Technology, Thoughts & Trinkets

Touring the digital through type

Year: 2014 (page 1 of 4)

The Canadian SIGINT Summaries

Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, FryslânJournalists with access to leaked documents have reported on the partnerships and activities undertaken by Canada’s foreign signals intelligence (SIGINT) agency, the Communications Security Establishment (CSE), since October 2013. As a result of their stories we know that the Canadian government hosts collection facilities in its diplomatic outposts for American SIGINT operations, has co-ordinated with the NSA to monitor for threats to international summits that took place in Canada, and shares a cooperative relationship with the National Security Agency (NSA) to protect North America from foreign threats. CSE, itself, was found to be conducting signals intelligence and development operations against the Brazilian government, running experiments using domestically collected metadata to track Canadians’ devices, and automating both the discovery of vulnerable computer devices on the Internet for later exploitation and identifying network administrators’ Internet traffic.

The aforementioned revelations are just a sample of what Canadians have learned as journalists have reported on documents leaked to them by Edward Snowden and other whistleblowers. But it has been challenging for even experts to keep track of the Canadian discoveries amongst the tidal wave of information concerning American and British SIGINT agencies. I have created and published a resource to help researchers and members of the public alike track mentions of CSE in documents that have been reported on by professional journalists.

The Canadian SIGINT Summaries page of this website currently includes downloadable copies, along with summary, publication, and original source information, of leaked CSE documents. The page will be updated  as new whistleblower documents are released and as I parse and add information about CSE’s operational guides that have been released to the public under Access to Information and Privacy (ATIP) laws. I plan to also include copies of the CSE Commissioner’s reports. While I will try to exhaustively collate documents it is entirely possible that I have, or will, miss some; if you believe I have failed to include a primary document and would like me to add it to the SIGINT Summaries page please contact me with the document and a link to the journalistic source which reported on it.

The Canadian SIGINT Summaries are not meant to replace the detailed reporting of documents nor the exhaustive examination of them by other researchers, scholars, or other analysts. And I expect to write more extensive analyses based upon the documents that extend beyond my summarizations of them. The Canadian SIGINT Summaries are meant as a public resource, listing all of the relevant public documents, briefly describing their contents and publication data, and letting readers download them to draw their own conclusions.

As I update the page with new items or sections I will publish blog posts which either include the item (if just one or two are added) or short summaries when larger updates are published. I hope that you find the Canadian SIGINT Summaries helpful and, for international visitors, encourage you to replicate this model to summarize information about your own domestic SIGINT agency.

Review of Desk.PM’s Publishing App (v. 1.0)

Desk.pmI downloaded a copy of Desk last week, an OS X applications that is designed for bloggers by bloggers. It costs $30 from the Mac App Store, which is in line with other blogging software for OS X.

To cut to the chase, I like the application but, as it stands right now, version 1.0 feels like it’s just barely out of beta. As a result there’s no way that I could recommend that anyone purchase Desk until a series of important bug fixes are implemented.

What’s to Love

I write in Markdown. At this point it’s so engrained in how I stylize my writing that even my paper notebooks (yes, I still use those…) prominently feature Markdown so I can understand links, heading levels, levels of emphasis, and so forth. Desk uses Markdown and also offers a GUI where, after highlighting some text, you’re given the option to stylize add boldface or italics, insert a hyperlink, or generally add in some basic HTML. That means that people like me (Markdown users) are happy as are (presumably) those who prefer working from a graphical user interface. Everyone wins!

In line with other contemporary writing applications (e.g. Byword, Write) the menu options are designed to just fade away while you’re writing. This means there are no distractions when you’re involved in writing itself and that’s a good thing. You always have the option to calling up the menu items just by just scrolling somewhere in the main window. So, the menu is there when you want it and absent when you’re actually working. Another win.

Continue reading

CSIS’s New Powers Demand New Accountability Mechanisms

6165458242_97e0572d03_oThe Government of Canada recently tabled Bill C-44, the Protection of Canada from Terrorists Act, in response to a series of court defeats concerning how the Canadian Intelligence and Security Service (CSIS) collects intelligence about Canadian residents. The federal courts took CSIS to task after Justice Richard Mosley realized that warrants issued to CSIS, which enabled CSIS to collaborate with Canada’s foreign signal intelligence agency to monitor Canadians abroad, were also being used to enlist the assistance of other nations’ signals intelligence agencies. In addition to the warrants not being issued with such foreign collaboration in mind there was — and remains — a judicial belief that CSIS’ lawyers deliberately misled the court when requesting the warrants.

