carlo von lynX, youbroketheinternet.org,
An Inventory of Impotence: Overview of the Sorry State of Security and Legality of IT InfrastructureWhen bringing non-technical persons and businesses up to date on the sorry state of post-Snowden information technology (IT), I was surprised not to find a document that would deliver a reasonable overview of IT under consideration of what we learned from the leaks since 2013. I was lucky to get financed to produce this document. The focus is on protecting the privacy of patients with post-war traumata, but it likely applies to dissidents, whistleblowers and anyone seeking legal advice from a lawyer. Some lucky individuals may not feel affected by the things described in this document, except on a larger societal level by the deconstruction of democracy implied. For techies, all articles and documents cited in this document are available en bloc from the git://git.psyciumunsqarzsehz5xlgsi2mg4dkvntwf5bwj5kwbcbazwiuhna2ad.onion/youbroketheinternet-knowledge.git repository. The Table of Contents resides at the end of the document, for pragmatic reasons.
1. Data Protection and the Cloud
While Angela Merkel goes about suggesting to reduce data protection in favour of an illusionary gain in participating in the race to the bottom of devolution of digital citizen rights, the European Union has agreed on harsher data protection standards and expects also the Bundestag to put them into law by 2018-05-25.[1][2] According to the EU Court of Justice, the "national security, public interest and law enforcement requirements of the United States prevail over the 'safe harbour' scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons".[3][4] In fact the 'Freedom Act' legislation which reformed 2001's 'Patriot Act' in 2014, after the revelations of Edward Snowden, merely introduced some improvements for American citizen:[5][6][7][8][9] "It focuses exclusively on reining in the NSA’s direct spying on Americans. As Snowden’s disclosures have shown, the NSA collects far more private information on foreigners—including the content as well as the metadata of e-mails, online chats, social media, and phone calls—than on US citizens." So it isn't even legal to use cloud systems within the EU when handling personal data of clients and patients, as most cloud systems replicate data into the United States. The Commission has since produced the so-called "EU-US Privacy Shield", which the European Data Protection Supervisor considers not good enough to withstand before the EU Court as it merely gives EU citizen the possibility to sue American companies before American courts.[10] Quite evidently this isn't helpful in cases when dissidents have already died because of data breaches, or whenever entire populations have been politically manipulated.
"In mid-2014, the Russian parliament passed a law obliging all internet companies to store the personal information of Russian citizens inside the country", motivated by distrust in Western cloud infrastructure.[11][12] The BBC's take on that, is, that it's better if the NSA can spy on Russian citizen rather than their own government.[13]
Footnotes:
2. How American government got a grip on digital technology
Up into the 80's, all of the technological world attempted its own designs of computers and operating systems, but during the 90's the USA has established a worldwide dominance in operating systems from Microsoft Windows and MacOS to today's Apple iOS and Google Android. While predicating the principles of free market and deregulation to the rest of the world, the US was silently adamant in actually subsidizing technological start-ups well enough to kick other nations out of business.[14][15] Oracle, the market leader in database technology that produced one of the richest people on the planet, was named after a CIA program.[16]
2.1 1995: Pentagon decides to control the Internet
As a reminder, the NSA has been collecting more or less all e-mails, phone calls and SMS text messages since the creation of the Internet. In 1995, as the Internet started becoming popular, the US government made a strategic decision to keep total control of digital networking.[17] The aim was to “enable leaders and policymakers from government, industry, and academia to address key issues surrounding information warfare to ensure that the United States retains its edge over any and all potential enemies.”One NSA slide from Snowden's archives describes it like this:[18] The US was the major player in shaping today's Internet. This resulted in pervasive exportation of American culture as well as technology. It also resulted in a lot of money being made by US entities.
2.2 1996: How the CIA created Google and XKEYSCORE
It is then that the CIA financed the research of some Stanford students regarding the PageRank algorithm, essentially funding the creation of Google.[19] With such powerful ability to find needles in the haystack of the web, the secret services also wanted such a tool for all of the e-mails and text messages. Journalist Nafeez Ahmed has researched, how Google empowered the NSA to become the gigantic beast it is today.[20]
2.3 1999: Companies caught collaborating with the NSA
It is no surprise that Silicon Valley companies have a long tradition of friendly collaboration with the secret services that are among their best customers.[21] The impressive effectiveness of the PRISM program is a result of that, but there are earlier cases like IBM allowing the NSA to have a backdoor in Lotus Notes in 1999[22][23] or Microsoft being caught with the mysterious _NSAKEY.[24][25]
