
Operation Prism

I’d started writing a piece about CALEA earlier this week, other things came up, and I thought it would just be another nonstarter. The US’s Communications Assistance for Law Enforcement Act (CALEA) is designed to make it easier for law enforcement to spy on criminals, which of course no law-abiding person would want to impede; it’s been used successfully to assist in the conviction of countless criminals since it came into force in 1995. It allows law enforcement to tap into telephone conversations, forcing telecommunication companies both to allow the wiretapping and to hide from the user the fact that their conversations are being monitored. It puts the burden on the supplier to provide the required monitoring equipment to the law enforcement agencies, which meant the installation of new hardware and software across the industry.

All modern telephone switches (PBX) now have these features built into them. But today more and more voice communication is carried out using diverse methods of internet telephony, and there are various moves to expand CALEA to IP telephony (VoIP), which wasn’t previously covered. A major controversy over the expansion is that it means, by its very nature, building backdoors into secure systems, backdoors that will quickly become targets of criminals who are already abusing our systems.

Is it even possible to build a backdoor into a product such as Skype? As I understand it, Skype in its standard mode of person-to-person VoIP connection is an encrypted session between the 2 users, with no ability to listen in except at either endpoint. Whole products would need to change; if you forced the session to travel via a 3rd party so monitoring by authorities were possible, this would increase traffic and latency a great deal.

Now yesterday there was a major news story on the BBC which first came to my attention, US ‘orders Verizon to disclose millions of phone records’ (this headline has now changed). It exposes what later in the day proved to be the tip of the iceberg of what many would say was immense privacy abuse by the US National Security Agency (NSA) in collecting call session information from tens of millions of subscribers: not the content of the calls, but who’s been talking to whom, when and for how long. This was quite amusing, as I’d been reading ISACA’s take on “Big Data” just the day before. I can only think we’re talking about hundreds of millions of records a month. I don’t use Verizon and don’t know much about them, and I didn’t give it much thought till later in the day, when it was exposed that this has been going on for years and that quite a number of telecoms and ISPs have been supplying similar vast amounts of data to the NSA, as well as Google and Microsoft having passed on all manner of data including search queries. Microsoft apparently were the first to offer up the data in what we now know is called Operation Prism.

Personally I doubt there is anything the FBI or NSA would find interesting that I might have to say, but if they’re going to start putting security holes in systems we traditionally thought of as secure, I’m thinking that I may have to start looking at using systems that are beyond their control. It’s not like there aren’t plenty of choices, such as Cellcrypt, and I expect we will see a lot more being developed, necessity being the mother of invention. It’s not like backdoors are the only issue: following the military leaks by Bradley Manning we are reminded of 2 things, that the majority of confidentiality breaches are by insiders and that all security can be bypassed.

Are the real threats, both criminals and terrorists, dumb enough to use insecure communications? The vast majority of the relevant court cases I have read about where IT and forensic evidence were involved were public threats or cases where cached information was found in browser history.

I am sure there’s a lot more to be said over the coming days; looks like interesting times ahead.

Warning: Social media can destroy lives

A couple of stories in the last couple of days caught my attention. The first was that of Paris Brown, a 17 year old English girl who caused a bit of a stir, first, pleasantly, for having been appointed to the fairly high-profile, newly created role of “youth police and crime commissioner”, paying £15,000 P/A. A few days later, police were investigating her over some tweets and posts on other social media from a few years earlier for being racist and homophobic; it also came to light that she’d talked about her sex life, drink and drugs. Of course she was left with no option but to resign.

The second story is tragic beyond belief, and is that of 17 year old Rehtaeh Parsons, who survived having been gang raped by 4 boys 18 months ago at a house party, had her requests to police to take action over the allegations pretty much ignored, was bullied at her then school, and then, after moving schools, finally settled down some and started going forward. But then one of the rapists finished her off last week by posting pictures taken during the rape to her whole peer group. She locked herself in a bathroom and sadly hanged herself.

I think it would be natural for us to think Paris Brown had it coming, that she brought it on herself, and she’s now lost the chance of a lifetime for a young lady to launch into a political career. But really those choices she made as a 14 year old were those of a child. While kids will be kids, and their behavior at that time is another issue, don’t we all want our kids to “do the right thing”? The fact is they don’t, and even worse they will brag online about things they haven’t done, same as in the playground.

With the case of Rehtaeh, the police currently are refusing to take any action; again, even though it would seem obvious that posting images of a 15 year old being raped would in itself be a crime, the police claim not to have adequate evidence. Morally I would suggest that the boy who posted these images has a responsibility for her death. And I would want to see the police firstly use all resources available to secure convictions and secondly hold an internal investigation to see how they let Rehtaeh’s life slip through their fingers and how they can avoid this ever happening again.

Maybe changes in the law are needed, as the laws are not well enough defined; a post on Facebook can be just as hurtful to a 12 year old as being beaten up in the toilet. And even worse, what’s posted on social media is not only there for life: even if you message something privately, you don’t know that it won’t be made public by the recipient.

I would suggest that parents are losing the ability to control what our kids are doing online. They can get Facebook and Twitter on any internet-connected device now: cell phones, PlayStations, and even our TV has its own internet browser. While we can’t control what they do, we can make sure we have a Facebook account that has them listed as a friend, and subscribe to their Twitter feed; at least we will know what’s going on in their world, and when we need to step in. While we can’t stop them going to that house party, as all their friends are going, we can warn them that their potential employer in 10 years might not be so impressed. Of course, how the parents of the boy that posted those pictures can live with themselves, I don’t know.

You may like to join me in signing this petition to Demand an independent inquiry into the police investigation.

I did find some useful films to help drive the message home on the PrivacyComm YouTube feed; I particularly liked the one below and showed it to my 11 year old.