eprivacy

Data protection law has not fallen from the sky. Let me give you an example of this – the overblown discussion on consent.

The current Directive states since 1995 that consent has to be ‘unambiguous’. The Commission thinks it should be ‘explicit’. 27 national Data Protection Authorities agree. This has become a major talking point. What will this mean in practice? That explicit consent will be needed in all circumstances? Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists.

Citizens don’t understand the notion of implicit consent. Staying silent is not the same as saying yes.

— 

Viviane Reding, Vice-President of the European Commission

The EU’s Data Protection reform: Decision-Time is Now

http://europa.eu/rapid/press-release_SPEECH-13-197_en.htm

Imagine the government passed a law requiring all citizens to carry a tracking device. Such a law would immediately be found unconstitutional. Yet we all carry mobile phones. If the National Security Agency required us to notify it whenever we made a new friend, the nation would rebel. Yet we notify Facebook.

The government uses corporations to circumvent its prohibitions against eavesdropping domestically on its citizens. Corporations rely on the government to ensure that they have unfettered use of the data they collect.

— 

The Public/Private Surveillance Partnership

Really good way of looking at surveillance - in the world we live in now, it’s only because of this interplay between companies and government that the current level of surveillance can happen.

Whilst the world looks on at Palestine’s (a bit irrelevant) “statehood” bid, Syria’s internet has been totally taken down.

Syria’s shutdown of all Internet services has been confirmed by two web-monitoring services. One of them, Akamai, says the traffic is at zero, a remarkable indication of how swiftly and completely Syria seems to have taken itself offline. Removing an entire country from the Internet is no small feat, and has potentially serious implications for Syria’s economy, its security and the uprising that began last year.

Still, the country has already taken far more severe action, including reports of targeting children, so the government’s apparent decision not to switch off Web access until now was in some ways surprising. Egypt and Libya both shut down Internet service early in their own uprisings last year.

REVEALED: UK spy-base in Middle East taps into WHOLE REGION’S internet communications

Above-top-secret details of Britain’s covert surveillance programme - including the location of a clandestine British base tapping undersea cables in the Middle East - have so far remained secret, despite being leaked by fugitive NSA sysadmin Edward Snowden. Government pressure has meant that some media organisations, despite being in possession of these facts, have declined to reveal them. Today, however, the Register publishes them in full.

The secret British spy base is part of a programme codenamed “CIRCUIT” and also referred to as Overseas Processing Centre 1 (OPC-1). It is located at Seeb, on the northern coast of Oman, where it taps into various undersea cables passing through the Strait of Hormuz into the Persian/Arabian Gulf. Seeb is one of a three-site GCHQ network in Oman, at locations codenamed “TIMPANI”, “GUITAR” and “CLARINET”. TIMPANI, near the Strait of Hormuz, can monitor Iraqi communications. CLARINET, in the south of Oman, is strategically close to Yemen.

British national telco BT, referred to within GCHQ and the American NSA under the ultra-classified codename “REMEDY”, and Vodafone Cable (which owns the former Cable & Wireless company, aka “GERONTIC”) are the two top earners of secret GCHQ payments running into tens of millions of pounds annually.

firstlook.org
GCHQ spied on everyone visiting Wikileaks site [Snowden Docs]

Actually, not just the IP addresses of all visitors to the site, but also what search terms they used to get there.

If that’s not enough, they also monitor all Pirate Bay users. IF THAT’S NOT ENOUGH, they back-trace uploads to Pirate Bay to find out the original sources, even if people used proxies to mask themselves.

independent.co.uk
If you store information in American "cloud" storage (Amazon, Google, Apple), the FBI can spy on it with no reason - even if you're British

Mega-terrifying.

Worth remembering: if you’re doing something you don’t want the state to know about, and you need to store it on a computer, do security right.

Encrypt files, properly. Don’t store everything in one place. Don’t store anything in the cloud. Don’t keep files on computers if you can avoid it.

Check out our digital rights tag for more resources and tips.

My friend M is working on a series of easy-to-understand, practical posts about computer security for the vaguely security conscious. Enjoy this first one!

M’s Computer Security 101: Let’s start at the beginning….Passwords!

****************************************
Madame M looks into his crystal ball and sees your passwords: they consist of a dictionary word, or a proper noun (lovers, children’s, pets’, place names) with a couple of numbers on the end. Maybe you’ve jazzed it up with a capital letter at the start. Madame M sees you have a piss poor password.
****************************************

Last week it was revealed that a huge percentage of the world’s email, instant messaging, VPNs and a shit load of other services you log on to have been vulnerable to being hacked. This bug allows an attacker to extract information from the memory of a server, which may include passwords. It has been out in the wild for about 2 years. Intelligence services around the globe may have your passwords on record.

This is a very good time to review and change all of our passwords!

Hackers use a variety of tools to crack a password, such as brute forcing (checking all possible combinations), dictionary attacks (using a huuuge hackers’ password list of possible passwords), rainbow tables (pre-computed mappings of encrypted passwords to clear text), phishing emails (nefarious emails prompting you to follow a link and log in to its fake server) and fuck loads of other techniques….

So, what makes a good password?

  • Length (over 14 characters)
  • Complexity (mix of upper case, lower case, numbers and special characters)
  • Unpredictability (apparent random nonsense)

BUT it needs to be memorable! (to prevent you writing it down)

How the fuck do we achieve that? Use the mnemonic of taking the first letter of each word of a phrase, song lyric or line from a book and shove them all together. Then swap certain letters for special characters (e.g. a for @, e for 3 etc) and leave in the punctuation.

For example…
“Wwtfw@th,wwth,@wwtn!”

Has been made from……….
“We want the finest wines available to humanity, we want them here, and we want them now!”

That’s a strong yet memorable password!

Now that we’ve created a strong password, only use it in one place. If a hacker cracks one of your passwords they will try it for everything they can find you use.

“Madame M, how can I remember all these passwords for the umpteen logins I have” I hear you cry.

Use an encrypted password safe such as the excellent KeePass. This will safely store your complex passwords, leaving you only the master password to remember.

So, now we have strong passwords, not reused on more than one login and a safe way to store these good passwords….but there is one final thing.

You should change them regularly. If one password becomes known for any reason, the hacker will have access to this service for as long as it’s not changed. Every 3 months would be a sensible interval for changing your passwords.

So, in short….

  • Use long, complex, unpredictable but memorable passwords.
  • Do not use the same password on more than one login.
  • Change your password regularly (at least every 3 months).
  • Keep your passwords safely in KeePass.

****************************************
Madame M leers into his crystal ball but cannot see your naked selfies as you now have a bad ass password policy!
****************************************
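Madame M’s recipe written out as an added Python example (not part of M’s post): it derives the post’s own password from its phrase, flags the “one word plus a couple of digits” shape the crystal ball warns about, and reports the three properties listed above. The thresholds (length over 14, at least three of the four character classes) are assumptions.

```python
import re
import string

# Substitutions named in the post: a -> @, e -> 3 (extend the dict as you like).
SUBS = {"a": "@", "e": "3"}

def mnemonic_password(phrase: str, subs: dict = SUBS) -> str:
    """First letter of each word, punctuation attached to a word kept,
    letters listed in `subs` swapped for special characters."""
    out = []
    for word in phrase.split():
        # drop leading punctuation (e.g. opening quotes), keep trailing ("," "!")
        m = re.match(r"^\W*(\w).*?(\W*)$", word)
        if m is None:
            continue
        first, trailing = m.groups()
        out.append(subs.get(first.lower(), first) + trailing)
    return "".join(out)

def looks_like_word_plus_digits(pw: str) -> bool:
    """The shape the crystal ball warns about: one word, optional capital,
    a couple of digits on the end ('Fluffy12'); crackers try these first."""
    return re.fullmatch(r"[A-Z]?[a-z]+\d{0,4}", pw) is not None

def strength_report(pw: str) -> dict:
    """Check the post's three properties. Thresholds are assumptions:
    length over 14 and at least three of the four character classes."""
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    return {
        "length_ok": len(pw) > 14,
        "classes": sum(classes.values()),
        "complex_ok": sum(classes.values()) >= 3,
        "predictable": looks_like_word_plus_digits(pw),
    }

if __name__ == "__main__":
    phrase = ("We want the finest wines available to humanity, "
              "we want them here, and we want them now!")
    pw = mnemonic_password(phrase)
    print(pw, strength_report(pw))          # Wwtfw@th,wwth,@wwtn!
    print("Fluffy12", strength_report("Fluffy12"))
```

The a/@ and e/3 swaps are well known to cracking tools, so the strength here comes from the length and the obscurity of the phrase, not from the substitutions.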

commondreams.org
Chevron Granted Access to Activists' Private Internet Data

Chevron has been allowed, by a US federal judge, access to the personal data of environmental activists, journalists and lawyers.

The info in question contains where they were in the world when they logged onto their email accounts.

This may not sound like much, but with this information Chevron will be able to work out where over the nine year period users went, who they went with, and so what relationships exist.

This is all because Chevron shat on indigenous people when it dumped 18 BILLION gallons of toxic waste in the Ecuadorian Amazon.

arstechnica.com
“TrueCrypt is not secure,” official SourceForge page abruptly warns

One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn’t safe to use.

“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” text in red at the top of TrueCrypt page on SourceForge states.

For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives.

so what’s probably happened is that the NSA has harassed TrueCrypt into shutting down, via some scheme TrueCrypt probably can’t even legally mention (cf. Lavabit) – probably by asking them to install a backdoor, which I can imagine they’d refuse to do – which will just push users onto shitter ‘encryption’ programs that the NSA can crack.

terrifying.

Resources Friday!

*** super useful *** SpeakSafe: Media Workers’ Toolkit for Safer Online and Mobile Practices - useful if you’re a journo/blogger who works with people whose security you want to protect. Covers emailing, online chat, WiFi safety, social networks and more.

Social Media Strategies for Advocacy and Targeted Communications - some how-tos, dos and don'ts for using social media as a campaigning tool (for NGOs largely but still useful!)

Visualise Beautiful Trouble - made by Marian Dörk at Newcastle University, this visualisation of the recent creative direct action handbook displays the content in a very pretty way, highlighting articles by relevance and interconnectedness. Give it a whirl!

youtube

To Protect and Infect: the nuts and bolts of NSA/GCHQ spying

Even if you think you know about the NSA/GCHQ hacking fuckery, there will be things in here that will blow your mind. An example quote:

“I think the laws here are wrong. They are in favour of an oppressor who is criminal, and when we redact names of people who are engaged in criminal activity - including drone murder - you’re actually not doing the right thing.”

The first video of this two-part set from the 2013 Chaos Communication Congress covered how Middle Eastern activists from Bahrain Watch and Mamfakinch (Morocco) were harassed using spying software called FinFisher, which was made in the UK.

blogs.computerworld.com
Perfect Forward Secrecy can block the NSA from secure web pages, but no one uses it

With computing power advancing so rapidly, keeping your data encrypted online is becoming more and more of a challenge. Organisations like the NSA can just store your data now, and wait for technology updates down the line before decrypting it.

Most web encryption is currently set up so that every session’s secret is protected by the website’s one long-term private key. If you can work out that key for a given website, you can then decode everything that website ever encrypted with it, recorded traffic included.

Luckily, there is a solution to keep “today’s information secret even if the private key is compromised in the future” - read on for more info!
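Added illustration, not from the linked article: a toy Python model of the two handshake styles, with constructed parameters far too small for real use. A recorder who stored the traffic and later obtains the server’s long-term private key recovers the session key under RSA key transport, but is left with a hopeless discrete-log search under ephemeral Diffie-Hellman.

```python
import secrets

# Constructed toy parameters, far too small for real use; they only show
# who can recover a recorded session's key once the long-term key leaks.
DH_P, DH_G = 2**127 - 1, 3                      # Mersenne prime M127 as the DH group
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537   # two primes, public exponent
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's long-term private key

def key_transport_session():
    """Classic RSA key transport: the client picks the session key and sends it
    encrypted to the server's long-term public key. A passive recorder keeps
    the ciphertext; nothing else is needed to reopen the session later."""
    session_key = secrets.randbelow(RSA_N)
    recording = {"wire": pow(session_key, RSA_E, RSA_N)}
    return session_key, recording

def recover_later_key_transport(recording, leaked_private_key):
    """Store now, decrypt later: the leaked private key opens every recording."""
    return pow(recording["wire"], leaked_private_key, RSA_N)

def ephemeral_dh_session():
    """Ephemeral Diffie-Hellman: both sides pick fresh secrets a, b, exchange
    g^a and g^b, derive g^ab, and throw a and b away after the handshake.
    The long-term key only signs the exchange; it never protects the secret."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    session_key = pow(B, a, DH_P)
    assert session_key == pow(A, b, DH_P)       # both sides agree
    return session_key, {"A": A, "B": B}        # a and b are gone

def recover_later_dh(recording, leaked_private_key, effort=1 << 16):
    """The leaked key is useless here (it is never read): the recorder is left
    with the discrete log of A, tried by brute force up to `effort` guesses,
    which is hopeless in a 127-bit group."""
    for x in range(1, effort):
        if pow(DH_G, x, DH_P) == recording["A"]:
            return pow(recording["B"], x, DH_P)
    return None

if __name__ == "__main__":
    k, rec = key_transport_session()
    print("key transport recovered:", recover_later_key_transport(rec, RSA_D) == k)
    k, rec = ephemeral_dh_session()
    print("ephemeral DH recovered:", recover_later_dh(rec, RSA_D) == k)
```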

democracynow.org
If you use Windows, the NSA can "literally watch every keystroke you make"

Since 1997, hackers inside the NSA have developed a way to break into computers running Microsoft Windows by gaining passive access to machines when users report program crashes to Microsoft. In addition, with help from the CIA and FBI, the NSA has the ability to intercept computers and other electronic accessories purchased online in order to secretly insert spyware and components that can provide backdoor access for the intelligence agencies.

Fuckers

guardian.co.uk
US military collects confidential user data from Google, Skype, Facebook and others

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

The Guardian has verified the authenticity of the document, a 41-slide PowerPoint presentation – classified as top secret with no distribution to foreign allies – which was apparently used to train intelligence operatives on the capabilities of the program. The document claims “collection directly from the servers” of major US service providers.

Although the presentation claims the program is run with the assistance of the companies, all those who responded to a Guardian request for comment on Thursday denied knowledge of any such program.

Not surprising at all, but still creeeeeeeeepy as shit.

Let’s say that Microsoft does not provide any government blanket or direct access to its products, there is no hidden backdoor in Skype and it did not hand over any kind of encryption key to the NSA.

Although Microsoft engineers seem to have helped the FBI/NSA to tap into the Skype application we have not (yet) seen any detail on how this access is technically done. It is generally known however that the NSA employs highly skilled hackers and it would not be a crime for Microsoft to provide consulting services to the NSA in order to help them to hack into its products, including the Windows Operating System.

By doing this, Microsoft does not give direct access. It merely provides consulting services which could also have been provided by other, specialized companies. But, Microsoft will be much more effective as they clearly know all the intricate, technical details of their own software.

—  What if Microsoft is telling the truth about Skype, and they don’t give governments direct access to Skype? The alternative may not be much better…