Page 495
IT for Oppression
I’ve been thinking a lot about how information technology, and the Internet in particular, is becoming a tool for oppressive governments. As Evgeny Morozov describes in his great book The Net Delusion: The Dark Side of Internet Freedom, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, and propaganda. And they’re getting really good at it.
For a lot of us who imagined that the Internet would spark an inevitable wave of Internet freedom, this has come as a bit of a surprise. But it turns out that information technology is not just a tool for freedom-fighting rebels under oppressive governments, it’s also a tool for those oppressive governments. Basically, IT magnifies power; the more power you have, the more it can be magnified in IT.
I think we got this wrong—anyone remember John Perry Barlow’s 1996 manifesto?—because, like most technologies, IT technologies are first used by the more agile individuals and groups outside the formal power structures. In the same way criminals can make use of a technological innovation faster than the police can, dissidents in countries all over the world were able to make use of Internet technologies faster than governments could. Unfortunately, and inevitably, governments have caught up.
This is the “security gap” I talk about in the closing chapters of Liars and Outliers.
I thought about all these things as I read this article on how the Syrian government hacked into the computers of dissidents:
The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the Arab Spring was reaching a crescendo, the government in Damascus suddenly reversed a long-standing ban on websites such as Facebook, Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd move for a regime known for heavy-handed censorship; before the uprising, police regularly arrested bloggers and raided Internet cafes. And it came at an odd time. Less than a month earlier demonstrators in Tunisia, organizing themselves using social networking services, forced their president to flee the country after 23 years in office. Protesters in Egypt used the same tools to stage protests that ultimately led to the end of Hosni Mubarak’s 30-year rule. The outgoing regimes in both countries deployed riot police and thugs and tried desperately to block the websites and accounts affiliated with the revolutionaries. For a time, Egypt turned off the Internet altogether.
Syria, however, seemed to be taking the opposite tack. Just as protesters were casting about for the means with which to organize and broadcast their messages, the government appeared to be handing them the keys.
[…]
The first documented attack in the Syrian cyberwar took place in early May 2011, some two months after the start of the uprising. It was a clumsy one. Users who tried to access Facebook in Syria were presented with a fake security certificate that triggered a warning on most browsers. People who ignored it and logged in would be giving up their user name and password, and with them, their private messages and contacts.
I dislike this being called a “cyberwar,” but that’s my only complaint with the article.
There are no easy solutions here, especially because technologies that defend against one of those three things—surveillance, censorship, and propaganda—often make one of the others easier. But this is an important problem to solve if we want the Internet to be a vehicle of freedom and not control.
EDITED TO ADD (12/13): This is a good 90-minute talk about how governments have tried to block Tor.
Advances in Attacking ATMs
Cash traps and card traps are the new thing:
[Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer’s card from being ejected from the ATM when the transaction is completed.
“Spring traps are still being widely used,” EAST wrote in its most recently European Fraud Update. “Once the card has been inserted, these prevent the card being returned to the customer and also stop the ATM from retracting it. According to reports from one country despite warning messages that appear on the ATM screen or are displayed on the ATM fascia customers are still not reporting when their cards are captured, leading to substantial losses from ATM or point-of-sale transactions.”
More descriptions, and photos of the devices, in the article.
James Bond Movie-Plot Threats
Amusing post on the plausibility of the evil plans from the various movies.
EDITED TO ADD (12/13): There’s a whole book on this. Here’s an interview with the author.
The Psychology of IT Security Trade-offs
Good article. I agree with the conclusion that the solution isn’t to convince people to make better choices, but to change the IT architecture so that it’s easier to make better choices.
Classified Information Confetti
Some of the confetti at the Macy’s Thanksgiving Day Parade in New York consisted of confidential documents from the Nassau County Police Department, shredded sideways.
EDITED TO ADD (12/12): Update.
Hackback
Stewart Baker, Orin Kerr, and Eugene Volokh on the legality of hackback.
Liars and Outliers Ebook 50% Off and DRM-Free
Today only, O’Reilly is offering 50% off all its ebooks, including Liars and Outliers. This is probably the cheapest you’ll find a DRM-free copy of the book.
Homeland Security Essay Contest
The Naval Postgraduate School’s Center for Homeland Defense and Security is running its sixth annual essay competition. There are cash prizes. (Info on previous years here.)
Friday Squid Blogging: Another Squid Comic
Another squid comic.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Sidebar photo of Bruce Schneier by Joe MacInnis.