GCHQ Catalog Leaked


Several months ago Greenwald et al. reported on the NSA’s TAO division and provided a somewhat redacted copy of what amounts to its “spy catalog”. Yesterday GCHQ’s catalog was leaked, and there are indeed many similarities in capability between it and that of their American allies.

Link

The US House of Representatives today passed an amendment that would defund NSA programs designed to introduce backdoors. The bipartisan amendment, known as Massie-Lofgren, was billed as an exciting development by the EFF, with Mark Rumold, the Foundation’s counsel, stating that they “applaud the House for taking this important first step, and we look forward to other elected officials standing up for our right to privacy.” Many, including myself, have questioned whether the amendment will truly be effective in curtailing the NSA’s spying, at least on the domestic front. I suspect that it will be business as usual for the NSA and its associated contractors and affiliates.

Banner Art – I’m Working On It!


Okay, so quite a few people have been amused by the fact that I haven’t replaced the stock banner photos. I have actually sent some ideas to an artist to see what can be done, one of my favorites being a goat raising the flag at Iwo Jima, with the “hill” comprised of broken PCs labeled with privacy-invading concepts such as ‘key escrow’, etc. Kind of like the NetBSD attempt, but more political. Don’t quote me, but I believe that NetBSD changed their logo to be a little less “in your face” after a number of developers of Japanese heritage took offense at it. In any case, I digress. I am aware of the issue, and unless you are willing to volunteer your services as an artist to remedy the situation, please sit tight and I will get some art organized as soon as I can.

My Thoughts On Reset The Net


The Reset The Net initiative plans to run splash screens on major sites on June 5 encouraging users to protect themselves from mass surveillance. I have been asked what I think of the project, and my answer is simple: any initiative that results in more people using encryption is a good thing. I am uncertain how effective this will be at bringing about the legislative change needed to address the root cause of the problem, but I remain hopeful that such a targeted response may get some people talking.

Schneier To Leave BT

Bruce Schneier, the world-famous cryptographer behind algorithms like Blowfish, has been asked to clean out his desk (proverbially speaking, as he evidently teleworked from Minnesota) as a consultant with BT. For its part, the British telecom giant has claimed that the decision had nothing to do with his involvement in analyzing the Snowden documents with the team at The Guardian, but critics are skeptical. I wrote a brief response to this announcement on his blog and have included it below: for the convenience of readers, to ensure that the link doesn’t break over time, and more importantly to safeguard against the post being removed by the blog’s moderator.

“… hypothetically speaking I would think that if Bruce discovered the conduct of his employer conflicted with his own very well defined, publicly known ethical persona then I imagine he would hand in his resignation in a heartbeat. I know I would. You could counter-argue that perhaps BT’s board was angered about having someone like Bruce – who thanks to the Guardian and his analysis of the Snowden material now has “controversial” emblazoned on his back – on their payroll when their own hands aren’t exactly clean (allegedly, anyway, if you believe the British press). I understand that there are almost certainly NDAs in place and that neither Bruce nor BT could likely comment in depth on this issue.

Suffice to say, I think it removes a big question mark that has been hanging over Schneier’s head regarding his potential conflict of interest. I can only speculate that Schneier has a diverse schedule and a comparably diverse income stream from things like book sales, signings, endorsements and speaking appearances so I suspect (and hope, as he is one of the “good guys”) that this will not cause him any financial distress.
If (and I expect this to be neither confirmed nor vociferously denied) Schneier’s departure has even a shred of connection to his work on the Snowden material then I congratulate Bruce on standing up for what’s right and hope that he continues to be a bastion for free speech, limited government and internet security. On behalf of everyone who has read your work over the years – thank you.”

Schneier is a living treasure to the Internet security community. He has devoted a considerable portion of his life to researching and improving information security. Regardless of your opinion of his more controversial beliefs or his use of the proprietary, notoriously bug-filled and security-porous Windows, Bruce has conducted himself with professionalism and has been an asset to our industry. If the situation has occurred as some have alleged (emphasis on alleged), it would appear to be a tremendous mistake to let such a talented and valuable person slip through your organization as a result of nothing more than the bruised egos of a few white collars in the boardroom.

Bitcoin ATM Launches in Vancouver


The tech press is full of stories about the first North American bitcoin “ATM” opening in a coffee shop in Vancouver. This is all well and good, but the bit about a palmprint being required under “anti-money-laundering law” got my attention.

Bitcoin is presumably popular because of its relative anonymity (let’s call it pseudonymity). This service is requiring something more personally invasive than a standard bank account demands: your biometric information.

Yes, I know there is a whole variety of ways that this system could be circumvented. From using a “fake” palm (à la the fake fingers used against fingerprint scanners; with some poor-quality scanners just a high-resolution print would suffice) to using silicone to modify your own palmprint, we have heard of them all. No doubt you could also just offer the bum outside fifty bucks to do your bidding and hope he doesn’t run out the back exit with your cash. Nonetheless this doesn’t sit right with me, especially as this is not a true ATM but something more akin to a currency exchange, and one with a $1000/day limit. The last time I converted some cash into Canadian dollars at my local exchange I wasn’t asked for biometric identification. Indeed, I wasn’t asked for any ID whatsoever. Why is this process any different?

