Feed Aggregator Page 4
Rendered on Thu, 01 Dec 2016 14:30:13 GMT
via News by editor on Wed, 30 Nov 2016 17:10:16 GMT
Caroline Wilson Palow, General Counsel at Privacy International:
“The passage of the Investigatory Powers Act is a major blow to the privacy of people in the UK and all over the world. It sets a world-leading precedent, but not one of which the Government should be proud. Instead of reining in the unregulated mass surveillance practices that have for years been conducted in secret and with questionable legal authority, the IPA now enshrines them in law. Widespread surveillance is an antithesis to democracy, yet the IPA now sanctions it. Privacy International is disappointed that Parliament has failed to curtail these broad and deep forms of surveillance that will affect each and every one of us, even if we’re not suspected of any crime. But the fight is not over. It will simply move from the politicians to the judges, who will need to decide if the IPA is consistent with the rule of law and the values of our democracy.”
via News by editor on Wed, 30 Nov 2016 17:09:33 GMT
This piece was written by PI Research Officer Edin Omanovic and originally appeared here.
One of the UK’s biggest security assets is one of its biggest security threats. The UK’s spies have access to and are allowed to exercise some of the most sophisticated electronic surveillance techniques in the world. It has underwritten its Special Relationship with the US, cementing a bond at the most sensitive level of the State.
But it’s come at a cost. A government-appointed independent review called the UK’s legal framework under which its capabilities have been developed “undemocratic, unnecessary and — in the long run — intolerable”.
The spooks and Home Office have been dragged into modest reforms kicking and screaming. The few safeguards which do exist are only in place because of external pressure. The oversight system relies on a staggering amount of unfounded trust in the resilience of liberal democracy and the post-war western security order. It is trust that is now outright dangerous.
It is understandable that the UK doesn’t want to risk the Special Relationship. The United States is unarguably the world’s only superpower, spending more than double what China does on its military. The post-war order is based on US power and its projection around the world. The security establishment in the west and its allies have invested it with vast power. In doing so, they have accepted that it has built the world’s largest ever surveillance infrastructure, supported by its dominance in technology and international security relationships.
The UK spooks want to play with their Atlantic cousins. They don’t like being told to do boring things like report back, or have a foreseeable, necessary, and proportionate legal framework in place. Tellingly, the area where resistance to transparency has been strongest in the UK is the extent to which the US has access to its intelligence. This isn’t about spooks trading brown envelopes on park benches: intelligence sharing in the age of the internet involves sharing, by default, any and all electronic communications that the UK collects. Today, UK intelligence gathering includes tapping submarine cables through which the vast majority of internet traffic flows, allowing the surveillance of the communications of millions of people on a daily basis.
We only know of the existence of these intelligence sharing agreements because of an obscure agreement — the UK-USA Agreement — signed in the aftermath of the Second World War, when civilian communications were confined to the few households that could afford a telephone. The agreement — which governs intelligence sharing between the US, UK, Australia, Canada and New Zealand — not only provides for the sharing of raw intelligence, but also calls for these governments’ agencies to share surveillance equipment and techniques. Today, these arrangements have manifested themselves in the form of jointly staffed and jointly run bases, jointly run operations, and direct access to bulk surveillance. They have also been interpreted to allow US agencies to collect intelligence to target drone strikes, from a base in North Yorkshire.
Despite the level of cooperation however, the only official safeguard the government has been prepared to offer has been a two-page summary of secret internal guidance presented to a secret court.
This is intolerable. Globally, the pillars of democracy are under threat. It is worth remembering that it has no inherent right to exist. The effects of inequality are finding an outlet in populist nationalism, bringing with it politicians who were considered irrelevant and sneered at only a few years ago. In the UK, the independence of the judiciary has been openly challenged. If facts are becoming less relevant, then so too is parliamentary representation and the media.
The fact that the largest surveillance infrastructure ever exercised will soon be run by commander-in-chief Donald Trump, a man with no apparent qualms about using it to target entire religious groups, should therefore be of concern to everyone. For the UK, the security establishment’s trust in the system now means that Trump and whoever he appoints will also have access to the UK’s intelligence gathering infrastructure, including potentially data on British people. Moreover, they will have access at a time when the post-war western security order is under threat by a US leader who is in apparent awe of an authoritarian former KGB spy who has threatened and destabilised the UK’s allies and strategic interests.
Whatever happens over the next few years, if there is to be a storm, then it is best to prepare. It is essential that western liberal democratic societies are resilient enough to uphold their fundamental values. Some argue that technology is polarising groups and creating echo chambers: certainly, Brexit and the US election show that sides are less understanding of one another, and for a democracy, that represents real danger.
It is now in everyone’s interests to invest in robust institutions, governance systems, and clear laws that restrain and protect fundamental rights. Whether you believe it is the elites or populists that have hijacked democracy, a liberal system of checks and balances is the only way we know of how to manage power, and it is our only hope.
