Posts tagged: security
Latest from me at Wired:
Staying secure online is a pain. If you really want to protect yourself, you have to create unique passwords for every web service you use, turn on two-factor authentication at every site that supports it, and then encrypt all your files, e-mails, and instant messages.
At the very least, these are tedious tasks. But sometimes they’re worse than tedious. In 1999, researchers at Carnegie Mellon University found that most users couldn’t figure out how to sign and encrypt messages with PGP, the gold standard in e-mail encryption. In fact, many accidentally sent unencrypted messages that they thought were secured. And follow-up research in 2006 found that the situation hadn’t improved all that much.
As many internet users seek to improve their security in the wake of ex-government contractor Edward Snowden exposing the NSA’s online surveillance programs, these difficulties remain a huge issue. And it’s hard to understand why. Do we really have to sacrifice convenience for security? Is it that security software designers don’t think hard enough about making things easy to use—or is security just inherently a pain? It’s a bit of both, says Lorrie Cranor, an expert in both security and usability and the director of Carnegie Mellon’s CyLab Usable Privacy and Security Laboratory, or CUPS for short. “There isn’t a magic bullet for how to make security usable,” she says. “It’s very much an open research project.”
(I don’t care for that headline — there’s not really much evidence that this is necessarily going to change anytime soon)
My favorite things of the week were probably David Graeber’s essay on Thomas Picketty and why capitalism isn’t going to tame itself, and Thomas Frank’s interview with Graeber about bullshit jobs, the divide between anarchists and socialists on work ethic and why the working class resents middle class liberals.
But surveillance was, as it often is, the big theme of the week. For the one year anniversary of the publication of the first of Edward Snowden’s NSA leaks, superstar investor and Netscape co-founder Marc Andreessen told the world that he thinks Snowden is a traitor. Rusty Foster then told the world that he thinks Andreessen is a douchebag. But he also recognizes that there’s a douchebag living inside his own head:
When I see Marc Andreessen, what I’m really seeing is this liar in my soul. It knows I always had a leg up, it knows I went to private school, I never had to conform to anyone else’s schedule, I never had to work as hard as anyone else, I always skated by on a good vocabulary and a plausible excuse. It knows all this but it doesn’t care, because it still believes that I’m special anyway, innately, not just that I got to live life on the easy setting and that I happened to be dropping out of college right when the internet came along to support my lazy ass.
Perhaps also in recognition of the NSA leaks anniversary, Vodafone revealed that it has secret wires into its networks that allow intelligence agencies in various countries to tap right in and listen to and record conversations, or collect metadata.
Speaking of phone companies, telcos are astroturfing opposition to the idea of regulating them like utilities, even though they like being thought of as utilities when it benefits them.
And remember the Stratfor hack? It turns out it was orchestrated by Hector “Sabu” Monsegur while he was an FBI informant. So were a bunch of major hacks in Brazil. The FBI could have stopped all of this stuff from happening, but thought it would be better to give the hackers it was watching enough rope to hang themselves, damn the consequences.
Returning to Snowden for a moment: the dude has said that encryption still works. And PGP is probably the best way to encrypt your e-mail. So this week Google released the code for a Chrome plugin that should make it easier to use PGP in the browser, but Ella Saitta explained why that might not be a good thing. One of the reasons was paraphrased by L. Rhodes on Twitter: Google might end up doing to crypto what they did to RSS.
Also from me this week on things that might actually be bad, maybe dumping a bazillion new devices into the environment isn’t such a good idea. But if you must make an Internet of Things thing, maybe you should use Contiki.
This week I watched all six episodes of Nathan Barley for the first time. It’s sort of like Portlandia if Portlandia took place in Hackney and was actually funny.
My latest for Wired:
Private messaging apps like SnapChat and WhatsApp aren’t as private as you might think.
SnapChat settled with the Federal Trade Commission earlier this month over a complaint that its privacy claims were misleading, as reported by USA Today, and last week, the Electronic Frontier Foundation published a report listing the company as the least privacy-friendly tech outfit it reviewed, including Comcast, Facebook, and Google. Last year, WhatsApp faced privacy complaints from the Canadian and Dutch governments, and like Snapchat, its security has been an issue as well.
