Category Archives: Regulatory matters

Mega-cloud

Shhh… US Pressures Forced PayPal to Punish Mega (& MegaChat) for Encrypted Communications & Keeping Our Privacy

This is bizarre (see article below) but a good sign that what Mega offers in encrypted communications is the real deal and the authorities are certainly not impressed, thus the pressures on credit card companies to force Paypal to block out Mega, as they did previously with WikiLeaks.

BUT don’t forget Kim Dotcom’s newly launched end-to-end encrypted voice calling service “MegaChat” comes in both free and paid versions – see my earlier piece on how to register for MegaChat.

Under U.S. Pressure, PayPal Nukes Mega For Encrypting Files

By Andy
on February 27, 2015

After coming under intense pressure PayPal has closed the account of cloud-storage service Mega. According to the company, SOPA proponent Senator Patrick Leahy personally pressured Visa and Mastercard who in turn called on PayPal to terminate the account. Bizarrely, Mega’s encryption is being cited as a key problem.

During September 2014, the Digital Citizens Alliance and Netnames teamed up to publish a brand new report. Titled ‘Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,’ it offered insight into the finances of some of the world’s most popular cyberlocker sites.

The report had its issues, however. While many of the sites covered might at best be considered dubious, the inclusion of Mega.co.nz – the most scrutinized file-hosting startup in history – was a real head scratcher. Mega conforms with all relevant laws and responds quickly whenever content owners need something removed. By any standard the company lives up to the requirements of the DMCA.

“We consider the report grossly untrue and highly defamatory of Mega,” Mega CEO Graham Gaylard told TF at the time. But now, just five months on, Mega’s inclusion in the report has come back to bite the company in a big way.

Speaking via email with TorrentFreak this morning, Gaylard highlighted the company’s latest battle, one which has seen the company become unable to process payments from customers. It’s all connected with the NetNames report and has even seen the direct involvement of a U.S. politician.

According to Mega, following the publication of the report last September, SOPA and PIPA proponent Senator Patrick Leahy (Vermont, Chair Senate Judiciary Committee) put Visa and MasterCard under pressure to stop providing payment services to the ‘rogue’ companies listed in the NetNames report.

Following Leahy’s intervention, Visa and MasterCard then pressured PayPal to cease providing payment processing services to MEGA. As a result, Mega is no longer able to process payments.

“It is very disappointing to say the least. PayPal has been under huge pressure,” Gaylard told TF.

The company did not go without a fight, however.

“MEGA provided extensive statistics and other evidence showing that MEGA’s business is legitimate and legally compliant. After discussions that appeared to satisfy PayPal’s queries, MEGA authorised PayPal to share that material with Visa and MasterCard. Eventually PayPal made a non-negotiable decision to immediately terminate services to MEGA,” the company explains.

paypalWhat makes the situation more unusual is that PayPal reportedly apologized to Mega for its withdrawal while acknowledging that company’s business is indeed legitimate.

However, PayPal also advised that Mega’s unique selling point – it’s end-to-end-encryption – was a key concern for the processor.

“MEGA has demonstrated that it is as compliant with its legal obligations as USA cloud storage services operated by Google, Microsoft, Apple, Dropbox, Box, Spideroak etc, but PayPal has advised that MEGA’s ‘unique encryption model’ presents an insurmountable difficulty,” Mega explains.

As of now, Mega is unable to process payments but is working on finding a replacement. In the meantime the company is waiving all storage limits and will not suspend any accounts for non-payment. All accounts have had their subscriptions extended by two months, free of charge.

Mega indicates that it will ride out the storm and will not bow to pressure nor compromise the privacy of its users.

“MEGA supplies cloud storage services to more than 15 million registered customers in more than 200 countries. MEGA will not compromise its end-to-end user controlled encryption model and is proud to not be part of the USA business network that discriminates against legitimate international businesses,” the company concludes.

US-China

Shhh… NSA Demands on Crypto Backdoors Led to US-China Spat on Backdoors & Encryption

Photo (above) credit: US-China Perception Monitor.

GlennGreenward-Tweets

The tweet from Glenn Greenwald above sums up the prevailing stance between the US and China (see video clip below) on backdoors and encryption matters – please see also article below.

It’s not like the NSA has not been warned and China may just be the first of many to come.

The United States Is Angry That China Wants Crypto Backdoors, Too

Written by
Lorenzo Franceschi-Bicchierai
February 27, 2015 // 03:44 PM EST

When the US demands technology companies install backdoors for law enforcement, it’s okay. But when China demands the same, it’s a whole different story.

The Chinese government is about to pass a new counter terrorism law that would require tech companies operating in the country to turn over encryption keys and include specially crafted code in their software and hardware so that chinese authorities can defeat security measures at will.

Technologists and cryptographers have long warned that you can’t design a secure system that will enable law enforcement—and only law enforcement—to bypass the encryption. The nature of a backdoor door is that it is also a vulnerability, and if discovered, hackers or foreign governments might be able to exploit it, too.

Yet, over the past few months, several US government officials, including the FBI director James Comey, outgoing US Attorney General Eric Holder, and NSA Director Mike Rogers, have all suggested that companies such as Apple and Google should give law enforcement agencies special access to their users’ encrypted data—while somehow offering strong encryption for their users at the same time.


“If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”

Their fear is that cops and feds will “go dark,” an FBI term for a potential scenario where encryption makes it impossible to intercept criminals’ communications.

But in light of China’s new proposals, some think the US’ own position is a little ironic.

“You can’t have it both ways,” Trevor Timm, the co-founder and the executive director of the Freedom of the Press Foundation, told Motherboard. “If the US forces tech companies to install backdoors in encryption, then tech companies will have no choice but to go along with China when they demand the same power.”

He’s not the only one to think the US government might end up regretting its stance.


Someday US officials will look back and realize how much global damage they’ve enabled with their silly requests for key escrow.

— Matthew Green (@matthew_d_green) February 27, 2015

Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.

Matthew Green, a cryptography professor at Johns Hopkins University, tweeted that someday US officials will “realize how much damage they’ve enabled” with their “silly requests” for backdoors.

Ironically, the US government sent a letter to China expressing concern about its new law. “The Administration is aggressively working to have China walk back from these troubling regulations,” US Trade Representative Michael Froman said in a statement.

A White House spokesperson did not respond to a request for comment from Motherboard.

“It’s stunningly shortsighted for the FBI and NSA not to realize this,” Timm added. “By demanding backdoors, these US government agencies are putting everyone’s cybersecurity at risk.”

In an oft-cited examples of “if you build it, they will come,” hackers exploited a system designed to let police tap phones to spy on more than a hundred Greek cellphones, including that of the prime minister.

At the time, Steven Bellovin, a computer science professor at Columbia University, wrote that this incident shows how “built-in wiretap facilities and the like are really dangerous, and are easily abused.”

That hasn’t stopped other from asking though. Several countries, including India, Kuwait and UAE, requested BlackBerry to include a backdoor in its devices so that authorities could access encrypted communications. And a leaked document in 2013 revealed that BlackBerry’s lawful interception system in India was “ready for use.”

