017/6/15/15812216/...
https://gizmodo.com/...
http://www.zdnet.com/article/...
https://www.wired.com/story/wikileaks-cia-router-hack/
https://qz.com/1008273/...

The Girl Scouts are going to be offering 18 merit badges in cybersecurity, to scouts as young as five years old.
http://www.reuters.com/article/...

Some websites are grabbing user-form data even before it's been submitted.
https://gizmodo.com/...
This kind of thing is going to happen more and more, in all sorts of areas of our lives. The Internet of Things is the Internet of sensors, and the Internet of surveillance. We've long passed the point where ordinary people have any technical understanding of the different ways networked computers violate their privacy. Government needs to step in and regulate businesses down to reasonable practices. That means government needs to prioritize security over its own surveillance needs.

Really good article about the women who worked at Bletchley Park during World War II, breaking German Enigma-encrypted messages.
http://www.techrepublic.com/article/...
There's also a book: "The Debs of Bletchley Park and Other Stories", by Michael Smith.
https://www.amazon.com/dp/B00SG9HR44/

"Fortune" magazine just published a good article about Google's Project Zero, which finds and publishes exploits in other companies' software products. I have mixed feelings about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.
http://fortune.com/2017/06/23/...

The 16th Workshop on Economics and Information Security was this week. Ross Anderson liveblogged the talks.
http://weis2017.econinfosec.org/program/
https://www.lightbluetouchpaper.org/2017/06/26/...

A man-in-the-middle attack against a password-reset system:
https://www.schneier.com/blog/archives/2017/07/...
https://www.ieee-security.org/TC/SP2017/papers/207.pdf
https://boingboing.net/2017/06/22/...
A couple of related papers:
http://engineering.nyu.edu/files/...
https://www.researchgate.net/publication/...

I don't have anything to say -- mostly because I'm otherwise busy -- about the malware known as GoldenEye, NotPetya, or ExPetr. But I wanted a post to park links.
http://www.tomshardware.com/news/...
https://www.nytimes.com/2017/06/28/world/europe/...
https://lawfareblog.com/...
https://labsblog.f-secure.com/2017/06/29/...
http://www.darkreading.com/attacks-breaches/...?

Good commentaries from Ed Felten and Matt Blaze on US election security. Both make a point that I have also been saying: hacks can undermine the legitimacy of an election, even if there is no actual voter or vote manipulation.
https://freedom-to-tinker.com/2017/06/19/...
http://www.crypto.com/blog/vote_hacking_by_email/

A report from the Brennan Center for Justice on how to secure elections:
https://www.brennancenter.org/publication/...

Dubai is deploying autonomous robotic police cars. It's hard to tell how much of this story is real and how much is aspirational, but it really is only a matter of time.
http://gulfnews.com/news/uae/emergencies/...

The website key.me will make a duplicate key from a digital photo. If a friend or coworker leaves their keys unattended for a few seconds, you know what to do.
https://www.key.me/

The Intelligence Advanced Research Projects Activity (IARPA) is soliciting proposals for research projects in secure multiparty computation. My guess is that this is to perform analysis using data obtained from different surveillance authorities.
https://www.fbo.gov/index?...

This teapot has two chambers. Liquid is released from one or the other depending on whether an air hole is covered. I want one.
http://www.neatorama.com/2016/02/17/...

This article argues that AI technologies will make image, audio, and video forgeries much easier in the future.
https://www.wired.com/story/...
I am not worried about fooling the "untrained ear," and more worried about fooling forensic analysis. But there's an arms race here. Recording technologies will get more sophisticated, too, making their outputs harder to forge. Still, I agree that the advantage will go to the forgers and not the forgery detectors.

Some of the ways artists are hacking the music-streaming service Spotify.
http://www.vulture.com/2017/07/...

"Traffic shaping" -- the practice of tricking data into flowing through a particular route on the Internet so it can be more easily surveilled -- is an NSA technique that has gotten much less attention than it deserves. It's a powerful technique that allows an eavesdropper to get access to communications channels it would otherwise not be able to monitor. There's a new paper on this technique:
https://tcf.org/content/report/...
http://www.zdnet.com/article/...
An NSA document detailing the technique in the case of Yemen:
https://www.documentcloud.org/documents/...
This work builds on previous research that I blogged about.
http://papers.ssrn.com/sol3/papers.cfm?...
https://www.schneier.com/blog/archives/2014/07/...
The fundamental vulnerability is that routing information isn't authenticated.

I have a soft spot for interesting biological security measures, especially by plants. I've used them as examples in several of my books. Here's a new one: when tomato plants are attacked by caterpillars, they release a chemical that turns the caterpillars on each other:
https://www.theverge.com/2017/7/11/15948422/...

A set of documents in Pakistan was detected as forgeries because their fonts were not in circulation at the time the documents were dated.
https://www.theverge.com/2017/7/12/15961354/...
http://www.bbc.com/news/blogs-trending-40571708
https://arstechnica.com/tech-policy/2017/07/...


Amazon Patents Measures to Prevent In-Store Comparison Shopping

Amazon has been issued a patent on security measures that prevent people from comparison shopping while in the store. It's not a particularly sophisticated patent -- it basically detects when you're using the in-store Wi-Fi to visit a competitor's site and then blocks access -- but it is an indication of how retail has changed in recent years.

What's interesting is that Amazon is on the other side of this arms race. As an online retailer, it wants people to walk into stores and then comparison shop on its site. Yes, I know it's buying Whole Foods, but it's still predominantly an online retailer. Maybe it patented this to prevent stores from implementing the technology.

It's probably not nearly that strategic. It's hard to build a business strategy around a security measure that can be defeated with cellular access.

https://www.washingtonpost.com/news/innovations/wp/...
http://...


Schneier News

None - enjoy your summer.


Separating the Paranoid from the Hacked

Sad story of someone whose computer became owned by a griefer:

The trouble began last year when he noticed strange things happening: files went missing from his computer; his Facebook picture was changed; and texts from his daughter didn't reach him or arrived changed.
"Nobody believed me," says Gary. "My wife and my brother thought I had lost my mind. They scheduled an appointment with a psychiatrist for me."
But he built up a body of evidence and called in a professional cybersecurity firm. It found that his email addresses had been compromised, his phone records hacked and altered, and an entire virtual internet interface created.
"All my communications were going through a man-in-the-middle unauthorised server," he explains.

It's the "psychiatrist" quote that got me. I regularly get e-mails from people explaining in graphic detail how their whole lives have been hacked. Most of them are just paranoid. But a few of them are probably legitimate. And I have no way of telling them apart.

This problem isn't going away. As computers permeate even more aspects of our lives, it's going to get even more debilitating. And we don't have any way, other than hiring a "professional cybersecurity firm," of telling the paranoids from the victims.

http://www.bbc.com/news/business-40281353


Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <https://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including "Liars and Outliers: Enabling the Trust Society Needs to Survive" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and CTO of IBM Resilient and Special Advisor to IBM Security. See <https://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of IBM Resilient.

Copyright (c) 2017 by Bruce Schneier.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.