This must start with the state’s monopoly on violence and its power to spy on us and to control. For the UK government, this begins with telling Parliament and its electorate what Donald Trump will have on them. We can no longer rely on blind trust in the system, on secret courts reviewing secret safeguards.
Whether you believe that the UK’s surveillance infrastructure is the product of a national debate, supported by independent review, that strikes a balance between national security and transparency, or a dangerous and counter-productive global precedent that has no place in a modern liberal democracy, it’s in everyone’s interest to make it as democratic and resilient as possible — and certainly a lot more than it is at the moment. Why take the risk?
via Schneier on Security by Bruce Schneier on Wed, 30 Nov 2016 15:33:18 GMT
Ross Anderson describes DigiTally, a secure payments system for use in areas where there is little or no network connectivity....
via Emergent Chaos by adam on Tue, 29 Nov 2016 17:01:27 GMT
The Green Party is driving a set of recounts that might change the outcome in one or more swing states. Simultaneously, there is a growing movement to ask the Electoral College to choose a candidate other than Donald Trump to …
via Schneier on Security by Bruce Schneier on Tue, 29 Nov 2016 12:01:13 GMT
You can rent a 400,000-computer Mirai botnet and DDoS anyone you like. BoingBoing post. Slashdot thread....
via Schneier on Security by Bruce Schneier on Mon, 28 Nov 2016 23:36:34 GMT
It's really bad. The ticket machines were hacked. Over the next couple of years, I believe we are going to see the downside of our headlong rush to put everything on the Internet. Slashdot thread....
via Emergent Chaos by adam on Mon, 28 Nov 2016 16:13:26 GMT
In September, we shared the news that for its 50th year, the people of Gävle paid an extra $100,000 to secure the goat. Sadly, it seems to have not helped. Today, the goat tweeted: Oh no, such a short amount …
via Schneier on Security by Bruce Schneier on Fri, 25 Nov 2016 22:30:21 GMT
Here's a nice picture of one of the few known poisonous squids. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
via Schneier on Security by Bruce Schneier on Fri, 25 Nov 2016 16:00:58 GMT
Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania. The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman,...
via News by editor on Wed, 23 Nov 2016 12:27:44 GMT
This guest piece was written by Elonnai Hickok and Vipul Kharbanda.
In light of the complex challenges and threats posed to, and by, the field of information telecommunications in cyberspace, in 1998 the draft resolution in the First Committee of the UN General Assembly was introduced and adopted without a vote (A/RES/53/70). Since then, the Secretary General to the General Assembly has invited annual reports on the issue. The most recent report, Developments in the Field of Information and Telecommunications in the Context of International Security, was published in June 2015.
The 2015 Report touches upon a number of issues, including international cooperation, norms and principles for responsible state behavior, confidence building measures, cross border exchange of information, and capacity building measures.
Annual reports will continue to be accepted by the General Assembly, and the 2016/2017 Group of Governmental Experts will have its first meeting in August 2016. India was a member of the Group of Governmental Experts in 2013.
The Centre for Internet and Society (CIS) published a paper analysing India’s alignment with the recommendations of the report of the Group of Governmental Experts. This policy brief attempts to articulate the major policy actions that may be considered by India to further incorporate and implement the principles enunciated in the Report.
CIS believes that the report of the Group of Governmental Experts provides important minimum standards that countries could adhere to in light of challenges to international security posed by ICT developments. Given the global nature of these challenges and the need for nations to holistically address such challenges from a human rights and security perspective, CIS believes that the Group of Governmental Experts and similar international forums are useful and important forums for India to continue to actively engage with.
Below are our specific recommendations:
(a) Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
India has entered into treaties on ICT issues with countries such as Belarus, Canada, China, Egypt, and France. Additionally, India’s IT Act addresses a number of the cyber-crimes listed in the Budapest Convention. However, India is not yet a signatory to the Convention. This leaves scope for India to consider further forums and means of international cooperation to better realise this principle.
India has been invited to accede to the Budapest Convention in the past, but for various tactical and political reasons has not yet agreed to do so. Although whether to accede to an international convention or not is usually a well discussed and thought out policy decision of the diplomatic corps of a country, the mutual assistance framework, however flawed it may be, would offer a better opportunity for India for international cooperation for increasing the stability and security of ICTs and preventing harmful ICT practices as envisaged in the Report of the Group of Governmental Experts.
(b) In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution [of cybercrime] in the ICT environment and the nature and extent of the consequences;
While the Department of Electronics and Information Technology (DEITY) as well as the Computer Emergency Response Team, India (CERT-In) have a number of policies which talk about maintaining security and means of addressing threats in the ICT environment, most ICT incidents, crimes or illegal activities using ICT, unless they involve large or government institutions, are handled by the regular police establishment of the country. The lack of capacity, both in terms of infrastructure and skill, of the regular police to adequately address most cyber-crimes is an area that needs to be strengthened. The need for cyber security capacity building in India was highlighted in 2015 by the Standing Committee on Information Technology. It would be useful for dedicated cyber-crime departments to be established in all districts. This would be a step in the right direction to provide the requisite capacity and resources to deal with the various technical issues such as attribution, jurisdiction, etc. arising out of ICT incidents.
