Category Archives: Anonymity

“A Song for the Deaf” (and the Blind)

Songs for the Deaf, released on August 27 2002, was the third studio album by Queens of the Stone Age. There is a track on there called “A Song for the Deaf” with a line in the lyrics:

No talk will cure what’s lost, or save what’s left

That line does just fine at summing up my attitude to the long term prospects for the privacy of our data and our privacy rights as individuals. The multiplicity of additional data points that will become available with the mainstream adoption of wearables, AR, and VR squares the circle by adding kinematic fingerprinting and emotion detection to the digital surveillance arsenal.

The concerted effort by “authority” to normalise the invasion of our privacy as citizens of democracies will succeed. It is worth noting at this point that the historic permission to look at our (non-US citizens) data is for the most part secretively mandated or just plain illegal.

In the interim I simply see it as my hobby to be a contrarian and frankly I do not give one iota what that looks like to prospective employers, clients, or colleagues. Too many people look at you sideways these days when you seek to insist that we are throwing away our rights in favour of some US manufactured bogey-man fear figure.

But despite the ever increasing powers granted there are far too many people gainfully employed in law enforcement, the intelligence community, and the cottage industries and corporates that serve them to hope that one day their combined efforts might actually result in an improvement in the threat landscape.

Narrowing the Debate

One of the methods often used to divert attention from the overall issues that present themselves with respect to mass surveillance is to seek to narrow the debate. Some people will say that debating each element in isolation is enough. It is not.

The police-intelcom barrier or rather the lack of a barrier between police organizations and intelligence organizations or the illegal overriding of such barriers is one of the reasons why. Too many blurred lines exist. Mass surveillance data acquired for national security purposes now routinely ends up in the hands of local law enforcement investigating matters unrelated to national security.

The opacity of US laws and SIGINT collection methods is potentially an abuse of the rights of every defendant that comes in front of their Courts. Increasingly, that is just about anybody that they can lay their hands on, from anywhere. The US position on most of these matters is ephemeral. [Max Schrems maintains the main protections provided by the US for data privacy rights of EU citizens have no statutory basis and “could be altered tomorrow”]

To suggest that one can compartmentalise each different element of the mass surveillance equation and debate each piece of legislation on its own merits, to the exclusion of the others, is a fallacy.

They all add up to the same thing in the hands of the governments or organisations that possess the resources, access, and “authority” (normally self granted) to mine the data.

This post was prompted by Chris Gebhardt and the article he penned on Peerlyst titled “The US Government Should Have Access to All Encrypted Devices of US Citizens”.

I commented “I utterly disagree with your thesis on every level. I disagree with you on the basis that I do not accept your segmentation of rights and protections in statute that govern legacy personal freedoms, due process, habeas corpus, et al. and the stratagem that you have employed to roll them up into an argument for weakened privacy (encryption). I believe that your reliance on these legacy instruments makes the flawed assumption that they were correct. In my view, they were not.”

Chris was keen to keep the debate focussed on the US. So I asked:

Maybe we can circumvent the specifics of either geography and focus the discussion on a universal question which is capable of also addressing the specifics of your argument. The US does not respect digital borders and engages in frequent – and as policy illegal searches and seizures in a clandestine manner for non natsec matters and “ordinary” criminal matters. Now the US having weathered the outrage storm is legislating vigorously for the normalisation of these abnormalities which were in fact illegal under traditional law also.

The debate between us therefore could be something like – to date have existing laws and the application and oversight of the powers granted by those laws served us well and if so are they also suited for export to the digital domain. If not, then why should those who currently enjoy freedoms in the digital domain subject themselves to laws that they disagreed with in the real world context or were shown to have been widely abused, and more specifically how can a body of agencies who gladly engaged in widespread illegal activities expect people to surrender to their request?

Chris replied:

That is fine but I believe it is a separate post. Perhaps you should start one. I started this one to specifically target the US privacy issue under Constitutional authority. International expectations are a completely different matter.

