Thursday, 19 November 2015

UK cyber counter attack programme

Chancellor's speech to GCHQ on cyber security - Speeches - GOV.UK:

"And part of establishing deterrence will be making sure that whoever attacks us knows we are able to hit back.
We need to destroy the idea that there is impunity in cyberspace.

We need those who would harm us to know that we will defend ourselves robustly. And that we have the means to do so.

This is the fifth element of the plan.

Thanks to the investment that we have made during the last Parliament, just as our adversaries can use a range of actions against us, from the virtual to the physical, so we are making sure that we can employ a full spectrum of actions in response.

We reserve the right to respond to a cyber attack in any way that we choose.

And we are ensuring that we have at our disposal the tools and capabilities we need to respond as we need to protect this nation, in cyberspace just as in the physical realm.

We are building our own offensive cyber capability – a dedicated ability to counter-attack in cyberspace.
We have built this capability through investing in a National Offensive Cyber Programme.

The Programme is a partnership between the Ministry of Defence and GCHQ, harnessing the skills and talents of both organisations to deliver the tools, techniques and tradecraft required for the UK to establish a world class capability." 'via Blog this'

Monday, 16 November 2015

Privacy, encryption and the draft Investigatory Powers Bill #IGF2015

From the official transcript (corrected into English):
GABRIELLE GUILLEMIN:  I would be curious to hear from Chris Marsden who is Professor at Sussex University of what he thinks of the debate in United Kingdom when the investigative powers bill was published recently. 
CHRIS MARSDEN:  So I promised... by the way I was expecting to have people start throwing things at me.  I am only telling you what is going on in the UK but I am not responsible.  I promised I would divide this talk up in the good, the bad and the ugly.  
Let's start with the good.  This will be the shortest part.  We are actually having a debate in the UK and the current investigative powers bill is going in front of joint Parliamentary Committee scrutiny.  It is the response to a previous attempt to introduce a piece of legislation under the last Government that was actually vetoed by the junior coalition partner. Since this May we have a majority Government for the Conservative Party.  It has now been reintroduced in a different way.  You can see what the junior partner thought of it if you look up ‘Nick+Clegg’ online.  
We are having a debate and that's a very good thing. It is a 300 page Bill and there are lots of explanatory memoranda as well.  It is almost Patriot Act length, someone was commenting to me earlier.  Think of it as the UK Patriot Act, 14 years later.  
I should say the other element which I think is very important is that the Joint Scrutiny Committee (which considers the draft bill before it is actually introduced as a Bill in to Parliament) unfortunately doesn't seem to have taken advantage of the expertise that was available from the Scrutiny Committee that considered the previous failed Bill from three years ago, and there are no members of that previous Committee on the new Committee which is to say the least a shame.  For instance, the Intelligence and Security Committee of Parliament which is now Chaired by the former Attorney General of the country, is actually conducting its own shadow scrutiny investigation.  So we are shining light into dark corners.  
That's the good.  
The bad and I could go through a very long list but we only got five minutes.  So I should make it relatively short.  
There is no effective judicial review in a way that people would think of judicial review in the rest of the world.  So as things stand judges will have the ability to examine warrants for their reasonableness but not factual check on what the warrant contains.  And that's not full judicial review as it were. That's maybe a more of a matter problem of judicial oversight.  But I think that's probably the major bad.  
But there were many others. One of them is that there is as you may well know and the Chair stated in introduction, the Prime Minister has said he doesn't want there to be end to end encryption which doesn't have a back door for the security agencies.  There are problems with that, in that the British economy which if you start interfering as it were in the strong encryption products the UK has a very strong IT industry and there are a lot of companies that upset by what is still a draft scrutiny power that may or may not be introduced.  Tim Cook of Apple has been outraged at the ban on full encryption suggested.  
There will be problems for cloud providers and the financial services industry too.  And it has been suggested that this may be a major issue for as it were UK PLC, the UK economy as well.  I realize this is a rights based discussion we are having but Governments respond very well to that kind of thing.  
I have one minute.  
Let me quickly say, you know the new James Bond film has come out.  On the bad side I should tell you in Britain we think that the security agencies are a combination of Enigma code breakers, Alan Turing and Austin powers and if not James Bond and there has been quite a substantial publicity push, I repeat that, publicity push by the security agencies around the film and the publication of the draft bill.  Do not expect the British as we always call them the Great British Public to push back hard about this bill.  Activists have been outraged and some Members of Parliament outraged.  Sysadmins are outraged even at a local level.  Do not expect the general public to be outraged.  They like James Bond and they think he is a tremendous fellow.  
On the ugly, a year’s data retention costs will be extremely high.  There was a meeting, a Committee of Parliament, on Tuesday.  Government predicted the data retention cost would be somewhere in the order of $300 million, using universal currency (we have a currency but no one talks about it anymore).  The actual cost is basically exponentially higher at least according to the ISP and this will affect the one thing that the British people do care about in their broadband connections, the price.  That is the one possibility of there being a more general outcry of the bill.  
The other thing to say are about the data retention element of the bill: it will only retain metadata and not content. Two issues with that. Metadata is content. If you have access to all of someone's metadata you can make a very, very good approximation of what they want.  Content, of course, is relatively useless in security services unless you are very targeted because it is extremely expensive to analyze.  But the other part is to say that the ISPs think it is extremely difficult on a limited budget to separate metadata on a budget. That will be an interesting challenge if it were to come to law.  
I know this is audience that looking at the primary materials, section are the gagging clauses. One is a kind of Snowdonian engaging clauses and the other two are blanket clauses anything that the intelligence agencies don't do that is absolutely outrageous will be legal.  See sections 65, 66 and 71 of the Bill.
One final thing to say is UK Government will have to declare this Bill is consistent with both the European Convention on Human Rights and obligations as a member of the European Union under that Convention as it is incorporated in European Union law, but in terms of whether we will be members of either or both by the time this bill comes in to effect, watch this space.  
Much greater minds have contributed to my contribution this morning.  I spoke to Jon Crowcroft who is a professor at Cambridge, and many other academics who are deeply involved in trying to explain to Parliamentarians about what is involved.  Two people you should read. First and I almost take this draft bill as kind of the final insult, kind of postmortem insult, to Casper Bowden who has been one of the heroes of this debate.  He died in July of this year.  He wrote about the compatibility of mass surveillance with the European Convention on the Human Rights and he has been advising the European Parliament on this for 15 years. The second is my coauthor on our book where we talk about default encryption. His name is Ian Brown and he is a professor at Oxford.  And if you have read anything by Ian and Casper, you will be much more educated than with what advice I have given today."