When you use messaging services like these, you’re depending on outside companies to properly encrypt your messages, store them safely, and protect them when the authorities come calling. And they may not be up to the task. The only way to ensure your messages are reasonably safe is to encrypt them yourself, using keys that no one has access to–including your messaging service provider. That way, even if hackers bust into your service provider or the authorities hit it with subpoenas, your messages are protected.
Unfortunately, this is easier said than done. Encryption tools are notoriously hard to use. But several projects are working to change this, building a more polished breed of encryption software that can serve the everyday consumer. A new open source project called Briar is part of this crowd, but it puts a fresh twist on the idea. It doesn’t just encrypt your messages. It lets you jettison your messaging service provider altogether. Your messages travel straight to the person you’re sending them to, without passing through a central server of any sort. It’s what’s known as a “peer-to-peer” tool.
This has a few advantages. You and your contacts keep complete control of your data, but you needn’t set up your own computer server in order to do so. Plus, you can send messages without even connecting to the internet. Using Briar, you can send messages over Bluetooth, a shared WiFi connection, or even a shared USB stick. That could be a big advantage for people in places where internet connections are unreliable, censored, or non-existent.
Briar is still in alpha and not ready for use for high-risk scenarios. If you’re looking for something immediately, OffTheRecord and TextSecure are worth considering, but of course nothing is perfectly secure.
The New York Times reports:
The accelerating rate of climate change poses a severe risk to national security and acts as a catalyst for global political conflict, a report published Tuesday by a leading government-funded military research organization concluded.
The CNA Corporation Military Advisory Board found that climate change-induced drought in the Middle East and Africa is leading to conflicts over food and water and escalating longstanding regional and ethnic tensions into violent clashes. The report also found that rising sea levels are putting people and food supplies in vulnerable coastal regions like eastern India, Bangladesh and the Mekong Delta in Vietnam at risk and could lead to a new wave of refugees.
In addition, the report predicted that an increase in catastrophic weather events around the world will create more demand for American troops, even as flooding and extreme weather events at home could damage naval ports and military bases.
Reminds me that Bruce Sterling wrote in 2009:
If I wanted to be politically effective, rather than visionary, I’d disguise myself as a right-wing Green, probably some kind of hunting-shooting NASCAR “conservationist,” and I’d infiltrate the Republicans this year. […]
So we publicly recognize the climate crisis: just as if we suddenly discovered it ourselves. And we don’t downplay the climate crisis: we OVERPLAY the crisis.
“Then we blame the crisis on foreigners. We’re not liberal weak sisters ‘negotiating Kyoto agreements.’ We’re assembling a Coalition of the Willing to threaten polluters.
“We’re certainly not bowing the knee to the damn Chinese — they own our Treasury, unfortunately, but we completely change the terms of that debate. When the Chinese open a coal mine and threaten the world’s children with asthma, we will take out that threat with a cruise missile!
That’s our new negotiating position on the climate crisis: we’re the military, macho hard line.
Apparently not a hoax, Foreign Policy reports:
Buried on the military’s secret computer network is an unclassified document, obtained by Foreign Policy, called “CONOP 8888.” It’s a zombie survival plan, a how-to guide for military planners trying to isolate the threat from a menu of the undead — from chicken zombies to vegetarian zombies and even “evil magic zombies” — and destroy them.
“This plan fulfills fictional contingency planning guidance tasking for U.S. Strategic Command to develop a comprehensive [plan] to undertake military operations to preserve ‘non-zombie’ humans from the threats posed by a zombie horde,” CONOP 8888’s plan summary reads. “Because zombies pose a threat to all non-zombie human life, [Strategic Command] will be prepared to preserve the sanctity of human life and conduct operations in support of any human population — including traditional adversaries.”
Navy Capt. Pamela Kunze, a spokeswoman for Strategic Command, acknowledged the document exists on a “secure Internet site” but took pains to explain that the zombie survival guide is only a creative endeavor for training purposes. “The document is identified as a training tool used in an in-house training exercise where students learn about the basic concepts of military plans and order development through a fictional training scenario,” she wrote in an email. “This document is not a U.S. Strategic Command plan.”