So here it is.

Image: Screen grab from the QOTSA video “Go With The Flow”

ENDS

PODCAST Panel #1: PeerTalk™ Privacy -vs- National Security

 

Since mid December 2017 our panel had been preparing for this first in the series of discussions regarding Privacy -vs- National Security hosted by and drawn from Peerlyst community members.

The panel was drawn from a range of disciplines and interests but what united all of the participants was that we are people who are passionate about infosec, civil liberties, and the rule of law.

This series is primarily concerned with how we might align the privacy rights of citizens with the imperatives of predicting, preventing, and reacting to internal & external national security threats.

Our objective was to deliver an opening discussion on the subject matter that would compel further debate and interest, but also attempt to compartmentalise the discrete elements, for discussion on future panels, while at the same time demonstrating the scale of the issues involved with practical real world, non-theoretical examples.

Over the preparation period several pieces were authored on the subject of Privacy -vs- National Security. The links to these associated posts are:

  1. PeerTalk™ Privacy -vs- National Security: One Post To Rule Them All
  2. Video Introduction to Podcast #1 of the PeerTalk™ Privacy -v- National Security Podcast Panel Series
  3. PeerTalk™ Privacy -vs- National Security: Preserve Peace Through (Cyber & Intelligence) Strength
  4. PeerTalk™ Privacy -vs- National Security Sources: In Isolation & Where They Intersect
  5. PeerTalk™ Peerlyst Panel: Privacy vs National Security
  6. PeerTalk™ Privacy -vs- National Security: Gülen FETÖ/PDY, Millî İstihbarat Teşkilatı (MİT) & ByLock
  7. PeerTalk™ Privacy -vs- National Security: You (encryption advocates) are “jerks”, “evil geniuses”, and “pervert facilitators”
  8. PeerTalk™ Privacy -vs- National Security: The Rogues Gallery of Encryption Luddites (Updated 01.16.2018)
  9. Also included below were two essays from panel member Geordie B Stewart MSc CISSP
    1. Polluting the Privacy Debate
    2. Ethical Compromises in the Name of National Security

The questions to the panel in preparation for the discussion were these:

  1. Are recent actions by the Turkish intelligence community reasonable with the backdrop of an alleged serious threat to the security of the state?
  2. Could one ever imagine a similar scenario in the West and if so would it ever be justified?
  3. Does the panel think that while broad brush application of these types of tools and methods by law enforcement and the intelligence community does not happen in the West, does it happen on a case by case basis?
  4. If so, is protecting one person from a miscarriage of justice using illegally obtained surveillance data more important than allowing warrantless mass surveillance and trusting that the intelligence community and political / commercial interests will not abuse the knowledge yielded from the data and rather use it for the national interest?
  5. Finally, does the panel have faith in the oversight and governance mechanism looking to protect citizens of Western nations whose data is acquired by programs such as PRISM and queried using tools such as XKeyscore?

The panellists were:

Graham Joseph Penrose (Moderator), Interim Manager in a range of Startups, Privacy Advocate, Avid Blogger, and Homeless Activist. I began my career in IT 30 years ago in Banking and in the intervening period I have applied technology and in particular secure communications to assist me in various roles but most aggressively as the owner of a Private Military Security Company operating in High Risk Areas globally. I am apparently a Thought Leader and Authority in the Privacy space according to various independent third party research organisations and I am a member of the IBM Systems Innovators Program.

Kim Crawley, Cybersecurity Journalist. A respected and valued contributor to Peerlyst and publications including Cylance, AlienVault, Tripwire, and Venafi.

Emily Crose, Network Security Researcher with 10 years experience in both offensive and defensive security roles, 7 of those years were spent in the service of the United States Intelligence Community. She is currently the director of the Nemesis project and works for a cyber security startup in the Washington DC area.

