Category Archives: Risk management

Out of Africa

Shhh… Out of Africa: Spies & Leaked Intelligence from the New “El Dorado of Espionage”

Here is an interesting story from The Guardian, based on a leaked cache of secret intelligence documents and cables.

Africa is new ‘El Dorado of espionage’, leaked intelligence files reveal

Continent emerges as the focus of international spying, with South Africa becoming a regional powerhouse and communications hub

Seumas Milne and Ewen MacAskill
Tuesday 24 February 2015 18.01 GMT

Africa emerges as the 21st century theatre of espionage, with South Africa as its gateway, in the cache of secret intelligence documents and cables seen by the Guardian. “Africa is now the El Dorado of espionage,” said one serving foreign intelligence officer.

The continent has increasingly become the focus of international spying as the battle for its resources has intensified, China’s economic role has grown dramatically, and the US and other western states have rapidly expanded their military presence and operations in a new international struggle for Africa.

With South Africa a regional powerhouse and communications hub, Pretoria has become a centre of the continent’s new Great Game, intelligence officials say, and a target of global espionage. The leaked documents obtained by al-Jazeera and shared with the Guardian contain the names of 78 foreign spies working in Pretoria, along with their photographs, addresses and mobile phone numbers – as well as 65 foreign intelligence agents identified by the South Africans as working undercover. Among the countries sending spies are the US, India, Britain and Senegal.

The United States, along with its French and British allies, is the major military and diplomatic power on the continent. South Africa spends a disproportionate amount of time focused on Iran and jihadi groups, in spite of internal documents showing its intelligence service does not regard either as a major threat to South Africa. “The Americans get what they want,” an intelligence source said.

The targets of foreign intelligence are myriad, ranging from jihadi groups to economic or technological theft. China has emerged as one of the biggest economic players on the continent, investing heavily in infrastructure, building a strong presence in many countries, in large part motivated by its huge appetite for fuel and resources.

Chinese intelligence is identified in one secret South African cable as the suspect in a nuclear break-in. A file dating from December 2009 on South Africa’s counter-intelligence effort says that foreign agencies had been “working frantically to influence” the country’s nuclear energy expansion programme, identifying US and French intelligence as the main players. But due to the “sophistication of their covert operations”, it had not been possible to “neutralise” their activities.

However, a 2007 break-in at the Pelindaba nuclear research centre – where apartheid South Africa developed nuclear weapons in the 1970s – by four armed and “technologically sophisticated criminals” was attributed by South African intelligence to an act of state espionage. At the time officials publicly dismissed the break-in as a burglary.

Several espionage agencies were reported to have shown interest in the progress of South Africa’s Pebble Bed Modular Reactor. According to the file, thefts and break-ins at the PBMR site were suspected to have been carried out to “advance China’s rival project”. It added that China was “now one year ahead … though they started several years after PBMR launch”.

In an October 2009 report by South Africa’s intelligence service, the National Intelligence Agency (NIA), on operations in Africa, Israel is said to be “working assiduously to encircle and isolate Sudan from the outside, and to fuel insurrection inside Sudan”. Israel “has long been keen to capitalise on Africa’s mineral wealth”, the South African spying agency says, and “plans to appropriate African diamonds and process them in Israel, which is already the world’s second largest processor of diamonds”.

The document reports that members of a delegation led by then foreign minister Avigdor Lieberman had been “facilitating contracts for Israelis to train various militias” in Africa.

The NIA’s relationship with its highly active Israeli counterpart, Mossad, has been mixed: close during the apartheid era, distant in the early years of the rule of the pro-Palestinian African National Congress, and more ambiguous in recent years.

One factor in South Africa’s attraction for rival spy agencies is the porous nature of its security services. A South African intelligence document, Security Vulnerabilities in Government, dated October 2009, offers an uncompromising look at the weakness of its security, a point rammed home by the fact it is marked secret but ended up among the leaked files.

The document says: “Foreign governments and their intelligence services strive to weaken the state and undermine South Africa’s sovereignty. Continuing lack of an acceptable standard of security … increases the risk.” It lists theft of laptop computers, insufficient lock-up facilities, limited vetting of senior officials in sensitive institutions, no approved encryption on landlines or mobiles, total disregard by foreign diplomats for existing regulations, ease of access to government departments allowed to foreign diplomats, and the lack of proper screening for foreigners applying for sensitive jobs.

According to one intelligence officer with extensive experience in South Africa, the NIA is politically factionalised and “totally penetrated” by foreign agencies: “Everyone is working for someone else.” The former head of the South African secret service, Mo Shaik, a close ally of the president, Jacob Zuma, was described as a US confidant and key source of information on “the Zuma camp” in a leaked 2008 Wikileaks cable from the American embassy in Pretoria.

The cables disclose an apparent assassination plot in Ethiopia against the South African politician Nkosazana Dlamini-Zuma, days after she became the new chair of the African Union Commission in 2012, giving a flavour of the day-to-day tribulations of intelligence operations in Africa.

South Africa’s head of station in Addis Ababa was warned of the plot, but instructed not to give details to the Ethiopians. Eventually, the Ethiopians were tipped off but the bodyguards assigned to Dlamini-Zuma’s hotel to protect her left their positions to get food and water.

In a frantic series of cables to Pretoria and in meetings with Ethiopian officials, South African intelligence officials are shown struggling to protect Dlamini-Zuma’s security without creating an impression of no confidence in Ethiopian security. When South Africa hands over a list of suspects, Ethiopian intelligence blames Sudan but is unable to link the names with Khartoum.

CitizenFour-Oscars

Shhh… Snowden’s Girlfriend at the Oscars for CitizenFour

Congratulations to Laura Poitras and her team behind “CitizenFour” in winning the Oscars for Best Documentary Feature. And did you notice Snowden‘s girlfriend Lindsay Mills was on the stage (see picture above (Credit: YouTube) and video clips below)?

The film on the Snowden revelations during his hiding in Hong Kong in 2013 will be aired on HBO later today.

Barbie2

Shhh… Doll Hack? New Wi-fi Connected “Hello Barbie” Risks Inviting Pedophiles Into the Barbie World

Barbie-HelloBarbie3

The newly announced internet-connected “Hello Barbie” (see video clip below) may be every girls’ dream but every parents’ nightmare.

The first-ever conversational doll (developed by ToyTalk in partnership with Mattel) will chat with the kids, record their conversations and transmit the recorded data to servers to be analyzed… and yes, risk being hacked and abused by pedophiles.