Friday, 11 September 2015

Zimmermann Telegram - illegal UK interception of US cable in 1917 to aid war effort

Zimmermann Telegram - Wikipedia, the free encyclopedia: "Hall passed the telegram to the Foreign Office on 5 February, but still warned against releasing it. Meanwhile, the British discussed possible cover stories: to explain to the Americans how they got the ciphertext of the telegram without admitting to the cable snooping; and to explain how they got the cleartext of the telegram without letting the Germans know their codes were broken. Furthermore, the British needed to find a way to convince the Americans the message was not a forgery.

For the first story, the British obtained the ciphertext of the telegram from the Mexican commercial telegraph office. The British knew that the German Embassy in Washington would relay the message by commercial telegraph, so the Mexican telegraph office would have the ciphertext. "Mr. H", a British agent in Mexico, bribed an employee of the commercial telegraph company for a copy of the message. (Sir Thomas Hohler, then British ambassador in Mexico, claimed to have been "Mr. H", or at least involved with the interception, in his autobiography.) This ciphertext could be shown to the Americans without embarrassment. Moreover, the retransmission was enciphered using cipher 13040, so by mid-February the British not only had the complete text, but also the ability to release the telegram without revealing the extent to which the latest German codes had been broken—at worst, the Germans might have realized that the 13040 code had been compromised, but weighed against the possibility of United States entry into the war that was a risk worth taking.

Finally, since copies of the 13040 ciphertext would also have been deposited in the records of the American commercial telegraph, the British had the ability to prove the authenticity of the message to the United States government.
As a cover story, the British could publicly claim that their agents had stolen the telegram's deciphered text in Mexico. Privately, the British needed to give the Americans the 13040 cipher so that the United States government could verify the authenticity of the message independently with their own commercial telegraphic records, however the Americans agreed to back the official cover story. The German Foreign Office refused to consider a possible code break, and instead sent von Eckardt on a witch-hunt for a traitor in the embassy in Mexico." 'via Blog this'

Friday, 10 July 2015

Obituary: Caspar Bowden, a fearless privacy pioneer

Simon Davies, London School of Economics and Political Science

The world’s privacy advocates are reeling over the loss of one of their most influential and feared campaigners, Caspar Bowden, who has died of cancer. His fierce and combative evangelism for online privacy over two decades and surgical analysis of complex surveillance legislation raised the standard of commentary that influenced advocacy groups at home and abroad.

