Category Archives: Security

Porn, cash and the slippery slope to the National Security State

Posted on by

One of the most unsettling experiences of the last decade has been watching Western democracies sleepwalking into a national security nightmare. Each incremental step towards total surveillance follows the same script. It goes like this: first, a new security ‘threat’ is uncovered, revealed or hypothesised; then a technical ‘solution’ to the new threat is proposed, trialled (sometimes) and then implemented — usually at formidable cost to the public; finally, the new ‘solution’ proves inadequate. But instead of investigating whether it might have been misguided in the first place, a new, even more intrusive, ‘solution’ is proposed and implemented.

In this way we went from verbal questioning to pat-down searches at airports, and thence to x-ray scanning of cabin-baggage, to having to submit laptops to separate scanning (including, I gather, examination of hard-disk files in some cases), to having to take off our shoes, to having all cosmetic fluids (including toothpaste) inspected, and — most recently — to back-scatter x-ray scanning which reveals the shape of passengers’ breasts and genitals. It may be that we will get to the point where only passengers willing to stip naked are allowed to board a plane. The result: a mode of travel that was sometimes pleasant and usually convenient has been transformed into a deeply time-consuming, stressful and unpleasant ordeal

The rationale in all cases is the same; these measures are necessary to thwart a threat that is self-evidently awful and in that sense the measures are for the public good. We are all agreed, are we not, that suicidal terrorism is a bad things and so any measure deemed necessary to prevent it must be good? Likewise, we all agree that street crime and disorder is an evil, so CCTV cameras must be a good thing, mustn’t they? So we now have countries like Britain where no resident of an urban area is ever out of sight of a camera. And of course we all abhor child pornography and paedophilia, so we couldn’t possibly object to the Web filtering and packet-sniffing needed to detect and block it, right? A similar argument is used in relation to file-sharing and copyright infringement: this is asserted to be ‘theft’ and since we’re all against theft then any legislative measures forced on ISPs to ‘stop theft’ must be justified. And so on.

So each security initiative has a local justification which is held to be self-evidently obvious. But the aggregate of all these localised ‘solutions’ has a terrifying direction of travel — towards a total surveillance society, a real national security state. And anyone who expresses reservations or objections is invariably rebuffed with the trope that people who have nothing to hide have nothing to fear from these measures.

In the UK, a novel variation on this philosophy has just surfaced in Conservative (capital C) political circles. A right-wing Tory MP who is obsessed with the threat of Internet pornography has been touting the idea that broadband customers who do not want their ISPs to block access to pornography sites should have to register that fact with the ISP. (This is to ‘protect’ children, of course, in case the poor dears should mistype a search term and see images of unspeakable acts in progress.) Last Sunday a British newspaper reported that the communications minister, Ed Vaizey, is concerned about the availability of pornography and says he would quite like ISPs to do something about it for him. According to The Register, “he plans to call the major players to a meeting next month to discuss measures, including the potential for filters that would require those who do want XXX material to opt their connection out”.

The Register doesn’t take this terribly seriously, because it’s convinced that Vaizey is too shrewd to get dragged into the filtering mess that afflicted the Australian government. Maybe he is, but suppose he finds himself unable to hold back the tide of backbench wrath towards the evil Internet, with its WikiLeaks and porn and all. The implicit logic of the approach would fit neatly with everything we’ve seen so far. First of all, the objective is self-evidently ‘good’ — to protect children from pornography. Secondly, we’re not being illiberal — if you want to allow porn all you have to do is to register that fact with your ISP. What could be fairer than that?

But then consider the direction of travel. What if some future government decides that children should not be exposed to, say, the political propaganda of the British National Party? After all, they’re a nasty pack of xenophobic racists. And then there are the animal rights activists — nasty fanatics who put superglue in butchers’ shop doors on Christmas eve. Why should thay enjoy “the oxygen of publicity”? And then there are… Well, you get the point.

Stowe Boyd has an interesting post about another bright security wheeze which has really sinister long-term implications. Since terrrists and drug barons use cash, why not do away with the stuff and switch over to electronic money instead?

In a cashless economy, insurgents’ and terrorists’ electronic payments would generate audit trails that could be screened by data mining software; every payment and transfer would yield a treasure trove of information about their agents, their locations and their intentions. This would pose similar challenges for criminals.

Who would such a system benefit, asks Boyd?

Not the part-time sex worker, trying to make ends meet in a down economy. Not the bellman at the airport, whose tips might disappear after the transition to cards. Not the homeless guy I gave $2 to the other day, or the busker playing guitar in the train station. Or the Green Peace folks collecting coins at the park.

The ones that benefit are the those selling the cards and the readers. And the policy-makers who want to see the flow of cash to find — supposedly — drug lords and terrorists, but secretly want to know everything about everybody.

But this is the argument for pervasive surveillance again. In the name of security and safety, they say we should all accept the intrusion of the government into our private lives so that the state can be protected from its enemies. After all, they say, if we aren’t doing anything illegal, why should we care? What have we got to hide?

But we have the right to privacy in our doings. We don’t have to say why we want privacy: it is our right.