Wanted-Evgeniy Bogachev

How to Cope With File-Encrypting Ransomware Risks (After US Offer $3mn Award for GameOver Zeus creator Evgeniy Bogachev)?

It could be game over for Russian hacker Evgeniy Bogachev as the US State Department and FBI have issued a “Wanted” poster with a US$3 million reward for information leading to his arrest, the highest price the US authorities had ever placed on a head in a cyber case.

Wanted-Evgeniy Bogachev2

Bogachev, apparently still in Russia, was charged by the US for running a computer attack called GameOver Zeus that has allegedly amassed in excess of US$100 million from online bank accounts of businesses and consumers in the US and around the world.

However, despite the taking down of the GameOver botnet and the demise of CryptoLocker, it’s not all over as new variants of file-encrypting ransomware still exist. The following screen is what you don’t want to see on your computer monitor.

CryptoDefense

Check out this nice article about how to protect yourself from ransomware with the Sophos Virus Removal Tool.

I have an easier, effective and unorthodox solution, which I have mentioned in public lectures and previous columns.: changing your cyber lifestyle by having “naked” computers, i.e. not storing a single file in the computer hard disks, apart from the operating system and software program files.

In essence, I store all my files on an external encrypted hard disk and use either the 1 laptop or 2 laptops approach – with the former you alternate between online and offline depending on when you connect the external disk to the laptop and with the latter, you attach the external disk to a laptop that is offline (you can go one step further with the Snowden approach by using an “air gapped” computer, as he has recommended to Glenn Greenwald) and work online only with the other computer. The latter would come handy when on the road (even with the extra weight) as there are always risks with public (which one should always avoid) and hotel internet connections, spying walls, etc.

NSA-Rogers

Shhh… NSA Want Framework to Access Encrypted Communications

NSA Director Admiral Michael Rogers said at a cyber security conference in Washington DC Monday this week that the government needs to develop a “framework” so that the NSA and law enforcement agencies could read encrypted data when they need and he was immediately challenged by top security experts from the tech industry, most notably Yahoo’s chief information security officer Alex Stamos (see transcript).

SIM-Gemalto3

Shhh… Security Experts Not Convinced By Gemalto’s Swift “Thorough” Investigations into NSA-GCHQ SIM Card Hacks

Gemalto, the world’s largest SIM cards manufacturer that The Intercept reported last week to be hacked by the NSA and GCHQ, putting at risk some two billion SIM cards used in cellphones across the world, has somehow and somewhat concluded its findings after a “thorough” internal investigations in just six days, with assurance that its encryption keys are safe and admitted that the French-Dutch company believes the US and British spy agencies were behind a “particularly sophisticated intrusion” of its internal computer networks, back four-five years ago.

In The Intercept follow-up report (please see further below):

“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union.

Or consider this (below – Source: https://www.youtube.com/watch?v=z0amvXr8BUk )

SIM-Gemalto2

So, time to decide for yourself if you’re convinced and also think of solutions like encrypted communications – and do check out the video clips below:

Gemalto Doesn’t Know What It Doesn’t Know
By Jeremy Scahill
@jeremyscahill

Gemalto, the French-Dutch digital security giant, confirmed that it believes American and British spies were behind a “particularly sophisticated intrusion” of its internal computer networks, as reported by The Intercept last week.

This morning, the company tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.

Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

After the brief investigation, Gemalto now says that the NSA and GCHQ operations in 2010-2011 would not allow the intelligence agencies to spy on 3G and 4G networks, and that theft would have been rare after 2010, when it deployed a “secure transfer system.” The company also said the spy agency hacks only affected “the outer parts of our networks — our office networks — which are in contact with the outside world.”

Security experts and cryptography specialists immediately challenged Gemalto’s claim to have done a “thorough” investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces.

“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union. He adds that Gemalto remains “a high-profile target for intelligence agencies.”

Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, “This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all.”

In its statement, Gemalto asserted:

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”

But security and encryption experts told The Intercept that Gemalto’s statements about its investigation contained a significant error about cellphone technology. The company also made sweeping, overly-optimistic statements about the security and stability of Gemalto’s networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees. “Their ‘investigation’ seem to have consisted of asking their security team which attacks they detected over the past few years. That isn’t much of an investigation, and it certainly won’t reveal successful nation-state attacks,” says the ACLU’s Soghoian.

Security expert Ronald Prins, co-founder of the Dutch firm Fox IT, told The Intercept, “A true forensic investigation in such a complex environment is not possible in this time frame.”

“A damage assessment is more what this looks like,” he added.

In a written presentation of its findings, Gemalto claims that “in the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable.” Gemalto also referred to its own “custom algorithms” and other, unspecified additional security mechanisms on top of the 3G and 4G standards.

Green, the Johns Hopkins cryptography specialist, said Gemalto’s claims are flatly incorrect.

“No encryption mechanism stands up to key theft,” Green says, “which means Gemalto is either convinced that the additional keys could not also have been stolen or they’re saying that their mechanisms have some proprietary ‘secret sauce’ and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That’s a deeply worrying statement.”

“I think you could make that statement against some gang of Internet hackers,” Green adds. “But you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”

In a press conference today in Paris, Gemalto’s CEO, Olivier Piou, said his company will not take legal action against the NSA and GCHQ. “It’s difficult to prove our conclusions legally, so we’re not going to take legal action,” he said. “The history of going after a state shows it is costly, lengthy and rather arbitrary.”

There has been significant commercial pressure and political attention placed on Gemalto since The Intercept’s report. Wireless network providers on multiple continents demanded answers and some, like Deutsche Telekom, took immediate action to change their encryption algorithms on Gemalto-supplied SIM cards. The Australian Privacy Commissioner has launched an investigation and several members of the European Union parliament and Dutch parliament have asked individual governments to launch investigations. German opposition lawmakers say they are initiating a probe into the hack as well.

On Wednesday, Gerard Schouw, a member of the Dutch parliament, submitted formal questions about the Gemalto hack and the findings of the company’s internal investigation to the interior minister. “Will the Minister address this matter with the Ambassadors of the United States and the United Kingdom? If not, why is the Minister not prepared to do so? If so, when will the Minister do this?” Schouw asked. “How does the Minister assess the claim by Gemalto that the attack could only lead to wiretapping 2G-network connections, and that 3G and 4G-type networks are not susceptible to this kind of hacks?”

China Mobile, which uses Gemalto SIM cards, has more wireless network customers than any company in the world. This week it announced it was investigating the breach and the Chinese government said it was “concerned” about the Gemalto hack. “We are opposed to any country attempting to use information technology products to conduct cyber surveillance,” Foreign Ministry spokesman Hong Lei said. “This not only harms the interests of consumers but also undermines users’ confidence.” He did not mention that China itself engages in widespread, state-sponsored hacking.

While Gemalto is clearly trying to calm its investors and customers, security experts say the company’s statements appear intended to reassure the public about the company’s security rather than to demonstrate that it is taking the breach seriously.

The documents published by The Intercept relate to hacks done in 2010 and 2011. The idea that spy agencies are no longer targeting the company — and its competitors — with more sophisticated intrusions, according to Soghoian, is ridiculous. “Gemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto’s security team may want to keep looking, not just for GCHQ and NSA, but also, for the Chinese, Russians and Israelis too,” he said.

