“A Song for the Deaf” (and the Blind)

Songs for the Deaf, released on August 27 2002, was the third studio album by Queens of the Stone Age. There is a track on there called “A Song for the Deaf” with a line in the lyrics:

No talk will cure what’s lost, or save what’s left

That line does just fine at summing up my attitude to the long term prospects for the privacy of our data and our privacy rights as individuals. The multiplicity of additional data points that will become available with the mainstream adoption of wearables, AR, and VR squares the circle by adding kinematic fingerprinting and emotion detection to the digital surveillance arsenal.

The concerted effort by “authority” to normalise the invasion of our privacy as citizens of democracies will succeed. It is worth noting at this point that the historic permission to look at our (non-US citizens) data is for the most part secretively mandated or just plain illegal.

In the interim I simply see it as my hobby to be a contrarian and frankly I do not give one iota what that looks like to prospective employers, clients, or colleagues. Too many people look at you sideways these days when you seek to insist that we are throwing away our rights in favour of some US manufactured bogey-man fear figure.

But despite the ever increasing powers granted there are far too many people gainfully employed in law enforcement, the intelligence community, and the cottage industries and corporates that serve them to hope that one day their combined efforts might actually result in an improvement in the threat landscape.

Narrowing the Debate

One of the methods often used to divert attention from the overall issues that present themselves with respect to mass surveillance is to seek to narrow the debate. Some people will say that debating each element in isolation is enough. It is not.

The police-intelcom barrier or rather the lack of a barrier between police organizations and intelligence organizations or the illegal overriding of such barriers is one of the reasons why. Too many blurred lines exist. Mass surveillance data acquired for national security purposes now routinely ends up in the hands of local law enforcement investigating matters unrelated to national security.

The opacity of US laws and SIGINT collection methods is potentially an abuse of the rights of every defendant that comes in front of their Courts. Increasingly, that is just about anybody that they can lay their hands on, from anywhere. The US position on most of these matters is ephemeral. [Max Schrems maintains the main protections provided by the US for data privacy rights of EU citizens have no statutory basis and “could be altered tomorrow”]

To suggest that one can compartmentalise each different element of the mass surveillance equation and debate each piece of legislation on its own merits, to the exclusion of the others, is a fallacy.

They all add up to the same thing in the hands of the governments or organisations that possess the resources, access, and “authority” (normally self granted) to mine the data.

This post was prompted by Chris Gebhardt‍ and the article he penned on Peerlyst‍ titled “The US Government Should Have Access to All Encrypted Devices of US Citizens“.

I commented “I utterly disagree with your thesis on every level. I disagree with you on the basis that I do not accept your segmentation of rights and protections in statute that govern legacy personal freedoms, due process, habeas corpus, et al. and the stratagem that you have employed to roll them up into an argument for weakened privacy (encryption). I believe that your reliance on these legacy instruments makes the flawed assumption that they were correct. In my view, they were not.

Chris was keen to keep the debate focussed on the US. So I asked:

Maybe we can circumvent the specifics of either geography and focus the discussion on a universal question which is capable of also addressing the specifics of your argument. The US does not respect digital borders and engages in frequent – and as policyillegal searches and seizures in a clandestine manner for non natsec matters and “ordinary” criminal matters. Now the US having weathered the outrage storm is legislating vigourously for the normalisation of these abnormalities which were in fact illegal under traditional law also.

The debate between us therefore could be something like – to date have existing laws and the application and oversight of the powers granted by those laws served us well and if so are they also suited for export to the digital domain. If not, then why should those who currently enjoy freedoms in the digital domain subject themselves to laws that they disagreed with in the real world context or were shown to have been widely abused, and more specifically how can a body of agencies who gladly engaged in widespread illegal activities expect people to surrender to their request?

Chris replied:

That is fine but I believe it is a separate post. Perhaps you should start one. I started this one to specifically target the US privacy issue under Constitutional authority. International expectations are a completely different matter.

So here it is.

Image: Screen grab from the QOTSA video “Go With The Flow

ENDS

PODCAST Panel #1: PeerTalk™ Privacy -vs- National Security

 

Since mid December 2017 our panel was preparing for this first in the series of discussions regarding Privacy -vs- National Security hosted by and drawn from Peerlystcommunity members.

The panel was drawn from a range of disciplines and interests but what united all of the participants was that we are people who are passionate about infosec, civil liberties, and the rule of law.

This series is primarily concerned with how we might align the privacy rights of citizens with the imperatives of predicting, preventing, and reacting to internal & external national security threats.

Our objective was to deliver an opening discussion on the subject matter that would compel further debate and interest, but also attempt to compartmentalise the discrete elements, for discussion on future panels , while at the same time demonstrating the scale of the issues involved with practical real world, non-theoretical examples.