And the shadowy doings at the margins of people’s lives are exactly the point of privacy. The man funneling money to a child born to his mistress without his wife’s knowledge, or a woman loaning money to her brother without her husband knowing: they want anonymous cash.

Boyd thinks that cash is a prerequisite of a free society, and he’s right.

“Cash”, he says,

is not a metaphor for freedom, it is a requirement of freedom. A strong society that accepts human nature without moralizing will always have anonymous cash. Only totalitarian governments — where everything not expressly required is illegal — would want to monitor the flow of every cent.

.

The £500m question

Posted on by

This morning’s Observer column.

The news that, according to the national security review at least, cyber attack comes second only to terrorism as the gravest security threat facing the nation will have come as a great surprise to most citizens. We are conscious of the annoyances of malware, viruses, worms, spam and phishing, but for most these are just minor irritations, not threats to the nation's survival.

Yet the other day we had the foreign secretary gravely intoning why, in the midst of the most savage spending cuts in living memory, it is suddenly necessary to give an extra £500m to GCHQ to protect us against nemesis in cyberspace. At the same time, in America, we see the Pentagon setting up a whole new cyber command, USCybercom, with all the usual paraphernalia and awash with funding.

What, you might ask, is going on?

There seem to be two broad answers to the question…

The worm that’s turning

Posted on by

This morning’s Observer column

In the normal course of events, a Siemens Simatic Programmable Logic Controller PLC would not be of interest to anyone other than a hardcore industrial process engineer. It’s a small, dedicated computer used to control the operations of specialised machinery in a wide range of manufacturing industries. Since June, however, the Siemens controllers have become a topic of intense interest to people like journalists and policymakers who, in normal circumstances, have difficulty controlling a microwave oven.

How come? The reason is the Stuxnet worm, a piece of computer malware as malicious software is called, that has caused a huge stir in the mainstream media…

Glocer and the (layered) Orwellian future

Posted on by

One of the chapters in my upcoming book has the title “Huxley vs. Orwell”, symbolising the fact that the visions of these two writers serve as bookends for scenarios about our online futures. So it’s interesting to see this rant by Tom Glocer, CEO of Thomson Reuters setting out the Orwellian case.

Ultimately, I believe that the answer lies in creating a “super net” or overlay internet among trusted and authenticated institutions, akin to the role mil.net served for the US Department of Defense. We are slowly evolving from an unpoliced network of anonymous nodes to a multi-layered network of authenticated institutions and individuals. Just as individuals must be approved to receive a security clearance from their government, so can their machines be identified and approved. What emerges, need not be an Orwellian nightmare of government control. Rather, I can imagine a layered internet in which the nuclear arsenal is controlled by the highest and most secure level, the power grid, air traffic control and ATM networks are secured by a sufficiently robust next layer, but an open cyber frontier — a wild west — remains for individuals to roam free of government control and authentication, but also open to attack and abuse.

Interesting that the CEO of a major journalistic organisation (Thomson Reuters) believes that “what emerges need not be an Orwellian nightmare of government control”. Want to to bet? Since 9/11 I don’t think we’ve seen any government — authoritarian or ‘democratic’ — voluntarily turn its back on any opportunity for tighter control.

How the Grid can ruin your alibi

Posted on by

This is both creepy and fascinating — from The Register.

ENF [electrical network frequency] analysis relies on frequency variations in the electricity supplied by the National Grid. Digital devices such as CCTV recorders, telephone recorders and camcorders that are plugged in to or located near the mains pick up these deviations in the power supply, which are caused by peaks and troughs in demand. Battery-powered devices are not immune to to ENF analysis, as grid frequency variations can be induced in their recordings from a distance.

At the Metropolitan Police's digital forensics lab in Penge, south London, scientists have created a database that has recorded these deviations once every one and a half seconds for the last five years. Over a short period they form a unique signature of the electrical frequency at that time, which research has shown is the same in London as it is in Glasgow.

On receipt of recordings made by the police or public, the scientists are able to detect the variations in mains electricity occuring at the time the recording was made. This signature is extracted and automatically matched against their ENF database, which indicates when it was made.

The technique can also uncover covert editing – or rule it out, as in the recent murder trial – because a spliced recording will register more than one ENF match.

The Met emphasised that ENF analysis is in its infancy as a practical tool, having been used in only around five cases to date. Proponents are optimistic about its uses in counter-terrorism investigations, for example to establish when suspects made reconnaissance videos of their targets, or to uncover editing in propaganda videos.

Dr Alan Cooper, the leader of the Met’s ENF project, said the technique is proving invaluable in serious cases, where audio and video evidence and its authenticity is often questioned.

Onanism and the National Security State

Posted on by

One of the reasons I was pleased (and not surprised) by Labour’s defeat in the general election is that I hold Blair, Brown, the infant Milibands and their mates responsible for a frightening growth in the authoritarian intrusiveness of the state over which they exercised such untramelled control. Even so, this piece by Paul Lewis shocked me.

A story lost amid the election coverage was that of David Hoffman, a photographer who had placed a poster of David Cameron containing the word "wanker" in his window on polling day. Hoffman, 63, was visited by police, who handcuffed him in his living room, threatened him with arrest and forcibly removed the poster, which they had deemed offensive.

