Category: Security

Security is immunity from the will of others.

Ubiquitous surveillance

We now live in a world where it is highly likely that various web companies, your government, and your internet service provider are tracking your web browsing. Where facial recognition software identifies you at borders, airports, and subway stations. Where your DNA may be sampled if you are arrested. Where new face tracking software gets used with old photo archives and video camera footage. Where data on what you buy and how you repay your debts is sold between companies. Where cameras track your automobile license plate to build up a database of your movements. Where drones may watch you from the sky. Where computers transcribe your speech and handwriting into searchable text. Where you can be identified at a distance by the cards in your wallet. Where your emails, phone calls, and text messages are scanned for keywords, archived forever, and used to build up webs of your known associates. Where governments and private organizations use data mining techniques against you. Where your cell phone can easily be turned into a bug that passes on what you say and type, as well as where you are. Where your Google searches may be used as evidence against you. Where anyone can listen to your cell phone calls. Where the metadata in the photos and videos you make identifies you. Where the DNA of your family members may be used to incriminate you. Where anyone on your wireless network can archive and access all your web traffic, as well as steal website sessions. Where no encryption software you can acquire does much good. Where insecure means of communication are marketed as secure. Where archives containing your sensitive personal data can be broken into (or bought) by those who wish to cause you trouble. And where anything ill-considered you did as a teenager may re-emerge to cause embarrassment or worse decades later.

The appropriate responses to this are not clear. You can simply accept that your life is an open book that anyone who cares to can pretty easily read from. You can opt out of some services (like Facebook) and employ some available countermeasures. You can move to the remote countryside and become a technology-shunning subsistence farmer (which is not to imply that all farmers shun technology, nor manage only to subsist). You can try to drive legislative, regulatory, and technological changes that address some of the issues above. What else can you do?

Kim Jong-un and North Korea’s criminality

Sheena Chestnut – a friend and former Oxford classmate – recently had an article published in the Sunday Review section of The New York Times: A North Korean Corleone.

She has written some very interesting things about the illicit dabbling of the North Korean regime, including in terms of nuclear weapons proliferation.

Twitter grabbing address books from phones

Here’s an example of what I mean about the internet creating all sorts of new security vulnerabilities. Twitter has recently confessed to grabbing entire address books from the smartphones of people using the service.

As well as being a violation of privacy, this is a practice that could seriously endanger people. Consider all those brave protestors in Egypt and other Middle Eastern countries, using Twitter to help organize a pro-democracy movement. If Twitter is grabbing their address books, it is assembling a perfect tool for the intelligence services of governments to round up everyone involved in protests. The same is true for people pressing for democracy in China, or doing anything else that is laudable but unpopular with the people in charge.

Technology companies need to recognize that there will be people who want to use their records and capabilities for nefarious purposes, and they need to design their technology and procedures to protect against such attacks and reduce how serious they are when they take place.

The companies that make operating systems for smartphones should also assume that applications can be ineptly designed or malicious, and should work to protect the data on the phone from potential eavesdroppers.

Ending drug prohibition

Earlier, I wrote about whether the phrase ‘greenhouse gas pollution’ is accurate, and whether it might be useful for building political will to do something about climate change. The phrase is accurate – CO2 is an unwanted by-product of various processes and it does harm to people all over the world – and it may be a useful way to remind people that ‘greenhouse gas emissions’ are a real problem that needs to be dealt with. It calls to mind phrases like “make the polluter pay [for the cost of cleaning up pollution]”.

I wonder whether a similar change in language might be helpful for opposing unreasonable drug laws. Mention ‘marijuana legalization’ and the eyes of the people around you will glaze over. They have heard the debate, they have their view, and they probably don’t care about it too strongly one way or the other.

Maybe we can do better by saying things like: “End marijauana prohibition” or “End the prohibition of drugs”.

People remember the prohibition of alcohol, the way it failed, and the problems it caused. It enriched organized crime and pushed alcohol use underground. It led to inferior and dangerous kinds of alcohol being sold. It cost tax revenues, crowded the prisons, and so on. All this is true of drug criminalization today. Most of the problems associated with drugs only exist because they are illegal, or are made much worse because they are illegal. Drug prohibition turns the drug trade into a violent, dangerous business and it turns ordinary people who use substances that are often more benign than alcohol or tobacco into criminals.

Al Capone was the natural consequence of alcohol prohibition. His successors created by the drug war may be less famous – and they may kill more people in Mexico than in Chicago – but their business has arisen for exactly the same reason, and operates according to the same logic. Stratfor describes what has been happening recently in Mexico as “a stalemate” “between the Sinaloa Federation, Los Zetas and the government” and argue that it has produced 50,000 deaths. That is more than 16 times the number of people killed in the terrorist attacks of September 11th, 2001. It’s about 6% of the number of deaths associated with the 1994 Rwandan genocide.

