Turkey Rubber Stamp

Turkey passed legislation to allow the government to censor access to websites within four hours of receiving an allegation of privacy violations. WSJ article (behind paywall); CNET article.

The law also requires web hosts to store all traffic information for two years. While the putative purpose of the legislation is privacy protection, it is widely assumed that this is an attempt to grab more control of the Internet, which has been repeatedly blasted by the Turkish government for reporting on government corruption and graft.

As usual with these attempts at censorship, interested citizens can generally get around them. VPNs like Anonymizer Universal allow anyone to punch a hole through the national censorship firewalls to access any content.

I would be very interested to hear about efforts to block tools like Anonymizer in countries enforcing Internet censorship, like Turkey and the UK. Blocking of circumvention tools is already well documented in both China and Iran, and has been seen sporadically in many other countries.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook and Google+.

NSA’s TAO — Dark Reading

The Internet has been buzzing with reports of the recently leaked NSA exploits, backdoors, and hacking / surveillance tools. The linked article is a good example.

None of this should be news to anyone paying attention. Many similar hacking tools are available from vendors at conferences like BlackHat and DefCon.

We all know that zero-day exploits exist, and things like Stuxnet clearly show that governments collect them.

Intentionally introducing compromised crypto into the commercial stream has a long history, perhaps best demonstrated by the continued sales of Enigma machines to national governments long after they had been cracked by the US and others.

This reminds me of a quote I posted back in March. Brian Snow, former NSA Information Assurance Director said “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

One can focus on making this difficult, but none of us should be under the illusion that we can make it impossible. If you have something that absolutely must be protected, and upon which your life or liberty depends, then you need to be taking drastic steps, including total air gaps.

For the rest of your activities, you can use email encryption, disk encryption, VPNs, and other tools to make it as difficult as possible for any adversary to easily vacuum up your information.

If you are of special interest, you may be individually targeted, in which case you should expect your opponent to succeed. Otherwise, someone hacking your computer, or planting a radio enabled USB dongle on your computer is the least of your worries. Your cell phone and social media activities are already hemorrhaging information.

The South China Morning Post reports that the ban on Facebook, Twitter, the New York Times, and many other sites, will be lifted, but only in the Shanghai free-trade zone.

The information came from anonymous government sources within China. The purpose is to make the zone more attractive to foreign companies and workers who expect open Internet access. The sources say that the more open access may be expanded into the surrounding territory if the experiment is successful.

It will be interesting to see if this actually comes to pass.

Two questions occur to me. First, will the free-trade zone be considered to be outside the firewall, and hard to access from within the rest of China? Second, is this as much about surveillance of activity on those websites as it is about providing free access?

Another from the “if the data exists, it will get compromised” file.

This article from the Washington Post talks about an interesting case of counter surveillance hacking.

In 2010, Google disclosed that Chinese hackers breached Google’s servers. What only recently came to light was that one of the things compromised was a database containing information about government requests for email records.

Former government officials speculate that they may have been looking for indications of which of their agents had been discovered. If there were records of US government requests for information on any of their agents, it would be evidence that those agents had been exposed. This would allow the Chinese to shut down operations to prevent further exposure and to get those agents out of the country before they could be picked up.

I had not thought about subpoenas and national security letters being a counter intelligence treasure trove, but it makes perfect sense.

Because Google / Gmail are so widely used, they present a huge and valuable target for attackers. Good information on almost any target is likely to live within their databases.

Wired reports on a move by the Japanese government to ask websites to block users who “abuse” TOR.

I assume that TOR is being used as an example, and it would apply to any secure privacy tool.

The interesting question is whether this is simply a foot in the door on the way to banning anonymity, or at least making its use evidence of evil intent.

Currently, public privacy services make little effort to hide themselves. Traffic from them is easily detected as being from an anonymity system. If blocking becomes common, many systems may start implementing more effective stealth systems, which would make filtering anonymity for security reasons even harder.

The Register has an article on Firefox black listing an SSL Certificate authority.

Certificates and certificate authorities are the underpinnings of our secure web infrastructure.

When you see the lock on your browser, it means that the session is encrypted and the site has presented a valid site certificate (so it is who it claims to be).

That site certificate is signed by one of many certificate authorities.

I see 86 certificate issuing authorities in my Firefox now.

Many of those certificate authorities have multiple signing certificates.

Additionally the certificate authorities can delegate to subordinate certificate authorities to sign site certificates.

Any certificate signed by any of these authorities or subordinate authorities is recognized as valid.

These entities are located all over the world, many under the control of oppressive governments (however you define that).

Certificate authorities can create certificates to enable man in the middle attacks, by signing keys purporting to be for a given website, but actually created and held by some other entity.

There are plugins like certificate patrol for Firefox that will tell you when a site you have visited before changes certificates or certificate authorities. Unfortunately this happens fairly frequently for legitimate reasons, such as when renewing certificates every year or few years.

Some certificate authorities are known or suspected to be working with various law enforcement entities to create false certificates for surveillance.

Here is how it works:

1) The government has a certificate authority create a new certificate for a website.

2) The government then intercepts all sessions to that site with a server (at national level routers, for example).

3) The server uses the real site certificate to communicate with the real website securely.

4) The server uses the new fake certificate to communicate with the user securely.

5) The server then has access to everything in the clear as it shuttles data between the two secure connections.

6) It can read and/or modify anything in the data stream.
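Because the fake certificate chains to a trusted authority, the browser's own validation passes at every step above; the only signal left to the client is that the certificate it now sees differs from the one it saw last time. The following is an added example, not code from the original post or from the Certificate Patrol plugin, of the trust-on-first-use check such a plugin performs: it pins the SHA-256 fingerprint and issuer of the last certificate seen per host and separates the common false positive (same issuer, old certificate near expiry, i.e. a renewal) from the case described above (a different issuer, or a replacement long before expiry). The certificates, the hostname, the CA names, and the 30-day renewal window are all constructed assumptions; the `der` bytes are placeholders standing in for a real DER-encoded certificate.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CertInfo:
    """The fields a client can read off a presented certificate."""
    host: str
    issuer: str          # issuing CA's distinguished name
    not_before: datetime
    not_after: datetime
    der: bytes           # constructed stand-in for the DER-encoded certificate

    def fingerprint(self) -> str:
        # Pins are normally taken over the SHA-256 hash of the DER encoding.
        return hashlib.sha256(self.der).hexdigest()


class PinStore:
    """Remembers the last certificate seen per host (trust on first use)."""

    # Assumption: a same-issuer swap within 30 days of expiry is a renewal.
    RENEWAL_WINDOW = timedelta(days=30)

    def __init__(self) -> None:
        self._pins: dict[str, CertInfo] = {}

    def check(self, cert: CertInfo, now: datetime) -> str:
        previous = self._pins.get(cert.host)
        if previous is None:
            self._pins[cert.host] = cert
            return "FIRST_SEEN"
        if previous.fingerprint() == cert.fingerprint():
            return "UNCHANGED"
        remaining = previous.not_after - now
        if previous.issuer == cert.issuer and remaining <= self.RENEWAL_WINDOW:
            # Same CA and the old certificate was about to expire: ordinary renewal.
            self._pins[cert.host] = cert
            return "LIKELY_RENEWAL"
        # A different CA, or a replacement long before expiry, is what a CA-issued
        # interception certificate looks like from the client. Keep the old pin, alert.
        return "SUSPICIOUS"


def demo() -> list[str]:
    """Runs the check over constructed sample certificates for one host."""
    store = PinStore()
    t0 = datetime(2013, 5, 1)
    one_year = timedelta(days=365)

    # Constructed sample certificates; hostname, CA names and 'der' bytes are made up.
    original = CertInfo("mail.example.com", "CN=Example Root CA",
                        t0, t0 + one_year, b"cert-A")
    early_swap = CertInfo("mail.example.com", "CN=Some Other CA",
                          t0 + timedelta(days=60), t0 + timedelta(days=60) + one_year,
                          b"cert-B")
    renewal = CertInfo("mail.example.com", "CN=Example Root CA",
                       t0 + timedelta(days=350), t0 + timedelta(days=350) + one_year,
                       b"cert-C")

    return [
        store.check(original, t0),                          # FIRST_SEEN
        store.check(original, t0 + timedelta(days=1)),      # UNCHANGED
        store.check(early_swap, t0 + timedelta(days=60)),   # SUSPICIOUS: new CA, 305 days left
        store.check(renewal, t0 + timedelta(days=350)),     # LIKELY_RENEWAL: same CA, 15 days left
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A SUSPICIOUS verdict deliberately leaves the stored pin untouched, so the next visit is compared against the certificate the user originally trusted rather than against the interception certificate. The renewal heuristic is what keeps the alert rate tolerable; without it every yearly renewal would look like the attack, which is the false-positive problem the post describes.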

Firefox is removing TeliaSonera’s certificate authority from the list in Firefox for this reason. Going forward no certificate issued by them will be recognized as valid. This will impact a large number of legitimate websites that have contracted with TeliaSonera, as well as preventing the fake certificates.

There is a lot of controversy about this. What is appropriate cooperation with law enforcement, and what is supporting and enabling dictators?

In any case, this is a failure of the protocol. If the browser shows a certificate as valid when it has not come from the real website, then there has been a security failure.

The SSL key infrastructure is showing its age. It was “good enough” when there were only one or two certificate authorities and the certificates were not actually protecting anything of great importance. Now everyone relies heavily on the security of the web. Unfortunately, while it is broken, it is very hard to replace.

In the short term, installing a certificate checker like certificate patrol is probably a good idea, despite the number of false positives you will see.

In the longer term, there is a really hard problem to solve.

According to the Telegraph, the UK government is instituting a code of conduct for public WiFi which would require blocking of pornography to protect kids.

I see a couple of problems here.

1) Porn proliferates very quickly, so the blocking is likely to always be behind the curve, and kids are really good at getting around these kinds of blocks.

2) Some people will feel that things are allowed that should be blocked.

3) Inevitably legitimate websites will be blocked. A common example is breast feeding web sites, which frequently get caught in these kinds of nets.

4) Implementing this requires active monitoring of the activity on the WiFi which generally enables other kinds of surveillance.

Most home networks don’t have filtering on the whole network, so kids at home would be exposed to raw Internet. The standard is generally to filter at the end device. It seems to me that would be the best option here.

Parents could choose exactly the blocking technology and philosophy they want to have applied, and it does not impact anyone else.

Cnet reports that an internal DEA document reveals that the DEA is unable to intercept text messages sent over Apple’s iMessage protocol.

The protocol provides end to end encryption for messages between iOS and Mac OS X devices.

This is not to suggest that the encryption in iMessages is particularly good, but to contrast with standard text messages and voice calls which are completely unprotected within the phone company’s networks.

It appears that an active man in the middle attack would be able to thwart the encryption, but would be significantly more effort. The lack of any kind of out of band channel authentication suggests that such an attack should not be too difficult.

If you really need to protect your chat messages, I suggest using a tool like Silent Text. They take some steps that make man in the middle attacks almost impossible.

Since relatively few of you had a chance to hear my talk at RSA, here is a re-recording of the presentation, which I uploaded to YouTube.

It runs just under 30 minutes.

The talk is the flip side of my usual presentations. I typically talk about how to be stealthy on the Internet. This time I was talking to network defenders about how to identify people using privacy technologies, and to use that information to help them strengthen their network defenses.

Welcome to the February edition of The Privacy Blog Podcast. In this episode, I’ll discuss a topic that caught me by surprise in the recent weeks – the dark alleys of the Internet aren’t as scary as we once thought. According to Cisco’s Annual Security Report, the most common, trusted websites we visit everyday have the highest overall incidents of web malware encounters. For example, Cisco reports that online advertisements are 182 times more likely to infect you with malware than porn sites.

Secondly, I’ll be talking about corporate anonymity issues, where the stakes are often extremely high due to real dollar-losses corporations could face. A few examples I’ll hit on are: competitive pricing research, search engine only pages for spoofing search results, trademark infringement, and research and development activities.

Hope you enjoy the episode. Please leave feedback and questions in the comments section of this post.