2.4 Had Skype to be acquired at all costs?
In rare cases, when technologies arise out of the control of the US government, an American company quickly acquires such technology. Skype originally provided video telephony that the secret services were unable to decrypt.[26] So, eBay bought Skype from the Estonians even though it never really had a business case for it.[27][28] This way Skype became an American company, and got integrated into NSA's PRISM surveillance program.[29][30][31][32]
2.5 PRISM: Integrating corporate cloud systems into XKEYSCORE
The NSA search engine encompassing all private data of digital humanity, including access to the Google, Facebook, Microsoft, Apple, Skype, Yahoo, Youtube and other PRISM[33] partner data centers, goes by the name of XKEYSCORE[34] or "XKS" among insiders. According to leaked slides it has access to e-mail, chat, photos, videos, stored data, file transfers, login activity, social networking ("personal details", "pattern of life", "connections to associates"), telephony (both on and off the Internet) and video conferencing. Also Twitter, CNN, mail.ru and Wikipedia are listed as being under observation.[35] Passwords are used as a way to identify multiple accounts of the same person, as people frequently use the same password across platforms even when varying usernames. The NSA is known for letting their Five Eyes partners (Australia, Canada, Great Britain, New Zealand) collect data about American citizen whenever it wouldn't be legal for the NSA to do it.[36] Some U.S. telecommunications companies willingly provide intelligence agencies with access to facilities and data offshore that would require a judge’s order if it were done in the U.S., one of the four people said. In these cases, no oversight is necessary under the Foreign Intelligence Surveillance Act, and companies are providing the information voluntarily. The extensive cooperation between commercial companies and intelligence agencies is legal and reaches deeply into many aspects of everyday life, though little of it is scrutinized by more than a small number of lawyers, company leaders and spies. […] Typically, a key executive at a company and a small number of technical people cooperate with different agencies and sometimes multiple units within an agency, according to the four people who described the arrangements. If necessary, a company executive, known as a “committing officer,” is given documents that guarantee immunity from civil actions resulting from the transfer of data.
2.6 TEMPORA: Your life over intercontinental cables
The British GCHQ operates TEMPORA, a system used to capture most Internet communications passing intercontinental fibre-optic cables, so they can be accessed using the XKEYSCORE search engine. No distinction is made in the gathering of data between public citizens and targeted suspects. "Tempora is said to include recordings of telephone calls, the content of email messages, Facebook entries and the personal Internet history of users."[37][38][39][40] Another GCHQ program targeted at Google and Yahoo data centers is called MUSCULAR. [41]
2.7 2016: Hackers broke into the NSA, found tools to subvert Cisco devices
Among the many Snowden revelations, the subversion of Cisco equipment barely made the news.[42] In 2016, hackers broke into the NSA and published some of its most precious "cyber weapons":[43] The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including, Cisco, Juniper, and Fortinet. According to the leaked files, Chinese company 'Topsec' was also an Equation Group target.Cisco soon confirmed the effectiveness of the tools.[44] NSA had leveraged vulnerabilities in proprietary Cisco devices to extract private crypto keys, enabling the agency to decrypt and archive all ongoing communications for a decade.[45] A month later, other people used those NSA tools to break into Cisco firewalls, routers and switches.[46] This is relevant not only because it empowers secret services to monitor traffic from all kinds of locations, aiding in the de-anonymization of Tor users for example.[47] It also means that, wherever you place a server in a data center, a potentially hacked routing hardware is its best friend and gateway to the world. See also further below in regard to Intel's Active Management Technology (AMT). Other manufacturer's hardware like Juniper's[48][49] and Huawei's[50][51] is also known to be insecure.
2.8 2017: XKEYSCORE now available to anyone who can afford to bribe
Just days before Donald Trump took office, the Obama administration has chosen to make the NSA search engine, apparently rebranded with a new name, available to sixteen other agencies including CIA, FBI, Homeland Security and even the Drug Enforcement Agency.[52] The risk of the US turning into a totalitarian police state with even the DEA being able to read the private mails of each and every minor drug offender or innocent human, worldwide, is mindboggling. A subtler long-term risk in this development is that all kinds of foreign governments and savvy criminals have a chance of accessing the grand collection of private data that allows to blackmail just about any person on the planet. That spells new business opportunities for mafia organizations and oppressive regimes all over the world.
2.9 Dropbox: giving every person's private files to the NSA
The Dropbox company introduced a new dimension of snooping with its technique of maintaining backups of each of its users' files. Its extreme efficiency is achieved by detecting whenever several users possess identical files, as is the case with most of the operating system on the machine. In that case Dropbox would only store the fact that the user, too, has that file rather than actually uploading it to the cloud. This trick can only be achieved by maintaining an unencrypted copy of all files in the cloud. What a great gift to the NSA for any kind of cyber espionage or blackmailing of individuals if they trusted Dropbox to provide back-up services for them of all the important things they keep on their private computers.[53][54][55]
Footnotes:
3. How dangerous is it to employ Microsoft?
Microsoft always assimilates good ideas from competitors (remember Novell?), so with SkyDrive (quickly renamed into OneDrive) it produced its own Dropbox, including the backdoor for the NSA.[56] Some versions of Microsoft Office store directly to SkyDrive, says one of the NSA slides.[57] So the question is, are files containing sensitive or personal information safe to store on a Microsoft device at all? No! Because here's what Microsoft's Privacy Policy bluntly declares:[58] “We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to”, for example, “protect their customers” or “enforce the terms governing the use of the services”. Yet, until recently, when a government agency wanted to gain access to a PC running Windows, they would have to wait for the user to run 'Windows Update' in order to insert a spyware trojan. By now it is generally known how to crack that system.[59] With the introduction of mandatory automatic updates since Windows 10[60] the OS can send any data of interest to its cloud and into XKEYSCORE as there is no way to distinguish legitimate software updates from exfiltration of user data or installation of spyware. In practice we should assume that any Windows system is fully remote controllable by the US authorities.[61] [62] Upgrading to business editions of Windows 10 is of no help since Microsoft slowly dismantles privacy features and other controls on those as well — even manual modifications of the Registry are suddenly ignored by "Windows 10 Pro".[63] Some governments are now requiring Microsoft to ship special versions with spying switched off, but how can they really be sure?[64] Using the Dropbox checksum strategy, it is obvious which files are unique to a person as they aren't also owned by other people. The NSA can choose to slowly pull a copy of any file a user stores to the Windows 10 hard disk for closer inspection. NSA might just be keeping a copy of every file created on the surveilled Internet, just in case. Or it could be applying big data analysis algorithms on which files to fetch, although NSA has shown in the past to always prefer collecting it all. Again, no file is safe on your hard disk. Microsoft is also known for keeping backups of your disk encryption keys, for letting the NSA read user mail, having the ability to delete files and applications from your system and more.[65][66][67][68][69][70][71][72][73] Examples of data we collect include your name, email address, preferences and interests; browsing, search and file history; phone call and SMS data; device configuration and sensor data; and application usage. Even the Windows 7 and 8 systems have retroactively been "enhanced" with surveillance software that tracks the owner's computer memory, possibly enough to extract private data and cryptographic keys (so that they can snoop when you visit "secure" HTTPS websites, for example).[74][75] But the problem isn't only the American government: Mark Loveless says Windows 8.1 and Windows 10 are so insecure, you can't unpack your laptop and walk into an open WiFi (= WLAN) bar without risking that somebody breaks into it – anybody, who knows how to run a bunch of freely available hacking tools.[76] Another bug that was found in 2014 and fixed only an entire year later had been serving as a backdoor since 2003. Since Microsoft stopped updating systems prior to Windows 7, that actually means that all Windows Server 2003 and Windows XP systems still in existence are running with a known gaping hole.[77] Windows Vista has seen a helping hand from the NSA as well,[78][79][80] so there isn't even any old version of Windows, of which can safely be claimed that it is compliant with the upcoming data protection standards.[81] Apparently, Windows users have given up thinking their computer is safe, but rather resort to thinking that it won't happen to them. Well, the bad news is: the Five Eyes scan the entire Internet for computers they can control, automatically. Simply because they are useful to cover traces of their operations, even should the victim's computer be of no particular interest.[82][83] So, even as a private person, merely using the Internet with Windows easily becomes a harm to society as a whole. In a leaked document the German Federal Office for Information Security is worried that agencies and critical infrastructures should not employ Microsoft, because of a cryptographic backdoor available to the NSA and possibly to China.[84][85] Also, Russian parliament has been discussing a ban of Windows 10 systems in state agencies. In particular the service agreements that people must legally accept, in order to be able to use their property "allow Microsoft to access all passwords, password prompts and other information used for data protection. The US corporation also receives other types of data, from users’ contacts, their emails and even location. Microsoft warns that the received information will be stored and processed in the United States or any other country for an indefinite period of time and transferred to US state agencies."[86][87][88] Indeed, several sources agree that Windows 10 legally imposes tracking and surveillance on its users:[89][90] "By default, Windows also gives itself permission to display ads in the Start Menu, to collect telemetry about your device (this can only be turned off with the Enterprise edition of the operating system), and to send your browser history and keystrokes directly to the company for analysis."[91] The old adage “If you aren’t paying for the product, you are the product” doesn’t apply here, because Microsoft doesn’t offer retail purchasers of Windows 10 any additional controls or default opt-in settings than it gives to the free upgrades. You’re the product whether you pay for it or not.
Summary: The only way to use Microsoft systems legally as a company or organization that deals with personal data, is to never allow Windows systems to connect to the Internet.
3.1 What about anti-virus software?
Apparently it is a big money-making machine with hardly any gain for the consumers.[92] But, on top of that, NSA and GCHQ have been working closely with anti-virus software firms in order to "track users and infiltrate networks, according to documents from NSA whistleblower Edward Snowden." They would also target anti-virus companies that do not collaborate, such as the Russian Kaspersky Lab.[93][94] Gizmodo deduces, the NSA doesn't want anti-virus software to actually do its job.[95] One slideshow on the NSA’s 2010 Project CAMBERDADA (actual subtitle: “An Easy Win”) shows how the agency monitored emails from anti-virus companies to look for new security flaws to exploit.
Summary: So if you want less spying on your computer, get rid of that anti-virus spyware.
3.2 What if I buy a completely new computer?
Doesn't solve any problem if the manufacturer of your computer sold it to you with a huge extra security problem:[96] The preloaded Superfish adware does more than hijack website ads in a browser. It also exposes Lenovo owners to a simple but dangerous hack that could spell disaster.