The poster, which Hoffman considers an act of legitimate protest, has since returned to the window in Bow, east London. But the offending word has been replaced with “onanist”, derived from a biblical character in Genesis 38:9 whose seed was "spilled on the ground”.

As it turns out, Hoffman is no stranger to the policing of dissent, having spent the last three decades chronicling it. He photographed the miners’ strikes, the Wapping disturbances and the poll tax riots, but believes the policing of protest is today at its most repressive. (At last year’s G20 protest, he lost three teeth.)

The Conservative and Liberal Democrat coalition has promised to change all that, and made “restoration of rights to non-violent protest” a central plank of its drive to reinstate civil liberties. That ambition was repeated this week by deputy prime minister Nick Clegg, who will oversee the reforms.

I will start to take this coalition seriously if Clegg & Co deliver on the rolling back of the national security state. But I’m not holding my breath.

On balance, maybe I’ll take the bike

Posted on by

Wow! Impressed by your vehicle’s sophisticated electronics? Well, have a look at this.

We conducted our computer security analyses on two modern cars. These cars were introduced into the U.S. market in 2009 and are of the same make and model. We determined that someone with access to the internal network in the car could use his or her own computer equipment to take over a broad array of safety-critical computer systems.

For example, in live road tests, were able to forcibly and completely disengage the brakes while driving, making it difficult for the driver to stop. Conversely, we were able to forcibly activate the brakes, lurching the driver forward and causing the car to stop suddenly. We were also able to control the lighting within the cabin, the external lighting, the vehicle’s dash, and so on. A full description of the road tests is described beginning on page 11 of the IEEE Symposium on Security and Privacy paper (PDF).

We stress that all our experiments focused on what an unauthorized party could do if they had the ability to access the car’s internal network (e.g., via physical access to the car). For example, that unauthorized party might plug in a computer to the standard OBD-II diagnostic port under the dash. Clearly the risk in this scenario is low — it implies that someone already has physical access to the car — which is one reason we think consumers should not be alarmed by our results.

But our concern is that the increasing use of externally facing wireless interfaces may increase the risks for future vehicles and provide a way for someone to remotely access the car’s wired network. Hence, even though it may be challenging — and unlikely — for an unauthorized individual to perform the actions we describe in this paper, it is still important to understand them so that we can develop solutions that will continue to be robust even as our cars become increasingly connected.

UK jails schizophrenic for refusal to decrypt files

Posted on by

Good piece of reporting by The Register.

Exclusive The first person jailed under draconian UK police powers that Ministers said were vital to battle terrorism and serious crime has been identified by The Register as a schizophrenic science hobbyist with no previous criminal record.

His crime was a persistent refusal to give counter-terrorism police the keys to decrypt his computer files.

The 33-year-old man, originally from London, is currently held at a secure mental health unit after being sectioned while serving his sentence at Winchester Prison.

In June the man, JFL, who spoke on condition we do not publish his full name, was sentenced to nine months imprisonment under Part III of the Regulation of Investigatory Powers Act (RIPA). The powers came into force at the beginning of October 2007…

Cybercrime more dangerous than cyberwar, Says Obama Aide

Posted on by

From Technology Review.

A top White House cybersecurity aide said yesterday that transnational cybercrime, such as thefts of credit-card numbers and corporate secrets, is a far more serious concern than ‘cyberwar’ attacks against critical infrastructure such as the electricity grid.

Christopher Painter, the White House’s senior director for cybersecurity, made his comments at a conference arranged by top Russian cybersecurity officials in Garmisch-Partenkirchen, Germany. Russia is a major source of cybercrime, but its government has declined to sign the European Convention on Cybercrime–the first international treaty on the subject. The treaty aims to harmonize national laws and allow for greater law-enforcement cooperation between nations.

Painter acknowledged that critical infrastructure needed to be made more secure, but said that the best defenses start by cracking down on crime. “There are a couple of things we need to do to harden the targets, and make the systems as secure as possible,” he said. “But the other thing you need to do is reduce the threat. And the predominant threat we face is the criminal threat–the cybercrime threat in all of its varied aspects.”

For ‘attack’ read ‘protect’

Posted on by

Fascinating piece in the NYTimes about US reaction to a Chinese academic paper on cybersecurity.

It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress.

Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10 that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.”

When reached by telephone, Mr. Wang said he and his professor had indeed published “Cascade-Based Attack Vulnerability on the U.S. Power Grid” in an international journal called Safety Science last spring. But Mr. Wang said he had simply been trying to find ways to enhance the stability of power grids by exploring potential vulnerabilities.

“We usually say ‘attack’ so you can see what would happen,” he said. “My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected.” And independent American scientists who read his paper said it was true: Mr. Wang’s work was a conventional technical exercise that in no way could be used to take down a power grid.

The difference between Mr. Wang’s explanation and Mr. Wortzel’s conclusion is of more than academic interest. It shows that in an atmosphere already charged with hostility between the United States and China over cybersecurity issues, including large-scale attacks on computer networks, even a misunderstanding has the potential to escalate tension and set off an overreaction…