Lewis De Payne, Board Member, Vice President & CTO/CISO of medical diagnostics company aiHEALTH, LLC. CTO/CIIO of a social commerce startup and a founding shareholder in Keynetics responsible for the patented online fraud control tools known as Kount. Lewis has had some adversarial contacts with the FBI that are documented in several of Kevin Mitnick’s (and other writers’) books. Lewis electronically wiretapped the FBI and other law enforcement bureaus, and recorded some of their activities (which included having informants perform illegal wiretaps, so they could gain probable cause to obtain search warrants). In his younger days, Lewis took the US government to court several times. In one case his proceedings set legal precedent when the 9th Circuit Court of Appeals heard his Jencks Action and ruled in his favour causing the FBI to have to return all seized property (and computers) to him, and others.

Geordie B Stewart MSc CISSP, Director at Risk Intelligence, a company that provides a range of specialist infosec services to organisations including risk analysis, policy development, security auditing and compliance, education, training, and continuity planning. Geordie writes and speaks frequently on the topics of Privacy, Ethics and National Security. Partly because he thinks they are important topics, but partly to increase his embarrassment when his web history eventually leaks. Geordie also writes the security awareness column for the ISSA Journal and works in senior security leadership roles for large organisations.

Dean Webb, Network Security Specialist. Dean has 12 years of experience in IT and IT Security, as well as over two decades as an instructor and journalist with particular focus on national security issues, espionage, and civil rights.

We enjoyed a wide ranging and informative discussion over the course of the 90 minutes and while we were not in a position to cover all of the material it was a very acceptable starting point and a stake in the ground with respect to what the community can expect from this series of panels.

I opened the discussion with the question:

“Where do the panellists believe that the line should be drawn between what are personal privacy rights versus the needs of national security and do the panellists think that in recent years the public in an atmosphere of “fear” has too easily surrendered a range of privacy rights in favour of national security?”

Please enjoy the recording below which we hope you will find compelling enough to share with your community. We are looking forward to your feedback and we would be very pleased to have your comments, suggestions, and questions. (Don’t forget to subscribe to the Peerlyst YouTube channel so as not to miss the next in our series and also recordings of all of the other panels coming out of the PeerTalk™ initiative.)

ENDS

Lyrics for a Surveillance Society – The Hacking Suite for Governmental Interception

Lyrics by Hacking Team. Music by Azerbaijan, Bahrain, Egypt, Ethiopia, Kazakhstan, Morocco, Nigeria, Oman, Saudi Arabia, Sudan, and several United States agencies including the DEA, FBI and Department of Defense.

Criminals and terrorists rely on mobile phones, tablets, lap tops and computers equipped with universal end-to-end encryption to hide their activity. Their secret communications and encrypted files can be critical to investigating, preventing and prosecuting crime. Hacking Team provides law enforcement an effective, easy-to-use solution. Law enforcement and intelligence communities worldwide rely on Hacking Team in their mission to keep citizens safe. The job has never been more challenging or more important.

You have new challenges today

Sensitive data is transmitted over encrypted channels

Often the information you want is not transmitted at all

Your target may be outside your monitoring domain

Is passive monitoring enough?

You need more ….

You want to look through your target’s eyes

You have to hack your target

While your target is …. Browsing the web, Exchanging documents, Receiving SMS, Crossing the borders

You have to hit many different platforms – Windows, OS X, Linux, Android, iOS, Blackberry, Windows Phone, Symbian

You have to overcome encryption and capture relevant data – Skype & Voice Calls, Social Media, Target Location, Messaging, Relationship, Audio & Video

Being stealth and untraceable

Immune to protection systems

Hidden collection infrastructure

Deployed all over your country

Up to hundreds of thousands of targets

All managed from a single place

Exactly what we do

Remote Control System – Galileo – The Hacking Suite for Governmental Interception

Hacking Team – Rely On Us

ENDS

Does anyone have experience of “KAYMERA MOBILE THREAT DEFENSE SUITE”

We are looking at this platform in parallel with the SaltDNA app which I previously posted about.

