September 2011

4 5678910

Style Credit

Expand Cut Tags

No cut tags
hasimir: (Default)
Monday, September 5th, 2011 02:38 pm

Last week the complete unredacted diplomatic cables obtained by WikiLeaks last year were revealed to the world following a series of events involving WikiLeaks, the Guardian and possibly others. There has been much finger pointing regarding who is to ultimately blame for this, which is essentially pointless. The deed is done and the information is out. A couple of days later WikiLeaks, under the direction of Julian Assange, elected to update their Cablegate site with the unredacted data and provide a full mirror archive [torrent] and PostgreSQL database copy [torrent].

Already there are interesting revelations being brought to international attention by the latest data releases. There are also very valid concerns regarding the safety of intelligence sources, victims of crime and political dissidents who are identified in the cables. Amongst these have been the revelation that one or more cables identify current Australian intelligence officers, as reported in The Age and The Sydney Morning Herald.

Last Friday a statement [PDF] was made by Robert McClelland, the Australian Attorney-General, regarding this fact and confirming that the Australian Security Intelligence Organisation (ASIO), along with other agencies, were reviewing the material. Mr. McLelland reiterated that Section 92 of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) makes it a crime to “publish or cause to be published in a newspaper or other publication, or by radio broadcast or television, or otherwise make public, any matter stating, or from which it could reasonably be inferred, that a person having a particular name or otherwise identified, or a person residing at a particular address, is an officer (not including the Director-General), employee or agent of the Organisation or is in any way connected with such an officer, employee or agent or, subject to subsection (1B), is a former officer (not including a former Director-General), employee or agent of the Organisation or is in any way connected with such a former officer, employee or agent.” That second part is obviously aimed at protecting the families of ASIO employees, while subsection 1B deals with exceptions where former officers have consented to their previous employment being made public.

This has led to speculation that Julian Assange could face prosecution under Section 92 of the ASIO Act. There may be the possibility of additional charges relating to officers of other Australian agencies, such as the Office of National Assessments (ONA) or the Australian Secret Intelligence Service (ASIS). In adition to the cable referred to by The Age and The Sydney Morning Herald there is at least one cable which lists the names of a number of senior ONA analysts and there may be more buried amongst the quarter of a million cables.

One of the problems facing any Australian prosecution in this matter will be whether or not charges can be laid based on the sequence of events. The initial revelations of the complete data came from a GPG encrypted file which had been available online via BitTorrent for several months and which was decrypted using a passphrase published by the Guardian. Each on its own could not reveal the information, they had to be used together to obtain the data. If charges were to be laid related to that, who would be charged? Julian Assange for creating the encrypted file? Another WikiLeaks staffer for putting it on BitTorrent? David Leigh and Luke Harding at the Guardian for publishing the decryption passphrase in WikiLeaks: Inside Jullian Assange’s War on Secrecy? John Young at Cryptome for providing the decrypted CSV file? Raymond Hill at Cablegate Search for using that data in his online database? Others?

That’s just dealing with the initial release of the data. The next question is whether or not Julian Assange or others involved with WikiLeaks can be charged for effectively republishing the data after it has already been decrypted by others? No doubt this is something which Australian Commonwealth prosecuters will consider following the reviews of the diplomatic cables being conducted by ASIO and others.

On Sunday the Attorney-General followed the national security theme with a statement [PDF] announcing a new national security awareness campaign promoting the National Security Hotline (NSH). The NSH was introduced in 2002 by the Howard Government and the initial advertising campaign in 2003 featured much derided fridge magnets for every household.

What is unclear about the latest NSH advertising campaign is whether it was already planned, whether or not it is in response to or accelerated due to the release of the unredacted cables or whether it is part of a push to turn public opinion against WikiLeaks. When the cables were being dribbled out with effort taken to redact information that could identify people at risk of violence or retaliation it was difficult for many people to take the government’s objection too seriously. The complete release last week changes that scenario completely and the publication has been condemned by the traditional media organisations, which had previously worked with WikiLeaks to redact and publish the cables. It is possible that the Attorney-General’s department views an elevation of national security in the public consciousness will make it easier for people to draw the conclusion that the cable publication and, by extension, WikiLeaks is to be condemned.

Regardless of one’s opinions of Julian Assange and WikiLeaks, either for or against, the fact is that the facility to provide a platform for the global release of sensitive material has been a major change for both national and international politics. It has shifted the concentration of power in ways which governments are not used to. They are beginning to learn a similar lesson to that of the media: that the people formerly known as the audience are able to actively engage to a greater extent than previously possible. Not only are people able to do this, but they actually do it.