Full Disclosure and Whistleblowers


There was once a time when disclosure of a software vulnerability was considered reckless, uncouth and even potentially criminal. These days disclosure (with a courtesy email to the author of the software and an acceptable period of time to allow a patch to be produced) is considered responsible and is a generally accepted practice. It is even acceptable to publish your findings in the absence of a patch where the vendor has been given ample opportunity to fix their product but has not done so. Some would argue that this system gives software vendors an incentive to produce higher-quality code at release time and, should problems be found, to release a patch as soon as possible. Were there not the “big stick” of imminent disclosure through security lists like Bugtraq hanging over the heads of software vendors, it is likely vulnerabilities would remain unpatched for a far greater period of time or perhaps never be fixed. Public shaming, it seems, is a decent motivator.

It is with this in mind that I question vendors that impose a fixed schedule for the release of security patches (e.g. Microsoft’s Patch Tuesday). I can understand the rationale that it assists large enterprises in managing their assets, and I take into account that on rare occasions Microsoft has elected to push an out-of-cycle patch for some important vulnerability. Even so, the idea that we should schedule patches for release on a specific day seems ludicrous, especially in the world of security where time is absolutely critical. Assessments of the severity of found flaws can often be dead wrong, leading to a vulnerability that should have had patches rolled out immediately being left open and exploitable for weeks, depending on where in the monthly cycle it was first reported. Updates should be made available as quickly as possible. This doesn’t mean that testing of patches in a variety of environments should be skipped and “alpha” quality patches delivered to customers. Microsoft has had a few “bad updates” of late and no doubt would not like a repeat of that experience, particularly where rollback is difficult and an administrator must intervene to fix the issue. Rather, the entire process should be streamlined, and these big vendors should work to ensure that patches are released the day they are ready and not a moment later. Threats will not care that a patch is forthcoming next Tuesday if your machines are exploitable today.

A second and somewhat related thought centers on whistleblowers like Edward Snowden, whom the government regards as a terrorist. Whistleblowing on government practices that violate a nation’s own constitution or otherwise adversely affect a country should not be regarded as a crime but as a service to the citizens of that country. Many have stepped forward to shine a light on corrupt practices only to be rewarded with arrest and incarceration. As a consequence many do so anonymously, afraid to voice their concerns or air privileged information that may shed light on dark practices. Snowden and his breed of whistleblower have had the courage not only to leak information that they believe is important for the world to know, but to do so openly and without obscuring their identity. Depending on who you ask they are either extremely brave or incredibly stupid. No doubt Snowden will have to live with the consequences of his decision to go public and sign his name to these disclosures.

Snowden is, in effect, doing to government what the security industry’s ideal of “full disclosure” does to software vendors. No doubt questions remain as to how effective this process will be in achieving real change in how the US government’s surveillance agencies operate. Given that many citizens regard Snowden as a traitor and believe that mass surveillance is a necessary price to pay for their safety, I hold little hope that things will change.

A sensible government would establish a taskforce charged with the investigation of corruption and create an official channel through which government employees and contractors can anonymously voice their concerns about practices they have witnessed, without fear of reprisal. Such a taskforce must have the legal clout to conduct a thorough investigation and to report its results to Congress and, by extension, the American people.

Given the way that Washington operates today, the above suggestion is perhaps laughable. The checkbooks of lobbyists, not to mention senators with obvious conflicts of interest, have caused civil representation to morph into corporate representation, with the company with the most buddies in Washington (not to mention the deepest pockets) winning the game. The two parties’ horns are locked together to such an extent that there is a kind of governmental paralysis in D.C., one that ensures that those who complain the loudest receive the most attention, even if they represent the smallest of minorities.

It goes without saying that the US government is broken, and I do not blame the conspiracy theorists for believing that there is a plot in place to dissolve the core values of the nation. From the PATRIOT Act to the NDAA to secret courtrooms and NSLs, our rights have been eroded significantly in just ten years, and all in the name of “security.”

Everyone, it seems, needs protecting from the “terrorists,” a term that is not well defined and seems to be applied to anyone the government doesn’t like the look of (e.g. Middle Eastern men being placed on “no-fly lists” solely because of their ethnicity or surname).

The worst thing is that the people (with assistance from the well-cultivated government relationships with the supposedly “free” mainstream media) don’t seem to have a problem with this disturbing trend. It is not uncommon at an airport checkpoint, a place where people are asked to submit to ridiculous and ineffective security theater, to hear a complaint from one traveller about the onerous procedure countered by another exclaiming that they are ignorant and that this nonsense is somehow for the good of the nation. Clearly the TSA has no sense of humor: a recently photographed sign at an airport in Texas reads, in italics, “No jokes” and threatens that you may be detained if you disobey.

How did a country that was once the bastion of freedom slip so far from the ideals of the Founding Fathers? I can’t answer this question, but I posit that a lack of diligence from citizens regarding the actions of those appointed to represent us, combined with an acceptance of increasingly draconian policy, certainly took us a long way down that road.

Benjamin Franklin is quoted as stating that “those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” Perhaps those who obediently allow themselves to be groped at the airport by the TSA, whilst entertaining some vague notion that their molestation is somehow making the country a safer place to live, should consider the true motives behind the circus that is the current state of the US federal government.