Surveillance not only at the borders?

Until now it has been said that the state only monitors data traffic when it crosses the country's borders. This is now being eroded, as we have been able to read over the last few days:

The Internet service provider Bahnhof has been at the forefront of the resistance against surveillance since the early 90s. Today they raised the alarm in an email to their customers, saying that they cannot guarantee the security of certain customers precisely because of the municipal networks (stadsnät). They also promise to soon publish a list of all municipal networks affected by this and, in typical Bahnhof fashion, to campaign and mobilise opinion against the surveillance:

"The problem is the so-called open municipal networks, where the network owner controls the last stretch of cable up to your broadband outlet. It has come to our attention that some of these municipal networks in Sweden are connected to Maintrac, the company in Linköping that has been pointed out in the news as a base for surveillance and wiretapping.

This means that some of our customers risk having their IP numbers intercepted in the "last leg" of the network on the way to the building and the broadband outlet. (Where Bahnhof has run the fibre all the way, which is the case for many housing cooperatives and companies, there is no such risk.)

We will shortly list the municipal networks connected to Maintrac on our website. [...] We are going to shake up each of these networks to make them realise how insane this kind of registration is. [...] We will give everyone the opportunity to contact the municipal networks themselves and voice their views. After all, this concerns not only Bahnhof's customers but everyone in the affected networks."

Hacktivist attack against Obamacare

Just as I was finishing up my previous post, about the seeming self-sabotage involved in the development of the Obamacare website, this interesting piece of news turned up in my feed:

Denial-of-service tool targeting Healthcare.gov site discovered

Here is the message from the supposed hacktivists:

Destroy Obama Care.

This program continually displays alternate page of the ObamaCare website. It has no virus, trojans, worms, or cookies.

The purpose is to overload the ObamaCare website, to deny service to users and perhaps overload and crash the system.

You can open as many copies of this program as you want. Each copy opens multiple links to the site.

ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience.

Perhaps it is just the coincidence with the other blog post (which I started writing yesterday), but I feel a bit skeptical here. First of all, this is not a serious threat on a technical level (see the article for details), but rather a symbolic action of some kind. The note strikes me as odd, not the kind of thing I would expect either from hacker types or from constitutionalist activist types. I generally appreciate this kind of civil disobedience, but given the ineffectiveness of the attack itself, I wonder if this does not play into the hands of the White House, which is already building a narrative in which threats of external sabotage are used to explain the failed website launch.

Deep Packet Inspection as a Service

Deep packet inspection is an advanced method used, among other things, for monitoring data traffic. A strength of this technique is that it enables secret monitoring, since it operates at the network level. In a nutshell, a network operator grabs each packet of data sent, does what it wants with it and then sends it along on its way. To the intended recipient it looks exactly like a normal transfer.

TeliaSonera is the largest telecom operator in Sweden and Finland. The company was created by merging two former state monopolies and is now notorious for providing surveillance technology to foreign states with dictatorial regimes. The company has a page on its website about "Freedom and expression and privacy" where we find these rather vague sentences about customer privacy:

Much of the business of our sector in general is built upon the collection of data about individuals and their communication. [...] In this context, there are technological trends that pose challenges to all kinds of players in the field of ICT, including TeliaSonera. [...] These trends are such as; virtual networks and software available remotely for access by users (the ‘cloud’), behavioral advertising, examination of a data of a computer’s network enabling for instance, network management, security and data mining (‘deep packet inspection’), location awareness and the risk that seemingly anonymous data can be re-identified. [...] We are committed to protect and safeguard our customer’s privacy.

Did you notice the words "deep packet inspection"? Did you interpret that as a commitment from TeliaSonera to protect their customers from this type of monitoring? Think again. Deep packet inspection is actually a service being sold by TeliaSonera to their ISP customers. It is an optional feature that an ISP can buy to increase their control over what traffic is allowed to the end customer.

If you have been following recent events, this should not surprise you. But perhaps it would interest you to see an example of how TeliaSonera markets this technology to their corporate customers. Of course, as always when new methods of Internet control are rolled out, they are sanctified in the name of protecting children. When it comes down to it, what they are selling is, in the exact words of TeliaSonera:

a technical solution combining intelligent routing with deep packet inspection in order to deny access to URLs
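To make that quoted phrase concrete, here is an added Ruby sketch of my own (it is not TeliaSonera's product, which the document does not describe in any technical detail): a minimal deep packet inspector that reads a plaintext HTTP request or the server name (SNI) from a TLS ClientHello and applies a URL denylist to what it sees. The request and the ClientHello it runs on are constructed inline. The point it shows is the one that matters for an end customer on such a network: a URL match only works on plaintext traffic, while for TLS the box still learns the hostname but not the path.

```ruby
# Added example (my own Ruby, not TeliaSonera's product): what a DPI box on the path
# can read from one client-to-server payload, and what a URL denylist can act on.

# Parse a plaintext HTTP/1.x request head; nil if the payload is not one.
def parse_http_request(payload)
  return nil unless payload.ascii_only?
  head = payload.b.split("\r\n\r\n", 2).first.to_s
  request_line, *headers = head.split("\r\n")
  method, target, version = request_line.to_s.split(' ', 3)
  return nil unless version.to_s.start_with?('HTTP/')
  host = headers.map { |h| h.split(':', 2) }
                .find { |name, _| name.to_s.strip.casecmp?('host') }
                &.last&.strip
  { method: method, path: target, host: host }
end

# Extract the server_name (SNI) from a TLS ClientHello record; nil for anything else.
# Offsets follow the TLS layout: record header (5), handshake header (4),
# client_version (2), random (32), then the variable-length fields.
def parse_tls_sni(payload)
  b = payload.bytes
  return nil if b.length < 43 || b[0] != 0x16 || b[5] != 0x01
  u16 = ->(i) { (b[i] << 8) | b[i + 1] }
  p = 43
  p += 1 + b[p]                      # session_id
  p += 2 + u16.(p)                   # cipher_suites
  p += 1 + b[p]                      # compression_methods
  ext_end = p + 2 + u16.(p)
  p += 2
  while p + 4 <= ext_end
    etype, elen = u16.(p), u16.(p + 2)
    p += 4
    if etype == 0                    # server_name extension
      q = p + 2                      # skip server_name_list length
      while q + 3 <= p + elen
        name_type, nlen = b[q], u16.(q + 1)
        return payload.byteslice(q + 3, nlen).force_encoding('UTF-8') if name_type == 0
        q += 3 + nlen
      end
    end
    p += elen
  end
  nil
rescue NoMethodError, TypeError      # truncated or malformed input
  nil
end

# Build a minimal ClientHello carrying only an SNI extension (constructed test input).
def build_client_hello(server_name)
  name  = server_name.b
  entry = [0, name.bytesize].pack('Cn') + name   # name_type host_name(0), length, name
  list  = [entry.bytesize].pack('n') + entry
  ext   = [0, list.bytesize].pack('nn') + list   # extension_type server_name(0)
  body  = "\x03\x03".b + ("\x00" * 32).b +        # client_version, random (zeroed here)
          "\x00".b +                              # empty session_id
          "\x00\x02\x13\x01".b +                  # one cipher suite: TLS_AES_128_GCM_SHA256
          "\x01\x00".b +                          # compression_methods: null only
          [ext.bytesize].pack('n') + ext
  handshake = "\x01".b + [body.bytesize].pack('N')[1, 3] + body   # ClientHello, 24-bit length
  "\x16\x03\x01".b + [handshake.bytesize].pack('n') + handshake   # handshake record
end

# What the operator's box learns from this payload.
def inspect_payload(payload)
  if (http = parse_http_request(payload))
    url = http[:host] ? "http://#{http[:host]}#{http[:path]}" : http[:path]
    { protocol: :http, url: url, host: http[:host] }
  elsif (sni = parse_tls_sni(payload))
    { protocol: :tls, url: nil, host: sni }      # hostname leaks via SNI, the path does not
  else
    { protocol: :unknown, url: nil, host: nil }
  end
end

# "Deny access to URLs": only a URL visible in plaintext can be matched.
def url_filter_verdict(payload, denied_urls)
  denied_urls.include?(inspect_payload(payload)[:url]) ? :deny : :allow
end

# Constructed sample traffic: the same page requested over HTTP and, as far as the
# box can see, over TLS.
HTTP_REQUEST = "GET /forbidden/page.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: demo\r\n\r\n"
TLS_HELLO    = build_client_hello('www.example.org')
DENYLIST     = ['http://www.example.org/forbidden/page.html']

if __FILE__ == $PROGRAM_NAME
  [HTTP_REQUEST, TLS_HELLO].each do |pkt|
    puts "#{inspect_payload(pkt)} => #{url_filter_verdict(pkt, DENYLIST)}"
  end
end
```

Run it as a script and the HTTP request is denied while the TLS hello is allowed with only the hostname recorded. This is why a URL-level filter of the kind quoted above is, for an HTTPS site, reduced to a hostname-level filter, and why the hostname itself is the part an end customer cannot hide from the operator without additional measures.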

Here is the original document:

Snowden: A Manifesto for the Truth

This article by Edward Snowden was published today in Der Spiegel. Since I could not find a translation online, I decided to publish one (suggestions for improvements are welcome). I previously published the full text in German.

In a very short time, the world has learned much about unaccountable secret agencies and about sometimes illegal surveillance programs. Sometimes the agencies even deliberately try to hide their surveillance from high officials and the public. While the NSA and GCHQ seem to be the worst offenders - this is what the currently available documents suggest - we must not forget that mass surveillance is a global problem in need of global solutions.

Such programs are not only a threat to privacy, they also threaten freedom of speech and open societies. The existence of spy technology should not determine policy. We have a moral duty to ensure that our laws and values limit monitoring programs and protect human rights.

Society can only understand and control these problems through an open, unbiased and informed debate. At first, some governments feeling embarrassed by the revelations of mass surveillance initiated an unprecedented campaign of persecution to suppress this debate. They intimidated journalists and criminalized publishing the truth. At this point, the public was not yet able to evaluate the benefits of the revelations. They relied on their governments to decide correctly.

Today we know that this was a mistake and that such action does not serve the public interest. The debate which they wanted to prevent will now take place in countries around the world. And instead of doing harm, the societal benefits of this new public knowledge are now clear, since reforms are now proposed in the form of increased oversight and new legislation.

Citizens have to fight suppression of information on matters of vital public importance. To tell the truth is not a crime.

This text was written by Edward Snowden on November 1, 2013 in Moscow. It was sent to SPIEGEL staff over an encrypted channel.

Snowden: Ein Manifest für die Wahrheit

This was published today by Der Spiegel. It is currently a bit tricky to get the full text, since it is behind the Spiegel paywall, and also in a very strange format. So I decided to re-publish it.

Update: Here is the article in English translation.

In a very short time, the world has learned a great deal about irresponsibly operating intelligence services and about at times criminal surveillance programmes. Sometimes the services even deliberately try to avoid being controlled by high officials or the public. While the NSA and GCHQ (the British intelligence service, ed.) appear to be the worst offenders, as the documents that are now public suggest, we must not forget that mass surveillance is a global problem that needs global solutions.

Such programmes are not only a threat to privacy; they also threaten freedom of expression and open societies. The existence of espionage technology must not determine policy. We have the moral duty to ensure that our laws and values limit surveillance programmes and protect human rights.

Society can only understand and control these problems through an open, unreserved and well-informed debate. At the beginning, some governments that felt exposed by the revelations of the mass surveillance systems initiated an unprecedented campaign of persecution that was meant to suppress this debate. They intimidated journalists and criminalised the publication of the truth. At that time the public was not yet in a position to assess the value of these revelations. It relied on its governments to make the right decisions.

Today we know that this was a mistake and that such conduct does not serve the public interest. The debate they wanted to prevent is now taking place in countries all over the world. And instead of causing harm, the benefit of this new public knowledge for society is now becoming clear, because reforms in policy, oversight and legislation are now being proposed.

Citizens must fight against the suppression of information on matters of decisive public importance. Whoever speaks the truth commits no crime.

Edward Snowden wrote this text on 1 November 2013 in Moscow. It reached the SPIEGEL editorial staff over an encrypted channel.


An alternative view on Snowden

I am among those who have thought of Edward Snowden as a hero. I certainly think that we are in a better situation now that the public has more information about government surveillance. And I imagine that whatever his precise circumstances have been, Snowden has shown considerable and admirable courage - considering that the most likely outcome for him (acknowledged by himself in the first interview) is that he gets to spend the rest of his life in a supermax prison.

However, we cannot be certain of his motives, nor of the details in his story. It is always very useful when ideas you feel strongly about (e.g. "Edward Snowden is a hero") are analyzed and challenged. Today I read an article that did just that, and since it might do the same for you, I want to recommend it:

Sojuznik Snowden: A solid Russian investment

Jan Kallberg outlines an alternative story about how Snowden might have arrived in the public eye. His take on it is provocative and seemingly insightful. Basically he says that the official story is too good to be true, but if you assume that Snowden was recruited by the FSB and is releasing information on their behalf, things start to make sense:

Let us instead ask if this way of telling the story is more accurate: Snowden aired dissent in online forums and social media, was identified by Russian intelligence and then approached. Snowden was at that point disappointed with the US government and, with the right compensation, he was ready to jump. They gave him an offer: money and a secure way out after they ensured a free passage through China to make it less obvious. The Russians already had all the knowledge about the NSA activities Snowden revealed. This information had been gathered through still-active Russian spies within the US classified environment, cyber breaches and traditional intelligence gathering. The FSB operatives had the whole package, the classified documents and the game plan, when they met Snowden in Hong Kong. The rest is a well-orchestrated, drawn-out spreading of the information the FSB had.

I have no idea whether or not Kallberg's theory is likely to be true, but assuming it is - what would the consequences be? I have not really thought this through, but if it turned out that the information releases have all been part of a Russian psy-op, I suppose that I would no longer consider Snowden to be a hero. However, I also suppose that my basic reflection would still be valid, i.e. the public is better off having the information than not having it, even if some or all of it is edited for FSB propaganda purposes. I take the fact that the US government has denied precious few of the allegations as an indication that most of the information is accurate.

Encrypted mailing lists with Schleuder

I recently needed to have a way for a group of people to send encrypted messages to each other. Regular PGP is designed for one-to-one communication, so this is a bit of a tricky problem. Multiple strategies are possible, but they all involve some kind of trade-off in regards to security or practical feasibility.

One option is to use a secret key which is shared by all members. The benefit of this model is that it provides proper end-to-end encryption. The drawback is the practical problem of securely distributing the shared secret. If there is geographical separation and few other secure channels, this can be a very difficult problem. What happens if you need to revoke access for one of the members - do you create a new secret and go through the process of securely distributing it to everyone again?

The second option is to have users encrypt messages with a special public key, the list key. The list server receives messages, decrypts them with the private list key and immediately re-encrypts them with the public key of each member of the group. One benefit of this approach is that key management is a non-issue (the same as with normal PGP mail). The drawback is that messages will be decrypted and at some point held in cleartext before reaching the recipients. So there is no end-to-end encryption - in effect, the server performs a benevolent version of a man-in-the-middle attack.

The drawback of the first option is huge - I don't think I could convince anyone to participate in my mailing lists if they were so cumbersome to manage. The drawback of the second option on the other hand is rather limited. Temporarily decrypted messages need only be stored in RAM, and never for more than a few seconds. Given that we have some degree of trust in the list server, this is probably not one of our primary security concerns.
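To make the second model concrete, here is an added Ruby sketch of my own (it is not Schleuder's code, which relies on GnuPG and OpenPGP): a list key, a relay that decrypts each incoming message and re-encrypts it to every current member, and a walk-through of what removing a member amounts to. It assumes a hybrid RSA-OAEP plus AES-256-GCM construction as a stand-in for a PGP message, and it deliberately records every plaintext the relay handled so that the trade-off of the model is visible rather than hidden.

```ruby
require 'openssl'

# Added example (my own Ruby, not Schleuder's code, which uses GnuPG): the
# "list key" model. Members encrypt to the list's public key; the server decrypts
# and immediately re-encrypts to each current member's own key.

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Hybrid encryption to one public key: fresh AES-256-GCM key wrapped with RSA-OAEP.
# Stands in for an OpenPGP message.
def encrypt_to(pub, plaintext)
  cipher  = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  aes_key = cipher.random_key
  iv      = cipher.random_iv
  cipher.auth_data = ''
  body = cipher.update(plaintext) + cipher.final
  { wrapped_key: pub.public_encrypt(aes_key, OAEP), iv: iv, body: body, tag: cipher.auth_tag }
end

# Inverse of encrypt_to; raises OpenSSL::PKey::RSAError if priv is not the matching key.
def decrypt_with(priv, msg)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = priv.private_decrypt(msg[:wrapped_key], OAEP)
  cipher.iv  = msg[:iv]
  cipher.auth_tag  = msg[:tag]
  cipher.auth_data = ''
  (cipher.update(msg[:body]) + cipher.final).force_encoding('UTF-8')
end

class ListServer
  # Plaintext the relay had to handle: in a real deployment it lives only in RAM for
  # a moment, but this is exactly what the "benevolent man-in-the-middle" gets to see.
  attr_reader :seen_plaintexts

  def initialize
    @list_key = OpenSSL::PKey::RSA.new(2048)
    @members  = {}                     # address => member's public key
    @seen_plaintexts = []
  end

  def list_public_key
    @list_key.public_key
  end

  # Subscribing and unsubscribing are just key-list edits; no shared secret to redistribute.
  def subscribe(address, pub)
    @members[address] = pub
  end

  def unsubscribe(address)
    @members.delete(address)
  end

  # Receive a message encrypted to the list key and return one copy per current member.
  def relay(msg)
    plaintext = decrypt_with(@list_key, msg)
    @seen_plaintexts << plaintext
    @members.transform_values { |pub| encrypt_to(pub, plaintext) }
  end
end

# Walk through a two-member list, then drop one member.
def demo
  server = ListServer.new
  alice  = OpenSSL::PKey::RSA.new(2048)
  bob    = OpenSSL::PKey::RSA.new(2048)
  server.subscribe('alice@example.org', alice.public_key)
  server.subscribe('bob@example.org',   bob.public_key)

  first = server.relay(encrypt_to(server.list_public_key, 'meeting moved to Tuesday'))
  server.unsubscribe('bob@example.org')
  second = server.relay(encrypt_to(server.list_public_key, 'new plan, members only'))

  # Each copy is readable only by its addressee.
  cross_read_rejected = begin
    decrypt_with(bob, first['alice@example.org'])
    false
  rescue OpenSSL::PKey::RSAError, OpenSSL::Cipher::CipherError
    true
  end

  {
    alice_first:  decrypt_with(alice, first['alice@example.org']),
    bob_first:    decrypt_with(bob,   first['bob@example.org']),
    alice_second: decrypt_with(alice, second['alice@example.org']),
    bob_removed:  !second.key?('bob@example.org'),
    cross_read_rejected: cross_read_rejected,
    server_saw:   server.seen_plaintexts
  }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The two things worth noticing in the output are that revoking Bob is a one-line change on the server with nothing to redistribute, which is the practical advantage over the shared-secret model, and that `server_saw` contains both messages in the clear, which is the price paid for it and the reason the list server has to be a machine you trust.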

With this decision made, I started looking for specific software to use. I quickly found a very nice open source project called Schleuder (meaning 'slingshot' in German), which had exactly the features I was looking for, a few little extras that I hadn't thought of but liked, and basically nothing else - perfect! And when I downloaded the source I got another nice surprise: Schleuder is written in Ruby which happens to be my weapon of choice for everyday scripting.

Thus began my love affair with Schleuder. About a week later it was consummated when I had a server set up and could start playing around with encrypted lists. So far there are a couple of small groups keeping in touch through the Schleuder lists on my server, and I'm working on getting more people to start using encryption and joining lists. I have also written my first Schleuder plugin and hopefully I will find the time to write a few more.

Some of the extra features that Schleuder comes with:

  • Anonymous remailer. Lists can act as mail gateways for groups, exchanging mail with any external address. Might be useful e.g. for info-type addresses or for anonymity purposes.
  • Lists are to a large extent managed by sending text commands in emails to the list server. Commands include things like adding new members, listing current members, requesting a specific public key etc.
  • Flexible plugin system, which has worked without a hitch for me. Very easy to create new mail based commands. My first plugin experiment was a mail based web browser.

For more information about Schleuder, check out the project web site. And by all means, if you are interested in this kind of thing and want to share your thoughts, please send me an email. To anyone interested in having an encrypted mailing list for some project or just messing around, let me know and I will create a list for you on my server. The only requirement is that you are able to send and receive PGP encrypted mail.

IS4WCN 2013

This is a travel report I sent to a private mailing list after attending the 2013 International Summit for Wireless Community Networks in Berlin.

I have limited time to write, so here are some random reflections:

  • The conference was held at c-base in Berlin, which is an incredibly cool place. If you don't know it, you should google it. Since coming home I haven't been able to let go of the thought that I want to create a new place in Stockholm... We will probably never be able to create anything in Sweden that resembles c-base, but we could take a leaf or two out of their book...
  • The participants at the conference were extremely friendly, open, humble people. Everyone was generous with their time, and when I mentioned to someone that I wanted to talk to people from Athens, for example, someone else entirely came up an hour later and introduced two Greeks. I am used to hanging out at programming conferences and to some extent political conferences, so for me a certain degree of antisocial behaviour has perhaps become normal. In any case it was a very pleasant experience in Berlin and I made many interesting contacts.
  • There are lots of large mesh networks around the world. I was surprised by how many there were that I had never found in my attempts at research. There is both a wide spread in the technology people use and some remarkable similarities. People use fairly different kinds of hardware, routing protocols and so on, but the services that meet end users are quite alike.
  • Most network projects face a dilemma now that wifi connections are suddenly very readily available. Normal Swedes have unlimited 3G Internet on their phones, and often access to good wifi networks in public places as well. So these projects, which have marketed themselves as providers of Internet connectivity, can suddenly look redundant. People talked a great deal about how to get people to stay on the community networks, but it struck me that almost nobody talked about why they wanted to keep people there. For me, wanting to build mesh networks as an attempt at political self-defence, cities like Athens, Barcelona and Bogotá look extremely fortunate in already having a parallel infrastructure in place. I wonder whether these networks can be given new life with a more activist purpose.
  • It is often more interesting to learn about projects in developing countries. Their solutions are low-tech, cheap, flexible, robust and often less ideological, simply because they have to be. Talked quite a lot with a person from Cameroon whose Internet connection was 10 b/s (sic!). Some of the projects from richer countries seem to be more fluff and spend their energy on e.g. migrating from one hipster technology to another (a switch from MongoDB to CouchDB was discussed).
  • I am no longer as interested in installing OpenWRT on commodity routers. Attended a workshop with a guy from Bogotá who showed how to set up an extremely flexible mesh node on a Raspberry Pi with a wifi antenna, a minimal Debian installation and a handful of ordinary Unix daemons for OLSR routing, a DHCP server and so on. One example he showed was installing a Mumble server with a few keystrokes, which we then got to test VoIP through. Running a web server or just about anything else is of course trivially easy. And there are better/cheaper micro-architectures than the Raspberry Pi, and I intend to start experimenting with some of them.
  • Most projects seem to use a splash screen, a bit like when you browse on hotel wifi, but with the two options "Local services" and "Internet". If such a splash screen is done well, it can serve as the only standardised interface you need. I'm thinking it would be a small matter to bake in service discovery (via the OLSR layer) and show directly on the splash screen which services are available on nearby nodes. You don't need much more than that.
  • Haven't really come up with anything that feels like a killer app, but still think basic communication is what I personally want to try to develop to start with. Text messaging, e.g. via Bitmessage, VoIP services, file sharing. What you really want is to find things that can't be done on the regular Internet but can be done on a local network, but despite all the smart, creative people at the conference there were surprisingly few ideas in that direction.

Whole disk encryption and the boot partition

In most cases, so-called "whole disk encryption" does not in fact encrypt the whole disk. A small part of the disk is used for the boot partition, which must be stored unencrypted. This creates a potential attack vector. One description of this problem comes from Micah Lee in an interesting report originally published in 2600:

Pwning Past Whole Disk Encryption

In a nutshell: If an antagonist gets physical access to your computer (say, if you go to the bathroom and leave your laptop laying around, even if it is powered off), malicious software can be installed on the boot partition, e.g. a keylogger which grabs your hard drive decryption password the next time you enter it and/or any other kind of malware.

The suggested solution to this problem is to eliminate the local boot partition. Instead, have the boot partition on a flash drive which you insert temporarily every time you reboot your computer (much like you insert a physical key to start your car). To prevent tampering with the flash drive, and to make sure it is not close to the computer when you are not, buy a nice and durable one and keep it on your keychain.
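The remedy above removes the unencrypted partition from the disk altogether. As an added check of my own (not from the 2600 article), here is a Ruby script for the case where a boot directory does stay on the disk: it records a SHA-256 manifest of the directory and later reports which files were changed, removed or added. The directory layout and file contents in `demo` are constructed stand-ins for /boot, and the manifest itself would be kept on the removable key or inside the encrypted volume, never next to the files it describes, since an attacker who can rewrite the boot partition can rewrite a manifest stored on it just as easily.

```ruby
require 'digest'
require 'tmpdir'   # only for the constructed demo directory

# Added example (mine, not from the 2600 article): detect tampering with an
# unencrypted boot directory by comparing it against a recorded SHA-256 manifest.

# SHA-256 of every regular file below dir, keyed by path relative to dir.
def make_manifest(dir)
  Dir.glob('**/*', File::FNM_DOTMATCH, base: dir).sort.each_with_object({}) do |rel, acc|
    path = File.join(dir, rel)
    acc[rel] = Digest::SHA256.file(path).hexdigest if File.file?(path)
  end
end

# Compare the directory's current state against a manifest taken earlier.
def check_manifest(dir, manifest)
  current = make_manifest(dir)
  {
    missing: manifest.keys - current.keys,
    added:   current.keys  - manifest.keys,
    changed: (manifest.keys & current.keys).reject { |rel| manifest[rel] == current[rel] }
  }
end

def boot_intact?(dir, manifest)
  check_manifest(dir, manifest).values.all?(&:empty?)
end

# Demo on a constructed stand-in for /boot. A real manifest is taken right after
# installing or updating the kernel and bootloader, and kept on the removable key or
# inside the encrypted volume, never on the unencrypted partition it describes.
def demo
  Dir.mktmpdir do |root|
    boot = File.join(root, 'boot')
    Dir.mkdir(boot)
    Dir.mkdir(File.join(boot, 'grub'))
    File.write(File.join(boot, 'vmlinuz'), 'kernel image bytes')
    File.write(File.join(boot, 'grub/grub.cfg'), "menuentry 'Linux' { ... }\n")
    manifest = make_manifest(boot)
    intact_before = boot_intact?(boot, manifest)

    # Simulated tampering while the laptop was unattended: altered kernel image
    # plus an extra file dropped into the bootloader directory.
    File.write(File.join(boot, 'vmlinuz'), 'kernel image bytes with something extra')
    File.write(File.join(boot, 'grub/extra.mod'), 'unexpected file')
    { intact_before: intact_before, report: check_manifest(boot, manifest) }
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

A check like this only tells you after the fact that something was altered, and only if it runs from a trusted environment (for example from a live system booted off the keychain drive), which is why it complements rather than replaces moving the boot partition off the machine.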

My personal setup costs less than $10 and involves the following hardware:

Kingston DataTraveler SE9

Stainless Steel 2.9mm Curb Chain

Own your mail

Most people use email addresses under domain names owned by their mail hosting provider, e.g. gmail.com or hotmail.com. This makes it very easy for providers to revoke access to personal mail accounts. For one thing, all the archived mail will be inaccessible if the user has not taken care to make an independent backup. More importantly, the user can be denied access to all future incoming mail. At any point such a provider has the capacity to intercept messages, impersonate the user etc.

This is no way to manage such important personal tools as one's email addresses!

Fortunately, it is easy to solve the problem:

  1. Register your own domain name and use it for your personal mail account. Most email providers (e.g. Google) will provide this as a free add-on service, i.e. you can continue to use the Gmail web interface or whatever. Now, if Google suspends your account, you can simply point your domain to another provider and immediately start receiving your mail through them.
  2. Have backups of your mail history. The easiest way to achieve this is probably to set a normal desktop mail client to store all messages locally. There are also several tools for exporting mail data from e.g. Gmail. Now, if Google shuts your mail down, not only can you continue to use the same email address, you will also have access to your mail archive.
  3. Use cryptography to sign and encrypt messages as often as possible. Encryption takes away the ability of the mail provider to read the contents of messages sent through and stored on their servers. Signing removes the ability of external parties to impersonate you after taking control of your mail account. (This assumes, of course, that your private key remains private.)