Footnotes:
4. How dangerous are Apple, Google and other American companies?
"Apple and Google may have ignited the trend of collecting increasing amounts of their customers’ information, but with Windows 10, Microsoft has officially joined that race."[97] Apple’s and Google’s privacy policies both have their own issues of collection and sharing, but Microsoft’s is far vaguer when it comes to what the company collects, how it will use it, and who it will share it with—partly because Microsoft’s one-size-fits-all privacy policy currently applies to all your data, whether it’s on your own machine or in the cloud. Computerworld writer Preston Gralla instead thinks Apple and Google aren't in any way better than Microsoft. They too have designed their operating systems around the cloud business model and get your permission for access to your data in order to monetize it.[98] Apple, like Microsoft, gives surveillance agencies extra time to exploit vulnerabilities before fixing them.[99][100] The Skycure Team found 150 security vulnerabilities in iOS in 2014, and 374 in 2015, showing there are plenty of ways for crooks to potentially subvert iDevices.[101] Sitting in a café with your Mac turned on might actually be dangerous to the data you have on it. But the problem isn't limited to Silicon Valley corporations. Any US company probably shares private data with the agencies:[102] Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said. These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden. Few months earlier, before the Snowden revelations, the government was preparing legislation that would allow security agencies to fine companies that do not comply with the order to collaborate.[103]
Footnotes:
5. In Linux we trust?
ZDNet has officially declared that 2015 was the year Linux and open-source software took over the IT world. Microsoft embraced Linux, Apple open-sourced its newest, hottest programming language, and the cloud couldn't run without Linux and open-source software. Microsoft has said it won't be releasing a Windows 11: Instead, it'll be upgrading desktop systems to the point where Windows is actually running in the cloud within Ubuntu-powered containers (Ubuntu being a commercial brand of Linux).[104] But even with Linux, we may get nervous that most distributions are assembled in the US (Redhat, Fedora, Arch), have crucial parts coming from the US (Debian, Ubuntu, Mint, TAILS) or belong to a US company (like SuSE, a German company that got acquired by Novell[105]). But that by itself doesn't give a Linux system the possibility to spy on all its users like the other systems do — simply because unknown network communications leaving the computer are likely to get noticed by proficient experts. Linux systems do not possess a carte blanche to talk to the companies that manufactured them… … if it wasn't for the automatic software update facility. As Leif Ryge observes, somebody must detain the cryptographic keys to sign and guarantee the authenticity of any provided programs and software updates. With that role comes a lot of risk and responsibility. And that somebody might just be subject to pressures:[106] Having access to a "secure golden key" could be quite dangerous if sufficiently motivated people decide that they want access to it. Being free of single points of failure should be a basic requirement for any new software distribution mechanisms deployed today. So far, I am not aware of such an attack taking place in large scale. Authorities, as we have seen in the case of HACIENDA, typically use known vulnerabilities which are regularly found and documented publicly[107] and can be handled by frequent updating. So it is probably okay to use any Linux distribution. We might prefer European (Sabayon, Manjaro) over American ones. QubesOS is interesting for its ability to separate critical applications from unsafe ones in multiple virtual machines, allowing to integrate and isolate an instance of Microsoft Windows if necessary — although it needs powerful machines to run smoothly. But there actually exist free and open source systems that do satisfy Leif's criterion of better security by providing better transparency of the software update mechanism:
You may think, what a simple and obvious thing to ask for: that software executables actually do what the corresponding program code says they would be doing — and yet, this is a fresh new approach that only took off since, guess what, the revelations of Edward Snowden. Until now, the entire computing world has always accepted that it actually has no proof of what the computer is doing. All computing was based on trust.
Summary: All in all, most Linux operating systems should be a legal and reasonable choice, vastly safer than those proprietary systems which are designed to monetize the data we produce on them. Yet with the new generation of reproducible Linuxes we get an extra degree of security that may just be worth it. Especially should they turn out to work just as well as the traditional Linux systems.
Another dark side of Linux is, that it was the key strategic advantage of Google compared to other Internet start-ups: Google was the first to build a large cloud of cheap Linux computers, monetizing the volunteer work of thousands of Internet activists.[109][110] And then they leveraged Linux further, by bringing it to the mass consumer market in form of smartphones.