Over the preparation period several pieces were authored on the subject of Privacy -vs- National Security. The links to these associated posts are:

  1. PeerTalk™ Privacy -vs- National Security: One Post To Rule Them All
  2. Video Introduction to Podcast #1 of the PeerTalk™ Privacy -v- National Security Podcast Panel Series
  3. PeerTalk™ Privacy -vs- National Security: Preserve Peace Through (Cyber & Intelligence) Strength
  4. PeerTalk™ Privacy -vs- National Security Sources: In Isolation & Where They Intersect
  5. PeerTalk™ Peerlyst Panel: Privacy vs National Security
  6. PeerTalk™ Privacy -vs- National Security: Gülen FETÖ/PDY, Millî İstihbarat Teşkilatı (MİT) & ByLock
  7. PeerTalk™ Privacy -vs- National Security: You (encryption advocates) are “jerks”, “evil geniuses”, and “pervert facilitators”
  8. PeerTalk™ Privacy -vs- National Security: The Rogues Gallery of Encryption Luddites (Updated 01.16.2018)
  9. Also included below were two essays from panel member Geordie B Stewart MSc CISSP
    1. Polluting the Privacy Debate
    2. Ethical Compromises in the Name of National Security

The questions to the panel in preparation for the discussion were these:

  1. Are recent actions by the Turkish intelligence community reasonable with the backdrop of an alleged serious threat to the security of the state?
  2. Could one ever imagine a similar scenario in the West and if so would it ever be justified?
  3. Does the panel think that while broad brush application of these types of tools and methods by law enforcement and the intelligence community does not happen in the West, does it happen on a case by case basis?
  4. If so, is protecting one person from a miscarriage of justice using illegally obtained surveillance data more important than allowing warrantless mass surveillance and trusting that the intelligence community and political / commercial interests will not abuse the knowledge yielded from the data and rather use it for the national interest?
  5. Finally, does the panel have faith in the oversight and governance mechanism looking to protect citizens of Western nations whose data is acquired by programs such as PRISM and queried using tools such as XKeyscore?”

The panellists were:

Graham Joseph Penrose‍ (Moderator), Interim Manager in a range of Startups, Privacy Advocate, Avid Blogger, and Homeless Activist. I began my career in IT 30 years ago in Banking and in the intervening period I have applied technology and in particular secure communications to assist me in various roles but most aggressively as the owner of a Private MilitarySecurity Company operating in High Risk Areas globally. I am apparently a Thought Leader and Authority in the Privacy space according to various independent third party research organisations and I am member of the IBM Systems Innovators Program.

Kim Crawley‍, Cybersecurity Journalist. A respected and valued contributor to Peerlyst and publications including Cylance,AlienVault, Tripwire, and Venafi.

Emily Crose‍, Network Security Researcher with 10 years experience in both offensive and defensive security roles, 7 of those years were spent in the service of the United States Intelligence Community. She is currently the director of the Nemesis projectand works for a cyber security startup in the Washington DC area.

Lewis De Payne‍, Board Member, Vice President & CTO/CISO of medical diagnostics company aiHEALTH, LLC. CTO/CIIO of a social commerce startup and a founding shareholder in Keynetics responsible for the patented online fraud control tools known as Kount. Lewis has had some adversarial contacts with the FBI that are documented in several of Kevin Mitnick’s (and other writers’) books. Lewis electronically wiretapped the FBI and other law enforcement bureaus, and recorded some of their activities (which included having informants perform illegal wiretaps, so they could gain probable cause to obtain search warrants). In his younger days, Lewis took the US government to court several times In one case his proceedings set legalprecedent when the 9th Circuit Court of Appeals heard his Jencks Action and ruled in his favour causing the FBI to have to return all seized property (and computers) to him, and others.

Geordie B Stewart MSc CISSP‍, Director at Risk Intelligence which company provides a range of specialist infosec services to organisations including risk analysis, policy development, security auditing and compliance, education, training, and continuity planning. Geordie writes and speaks frequently on the topics of Privacy, Ethics and National Security. Partly because he thinks they are important topics, but partly to increase his embarrassment when his web history eventually leaks. Geordie also writes the security awareness column for the ISSA Journal and works in senior security leadership roles for large organisations.

Dean Webb‍, Network Security Specialist. Dean has 12 years of experience in IT and IT Security, as well as over two decades as an instructor and journalist with particular focus on national security issues, espionage, and civil rights.

We enjoyed a wide ranging and informative discussion over the course of the 90 minutes and while we were not in a position to cover all of the material it was a very acceptable starting point and a stake in the ground with respect to what the community can expect from this series of panels.

I opened the discussion with the question:

“Where do the panellists believe that the line should be drawn between what are personal privacy rights versus the needs of national security and do the panellists think that in recent years the public in an atmosphere of “fear” has too easily surrendered a range of privacy rights in favour of national security?”