Think about it, it has all the hacking ingredients for any tech savvy blokes: wi-fi connection, speech-recognition software, phone apps (for kids?!), two-way conversations with kids and cloud storage.

Not convinced? Consider this: these capabilities mean these Barbies can also eavesdrop and record any conversation within the four-walls. Not much difference from the internet-connected spying Samsung smart TV.

“It wouldn’t take much for a malicious individual to intercept either the wi-fi communications from the phone or tablet, or connect to the doll over Bluetooth directly. These problems aren’t difficult to solve; the manufacturer needs to check the phone application carefully to make sure it’s secure. They also need to check that any information sent by the doll to their online systems is protected,” reportedly according to Ken Munro, a security researcher at Pen Test Partners, who has previously warned about the vulnerabilities in another doll called Cayla which uses speech-recognition and Google’s translation tools.

SIMcard

Shhh… Solutions to NSA & GCHQ Hacks into SIM Cards to Eavesdrop on Mobile Phones Worldwide?

Glenn-pg97

This news originally from The Intercept, based on leaked files from Edward Snowden, shouldn’t come as a surprise as the NSA had been on a mission to Collect It All (Chapter 3) according to Glenn Greenwald’s book “No Place to Hide” (see above).

High time to seriously (re)consider encrypted communications like encrypted calls and messaging apps (despite efforts to ban encryption by Obama and Cameron)?

LenovoThinkPad2

Shhh… Pre-installed Superfish Malware Leaves Lenovo Computers Vulnerable to Man-in-the-Middle Attacks

I’m a self-confessed hardcore fan of the good old IBM Thinkpad laptops but I’ve shied away from the black box ever since the Lenovo acquisition in 2005. And this (see video clips below) is one of those reasons. My tilt these days is towards those laptops with no parts made in China

HardDrive

Shhh… Simple Solutions to NSA’s Embedded Spyware in Hard Drives

This may be bad news but it’s not the end of the world. There’s no need to push the panic button.

You may have read that the NSA have reportedly inserted spyware on the hard drives made by top manufacturers like Western Digital, Seagate, Toshiba, Samsung, etc – ie. the hard drives in literally every computers in the world. This global surveillance exercise, discovered by Moscow-based security software Kaspersky Lab, mainly targeted “government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activist” mainly in countries like Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

Now even if you’re not within that circumscribed range of victims, the fact remains that every computers can be compromised. But there are ways to circumvent the risks – you can never eliminate such risks but you can always minimize the impacts.

As I have pointed out in my public lectures, there are some simple tricks to protect your data (and your life if you’re an entrepreneur because your data is everything to your livelihood) even if you’re not an IT geek. One good practice is to never store a single file or doc, apart from the software and operating system, on your computer hard disk. And I’m not suggesting using the cloud given the well publicized risks. I meant storing your files on an external encrypted hard disk.

And together with several other simple tricks that I’ve shared publicly (for example, consider how you connect your devices online, when you should connect/disconnect the external hard drives to the computer…), there are indeed ways to protect your computers and data.

Snowden-ACLUDavisLevin2stAmndConf4

Shhh… Snowden at the ALCU Hawaii’s Davis Levin First Amendment Conference

Here’s the video clip of Edward Snowden’s latest public appearance (via video conference) on 14 February 2015 at the The Davis Levin First Amendment Conference, to a sold-out audience at the Hawaii Convention Center in Honolulu.

Previous speakers at this event include Daniel Ellsberg, Kenneth Starr, US Supreme Court Justice Antonin Scalia, Ralph Reed, Nadine Strossen and Jay Sekulow.

TimCook-Obama-CybersecuritySummit

Obama’s Still On the Wrong Frequency On Cybersecurity Issues

This is probably the most telling moment of how US President Barack Obama is still on the wrong frequency on cyber matters…

Obama blamed the “impact on their [the tech companies] bottom lines” for the mistrust between the government and Silicon Valley in the aftermath of the Snowden revelations. These were his words, straight from the POTUSA mouth rather than reading from the scripts, in an exclusive interview with Re/code’s Kara Swisher (see video below) following the well publicized cybersecurity summit at Stanford University last Friday, when he signed an executive order to encourage the private sector to share cybersecurity threat information with other companies and the US government.

Contrast that with the high-profile speech by Apple CEO Tim Cook (see video below), who warned about “life and death” and “dire consequences” in sacrificing the right to privacy as technology companies had a duty to protect their customers.

His speech was delivered before Obama’s address to the summit – which the White House organized to foster better cooperation and the sharing of private information with Silicon Valley – best remembered for the absence of leaders from tech giants like Google, Yahoo and Facebook who gave Obama the snub amid growing tensions between Silicon Valley and the Obama administration. Heavyweights whom Obama counted as “my friends” in the Re/code interview (watch closely his expression at the 39th second of the clip above).

Memex

Shhh… New Search Engine Memex to Reach the Other 95% of the Web (And Dark Web) that Google Missed

Popular search engines like Google, Yahoo and Bing can only access 5 percent of all the contents in the internet space. So that’s one good reason to be excited about the new breed search engine Memex, now at beta stage, developed by the US military’s Defense Advanced Research Projects Agency (DARPA) which is capable of ploughing through the entire web space including the Dark Web, that part (much of the other 95 percent) of the cyber ecosystem where criminals operate in the shadows to buy, sell and advertise their illegal trades such as weapons and sex trafficking.

Find out more about MEMEX from this exclusive 60 Minutes clip:

And more about the Dark Web:

quantumCommunications

Shhh… China to Boost Cyber-Security with the World’s First Quantum Communications Network – QC Satellite to Follow Next Year

Amid continuing Sino-US spats on cyber-espionage and related matters, China is beefing up its cyber and national security in a big way as it is reportedly just months away from launching the longest quantum communications network on earth stretching some 2,000 kilometer between its capital Beijing and financial center Shanghai to transfer data close to the speed of light with no hacking risks – initially to transmit sensitive diplomatic and classified information for the government and military with personal and financial data also on the cards for the near future.

And that’s ahead of the previously announced plan for 2016 to become the first country to launch a quantum communications satellite into the orbit.

Looks like Snowden was spot on again. In a post just a month ago, I wrote what he said about how the US (would and) is paying the price for focusing too much on the cyber offensive at the expense of cyber defense.

Meanwhile, following the recent cyber-attack on Sony Pictures, President Barack Obama’s homeland security and counter-terrorism adviser Lisa Monaco announced earlier this week a new intelligence unit – the Cyber Threat Intelligence Integration Center – to take the lead in tracking cyber-threats by pooling and disseminating data on cyber-breaches to other US agencies.