The tabled legislation would not alleviate the ruling that CSIS lawyers misled the court. It would, however, authorize CSIS to apply for warrants which authorize the service to monitor Canadians abroad even if doing so would violate the laws of foreign nations. Moreover, CSIS would be empowered to request the assistance of foreign organizations in monitoring the aforementioned Canadians. The Act would also provide the government the power to prevent courts from publicly examining informants as well as to revoke citizenship under certain situations. Finally, the legislation further clarifies (and arguably extends) prohibitions on revealing the identity of CSIS officers. Continue reading

Advancing Encryption for the Masses

CryptographyEdward Snowden’s revelations have made it incredibly obvious that signals intelligence agencies have focused a lot of their time and energy in tracking people as they browse the web. Such tracking is often possible at a global scale because so much of the data that crosses the Internet is unencrypted. Fortunately, the ease of such surveillance is being curtailed by large corporations and advocacy organizations alike.

Today, WhatsApp and Open Whisper Systems announced they have been providing, and will continue to deploy, what’s called ‘end to end’ encryption to WhatsApp users. This form of encryption ensures that the contents of subscribers’ communications are be secured from third-party content monitoring as it transits from a sender’s phone to a recipient’s device.

As a result of these actions, WhatsApp users will enjoy a massive boost in their communications security. And it demonstrates that Facebook, the owner of WhatsApp, is willing to enhance the security of its users even when such actions are likely to provoke and upset surveillance-hawks around the world who are more interested in spying on Facebook and WhatsApp subscribers than in protecting them from surveillance.

A separate, but thematically related, blog post the Electronic Frontier Foundation announced the creation of a new Certificate Authority (CA) initiative called ‘Let’s Encrypt’. Partnering with the Electronic Frontier Foundation are Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan. CAs issue the data files that are used to cryptographically secure communications between clients (like your web browser) and servers (like EFF.org). Such encryption makes it more challenging for another party to monitor what you are sending to, and receiving from, a server you are visiting.

Key to the ‘Let’s Encrypt’ initiative is that the issued certificates will be free and installable using a script. The script is meant to automate the process of requesting, configuring, and installing the certificate. Ideally, this will mean that people with relatively little experience will be able to safely and securely set up SSL-protected websites. Academic studies have shown that even those with experience routinely fail to properly configure SSL-protections.

The aim of both of these initiatives is to increase the ‘friction’, or relative difficulty, in massively monitoring chat and web-based communications. However, it is important to recognize that neither initiative can be considered a perfect solution to surveillance.

In the case of WhatsApp and Open Whisper Systems, end to end encryption does not fix the broader problems of mobile security: if an adversary can take control of a mobile device, or has a way of capturing text that is typed into or that is displayed on the screen when you’re using WhatsApp, then any message sent or received by the device could be susceptible to surveillance. However, there is no evidence that any government agency in the world has monitored, or is currently capable of monitoring, millions or billions of devices simultaneously. There is evidence, however, of government agencies aggressively trying to monitor the servers and Internet infrastructure that applications like WhatsApp use in delivering messages between mobile devices.

Moreover, it’s unclear what Facebook’s or WhatsApp’s reaction would be if a government agency tried to force the delivery of a cryptographically broken or weakened version of WhatsApp to particular subscribers using orders issued by American, European, or Canadian courts. And, even if the companies in question fought back, what would they do if they lost the court case?

Similarly, the ‘Let’s Encrypt’ initiative relies on a mode of securing the Internet that is potentially susceptible to state interference. Governments or parties affiliated with governments have had certificates falsely issued in order to monitor communications between client devices (e.g. smartphones) and servers (e.g. Gmail). Moreover, professional developers have misconfigured commerce backends to the effect of not checking whether the certificate used to encrypt a communication belong to the right organization (i.e. not checking that the certificate used to communicate with Paypal actually belongs to Paypal). There are other issues with SSL, including a poor revocation checking mechanism, historical challenges in configuring it properly, and more. Some of these issues may be defrayed by the ‘Let’s Encrypt’ initiative because of the members’  efforts to work with the Decentralized SSL Observatory, scans.io, and Google’s Certificate Authority logs, but the initiative — and the proposals accompanying it — is not a panacea for all of the world’s online encryption problems. But it will hopefully make it more difficult for global-scale surveillance that is largely predicated on monitoring unencrypted communications between servers and clients.

Edward Snowden was deeply concerned that the documents he brought to light would be treated with indifference and that nothing would change despite the documents’ presence in the public record. While people may be interested in having more secure, and more private, communications following his revelations those interests are not necessarily translated into an ability for people to secure their communications. And the position that people must either embark on elaborate training regimes to communicate securely or just not say sensitive things, or visit sensitive places, online simply will not work: information security needs to work with at least some of the tools that people are using in their daily lives while developing new and secure ones. It doesn’t make sense to just abandon the public to their own devices while the ‘professionals’ use hard-to-use ’secured’ systems amongst themselves.

The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and that other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.

Older posts