Kaymera has a pre-installed secured Android OS with integrated high-end security components to detect, prevent and protect against all mobile security threats without compromising on functionality or usability. A contextual, risk-based app uses a range of indicators to identify a risk in real-time and apply the right security measure so mitigation is performed only when needed and appropriate. Their Cyber Command Centre framework manages and enforces organization-specific permissions, security protocols and device policies. Monitors risk level, threat activities and security posture per device and deploys countermeasures.

Any thoughts welcome.

ENDS.

The USA, Narcissistic Rage, A Sense of Entitlement & Holding Our Rights Hostage

The US is taking a giant shit on all of us, and our rights. And we are letting them. This is a nation that is currently led by extremists who inherited the job from a crazily compromised administration.

I previously wrote in All The Presidents’ Messes:

“In my lifetime the American people have elected Nixon (Vietnam, Laos, Cambodia), Ford (by accident), Carter (Iranian Revolution & Iran Hostage debacle), Reagan (Funded the Taliban / Iran-Contra Affair / Nicaragua / El Salvador / Guatemala), Bush the First (Gulf War I), Clinton (Somalia, Rwanda, Haiti / Israel-Palestine / Ethnic Wars in Europe – Croats, Serbs and Bosnian Muslims / Kosovo & Albania), Bush the Second (Iraq / Afghanistan), Obama (IRANDEAL, global appeasement, the relatively unopposed rise of ISIS, and the disintegration of Syria and Libya and Egypt as a result of US Foreign Policy failures) and now Trump.”

All US policy decisions and their side-effects, one way or the other, cascade down into our European democracies. In the current climate that should worry you.

Privacy Is An Absolute Right

I am interested in Privacy. The abuse of Privacy (1) has far more fundamental negative effects than might seem to be the case at first glance.

I am an advocate for the right of every citizen to a private life, the preservation of civil liberties, and the defence of other hard won rights. Technology or rather its unfettered deployment is the single biggest threat to our personal freedoms and by extension to the proper administration of justice.

And so I write about it. Sometimes the writing is a bit technical but most of the time it’s referencing the technical results of other peoples work to support my arguments (which I always acknowledge – most important that is)

Orwell 4.0

Technology-facilitated developments have created new tools for the State, Law Enforcement, and Intelligence Agencies to monitor not just persons of interest but everyone (2). Software industry greed and software developer naivety are also driving an assault on our personal privacy and security (3).

These phenomena have already resulted in wholesale abuses (4) of habeas corpus, an alteration of the perception of what constitutes a fair trial, have worn down the right to silence of a suspect, made the avoidance of self-incrimination almost impossible, made illegal searches and seizures (5) acceptable, and encroached on the ability of defendants to construct a proper defence.

Recently, Graham Cluley (@gcluley) posted a clarification of a definition on Twitter: “It’s always bugged me how people say “Innocent until proven guilty”. It’s “Innocent *unless* proven guilty” folks.” – that is worth thinking about in an age of trial by media and JTC-as-a-Service (JTC – Jumping to Conclusions a.k.a Fake News).

In parallel with this there is an increasing trend of “ordinary” crimes being tried in “extra-ordinary” courts, tribunals, or military courts. The checks and balances that used to notionally counter the power of the state and where the actions of government could be publicly scrutinized have almost ceased to effectively exist.

Surveillance politics, the rise of extremists on the left and the right, religious fanaticism, the re-emergence of censorship and even actual talk of “blasphemy laws” in the parliaments of Western democracies leave one bewildered. How will we fare when even newer technologies such as VRSN, and AI with even greater capacity to embed themselves in our lives begin to mature from the novel stage into the deployment stage?

