Showing 169 posts tagged security
Showing 169 posts tagged security
The security design of the system as implemented in tests so far will require a national certificate infrastructure much like that used for preventing domain spoofing and securing the Web. It will require a database of certificates—like the X.509 certificates used in public key infrastructure (PKI)—to verify that devices are legitimate and make it possible to rescind permissions to ensure that no one can send out spoofed messages. If a certificate were to become compromised or if a manufacturer misconfigured a batch of V2V systems, the certificate authority would be able to revoke the associated certificate. This prevents spoofing much in the way that DNS SEC prevents the “poisoning” of Internet domain address tables by a rogue Domain Name Service server.
The problem is that no one has ever developed a PKI system large enough to handle every vehicle in the United States—every car, truck, bus, and motorcycle. The revocation table for expired or compromised certificates would have to be distributed constantly to cars to make sure they weren’t victimized by recorded data attacks or other systems that used hacked hardware to spoof traffic.
So far, there hasn’t been any agreement yet on how this PKI would distribute its certificates. Proposals have included having roadside systems issue certificates as vehicles drive by and having certificates sent to vehicles out-of-band over cellular connections. The latter would mean that every car in the country would have to have its own integrated cellular phone or that drivers would have to connect their phones regularly to the systems to ensure they didn’t get shut out of the network.
Oh yes, please: let’s build a mass communications network dependent on a (largely) creaky Certificate system, deploy the devices to the attackers (i.e. car owners), and just trust that no one’s gonna hack a mass, nation-wide, Vehicle-to-Vehicle communications network.
Also: taking bets on it being an escrowed certificate system. For public safety and all that good stuff.
On Tuesday, Interim Privacy Commissioner Chantal Bernier called for more surveillance disclosure and a rewrite of Canada’s privacy laws
Christopher Parsons, a postdoctoral fellow at the Munk School of Global Affairs’ Citizen Lab, who studies state access to telecommunications data.Some of the recommendations in the report are similar to those made before – including a call for broader powers and more robust laws to allow watchdogs to do their job.
“Many of these suggestions the privacy commissioner has put forward are indicative of that office not being able to play its role. It doesn’t have the required powers to understand what’s going on in order to a) make things right or b) blow the whistle,” he said, later adding: “Should Canadians be concerned? Yeah. What the Commissioner’s office is saying is we do a good job, we do the best we can within our mandate, but our mandate is to narrow.”
Hopefully the Commissioner’s recommendations are implemented by the federal government given how pressing national security and signals intelligence issues have become.
Ars Technica has a good piece on how cyberstalkers and bullies operate, with reporting based on studies (circa 2006, admittedly) and some anecdotal evidence. In effect, the mechanisms to stalk and bully online are often easy to use, reasonably accessible, and capable of significant intrusion into people’s lives. However, what struck me most poignantly was the concluding section of the article:
In this particular case, going to law enforcement wasn’t going to be much of an option. The woman said she had gotten rid of the BlackBerry, so there was no way to perform forensics on it to gather evidence. The same was true of her father’s computer, which the technician had wiped clean.
That’s a common problem in dealing with these sorts of cases, Southworth said. “Some victims just want their device clean and just want the stalking to stop. But if you clean off the device, you’re destroying the evidence.” And for victims who are trying to deal with an abusive relationship, trying to do anything to remove malware from a phone or computer could put the victim in danger. “Even looking for the spyware can raise the risk,” Southworth said, because the software could alert the attacker of the attempt and trigger violence.
And even when software is removed, the persistence of such stalkers usually means that they won’t stop their behavior—they’ll just take different approaches. That, paradoxically, is an upside for law enforcement, Southworth said. “They don’t stop, so if she wants law enforcement to get involved,” she said referring to the victim, “there’s likely another form of stalking going on for them to catch him with.”
People who haven’t experienced stalking, or the fear of stalking, may not appreciate the emotional desire to just make it stop. Such desires are often based on an attempt to feel ‘safe’ again, often when doing simple things like buying groceries, waiting for a bus, or just going home. As such, wanting to remove the suspicious tracking systems - instead of leaving them there, and maintaining the fear, in the hopes of a criminal arrest - will often take priority over ‘catching’ the perpetrator. But, at the same time, there is often a fear that the very act of ‘making the surveillance stop’ could lead to physical consequences. It’s a lose-lose experience, where any decision merely modifies the ‘kind’ of fear instead of terminating the experience of fear itself.
Moreover, removing suspected surveillance-ware may not alleviate the fear of being monitored: most technical systems (effectively) operate like magic for the majority of the computer-using population. How the surveillance-ware was even installed, or if it was all purged, or if it could infect a person’s computer systems again, will often pervade how a person uses computers. In light of specific concerns (surveillance) that are imprecisely directed (i.e. is my phone, my computer, or other device infected and, if so, would I even know?) a person may simply avoid some actions or actively engage in deceptions to ‘throw off’ someone who might be watching.