“Currently, no single government entity is responsible for producing coordinated cyber threat assessments,” according to Monaco.


China nears launch of hack-proof ‘quantum communications’ link

Published: Feb 9, 2015 11:13 p.m. ET

Technology to be employed for military and other official uses

BEIJING (Caixin Online) — This may be a quantum-leap year for an initiative that accelerates data transfers close to the speed of light with no hacking threats through so-called “quantum communications” technology.

Within months, China plans to open the world’s longest quantum-communications network, a 2,000-kilometer (1,240-mile) electronic highway linking government offices in the cities of Beijing and Shanghai.

Meanwhile, the country’s aerospace scientists are preparing a communications satellite for a 2016 launch that would be a first step toward building a quantum communications network in the sky. It’s hoped this and other satellites can be used to overcome technical hurdles, such as distance restrictions, facing land-based systems.

Physicists around the world have spent years working on quantum-communications technology. But if all goes as planned, China would be the first country to put a quantum-communications satellite in orbit, said Wang Jianyu, deputy director of the China Academy of Science’s (CAS) Shanghai branch.

At a recent conference on quantum science in Shanghai, Wang said scientists from CAS and other institutions have completed major research and development tasks for launching the satellite equipped with quantum-communications gear.

The satellite program’s likelihood for success was confirmed by China’s leading quantum-communications scientist, Pan Jianwei, a CAS academic who is also a professor of quantum physics at the University of Science and Technology of China (USTC) in Hefei, in the eastern province of Anhui. Pan said researchers reported significant progress on systems development after conducting experiments at a test center in Qinghai province, in the northwest

The satellite would be used to transmit encoded data through a method called quantum key distribution (QKD), which relies on cryptographic keys transmitted via light-pulse signals. QKD is said to be nearly impossible to hack, since any attempted eavesdropping would change the quantum states and thus could be quickly detected by data-flow monitors.

A satellite-based quantum-communications system could be used to build a secure information bridge between the nation’s capital and Urumqi, a city that’s the capital of the restive Xinjiang Uyghur Autonomous Region in the west, Pan said.

It’s likely the technology initially will be used to transmit sensitive diplomatic, government-policy and military information. Future applications could include secure transmissions of personal and financial data.

Plans call for China to put additional satellites into orbit after next year’s ground-breaking launch, Pan said, without divulging how many satellites might be deployed or when. He did say that China hopes to complete a QKD system linking Asia and Europe by 2020, and have a worldwide quantum-communications network in place by 2030.

Success stories

In 2009, China became the first country in the world to put quantum-communications technology to work outside of a laboratory.

In October of that year, a team of scientists led by Pan built a secure network for exchanging information among government officials during a military parade in Beijing celebrating the 60th anniversary of the People’s Republic. The demonstration underscored the research project’s key military application.

“China is completely capable of making full use of quantum communications in a regional war,” Pan said. “The direction of development in the future calls for using relay satellites to realize quantum communications and control that covers the entire army.”

The country is also working to configure the new technology for civilian use.

A pilot quantum-communications network that took 18 months to build was completed in February 2012 in Hefei. The network, which cost the city’s government 60 million yuan ($9.6 million), was designed by Pan’s team to link 40 telephones and 16 video cameras installed at city government agencies, military units, financial institutions and health-care offices.

A similar, civilian-focused network built by Pan’s team in Jinan, the provincial capital of the eastern province of Shandong, started operating in March 2014. It connects some 90 users, most of whom tap the network for general business and information.

In late 2012, Pan’s team installed a quantum-communications network that was used to securely connect the Beijing venue hosting a week-long meeting of the 18th National Congress of the Communist Party, with hotel rooms where delegates stayed, as well as the Zhongnanhai compound in Beijing where the nation’s top leaders live and work.

Next on the development agenda is opening the network linking Beijing and Shanghai. Pan is leading that project as well.

If all goes as planned, Pan said, existing networks in Hefei and Jinan would eventually be tied to the Beijing-Shanghai channel to provide secure communications connecting government and financial agencies in each of the four regions. The new network could be operating as early as 2016.

No room for hype

A quantum code expert said that so far, quantum-communications technology development efforts in China have basically focused on protecting national security. “How important it will be for the public and in everyday life are questions that remain unanswered,” said the expert.

To date, Pan said, technical barriers and the high cost of systems development have kept private capital out of what’s now almost exclusively a government initiative. Moreover, it’s still too early to tell whether the technology has any potential commercial value.

Pan has warned the public not to listen to investment come-ons that hype the money-making potential of quantum-communications businesses. At this stage of the game, he said, the focus is still on technological development, not commercial applications.

Nevertheless, since 2009, USTC has been building a commercial enterprise called Anhui Quantum Communication Technology Co. to produce equipment based on technology developed by Pan and his team. The company is China’s largest quantum-communications equipment supplier. Last September, it said it had started mass-producing quantum-cryptography equipment.

Anhui Quantum general manager Zhao Yong said the company’s clients include financial institutions and government agencies seeking to supplement, not replace, conventional communications systems. Their shared goal, he said, is to improve data security.

Once the technology has matured, said Wang Xiangbin, a physicist at Beijing’s Tsinghua University, its range of applications should be targeted to specific industries and regions because of its high barrier in technology and cost. Quantum communications is not a technology suitable for mass use via the Internet, for example, Wang told a group of scientists at a 2012 seminar.

Some experts say it’s wrong to assume that quantum communications is a flawlessly secure means of transmitting information. Another Tsinghua physics professor, Long Guilu, said quantum communication is only theoretically safe, since malfunctioning equipment or operational errors can open doors to risk.

Experimental systems built in 2007 by Chinese and U.S. physicists reportedly achieved secure QKD transmissions between two points more than 100 kilometers apart. But the experiment also taught scientists that data can be intercepted by a third party during a transmission.

In addressing the naysayers, Pan admitted that quantum communications is not perfect. But he defended it as safer than conventional means of communication. In fact, he said, no means of protecting data is more secure than quantum communications.

To test the capacity and safety of the network linking Beijing and Shanghai, Pan said his team plans to ask other communications experts to carefully study the system and look for potential security holes. The network could then be modified in ways that close any detected gaps and reduce hacking risks.

“Assessments and testing will be conducted after the network is completed,” said Pan, who remains convinced that any network using quantum cryptographic technology is more secure than any other communications channel.