What will be the effect of kinematic fingerprinting, emotion detection (6), psychographic profiling (7), and thought extraction (8) on the right to privacy and basic freedoms? These are questions and concerns that get lost in the rush to innovate. Software companies and developers have a responsibility but they do not exercise it very often.

What are the ethics? What are the acceptable limits? What are the unforeseen by-products?

The US Has Claimed “Absolute Privilege”

The US is the bully on the block and its “bitch” friends the UK (9), Canada, New Zealand (10), & Australia (11) just follow its lead or actively facilitate it.

The opacity of US laws (12) and SIGINT collection methods is an abuse of the rights of every defendant that comes in front of their Courts. Increasingly, that is just about anybody that they can lay their hands on, from anywhere (13).

The election of Trump just solidified my view that the world has turned upside down and it seems that taking action to reverse the trend of the normalisation of the abnormal (14) is a Sisyphean task and just seems to encourage the buggers (15).

The US position on most of these matters is ephemeral – not just on data protection (16) – and US national interest, national security, or just plain duplicity (17) governs their agenda.

There is so much abuse of power by the US that it is impossible to keep tabs. These things used to matter (18). These things used to enrage us (19). The US has led a race to the bottom on so many fronts that the rest of the world seems to be suffering from bad news fatigue (20) and has zoned out (21).

It is individuals and NGOs now that are the gatekeepers of our rights and the ones that hold governments to account and increasingly they are being marginalized.

References

(1) Anonymous Chronic; 21st Nov 2016; NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity; AirGap Anonymity Collective

(2) Anonymous Chronic; 21st Nov 2016; Mass Surveillance & The Oxford Comma Analogy; AirGap Anonymity Collective

(3) Anonymous Chronic; 21st Nov 2016; Software Industry Greed is Driving the Assault on our Privacy & Security; AirGap Anonymity Collective

(4) Kim Zetter; 26th Oct 2017; The Most Controversial Hacking Cases of the Past Decade; Wired

(5) Andy Greenberg; 10th Oct 2014; Judge Rejects Defense That FBI Illegally Hacked Silk Road – On A Technicality; Wired

(6) Anonymous Chronic; 3rd Jan 2017; Orwell 4.0: The Stealth Advance of Kinematic Fingerprinting & Emotion Detection for Mass Manipulation; AirGap Anonymity Collective

(7) Anonymous Chronic; 4th Feb 2017; Is Kosinski “Tesla” to Nix’s “Marconi” for Big Data Psychographic Profiling?; AirGap Anonymity Collective

(8) Ian Johnston; 18th Apr 2017; Device that can literally read your mind invented by scientists; Independent

(9) Anonymous Chronic; 30th Nov 2016; My Privacy Lobotomy or How I Learned to Stop Worrying & Love the IP Act; AirGap Anonymity Collective

(10) Anonymous Chronic; 3rd Nov 2016; Overwatch – The Five Eyes Espionage Alliance; AirGap Anonymity Collective

(11) Anonymous Chronic; 21st Nov 2016; Australia Is A Proxy War for the Five Eyes & Also Hogwarts; AirGap Anonymity Collective

(12) American Civil Liberties Union & Human Rights Watch; 21st Nov 2016; Joint letter to European Commission on EU-US Privacy Shield; Human Rights Watch

(13) Tom O’Connor; 6th Jul 2017; Russia Accuses US of Hunting and Kidnapping Its Citizens After Latest Arrests; Newsweek

(14) Anonymous Chronic; 29th Jan 2017; Take Action To Reverse The Present Trend Of The Normalisation of the Abnormal; AirGap Anonymity Collective

(15) Anonymous Chronic; 2nd Dec 2016; Silencing the Canary & The Key Powers & Reach of The IPA; AirGap Anonymity Collective

(16) Mary Carolan; 10th Mar 2017; Max Schrems claims US data privacy protections ‘ephemeral’; The Irish Times

(17) Shelley Moore Capito – United States Senator for West Virginia; 2nd Jul 2017; Stop Enabling Sex Traffickers Act of 2017; https://www.capito.senate.gov/

