Category: Security

Privacy and Security – Summary and Guideline for Further Research

An example of a Telecom Data Centre. Licensed under GFDL 1.2 via Wikimedia Commons.

Privacy

Metadata – what does it capture:

  • IP address endpoints on HTTP traffic, but not HTTPS.
  • GSM metadata – who you called/texted and when/where.
  • Public wifi hotspots are not required to collect metadata.
  • HTTPS webmail is protected from metadata collection, except:
    Five Eyes agreement (shared intelligence between the US, UK, NZ, Canada and Australia).
    Not secure if you email a non-HTTPS email account.
  • Metadata DOES NOT INCLUDE your content on Facebook; however, publicly shared data is obviously available to anyone, and private or friends-only data is available through PRISM (see below).

Subpoenas
Information held by Australian service providers, and sometimes by international services, can be subpoenaed. Example: copyright cases.

https://www.getup.org.au/campaigns/digital-freedom-and-privacy/go-dark-against-data-retention/go-dark-against-data-retention

National Security Agency

NSA have several mechanisms for tracking/collecting data. The main methods are Internet backbone interception and PRISM.

  • Internet backbone:
    AT&T, Verizon and Sprint have all provided NSA with access to their networks. This means NSA can monitor and collect data crossing those providers’ networks. NSA have also been caught out intercepting routers en route from manufacturer to customer and inserting software backdoors. This means they can log any traffic that crosses that router once it is in operation.
  • PRISM. PRISM is a surveillance system that provides backdoor access to several major service providers. It allows NSA agents to access data held on users of those services. Known members of PRISM include:
    Facebook
    Yahoo (who fought it in the FISA court but lost)
    Microsoft (and outlook.com)
    Apple
    Google
    AOL
    http://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet
  • FISA Court – sometimes supports NSA, sometimes limits it. FISA is the Foreign Intelligence Surveillance Court. FISA is responsible for authorising or blocking NSA surveillance operations.


Security (Solutions)

Warrant Canary

Like a canary used by miners: if the canary dies, there is a gas leak. Canaries die from gas before humans do, so a dead canary is advance notice to humans of a gas leak. Likewise, a warrant canary is a statement regularly updated by a provider indicating that they have not been subject to a government warrant. If the statement is out of date or missing, it means the company has been subject to a warrant, and therefore your data held by the company may no longer be secure.

Warrant canaries are issued because warrant requests usually legally require that the company not reveal that it is subject to a warrant.

https://www.eff.org/deeplinks/2014/04/warrant-canary-faq
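The check a user of a canary actually performs is the one described above: the statement must exist, must be no older than its publication schedule allows, and must still carry the assertion. The following is an added example (not from the original post or any provider); the "Date:" field, the assertion wording, the 30-day interval and the sample statements are all constructed for illustration.

```python
"""Warrant-canary freshness check (added example, not from the original post).

Three conditions count as a tripped canary: the statement is missing, its
date is older than the publication interval plus a grace period, or the
assertion text has been removed or reworded. The 'Date:' field name and the
assertion phrase are assumptions; real canaries vary in format.
"""
from datetime import date, timedelta
import re

# Phrase the provider is expected to keep repeating verbatim (assumed wording).
ASSERTION = "we have not received any warrant"


def check_canary(text, today_iso, interval_days=30, grace_days=7):
    """Return 'ok', or a reason string explaining why the canary is tripped.

    today_iso is the date of the check as 'YYYY-MM-DD'.
    """
    if not text or not text.strip():
        return "tripped: canary statement missing"
    m = re.search(r"^Date:\s*(\d{4})-(\d{2})-(\d{2})\s*$", text, re.M)
    if not m:
        return "tripped: statement carries no parseable date"
    published = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    today = date.fromisoformat(today_iso)
    if published > today:
        return "tripped: statement dated in the future"
    # Allow one full publication interval plus a short grace period.
    deadline = published + timedelta(days=interval_days + grace_days)
    if today > deadline:
        return f"tripped: stale since {deadline.isoformat()}"
    # A canary that is still dated but quietly drops the claim is also a signal.
    if ASSERTION not in text.lower():
        return "tripped: assertion wording removed or changed"
    return "ok"


# Constructed sample statements (not real provider text).
FRESH = "Date: 2015-03-01\nAs of this date, we have not received any warrant or gag order.\n"
STALE = "Date: 2014-11-01\nAs of this date, we have not received any warrant or gag order.\n"
REWORDED = "Date: 2015-03-01\nWe continue to value the privacy of our users.\n"

if __name__ == "__main__":
    for name, txt in [("fresh", FRESH), ("stale", STALE), ("reworded", REWORDED), ("missing", "")]:
        print(name, "->", check_canary(txt, "2015-03-20"))
```

The same logic applies to any regularly published statement: an unchanged date past the deadline is as significant as a removed page.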

TOR

Web browsing anonymity. IP address obfuscation. Slow, and can’t be used for torrenting since torrenting breaks the anonymity. Outbound (exit) nodes can be compromised.

HTTPS Everywhere improves security by ensuring all traffic is encrypted.

VPN – encrypts traffic between the user and the VPN provider.
VPN providers can be subpoenaed – look for a VPN that doesn’t keep IP address logs.
Free VPN versus paid – pros and cons: free VPN providers are less secure and unknown. Large providers are more secure, but more likely to be subject to a warrant.

https://www.torproject.org/projects/torbrowser.html.en

Private chat/call/email

Wickr – goes through a central provider but uses end-to-end encryption – they don’t know what you are sending.
Wickr uses warrant canaries.

RISEUP – HTTPS secure email. Not encrypted at the provider, but the provider is trustworthy. They can still be subpoenaed. Riseup uses a warrant canary.
https://help.riseup.net/

TextSecure, now Redphone – recommended by Snowden – encrypted, but some metadata can leak.

Skype – encrypted, but can be captured if Skype has been subject to a warrant (whereas Wickr data is fully encrypted end point to end point). Metadata is also leaky. No warrant canary – owned by MS, so part of PRISM.

All of the above chat/call methods rely on third parties.

Gypsy Joker Protest Run SA Anti-Association Laws

By Roy Lister from Salisbury North, South Australia (Gypsy Joker Protest Run) [CC-BY-2.0 (http://creativecommons.org/licenses/by/2.0)], via Wikimedia Commons

Just recently the government passed the Vicious Lawless Association Disestablishment Act 2013. There are some misunderstandings relating to the scope of this Act, the primary one being the misperception that the Act targets bikies specifically. There is a separate piece of legislation, the Criminal Law Amendment Act, that deals with proscribed clubs and the offence of members of proscribed clubs meeting in groups larger than three.

(A list of proscribed clubs is available in Schedule 2 of the Criminal Law (Criminal Organisations Disruption) Amendment Act 2013)

You don’t have to be a member of a proscribed club to be prosecuted under the VLAD laws.

Here is a scary example: one of the declared offences is “receive tainted property”. Say you are a member of a camera club and you purchase a camera from another member that turns out to be stolen, and the police charge you with receipt of stolen goods. Unless you can prove that it is not a standard practice of the club to deal in stolen property, you are a Vicious Lawless Associate. The burden of proof is on the accused. You are guilty until proven innocent. If you cannot prove the club does not have as one of its purposes the trade in stolen items, the magistrate will be required to sentence you to 15 years in jail (25 years if you hold an office-bearing position in the club). The magistrate has no choice in this; the prescribed sentences are mandatory.

Your only real hope is that, through a lack of history of offences involving the club, your claim that the club’s purpose does not involve trading stolen goods is accepted; but the potential for abuse of this by police intent on getting “results” is high. When the burden of proof is on the accused, you rely on the good will of the accuser, which is a dangerous thing in the hands of police. It minimises accountability.

Another example: Marijuana is considered a ‘Dangerous Drug’ under the Drugs Misuse Act 1986.  Under the VLAD Act, a Declared Offence includes Possession of a Dangerous Drug.  For the purposes of the VLAD Act, an Association is defined as a corporation, an incorporated association, a club or league, or “any other group of 3 or more persons by whatever name called, whether associated formally or informally and whether the group is legal or illegal.”

In other words, if three or more people are arrested by the police in the process of sharing a ‘joint’, and the police decide to call the group an association, the person in possession of the marijuana will have to prove to a court that possessing or dealing in marijuana was not an activity of the association. It is clear that if three people were involved in a murder, they were a Vicious Lawless Association, and the maximum jail term of 15 years on top of whatever sentence they receive for the actual murder or attempted murder wouldn’t seem quite so unfair. But under the VLAD Act there is no differentiation in sentencing. Even if the normal sentence for possession of marijuana is a stiff fine, the court is required to sentence the possessor of the marijuana to 15 years, UNLESS they can prove the possession of the marijuana was not an intended activity of the ‘association’.

In cases such as “Dangerous Operation of a Motor Vehicle” (a declared offence) some people would be inclined to say “they deserve to go to jail”. Some might even say that a young car club member at a Show n Shine doing a burnout (“Dangerous Operation of a Motor Vehicle”) deserves to go to jail for 15 years, though I suggest that most would see that as far too harsh. Likewise, does someone really deserve to go to jail for smoking a joint with friends?

It may not often come to this, but past experience has shown that when police are given such overarching powers, they tend to use them. Even a few such miscarriages of justice would be too many.

Even in a case where an actual bikie or criminal is being charged with a declared offence, do they really deserve to have 15–25 years tacked on top of the sentence they receive for the actual criminal act? Do we trust over-zealous police to recognise when a bikie has committed an act that is not part of his or her club’s purpose? Is a bikie acting alone more culpable than any other criminal acting alone? Or do people at large really believe that organised criminals are no longer entitled to the same due process that the rest of us are entitled to? And do they sit in their ivory towers (sic) believing that because they don’t smoke dope, don’t do burnouts, and are never likely to commit any of the offences on the declared offences list (many of which are admittedly horrific offences for which the committers wouldn’t obtain much sympathy), they can sit back self-righteously and ignore the potential abuse of process that this legislation invites?

This kind of “it’s okay, because they are bad people” legislation is a slippery slope. Once it’s okay to treat ‘associates’ more harshly than individuals, it takes very little for the government to expand the meaning of ‘association’ and ‘declared offences’. The police service will be champing at the bit to use these powers to rein in criminal activity that is not gang related (such as low-level drug dealing). The government will be eager to expand the list of declared offences to deal with activity they deem politically unsavoury. How soon before protest groups are targeted, or unions?

The legislation is a minefield and is not targeted at bikies alone, but at any group that the government or police arbitrarily decide is a threat to law and order.

Read the Bill here: The Vicious Lawless Association Disestablishment Act 2013

Guest lawyer’s analysis: Are You A Vicious Lawless Associate?

Legal Aid QLD: Drug Offences

Supporting notes for the VLAD Bill

Manning Statement: “I am Chelsea Manning. I am a female.”

Manning, recently sentenced to 35 years in prison for releasing classified documents, has released a statement declaring her wish to henceforth be known as Chelsea Manning, and to be referred to with the feminine pronoun.

This isn’t an out-of-the-blue announcement, Manning having often posted as Breanna Manning in chat rooms at the time of the classified document releases, and having lived as an out gay person for a number of years.

Manning in wig and lipstick.

This photograph was attached to emails Manning had sent to therapist Captain Michael Worsley and NCOIC Sgt. Paul Adkins, in which Manning expressed a hope that a career in the military might “get rid of it”, in reference to what she called “my problem”, the gender dysphoria that she has now come to accept.
Chelsea Manning has released this image into the Public Domain.

Manning has expressed her wish to start hormone treatment to more effectively live as a woman. Manning’s sentence will be served out in Fort Leavenworth, in the male population, where authorities have claimed hormone treatment is not provided to prisoners. Chase Strangio, a lawyer of the American Civil Liberties Union LGBT project, has said this raises “serious constitutional concerns”.

“The official policy of the Federal Bureau of Prisons and most state agencies is to provide medically necessary care for the treatment of gender dysphoria, and courts have consistently found that denying such care to prisoners based on blanket exclusions violates the eighth amendment of the constitution.”

Chelsea Manning’s full statement below:

“Subject: The Next Stage of My Life

I want to thank everybody who has supported me over the last three years. Throughout this long ordeal, your letters of support and encouragement have helped keep me strong. I am forever indebted to those who wrote to me, made a donation to my defense fund, or came to watch a portion of the trial. I would especially like to thank Courage to Resist and the Bradley Manning Support Network for their tireless efforts in raising awareness for my case and providing for my legal representation.

As I transition into this next phase of my life, I want everyone to know the real me. I am Chelsea Manning. I am a female. Given the way that I feel, and have felt since childhood, I want to begin hormone therapy as soon as possible. I hope that you will support me in this transition. I also request that, starting today, you refer to me by my new name and use the feminine pronoun (except in official mail to the confinement facility). I look forward to receiving letters from supporters and having the opportunity to write back.

Thank you,

Chelsea E Manning”

Bradley Manning Sentence: 35 Years for Disclosures

The Bradley Manning trial sentence has been handed down: a sentence of 35 years for assorted disclosures. The government had sought a minimum of 60 years.

The sentence is a mixed blessing. It is much harsher than those given to many other whistleblowers, and many years longer than those of US servicemen found guilty of far worse crimes, such as the deaths of civilians. But on the reverse side, Manning will see the light of day again, which is much better than the 136-year possible sentence he was facing.

A cynical view would be that the US government have manufactured this sentence in order to send a strong signal that whistleblowing will not be tolerated, yet at the same time forestall the protests and negative publicity that would follow a sentence that would have seen Manning in jail for the term of his natural life.

The sentence is expected to be subject to immediate appeal.


Editorial: Can NSA XKeyScore Operatives Access All Your Data?

There is a very good article on The Guardian at the moment that exposes more detail about NSA data collection (see here), but I would question some of the conclusions. The headline makes it seem like XKeyscore is collecting all internet activity on every user, but this is not the case. The term used in the NSA material, “nearly everything a typical user does on the internet”, means that they collect nearly all the types of data an internet user generates: browsing history, email, chat, social media etc. Not that they collect all the information in those data classes for all users.

The XKeyscore database collects data from various sources including PRISM, ISP taps etc. It can usually hold the data for only 3 days or so before it has to be rolled off to make room for new data.

When Snowden says all he needs is an email address and he can access all the data for any individual, he has to be exaggerating. For a start, POP email accounts download mail from the server onto the end user’s computer, which is protected behind a home or business hardware firewall – NSA will not be able to access this data just by “filling in an online form”. Also, people with their own domains may or may not be hosted on ISPs for which NSA have onsite ‘taps’. Users whose email address on social media is different from their personal email address will not be so easily connected – for example the address max@xxxxxx.net.au has no connection with the user’s Facebook page.

What Snowden is talking about is the user whose online identity is connected through various cloud providers – for example one email address that forms the basis of their webmail (for example Gmail, which includes email, browsing history etc.), Facebook, Dropbox and so on. For those users, through PRISM, an almost complete online history is recoverable. For other online users there will be varying levels of data able to be recovered.

XKeyscore seems to be a data collation program, bringing together data from various NSA sources, as opposed to an overarching data collection mechanism laid over the internet as Snowden and the Guardian article seem to be implying.

Other than this exaggeration on the part of Snowden, and on the part of the Guardian in the way they have headlined the article, the piece contains some high-quality information and is well worth a read.