Green, the Johns Hopkins cryptographer, says this hack should be “a wake-up call that manufacturers are considered valuable targets by intelligence agencies. There’s a lot of effort in here to minimize and deny the impact of some old attacks, but who cares about old attacks? What I would like to see is some indication that they’re taking this seriously going forward, that they’re hardening their systems and closing any loopholes — because loopholes clearly existed. That would make me enormously more confident than this response.”

Green says that the Gemalto hack evidences a disturbing trend that is on the rise: the targeting of innocent employees of tech firms and the companies themselves. (The same tactic was used by GCHQ in its attack on Belgian telecommunications company Belgacom.)

“Once upon a time we might have believed that corporations like this were not considered valid targets for intelligence agencies, that GCHQ would not go after system administrators and corporations in allied nations. All of those assumptions are out the window, so now we’re in this new environment, where everyone is a valid target,” he says. “In computer security, we talk about ‘threat models,’ which is a way to determine who your adversary is, and what their capabilities are. This news means everyone has to change their threat model.”

Additional reporting by Ryan Gallagher. Josh Begley contributed to this report.

CitizenFour-Oscars

Shhh… Snowden’s Girlfriend at the Oscars for CitizenFour

Congratulations to Laura Poitras and her team behind “CitizenFour” in winning the Oscars for Best Documentary Feature. And did you notice Snowden‘s girlfriend Lindsay Mills was on the stage (see picture above (Credit: YouTube) and video clips below)?

The film on the Snowden revelations during his hiding in Hong Kong in 2013 will be aired on HBO later today.

SIMcard

Shhh… Solutions to NSA & GCHQ Hacks into SIM Cards to Eavesdrop on Mobile Phones Worldwide?

Glenn-pg97

This news originally from The Intercept, based on leaked files from Edward Snowden, shouldn’t come as a surprise as the NSA had been on a mission to Collect It All (Chapter 3) according to Glenn Greenwald’s book “No Place to Hide” (see above).

High time to seriously (re)consider encrypted communications like encrypted calls and messaging apps (despite efforts to ban encryption by Obama and Cameron)?

Snowden-Falciani

Edward Snowden & Hervé Falciani Knew Each Other Before Their Respective Exposé?

As it so happened, everything started and ended in Geneva…

It was a cold morning in mid-December 2008. Hervé Falciani has just finished packing his favorite black Rimowa luggage and a small handy leather bag with his five precious CDs safely tucked to the bottom.

“Mate I’m getting ready to leave for Nice for a few days, to do you know what,” he wrote on his encrypted email.

“Good luck mate. That’s the spirit. Am actually planning to get myself out of Geneva and home for good shortly after the New Year. Keep those stuff safe,” the reply promptly appeared on the computer screen.

“Will do. Thanks so much for all the guidance. Take care!” Falciani penned off, half-wishing his pal Snowden was not serious about leaving Geneva.

Well, that was probably how John le Carré approached his next best-selling spy novel but this opening scene may not be too far from the truth.

Falciani was widely dubbed the Snowden of the banking world when the HSBC exposé stole global headlines early this week. According to his profile, the then-36-year-old dual French-Italian national joined the British banking giant HSBC in 2000, in Monaco where he grew up, and was transferred to HSBC Private Bank (Suisse) in Geneva, Switzerland in 2006.

That was the same year Edward Snowden joined the CIA and the now famous whistleblower behind the NSA revelations was posted to Geneva the following year under diplomatic cover, where he admitted having grown disillusioned with American spy craft. He left Geneva and the agency in 2009.

And as an undercover CIA operative based in Geneva, Snowden probably knew some bankers as The Guardian once reported:

He described as formative an incident in which he claimed CIA operatives were attempting to recruit a Swiss banker to obtain secret banking information. Snowden said they achieved this by purposely getting the banker drunk and encouraging him to drive home in his car. When the banker was arrested for drunk driving, the undercover agent seeking to befriend him offered to help, and a bond was formed that led to successful recruitment.

The possibility that Snowden and Falciani knew each other may be a novelist’s creation and a trivial even if it’s true. But nevertheless, it would open up many possibilities.

Consider, for example, both claimed to have reported to their superiors, who ignored their respective complaints and warnings. Both became whistleblowers and accused for their actions. The two IT experts stole and released troves of internal data to the media – Falciani, the systems specialist of the HSBC Private Bank in Geneva now under the global spotlights, reportedly met French tax investigators at a cafe in Nice airport before Christmas of 2008 and handed them five CDs worth of confidential data pertaining to some 130,000 clients and 300,000 private accounts from 200 countries – which eventually reached then Finance Minister of France Christine Lagarde, who subsequently shared it with other countries.

And the rest was history as we know today.

Snowden is scheduled to speak via video-conference this Friday to the International Students For Liberty Conference in downtown Washington, D.C. Would be interesting to hear what he has to say about the HSBC exposé and… his friend Falciani.

Google-Erased

The Flawed “Right To Be Forgotten” Ruling on Google Cannot and Should Not be Globalized

A eight-member panel experts tasked to review privacy issues relating to online search giant Google Inc. has rejected late last week attempts by EU privacy watchdogs to extend the “right to be forgotten” ruling beyond the 28-nation bloc – see Bloomberg report below.

The European Court of Justice issued a landmark ruling last May that anyone living in the European Union and Europeans living outside the region could ask search engines like Google to remove links if they believed the online contents breached their right to privacy and are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”

I have explained in my column last July that the ruling was Much Ado About Nothing as it amounted to everything but forgotten: what Google essentially did was to remove results from name search of those names approved to be deleted but only on its European websites. The same results remain on the Google US homepage and all its non-European sites. Furthermore, Google is only removing the results but not the links.

Thus no surprise there are now efforts to address these not-so-forgotten issues.

But as I have further pointed out then, the more devastating and often overlooked impact was how any “right to be forgotten” would be a much welcomed and God-sent convenience for “women with a past and men with no future”, essentially amounting to the “right to be defrauded” as it was also described recently by Jason Wright of Kroll.

In short, anyone in support and calling to extend the “right to be forgotten” ruling – including the Hong Kong Privacy Commissioner Allen Chiang who erroneously heralded it as a way to grant everyone a “second chance in life” – is not only pulling the plug on the free flow of information but also effectively facilitating the closing down of everyone’s right to information, which would derail the notion of free markets in this global economy if every individuals and entities could so conveniently erase their dirty laundries (like criminal convictions, litigation history, old debts and past bankruptcy records for starters) at the expense of their counter-parties who could no longer trace anything – especially if this ruling was blindly extended and embraced globally.

And I stress once again, the internet, originally designed to exchange raw data between researchers and scientists, has evolved into a self-contained, self-sustained and self-evolving ecosystem of records, communications, commerce, entertainment, etc. Any attempt to remove the contents, successful or otherwise, is like playing God.

Historians will mark the EU ruling as a (irreversible) seismic error. Extending it to a global scale will have no equals in the history of mankind.