Ending drug prohibition just makes sense. It is both unethical and ineffective for governments to try to control what consenting adults do with their bodies. Their efforts to assert that control are doing demonstrable harm. Perhaps by speaking about the situation in terms of ‘ending prohibition’ rather than ‘legalizing’ this or that, the political debate can be moved forward just a little.

Internet surveillance in Canada

The Conservative government is proposing a new law that would require internet service providers to monitor and record what Canadians do online, and to provide that information to the authorities without a warrant.

As well as being an obvious violation of the Charter of Rights and Freedoms (§8 “Everyone has the right to be secure against unreasonable search or seizure.”), I think this is an example of thinking badly about security. Obviously, having the government monitor everything that happens online could prevent some bad things from happening. At the same time, it is virtually certain that the capability would be abused or that security breaches will allow it to be hijacked by those with nefarious purposes. The abuse could happen at the governmental level – say, with discreet inquiries being made into the private correspondence of members of competing political parties. It could be done within the police and intelligence services – say, a jilted ex tracking the emails of their former partner. It could be done within internet service providers – say, some low-paid tech at Bell or Telus deciding to earn a bit of extra cash by blackmailing customers.

The archives of internet use would be an irresistible target for malefactors of every type, from nosy bosses and spouses to spammers and rogue political operatives. Maintaining and trying to secure these archives would also be a major burden for internet service providers. Instead of being in the business of helping their clients communicate, they will be forced into the business of keeping tabs on their clients on behalf of the government.

The security risks created by internet surveillance are greater than the risks that it might help reduce. Furthermore, allowing the creation of internet surveillance systems violates the Charter-protected rights of Canadians. What Canadians do online is their private business. It is not something that governments have the right to monitor, just because doing so will occasionally allow them to catch people committing crimes. Hopefully, this proposal will never become law.

The TOR browser bundle

The TOR browser bundle seems like a reasonably effective and very easy-to-use means of circumventing web censorship and surveillance.

The speed of web browsing falls significantly when data is routed through the TOR network, but tools like this are increasingly essential as governments undertake more and more inappropriate meddling with the free flow of ideas online.

There are versions for various operating systems. I have tried both the Windows and Mac OS installs and they are both easy to use and at least a bit effective in avoiding tracking and censorship. Remember, however, that TOR is useless if someone is tracking all your web traffic at your point of connection to the internet, for instance by reading all the traffic through your broadband connection or cell phone. If you are worried about that, use public networks along with TOR, or set up an encrypted connection to a proxy or virtual private network and then run TOR from there.

Remember, all security bets are of if an attacker gets malware on your machine or gains physical access to it.

The second rule of the internet

Back in 2010, I described what I called the ‘first rule of the internet‘:

Against a sophisticated attacker, nothing connected to the internet is secure.

To this, I feel like I should add a second item:

Everything is internet now.

While there were once large numbers of electronic systems entirely disconnected from the internet, nowadays virtually everything is either connected to the internet constantly or occasionally connected to a device that is online. Your cell phone is probably always accessible to a sophisticated attacker using the internet, and the same is probably true for landlines using VoIP. Many of your computers are probably constantly connected to wireless networks (themselves targets for attack) and exposed to the wider internet through your broadband connection at all times.

Web integration with computers has reached the point that Google’s Chrome browser now treats ‘search’ and ‘GMail’ as apps within the Chrome environment.

The implication of combining the first and second rules is pretty plain. If you manage to attract the attention of a sophisticated attacker, they can probably get into the contents of your cell phone and your GMail account, as well as the hard drive of your PC and laptop, the ubiquitous webcams now built into computers, and so on. There is also a good chance they can take over your email, websites, Twitter accounts, and the like and use them for their own purposes.

Advice to supervillains – killing your own scientists

One classic mistake made by cartoon supervillains concerns the complicated piece of machinery that is inevitably at the heart of their secret plan. It might be a time travel device of some sort, or a machine that strips the opposing superhero of their power, or a key part of a world domination scheme.

As a way of illustrating just how evil and ruthless they really are, supervillains will often kill the whole team of scientists who built the thing, perhaps by having them all drink poisoned champagne. This does make a certain measure of sense. Killing the scientists keeps them from going off and telling people about what they did, which could cause problems for you.

That being said, I strongly object to the timing that is frequently used for these killings. The supervillain will kill off the science team right before testing the device for the first time. As anyone who has worked on anything remotely technical and complex can tell you, this is the worst possible time to kill off all the people involved. Chances are, the machine will not work properly on the first try and that the only people who can figure out what went wrong are the people who designed and built the machine.

By all means, kill the science team once you are confident that you have a machine that will do what you want. Build it, test it, build an improved model, build a backup copy or two, and then hand out the glasses of killer champagne.