Pan has been working on quantum-communications technology since the late 1990s, when he was a researcher at the University of Vienna and working in a partnership with Austrian physicist Anton Zeilinger. That team is credited with developing the first protocol for quantum communications.

Pan worked with Zeilinger about a decade after U.S. physicist Charles Bennett and colleagues at IBM Research built the world’s first functioning quantum cryptographic system. Based on their research, the first network was installed in the U.S. city of Boston.

Like their counterparts in China, researchers in the United States, Japan and European countries continue work to advance the technology. A key effort is aimed at extending that potential reach of quantum-communications systems, which for years were used only to span short distances.

Some experts have even wondered whether the new technology has been misidentified, since its key feature is high-level cryptography, not electronic communications.

“What we can do now is merely encrypt data, which is far from real quantum communications,” said one expert who declined to be named. “Theoretically it can’t be hacked, but in practice it has many limitations.”

Guo Guangcan, director of USTC’s quantum-communications lab, said networks now operating and those being built in China “achieve encryption only,” whereas true communications networks “involve content.”

“It’s not accurate to call it quantum communications,” said Guo.

Whatever it’s called, China appears determined to push ahead with the research and development that paves the way for a new era of secure communications. And according to Pan, that era is still at least a decade away.

“It will take 10 to 20 years to really put (the technology) into practice,” said Pan.

Rewritten by Han Wei

SamsungSmartTV

Shhh… Spy Alert: Your Smart TV Watches You – Just Like Your Computer

This is really nothing new but I’m posting it because similar “news” resurfaced again the past week.

Let’s not forget smart TV are essentially becoming more like computers. And yes, they can watch you and your loved ones discreetly without your knowledge.

If you’ve already bought one, the easy solution is to cover the webcam with a duct tape unless you need to use it.

Snowden-Falciani

Edward Snowden & Hervé Falciani Knew Each Other Before Their Respective Exposé?

As it so happened, everything started and ended in Geneva…

It was a cold morning in mid-December 2008. Hervé Falciani has just finished packing his favorite black Rimowa luggage and a small handy leather bag with his five precious CDs safely tucked to the bottom.

“Mate I’m getting ready to leave for Nice for a few days, to do you know what,” he wrote on his encrypted email.

“Good luck mate. That’s the spirit. Am actually planning to get myself out of Geneva and home for good shortly after the New Year. Keep those stuff safe,” the reply promptly appeared on the computer screen.

“Will do. Thanks so much for all the guidance. Take care!” Falciani penned off, half-wishing his pal Snowden was not serious about leaving Geneva.

Well, that was probably how John le Carré approached his next best-selling spy novel but this opening scene may not be too far from the truth.

Falciani was widely dubbed the Snowden of the banking world when the HSBC exposé stole global headlines early this week. According to his profile, the then-36-year-old dual French-Italian national joined the British banking giant HSBC in 2000, in Monaco where he grew up, and was transferred to HSBC Private Bank (Suisse) in Geneva, Switzerland in 2006.

That was the same year Edward Snowden joined the CIA and the now famous whistleblower behind the NSA revelations was posted to Geneva the following year under diplomatic cover, where he admitted having grown disillusioned with American spy craft. He left Geneva and the agency in 2009.

And as an undercover CIA operative based in Geneva, Snowden probably knew some bankers as The Guardian once reported:

He described as formative an incident in which he claimed CIA operatives were attempting to recruit a Swiss banker to obtain secret banking information. Snowden said they achieved this by purposely getting the banker drunk and encouraging him to drive home in his car. When the banker was arrested for drunk driving, the undercover agent seeking to befriend him offered to help, and a bond was formed that led to successful recruitment.

The possibility that Snowden and Falciani knew each other may be a novelist’s creation and a trivial even if it’s true. But nevertheless, it would open up many possibilities.

Consider, for example, both claimed to have reported to their superiors, who ignored their respective complaints and warnings. Both became whistleblowers and accused for their actions. The two IT experts stole and released troves of internal data to the media – Falciani, the systems specialist of the HSBC Private Bank in Geneva now under the global spotlights, reportedly met French tax investigators at a cafe in Nice airport before Christmas of 2008 and handed them five CDs worth of confidential data pertaining to some 130,000 clients and 300,000 private accounts from 200 countries – which eventually reached then Finance Minister of France Christine Lagarde, who subsequently shared it with other countries.

And the rest was history as we know today.

Snowden is scheduled to speak via video-conference this Friday to the International Students For Liberty Conference in downtown Washington, D.C. Would be interesting to hear what he has to say about the HSBC exposé and… his friend Falciani.

Google-Erased

The Flawed “Right To Be Forgotten” Ruling on Google Cannot and Should Not be Globalized

A eight-member panel experts tasked to review privacy issues relating to online search giant Google Inc. has rejected late last week attempts by EU privacy watchdogs to extend the “right to be forgotten” ruling beyond the 28-nation bloc – see Bloomberg report below.

The European Court of Justice issued a landmark ruling last May that anyone living in the European Union and Europeans living outside the region could ask search engines like Google to remove links if they believed the online contents breached their right to privacy and are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”

I have explained in my column last July that the ruling was Much Ado About Nothing as it amounted to everything but forgotten: what Google essentially did was to remove results from name search of those names approved to be deleted but only on its European websites. The same results remain on the Google US homepage and all its non-European sites. Furthermore, Google is only removing the results but not the links.

Thus no surprise there are now efforts to address these not-so-forgotten issues.

But as I have further pointed out then, the more devastating and often overlooked impact was how any “right to be forgotten” would be a much welcomed and God-sent convenience for “women with a past and men with no future”, essentially amounting to the “right to be defrauded” as it was also described recently by Jason Wright of Kroll.

In short, anyone in support and calling to extend the “right to be forgotten” ruling – including the Hong Kong Privacy Commissioner Allen Chiang who erroneously heralded it as a way to grant everyone a “second chance in life” – is not only pulling the plug on the free flow of information but also effectively facilitating the closing down of everyone’s right to information, which would derail the notion of free markets in this global economy if every individuals and entities could so conveniently erase their dirty laundries (like criminal convictions, litigation history, old debts and past bankruptcy records for starters) at the expense of their counter-parties who could no longer trace anything – especially if this ruling was blindly extended and embraced globally.

And I stress once again, the internet, originally designed to exchange raw data between researchers and scientists, has evolved into a self-contained, self-sustained and self-evolving ecosystem of records, communications, commerce, entertainment, etc. Any attempt to remove the contents, successful or otherwise, is like playing God.