Google Panel Opposes EU Data Watchdogs on Forgotten Case

by Stephanie Bodoni

(Bloomberg) — A panel of experts enlisted by Google Inc. to review privacy issues following a European Union court ruling backed the search giant’s bid to limit the “right to be forgotten” to websites within the 28-nation bloc.

The eight-member group, which includes Wikipedia co-founder Jimmy Wales, rejected a push by EU privacy watchdogs to extend search link removals to Google’s global site.

“Delistings applied to the European versions of search will, as a general rule, protect the rights of the data subject adequately in the current state of affairs and technology,” the group said in the 41-page report. “Removal from nationally directed versions of Google’s search services within the EU is the appropriate means to implement the ruling at this stage.”

A ruling by the EU Court of Justice last year created a right to be forgotten, allowing people to seek the deletion of links on search engines if the information was outdated or irrelevant. The ruling created a furor, with Mountain View, California-based Google appointing the panel to advise it on implementing the law.

The geographic scope of an EU court ruling that forced the company last year to remove some search links on request was a “difficult question that arose throughout” the panel’s meetings, the group said.

Today’s report puts the group at odds with the 28-nation EU’s data-protection regulators who last year urged the company to allow people to seek the deletion of links to some personal data on the company’s main U.S. website.

Sabine Leutheusser-Schnarrenberger, a former German justice minister and one of the panel’s member, said that she opposed the majority view of the group on the geographical scope of the EU court ruling.

EU Domains

Removal requests “must not be limited to EU domains,” she said in the report. “The Internet is global, the protection of the user’s rights must also be global. Any circumvention of these rights must be prevented.”

The Google advisory group last year visited seven European cities, from Rome to Berlin, listening to academics and public officials.

“It’s been valuable to hear a wide range of viewpoints in recent months across Europe and we’ll carefully consider this report,” David Drummond, Google’s top lawyer, said in an e-mailed statement. “We’re also looking closely at the guidance given by Europe’s data protection authorities as we continue to work on our compliance with” the EU court ruling.

The company has received 212,109 requests to remove 767,804 links from its website to date, according to its website.

Initial Split

The deletion of links beyond the 28-nation EU was one of two issues that created an initial split between Google and data-protection regulators. Regulators have complained that information blocked on EU websites shouldn’t be easily accessible by visiting Google in other countries by changing a few characters on the browser address line.

The company’s policy of notifying the media about deleted links to stories on their websites also sparked the ire of regulators. The report recommended that search engines “should notify the publishers to the extent allowed by law.”

“In complex cases, it may be appropriate for the search engine to notify the webmaster prior to reaching an actual delisting decision,” the panel said. “If feasible, it would have the effect of providing the search engine additional context about the information at issue and improve accuracy of delisting determinations.”

SourceCode3

Shhh… US in Long Battle As China Request Source Code From Western Technology Companies

This spat on intrusive rules is going to be a huge long battle.

The US is voicing opposition to Chinese rules that foreign vendors hand over the source code if they were to supply computer equipments to Chinese banks – which could expand to other sectors as the matter is “part of a wider review”.

Other measures to comply with include the setting up of research and development centers in China and building “ports” for Chinese officials to manage and monitor the data processed by their hardware.

Submitting to these “intrusive rules” for a slice of the huge Chinese markets also means alienating the rest of the world – as complying with these rules means creating backdoors, adopting Chinese encryption algorithms and disclosing sensitive intellectual property.

Find out more from this video:

Obama-XiJinping4

US-China Spat on Intrusive Rules – And Actual Intrusions

Speaking of “intrusive rules” (see BBC report far below) and “actual intrusions” in China, the latter I have expanded recently in two articles – one on Apple yesterday and the other on VPN blocks last week – and merged in this new column I’m also pasting right below.

The long and short of it, it’s espionage made easy. Period.


Apple Lets Down Its Asia Users

Written by Vanson Soo
MON,02 FEBRUARY 2015

Knuckling under to China on security inspections

If you are a die-hard fan of Apple products and if you, your company or business have anything to do with mainland China, recent developments involving the US tech giant can be construed as bad news, with deeper implications than what was generally thought and reported.

First, about Apple.

I have always liked the beauty and elegance of Apple products. I have owned two Mac laptops and an iPhone but I have shunned them as anyone deeply conscious and concerned about privacy and security should do. Edward Snowden, for example, who laid bare extensive snooping by the US National Security Agency, recently said he had never used the iPhone given the existence of secret surveillance spyware hidden in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices including iPhones, iPads and Mac computers. The move understandably makes business sense to Apple [and its shareholders] as China is just too huge a market to ignore – so the Cupertino-based company [whose market capitalization hit US$683 billion last week, more than double Microsoft’s US$338 billion] realized it simply couldn’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

What Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well documented that Apple users were [and probably still are] known for their cult-like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers.

The company has also denied working with any government agencies to create back doors into its products or servers… So surrendering to security audits wouldn’t?

If only Apple users managed to chuck away their cult mentality and come to their senses about their privacy and security risks, the firm would realize the Google approach, though still not perfect, is a better way of cultivating brand loyalty.

And in case you’re wondering, I use Linux most of the time – and shun the most popular Linux distributions to be on the safe side.a

Now next. And this is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News surfaced in late January that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

The real impact is not merely on domestic residents who were cut off from YouTube, BBC/CNN news and other information sources but resident expatriates, multinationals, foreign embassies and those traveling to China, especially businessmen and executives. Think: Chinese espionage now made easy!

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through it, which effectively shields internet traffic from government filters that have set criteria on what sites can be accessed.

And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

Obama-XiJinping5

29 January 2015 Last updated at 14:35

US tech firms ask China to postpone ‘intrusive’ rules

By Kevin Rawlinson BBC News

US business groups are seeking “urgent discussions” over new Chinese rules requiring foreign firms to hand over source code and other measures.

The groups wrote to senior government officials after the introduction of the cybersecurity regulations at the end of last year.

The US Chamber of Commerce and other groups called the rules “intrusive”.

The regulations initially apply to firms selling products to Chinese banks but are part of a wider review.

“An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice,” the letter read.

The groups said that the rules would force technology sellers to create backdoors for the Chinese government, adopt Chinese encryption algorithms and disclose sensitive intellectual property.

Firms planning to sell computer equipment to Chinese banks would also have to set up research and development centres in the country, get permits for workers servicing technology equipment and build “ports” which enable Chinese officials to manage and monitor data processed by their hardware, Reuters reported.

Source code is the usually tightly guarded series of commands that create programs. For most computing and networking equipment, it would have to be turned over to officials, according to the new regulations.

Tension

In the letter, a copy of which has been seen by the BBC, the groups have asked the Chinese government to delay implementation of the regulations and “grant an opportunity for discussion and dialogue for interested stakeholders with agencies responsible for the initiatives”.

They added: “The domestic purchasing and related requirements proposed recently for China’s banking sector… would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” the letter, which was dated 28 January, read.

The letter from the American groups, including the US Chamber of Commerce, AmCham China and 16 others, was addressed to the Central Leading Small Group for Cyberspace Affairs, which is led personally by Chinese President Xi Jinping.

It comes at a time of heightened tension between the USA and China over cybersecurity. In May last year, Beijing denounced US charges against Chinese army officers accused of economic cyber-espionage.