(d) States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
Owing to the growing irrelevance of physical and political borders in the age of globally networked devices, one of the most important issues arising out of ICTs and cyber-crimes is the need for greater and more efficient exchange of information between nations. It has been widely accepted that sharing of information on a regular and sustained basis between nation states would be a very important tool. Limitations in the traditional mechanisms (MLATs, Letters Rogatory, etc.), such as the delay in accessing the information as well as denial of access due to differences in legal standards, present hurdles to the efficacy of law enforcement agencies and only emphasize the urgency of developing a new mechanism of international information sharing that would be able to deal with ICT incidents, while at the same time protecting the freedoms and privacy rights of the citizens of the world. Exploration and participation in dialogues and solutions that are evolving at the international level around cross border sharing of information is key.
(i) States should take reasonable steps to ensure the integrity of the supply chain [of ICT equipment] so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
While the National Electronics Policy of 2012 states that the government should mandate technical and safety standards in order to curb the inflow of sub-standard and unsafe electronic products, the government is yet to mandate any broad standards in the Indian market for ICT equipment. Considering the enormous security implications of compromised ICT, this is an area that the government should prioritise and where it must act immediately. Mandating standards may require the establishment of a monitoring or enforcement mechanism to ensure that the standards are being implemented. This should be done with the aim of ensuring security while not hindering innovation or the flow of business. To achieve such a balance, research and discussion is needed within the government to formulate a mechanism which would ensure the safety and quality of ICT tools while at the same time ensuring that industry is not hindered.
Conclusion
The suggestions given above are some of the major lessons from the analysis of the UN Report on ICT which CIS believes the government of India could adopt and pursue to strengthen its alignment with the recommendations of the Report. It is also imperative that the Government of India continues to realise the importance of the work being done by the Group of Governmental Experts and takes measures to ensure that a representative from India is included in future Groups. Meanwhile, India can take positive steps by strengthening domestic privacy safeguards, improving transparency and efficiency of relevant policies and processes, and looking towards solutions that respect rights and strengthen security.
via Schneier on Security by Bruce Schneier on Wed, 23 Nov 2016 20:01:46 GMT
Susan Landau has an excellent essay on why it's more important than ever to have backdoor-free encryption on our computer and communications systems. Protecting the privacy of speech is crucial for preserving our democracy. We live at a time when tracking an individual -- a journalist, a member of the political opposition, a citizen engaged in peaceful protest -- or...
via Schneier on Security by Bruce Schneier on Wed, 23 Nov 2016 12:56:58 GMT
Surprising no one who has been following this sort of thing, headphones can be used as microphones....
via Schneier on Security by Bruce Schneier on Tue, 22 Nov 2016 20:29:55 GMT
Vice Motherboard has an interesting article about governments using social-media platforms for propaganda and surveillance, and the companies that are supporting this....
via Emergent Chaos by adam on Tue, 22 Nov 2016 18:00:42 GMT
I moved to MacOS X because it offers both a unix command line and graphical interfaces, and I almost exclusively use the command line as I switch between tasks. If you use a terminal and aren’t familiar with the open …
via Schneier on Security by Bruce Schneier on Tue, 22 Nov 2016 16:16:36 GMT
Interesting paper. John Scott-Railton on securing the high-risk user....
via Schneier on Security by Bruce Schneier on Mon, 21 Nov 2016 12:04:21 GMT
According to a Harris poll, 39% of Americans would give up sex for a year for perfect computer security: According to an online survey among over 2,000 U.S. adults conducted by Harris Poll on behalf of Dashlane, the leader in online identity and password management, nearly four in ten Americans (39%) would sacrifice sex for one year if it meant...
via Schneier on Security by Bruce Schneier on Fri, 18 Nov 2016 22:10:19 GMT
Squid catch is down, so fishermen are trying to sell more processed product. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
via Schneier on Security by Bruce Schneier on Fri, 18 Nov 2016 20:22:32 GMT
This is pretty amazing: International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that...
via Schneier on Security by Bruce Schneier on Fri, 18 Nov 2016 12:40:04 GMT
This is impressive research: "When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals": Abstract: In this study, we present WindTalker, a novel and practical keystroke inference framework that allows an attacker to infer the sensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated from the observation that keystrokes on mobile devices will...
via Schneier on Security by Bruce Schneier on Thu, 17 Nov 2016 14:22:19 GMT
PoisonTap is an impressive hacking tool that can compromise computers via the USB port, even when they are password protected. What's interesting is the chain of vulnerabilities the tool exploits. No individual vulnerability is a problem, but together they create a big problem. Kamkar's trick works by chaining together a long, complex series of seemingly innocuous software security oversights that...