Historians will mark the EU ruling as a (irreversible) seismic error. Extending it to a global scale will have no equals in the history of mankind.

Google Panel Opposes EU Data Watchdogs on Forgotten Case

by Stephanie Bodoni

(Bloomberg) — A panel of experts enlisted by Google Inc. to review privacy issues following a European Union court ruling backed the search giant’s bid to limit the “right to be forgotten” to websites within the 28-nation bloc.

The eight-member group, which includes Wikipedia co-founder Jimmy Wales, rejected a push by EU privacy watchdogs to extend search link removals to Google’s global site.

“Delistings applied to the European versions of search will, as a general rule, protect the rights of the data subject adequately in the current state of affairs and technology,” the group said in the 41-page report. “Removal from nationally directed versions of Google’s search services within the EU is the appropriate means to implement the ruling at this stage.”

A ruling by the EU Court of Justice last year created a right to be forgotten, allowing people to seek the deletion of links on search engines if the information was outdated or irrelevant. The ruling created a furor, with Mountain View, California-based Google appointing the panel to advise it on implementing the law.

The geographic scope of an EU court ruling that forced the company last year to remove some search links on request was a “difficult question that arose throughout” the panel’s meetings, the group said.

Today’s report puts the group at odds with the 28-nation EU’s data-protection regulators who last year urged the company to allow people to seek the deletion of links to some personal data on the company’s main U.S. website.

Sabine Leutheusser-Schnarrenberger, a former German justice minister and one of the panel’s member, said that she opposed the majority view of the group on the geographical scope of the EU court ruling.

EU Domains

Removal requests “must not be limited to EU domains,” she said in the report. “The Internet is global, the protection of the user’s rights must also be global. Any circumvention of these rights must be prevented.”

The Google advisory group last year visited seven European cities, from Rome to Berlin, listening to academics and public officials.

“It’s been valuable to hear a wide range of viewpoints in recent months across Europe and we’ll carefully consider this report,” David Drummond, Google’s top lawyer, said in an e-mailed statement. “We’re also looking closely at the guidance given by Europe’s data protection authorities as we continue to work on our compliance with” the EU court ruling.

The company has received 212,109 requests to remove 767,804 links from its website to date, according to its website.

Initial Split

The deletion of links beyond the 28-nation EU was one of two issues that created an initial split between Google and data-protection regulators. Regulators have complained that information blocked on EU websites shouldn’t be easily accessible by visiting Google in other countries by changing a few characters on the browser address line.

The company’s policy of notifying the media about deleted links to stories on their websites also sparked the ire of regulators. The report recommended that search engines “should notify the publishers to the extent allowed by law.”

“In complex cases, it may be appropriate for the search engine to notify the webmaster prior to reaching an actual delisting decision,” the panel said. “If feasible, it would have the effect of providing the search engine additional context about the information at issue and improve accuracy of delisting determinations.”

SourceCode3

Shhh… US in Long Battle As China Request Source Code From Western Technology Companies

This spat on intrusive rules is going to be a huge long battle.

The US is voicing opposition to Chinese rules that foreign vendors hand over the source code if they were to supply computer equipments to Chinese banks – which could expand to other sectors as the matter is “part of a wider review”.

Other measures to comply with include the setting up of research and development centers in China and building “ports” for Chinese officials to manage and monitor the data processed by their hardware.

Submitting to these “intrusive rules” for a slice of the huge Chinese markets also means alienating the rest of the world – as complying with these rules means creating backdoors, adopting Chinese encryption algorithms and disclosing sensitive intellectual property.

Find out more from this video:

Obama-XiJinping4

US-China Spat on Intrusive Rules – And Actual Intrusions

Speaking of “intrusive rules” (see BBC report far below) and “actual intrusions” in China, the latter I have expanded recently in two articles – one on Apple yesterday and the other on VPN blocks last week – and merged in this new column I’m also pasting right below.

The long and short of it, it’s espionage made easy. Period.


Apple Lets Down Its Asia Users

Written by Vanson Soo
MON,02 FEBRUARY 2015

Knuckling under to China on security inspections

If you are a die-hard fan of Apple products and if you, your company or business have anything to do with mainland China, recent developments involving the US tech giant can be construed as bad news, with deeper implications than what was generally thought and reported.

First, about Apple.

I have always liked the beauty and elegance of Apple products. I have owned two Mac laptops and an iPhone but I have shunned them as anyone deeply conscious and concerned about privacy and security should do. Edward Snowden, for example, who laid bare extensive snooping by the US National Security Agency, recently said he had never used the iPhone given the existence of secret surveillance spyware hidden in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices including iPhones, iPads and Mac computers. The move understandably makes business sense to Apple [and its shareholders] as China is just too huge a market to ignore – so the Cupertino-based company [whose market capitalization hit US$683 billion last week, more than double Microsoft’s US$338 billion] realized it simply couldn’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

What Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well documented that Apple users were [and probably still are] known for their cult-like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers.

The company has also denied working with any government agencies to create back doors into its products or servers… So surrendering to security audits wouldn’t?

If only Apple users managed to chuck away their cult mentality and come to their senses about their privacy and security risks, the firm would realize the Google approach, though still not perfect, is a better way of cultivating brand loyalty.

And in case you’re wondering, I use Linux most of the time – and shun the most popular Linux distributions to be on the safe side.a

Now next. And this is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News surfaced in late January that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

The real impact is not merely on domestic residents who were cut off from YouTube, BBC/CNN news and other information sources but resident expatriates, multinationals, foreign embassies and those traveling to China, especially businessmen and executives. Think: Chinese espionage now made easy!

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through it, which effectively shields internet traffic from government filters that have set criteria on what sites can be accessed.

And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

Obama-XiJinping5

29 January 2015 Last updated at 14:35

US tech firms ask China to postpone ‘intrusive’ rules

By Kevin Rawlinson BBC News

US business groups are seeking “urgent discussions” over new Chinese rules requiring foreign firms to hand over source code and other measures.

The groups wrote to senior government officials after the introduction of the cybersecurity regulations at the end of last year.

The US Chamber of Commerce and other groups called the rules “intrusive”.

The regulations initially apply to firms selling products to Chinese banks but are part of a wider review.

“An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice,” the letter read.

The groups said that the rules would force technology sellers to create backdoors for the Chinese government, adopt Chinese encryption algorithms and disclose sensitive intellectual property.

Firms planning to sell computer equipment to Chinese banks would also have to set up research and development centres in the country, get permits for workers servicing technology equipment and build “ports” which enable Chinese officials to manage and monitor data processed by their hardware, Reuters reported.

