
Using Law against Technology

On Thursday, a Brazilian judge ordered the text messaging service WhatsApp shut down for 48 hours. It was a monumental action.

WhatsApp is the most popular app in Brazil, used by about 100 million people. The Brazilian telecoms hate the service because it entices people away from more expensive text messaging services, and they have been lobbying for months to convince the government that it’s unregulated and illegal. A judge finally agreed.

In Brazil’s case, WhatsApp was blocked for allegedly failing to respond to a court order. Another judge reversed the ban 12 hours later, but there is a pattern forming here. In Egypt, Vodafone has complained about the legality of WhatsApp’s free voice-calls, while India’s telecoms firms have been lobbying hard to curb messaging apps such as WhatsApp and Viber. Earlier this year, the United Arab Emirates blocked WhatsApp’s free voice call feature.

All this is part of a massive power struggle going on right now between traditional companies and new Internet companies, and we’re all in the blast radius.

It’s one aspect of a tech policy problem that has been plaguing us for at least 25 years: technologists and policymakers don’t understand each other, and they inflict damage on society because of that. But it’s worse today. The speed of technological progress makes it worse. And the types of technology—especially the current Internet of mobile devices everywhere, cloud computing, always-on connections and the Internet of Things—make it worse.

The Internet has been disrupting and destroying long-standing business models since its popularization in the mid-1990s. And traditional industries have long fought back with every tool at their disposal. The movie and music industries have tried for decades to hamstring computers in an effort to prevent illegal copying of their products. Publishers have battled with Google over whether their books could be indexed for online searching.

More recently, municipal taxi companies and large hotel chains are fighting with ride-sharing companies such as Uber and apartment-sharing companies such as Airbnb. Both the old companies and the new upstarts have tried to bend laws to their will in an effort to outmaneuver each other.

Sometimes the actions of these companies harm the users of these systems and services. And the results can seem crazy. Why would the Brazilian telecoms want to provoke the ire of almost everyone in the country? They’re trying to protect their monopoly. If they win in not just shutting down WhatsApp, but Telegram and all the other text-message services, their customers will have no choice. This is how high-stakes these battles can be.

This isn’t just companies competing in the marketplace. These are battles between competing visions of how technology should apply to business, and between traditional businesses and “disruptive” new businesses. The fundamental problem is that technology and law are in conflict, and what’s worked in the past is increasingly failing today.

First, the speeds of technology and law have reversed. Traditionally, new technologies were adopted slowly over decades. There was time for people to figure them out, and for their social repercussions to percolate through society. Legislatures and courts had time to figure out rules for these technologies and how they should integrate into the existing legal structures.

They don’t always get it right—the sad history of copyright law in the United States is an example of how they can get it badly wrong again and again—but at least they had a chance before the technologies became widely adopted.

That’s just not true anymore. A new technology can go from zero to a hundred million users in a year or less. That’s just too fast for the political or legal process. By the time they’re asked to make rules, these technologies are well-entrenched in society.

Second, the technologies have become more complicated and specialized. This means that the normal system of legislators passing laws, regulators making rules based on those laws and courts providing a second check on those rules fails. None of these people has the expertise necessary to understand these technologies, let alone the subtle and potentially pernicious ramifications of any rules they make.

We see the same thing between governments and law-enforcement and militaries. In the United States, we’re expecting policymakers to understand the debate between the FBI’s desire to read the encrypted e-mails and computers of crime suspects and the security researchers who maintain that giving them that capability will render everyone insecure. We’re expecting legislators to provide meaningful oversight over the National Security Agency, when they can only read highly technical documents about the agency’s activities in special rooms and without any aides who might be conversant in the issues.

The result is that we end up in situations such as the one Brazil finds itself in. WhatsApp went from zero to 100 million users in five years. The telecoms are advancing all sorts of weird legal arguments to get the service banned, and judges are ill-equipped to separate fact from fiction.

This isn’t a simple matter of needing government to get out of the way and let companies battle in the marketplace. These companies are for-profit entities, and their business models are so complicated that they regularly don’t do what’s best for their users. (For example, remember that you’re not really Facebook’s customer. You’re their product.)

The fact that people’s resumes are effectively the first 10 hits on a Google search of their name is a problem—something that the European “right to be forgotten” tried ham-fistedly to address. There’s a lot of smart writing that says that Uber’s disruption of traditional taxis will be worse for the people who regularly use the services. And many people worry about Amazon’s increasing dominance of the publishing industry.

We need a better way of regulating new technologies.

That’s going to require bridging the gap between technologists and policymakers. Each needs to understand the other—not enough to be experts in each other’s fields, but enough to engage in meaningful conversations and debates. That’s also going to require laws that are agile and written to be as technologically invariant as possible.

It’s a tall order, I know, and one that has been on the wish list of every tech policymaker for decades. But today, the stakes are higher and the issues come faster. Not doing so will become increasingly harmful for all of us.

This essay originally appeared on CNN.com.

EDITED TO ADD (12/23): Slashdot thread.

Posted on December 23, 2015 at 6:48 AM

"The Medieval Origins of Mass Surveillance"

This interesting article by medieval historian Amanda Power traces our culture’s relationship with the concept of mass surveillance from the medieval characterization of the Christian god and how piety was policed by the church:

What is all this but a fundamental trust in the experience of being watched? One must wonder about the subtle, unspoken fear of the consequences of refusing to participate in systems of surveillance, or even to critique them seriously. This would be to risk isolation. Those who have exposed the extent of surveillance are fugitives and exiles from our paradise. They have played the role of the cursed serpent of Eden: the purveyor of illicit knowledge who broke the harmony between watcher and watched. The rest of us contemplate the prospect of dissent with careful unease, feeling that our individual and collective security depends on compliance.

[…]

Eight centuries ago, in November 1215, Pope Innocent III presided over a Great Council of the Church in Rome known as the Fourth Lateran Council. It was attended by high-ranking members of the ecclesiastical hierarchy and the monastic world, together with representatives of emperors, kings, and other secular leaders from throughout Christendom. Their decisions were promulgated through seventy-one constitutions. They began with a statement of what all Christians were required to believe, including specifics on the nature of God—by this time: “eternal and immeasurable, almighty, unchangeable, incomprehensible and ineffable”—and the view that salvation could be found only through the Roman Catholic Church. Anyone who disagreed, according to the third constitution, was to be handed over to secular lords for punishment, stripped of their property, and cast out of society until they proved their orthodoxy, or else be executed if they did not. Anyone in authority would be punished if they did not seek out and expel such people from their lands; their subjects would be released from obedience and their territories handed over to true Catholics. There was nothing empty about this threat: the council occurred in the middle of the bitter Albigensian Crusade, during which heresy—likened to a cancer in the body of Christendom—was purportedly being cut out of Languedoc by the swords of the pious.

The Fourth Lateran Council was talking about crimes of thought, of dissent over matters of belief, matters not susceptible of proof. But whether individuals were heretics could not, in theory, be established without investigating the contents of their minds. To this end, the council decreed that bishops’ representatives should inquire in every parish at least once a year to discover “if anyone knows of heretics there or of any persons who hold secret conventicles or who differ in their life and habits from the normal way of living of the faithful.” These representatives were to follow these external indications of nonconformity into the recesses of the mind and establish their meaning in each case. Over the decades the role of the inquisitor was developed into an art and a science, and elaborate handbooks were produced. But in 1215 it was stated merely that individuals should be punished if “unable to clear themselves of the charge.”

[…]

What is all this but a fundamental trust in the experience of being watched? Our trust is so strong that it seems to have found its own protective rationality, deeply rooted in Western consciousness. It’s an addict’s rationality, by which we’re unable to refrain from making public a stream of intimate details of our lives and those of children too young to consent. One must wonder about the subtle, unspoken fear of the consequences of refusing to participate in systems of surveillance, or even to critique them seriously. This would be to risk isolation. It would be a trifle paranoid to reveal less—a little eccentric, not quite rational.

Posted on December 21, 2015 at 1:09 PM

Back Door in Juniper Firewalls

Juniper has warned about a malicious back door in its firewalls that automatically decrypts VPN traffic. It’s been there for years.

Hopefully details are forthcoming, but the folks at Hacker News have pointed to this page about Juniper’s use of the DUAL_EC_DRBG random number generator. For those who don’t immediately recognize that name, it’s the pseudo-random-number generator that was backdoored by the NSA. Basically, the PRNG uses two secret parameters to create a public parameter, and anyone who knows those secret parameters can predict the output. In the standard, the NSA chose those parameters. Juniper doesn’t use those tainted parameters. Instead:

ScreenOS does make use of the Dual_EC_DRBG standard, but is designed to not use Dual_EC_DRBG as its primary random number generator. ScreenOS uses it in a way that should not be vulnerable to the possible issue that has been brought to light. Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations.

This means that all anyone has to do to break the PRNG is to hack into the firewall and copy or modify those “self-generated basis points.”
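To make that property concrete, the following sketch (an added example, not code from the original post, from Juniper or from the standard) builds a simplified Dual_EC-style generator whose basis points are self-generated as P = e·Q, and shows that one observed output plus e is enough to compute the next output. Assumptions: secp256k1 stands in for the NIST curve, outputs are not truncated, the X9.31 post-processing is not modelled, and all function names are illustrative.

```python
# Added illustration: simplified Dual_EC-style generator on a stand-in curve.
p = 2**256 - 2**32 - 977          # secp256k1 field prime; curve is y^2 = x^3 + 7

def add(P1, P2):
    """Add two affine points; None is the point at infinity."""
    if P1 is None or P2 is None: return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return None
    num, den = (3 * x1 * x1, 2 * y1) if P1 == P2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P1):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, P1)
        P1, k = add(P1, P1), k >> 1
    return acc

def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    v = (x**3 + 7) % p
    y = pow(v, (p + 1) // 4, p)   # square root formula is valid because p % 4 == 3
    return (x, y) if y * y % p == v else None

def make_points(e):
    """Self-generate basis points; whoever picks e knows that P = e*Q."""
    Q = next(pt for pt in map(lift_x, range(1, 100)) if pt)
    return mul(e, Q), Q

def step(s, P, Q):
    """One round: new state x(s*P), output x(new_state*Q), no truncation."""
    s = mul(s, P)[0]
    return s, mul(s, Q)[0]

def predict_next(output, e, Q):
    """With e, one observed output yields the next state and the next output."""
    R = lift_x(output)            # R = +/- state*Q; the sign does not change x
    next_state = mul(e, R)[0]     # e*R = +/- state*P, whose x is the next state
    return mul(next_state, Q)[0]

def demo(seed=0x1234567890ABCDEF, e=0xC0FFEE):
    P, Q = make_points(e)         # constructed sample values, not real parameters
    s, out1 = step(seed, P, Q)
    s, out2 = step(s, P, Q)
    return predict_next(out1, e, Q) == out2
```

The generator is only as trustworthy as the provenance and integrity of P and Q, which is why those constants deserve the same change control and verification as key material.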

Here’s a good summary of what we know. The conclusion:

Again, assuming this hypothesis is correct then, if it wasn’t the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place. And I’ve not even discussed the SSH backdoor which, as Wired notes, could have been the work of a different group entirely. That backdoor certainly isn’t NOBUS—Fox-IT claim to have found the backdoor password in six hours.

More details to come, I’m sure.

EDITED TO ADD (12/21): A technical overview of the SSH backdoor.

EDITED TO ADD (12/22): Matthew Green wrote a really good technical post about this.

They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone—maybe a foreign government—was able to decrypt Juniper traffic in the U.S. and around the world. And all because Juniper had already paved the road.

Another good article.

Posted on December 21, 2015 at 6:52 AM

Friday Squid Blogging: Penguins Fight over Squid

Watch this video of gentoo penguins fighting over a large squid.

This underwater brawl was captured on a video camera taped to the back of the second penguin, revealing this unexpected foraging behaviour for the first time. “This is completely new behaviour, not just for gentoo penguins but for penguins in general,” says Jonathan Handley, a doctoral student at Nelson Mandela Metropolitan University in Port Elizabeth, South Africa.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on December 18, 2015 at 4:11 PM
