Category Archives: Control

NSL: Internet Archive Exposes Lack of Security in National Security Letters

The Internet Archive has for a decade been a cornerstone of the Internet, and the FBI was foolish to try to break it:
The FBI has withdrawn an illegal National Security Letter seeking information from an online library and has lifted a gag order that until Wednesday prevented any discussion of the information request.

Lawyers from the American Civil Liberties Union and Electronic Frontier Foundation helped the Internet Archive push back against what they say was an overly broad and unlawful request for information on one of its users. The FBI issued its National Security Letter in November, but ACLU, EFF and Archive officials were precluded from discussing it with anyone because of a gag order they say was unconstitutional.

After nearly five months of haggling, the FBI eventually withdrew its NSL, which requested personal information about at least one user of the Internet Archive. Founded in 1996, the archive is recognized as a library by the state of California, and its collections include billions of Web records, documents, music and movies.

Watchdogs prompt FBI to withdraw ‘unconstitutional’ National Security Letter, Nick Juliano, therawstory, Published: Wednesday May 7, 2008

The article goes on to say that the FBI has issued 200,000 National Security Letters, that almost none of those NSLs have been challenged, yet every single time someone has challenged an NSL in court, the FBI has withdrawn it.

How do these NSLs represent “Security”?

In any case, National Security Letters were authorized by the mis-named Patriot Act. Brewster Kahle has shown us how a real patriot acts:

CCTV Security Fad Fails

London probably has more security cameras per square inch than any other city, and:
The billions of pounds spent covering Britain with CCTV cameras has been an “utter fiasco” and failed to slash crime, Scotland Yard’s surveillance chief has said.

Detective Chief Inspector Mick Neville said a Metropolitan Police pilot project found just three per cent of street robberies in London were solved using CCTV images.

He claimed the vast swathes of money spent on cameras had been wasted because criminals don’t fear the cameras.

Billions spent on CCTV have failed to cut crime and led to an ‘utter fiasco’, says Scotland Yard surveillance chief, Just 3% of street robberies in London solved, By DANIEL BATES, Daily Mail, Last updated at 13:48pm on 6th May 2008

Needless to say, there are numerous efforts planned to make the cameras pay anyway.

The basic problem is:

But Mr Neville also castigated the police and claimed officers can’t be bothered to seek out CCTV images because it’s “hard work”.
CCTV is not the only security fad that hasn’t panned out:
For every 800 DNA samples being added by the police – including those taken from innocent people – only one crime is being solved.
We’ll see if either of these white elephant programs gets terminated. I’m not holding my breath.

-jsq

European Parliament Votes for Internet Freedom and Security

Sometimes a legislative body gets the picture and shows some spine:
Despite last minute attempts by the French government to divide them, European MEPs today voted decisively against “three strikes”, the IFPI-promoted plan to create a class of digital outcasts, forbidden from accessing the Net if repeatedly accused by music companies of downloading infringing content.

In a vote held today, hundreds of MEPs supported language which declared termination of Internet access to be in conflict with “civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness”, all core values of the European Union.

… And Guy Bono, the author of the report, had this to say in the plenary:

“On this subject, I am firmly opposed to the position of some Member States, whose repressive measures are dictated by industries that have been unable to change their business model to face necessities imposed by the information society. The cut of Internet access is a disproportionate measure regarding the objectives. It is a sanction with powerful effects, which could have profound repercussions in a society where access to the Internet is an imperative right for social inclusion.”

European Parliament to Sarkozy: No “Three Strikes” Here, Posted by Danny O’Brien, EFF, April 10th, 2008

The European Parliament voted for social inclusion, participation, and human rights over profits for a tiny group of companies. That wasn’t hard. Even if the vote had gone the other way, it wouldn’t have produced any real security for the tiny group, and the way it did go, it produces far more security for everyone else. Maybe the U.S. can get the message.

-jsq

Liberty vs. Control (Not Privacy vs. Security)

Bruce Schneier hits the nail on the head:
If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it’s true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

We’ve been told we have to trade off security and privacy so often — in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric — that most of us don’t even question the fundamental dichotomy.