Please enjoy the recording below which we hope you will find compelling enough to share with your community. We are looking forward to your feedback and we would be very pleased to have your comments, suggestions, and questions. (Don’t forget to subscribe to the Peerlyst YouTube channel so as not to miss the next in our series and also recordings of all of the other panels coming out of the PeerTalk™ initiative.)

ENDS

Top Cybersecurity Threats in Sport (2025)

On October 10th, 2017 at a panel discussion about “Cybersecurity of the Olympic Games” at the University Club, California Memorial Stadium – Missy Franklin, (five-time Olympic medalist) said “We constantly get new technology thrown at us. It’s crazy, but that’s where sports are going.”

Extract:Digital technologies pose an increasingly diverse set of threats to Olympic events, and the newer forms of threat are likely to have more serious consequences. While most hacks today focus on sports stadium IT systems and ticket operations, future risks will include hacks that cut to the integrity of the sporting event results, as well as to core stadiums operations.”

The study The Cybersecurity of Olympic Sports: New Opportunities, New Risks identifies eight key areas of risk for future sporting events:

  1. Stadium system hacks
  2. Scoring system hacks
  3. Photo and video replay hacks
  4. Athlete care hacks
  5. Entry manipulation
  6. Transportation hacks
  7. Hacks to facilitate terrorism or kidnapping
  8. Panic-inducing hacks

Key Olympic sports technology trends that represent several vectors of additional risk:

  1. Gymnastics
    1. Artificial intelligence in scoring
    2. Possible Surprises: Embedded tracking in gymnastics equipment
  2. Swimming
    1. Automated start/finish technology
    2. Possible Surprises: Biometrics in swimsuits
  3. Rowing
    1. Drones above race
    2. GPS tracking of boats
    3. Possible Surprises: Virtual reality real-time viewing
  4. Track & Field
    1. Automatic field event measurement
    2. Possible Surprises: 3D images for track finishes

Selected known cybersecurity incidents from the last three summer Olympic Games include:

BEIJING:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure

LONDON OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. False alarm threat to the electrical grid

RIO OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. Athlete data hack

END

Profile of “genius” Parscale, who “won” for Trump & the Facebook political influence juggernaut

Parscale — and every political consultant in a similar situation — is doing this interview to build his business. The introduction of sophisticated digital tools to the process of electing candidates has resulted in a bumper crop of people claiming that they have mastered this inscrutable system and that you should hire them.

Fleshed out, Parscale is the man behind the Trump campaign’s digital media efforts in 2016. He was hired to create a website for $1,500 (as he explained in that “60 Minutes” interview) and then his role expanded until he was managing tens of millions of dollars intended to promote the presidential candidate online.

The point of the interview was, in part, to serve as a profile of Parscale but, more broadly, to explain the primary way in which those millions were spent. Per Parscale’s accounting, that was largely on Facebook advertising. Trump’s team advertised on other platforms, too, but “Facebook was the 500-pound gorilla, 80 percent of the budget kind of thing,” Parscale said.

If you do a search for Brad Parscale’s appearance on “60 Minutes,” the first thing that pops up above the results as of Monday morning is an ad for Brad Parscale. And that, in a nutshell, is Brad Parscale.

Right after the campaign, it was the firm Cambridge Analytica that was making this case, arguing that its black-box analysis of the psychology of American voters allowed Trump to target specific sorts of people with ads that dug deep into their brains to trigger a response. The company (owned in part by the family of Robert Mercer, which was in other ways essential to Trump’s success) wanted to convince future candidates that they could work their magic to get them elected, too.

To “60 Minutes,” Parscale dismissed that claim — in part because he was in the midst of claiming that he was the one with the magic touch. He didn’t think Cambridge Analytica’s system of creating “psychographic” profiles of people was sinister, he said — he just didn’t think it worked.

Which is a simply bizarre claim in the broader context. It isn’t that Parscale doesn’t think that building profiles of people to target ads to them doesn’t work. It’s that Parscale doesn’t seem to realize that this is basically what Facebook was doing for him, in real-time.

By its very nature, Facebook does a more complete and more robust version of what Cambridge Analytica claims to accomplish. In 2014, we explained how Facebook’s political tools work, how it combines data about what you’ve clicked with outside consumer data to get as complete a picture of who you are and what you like as anything that exists. But then it overlays the ability to advertise specific things to specific people — and to test and refine and improve on those ads.

This is what Parscale was describing to “60 Minutes” — not his genius, but Facebook’s. He shows the nifty tricks that you can do with Facebook, A/B testing (as the process is known) different versions of ads with different photos and ads that allow the most effective to quickly rise to the surface. He clearly used all of those secret buttons, clicks and technology that he sought, leveraging Facebook’s deep sense of its individual users and tools to target them. Stepping back, Parscale comes off like the guy who hires LeBron James to play on his team in a 3-on-3 basketball tournament and then brags about his capable coaching. He’s an ad buyer, who lets the platform — say, on Google, when you search for his name — do the work.

