Category: Security

Security is immunity from the will of others.

Software defined radio

Software defined radio (SDR) is one of the things I am most curious about. There is just so much data being exchanged via radio these days. It’s strange to think about the constant complex pattern of broadcasting happening all around us.

This video gives a bit of a taste of what is happening in one part of the world and across a fairly narrow range of frequencies:

It’s pretty cool that he is able to identify and analyze Chinese over-the-horizon RADAR. It shows some of the possibilities SDR opens up for hobbyists.

Much of the hardware required to seriously experiment with SDR is expensive. Interestingly, though, someone has figured out how to do the job for the 64-1700MHz frequency band using an $11 digital TV tuner chip.

You could do some very cool stuff with this: set up your own infrastructure independent computer networks, explore what sort of communication is happening around you, conduct intrusion detection (looking for interception devices broadcasting), and experiment with the security of your hardware, such as the Bluetooth chips in your phone and laptop.

Secrets

You would think that people would be excessively defensive when it comes to their most personal secrets and – while that is often the case – there are also a surprising number of occasions in which people seem eager to share them with relative strangers.

Telling a secret is cathartic, and I suspect that explains a good part of this strange eagerness to disclose. If there is something that you feel you need to keep private, it must be connected with some topic of anxiety for you. Whenever you are reminded of the secret you are keeping, you are reminded of the anxiety or shame or doubt that is the motivation for the secrecy. Telling a secret is thus a form of psychological unburdoning. This may explain why psychiatrists have such a lucrative trade, or why websites like PostSecret do not lack for material.

While sharing a secret can certainly provide a strange combination of thrill and relief, it doesn’t follow that this unburdoning is a good idea. You may feel an early sense of trust and connection with a person, but that doesn’t mean they won’t eventually use your secret in a way that harms of embarrasses you, whether by accident or by design.

The balance, then, is between trust and caution in a world that will not always treat you kindly.

Open thread: smartphone security

There are masses of important recent news stories on the topic of smartphone security. I have been filing them below posts like this one, this one, and this one, but they really deserve a spot of their own.

First news story: Micro Systemation makes software that allows people to bypass the 4-digit lock code on an iPhone in seconds. This could be important for people crossing borders, people who get arrested at political protests, etc.

Ubiquitous surveillance

We now live in a world where it is highly likely that various web companies, your government, and your internet service provider are tracking your web browsing. Where facial recognition software identifies you at borders, airports, and subway stations. Where your DNA may be sampled if you are arrested. Where new face tracking software gets used with old photo archives and video camera footage. Where data on what you buy and how you repay your debts is sold between companies. Where cameras track your automobile license plate to build up a database of your movements. Where drones may watch you from the sky. Where computers transcribe your speech and handwriting into searchable text. Where you can be identified at a distance by the cards in your wallet. Where your emails, phone calls, and text messages are scanned for keywords, archived forever, and used to build up webs of your known associates. Where governments and private organizations use data mining techniques against you. Where your cell phone can easily be turned into a bug that passes on what you say and type, as well as where you are. Where your Google searches may be used as evidence against you. Where anyone can listen to your cell phone calls. Where the metadata in the photos and videos you make identifies you. Where the DNA of your family members may be used to incriminate you. Where anyone on your wireless network can archive and access all your web traffic, as well as steal website sessions. Where no encryption software you can acquire does much good. Where insecure means of communication are marketed as secure. Where archives containing your sensitive personal data can be broken into (or bought) by those who wish to cause you trouble. And where anything ill-considered you did as a teenager may re-emerge to cause embarrassment or worse decades later.

The appropriate responses to this are not clear. You can simply accept that your life is an open book that anyone who cares to can pretty easily read from. You can opt out of some services (like Facebook) and employ some available countermeasures. You can move to the remote countryside and become a technology-shunning subsistence farmer (which is not to imply that all farmers shun technology, nor manage only to subsist). You can try to drive legislative, regulatory, and technological changes that address some of the issues above. What else can you do?

Kim Jong-un and North Korea’s criminality

Sheena Chestnut – a friend and former Oxford classmate – recently had an article published in the Sunday Review section of The New York Times: A North Korean Corleone.

She has written some very interesting things about the illicit dabbling of the North Korean regime, including in terms of nuclear weapons proliferation.

Twitter grabbing address books from phones

Here’s an example of what I mean about the internet creating all sorts of new security vulnerabilities. Twitter has recently confessed to grabbing entire address books from the smartphones of people using the service.

As well as being a violation of privacy, this is a practice that could seriously endanger people. Consider all those brave protestors in Egypt and other Middle Eastern countries, using Twitter to help organize a pro-democracy movement. If Twitter is grabbing their address books, it is assembling a perfect tool for the intelligence services of governments to round up everyone involved in protests. The same is true for people pressing for democracy in China, or doing anything else that is laudable but unpopular with the people in charge.

Technology companies need to recognize that there will be people who want to use their records and capabilities for nefarious purposes, and they need to design their technology and procedures to protect against such attacks and reduce how serious they are when they take place.

The companies that make operating systems for smartphones should also assume that applications can be ineptly designed or malicious, and should work to protect the data on the phone from potential eavesdroppers.