I had the honour and the pleasure of becoming a close friend and co-conspirator of Caspar. It wasn’t always easy – he held high expectations of his colleagues, who could often experience his wrath whenever they dared to negotiate with “the bastards” (whoever they happened to be at the time). The archaic American expression “ornery” could well have been invented for Caspar Bowden, as his opponents well knew.

In conferences and meetings where officials and ministers appeared there was frequently what became known as the “popcorn moment”, when Caspar would stand up and, from the back of the hall, clear his throat and launch into a devastating critique that would utterly destroy the credibility of his opponents. Within two years, ministerial staffers were routinely calling me to find out whether Caspar would be in the audience. No better tribute could ever be awarded to any campaigner.

Caspar Bowden, mid ‘popcorn moment’. Rama, CC BY-SA

Caspar joined the mainstream privacy world in 1997 during the Scrambling for Safety encryption event that I organised at the London School of Economics, and soon after he co-founded the Foundation for Information Policy Research (FIPR), which became the most astute think-tank in Britain in the field of surveillance.

At the time Caspar chaired Scientists for Labour, an organisation which at the time believed that the Labour Party (which had been elected to government only 18 days earlier) would actually respect scientific advice. The reams of dangerous and intrusive legislation the Labour government subsequently passed caused him to ditch this fantasy. In the years since Caspar appeared to abandon all faith in parties, taking pride in comparisons with TV character Mr MacKay in the comedy series Porridge, who famously said: “I have a job to do and, whatever else I am, I’m firm but fair. I want you to know that I treat you all with equal contempt”.

In 2002 Caspar joined Microsoft’s operation in Europe as chief privacy strategist, but the arrangement was a bad fit. Caspar continued to be outspoken, eventually parting company with Microsoft after he criticised the lack of privacy measures in its software and the firm’s cosiness with US government spooks. Years before Snowden’s revelations about US and UK mass surveillance in 2013, Bowden had already become deeply worried about the relationship between companies and security agencies – with his arguments about the safety of cloud data proven true by the subsequent leaks.

Gus Hosein, executive director of Privacy International and an an old friend and colleague said:

I’m not new to this issue, but whenever I struggle to get my head around the implications of a new policy or technology, I always looked to Caspar. I sought his guidance to navigate it, but I feared what he would say if I came out with something stupid. The future is uncertain enough, but without him it is even more daunting.

Caspar was very accurately described by another close friend and colleague Ian Brown, professor of Information Security and Privacy at Oxford University:

Caspar was a truly unique individual, one of the most passionate, methodical, relentless advocates of any cause I have met. I learnt so much from him as we worked together on and off for nearly 20 years on privacy issues. His forensic analysis of UK surveillance laws, and later European and US legislation, was essential reading for anyone who wanted to understand the implications of some extremely obscure language – including legislators themselves.

Brown believes UK internet users are still benefiting from Caspar’s successful campaign to remove “Big Browser” surveillance powers from the Regulation of Investigatory Powers Act 2000, and to ensure the burden of proof was not put onto individuals who might have actually forgotten passwords later demanded by police. His important reports for the European Parliament will also be key in the long-term decisions made by the EU to protect the privacy of its 500m citizens.

Anyone who knew Caspar understood that he was dogged in his later years by a deep cynicism about progress in privacy. Deeply mistrustful of governments, corporations and even the law, he eschewed mobile phones and came to place his faith almost solely on mathematical solutions, for example by heavily promoting the concept of differential privacy, which attempts to prevent a loss of privacy in situations where details can be inferred from other data.

Perhaps Caspar’s greatest legacy is that, in an age of increasing compromise, he showed us the importance of dogged, non-negotiable persistence. As George Bernard Shaw observed, all progress depends on the unreasonable man. In that respect, Caspar was a beacon of progress.

