Blog

  • CleanIT – Leak shows plans for large-scale, undemocratic surveillance of all communications

    posted by Keito
    2012-09-26 20:48:25
'A leaked document from the CleanIT project shows just how far internal discussions in that initiative have drifted away from its publicly stated aims, as well as from the most fundamental legal rules that underpin European democracy and the rule of law.

The European Commission-funded CleanIT project claims that it wants to fight terrorism through voluntary self-regulatory measures that defend the rule of law.

    The initial meetings of the initiative, with their directionless and ill-informed discussions about doing “something” to solve unidentified online “terrorist” problems were mainly attended by filtering companies, who saw an interesting business opportunity. Their work has paid off, with numerous proposals for filtering by companies and governments, proposals for liability in case sufficiently intrusive filtering is not used, and calls for increased funding by governments of new filtering technologies.

    The leaked document contradicts a letter sent from CleanIT Coordinator But Klaasen to Dutch NGO Bits of Freedom in April of this year, which explained that the project would first identify problems before making policy proposals. The promise to defend the rule of law has been abandoned. There appears never to have been a plan to identify a specific problem to be solved – instead the initiative has become little more than a protection racket (use filtering or be held liable for terrorist offences) for the online security industry.

    The proposals urge Internet companies to ban unwelcome activity through their terms of service, but advise that these “should not be very detailed”. This already widespread approach results, for example, in Microsoft (as a wholly typical example of current industry practice) having terms of service that would ban pictures of the always trouserless Donald Duck as potential pornography (“depicts nudity of any sort ... in non-human forms such as cartoons”). The leaked paper also contradicts the assertion in the letter that the project “does not aim to restrict behaviour that is not forbidden by law” - the whole point of prohibiting content in terms of service that is theoretically prohibited by law, is to permit extra-judicial vigilantism by private companies, otherwise the democratically justified law would be enough. Worse, the only way for a company to be sure of banning everything that is banned by law, is to use terms that are more broad, less well defined and less predictable than real law.

    Moving still further into the realm of the absurd, the leaked document proposes the use of terms of service to remove content “which is fully legal”... although this is up to the “ethical or business” priorities of the company in question what they remove. In other words, if Donald Duck is displeasing to the police, they would welcome, but don't explicitly demand, ISPs banning his behaviour in their terms of service. Cooperative ISPs would then be rewarded by being prioritised in state-funded calls for tender.

    CleanIT (terrorism), financed by DG Home Affairs of the European Commission is duplicating much of the work of the CEO Coalition (child protection), which is financed by DG Communications Networks of the European Commission. Both are, independently and without coordination, developing policies on issues such as reporting buttons and flagging of possibly illegal material. Both CleanIT and the CEO Coalition are duplicating each other's work on creating “voluntary” rules for notification and removal of possibly illegal content and are jointly duplicating the evidence-based policy work being done by DG Internal Market of the European Commission, which recently completed a consultation on this subject. Both have also been discussing upload filtering, to monitor all content being put online by European citizens.

    CleanIT wants binding engagements from internet companies to carry out surveillance, to block and to filter (albeit only at “end user” - meaning local network - level). It wants a network of trusted online informants and, contrary to everything that they have ever said, they also want new, stricter legislation from Member States.

    Unsurprisingly, in EDRi's discussions with both law enforcement agencies and industry about CleanIT, the word that appears with most frequency is “incompetence”.

    The document linked below is distributed to participants on a “need to know” basis – we are sharing the document because citizens need to know what is being proposed.

    Key measures being proposed:

    -Removal of any legislation preventing filtering/surveillance of employees' Internet connections
    -Law enforcement authorities should be able to have content removed “without following the more labour-intensive and formal procedures for 'notice and action'”
    -“Knowingly” providing links to “terrorist content” (the draft does not refer to content which has been ruled to be illegal by a court, but undefined “terrorist content” in general) will be an offence “just like” the terrorist
    -Legal underpinning of “real name” rules to prevent anonymous use of online services
    -ISPs to be held liable for not making “reasonable” efforts to use technological surveillance to identify (undefined) “terrorist” use of the Internet
    -Companies providing end-user filtering systems and their customers should be liable for failing to report “illegal” activity identified by the filter
    -Customers should also be held liable for “knowingly” sending a report of content which is not illegal
    -Governments should use the helpfulness of ISPs as a criterion for awarding public contracts
-The proposals on blocking lists contradict each other, on the one hand providing comprehensive details for each piece of illegal content and judicial references, but then saying that the owner can appeal (although if there was already a judicial ruling, the legal process would already have been at an end) and that filtering should be based on the “output” of the proposed content regulation body, the “European Advisory Foundation”
    -Blocking or “warning” systems should be implemented by social media platforms – somehow it will be both illegal to provide (undefined) “Internet services” to “terrorist persons” and legal to knowingly provide access to illegal content, while “warning” the end-user that they are accessing illegal content
    -The anonymity of individuals reporting (possibly) illegal content must be preserved... yet their IP address must be logged to permit them to be prosecuted if it is suspected that they are reporting legal content deliberately and to permit reliable informants' reports to be processed more quickly
    -Companies should implement upload filters to monitor uploaded content to make sure that content that is removed – or content that is similar to what is removed – is not re-uploaded
-It proposes that content should not be removed in all cases but “blocked” (i.e. made inaccessible by the hosting provider – not “blocked” in the access provider sense) and, in other cases, left available online but with the domain name removed.'

    Leaked document: http://www.edri.org/files/cleanIT_sept2012.pdf

    CleanIT Project website: http://www.cleanitproject.eu/
  • Security researchers hack Android remotely over NFC to gain full control and steal all data from a Samsung Galaxy S3

    posted by Keito
    2012-09-20 21:43:37
    'Mobile Pwn2Own at EuSecWest 2012

    Today MWR Labs demonstrated an Android vulnerability at the EuSecWest Conference in Amsterdam. The demonstration of the 0day exploit took place at the Mobile Pwn2Own competition. The exploit was developed in a team effort between our South African and UK offices. The vulnerability was found and the exploit was developed by Tyrone and Jacques in South Africa and Jon and Nils in the UK.

    ### Impact

    MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.

    The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.

    ### The Vulnerabilities

    The first vulnerability was a memory corruption that allowed us to gain limited control over the phone. We triggered this vulnerability 185 times in our exploit code in order to overcome some of the limitations placed on us by the vulnerability.

    We used the second vulnerability to escalate our privileges on the device and undermine the application sandbox model. We used this to install a customised version of Mercury, our Android assessment framework. We could then use Mercury’s capabilities to exfiltrate user data from the device to a remote listener, including dumping SMS and contact databases, or initiating a call to a premium rate number.

    ### Challenges & Shortcomings

    Android 4.0.4 has many of the exploit mitigation features that are common to desktop Linux distributions, including Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP). Shortcomings in these protections allowed us to leverage the control we had of the device to trigger the second vulnerability. Crucially, the ASLR implementation is incomplete in Android 4.0.4, and does not cover Bionic (Android’s linker) and /system/bin/app_process, which is responsible for starting applications on the device. Other protections which would make exploitation harder were also found to be absent.

    A more in depth technical blog post will be released once the vulnerability has been patched by the vendor, detailing the process of finding and exploiting this bug.'
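    The post's key observation is that Android 4.0.4's ASLR did not cover the Bionic linker or /system/bin/app_process, which gave the exploit fixed addresses to rely on. The script below is an added example (it is not MWR Labs' code and is not from the original post) showing the audit a practitioner would run to find such gaps: parse /proc/<pid>/maps from several runs of the same binary and report every mapping whose base address never moves. The sample maps lines are constructed, and the paths in them (linker, app_process, libc) are assumptions chosen to mirror the components the post names, not output captured from a device; `live_snapshots` assumes a Linux host with `cat` available.

```python
"""Check which mappings keep a fixed base address across process runs.

Added example, not from MWR Labs or the original post. The post notes that
Android 4.0.4's ASLR left the Bionic linker and /system/bin/app_process at
fixed addresses; this script shows the audit used to find such gaps: take
/proc/<pid>/maps from several runs of one binary and report every mapping
whose base never moves. The sample maps lines below are constructed; the
paths in them are assumptions mirroring the components named in the post.
"""
import re
import subprocess
from collections import defaultdict

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+"
    r"(?P<offset>\S+)\s+(?P<dev>\S+)\s+(?P<inode>\S+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Return {name: lowest start address} for each named mapping in one snapshot."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("path").strip()
        if not name:
            continue  # anonymous mapping: nothing stable to name it by
        start = int(m.group("start"), 16)
        bases[name] = min(start, bases.get(name, start))
    return bases


def unrandomised(snapshots):
    """Names present in every snapshot whose base address was identical each run.

    Mappings that move between runs are randomised; those that never move are
    the fixed anchors an exploit can build on (the post's linker and
    app_process).
    """
    addrs = defaultdict(set)
    hits = defaultdict(int)
    for bases in snapshots:
        for name, start in bases.items():
            addrs[name].add(start)
            hits[name] += 1
    n = len(snapshots)
    return sorted(name for name in addrs if hits[name] == n and len(addrs[name]) == 1)


def live_snapshots(runs=5):
    """Linux only: capture the maps of `runs` fresh `cat` processes (assumes cat exists)."""
    snaps = []
    for _ in range(runs):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        snaps.append(parse_maps(out))
    return snaps


# Constructed snapshots standing in for two runs of the same process.
# libc and the stack move between runs; app_process and the linker do not.
RUN_A = """\
00008000-00009000 r-xp 00000000 b3:0c 42    /system/bin/app_process
00009000-0000a000 rw-p 00001000 b3:0c 42    /system/bin/app_process
b0001000-b0010000 r-xp 00000000 b3:0c 17    /system/bin/linker
40001000-40100000 r-xp 00000000 b3:0c 99    /system/lib/libc.so
be800000-be821000 rw-p 00000000 00:00 0     [stack]
"""
RUN_B = """\
00008000-00009000 r-xp 00000000 b3:0c 42    /system/bin/app_process
00009000-0000a000 rw-p 00001000 b3:0c 42    /system/bin/app_process
b0001000-b0010000 r-xp 00000000 b3:0c 17    /system/bin/linker
4013a000-40239000 r-xp 00000000 b3:0c 99    /system/lib/libc.so
bea40000-bea61000 rw-p 00000000 00:00 0     [stack]
"""


def demo():
    """Run the audit over the constructed snapshots."""
    return unrandomised([parse_maps(RUN_A), parse_maps(RUN_B)])


if __name__ == "__main__":
    print("constructed sample, fixed mappings:", demo())
    try:
        print("this host, fixed mappings:", unrandomised(live_snapshots()))
    except (OSError, subprocess.CalledProcessError):
        print("no /proc/self/maps here; skipping live check")
```

    On the constructed data the audit flags app_process and the linker and nothing else, which is exactly the shape of gap the post describes. Two caveats when running it for real: compare many runs, since a randomised region can land on the same page twice by chance, and compare the same binary each time, because different executables are laid out differently regardless of ASLR.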
  • Internet enemy number one, Lamar Smith, is sponsoring the FISA FAA renewal and pushing it to a vote in the House on Wednesday. This is the bill that retroactively legalized NSA warrantless wiretapping. We need to stop this now.

    posted by Keito
    2012-09-11 15:03:19
    'It’s back. On Thursday the House of Representatives is scheduled to vote on a five-year reauthorization of the FISA Amendments Act (FAA), the 2008 law that legalized the Bush administration’s warrantless wiretapping program and more. It permits the government to get year-long orders from the secret Foreign Intelligence Surveillance Act (FISA) court to conduct dragnet surveillance of Americans’ international communications—including phone calls, emails, and internet records—for the purpose of collecting foreign intelligence. The orders need not specify who is going to be spied on or even allege that the targets did anything wrong. The only guarantees that the FAA gives are that no specific American will be targeted for wiretapping and that some (classified) rules about the use of intercepted information will be followed.

    After four years, you’d hope that some basic information or parameters of such a massive spying program would be divulged to the public, or at least your rank-and-file member of Congress, but they haven’t. Only a small handful of members have either personally attended classified briefings or have staff with high enough clearances to attend for them. Sen. Ron Wyden—who has been on the Senate Intelligence Committee for years—has even been stonewalled by the Obama administration for a year and a half in his attempts to learn basic information about the program, such as the number of Americans who have had their communications intercepted under the FAA.

    Yet the House ambles on, ready to rubber stamp another five years of expansive surveillance that can pick up American communications without meaningful judicial oversight and without probable cause or any finding of wrongdoing. Instead of blind faith in the executive branch, every member of the House should demand that the administration publicly disclose the following before proceeding with reauthorization:
    • Copies of FISA court opinions interpreting our Fourth Amendment rights under the FAA, with redactions to protect sensitive information (the Department of Justice can write summaries of law if necessary);
    • A rough estimate of how many Americans are surveilled under the FAA every year;
    • A description of the rules that govern how American information picked up by FAA surveillance is protected.

    Can you believe that 435 members of Congress who have sworn to uphold the Constitution are about to vote on a sweeping intelligence gathering law without this basic information? Act now to let them know that it’s time for Congress to fix FISA. Keep an eye on this space and the @ACLU on Twitter for updates this week (for more detailed tweets about FISA, follow @Richardson_Mich, A.K.A. Michelle Richardson, the ACLU’s lobbyist who works on FISA).

    Relatedly, on October 29th, the Supreme Court will hear arguments in the ACLU’s constitutional challenge to the FAA, which was filed in 2008 less than an hour after President Bush signed the amendments into law.'

    http://www.aclu.org/blog/national-security/house-vote-fisa-amendments-act-wednesday
  • Sir Tim Berners-Lee accuses government of 'draconian' internet snooping

    posted by Keito
    2012-09-06 20:47:39
'The inventor of the world wide web, Sir Tim Berners-Lee, has accused the government of invading privacy by monitoring internet use.

Sir Tim warned that plans to monitor individuals' use of the internet would result in Britain losing its reputation as an upholder of web freedom.

    The plans, by Theresa May, would force service providers to keep records of every phone call, email and website visit in Britain.

Sir Tim told the Times: "In Britain, like in the US, there has been a series of Bills that would give government very strong powers to, for example, collect data. I am worried about that."

    Yesterday was the launch of the World Wide Web Foundation's first global Web Index analysing the state of the web in 61 countries using indicators such as the political, economic and social impact of the web, connectivity and use.

Britain came third in the list, which was topped by Sweden, with the United States in second place.

    Speaking at the launch, Sir Tim said that Britain would soon slip down the rankings if the draft Communications Data Bill became law.

    “If the UK introduces draconian legislation that allows the Government to block websites or to snoop on people, which decreases privacy, in future indexes they may find themselves farther down the list,” he said.

    The draft bill extends the type of data that internet service providers must store for at least 12 months. Providers would also be required to keep details of a much wider set of data, including use of social network sites, webmail and voice calls over the internet.

    Mrs May has justified the need for the new legislation by saying that it is necessary to combat organised crime and terrorism.

Sir Tim's comments came on the same day as he denied that there was an 'off' switch for the internet.

He said the only way the internet could ever be completely shut down is if governments across the world coordinated to make it a centralised system:

    "At the moment, because countries connect to each other in lots of different ways, there is no one off switch, there is no central place where you can turn it off.

    "In order to be able to turn the whole thing off or really block, suppress one particular idea then the countries and governments would have to get together and agree and coordinate and turn it from a decentralised system to being a centralised system.

    "And if that does happen it is really important that everybody fights against that sort of direction."'

    http://www.telegraph.co.uk/technology/internet/9524681/Sir-Tim-Berners-Lee-accuses-government-of-draconian-internet-snooping.html
  • Unity is Strength

    posted by Keito
    2012-09-04 21:22:19
    Telecomix Crypto Munitions Bureau works for the benefit of cipherspace. Cipherspace is the state of crypto anarchy. This means that your identity is anonymous as long as you stay protected. There are no identities or authorities in cipherspace, and it is not possible to enforce laws where there is no identity, or where there are no authorities.

    Today there are several threats to the inhabitants of the internet. The politicians of oppressive regimes in the east and in the west, in north and south, are imposing surveillance. Surveillance of the entire networks. What people say to each other, what information is transmitted between bots and humans alike.

This aggression must be met with the strongest encryption algorithms available to modern computers. With onion and garlic routing it is possible to erect the fractal cipherspace. With distributed hash tables it is possible to create networks that have no central node. There is no one that controls the fractal cipherspace. The internet as we know it turns into darknet.

    Telecomix Crypto Munitions Bureau recommends that you use the following software: i2p, for anonymous and secure communications, Gnu Privacy Guard, for direct and verified communication. The onion router, TOR, to access the internets.

    Telecomix Munitions is a defense bureau.

    You can change the future of the internets by joining us in defending the networks and creating cipherspace.

You can help defend yourself and your friends, yes, all inhabitants of the networks.

    By learning a few skills you can take control over technology.

    Telecomix munitions are currently developing and promoting advanced security devices, which can endure even the harshest forms of government or corporation surveillance.

    Your personal computer is an encryption device. Modern hardware can transform plain text to ciphertext with ease. So rapidly you barely notice the difference between unencrypted and encrypted data.

    The laws of mathematics are infinitely stronger than the laws of nations and corporations, as the human laws are really only ink on paper. The laws of mathematics, on the other hand, are the laws that define our very universe. With the use of modern crypto algorithms we can use this fact to defend free speech and the integrity of both bots and humans. Information is nothing but numbers, numbers governed not by human laws, but by the laws of mathematics.

    Networks that utilize the power of cryptography already exist. It will not be possible to stop the spread of the fractal cipherspace.

    To find out more, come to cryptoanarchy.org