Pressure

It was also alleged that the US National Security Agency spied on Chinese firm Huawei, while the US Senate claimed that the Chinese government broke into the computers of airlines and military contractors.

American tech firms, such as Cisco and Microsoft, are facing increased pressure from Chinese authorities to accept rigorous security checks before their products can be purchased by China’s sprawling, state-run financial institutions.

Beijing has considered its reliance on foreign technology a national security weakness, particularly following former National Security Agency contractor Edward Snowden’s revelations that US spy agencies planted code in American-made software to snoop on overseas targets.

The cyber-space policy group approved a 22-page document in late 2014 that contained the heightened procurement rules for tech vendors, the New York Times reported on Thursday.

Cryptoquip

Shhh… Why (Obama & Cameron) the NSA is Breaking Our Encryption and Why We Should Care

Here’s one nice TEDTalk on why encryption is important for everyone and why breaking or weakening it – British Prime Minister David Cameron and US President Barack Obama are now pushing for a ban on encryption – is not a good idea. To put it bluntly and briefly, it is shooting our own foot.

Encryption-LowTech

Shhh… Obama & Cameron: Here’s How Low-Tech Encrypted Communications Work – With Just a Pen & Paper – Which You Can’t Decrypt

Here’s a video on how to send an encrypted message in a very simple and low-tech way: with a pen and paper.

Beauty of this primitive but effective method is you would have burnt the “keys” and the authorities won’t be able to punch it out of you, even with water-boarding tactics.

But the one potential challenge is the pad of “cypher keys” (see video below) has to be shared securely in advance and used once at best. Alternative: have several of these pads and find a secure way to convey which pad to use for reference.

Wonder what British Prime Minister David Cameron and US President Barack Obama – who were keen to push for a total ban on encryption despite warnings of irreversible damages – have to say about this. The message to them: it’s impossible to ban encrypted communications.

VPN-China0

Shhh… China’s Block to VPN Services Has Global Impacts

This is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News has surfaced over the weekend that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through the designated pipe, which effectively shield internet traffic from government filters that have set criteria on what sites can be accessed.

Find out more about this news below – And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

VPN-China
VPN-China2
VPN-China3
VPN-China4

Snowden-iphone

Shhh… Snowden: iPhone has Secret Surveillance Spyware that Can Be Remotely Controlled

The NSA whistleblower Edward Snowden revealed last week that he doesn’t use an iPhone because the Apple device has a secret surveillance spyware controlled by the US intelligence agency.

Obama-Blackberry

Obama: Why is Your Blackberry Super-Encrypted & You Want to Ban the World from Using Encryption?

Let’s have a different take on Obama and his endorsement (of Cameron’s drive) to kill encryption.

Obama is not allowed to use an iPhone because it’s “not safe”, the NSA advised him – Edward Snowden has recently said the iPhone was made to remotely track and transmit data about users.

Obama uses a Blackberry because of its reputation for security. But it’s still not safe enough, so his device was further encrypted though experts warned it’s still no absolute guarantee.

So Mr. President, you understand very well the value of encryption and privacy. And you want to ban encryption in the name of national security when you knew very well the terrorists you’re after are very apt at finding alternatives (remember Osama bin Laden?), including using primitive channels like typewriters, paper and pen, etc?

And at the same time, you’re crippling the entire world – companies, individuals and government (what did Merkel tell you?) – with the floodgates thrown open to cyber-criminals and hackers?

Reckon you can see that the equation doesn’t add up?

BlackberryJohnChen

Shhh… Blackberry to Cameron & Obama: Encryption Ban a Gift to Hackers & Cyber-Criminals

Blackberry’s CEO John Chen in his latest blog post “Encryption Needn’t Be An Either/Or Choice Between Privacy and National Security” responded to the recent push by British Prime Minister David Cameron – endorsed by US President Barack Obama last week – to ban encrypted communications in the name of national security:

Encryption Needn’t Be An Either/Or Choice Between Privacy and National Security

In the wake of the Paris terror attacks earlier this month, U.K. Prime Minister David Cameron proposed banning encrypted communications services such as those offered by Apple, Facebook and others. President Obama partially endorsed Prime Minister Cameron’s proposal a few days later, indicating he would support banning encrypted communications services that cannot be intercepted by law enforcement and national security agencies. While there is no publicly-available evidence that encrypted communications played any role in the Paris attacks, security officials say their ability to prevent future attacks will be hindered if terrorists are able to evade surveillance using encrypted communications and messaging services.

Privacy advocates have harshly criticized the Cameron-Obama proposals, arguing that encryption is a vital tool for protecting sensitive government, corporate and personal data from hacking and other forms of cyber theft. Following the recent spate of hacking attacks against Sony, Target, Home Depot, certain celebrity users of popular but hackable smartphones, and others, these advocates argue we need more, not less encryption. Further, they argue that banning encryption will not necessarily make it easier for security agencies to surveil terror plotters; after all, the terrorists will know they are being overheard and will simply communicate in new and ever-changing forms of coded language.

Reconciling these opposing perspectives on encryption requires a reasoned approach that balances legitimate national security concerns with legitimate cyber security concerns.

Privacy is Everyone’s Concern

Our dependence on computing devices for transmitting and storing sensitive personal information has become irreversible. Billions of items of personal information including health records, bank account records, social security numbers and private photographs reside on millions of computers and in the cloud. This information is transmitted via the internet every day. The same is true for highly confidential and proprietary business information. And of course no government or law enforcement agency could function without maintaining high levels of information security.

With so much information residing on computer networks and flowing through the internet, cyber security has emerged as one of society’s uppermost concerns. Protecting private and sensitive information from hacking, intrusion and exfiltration now commands the attention not just of computer professionals, but also heads of state, CEOs, Boards of Directors, small business owners, and every individual using a computer or smartphone, and even those who never use a computing device.

Modern forms of encrypting voice and data traffic provide the best protection for highly valuable and private personal, business and government information. Rendering data unreadable to the intruder greatly diminishes the incentive to hack or steal. Banning encryption, therefore, would dramatically increase the exposure of all such information to hacking and cyber theft. Clearly that is not a viable option.

Call of Duty

On the other hand, the same encryption technology that enables protection of sensitive data can also be abused by criminals and terrorists to evade legitimate government efforts to track their data and communications. Companies offering encrypted communications thus have a duty to comply with lawful requests to provide information to security agencies monitoring would-be terrorists. Companies like BlackBerry: We’ve supported FIPS 140-2 validated encryption in all of our devices for the past 10 years – longer than many of our competitors have been selling smartphones.

Depending on the particular technology involved, that information requested by law enforcement agencies might include the content of encrypted messages, but it may include other vital data such as user information, the dates and times the subscriber contacted other users, the length of such communications, the location of the user, and so forth. In many instances non-content user information can be even more important than the actual content itself, because such metadata can provide crucial leads and other vital intelligence to law enforcement and security agencies.