The Conversation

Simon Davies is Associate Director at London School of Economics and Political Science.

This article was originally published on The Conversation. Read the original article.

Thursday, 18 June 2015

Some thoughts on Usability of Privacy Technologies - George Danezis

Some thoughts on Usability of Privacy Technologies (Outline of Talk) | Conspicuous Chatter: "one may assume that the key customers of this software — large enterprises and governments — simply never asked for such features, and in fact probably considered such a feature to conflict with other requirements (such as the need to recover mail of employees, backup, …).

 These commercial pressures, have changed in the past few years, as large internet companies start relying heavily on serving end-users (search, webmail, social networking). Sadly, these companies have adopted both a business model — ad-based monetization — and a technical architecture — cloud computing — that makes meaningful privacy protection very difficult. In turn the “success” of those architectures has lead to an extreme ease of developing using this model, and an increasing difficulty in providing end-user solutions with appropriate privacy protections — let alone usable ones.

 The rise of services has pushed a number of key privacy technologies into not being commercially supported and a key feature, and in effect at best a “common” — with the governance and funding problems this entails. We have recently learned about the systemic under funding of key privacy technologies such as OpenSSL and GPG. Technologies like Tor are mostly funded for their national firewall traversal features, seeing development on anonymity features suffer.

Unlike other commons (health, parks, quality assurance in medicines), the state has not stepped in to either help with governance or with funding — all the opposite. For example, standardization efforts have systematically promoted “surveillance by design” instead of best of breed privacy protection; funding for surveillance technology is enormous compared to funding for privacy technologies, and somehow ironically, a number of calls for funding of privacy technologies are in the context of making surveillance more “privacy friendly” — leading to largely non-nonsensical outcomes." 'via Blog this'

Sunday, 26 April 2015

EU Wants a New Regulator to Make Sure Internet Firms are Behaving Themselves

The EU Wants a New Regulator to Make Sure Internet Firms are Behaving Themselves | Gizmodo UK: "They warn that some digital businesses are "transforming into super-nodes that can be of systemic importance” and “only a very limited part of the economy will not depend on them in the near future.”

 The documents warn that a lack of action could lead to a "point of no return", where economies are irreversibly tied to a handful of large companies.  Examples include the likes of Amazon, Etsy, Trip Advisor, Facebook, and Google.

They are mentioned as having undue power over their sectors of the market and can exclude any company or products they feel like, without evidence, by claiming they breach terms and conditions.

Apparently this could potentially put the whole European economy at risk due to market exploitation.

To tackle this the documents propose that a new "supervision framework" should be put together and do things like ban unfair business practices and prevent internet companies from using their platforms to provide preferential treatment to their own services." 'via Blog this'

Tuesday, 14 April 2015

Spying on the U.S. Submarine That Spies For the NSA and CIA

Spying on the U.S. Submarine That Spies For the NSA and CIA: "Annapolis's parent unit, Submarine Development Squadron 12, brokers all of this special equipment for the Navy's submarines, setting up relations with the CIA and NSA, as well as the National Reconnaissance Office, which operates the spy satellites and stealthy communications links. And there are a set of silent partners in industry and academia who also ply their trade in this secret submarine world.

 One such player is the Applied Research Laboratory of Pennsylvania State University. As a Pentagon-designated university-affiliated research center, Penn State's ARL "maintains a special long-term strategic relationship with DoD," the lab brags in an online presentation. That relationship accounts for nearly half the university's research budget—and it includes work on Annapolis's RADIANT GEMSTONE, the only public mention of this highly secretive program:

 How excited is the Navy about this new mission? Imagine being the only kid on the block with a shiny new red wagon. The service's admiral in charge of cryptology says the Navy is anxiously crafting "an ordered, sustainable maritime means of realizing military power in cyberspace."

 Still: What does that mean? When you can spy on anyone, anywhere, anytime—not just heads of state, but anyone on a cell or a WiFi connection—what do you actually do? More to the point: Who was the Annapolis spying on last year?

We know roughly where it traveled through the "European and Central Command areas of responsibility"—near Iran, Israel, perhaps even Yemen.

We know that its crew briefed those NSA and CIA officials. We know that Parks, his mission accomplished, recently stepped aside and handed command of Annapolis to a "tactical analysis" expert from Submarine Development Squadron 12." 'via Blog this'