Footnotes:
6. Android, the Linux for small devices
Google's Android is a derivate of Linux, but the way it is shipped by the manufacturers, it has plenty of untrustworthy extensions. Here's how Mike Perry of Tor describes it:[111] Android is the most popular mobile platform in the world, with a wide variety of applications, including many applications that aid in communications security, censorship circumvention, and activist organization. Moreover, the core of the Android platform is Open Source, auditable, and modifiable by anyone. Android is the tragic example how the ideology of open source backfired, enabling corporations to sell us expensive devices that make use of decades of volunteer work to spy into our lives. Free software contributors like me first powered the Google revolution, then unwittingly helped build the world's most pervasive surveillance network.[112] At least, most devices can be rooted or jailbroken. In the case of Android devices, one can then disable or uninstall most surveillance tools which are provided with them. In some lucky situations, depending on the manufacturer and model of devices you buy, you can even replace the Android system image with a fully open source one.[113] Even that isn't a guarantee for complete safety, but at least there is no more easy way to abuse those devices. In any case one needs to disable the Google Play Store, also because of all the other apps – any of them possibly being a tool that enables strangers to check on what you do and how you look like.[114][115] Also, malware apps can still bypass the automatic quality checks of the Apple and Google stores. Therefore, installing random apps can be a danger to anyone.[116] Remember also the noteworthy case of NSA exploiting the unencrypted data leaks from the 'Angry Birds' game.[117] But even the most established, popular and apparently trustworthy apps are a major cause of concern: Observers have caught the Facebook app listening in and analyzing what people say while the telephone is sufficiently near.[118] Facebook said that it does listen to audio and collect information from users – but that the two aren't combined, and that sounds heard around people aren't used to decide what appears in the app.Personal friends have confirmed the experience of hearing something on television or mentioning it in a conversation, then minutes later the same thing would appear as an advertizement on Facebook. Facebook has also filed a patent for detecting user emotions by analyzing the face as they use their phone,[119] knowing that the best time for intrusive advertizing is when the user is in a happy mood. In Stasi days, you at least knew why they were surveilling everybody, but these companies come up with phony reasons why it may constitute a service to eavesdrop on conversations, in disregard of constitutional principles (see end of document for considerations on constitutionality). If you want to keep those kinds of surveillance apps off of your phone, you better get trustworthy ones from F-Droid. F-Droid is a catalogue of independently built free and open source applications for Android. It has a vast choice of solutions for all kinds of challenges including enough games to keep you entertained in the subway.[120] For the needs of basic communication, a decent XMPP client called 'Conversation' is provided, but most people will probably want to install Telegram. Of the large commercial social networking services, Telegram is the only one that allows F-Droid to ship a secure version of it.
Footnotes:
7. What about the hardware? Can we use computers?
Since about 2008[121] each Intel CPU (central processing unit, aka processor) is equipped with remote control features. An entire networking stack with a website is built directly into the CPU's microcode, the program the processor uses to do ordinary jobs like distributing execution to the various cores and assigning which parts of the memory the operating system is allowed to access. The genius thing is that the microcode reserves memory portions for its own use that the operating system is never allowed to look at. It can't even know how much is being withheld. This way, even if you install Linux or BSD,[122] the Intel processor can hide extra data it is secretly processing and spy on what you are doing without Linux having a chance to notice. Intel sells this ability as a feature called "Active Management Technology",[123] so as crazy as all of this sounds — it's not paranoid, it's real. Some people even posted videos on Youtube that show how the Linux is controlled by AMT.[124] This allows a systems administrator to snoop into an employee's computer (hard disk, running memory, keystrokes, the image displayed on the screen) even when it is running Linux or when it is turned off (as long as the power cable is plugged in or the battery is charged). Quite likely even microphone and webcam can be operated while the computer appears to be powered off.
You may ask, how come you haven't heard about all of this before? Maybe because, when the news came out, not many really bothered. It was years before Snowden. Given previous collaboration of Intel with the NSA, it is not a stretch to expect that the NSA has a spare key by which it can access any Intel hardware on the planet.[125] According to 'phibetaiota', an Intel employee complained in 2017 that he would not understand why working on ME (a subsystem of AMT) requires him to obtain security clearance from the US government.[126] But even without such a collaboration, several vulnerabilities have been found and exploited.[127][128] Being in hardware they are obviously less easy to repair. Researcher Vassilios Ververis found that the "zero touch" provisioning mode remains available even when the AMT appears to be disabled in BIOS. So he purchased a certificate that is accepted by the ME firmware, allowing him to remote control intel systems in the local network.[129] That was in 2010, so intel may have fixed that vulnerability in the meantime. Still, this is the stuff TV hacker series are made of, and quite symbolic of the overall state of digital technology: an utter mess of irresponsibly assembled madness. Regarding other chip producers, with AMD[130] being a US company it is not reasonable to expect it not to have been legally required to provide some special access for the NSA.[131] Whereas the Japanese/British ARM has not been seen holding hands with either NSA or GCHQ, but there are several manuals out there describing how to exploit the ARM architecture.[132][133] ARM produces chips that run in most smartphones, consumer electronics and Internet-of-Things (IoT) devices.
7.1 Hardware is probably not the problem.
As despicable and politically inacceptable these hardware backdoors are, it is unlikely for them to become a problem for everyday people as much as other things: The NSA has not been seen using the Intel remote control features, probably because it would get caught with the hands in the cookie jar. Some companies and techies install trustworthy operating systems on their hardware so they can control each and every communication their machines make with the outside world. Should the NSA try to use the Intel backdoor, it would be visible in the network traffic. This is completely different from the way Microsoft, Apple or Google track us — they can hide any spying in the middle of regular incomprehensible interactions with their respective cloud systems, therefore indistinguishable from normal system updates and other intended operation. So, ironically, the less sophisticated threat is more relevant.
7.2 Update 2018: What's the buzz with Meltdown and Spectre
In January 2018 we were told about vulnerabilities in the execution prediction mechanisms of all modern microprocessors. The main risk is if you install any software you cannot trust — in that case these vulnerabilities introduce yet another way for such software to escape from sandboxing or virtualization safety systems provided by all modern operating systems. In fact most OS already have vulnerabilities of this type, whereby this new hardware-based variation only helps making technologists feel more helpless than usual, as this time there is system update that can resolve the problem. The attempted solution so far has been to disable these optimizations in the microprocessors which has devastating consequences for performance. By using free and open source software we are mostly on the safe side. There is an additional risk introduced by Javascript in web browsers. These hardware vulnerabilities could theoretically be exploited by evil websites, trying to snatch some private data like passwords or https encryption keys from your computer.[134][135] The pragmatic strategy in this case, until the web browser producers find solutions to mitigate these potential attacks, would be to not leave (other) websites open while you work on private communications and data. Even better if you install a Javascript execution manager like "NoScript" and selectively only allow execution of potentially malicious Javascript when really necessary.
Summary: Still, Meltdown and Spectre are mostly theoretical risks -- not an immediate threat like using Windows 10 in the first place. Given a trustworthy set of free and open source software, we can keep our laptops in check and do not need to be excessively afraid.
The issue is more complicated when the hardware is placed in a rack in some computing center. Since the AMT vulnerabilities can be exploited by other computers in the local ethernet, the hacked Cisco, Juniper or Huawei device (see above) gatewaying your server into the Internet may just be waiting for the technician to plug that cable in. NSA can therefore systematically break into most Intel servers on Earth and have them look out for encryption keys and other sensitive data, automatically, without the server's administrator having the slightest chance of finding out this is happening.[136]
7.3 Tailored access operations: Computer implants
NSA slides indicate that over 50,000 so-called implants have been deployed in computer systems around the world. Implants are physical modifications of the computer with custom surveillance hardware.[137] The slides also show photos of the lab where beacons are implanted (on page 149).[138][139]
Summary: As this is a rather expensive tactic for NSA, only few need to worry they may be subject to such treatment. We should probably welcome those few law enforcement techniques that do not scale up to destabilizing democracy.
7.4 But keep the Bluetooth switched off
In Septemer 2017, tremendous vulnerabilities have been found in Bluetooth implementations of all operating systems. All of them![140] Researchers disclosed a bevy of Bluetooth vulnerabilities that threaten billions of devices from Android and Apple smartphones to millions of printers, smart TVs and IoT devices that us the short-range wireless protocol. Worse, according to researchers at IoT security firm Armis that found the attack vector, the so-called “BlueBorne” attacks can jump from one nearby Bluetooth device to another wirelessly. It estimates that there are 5.3 billion devices at risk. [...] According to researcher, only 45 percent of Android phones (960 million) are patchable, leaving 1.1 billion active Android devices older than Marshmallow (6.x) vulnerable. [...] All Windows computers since Windows Vista are affected. [...] Also vulnerable are millions of smart Bluetooth devices running a version of Linux. [...] “This set of capabilities are every hacker’s dream. BlueBorne can serve any malicious objective, such as cyber espionage, data theft, ransomware, and even creating large botnets out of IoT devices like the Mirai Botnet or mobile devices as with the recent WireX Botnet,” according to the company. “This means almost every computer, mobile device, smart TV or other IoT device running on one of these operating systems is endangered by at least one of the eight vulnerabilities. This covers a significant portion of all connected devices globally,” researchers said. [...] “The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, make these vulnerabilities all the more serious and pervasive,” they said. “Once a device is infected with malware, it can then easily broadcast the malware to other Bluetooth-enable devices in its vicinity, either inside an office or in more public locations.” “These silent attacks are invisible to traditional security controls and procedures. Companies don’t monitor these types of device-to-device connections in their environment, so they can’t see these attacks or stop them,” said Yevgeny Dibrov, CEO of Armis. “The research illustrates the types of threats facing us in this new connected age.” [...] “These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date. Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device,” according to researchers.
7.5 What about smartphones, tablets and older mobile phones?
Let's assume we managed to put trustworthy software on such devices. Only under very unhappy circumstances can the device itself be a source of trouble: When a SIM card is inserted – maybe even when the device is connected in emergency call mode – then an attacker may be able to hack into the device over the regular GSM cellular phone network rather than over WiFi,[141][142][143] typically by sending a specially fabricated SMS message. Since the cryptography of SIM cards has been cracked, even a tech-savvy criminal may be able to break into a telephone.[144][145][146] While the world's largest SIM card producer, Gemalto, was busy putting Facebook Chat onto SIM cards,[147] the French-Dutch digital security giant became better known for having been hacked by the GCHQ and NSA.[148][149] Beyond what is possible with the GSM and SIM cards stacks alone, national operators are typically obliged to provide lawful interception services to their governments.[150] So an SMS could also be used to activate data roaming behind the back of the user and allow remote control that way. Also, governments can easily track the geographical movements of mobile phones, access meta data, messages and phone calls.[151]
Among hackers it is generally assumed that GSM telephones allow the local government to set-up a continous telephone call to listen in on the surroundings of the device.[152] You would typically notice this kind of activity by the fact that your battery is drained much earlier than usual. Another commonplace feature of GSM is the stealth SMS feature that is used to track the current location of a suspect person.[153] Both of these GSM features cannot be disabled even by the choice of operating system, because they are implemented in an external GSM chip whose proprietary code is kept secret since the 90s, even in the face of smartphone manufacturers. So if you really want a trustworthy telephone, you would need a custom WiFi-only device which then receives and calls out to regular telephones using VoIP. There are plenty of VoIP tools available for Linux and on F-Droid. Such a phone would not work if you're out of range of any friendly WiFi (= WLAN).