Source code is the usually tightly guarded series of commands that create programs. For most computing and networking equipment, it would have to be turned over to officials, according to the new regulations.

Tension

In the letter, a copy of which has been seen by the BBC, the groups have asked the Chinese government to delay implementation of the regulations and “grant an opportunity for discussion and dialogue for interested stakeholders with agencies responsible for the initiatives”.

They added: “The domestic purchasing and related requirements proposed recently for China’s banking sector… would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” the letter, which was dated 28 January, read.

The letter from the American groups, including the US Chamber of Commerce, AmCham China and 16 others, was addressed to the Central Leading Small Group for Cyberspace Affairs, which is led personally by Chinese President Xi Jinping.

It comes at a time of heightened tension between the USA and China over cybersecurity. In May last year, Beijing denounced US charges against Chinese army officers accused of economic cyber-espionage.

Pressure

It was also alleged that the US National Security Agency spied on Chinese firm Huawei, while the US Senate claimed that the Chinese government broke into the computers of airlines and military contractors.

American tech firms, such as Cisco and Microsoft, are facing increased pressure from Chinese authorities to accept rigorous security checks before their products can be purchased by China’s sprawling, state-run financial institutions.

Beijing has considered its reliance on foreign technology a national security weakness, particularly following former National Security Agency contractor Edward Snowden’s revelations that US spy agencies planted code in American-made software to snoop on overseas targets.

The cyber-space policy group approved a 22-page document in late 2014 that contained the heightened procurement rules for tech vendors, the New York Times reported on Thursday.

Apple-Shanghai3

From Apple With Love – Granting Chinese Security Audits Leaves More Deep & Profound Implications Than Betrayal of Apple Die-Hards

I always like the beauty and elegance of Apple products (I had 2 Mac laptops and 1 iPhone) but I have to admit I have already shunned them as anyone deeply conscious and concerned about privacy and security should do – Snowden, for example, recently said he never used the iPhone given the existence of secret surveillance spyware in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices like the iPhones, iPads and Mac computers. The move understandably makes business sense to Apple (and its shareholders) as China is just too huge a market to ignore – so the Cupertino-based company (whose market capitalization hit $683 billion last week, more than double Microsoft’s $338 billion) realized it simply can’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

And what Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well-documented Apple users were (and probably still are) well known for their “cult” like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers. The company has also denied working with any government agencies to create back doors into its products or servers… (So surrendering to security audits wouldn’t?)

If only Apple users somewhat managed to chuck away their cult mentality and come to their senses (about their privacy and security risks), the US tech giant would realize the Google approach (though still not the perfect example) is a better way to cultivating brand loyalty (see article below).

And in case you’re wondering, I use laptops with no parts made in China along with Linux most of the time – and shun the most popular Linux distributions to be on the safe side.


Apple’s New Security Concessions to Beijing

By Doug Young | January 27, 2015, 10:13 AM

Apple is deepening its uneasy embrace of Beijing security officials, with word that it has agreed to allow security audits for products that it sells in China. This latest development comes less than a year after Apple took the unusual step of moving some of the user information it collects to China-based servers, which was also aimed at placating security-conscious regulators in Beijing.

Apple’s increasingly close cooperation with Beijing contrasts sharply with Google, whose popular Internet products and services are increasingly being locked out of China as it refuses to play by Beijing’s rules. Other global tech giants are also having to deal with the delicate situation, each taking a slightly different approach to try to protect user privacy while complying with Beijing’s insistence that they make their information available to security-conscious government regulators.

As a relatively neutral observer, I can sympathize with both the Apples and Googles of the world. Companies like Apple have decided that China is simply too large for them to ignore, and thus are taking steps to address Beijing’s security concerns as a condition for access to the huge market. Microsoft has also taken a similar tack, and Facebook is showing it will also be willing to play by such rules with its recent repeated lobbying for a chance to set up a China-based service.

Google has taken a more defiant stance by refusing to compromise user privacy and free speech, with the result that a growing number of its products and services are now blocked in China. The company shuttered its China-based search website in 2010 over a dispute with Beijing on self censorship. Last year many of its global sites and even its Gmail email service also became increasingly difficult to access for users in China.

Apple isn’t being nearly so defiant, and the latest headlines say it has agreed to the audits of its products by the State Internet Information Office. The reports say Apple agreed to the audits when CEO Tim Cook met with State Internet Information Office official Lu Wei during a December trip to the U.S. I previously wrote about Lu’s trip after photos appeared on an official Chinese government website showing him visiting the offices of Facebook, Apple, and also Amazon.

Lu reportedly told Cook that China needs to be sure that Apple’s popular iPhones, iPads, and other products protect user privacy and also don’t compromise national security. Unlike other PC and cellphone makers that simply sell their devices to consumers, Apple actively keeps records of its product users and some of their usage habits and other related information on remote computers.

This latest move looks like an extension of another one last summer, which saw Apple agree to host some of the data from its China-based users on servers based inside the country. That move also looked aimed at calming national security worries from Beijing, since storing such information on China-based computers would make it more accessible to investigators conducting security-related probes.

In an interesting twist to the story, this latest report comes from a state-owned newspaper in Beijing, making it a sort of semi-official disclosure of China’s approach to the matter. That would follow the government’s own announcement of Lu Wei’s December trip, and perhaps shows that Beijing wants to be more open about steps it’s taking to address national security threats like terrorism. That kind of more open attitude could help both domestic and foreign companies to better navigate China’s tricky cyber realm, though it won’t be of much help to defiant companies like Google that are more intent on protecting free speech and user privacy.

Cryptoquip

Shhh… Why (Obama & Cameron) the NSA is Breaking Our Encryption and Why We Should Care

Here’s one nice TEDTalk on why encryption is important for everyone and why breaking or weakening it – British Prime Minister David Cameron and US President Barack Obama are now pushing for a ban on encryption – is not a good idea. To put it bluntly and briefly, it is shooting our own foot.

Encryption-LowTech

Shhh… Obama & Cameron: Here’s How Low-Tech Encrypted Communications Work – With Just a Pen & Paper – Which You Can’t Decrypt

Here’s a video on how to send an encrypted message in a very simple and low-tech way: with a pen and paper.

Beauty of this primitive but effective method is you would have burnt the “keys” and the authorities won’t be able to punch it out of you, even with water-boarding tactics.

But the one potential challenge is the pad of “cypher keys” (see video below) has to be shared securely in advance and used once at best. Alternative: have several of these pads and find a secure way to convey which pad to use for reference.