(18) Adam Taylor; 23rd Apr 2015; The U.S. keeps killing Americans in drone strikes, mostly by accident; The Washington Post

(19) HRW; 9th Dec 2014; USA and Torture: A History of Hypocrisy; Human Rights Watch

(20) Shannon Sexton; 30th Aug 2016; Five Ways to Avoid ‘Bad-News Fatigue’ and Stay Compassionately Engaged; Kripalu Center for Yoga & Health

(21) Susanne Babbel Ph.D.; 4th Jul 2012; Compassion Fatigue; Psychology Today

Cynic Modelling for Legacy Energy Infrastructure

A brief synopsis of my findings in “Legacy Energy Infrastructure Attack Surface Assessment, Threat Count, & Risk Profile” using my “cynic modeller”:

  1. Adversaries who are attracted to the contained assets: Everyone (hobbyists, criminals, state actors, your gran)
  2. Attack surface: As far as the eye can see
  3. Attackers who are capable of acquiring the assets starting from the attack surface: Lots
  4. Therefore the attacker population size is: Computer literate population of earth
  5. Threat count: NP-complete
  6. Emerging threats: IIoT and non-cybersec savvy devops rushing into digital transformation projects
  7. Risk level: Orbital
  8. Impact of realized threat: Expansive (yes, expansive not expensive, but that too)

Assessment: Buy gas lamps, work on your natural night vision, learn to skin rabbits, move far far away from nuclear reactors, buy shares in candle companies.

ENDS

In Chamberlain-esque Pose EU Declares “Privacy in our Time”

The notional purpose of the EU-US Privacy Shield is to establish a framework that allows personal data for commercial purposes to be transferred between the European Union and the United States.

Personal data that is received by US companies operating in Europe is ostensibly governed by EU privacy laws. Pick any notable US organization and they have an office in Europe, typically serving the EMEA region.

But for the purposes of this rant suffice to say that we need only consider Google, Apple, Microsoft, Twitter, and Facebook (a.k.a “Farcebook”).

Do not buy into the high profile privacy battles that these organizations now raise high as examples of their commitment to their customers’ privacy. These are PR tactics.

All of these organizations were more than happy to be secretly willing accomplices to US intelligence agency antics and law-breaking before their activities were exposed and they suffered a backlash. They have been vigorously back-pedalling and papering over the cracks ever since. It is all meaningless posturing.

They are inherently compromised, every day, and in every way.

The EU-US Privacy Shield replaces what was called the International Safe Harbor Privacy Principles (ISHPP). Lofty names for a veneer that actually contains no verifiable substance or oversight when you examine the vast amount of exceptions and undermining laws that in fact render them all moot.

In late 2015, the ISHPP was declared invalid in its entirety by the EU at a hearing in the European Court of Justice.

But like a smarmy salesperson, the US simply flicked the pages on the sales brochure asking “well, what about this?” – “no?” – “this?” – “no?” – “this?” – until some browbeaten Brussels technocrat bought the bullshit and agreed a new name for the same abuses.

In the usual garbled and meaningless language of the European Commission it was declared on 2nd February 2016 that the EU and the US had found new common ground on the privacy issue and an “Adequacy Decision” was published. (What exactly is an “Adequacy Decision” when it is at home eating chips and eavesdropping on its neighbours?)

In a Chamberlain-esque pose the EU held up this new agreement and declared that it was “…. equivalent to the protections offered by EU law.”

It is not.

ENDS

For more scholarly and considered thinking, read Joint letter to European Commission on EU-US Privacy Shield (July 26, 2017) from Human Rights Watch and Amnesty International to the European Commission to urge a re-evaluation of its Implementing Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield on the basis that the United States of America (United States) does not ensure a level of fundamental rights protection regarding the processing of personal data that is essentially equivalent to that guaranteed within the European Union (EU).