8. Is it safe to make phone calls?
Even if we have a secure operating system on our telephones, that doesn't protect our calls from being recorded:[154] The National Security Agency has built a surveillance system capable of recording “100 percent” of a foreign country’s telephone calls, enabling the agency to rewind and review conversations as long as a month after they take place. […] The voice interception program, called MYSTIC, began in 2009. Its RETRO tool, short for “retrospective retrieval,” and related projects reached full capacity against the first target nation in 2011. Anything you ever say in a telephone conversation is being converted to easily searchable text, archived in Bluffdale for the rest of your life and available to thousands of spooks via XKEYSCORE.[155][156][157][158] Siri can understand what you say. Google can take dictation. Even your new smart TV is taking verbal orders. So is there any doubt the National Security Agency has the ability to translate spoken words into text? […] Top-secret documents from the archive of former NSA contractor Edward Snowden show the National Security Agency can now automatically recognise the content within phone calls by creating rough transcripts and phonetic representations that can be easily searched and stored. The documents show NSA analysts celebrating the development of what they called “Google for Voice” nearly a decade ago. […] In 1999, a young Australian cryptographer named Julian Assange stumbled across an NSA patent that mentioned “machine transcribed speech.” Assange, who went on to found WikiLeaks, said at the time: “This patent should worry people. Everyone’s overseas phone calls are or may soon be tapped, transcribed and archived in the bowels of an unaccountable foreign spy agency.” […] The Snowden documents describe extensive use of keyword searching as well as computer programs designed to analyze and “extract” the content of voice conversations, and even use sophisticated algorithms to flag conversations of interest. […] Spying on international telephone calls has always been a staple of NSA surveillance, but the requirement that an actual person do the listening meant it was effectively limited to a tiny percentage of the total traffic. By leveraging advances in automated speech recognition, the NSA has entered the era of bulk listening. And this has happened with no apparent public oversight, hearings or legislative action. Congress hasn’t shown signs of even knowing that it’s going on. The USA Freedom Act […] doesn’t address the topic at all. […] A 2008 document from the Snowden archive shows that transcribing news broadcasts was already working well seven years ago. […] The strategic advantage, invasive potential and policy implications of being able to turn spoken words into text are not trivial: Suddenly, voice conversations, historically considered ephemeral and unsearchable, can be scanned, catalogued and archived — not perfectly, but well enough to dramatically increase the effective scope of eavesdropping. NSA documents specifically indicate that the processing of the languages spoken in Afghanistan was already operational in 2011.[159][160] According to the Daily Mail, "Jihadi John" was found by automatic voice recognition.[161] For lawyers, doctors, journalists and politicians Microsoft Skype, Apple Facetime and Google Hangouts are obviously all no-gos. For secure phone calls one could try alternatives like Tox or Jitsi. There's also a conference call tool which is popular in activist circles, it is called Mumble and needs a secure server. WebRTC applications can be designed in such a way, that they are actually secure — the signaling server however needs to be placed in a surveillance-proof environment.
Summary: Phone calls may be harmless as long as you don't say anything that could put you or others at risk. But be aware that sometimes you will only realize when a phonecall was sensitive when it is too late.
Footnotes:
8.1 Building secure WebRTC systems
WebRTC is a mostly peer-to-peer (P2P) conferencing technology for exchange of audio, video and data, that has been built directly into several web browsers. Given reasonable safety of the participating computers and web browsers, WebRTC can be configured to support end-to-end encryption — from one person directly to the other. To achieve this, the web server that coordinates the session needs to be 100% trustworthy. In most cases, however, the main server is hosted in a virtual machine that isn't difficult for a state actor to automatically put under surveillance without its administrators even being able to find out.[162] It must be ensured that WebRTC websites use so-called DTLS-SRTP negotiation[163] and that the signalling web server relaying the cryptographic exchange between the peers is not corrupted to execute man in the middle (MITM) attacks.[164] Depending on the specific implementation, WebRTC communications may be vulnerable to a whole range of attacks if the signaling data becomes visible. This would happen if the server is used without encryption or if a MITM attack is performed on the HTTPS connection to the server.[165] Most governments own an X.509[166] certification authority and are therefore empowered to produce false certificates for any HTTPS address. You can protect your users by implementing a form of certificate pinning in your endpoint devices, be it tablets or computers.[167] Disclosure: I happen to be the initiator of the most popular certificate pinning implementation for Firefox. Even if we get all of this fixed, WebRTC still allows observing attackers to evaluate audio level metadata or attempt phoneme detection,[168][169] this way detecting the language being spoken[170] or identify a specific person speaking.[171] Technologies based on GNUnet could help in this regard, but they aren't available yet.[172]
8.2 Do we get to have all the tools we need?
You know that most proprietary softwares you are used to run on your laptop have some more or less compatible equivalent in the free world. Several decades of work were invested into LibreOffice, which originally started in the 90s as a start-up from Hamburg. It was called StarOffice. The inkscape vector graphics program is in many ways even superior to Adobe's. But should you really, really have a need that can only be satisfied by Microsoft, there are ways to run such software in an isolated sandbox.