But it’s a false one.

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence.

What Our Top Spy Doesn’t Get: Security and Privacy Aren’t Opposites, Bruce Schneier, Wired, 01.24.08 | 12:00 PM

There’s more, all well worth reading.

Here’s the gist:

The debate isn’t security versus privacy. It’s liberty versus control.

You can see it in comments by government officials: “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that? You’re expected to give up control of your privacy to others, who — presumably — get to decide how much of it you deserve. That’s what loss of liberty looks like.

Haven’t we lost enough already?

-jsq

Hammers to be Outlawed in UK

What can you expect when public, press, and government think “hacker” means criminal?
The UK government has published guidelines for the application of a law that makes it illegal to create or distribute so-called “hacking tools”.

A revamp of the UK’s outdated computer crime laws is long overdue. However, provisions to ban the development, ownership and distribution of so-called “hacker tools” draw sharp criticism from industry. Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.

The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are subtle. The problem is that anything from nmap through wireshark to perl can be used for both legitimate and illicit purposes, in much the same way that a hammer can be used for putting up shelving or breaking into a car.

UK gov sets rules for hacker tool ban, Consultants in frame? Definitely Maybe By John Leyden, The Guardian, Published Wednesday 2nd January 2008 15:54 GMT

How long will it be before a simple traceroute gets you not only disconnected from your ISP but also clapped in jail for “hacking”?

It gets better:

Traffic Control Viewed as ISP Risk

Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what’s happening in China:
Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to “purify” the Internet — an apparently urgent task. “Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state,” President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country’s stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

The Great Firewall: China’s Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don’t know how, that article provides tips.

Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated:
Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by running Tor, which people use to hide their IP addresses, and watching what passed through it. He believes what he saw was people who had already broken into embassy accounts and were using them illicitly. He tried to inform the governments involved, who (except for Iran) were uninterested. Then he posted his information online, thus probably stopping the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity” walks around free.

-jsq

Free Burma!

Well, I hadn’t been planning on posting more on the Myanmar or Burma situation, but within minutes of my posting yesterday, the Free Burma folks found my post and commented on it with a link back to their site.

I’ve got to admire their quick use of the Internet to amplify their activism. Their web pages say they only started Sunday. Looks like some of their supporters are actually astroturf web sites, but that just goes with the territory. Also, a lot of people can’t type in their own web addresses correctly. However, they’ve collected a dozen more supporters while I’ve been typing this.

So, how could I refuse to post again on their requested date, which happened to be today?

-jsq

Web Panopticons: China and U.S.

Fergie points out a university project investigating censorship:

The "Great Firewall of China," used by the government of the People’s Republic of China to block users from reaching content it finds objectionable, is actually a "panopticon" that encourages self-censorship through the perception that users are being watched, rather than a true firewall, according to researchers at UC Davis and the University of New Mexico.

The researchers are developing an automated tool, called ConceptDoppler, to act as a weather report on changes in Internet censorship in China. ConceptDoppler uses mathematical techniques to cluster words by meaning and identify keywords that are likely to be blacklisted.

University Researchers Analyze China’s Internet Censorship System, News Report, Government Technology News, Sep 11, 2007

So the Great Firewall of China watches what users are doing by actively intercepting their traffic. Meanwhile, back in the U.S. of A., how about a passive web panopticon?


Brass Leaks

We already observed that military information security is a bit of an oxymoron, and over in Peerflow that the U.S. military thinks its soldiers in Iraq are likely leaks.

Well, it turns out that:

For years, members of the military brass have been warning that soldiers’ blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful than blogs do.

Army Audits: Official Sites, Not Blogs, Breach Security, By Noah Shachtman, Danger Room, August 17, 2007, 12:29:00 PM

Is there a psychologist in the house? Is the military blaming its own incompetent leaks on the troops a case of projection, or is it just plain old CYA?

I’m pretty sure hiding this report until the EFF filed a FOI lawsuit to get it is CYA.

I don’t think it’s good risk management for the troops, or the Iraqis, or even for the brass.

-jsq