As I type this there are people around the globe pouring through the released cables looking for interesting information. Some of the results are published by traditional media outlets, some are blogged about and some are included in the running commentary on Twitter or other social media networks. Most people refer to the latter as crowd-sourcing, but governments and intelligence agencies refer to it as open source intelligence. It is another example of ordinary citizens being able to level a playing field which has previously been restricted to governments, intelligence agencies, law enforcement and corporations with the budgets necessary to obtain and mine vast amounts of data. This shift is, unsurprisingly, of real concern to those organisations which have traditionally maintained a monopoly on information.

As a consequence, moves by governments around the world to attempt to limit or discourage this power shift are to be expected. Where that coincides with existing national security legislation, such as that protecting intelligence officers here in Australia, a link is able to be drawn between the power shift and a subtext of potential sedition. It’s not quite accusing anyone engaged in any aspect of the shift in power and sharing (versus control) of information of treason, but it is a manner of presenting opposition to people doing so as in the interests of national security. It is a subtle and dangerous approach to the changing nature of politics and intelligence, which could backfire. Yet it is one which will be pursued by any government seeking to maintain a concentration of power; that being, all of them.

It also won’t work, not completely, that genie is well and truly out of the bottle. The governments, intelligence agencies, law enforcement and corporations already know this; their game is now to limit anything which they see as potentially damaging. The extent of their success or failure in this will only become apparent over time; not just in relation to the various releases from WikiLeaks, but also information which will be released by other sources and organisations in the future.

There are new players in the Great Game of international politics, players who were previously viewed almost entirely as pawns. It will be very interesting to see how it plays out as the power and the rules shift.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Saturday, August 20th, 2011 06:53 am

Yesterday’s news that Paul Freebody, a candidate for the Queensland seat of Cairns, has been expelled from the Liberal National Party (LNP) highlights the need for the greater adoption of email encryption and digital signatures.

As with the OzCar Affair of two years ago, the issue here relates more to the verification that an email has not been tampered with rather than protecting the content from prying eyes. Thus it is a digital signature which would have been of use to Freebody in this case. Had he already been using OpenPGP compliant software to sign his emails, such as PGP or GPG, Freebody could have proven that the change to his email after signing and sending it was made by someone else, without needing to identify or, in this case, embarass that person.

The reports regarding the case of Paul Freebody are a little unclear as to whether the modified email had been sent from his computer or whether a family member who had received the email modified it and then forwarded it on. Regardless of which of those two alternatives it was, the regular use of a digital signature would have helped.

If the email had been modified on Mr. Freebody’s computer before it was sent, the prompt to sign the message would have prevented message from being sent without the relevant passphrase. If the relative had removed the signing option then Mr. Freebody could have pointed to the lack of the signature as a certain level of proof that he did not send that email.

Had the email been signed and a recipient modified the content before forwarding it to others, the signature would not validate for that message and Mr. Freebody could then have pointed to that as proof that the message had been altered. In this case Mr. Freebody could have provided a copy of the original message with the valid signature for comparison.

This is the second time in as many years in which a forged or modified email has resulted in a scalp being claimed in Australian politics; yet the tools to prevent it have been available for two decades and standardised since the late 1990s. Since that time the ease of using email encryption and signatures, particularly with the combination of Thunderbird, GPG and Enigmail, has been improved considerably.

Until people in public life start using at least this aspect of cryptographic technology, even if they don’t actually encrypt their email, these kind of scandals will continue to occur.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Sunday, April 3rd, 2011 04:09 am

I have started experimenting with BitCoin, which is a relatively new form of digital currency. It’s an interesting idea and design which cuts out all the usual middlemen in online payments through a peer-to-peer network, though the price of that is being unable to obtain a refund of a transaction (e.g. a chargeback).

It does, however, provide a method of performing transactions which are simultaneously transparent and anonymous. Users create BitCoin addresses, which are a hash of relevant data (and appear like this: 19E4GYgVJrpSZ4kDnNB7NxdEFed8U13Aq5). A user can create as many such addresses as they wish, even to the extent of creating a new address for each transaction. So even though an address and associated transactions can be viewed by anyone it is still very difficult to determine the parties involved, if not impossible.

So what’s the point? Well, aside from the currency being unable to be manipulated by the normal state based actors (e.g. the Reserve Bank of Australia or the US Federal Reserve), there are a small, but growing number of people and sites accepting BitCoin payments. There is also currency trading between BitCoin and state currencies, as well as sites like CoinCard which enables purchasing BitCoins through PayPal or converting BitCoins to PayPal funds.