Wonder what British Prime Minister David Cameron and US President Barack Obama – who were keen to push for a total ban on encryption despite warnings of irreversible damages – have to say about this. The message to them: it’s impossible to ban encrypted communications.

KimDotcom-Megachat

Shhh… How to Register for Kim Dotcom’s End-to-End Encrypted Voice Calling Service “MegaChat”

If you’re amongst those wary of (eavesdropping with) Skype and Google Hangouts, this will be great news.

New Zealand-based internet entrepreneur Kim Dotcom, best known for his legendary Megaupload and Mega file sharing services, announced last week the launch of his new and highly anticipated encrypted communication software MegaChat for video calling, messaging and chat. Dubbed a “Skype Killer”, the New Zealand-based service is available in both free and paid version – see video below.

And this is going to be interesting. The Snowden revelations have revealed how Microsoft, which bought Skype, has handed the NSA access to encrypted messages.

Earlier this month, following the Paris attacks, British Prime Minister announced his push to ban encryption altogether and US President Barack Obama has openly voiced support despite warnings of irreversible damages.

Meantime, Kim Dotcom said encrypted video conferencing, email and text chat would also be available later. In any case, here’s a video on how to register and start using MegaChat.

VPN-China0

Shhh… China’s Block to VPN Services Has Global Impacts

This is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News has surfaced over the weekend that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through the designated pipe, which effectively shield internet traffic from government filters that have set criteria on what sites can be accessed.

Find out more about this news below – And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

VPN-China
VPN-China2
VPN-China3
VPN-China4

Snowden-iphone

Shhh… Snowden: iPhone has Secret Surveillance Spyware that Can Be Remotely Controlled

The NSA whistleblower Edward Snowden revealed last week that he doesn’t use an iPhone because the Apple device has a secret surveillance spyware controlled by the US intelligence agency.

Obama-Blackberry

Obama: Why is Your Blackberry Super-Encrypted & You Want to Ban the World from Using Encryption?

Let’s have a different take on Obama and his endorsement (of Cameron’s drive) to kill encryption.

Obama is not allowed to use an iPhone because it’s “not safe”, the NSA advised him – Edward Snowden has recently said the iPhone was made to remotely track and transmit data about users.

Obama uses a Blackberry because of its reputation for security. But it’s still not safe enough, so his device was further encrypted though experts warned it’s still no absolute guarantee.

So Mr. President, you understand very well the value of encryption and privacy. And you want to ban encryption in the name of national security when you knew very well the terrorists you’re after are very apt at finding alternatives (remember Osama bin Laden?), including using primitive channels like typewriters, paper and pen, etc?

And at the same time, you’re crippling the entire world – companies, individuals and government (what did Merkel tell you?) – with the floodgates thrown open to cyber-criminals and hackers?

Reckon you can see that the equation doesn’t add up?

BlackberryJohnChen

Shhh… Blackberry to Cameron & Obama: Encryption Ban a Gift to Hackers & Cyber-Criminals

Blackberry’s CEO John Chen in his latest blog post “Encryption Needn’t Be An Either/Or Choice Between Privacy and National Security” responded to the recent push by British Prime Minister David Cameron – endorsed by US President Barack Obama last week – to ban encrypted communications in the name of national security:

Encryption Needn’t Be An Either/Or Choice Between Privacy and National Security

In the wake of the Paris terror attacks earlier this month, U.K. Prime Minister David Cameron proposed banning encrypted communications services such as those offered by Apple, Facebook and others. President Obama partially endorsed Prime Minister Cameron’s proposal a few days later, indicating he would support banning encrypted communications services that cannot be intercepted by law enforcement and national security agencies. While there is no publicly-available evidence that encrypted communications played any role in the Paris attacks, security officials say their ability to prevent future attacks will be hindered if terrorists are able to evade surveillance using encrypted communications and messaging services.

Privacy advocates have harshly criticized the Cameron-Obama proposals, arguing that encryption is a vital tool for protecting sensitive government, corporate and personal data from hacking and other forms of cyber theft. Following the recent spate of hacking attacks against Sony, Target, Home Depot, certain celebrity users of popular but hackable smartphones, and others, these advocates argue we need more, not less encryption. Further, they argue that banning encryption will not necessarily make it easier for security agencies to surveil terror plotters; after all, the terrorists will know they are being overheard and will simply communicate in new and ever-changing forms of coded language.

Reconciling these opposing perspectives on encryption requires a reasoned approach that balances legitimate national security concerns with legitimate cyber security concerns.

Privacy is Everyone’s Concern

Our dependence on computing devices for transmitting and storing sensitive personal information has become irreversible. Billions of items of personal information including health records, bank account records, social security numbers and private photographs reside on millions of computers and in the cloud. This information is transmitted via the internet every day. The same is true for highly confidential and proprietary business information. And of course no government or law enforcement agency could function without maintaining high levels of information security.

With so much information residing on computer networks and flowing through the internet, cyber security has emerged as one of society’s uppermost concerns. Protecting private and sensitive information from hacking, intrusion and exfiltration now commands the attention not just of computer professionals, but also heads of state, CEOs, Boards of Directors, small business owners, and every individual using a computer or smartphone, and even those who never use a computing device.

Modern forms of encrypting voice and data traffic provide the best protection for highly valuable and private personal, business and government information. Rendering data unreadable to the intruder greatly diminishes the incentive to hack or steal. Banning encryption, therefore, would dramatically increase the exposure of all such information to hacking and cyber theft. Clearly that is not a viable option.

Call of Duty

On the other hand, the same encryption technology that enables protection of sensitive data can also be abused by criminals and terrorists to evade legitimate government efforts to track their data and communications. Companies offering encrypted communications thus have a duty to comply with lawful requests to provide information to security agencies monitoring would-be terrorists. Companies like BlackBerry: We’ve supported FIPS 140-2 validated encryption in all of our devices for the past 10 years – longer than many of our competitors have been selling smartphones.

Depending on the particular technology involved, that information requested by law enforcement agencies might include the content of encrypted messages, but it may include other vital data such as user information, the dates and times the subscriber contacted other users, the length of such communications, the location of the user, and so forth. In many instances non-content user information can be even more important than the actual content itself, because such metadata can provide crucial leads and other vital intelligence to law enforcement and security agencies.