Let’s be clear: I am not advocating sharing data with governments for their ongoing data collection programs without a court order, subpoena or other lawful request. However, telecommunications companies, Internet Service Providers, and other players in the modern communications and messaging ecosystem need to take seriously their responsibility to comply and to facilitate compliance with reasonable and lawful requests for such information. Unfortunately, not all players in the industry view this issue the same way. Some Silicon Valley companies have publicly opposed government efforts to enable lawful surveillance and data gathering, even where lives may hang in the balance. These companies appear to be trying to position themselves as staunchly “pro-privacy,” without according sufficient weight to legitimate and reasonable governmental efforts to monitor and track would-be terrorists. Far from protecting privacy rights, this irresponsible approach risks providing ever stronger arguments to those who would subjugate all cyber privacy concerns to national security.

The answer, therefore, is not to ban encryption, because doing so would give hackers and cyber-criminals a windfall, making it much easier for them to mine billions of items of sensitive personal, business and government data. Instead, telecommunications and internet companies should cooperate with the reasonable and lawful efforts of governments to fight terrorism. That way we can help protect both privacy and lives.

ObamaCameron

Shhh… Obama to Support Cameron on Encryption Ban – Knowingly Betray Our Privacy and Security

US President Obama has openly voiced support to British Prime Minister’s idea about banning encryption but as The Guardian report (below) last week on a secret US cybersecurity document in 2009 showed, they are very well aware their decision would leave the entire world highly vulnerable to cyber attacks at the expense of their interest in national security and terrorism matters.


Secret US cybersecurity report: encryption vital to protect private data


Newly uncovered Snowden document contrasts with British PM’s vow to crack down on encrypted messaging after Paris attacks

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

The advice, in a newly uncovered five-year forecast written in 2009, contrasts with the pledge made by David Cameron this week to crack down on encryption use by technology companies.

In the wake of the Paris terror attacks, the prime minister said there should be no “safe spaces for terrorists to communicate” or that British authorites could not access.

Cameron, who landed in the US on Thursday night, is expected to urge Barack Obama to apply more pressure to tech giants, such as Apple, Google and Facebook, which have been expanding encrypted messaging for their millions of users since the revelations of mass NSA surveillance by the whistleblower Edward Snowden.

Cameron said the companies “need to work with us. They need also to demonstrate, which they do, that they have a social responsibility to fight the battle against terrorism. We shouldn’t allow safe spaces for terrorists to communicate. That’s a huge challenge but that’s certainly the right principle”.

But the document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

Part of the cache given to the Guardian by Snowden was published in 2009 and gives a five-year forecast on the “global cyber threat to the US information infrastructure”. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency’s staff through its intranet.

One of the biggest issues in protecting businesses and citizens from espionage, sabotage and crime – hacking attacks are estimated to cost the global economy up to $400bn a year – was a clear imbalance between the development of offensive versus defensive capabilities, “due to the slower than expected adoption … of encryption and other technologies”, it said.

An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA.

The report warned: “Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems.”

It further noted that the “scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries”.

The primary adversaries included Russia, whose “robust” operations teams had “proven access and tradecraft”, it said. By 2009, China was “the most active foreign sponsor of computer network intrusion activity discovered against US networks”, but lacked the sophistication or range of capabilities of Russia. “Cyber criminals” were another of the major threats, having “capabilities significantly beyond those of all but a few nation states”.

The report had some cause for optimism, especially in the light of Google and other US tech giants having in the months prior greatly increased their use of encryption efforts. “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions,” it concluded.

Official UK government security advice still recommends encryption among a range of other tools for effective network and information defence. However, end-to-end encryption – which means only the two people communicating with each other, and not the company carrying the message, can decode it – is problematic for intelligence agencies as it makes even warranted collection much more difficult.

The latest versions of Apple and Google’s mobile operating systems are encrypted by default, while other popular messaging services, such as WhatsApp and Snapchat, also use encryption. This has prompted calls for action against such strong encryption from ministers and officials. Speaking on Monday, Cameron asked: “In our country, do we want to allow a means of communication between people which we cannot read?”

The previous week, a day after the attack on the Charlie Hebdo office in Paris, the MI5 chief, Andrew Parker, called for new powers and warned that new technologies were making it harder to track extremists.

In November, the head of GCHQ, Robert Hannigan, said US social media giants had become the “networks of choice” for terrorists. Chris Soghoian, principal senior policy analyst at the American Civil Liberties Union, said attempts by the British government to force US companies to weaken encryption faced many hurdles.

“The trouble is these services are already being used by hundreds of millions of people. I guess you could try to force tech companies to be less secure but then they would be less secure against attacks for anyone,” he said.

GCHQ and the NSA are responsible for cybersecurity in the UK and US respectively. This includes working with technology companies to audit software and hardware for use by governments and critical infrastructure sectors.

Such audits uncover numerous vulnerabilities which are then shared privately with technology companies to fix issues that could otherwise have caused serious damage to users and networks. However, both agencies also have intelligence-gathering responsibilities under which they exploit vulnerabilities in technology to monitor targets. As a result of these dual missions, they are faced with weighing up whether to exploit or fix a vulnerability when a product is used both by targets and innocent users.

The Guardian, New York Times and ProPublica have previously reported the intelligence agencies’ broad efforts to undermine encryption and exploit rather than reveal vulnerabilities. This prompted Obama’s NSA review panel to warn that the agency’s conflicting missions caused problems, and so recommend that its cyber-security responsibilities be removed to prevent future issues.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”. It is unclear why such a document was posted to the agency’s intranet, which is available to all agency staff, NSA workers, and even outside contractors.

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Security experts regularly say that keeping software up to date and being aware of vulnerabilities is vital for businesses to protect themselves and their customers from being hacked. Failing to fix vulnerabilities leaves open the risk that other governments or criminal hackers will find the same security gaps and exploit them to damage systems or steal data, raising questions about whether GCHQ and the NSA neglected their duty to protect internet systems in their quest for more intelligence.

A GCHQ spokesman said: “It is long-standing policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the parliamentary intelligence and security committee.“All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European convention on human rights.”

Michael Beckerman, president and CEO of the Internet Association, a lobby group that represents Facebook, Google, Reddit, Twitter, Yahoo and other tech companies, said: “Just as governments have a duty to protect to the public from threats, internet services have a duty to our users to ensure the security and privacy of their data. That’s why internet services have been increasing encryption security.”

Cameron

Shhh… Paris Attacks: Dangerous Precedence & Irreversible Damages with Cameron’s Pursuit of “Safe Spaces” & Ban on Encrypted Online Messaging Apps

In the aftermath of the recent Charlie Hebdo attacks, it came as no surprise politicians were quick to up the antenna (again) on surveillance and stifle the right to privacy – whilst, in the same breath, they drape themselves publicly in Paris to embrace free speech and press freedom.

British Prime Minister David Cameron, for example, stole the headlines this week saying that, if re-elected in May, he would ban encrypted online messaging apps like WhatsApp and Snapchat if the British intelligence agencies were not given backdoors to access the communications.

“We must not allow terrorists safe space to communicate with each other,” said Cameron as he spoke about a “comprehensive piece of legislation” to close the “safe spaces” used by suspected terrorists – and also planned to encourage US President Barack Obama (who should be reminded that he has promised to pursue NSA reforms) to make internet companies like Facebook and Twitter cooperate with British intelligence agencies to track the online activities of Islamist extremists.

Backdoors are by and large security holes and what Cameron is proposing would set a dangerous precedence with irreversible consequences far beyond the loss of free speech – this is best summed up in the following open letter to David Cameron (below – and here):

Cameron-OpenLetter
Cameron-OpenLetter2

data-breach-DATA

New US Sanctions on North Korea – Comparing Sony & the World’s Biggest Data Breaches

In what looks like the opening salvo in response to the major cyberattack on Sony Pictures Entertainment, the United States slapped North Korea with a new round of sanctions last Friday when President Obama signed an Executive Order authorizing the imposition of sanctions and designated 3 entities and 10 individuals for being agencies or officials of the North Korean government.

According to a Treasury Department statement:

databreach-Sanctions

databreach-Sanctions2

The identifiers of these 10 individuals are:

databreach-Sanctions3

But the US government knew sanctions have had limited impact on the Hermit Kingdom. The new sanctions might be deemed as swift and decisive measures in some quarters but it is really nothing more than a window-dressing of sorts – much like animating a gun with one’s fingers under a coat as a first warning at best. Consider, for example, what kind of impact should one expect from these new sanctions anyway? The 3 organizations were already on the US sanctions list and the 10 North Koreans are highly unlikely to have assets in the US, at least not under their name.

In any case, the horizon ahead of 2015 is likely to be proliferated with more headlines about catastrophic data breaches.

And the Sony cyberattack actually pale in comparison to other data breaches on record, as shown (below) by independent data journalist and information designer David McCandless – you can also click on the bubbles to find out about these cases shown in the chart and table nicely compiled and presented in his blog.

databreachChart1
databreachChart2
databreachChart3

Hui-Tsang

The Rafael Hui Case Amplifies Flaws in Hong Kong’s Background Checks & Vetting System

Photo above: Rafael Hui (right) and Donald Tsang (left)

My last post of the year below and also in AsiaSentinel.

RafaelHui

Photo above: Rafael Hui

Why Didn’t the HK Vetting System Find Raphael Hui?

Former chief secretary, on his way to jail for 7-1/2 years, should have been spotted by background checks

Written by Vanson Soo
WED,24 DECEMBER 2014

The Hong Kong High Court delivered a landmark ruling Tuesday that brought an end to a chapter of one of the highest-level corruption trials in the city’s history with the conviction of former Chief Secretary Raphael Hui for bribery, along with the two executives who bribed him. But one serious question lingers.

Hui was handpicked by then Hong Kong chief executive Donald Tsang to return to the civil service as chief secretary. Why didn’t the background checks turn up what was obviously a grotesquely opulent lifestyle?

The 131-day high-profile trial involving Hui, effectively the number two in the Hong Kong government hierarchy, and two tycoons of Sun Hung Kai, the world’s second-most valuable real estate company according to Bloomberg, drew effective closure with Hui receiving seven and a half years behind bars for five charges including taking HK$8.5 million (US$1.1 million) in bribes from Sun Hung Kai co-chairman Thomas Kwok, who was given a five-year sentence and fined HK$500,000 for conspiring to corrupt the former chief secretary.

But who would have dared to oppose Hui’s appointment during the vetting process if Tsang wanted him? Apparently nobody. And shouldn’t Tsang be held responsible for overlooking Hui’s (known) vices? Shouldn’t the system have counted on the chief executive as the last line of defense to be absolutely clean?

If pre-employment background checks found a lavish opulent lifestyle and a high-spending propensity that were well known among Hui’s peers, who cast aside the potential red flag as merely a private and personal matter? Wasn’t it a colossal mistake that nobody asked the very simple question, if he was spending well beyond his means, where was he getting the money? Who then should be responsible for the gross oversight?

Details of Hui’s high life, including the showering of expensive gifts on his high-maintenance young mistress, came to light during the trial but it also emerged that his tilt towards the material world was no secret among his associates.

In light of Hui’s case, the government has defended its system of background checks, insisting there were adequate checks in place prior to slotting civil servants into their appointments. That defense highlights one gross, systematic problem, such as pre-employment background checks, in both the civil and commercial sectors alike: a check-the-box mentality instead of a serious investigation.

Pre-employment background checks are an exercise to ensure someone is properly, thoroughly and systematically vetted before an official undertaking, such as employment or appointment, to the extent that the person doesn’t become a potential liability and cause embarrassment sometime down the way.

These checks have both quantitative and qualitative elements. On the quantitative side, the checks include paper trials to confirm (thus the tag “check-the-box”) personal details, educational background, career history and highlight any potential conflicts and red flags found – for example, any record of bankruptcy, insolvency, sanctions, political affiliations, criminal history, etc.

In the civil service, all those checks extend to the subject’s next-of-kin. In commercial background checks (for example, banks in some jurisdictions are required to conduct these checks on all new hires), any personal stake and interest in other companies would also be material information.

The qualitative checks refer to efforts to find, as the wording suggests, any non-quantitative (i.e. non-documented) facts that could potentially cause trouble. In some commercial checks I have done for my clients, for example, someone found to have a high gambling propensity, or another with a history of sexual harassment in the workplace, were duly noted and accounted for in the process. In the political sphere, for example, anyone found to have employed undocumented immigrants would be promptly flagged in the United States and has been, ending the careers of several high-level appointees.

The check-the-box exercise underscores the very bureaucracy of the civil service as these background checks are designed to be “on the safe side,” documenting only those facts that are “traceable and reliable,” according to a source, a former senior Hong Kong government official familiar with the background checks and vetting processes within the civil service.

Beyond these quantifiable facts, the source told me any adverse comments – such as reports of one’s character, much like Hui’s high life – would rarely be passed on in the reports because they would be easily challenged. In several instances, troubles emerged later precisely because these omitted qualitative red flags came back to haunt both the employers and the newly employed.

The point then is, so what if Hui is known to have those vices? The government can boast all they want about their rigorous system of checks, including having two referees to evaluate the candidate but what use is it when the referees were appointed by the candidates themselves?

In Hui’s case, he was handpicked by Tsang to return to the civil service as chief secretary. But it has been widely reported that Tsang himself could face criminal prosecution on charges of improper conduct in office although the city’s anti-graft body – the Independent Commission Against Corruption (ICAC) – only says its investigation is still underway.

So, was it not a colossal mistake by the civil service to assume poor Hui and companies wouldn’t be singing Christmas carols behind bars, this and several more Christmas ahead?

Phones-eavesdropping

Shhh… A Feasible Strategy Despite Severe Innate Phone Security (Eavesdropping) Flaws Like SS7

The Washington Post article below once again highlights one approach to mobile phone usage: have many spares, apart from your regular smartphone(s), like good old cellulars and disposable low-value SIM cards. Dispose the SIM card after each use and always switch amongst those cellulars.

It can’t stop eavesdropping but at least the hackers and spies cannot trace you so easily. The approach may sound extreme to most people, so for all practical reasons, it’s best recommended only for those important and confidential conversations.

SpareSimsPhones2

German researchers discover a flaw that could let anyone listen to your cell calls.
By Craig Timberg December 18

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They’ve likely sat on these things and quietly exploited them.”

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function — a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas.