This means that it provides a very real method of exchanging money with no real state based scrutiny. This would certainly appeal to people who may wish to disguise what a certain transaction actually involved or who the parties involved were. While many people may assume that only certain illegal transactions (e.g. drugs and arms trafficking) would benefit from this, there are actually plenty of others. One obvious example of often legal, but potentially embarassing, transactions is the sex industry. Really, though, any transaction in which one or both of the parties involved wants a degree of privacy can benefit from BitCoin.

Some governments might raise the spectre of tax evasion via BitCoin, but that is easily countered. When converting BitCoin currency to one’s local currency and bank account, it becomes income which would be declared like any other and the tax paid on that income. Even without converting the BitCoin currency to the local currency of a recipient it would still be possible using the BitCoin currency markets to calculate the tax owed on any given transaction. Other alternative currencies, like Barter Card, have already found methods of addressing tax related issues and they are not insurmountable.

Given the level of distrust with a number of currencies, particularly following the global financial crisis, BitCoin has the potential to gain more than just a handful of computer geek users. Especially since the software is simple to use and available for Windows, Mac and Linux. The source code is also available to guarantee transparency of the entire system.

I have, of course, installed it and obtained a tiny amount of BitCoin currency using the BitCoin Faucet to see just how easy it is to use. The answer is that it is very easy to use. The example BitCoin address I included in this post (19E4GYgVJrpSZ4kDnNB7NxdEFed8U13Aq5) is an active one I generated using the software. It did not take very long to generate and could be used by anyone to send BitCoin donations or payments to me, not that I really expect that to happen. That, however, is all it takes: providing an address hash to another party to send a payment through.

As with any other online payment method, BitCoin can be configured to accept payments via a web server. Alternatively the free MyBitCoin service can be used to accept online payments through BitCoin on a commerce site quickly and easily. The advantage there is not having to worry about maintaining one’s own BitCoin payment code to integrate with an existing shopping card. The disadvantage is that the BitCoin wallet is stored on the MyBitCoin servers instead of one’s own system, although this disadvantage can be minimised by automatically forwarding payments to a local BitCoin address.

All things considered, I think this particular implementation of a virtual currency has great potential, depending on the degree to which it is adopted.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Tuesday, March 8th, 2011 01:52 pm

Yesterday’s Patch Monday podcast from Stilgherrian dealt with the plan for Australia to sign the Council of Europe’s Convention on Cybercrime.

This treaty deals with a number of matters, some of which are just designed to address issue which are already illegal, such as child pornography and pædophilia, just with a technological slant. Some of it relates to computer or network specific crimes, such as computer intrusion and denial of service attacks. Some of it, however, deals with expanding the powers of law enforcement agencies to intercept data traffic and to retain logs of all online activity for possible future use by law enforcement.

Colin Jacobs, from Electronic Frontiers Australia, attempts to address some of the many ways this treaty will adversely affect civil liberties and privacy issues in particular. While Nigel Phair, from the Surete Group, promoted the opinions of law enforcement for what they believe they need to investigate cases online.

There are details of the Australian review of this treaty are on the Attorney-General’s website and will be accepting submissions until the close of business on Monday the 14th this month.

It appears highly likely that moves to prepare Australia to sign the Convention on Cybercrime will be used to enact contentious issues like data retention policies in Australia. So anyone wishing to prevent that should strongly consider sending a submission to the Attorney-General’s Department review.

Should Australia sign this treaty and/or introduce data retention policies, then some people may wish to consider various methods of circumventing that policy. Fortunately some of the same methods which can be used to bypass Internet censorship, such as using a VPN and Tor, can also be used to circumvent the data retention policies.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Sunday, January 30th, 2011 09:16 pm

Recent reports in The Guardian and The Independent, largely overshadowed by current events in Egypt, return to the phone hacking scandal and a renewal of the investigation into illegal activities performed by or on behalf of Rupert Murdoch’s News of the World. It is important to note that, with the exception of what apparently happened to Nick Brown’s landline, what we are talking about is not wiretapping, rather it is cracking the (poor) security of voicemail systems to access recorded messages without authorisation.

In spite of years of denials of involvement, Andy Coulson has resigned as Director of Communications for Prime Minister David Cameron. News International has fired assistant editor Ian Edmondson. While the London Metropolitan Police have finally been spurred into a new and hopefully more complete investigation. Celebrities and politicians seem intent on taking the News of the World to court for numerous breaches of their privacy.