Let’s be clear: I am not advocating sharing data with governments for their ongoing data collection programs without a court order, subpoena or other lawful request. However, telecommunications companies, Internet Service Providers, and other players in the modern communications and messaging ecosystem need to take seriously their responsibility to comply and to facilitate compliance with reasonable and lawful requests for such information. Unfortunately, not all players in the industry view this issue the same way. Some Silicon Valley companies have publicly opposed government efforts to enable lawful surveillance and data gathering, even where lives may hang in the balance. These companies appear to be trying to position themselves as staunchly “pro-privacy,” without according sufficient weight to legitimate and reasonable governmental efforts to monitor and track would-be terrorists. Far from protecting privacy rights, this irresponsible approach risks providing ever stronger arguments to those who would subjugate all cyber privacy concerns to national security.

The answer, therefore, is not to ban encryption, because doing so would give hackers and cyber-criminals a windfall, making it much easier for them to mine billions of items of sensitive personal, business and government data. Instead, telecommunications and internet companies should cooperate with the reasonable and lawful efforts of governments to fight terrorism. That way we can help protect both privacy and lives.

ObamaCameron

Shhh… Obama to Support Cameron on Encryption Ban – Knowingly Betray Our Privacy and Security

US President Obama has openly voiced support to British Prime Minister’s idea about banning encryption but as The Guardian report (below) last week on a secret US cybersecurity document in 2009 showed, they are very well aware their decision would leave the entire world highly vulnerable to cyber attacks at the expense of their interest in national security and terrorism matters.


Secret US cybersecurity report: encryption vital to protect private data


Newly uncovered Snowden document contrasts with British PM’s vow to crack down on encrypted messaging after Paris attacks

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

The advice, in a newly uncovered five-year forecast written in 2009, contrasts with the pledge made by David Cameron this week to crack down on encryption use by technology companies.

In the wake of the Paris terror attacks, the prime minister said there should be no “safe spaces for terrorists to communicate” or that British authorites could not access.

Cameron, who landed in the US on Thursday night, is expected to urge Barack Obama to apply more pressure to tech giants, such as Apple, Google and Facebook, which have been expanding encrypted messaging for their millions of users since the revelations of mass NSA surveillance by the whistleblower Edward Snowden.

Cameron said the companies “need to work with us. They need also to demonstrate, which they do, that they have a social responsibility to fight the battle against terrorism. We shouldn’t allow safe spaces for terrorists to communicate. That’s a huge challenge but that’s certainly the right principle”.

But the document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

Part of the cache given to the Guardian by Snowden was published in 2009 and gives a five-year forecast on the “global cyber threat to the US information infrastructure”. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency’s staff through its intranet.

One of the biggest issues in protecting businesses and citizens from espionage, sabotage and crime – hacking attacks are estimated to cost the global economy up to $400bn a year – was a clear imbalance between the development of offensive versus defensive capabilities, “due to the slower than expected adoption … of encryption and other technologies”, it said.

An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA.

The report warned: “Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems.”

It further noted that the “scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries”.

The primary adversaries included Russia, whose “robust” operations teams had “proven access and tradecraft”, it said. By 2009, China was “the most active foreign sponsor of computer network intrusion activity discovered against US networks”, but lacked the sophistication or range of capabilities of Russia. “Cyber criminals” were another of the major threats, having “capabilities significantly beyond those of all but a few nation states”.

The report had some cause for optimism, especially in the light of Google and other US tech giants having in the months prior greatly increased their use of encryption efforts. “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions,” it concluded.

Official UK government security advice still recommends encryption among a range of other tools for effective network and information defence. However, end-to-end encryption – which means only the two people communicating with each other, and not the company carrying the message, can decode it – is problematic for intelligence agencies as it makes even warranted collection much more difficult.

The latest versions of Apple and Google’s mobile operating systems are encrypted by default, while other popular messaging services, such as WhatsApp and Snapchat, also use encryption. This has prompted calls for action against such strong encryption from ministers and officials. Speaking on Monday, Cameron asked: “In our country, do we want to allow a means of communication between people which we cannot read?”

The previous week, a day after the attack on the Charlie Hebdo office in Paris, the MI5 chief, Andrew Parker, called for new powers and warned that new technologies were making it harder to track extremists.

In November, the head of GCHQ, Robert Hannigan, said US social media giants had become the “networks of choice” for terrorists. Chris Soghoian, principal senior policy analyst at the American Civil Liberties Union, said attempts by the British government to force US companies to weaken encryption faced many hurdles.

“The trouble is these services are already being used by hundreds of millions of people. I guess you could try to force tech companies to be less secure but then they would be less secure against attacks for anyone,” he said.

GCHQ and the NSA are responsible for cybersecurity in the UK and US respectively. This includes working with technology companies to audit software and hardware for use by governments and critical infrastructure sectors.

Such audits uncover numerous vulnerabilities which are then shared privately with technology companies to fix issues that could otherwise have caused serious damage to users and networks. However, both agencies also have intelligence-gathering responsibilities under which they exploit vulnerabilities in technology to monitor targets. As a result of these dual missions, they are faced with weighing up whether to exploit or fix a vulnerability when a product is used both by targets and innocent users.

The Guardian, New York Times and ProPublica have previously reported the intelligence agencies’ broad efforts to undermine encryption and exploit rather than reveal vulnerabilities. This prompted Obama’s NSA review panel to warn that the agency’s conflicting missions caused problems, and so recommend that its cyber-security responsibilities be removed to prevent future issues.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”. It is unclear why such a document was posted to the agency’s intranet, which is available to all agency staff, NSA workers, and even outside contractors.

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Security experts regularly say that keeping software up to date and being aware of vulnerabilities is vital for businesses to protect themselves and their customers from being hacked. Failing to fix vulnerabilities leaves open the risk that other governments or criminal hackers will find the same security gaps and exploit them to damage systems or steal data, raising questions about whether GCHQ and the NSA neglected their duty to protect internet systems in their quest for more intelligence.

A GCHQ spokesman said: “It is long-standing policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the parliamentary intelligence and security committee.“All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European convention on human rights.”

Michael Beckerman, president and CEO of the Internet Association, a lobby group that represents Facebook, Google, Reddit, Twitter, Yahoo and other tech companies, said: “Just as governments have a duty to protect to the public from threats, internet services have a duty to our users to ensure the security and privacy of their data. That’s why internet services have been increasing encryption security.”

MarkCuban

Shhh… Mark Cuban on Social Media Mistakes and Self-Destruct Messaging Apps Cyber Dust

Rather than hearing from the geeks, it may be refreshing to listen the same from Mark Cuban, Shark Tank host and owner of NBA team Dallas Mavericks: