Friday, May 1, 2015

The obvious solution and the remaining problem with it

Refocus the Priority of the NSA back onto National Security

  • We need a 100% disclosure rate for exploits discovered by the NSA. The NSA should report every single vulnerability it finds to the relevant software vendor within one month of discovering it. The funny thing about exploits is that smart people all over the world are working on finding them every day, and nobody seems to be substantially faster than anybody else. When one person discovers an exploit and reports it to a bug bounty program, 500 hackers sigh with disappointment because they were days or weeks from discovering the same one.

  • We need an end to mandatory backdoors into communications systems. Backdoors cannot be relied upon to remain hidden and only available to the law-enforcement or government personnel who are the intended users. Quite the contrary, backdoors render a cryptosystem worse-than-useless because they deliberately cultivate a false sense of security while simultaneously providing a predictable avenue of attack for malicious actors. Eventually, this should culminate in the drastic revision of ECPA and CFAA, and the repeal of CALEA.

  • We need to end mass surveillance because it's not helping us identify threats. As a technology, the hypothesis has failed and it's time to stop wasting money repeating the same mistakes.

  • We need to focus on combating cyber-espionage and cyber-warfare proactively, by fixing bugs before they can be exploited by malicious actors rather than hoarding exploits, which disproportionately leaves innocent computer users vulnerable. If cybersecurity is to be the purview of the US Government and the NSA, then the NSA must be re-imagined as a security research and bug reporting agency. Only in this way can we perfect our computer systems and protect our people from cyber-espionage and cyber-warfare in the long term.

Fix the Problems with The Chain of Evidence

  • We need something quite bizarre to fix this problem. We need to encourage a criminal escalation in cybercrime and cyber-related crime like online drug trafficking. The escalation we need is an SSL-encrypted, peer-to-peer Log-Hash-Escrow system, which stores non-reversible hashes of security logs for sensitive sites. This is to ensure that all hacking performed by law-enforcement agencies is accurately reported when it is entered into evidence in a court of law. This will also help limit the frivolous and excessively inaccurate lawsuits brought by copyright lobbying agencies that stifle innovation, like the RIAA and MPAA.

  • This is another difficult decision, like Tor itself was, but it is one of the only credible ways of restoring credibility to American cybercrime investigators.
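A sketch of the log-hash-escrow idea described above, added here as an illustration and not code from this blog or from any existing escrow system. It assumes a SHA-256 hash chain over log entries and a checkpoint interval chosen for the example; the peer-to-peer distribution and SSL transport are not modelled, and the log lines are constructed.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed fixed starting value for every chain

# Constructed sample security log (not real data).
SAMPLE_LOG = [
    "2015-05-01T10:00:01Z sshd accepted publickey for admin from 192.0.2.10",
    "2015-05-01T10:03:44Z httpd 198.51.100.7 GET /login 200",
    "2015-05-01T10:03:50Z httpd 198.51.100.7 POST /login 302",
    "2015-05-01T10:07:12Z sshd failed password for root from 203.0.113.5",
    "2015-05-01T10:09:30Z httpd 198.51.100.7 GET /admin 403",
]

def chain_digests(entries):
    """Running chain d_i = SHA256(d_{i-1} || SHA256(entry_i)), one digest per entry."""
    prev, digests = GENESIS, []
    for entry in entries:
        leaf = hashlib.sha256(entry.encode("utf-8")).digest()
        prev = hashlib.sha256(prev + leaf).digest()
        digests.append(prev)
    return digests

def escrow_checkpoints(entries, every=2):
    """What the site deposits with escrow peers: {entry index: hex digest}, no log text."""
    digests = chain_digests(entries)
    points = {i: d.hex() for i, d in enumerate(digests) if (i + 1) % every == 0}
    if digests:
        points[len(digests) - 1] = digests[-1].hex()  # always escrow the final head
    return points

def verify_evidence(entries, checkpoints):
    """Check a log offered as evidence against the escrowed digests.

    Returns None when everything matches, otherwise the index of the first
    checkpoint that fails; the change lies after the last matching checkpoint."""
    digests = chain_digests(entries)
    for idx in sorted(checkpoints):
        if idx >= len(digests) or digests[idx].hex() != checkpoints[idx]:
            return idx
    if checkpoints and len(digests) > max(checkpoints) + 1:
        return max(checkpoints) + 1  # entries appended after the escrowed head
    return None

if __name__ == "__main__":
    escrow = escrow_checkpoints(SAMPLE_LOG)
    altered = SAMPLE_LOG[:2] + [SAMPLE_LOG[2].replace("302", "200")] + SAMPLE_LOG[3:]
    print("original log:", verify_evidence(SAMPLE_LOG, escrow))
    print("altered log :", verify_evidence(altered, escrow))
```

Because each digest depends on every earlier entry, editing, dropping, or appending a line changes every later checkpoint, so the escrow peers never need to see the log contents to expose a mismatch.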


Thursday, April 30, 2015

One last thing, let's talk about Parallel Construction

From the standpoint of due process, perhaps the most unsettling aspect of NSA activity so far is how its bad processes have spread like a virus, corrupting agencies that have potentially much more positive and useful missions, like the FBI. "Parallel Construction" is a practice recommended by the NSA to investigative agencies like the FBI and investigative arms of administrative agencies like the IRS, which entails the use of illegal evidence to discover suspects and directs investigators to fabricate a legal chain of evidence in order to obtain a legal conviction on U.S. soil in a U.S. court of law.

I was recently contacted by a young person who wanted me to help him breach a Facebook account belonging to his mother, believing that she was about to remarry her current boyfriend. The young man believed he would be able to discern his mother's suitor by stealing her private messages. I told him exactly what I tell everyone who asks me to violate someone's privacy, which is no, but I also told him something that I hadn't told anyone before.

"If I were to violate your mother's privacy and steal her messages so you could confront her with the identity of her suitor, she would certainly suspect that the information was obtained by surreptitiously intercepting her messages. That means that you have done wrong, while she has simply chosen to remarry, which is her right and privilege. Doing this is a violation of her trust on your part, which damages your position before you even get a chance to make it. It is better to be honest."

Activities like Parallel Construction undermine the confidence that law-abiding, honest Americans have in the ability of law enforcement. That is compounded by the problem which makes it possible: any evidence collected in the course of a computer crime investigation comes under the control of an agency that has a vested interest in concealing any practice of Parallel Construction. In short, confidence in the very notion of a chain of evidence for cybercrime is rightly shattered and requires an engineering solution.


Wednesday, April 29, 2015

Cost-benefit is all well and good, but does it work? Does the technology yield results?

It really doesn't look like it. Here's the thing. If you're willing to take a few fairly simple precautions, you can and will be able to avoid NSA, GCHQ, or cranked-out Russian teenager surveillance for sensitive communications. People who really need to hide from the U.S. Government generally already do. It is possible to avoid the BitLocker key escrow/password reset backdoor by powering on your machine on an offline connection and disabling that section of the backup software. Off-The-Record messaging, which uses a different key for every chat session so that any intercepted key is only useful for a single conversation, has been widely available for a very long time and can be applied to any messaging protocol. The most dangerous people are already capable of avoiding mass surveillance. What it comes down to is a choice. Do we want these products, which are not going anywhere, to be protecting innocent people as well as they do soldiers, journalists, victims and criminals, or do we want to leave innocents exposed by leaving known problems in critical infrastructure in order to mostly fail to track criminals?


Tuesday, April 28, 2015

Let's start with blanket surveillance, can compromising privacy en masse save lives?

Balancing selection and privacy

How about programs that provide proactive intelligence based on so-called "Selectors?" Do they save enough lives to justify the invasiveness and expensiveness of mass archival of personal, potentially sensitive information?

The NSA currently claims that its intelligence has prevented 55 terrorist events or cyberattacks this year. This is not likely to be true. As a matter of fact, it's much more likely that this figure was made up on the spot. Statistically, the likelihood that 55 terrorist attacks on Americans were planned this year is almost inconceivable. I cannot find a calculator capable of turning that into a Z-score. We're like more than 30 standard deviations above the mean here. It's that unlikely. Bottom line, either the NSA has perjured itself or, in the years since the US started the War on Terror, the likelihood of a terrorist attack on Americans has exploded at an unprecedentedly catastrophic rate. Either way, that is a Really Big Problem.

But let's take them at their word for a moment and assume that they have actually prevented 55 terrorist attacks. The NSA spends about $10 billion per year, roughly 14% of the total national budget. $10 billion divided by 55 is an average cost of $181,818,181.81 per attack. Almost 200 million dollars per attack. It is not callous to call for this process to be more efficient.

Another potential analysis of the costs and benefits of this information is the problematic factors of putting such tempting information at the fingertips of fallible human agents. The widespread sharing of private love letters, especially those containing nude photos intended for personal messages between lovers, has occurred many many more than 55 times, although the actual figure is as yet indeterminate. Instances of stalking are also common among NSA employees, civilian contractors, and police all over the world, including in the US.

And let's not forget, if the NSA can get it, so can anyone else.


Monday, April 27, 2015

But does it do any good? Can it do any good?

So we know that if the NSA can get it, anyone can get it. But if the NSA can do its job efficiently enough to prevent loss of life or destruction of property, does the end justify the means, if only in terms of cost-benefit analysis? In order to examine this, we need to break internet surveillance into several categories.

First, a distinction needs to be made between Privacy and Anonymity.

Privacy in this context pertains to the contents of messages sent between users on the internet.

Anonymity pertains to the identifiable characteristics pertaining to the sender and recipient of a message.

Next, a distinction needs to be made between two types of surveillance.

Selection is defined as the process of distinguishing the majority of collected internet traffic from a potential risk. This is the "Needle in the haystack" analogy.

Targeted is defined as the use of exploits to compromise targets in order to gather evidence or determine the identity of a suspect.


Sunday, April 26, 2015

4 Basic System Management - Rooting

This section is mostly for people who have to use "Modified Stock" ROMs instead of Free and Open Source ROMs, and only if the Modified Stock ROM doesn't come with the phone owner in control of the administrative account. It is mostly included to discuss the issues surrounding rooting and because it is required for those who wish to de-bloat a Stock system without compiling Android from source code for their device. Rooting also allows you to use certain applications to block applications from sending information using elevated permissions and a firewall.

What Is Rooting for the Purposes of our Discussion?

For the purposes of this set of instructions, Rooting is a necessary step in the process of assuring you are in complete control of what the programs on your device do at all times. It is the process of obtaining full, administrative privilege over your device's settings and contents. This is necessary because many of Android's features are used to transmit data back to various parties concerned with the operation of your device, like the manufacturer or Google. Even if the information is never misused by those parties, it can easily be eavesdropped upon from many locations in the network by unscrupulous characters and as such should be disabled on any phone used for sensitive communication.

Why you should understand rooting

Why rooting is a security risk and why you should do it anyway: Every root guide you will read will disclaim the security risks of rooting to you, but not every security guide will disclaim what those risks actually are. Sometimes, that's because the risks are so low, relatively speaking, that the people adapting the root exploits are not aware of them. There are only 2 risks really associated with rooting your device.

  1. When you root your device, you must take full responsibility for the contents of your device. When you install an app which uses root to its advantage, it will be capable of asking you for root privileges in order to take advantage of system-wide permissions. If those apps are malicious, then they will ask you for those same permissions and there is very little way to tell. Rooting gives you control, but with power comes the ability to make mistakes. Without rooting, one must accept the mistakes left behind by the manufacturer.
  2. Root apps are just root exploits without malicious mechanisms. In order to root your phone, you'll have to execute an exploit (a "Hack" in the common parlance) which gives you the ability to change system-wide settings on your phone. Those same exploits can be embedded in malicious apps which will attempt to root your phone and give control not to you, but to some remote agent. Only use root apps which are widely reviewed and reputable, such as TowelRoot, and only if you cannot install a pre-rooted ROM.

Stuck with a Stock ROM? You should still root if you can. Do it this way

It is also possible to root your device without trusting an app by executing the so-called "Master Key" exploit from your computer with your phone plugged in. In order to do this, you'll need to use a GNU+Linux computer with the Android Debug Bridge and Android Asset Packaging Tool installed.

  1. First, download the mkbreak generic exploit for the Master Key from the source code repository on GitHub: mkbreak by Saurik.
  2. Unzip the file and open a terminal in the mkbreak-master directory.
  3. Run the command ./doit.sh and follow the text instructions displayed in the terminal.
Appendix 4
  • Upkeep:
  • Notes:

Rooting: Doable Privacy Instructions for Android Part Five

Saturday, April 25, 2015

So what is the point?

The point is that if the NSA can get it, anybody can get it. Accommodating NSA spying, far from being a way of preventing attacks on critical infrastructure, actually preserves dangerous attack vectors for criminal use. If the NSA discovers an exploit and does not report it to the developers of the vulnerable application, that application remains vulnerable for everyone who uses it, the vast majority of whom will by definition be non-criminal actors within the developed world. People with jobs, paying taxes that are, also by definition, making them less safe.

Exploit hoarding disproportionately harms Americans. Whatever else happens, the NSA's exploit hoarding programs, including but not limited to BULLRUN, must be stopped.


 