My interest in this case is twofold.

Firstly I want to know if these activities are limited to News of the World or if they have been used by other News International or News Corporation organisations. In particular I want to know if these practices have been employed in the United States or here in Australia.

Secondly I am interested, as a professional geek, in methods of maintaining private communications. Upon the realisation that the so-called hacking was simply accessing a voicemail system, the solution to that problem was readily apparent: move the voicemail system from something under the telephone company’s control to something under one’s own control. It’s actually fairly straight forward to do with solutions available right now. Essentially it just involves forwarding missed or unanswered calls to a PABX (e.g. Asterisk) and then accessing that voicemail in a more secure manner, such as via HTTPS on any smartphone.

So I will continue to watch the case with interest and how far it does or doesn’t spread throughout the Murdoch empire. As well as seeing just how low the muckrakers will stoop for a scoop.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Thursday, January 27th, 2011 05:31 am

Recently I have noticed that a number of my friends and acquaintances have had their GMail accounts compromised. While my preferred email address is on my own server, I do have a GMail address too (actually I have a couple, but only one that is really used much) and it has not been compromised. I’ve been asked about it a little bit and I figured it best to add my thoughts here regarding best practices, along with some software recommendations.

The first and most obvious recommendation is to use a strong password, ideally with a minimum of 128 bits of entropy. The best way to achieve this is to generate a suitably strong password with KeePassX (Windows users should use KeePass). KeePassX can also be used to generate and securely store passwords for any other account or site. KeePass and KeePassX store all passwords in a database that is protected by a passphrase and 256-bit AES or Twofish encryption.

The second recommendation is to never under any circumstances use the same password for multiple accounts. Passwords for one service should not be used to link it to another service where it may be exploited by an application or plugin for the second service. This way even if one service is compromised, the potential damage is limited to that service only and won’t be able to affect other accounts on different sites.

The third recommendation is to always connect using SSL/TLS. I always recommend the Mozilla Firefox browser with the EFF’s HTTPS Everywhere plugin. The Google settings for always connecting via HTTPS and enabling either or both of IMAPS and POP3S.

The fourth recommendation is to configure a proper mail client, such as Mozilla Thunderbird, to connect with IMAP over SSL. Using a proper and robust mail client, like Thunderbird, is my preferred method of accessing email, but in the case of GMail and other primarily web based email hosting does not prevent access via the web.

The fifth recommendation is to use the Tor Browser Bundle when connecting to GMail through a public wireless point or public network (e.g. an Internet café). This software includes a modified version of Firefox that incorporates HTTPS Everywhere and will help prevent session hijacking, such as that used by the Firesheep exploit. The Tor Browser Bundle is designed to run from a USB stick and does not require any installation; simply click and run.

These fairly straight forward measures should be enough to protect any GMail account from compromise and may also be applied to other web email hosts such as Hotmail or Yahoo. Although I have not checked the extent of support for SSL/TLS connections to either of those services.

Finally, I still encourage the use of the GNU Privacy Guard for securing correspondence between parties, but that is a different matter to securing the accounts themselves.

Originally published at Organised Adversary. Please leave any comments there.

hasimir: (Default)
Friday, January 21st, 2011 09:55 pm

So the “Dickileaks” saga is apparently resolved. How many heads rolled? None. Not one. Following a great deal of posturing by the St. Kilda Football Club, including taking a 17-year-old girl to court on Christmas Eve, they have apparently decided to settle. The football club will pay the girl’s rent for a few months in return for a public apology, deletion of the photos and a statement by her that the players who were involved with her met her socially following a match and not at her school.

This leaves a great many unanswered questions. It does not settle the issue over when Sam Gilbert and another player actually met the girl, not when the statement to the contrary is effectively being bought with the price of accomodation. Nor has there been a satisfactory explanation of the role of the Victorian Police, who allowed her initial statement to them to be influenced by calls from St. Kilda Football Club personnel. There has been no statement about how the Memorandum of Understanding between the Australian Football League and the Victoria Police, which was active at the time of the initial investigation, may have influenced that investigation.

The resolution of this case appears to be an enormous win for the St. Kilda Football Club and the AFL. For the club, buying their way out of further scandal has come very cheaply. Meanwhile, football players have seen that clubs and the league are still willing to buy them immunity for their transgressions.

Did we really expect it to go any other way? Not in this town.

Originally published at Organised Adversary. Please leave any comments there.