Friday Squid Blogging: Antibiotic-Resistant Bacteria Found in Canadian Squid
This is not good news.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
On April 1, I announced the Seventh Mostly Annual Movie-Plot Threat Contest:
The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling the strings behind everyone’s backs? Did it have to force companies to build surveillance into its products, or could it just piggy-back on market trends? How does it deal with liberal democracies and ruthless totalitarian dictatorships at the same time? Is it blackmailing Congress? How does the money flow? What’s the story?
On May 15, I announced the five semifinalists. The votes are in, and the winner is Doubleplusunlol:
The NSA, GCHQ et al actually don’t have the ability to conduct the mass surveillance that we now believe they do. Edward Snowden was in fact groomed, without his knowledge, to become a whistleblower, and the leaked documents were elaborately falsified by the NSA and GCHQ.
The encryption and security systems that ‘private’ companies are launching in the wake of these ‘revelations’, however, are in fact being covertly funded by the NSA/GCHQ—the aim being to encourage criminals and terrorists to use these systems, which the security agencies have built massive backdoors into.
The laws that Obama is now about to pass will in fact be the laws that the NSA will abide by—and will entrench mass surveillance as a legitimate government tool before the NSA even has the capability to perform it. That the online populace believes that they are already being watched will become a self-fulfilling prophecy; the people have built their own panopticon, wherein the belief that the Government is omniscient is sufficient for the Government to control them.
“He who is subjected to a field of visibility, and who knows it, assumes responsibility for the constraints of power; he makes them play spontaneously upon himself; he inscribes in himself the power relation in which he simultaneously plays both roles; he becomes the principle of his own subjection.” Michel Foucault, Surveiller et punir, 1975
For the record, Guy Macon was a close runner-up.
Congratulations, Doubleplusunlol. Contact me by e-mail, and I’ll send you your fabulous prizes.
First-person experience of censorship in China.
So far it’s resisting.
Evernote and Deezer are also suffering attacks. I haven’t seen anything linking the three different victims, and the other two have not said anything about extortion demands.
This seems like a good idea.
We’re starting to see a proliferation of smart devices that can be controlled from your phone. The security risk is, of course, that anyone can control them from their phones. Like this Japanese smart toilet:
The toilet, manufactured by Japanese firm Lixil, is controlled via an Android app called My Satis.
But a hardware flaw means any phone with the app could activate any of the toilets, researchers say.
The toilet uses Bluetooth to receive instructions via the app, but the PIN code for every model is hardwired to be four zeros (0000), meaning that it cannot be reset and can be activated by any phone with the My Satis app, a report by Trustwave’s SpiderLabs information security experts reveals.
This particular attack requires Bluetooth connectivity and doesn’t work over the Internet, but many other similar attacks will. And because these devices tend to have their code in firmware, a lot of them won’t be patchable. My guess is that the toilet’s manufacturer will ignore it.
On the other end of your home, a smart TV protocol is vulnerable to attack:
The attack uses the Hybrid Broadcast Broadband TV (HbbTV) standard that is widely supported in smart television sets sold in Europe.
The HbbTV system was designed to help broadcasters exploit the internet connection of a smart TV to add extra information to programmes or so advertisers can do a better job of targeting viewers.
But Yossef Oren and Angelos Keromytis, from the Network Security Lab, at Columbia University, have found a way to hijack HbbTV using a cheap antenna and carefully crafted broadcast messages.
The attacker could impersonate the user to the TV provider, websites, and so on. This attack also doesn’t use the Internet, but instead a nearby antenna. And in this case, we know that the manufacturers are going to ignore it:
Mr Oren said the standards body that oversaw HbbTV had been told about the security loophole. However, he added, the body did not think the threat from the attack was serious enough to require a re-write of the technology’s security.
I’m at SHB 2014: the Seventh Annual Interdisciplinary Workshop on Security and Human Behavior. This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, anthropologists, business school professors, neuroscientists, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.
I call this the most intellectually stimulating two days of my year. The goal is discussion amongst the group. We do that by putting everyone on panels, but only letting each person talk for 5-7 minutes. The rest of the 90-minute panel is left for discussion.
The conference is organized by Alessandro Acquisti, Ross Anderson, and me. This year we’re at Cambridge University, in the UK.
The conference website contains a schedule and a list of participants, which includes links to writings by each of them. Ross Anderson is liveblogging the event. It’s also being recorded; I’ll post the link when it goes live.
Here are my posts on the first, second, third, fourth, fifth, and sixth SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops. It’s hard to believe we’ve been doing this for seven years.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Last June, the Guardian published a story about GCHQ tapping fiber-optic Internet cables around the globe, part of a program codenamed TEMPORA. One of the facts not reported in that story—and supposedly the fact that the Guardian agreed to withhold in exchange for not being prosecuted by the UK authorities—was the location of the access points in the Middle East.
On Tuesday, the Register disclosed that they are in Oman:
The secret British spy base is part of a programme codenamed “CIRCUIT” and also referred to as Overseas Processing Centre 1 (OPC-1). It is located at Seeb, on the northern coast of Oman, where it taps in to various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf. Seeb is one of a three-site GCHQ network in Oman, at locations codenamed “TIMPANI”, “GUITAR” and “CLARINET”. TIMPANI, near the Strait of Hormuz, can monitor Iraqi communications. CLARINET, in the south of Oman, is strategically close to Yemen.
Access is provided through secret agreements with BT and Vodafone:
British national telco BT, referred to within GCHQ and the American NSA under the ultra-classified codename “REMEDY”, and Vodafone Cable (which owns the former Cable & Wireless company, aka “GERONTIC”) are the two top earners of secret GCHQ payments running into tens of millions of pounds annually.
There’s no source document associated with the story, but it does seem to be accurate. Glenn Greenwald comments:
“Snowden has no source relationship with Duncan (who is a great journalist), and never provided documents to him directly or indirectly, as Snowden has made clear,” Greenwald said in an email. “I can engage in informed speculation about how Duncan got this document—it’s certainly a document that several people in the Guardian UK possessed—but how he got it is something only he can answer.”
The reporter is staying mum on his source:
When Wired.co.uk asked Duncan Campbell—the investigative journalist behind the Register article revealing the Oman location—if he too had copies proving the allegations, he responded: “I won’t answer that question—given the conduct of the authorities.”
“I was able to look at some of the material provided in Britain to the Guardian by Edward Snowden last year,” Campbell, who is a forensic expert witness on communications data, tells us.
Campbell also published this on the NSA today.
EDITED TO ADD (6/16): Cyprus is another interception point for Middle East surveillance.