The takeaway from the “60 Minutes” interview is simple. Facebook is a juggernaut that’s probably more influential in politics than it realizes itself. (See this New York magazine article to that end.)

Parscale says that his wife likes to say that “[he] was thrown into the Super Bowl, never played a game and won.” Right. It’s just that, in that example, he’s neither Tom Brady nor Bill Belichick. At best, he’s the guy who decided to hire them.

Full story ‘60 Minutes’ profiles the genius who won Trump’s campaign: Facebook https://www.washingtonpost.com/news/politics/wp/2017/10/09/60-minutes-profiles-the-genius-who-won-trumps-campaign-facebook/?utm_term=.5c686f2463e8

Focus on Kaspersky hides facts of another NSA contractor theft

The Wall Street Journal based their story on the fact that another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersky Labs anti-virus installed on his home computer.

This is either an example of the Russians subverting a perfectly reasonable security feature in Kaspersky’s products, or Kaspersky adding a plausible feature at the request of Russian intelligence. In the latter case, it’s a nicely deniable Russian information operation. In either case, it’s an impressive Russian information operation.

This is a huge deal, both for the NSA and Kaspersky. The Wall Street Journal article contains no evidence, only unnamed sources. But I am having trouble seeing how the already embattled Kaspersky Labs survives this.

What’s getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA’s inability to keep anything secret anymore?

And it seems that Israeli intelligence penetrated the Kaspersky network and noticed the operation.

Full story on CRYPTO-GRAM October 15, 2017 by Bruce Schneier CTO, IBM Resilient schneier@schneier.com https://www.schneier.com

END

Art For Action – Call for Pledges of Donations of Photography and Prints

Hello Everyone,

In preparation for our launch this December (31st) Art for Action (Twitter: @Art4Homeless) are calling for pledges of donations from artists and photographers.

It has been a pretty hectic process getting everything set up to support the charity and to ensure that we comply with the various regulations and to guarantee transparency for everyone involved.

Worthy of note before we say anything else is that all of the proceeds from the sale of donated art and photography will go to homeless charities in Ireland and the United Kingdom.

There will be no fees, no administration charges, no hidden this, that, and the other levied by Art for Action. All staff provide their services on a voluntary basis. Our founder is providing for the cost of all setup and ongoing costs. Some third party costs will be incurred in terms of payment processing fees and auction site fees and these will be paid from the purchase price of each piece – as is the norm – but that is it.

When the website launches there will be an entire section devoted to how Art for Action conducts its affairs and the accounts of the charity will be available for inspection by any member of the public – on request – without cost.

Call for Pledges of Donations – Artists, Photographers, Photojournalists

There are three ways to pledge:

1. Donate a digital version of your print to Art For Action and explicitly consent in writing that Art for Action have been granted the right to promote and resell the print and also specify the number of prints Art for Action can sell of this print, or specify unlimited;

2. Donate a printed version which the artist or photographer or photojournalist sends to our offices for resale;

3. Donate a printed, mounted, and framed version which is sent to our offices for resale;

All of the above choices are at the complete the discretion of the person donating their work. In each case the following information is also required:

  1. Title of the piece and description;
  2. A sample watermarked digital version of the piece (if applicable);
  3. A suggested guide price;
  4. Please email all details of donations (1-3 above) to Art4Action@intelography.com.

We are very grateful for your assistance and we look forward to publishing success stories throughout the coming years while improving the plight of the many people suffering from the effects of homelessness.

Thank you.

Mining for Tickets – Touts & Ticket Stealing Bots

My Face Value is preparing for launch on 31st December 2017. To keep up to date with the latest news follow us on Facebook and Twitter

Automated ticket mining bots can get around security measures designed to limit ticket purchases. These bots can hoover up hundreds of tickets within seconds of their release. The tickets then almost immediately appear at vastly inflated prices on resale websites.

In early 2017 Viagogo a secondary ticketing website was accused of “moral repugnance” for reselling tickets to an Ed Sheeran cancer charity gig for up to £5,000. An £85 seat to see Adele at the London O2 in 2016 was reportedly being sold online for £24,840.

The use of bots will soon become a criminal offence as part of a crackdown on resale websites. Touts who use bots to mine for concert tickets before selling them for massive profits – and blocking fans from seeing their favourite artists – will also face unlimited fines.

Ticketing firms must introduce tougher anti-bot measures and stronger enforcement of consumer rights laws. Presently, too much lip service is paid to the problem without any real steps being taken to combat it. 

Sources

  • Sky News
  • Sky Sports News

ENDS