“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”

Those tests have included more than 20 networks worldwide, including T-Mobile in the United States. The other major U.S. carriers have not been tested, though Nohl and Engel said it’s likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple’s iMessage and Whatsapp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.)

In a statement, T-Mobile said: “T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks.”

The issue of cell phone interception is particularly sensitive in Germany because of news reports last year, based on documents provided by former NSA contractor Edward Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of NSA surveillance. The techniques of that surveillance have not become public, though Nohl said that the SS7 hacking method that he and Engel discovered is one of several possibilities.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by German magazine Der Spiegel, based on documents released by Snowden. Many cell phone conversations worldwide happen with either no encryption or weak encryption.

The move to 3G networks offers far better encryption and the prospect of private communications, but the hacking techniques revealed by Nohl and Engel undermine that possibility. Carriers can potentially guard their networks against efforts by hackers to collect encryption keys, but it’s unclear how many have done so. One network that operates in Germany, Vodafone, recently began blocking such requests after Nohl reported the problem to the company two weeks ago.

Nohl and Engel also have discovered new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an “Any Time Interrogation” query.

Some carriers block such requests, and several began doing so after the Post’s report. But the researchers in recent months have found several other techniques that hackers could use to find the locations of callers by using different SS7 queries. All networks must track their customers in order to route calls to the nearest cellular towers, but they are not required to share that information with other networks or foreign governments.

Carriers everywhere must turn over location information and allow eavesdropping of calls when ordered to by government officials in whatever country they are operating in. But the techniques discovered by Nohl and Engel offer the possibility of much broader collection of caller locations and conversations, by anyone with access to SS7 and the required technical skills to send the appropriate queries.

“I doubt we are the first ones in the world who realize how open the SS7 network is,” Engel said.

Secretly eavesdropping on calls and texts would violate laws in many countries, including the United States, except when done with explicit court or other government authorization. Such restrictions likely do little to deter criminals or foreign spies, say surveillance experts, who say that embassies based in Washington likely collect cellular signals.

The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.

The German senator who cooperated in Nohl’s demonstration of the technology, Thomas Jarzombek of Merkel’s Christian Democratic Union party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

“After all the NSA and Snowden things we’ve heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone,” he said. “When I really need a confidential conversation, I use a fixed-line” phone.

Fingerprint-electronicInvestigation

Are You Unique – How to Check Your Browser Fingerprints & Online Privacy?

Think you have taken all measures to remain anonymous and untraceable online? Or are you still (unknowingly) leaving browser fingerprints that can be traced to you and your devices?

The good news is, there’s a way to check and confirm if you are unique in cyberspace.

A browser fingerprint, or device fingerprint, is the systematic collection of information about a remote device for identification purposes, even when cookies are turned off.

There’s a web site “Am I Unique” which you can visit and check by clicking “View my browser fingerprint” as shown below:

Fingerprinting-Browser

That should give much food for thoughts for the Christmas holidays?

According to a recent international survey on 23,376 Internet users in 24 countries, carried out between October 7, 2014 and November 12, 2014, which found some 64 percent confessed they’re more concerned today about online privacy than they were a year ago.

Privacy-survey

That’s one way to gauge the post-Snowden effects. And if you still wonder why privacy matters, I highly recommend the Glenn Greenwald’s TEDTalk on “Why Privacy Matters“.

Surveillance-Homes

Shhh… US Federal Court: Warrantless Surveillance Footage in Public Areas is an Invasion of Privacy

Guess one would easily assume privacy does not apply in public areas – just look at the proliferation of CCTV cameras in the streets.

Well, that’s probably not necessarily the case judging by one recent court ruling in Washington. It may be good news for the general public and bad news for law enforcement.

Now first, many would probably associate the following 2 photos with typical covert surveillance operations, whereby operatives waited patiently to snap photos (and video) evidence of their subjects.

Surveillance-Detectives

Surveillance-Detectives2

But in this case involving the Washington police and Leonel Vargas (an “undocumented” immigrant suspected of drug trafficking), the authorities had a better idea.

The police planted a video camera, without a warrant, on a nearby utility pole 100 yards from Vargas’ rural Washington state house and shot 6 weeks worth of footage of his front yard whereby they eventually captured convincing evidence.

Vargas challenged the case on the grounds of violation of his privacy, which the government argued was not valid as his front yard is a public space and thus privacy does not apply.

The evidence put forward by the authorities was subsequently thrown out of the court by US District Judge Edward Shea, whose ruling is well summed up as such:

Law enforcement’s warrantless and constant covert video surveillance of Defendant’s rural front yard is contrary to the public’s reasonable expectation of privacy and violates Defendant’s Fourth Amendment right to be free from unreasonable search. The video evidence and fruit of the video evidence are suppressed.

Find out more about this case from here and there.

Sydney

One Question on the Sydney Siege: Why didn’t the Snipers Shoot Earlier?

I’m troubled by the Sydney siege at the Lindt Chocolate Café in Martin Place that has just concluded with 3 fatalities and 3 injured.

For starters, here’s one easy question: What’s wrong with these pictures (above from 7 News and the 2 below) and the video below (watch from 2:06 onwards)?

Sydney siege gunman-PIC
Photo credit: 7 News

Sydney-LindtCafeSeige-PIC
Picture: Ross Schultz Source: News Corp Australia

Now, the real question is: Where were the snipers? And why didn’t they shoot when they had the chance?

(Snipers reportedly manned nearby rooftops and shouted “Hostage down, window two” only when tactical police stormed the café at the end of the siege.)

If the media had these clear shots of the gunman Man Haron Monis, why didn’t the authorities have the snipers to take him down within the 16 hours window? If the snipers were not in a better position than the media, surely they have enough time to move for better views, rooftop or on the ground? The snipers of course need clearance from their commanders who should be on site with their squads. So does that mean the authorities did not want to kill him for whatever reasons?

Certainly many complicated questions but in any case, there were 17 hostages at stake and the police did not move in for the kill until (negotiations apparently failed and) there were gunshots within the café?

I have only one potential explanation: the authorities were concerned with the hostage taker’s claims that there were other explosive devices planted around the city – and the police have intelligence that he has comrades who would trigger those devices if he’s dead (I know it’s easier said than done but with good use of negotiators and intelligence, and a good 16-hour timeframe, the police and intelligence agencies could have established if he has other accomplices to detonate those devices, if any – plus it’s not that Man Haron Monis was any stranger to the Australian authorities. They should have a huge file on him all along).

Anything short (and as it turned out, his former lawyer, Manny Conditsis, reportedly told the media that Monis was an isolated figure who had acted alone), it’s sad to see yet another case whereby the authorities have not followed protocol in hostage situations: Take the man down (at the very opportunity).

It’s reminiscent of the Manila hostage event of 23 August 2010, when the hostage taker, former Philippines police officer Rolando Mendoza, hijacked a tourist bus with 25 hostages onboard. He was in plain sight (see picture below) several times, more than sufficient for the snipers to decide where to aim. But the Philippines authorities missed the opportunities, resulting in 9 deaths (including the perpetrator).

Manila-BusHostage-PIC

A longer version of this column appears in AsiaSentinel.com