Ending drug prohibition

Earlier, I wrote about whether the phrase ‘greenhouse gas pollution’ is accurate, and whether it might be useful for building political will to do something about climate change. The phrase is accurate – CO2 is an unwanted by-product of various processes and it does harm to people all over the world – and it may be a useful way to remind people that ‘greenhouse gas emissions’ are a real problem that needs to be dealt with. It calls to mind phrases like “make the polluter pay [for the cost of cleaning up pollution]”.

I wonder whether a similar change in language might be helpful for opposing unreasonable drug laws. Mention ‘marijuana legalization’ and the eyes of the people around you will glaze over. They have heard the debate, they have their view, and they probably don’t care about it too strongly one way or the other.

Maybe we can do better by saying things like: “End marijauana prohibition” or “End the prohibition of drugs”.

People remember the prohibition of alcohol, the way it failed, and the problems it caused. It enriched organized crime and pushed alcohol use underground. It led to inferior and dangerous kinds of alcohol being sold. It cost tax revenues, crowded the prisons, and so on. All this is true of drug criminalization today. Most of the problems associated with drugs only exist because they are illegal, or are made much worse because they are illegal. Drug prohibition turns the drug trade into a violent, dangerous business and it turns ordinary people who use substances that are often more benign than alcohol or tobacco into criminals.

Al Capone was the natural consequence of alcohol prohibition. His successors created by the drug war may be less famous – and they may kill more people in Mexico than in Chicago – but their business has arisen for exactly the same reason, and operates according to the same logic. Stratfor describes what has been happening recently in Mexico as “a stalemate” “between the Sinaloa Federation, Los Zetas and the government” and argue that it has produced 50,000 deaths. That is more than 16 times the number of people killed in the terrorist attacks of September 11th, 2001. It’s about 6% of the number of deaths associated with the 1994 Rwandan genocide.

Ending drug prohibition just makes sense. It is both unethical and ineffective for governments to try to control what consenting adults do with their bodies. Their efforts to assert that control are doing demonstrable harm. Perhaps by speaking about the situation in terms of ‘ending prohibition’ rather than ‘legalizing’ this or that, the political debate can be moved forward just a little.

Internet surveillance in Canada

The Conservative government is proposing a new law that would require internet service providers to monitor and record what Canadians do online, and to provide that information to the authorities without a warrant.

As well as being an obvious violation of the Charter of Rights and Freedoms (§8 “Everyone has the right to be secure against unreasonable search or seizure.”), I think this is an example of thinking badly about security. Obviously, having the government monitor everything that happens online could prevent some bad things from happening. At the same time, it is virtually certain that the capability would be abused or that security breaches will allow it to be hijacked by those with nefarious purposes. The abuse could happen at the governmental level – say, with discreet inquiries being made into the private correspondence of members of competing political parties. It could be done within the police and intelligence services – say, a jilted ex tracking the emails of their former partner. It could be done within internet service providers – say, some low-paid tech at Bell or Telus deciding to earn a bit of extra cash by blackmailing customers.

The archives of internet use would be an irresistible target for malefactors of every type, from nosy bosses and spouses to spammers and rogue political operatives. Maintaining and trying to secure these archives would also be a major burden for internet service providers. Instead of being in the business of helping their clients communicate, they will be forced into the business of keeping tabs on their clients on behalf of the government.

The security risks created by internet surveillance are greater than the risks that it might help reduce. Furthermore, allowing the creation of internet surveillance systems violates the Charter-protected rights of Canadians. What Canadians do online is their private business. It is not something that governments have the right to monitor, just because doing so will occasionally allow them to catch people committing crimes. Hopefully, this proposal will never become law.

The TOR browser bundle

The TOR browser bundle seems like a reasonably effective and very easy-to-use means of circumventing web censorship and surveillance.

The speed of web browsing falls significantly when data is routed through the TOR network, but tools like this are increasingly essential as governments undertake more and more inappropriate meddling with the free flow of ideas online.

There are versions for various operating systems. I have tried both the Windows and Mac OS installs and they are both easy to use and at least a bit effective in avoiding tracking and censorship. Remember, however, that TOR is useless if someone is tracking all your web traffic at your point of connection to the internet, for instance by reading all the traffic through your broadband connection or cell phone. If you are worried about that, use public networks along with TOR, or set up an encrypted connection to a proxy or virtual private network and then run TOR from there.

Remember, all security bets are of if an attacker gets malware on your machine or gains physical access to it.

The second rule of the internet

Back in 2010, I described what I called the ‘first rule of the internet‘:

Against a sophisticated attacker, nothing connected to the internet is secure.

To this, I feel like I should add a second item:

Everything is internet now.

While there were once large numbers of electronic systems entirely disconnected from the internet, nowadays virtually everything is either connected to the internet constantly or occasionally connected to a device that is online. Your cell phone is probably always accessible to a sophisticated attacker using the internet, and the same is probably true for landlines using VoIP. Many of your computers are probably constantly connected to wireless networks (themselves targets for attack) and exposed to the wider internet through your broadband connection at all times.

Web integration with computers has reached the point that Google’s Chrome browser now treats ‘search’ and ‘GMail’ as apps within the Chrome environment.

The implication of combining the first and second rules is pretty plain. If you manage to attract the attention of a sophisticated attacker, they can probably get into the contents of your cell phone and your GMail account, as well as the hard drive of your PC and laptop, the ubiquitous webcams now built into computers, and so on. There is also a good chance they can take over your email, websites, Twitter accounts, and the like and use them for their own purposes.