You can read the full document on Scribd.
Glenn Greenwald reports on more documents from Edward Snowden’s cache, this batch on how GCHQ uses online deception and other tactics to discredit hacktivists and possibly other political activists:
Among the core self-identified purposes of JTRIG are two tactics: (1) to inject all sorts of false material onto the internet in order to destroy the reputation of its targets; and (2) to use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable. To see how extremist these programs are, just consider the tactics they boast of using to achieve those ends: “false flag operations” (posting material to the internet and falsely attributing it to someone else), fake victim blog posts (pretending to be a victim of the individual whose reputation they want to destroy), and posting “negative information” on various forums. […]
Government plans to monitor and influence internet communications, and covertly infiltrate online communities in order to sow dissension and disseminate false information, have long been the source of speculation. Harvard Law Professor Cass Sunstein, a close Obama adviser and the White House’s former head of the Office of Information and Regulatory Affairs, wrote a controversial paper in 2008 proposing that the US government employ teams of covert agents and pseudo-“independent” advocates to “cognitively infiltrate” online groups and websites, as well as other activist groups.
Sunstein also proposed sending covert agents into “chat rooms, online social networks, or even real-space groups” which spread what he views as false and damaging “conspiracy theories” about the government. Ironically, the very same Sunstein was recently named by Obama to serve as a member of the NSA review panel created by the White House, one that – while disputing key NSA claims – proceeded to propose many cosmetic reforms to the agency’s powers (most of which were ignored by the President who appointed them).
What’s more, the GCHQ admit in one of the docs that this activity has nothing to do with terrorism or even national security.
Here’s the description of a talk that happened at Belfer Center for Science and International Affairs:
In today’s world, businesses are facing increasingly complex threats to infrastructure, finances, and information. The government is sometimes unable to share classified information about these threats. As a result, business leaders are creating their own intelligence capabilities within their companies.
This is not about time honored spying by businesses on each other, or niche security firms, but about a completely new use of intelligence by major companies to support their global operations.
The panelists examine the reasons for private sector intelligence: how companies organize to obtain it, and how the government supports them. “Is this a growing trend?” “How do companies collaborate in intelligence?” “How does the government view private intelligence efforts?” “How do private and government intelligence entities relate to one another?” “What does this all mean for the future of intelligence work?”
I’d love to find out more, or find a transcript or video of the talk.
(Thanks Tim Maly)
Tim Maly on self-defense in the security state:
This may well be the defining motto of our times. No one is to be trusted; it’s a dangerous world out there and if you can’t be bothered to take basic steps…
Well, everyone gets what’s coming sooner or later.
The watchword is self-reliance. They’re coming to take what’s yours, so you’d better be ready. Federate your email, buy a generator, make sure you’ve got good locks, and for God’s sake, carry a handgun. There are monsters in the streets and some idiot is arming them.
But how to defend against the errors of the masses unwilling to take care of themselves? Every message in my outbox is in some fool’s inbox; plain as day, as if I’d sent it straight to PRISM myself. NSA-proof? Not without a massive shift of collective action undertaken by a society of people who’ve spent the past decade or so dumping as many photos, feelings, and fantasies online as time and bandwidth would allow. Why not? I certainly did. It’s nice to have friends.
USA Today reports:
“After the scandal with the spread of secret documents by WikiLeaks, the revelations of Edward Snowden, reports of listening to Dmitry Medvedev during his visit to the G20 summit in London, the practice of creating paper documents will increase,” an unidentified FSO source tells Izvestia.
One key reason for using typewriters is that each creates its own unique “signature” that can be traced, the newspaper says.
Cryptogasm has found thousands of unsecured, publicly accessible webcams via Google. Lots of them are doggie day cares, some are pointed at public spaces, some are at workplaces and quite a few are of private residences. He’s aggregated them all, except ones that are pointed at children’s rooms, on a giant page.
You can also filter them by location. Here’s Oregon.
This reminds me of a thread from the William Gibson forum a few years ago, where someone discovered a publicly accessible remotely controllable webcam pointed at someone’s office. The forum poster tried, unsuccessfully, to communicate with the guy.