Footnotes:
9. Keep the Internet of Things off the Internet
Summary: In general we must be very careful which proprietary devices we connect to the Internet. The lesser the better.
10. Concluding...
Congratulations for making it down here. I am proud of you. I bet that was a lot of information to digest and a lot of expectations of safety shattered. Truth is, information technology has grown for decades without paying attention to human rights — and now even the highest courts of justice confirm that we are living in a house of cards, so tall, no individual person can grasp it all. Yet, not everything is lost. To each problem I described there is at least one more or less decent path we can take to make things better.
10.1 What if we could demand constitutional technology?
Given all of the above you should doubt whether the current Internet is constitutional in the first place. Constitutional documents are traditionally defined as contracts between the citizen and their respective governments. Given however that in a globalized and technological world, threats to the democratic constitutions are mainly coming from foreign governments and industries, it is reasonable to expect that supreme courts would rule that the constitutional principles also need to be applied to foreign powers and industry, especially when serving basic civil communication services. So far, little clarification on that matter exists. Since supreme courts are obliged only to maintain justice, ethics and constitutionality, there also shouldn't be much doubt on what their decision would be — given a case to rule. The 'Safe Harbor' rule was only a first cautious step in the right direction. Supreme courts need to be more adamant, if they intend to protect democracy and the biosphere in due time. Some critical parts of the Internet would need to be redesigned, [173] should the supreme courts ever put the ability of acquiring omniscience in relation with the effects it can have and is already having on democracy. The verdict could be, that all of IT industry has slowly slipped into unwittingly breaking constitutional law, for decades. Regulation is needed to counter this, as well-intended actors cannot commercially compete with the ones oriented at financial gains for shareholders. And then there still is us, the regular citizen. We, too, have a power, if we coalesce and manifest our wish for a secure computing infrastructure on the streets, in the eyes of our political leadership. A law that requires constitutionality of the Internet would also bring us a new telephone system that respects our rights and preconditions for democracy. Because it isn't democracy if it depends on the benevolence of the government in power. We should meet in the streets and demand such a constitutional Internet. To empower democracy rather than dismantle it further.
Footnotes:
11. Disclaimers
11.1 Quantum disclaimer
This report does not take into account the theoretical threat of quantum cryptography. Should such a technology become available we have to re-engineer almost everything we do on the Internet.[174][175][176] All the buzz about quantum computers might as well be a scare tactic designed to make us feel like all is lost anyhow. For all we know of the Five Eyes' methods, trying to actually break cryptography is rarely their focus as it fails most of the time.
11.2 Legal disclaimer
I think I know how to read and interpret data protection laws, but I am not a lawyer. I cannot ensure that my legal analysis is on a level with my technical analysis. But even if I was a lawyer I would not be able to predict the judgements of the European Court of Justice on several facets of the thorny issues around mass surveillance. Legally speaking I cannot afford to guarantee accuracy of my technical analysis either, but given my past record I am confident to say that my few deductions on the many facts I have collected are likely correct. In any case they honestly reflect my current state of expertise after 28 years on the Internet.
Footnotes:
1 Data Protection and the Cloud
2 How American government got a grip on digital technology 2.1 1995: Pentagon decides to control the Internet 2.2 1996: How the CIA created Google and XKEYSCORE 2.3 1999: Companies caught collaborating with the NSA 2.4 Had Skype to be acquired at all costs? 2.5 PRISM: Integrating corporate cloud systems into XKEYSCORE 2.6 TEMPORA: Your life over intercontinental cables 2.7 2016: Hackers broke into the NSA, found tools to subvert Cisco devices 2.8 2017: XKEYSCORE now available to anyone who can afford to bribe 2.9 Dropbox: giving every person's private files to the NSA 3 How dangerous is it to employ Microsoft? 3.1 What about anti-virus software? 3.2 What if I buy a completely new computer? 4 How dangerous are Apple, Google and other American companies? 5 In Linux we trust? 6 Android, the Linux for small devices 7 What about the hardware? Can we use computers? 7.1 Hardware is probably not the problem. 7.2 Update 2018: What's the buzz with Meltdown and Spectre 7.3 Tailored access operations: Computer implants 7.4 But keep the Bluetooth switched off 7.5 What about smartphones, tablets and older mobile phones? 8 Is it safe to make phone calls? 8.1 Building secure WebRTC systems 8.2 Do we get to have all the tools we need? 9 Keep the Internet of Things off the Internet 10 Concluding... 10.1 What if we could demand constitutional technology? 11 Disclaimers 11.1 Quantum disclaimer 11.2 Legal disclaimer
|