Tagging explosives

On a television show I was watching, they mentioned that C-4 explosive is tagged in a way that aids the tracing of its origin if it is used in an illicit way like in a terrorist attack.

Possible method of tagging

I have no idea if that is true, but an idea did occur to me about how it could be done if an organization wanted to. What you need is a collection of chemicals that are stable – that can survive an explosion – and which are rare and can be detected individually. Say you have a set of six such chemicals: A, B, C, D, E, and F.

Each is essentially one bit of data: a zero if absent in the explosive in question and a one if it is present. With six bits of data, you could then label 64 different batches with a unique combination of those chemicals. They would range from 000000 to 111111.

As the number of chemicals used increases, the number of distinct batches you can tag increases rapidly, according to the formula 2x, where x is the number of different chemicals used.

After undetonated explosives or an explosion is found, tests could be administered to detect the presence or absence of the marker chemicals. Based on the combination of chemicals present, the marker could be read.

Uses of tagging

If you had a couple of dozen distinct chemicals, you could label a huge number of distinct batches. You could have factories making the stuff identify whether it was sold for civilian use or military use, where it was to be initially sold, etc. You would then have a forensic ability to trace back the explosive to the point of manufacture and maybe identify who was the final user.

This could be especially useful if you suspect a legitimate customer is illicitly trafficking in explosives. Say you suspect a mining company of providing explosives to paramilitary groups, or you suspect an allied country of providing explosives to armed rebels in another country. You could make sure to provide the suspect entity with a specially tagged batch, and then you could take samples at sites of suspected use and look for the markers.

Of course, you could also get caught in the act yourself if you got careless. Someone could work out your marker system for themselves or buy information about it from someone who knows. Then, they might be able to find cases where you were redistributing explosives yourselves through illicit channels.

Also, there will always be some homemade explosives like triacetone triperoxide (TATP) that groups will have access to, but denying them the ability to make covert use of explosives manufactured for legal military purposes or commercial use could nonetheless be valuable.

Inside Canadian Intelligence

Edited by Dwight Hamilton, Inside Canadian Intelligence: Exposing the New Realities of Espionage and International Terrorism is an interesting read, though I would say that there are some important counterarguments to the main ideological positions adopted by the various authors.

The book describes Canada’s various present and historical intelligence services, including the intelligence branch of the Royal Canadian Mounted Police (RCMP), the Canadian Security and Intelligence Service (CSIS), the Communications Security Establishment (CSE), military intelligence, and others. There are chapters on counterintelligence, on the Air India attack and subsequent investigations, on special forces (including JTF-2), and on various other topics connected to matters of Canadian security and intelligence. For those wanting to get a better understanding of the history and present operations of these organizations, it is probably a worthwhile read. There is also some interesting information on technical capabilities and techniques, such as some information on the RADAR and infrared data fed into NORAD, how internal government security screenings are conducted, automated facial recognition, how some information from human sources is validated, and voice recognition in mass surveillance of telecommunication.

Most books written by people closely linked to intelligence organizations have a tendency to represent the officers of those organizations as heroes who can do no wrong, opposed by inhuman monsters, and hampered by meddling politicians and judges (for example). What this ignores is the dangers posed to the general public by intelligence services themselves, as well as the willingness they sometimes demonstrate to protect their own interests at the expense of the general public. Oversight may occasionally prevent good things from being done, but it surely prevents abuses as well.

Another assumption I question is that it is appropriate to categorize counterterrorism efforts as a ‘war’. First, I don’t think that is accurate. Terrorism is a tactic, not an entity that can be defeated. Secondly, I think it causes problems when we describe the fight against terrorism as a war. It justifies a lack of oversight, and can be used to justify human rights violations. It also creates the misleading impression that the ‘War on Terror’ could end. In reality, as long as there are people willing to use violence for political purposes, there will be terrorism. It can no more be ended than tax evasion or petty crime.

Above all, what this book lacks is a sense of perspective. Terrorism really isn’t such a huge problem. It kills far fewer people than chronic or infectious diseases, war, or accidents. It’s a mistake to turn our society upside down or spend an excessive amount of money trying to stop people from using certain violent tactics. We need to remain aware of the importance of other priorities, as well as the ways in which ‘being at war’ corrodes the integrity of democratic states. One example of such corrosion is the dangerous tendency of states to spy on everybody, in hopes of catching the few people who may be up to no good. Because it is so powerful, and has so many abilities to hide its mistakes and abuses, the state is far more dangerous than any terrorist cell, and it is critical to human freedom that the power of states be kept in check.

By all means, we should be grateful for the good work done by the security services, but we must also recognize the danger that they will go too far and become violators of rights, as well as the much greater importance of other governmental undertakings. Dealing with cancer and providing a better education for children are far more important to the welfare of Canadians than stopping terrorist attacks. It’s a shame that we are continuing to spend billions on the latter, while government is cutting back on virtually everything else.