In effect, concerns of possible but undetected surveillance are often accompanied by heightened privacy and security efforts. These efforts might be more or less effective (or even needed!), and taking such efforts will almost certainly diminish a person’s ‘normal’ uses of services (e.g. Facebook) that their (not-stalked/bullied) friends and colleagues get to enjoy. Moreover, the experience of having to use such privacy and security techniques is representative of the scarring left by online stalking and bullying: ‘normality’ becomes defined as a defensive posture online based on (often) physical fears. No one’s ‘normal’ should be predominantly defined by fear.
It’s this broader emotional fear that is challenging to address, both in terms of law (i.e. getting the data needed to pursue a meaningful conviction or punishment) and personal mental health (i.e. learning to ‘trust’ systems that aren’t really understood and that have previously compromised a person’s life possibilities).
In Canada, the federal government has recently introduced legislation ostensibly meant to crack down on cyberbullying linked to the unauthorized sharing of a person’s intimate images. While criminalizing the sharing of such images may be a helpful addition to the Criminal Code for certain kinds of cases, doing so doesn’t address the broader challenges linked to cyberstalking and cyberbullying. Addressing these challenges requires something else - though I don’t know what - that meaningfully responds to the societal issues associated with online stalking and bullying in a more holistic manner, a manner that frees people from the persistent fear of being a victim despite going to either law enforcement or removing the stalking-ware.
The story of Blackberry has gripped many technology watchers, watchers who are bearing witness to the trials and tributations of the company as it struggles to compete in the increasingly populated smartphone market. To some, it seemed that one way ‘out’ for Blackberry was for the company to be purchased by another firm looking to aggressively enter this market. Based on recent reporting by the Globe and Mail, however, it looks like any hopes that Blackberry might be purchased could be scuttled for ‘national security’ reasons.
Specifically, Steven Chase and Boyd Erman write that,
Ottawa made it clear in high-level discussions with BlackBerry that it would not approve a Chinese company buying a company deeply tied into Canada’s telecom infrastructure, sources said. The government made its position known over the last one to two months. Because Ottawa made it clear such a transaction would not fly, it never formally received a proposal from BlackBerry that envisioned Lenovo acquiring a stake, sources said.
on Monday the Canadian official took pains to emphasize that concerns about BlackBerry are not part of a trend to shut out Chinese investment. “This is a company that has built its reputation and built its success on system security and its infrastructure. That’s one of the reasons businesses use BlackBerries. … The security is robust and we’d obviously have an interest in making sure we didn’t do anything or allow anything that would compromise Last fall, citing a rarely used national-security protocol, Ottawa has sent a signal to Chinese telecom equipment giant Huawei Technologies that it would block the firm from bidding to build the Canadian government’s latest telecommunications and e-mail network. Huawei, founded by a former People’s Liberation Army member, has on numerous occasions found itself having to reject claims its equipment could be used to enable spying.
In October. 2012, a senior spokesman for Prime Minister Stephen Harper publicly hinted Huawei would be left out the cold. “I’ll leave it to you if you think that Huawei should be a part of [the] Canadian government security system,” Mr. MacDougall said.
I’m particularly mindful of the possible security issues that may be linked to letting foreign-located businesses playing significant roles in Canadian telecommunications networks. But, at the same time, the present Canadian government seems to be applying ‘national security considerations’ in a manner that prevents market analysts and watchers from clearly assessing when such considerations might be applied.
Without clear criteria, what are the conditions under which a non-Canadian company could purchase Blackberry? Could a well-financed American company buy it, based on what we’ve learned about NSA surveillance? Could a company that was known to comply with foreign governments’ lawful interception requirements buy Blackberry, given that such requirements could have a global reach? Could Blackberry be purchased by companies that operate in countries that, if their governments had access to Blackberry communications, could gain an edge in international diplomatic engagements with Canada or its closest international partners?
I don’t dispute that national security may sometimes demand terminating business deals that would violate the national interest. However, given that incredibly large investments are being killed by the federal government of Canada it is imperative that the government make clear what ‘national security’ interests are at play, and the security models that motivate terminating such deals. To date, neither the interests nor models are particularly clear. As a result, analysts are forced to read the outcome of federal decisions without the benefit of understanding the full rationale of what went into them in the first place. The result has been to make it incredibly uncertain whether foreign businesses will be legally permitted to engage in market operations with Canadian companies.
Canadians are all to aware that the current federal government has failed on its promise to provide a digital strategy for the Canadian marketplace. In the absence of such a strategy, perhaps the federal government could at least provide its rules for determining when a business proposal runs counter to national security?