Hard News by Russell Brown

Read Post

Hard News: The Real Threat

192 Responses

First ←Older Page 1 2 3 4 5 8 Newer→ Last

  • Stephen Judd, in reply to Jarno van der Linden,

    The deal with treating metadata properly in the legislation is that many people fear that the GCSB currently belives comms metadata -- who calls whom, when, where, etc -- is not classed by them as a "communication", and therefore not subject to the same rules re warrants and oversight etc. So the reason we want a proper treatment of metadata in law is to clarify that metadata collection and analysis in the comms context is equally intrusive, in order that the GCSB be more restrained, not less.

    In making this argument we're strictly concerned with the point of view that says the message is the communication and the details about the message are metadata. I agree that actually, the "meta-ness" of metadata is a matter of your current view of what the data is.

    Wellington • Since Nov 2006 • 3122 posts Report Reply

  • Trevor Nicholls, in reply to Sacha,

    Defence Force denies spying on Stephenson. Minister believes them.

    Have they actually denied spying on him in any way? The report I heard said they denied any unlawful/illegal surveillance. Given that the legality of what the GCSB et al have been doing is one of the points at issue, y'know....

    Wellington, NZ • Since Nov 2006 • 325 posts Report Reply

  • Sacha, in reply to Trevor Nicholls,

    good point, yes.

    "Minister hears what suits him"

    Ak • Since May 2008 • 19745 posts Report Reply

  • David Hood,

    I agree with Martin 's observation that https isn't s, not so much because of the other end of the cloud, but because the security of the system depends on the independence of the root certificate authorities.

    Dunedin • Since May 2007 • 1445 posts Report Reply

  • SteveH, in reply to David Hood,

    I agree with Martin ’s observation that https isn’t s, not so much because of the other end of the cloud, but because the security of the system depends on the independence of the root certificate authorities.

    But the other end of the connection is critical. Encrypting communication is irrelevant if the government (assuming that's who you're trying to keep your communication private from) can force the other party to reveal what you've communicated, or worse if they have a system like Prism that provides a backdoor into the data held by the other party. Using https for gmail is literally worse than useless if the NSA are harvesting data directly from Google's servers - functionally it's useless but it's actually worse than useless because it gives the illusion of security, possibly tricking you into trusting a communication channel that is not secure.

    Since Sep 2009 • 444 posts Report Reply

  • Jarno van der Linden,

    https does not hide what website you are communicating with, only the data sent between you and the site.

    It should also be remembered that government and government-controlled organisations are in the trusted certificate authority lists of your typical browser. That means that they can redirect your internet traffic through an intermediate site using their encryption and decryption keys. They can pretend to be publicaddress.net and your browser will be perfectly happy with it as it has a certificate from a trusted source that it is the real deal.

    Nelson • Since Oct 2007 • 82 posts Report Reply

  • Paul Campbell,

    I don't disagree - but making life difficult for the spooks by requiring them to do much more intrusive things (like demanding certs or backdoors into web sites) rather than just sitting there quietly and reassembling our packets and interpreting them in their own paranoid ways (think of it as a game of "telephone" with consequences) without out us having any knowledge it's even going on.

    We've known about thing like the San Francisco AT&T internet tap (where the NSA takes a copy of every packet passing through that exchange) for several years now, Snowden tells us it's wider and more pervasive that we ever imagined. I have no controls over how my packets, my voip calls, my web accesses, etc get to the UK or Europe - I can't choose an ISP who promises not to send them through the US or through a switch tapped by the NSA - but what I can do is encrypt my packets, hopefully putting them in the "too hard" basket for casual NSA snooping.

    I tossed Skype last week after we learned that Microsoft was enabling supposedly encrypted calls - peer-to-peer is the way to go - anything with a centralised service can be compromised by spooks quoting secret laws - luckily the crypto cat is out of the bag and we can all find our own secret large primes.

    Dunedin • Since Nov 2006 • 2623 posts Report Reply

  • Stephen R,

    http://www.salon.com/2013/07/29/can_apple_and_google_be_trusted/

    “Strongly encrypted data are virtually unreadable,” NSA director Keith Alexander told the Senate earlier this year.

    Unless, of course, the NSA can obtain an Internet company’s private SSL key. With a copy of that key, a government agency that intercepts the contents of encrypted communications has the technical ability to decrypt and peruse everything it acquires in transit, although actual policies may be more restrictive.

    PGP encrypted mail is still reasonably secure, but HTTPS might not be. The problem with PGP mail is maintaining your list of public keys for the people you want to talk to, (if you can get your correspondents to take the whole thing seriously enough to install pgp) and managing my keys across the wide variety of computers, tablets, phones etc that I use on a daily basis to access my mail.

    Security, ease of use, or cheap price. Pick one.

    Wellington • Since Jul 2009 • 259 posts Report Reply

  • Richard Aston,

    Meanwhile back in the trenches ..
    A good friend of mine, a senior journalist, is running his own backlash campaign , this from his email
    " What I am seeking is an agreement that we will all, with effect from Monday August 5, copy j.key@ministers.govt.nz into every email we send.
    Since he is so keen to read them, it seems to me that it is our patriotic duty to assist him. Obviously we can elect to except matters of a private nature; if they want to read them, they can spy on us.
    But dentists' appointments; minutes of the tennis club committee meetings; correspondence with TradeMe traders; rsvps, anything. Stuff with massive attachments would be really good.
    I expect this to have no effect other than nuisance value. But who knows: with a bit of luck one or two of us might get arrested. Or one of those subversive reporters might get onto it."

    Be interesting to see if it makes the news on 5 Aug .

    Northland • Since Nov 2006 • 510 posts Report Reply

  • Paul Campbell,

    yeah what we really need is a secure, decentralised, easy key distribution system - as you point out currently it's a pain

    The problem is that the current centralised system takes care of much of what we need quietly behind our backs but it provides a single point of failure that allows for the possibility that someone can forge my bank's public key - really I should be snarfing my bank's key off of my ATM card, or grabbing it directly at the bank rather than depending on some third party to provide the infrastructure.

    Every couple of months I have a conversation with a bank teller pointing out that I have no way to know whether their banking web site is safe to use - they usually dismiss my complaints .... then I point out that the DECT phone that they just used to talk over their secure phone system is easily hackable and was broken years ago (I implement DECT for a living) - I've been pointing this out for years now but they haven't reverted to corded phones yet

    Dunedin • Since Nov 2006 • 2623 posts Report Reply

  • Rich of Observationz, in reply to Jarno van der Linden,

    If they did that, they'd give themselves away to the first person who wanted to dig deeply (e.g. by obtaining the (imaginary?) publicaddress.net SSL certificate via a side channel, like visiting Russell and asking for it on memory stick and then comparing it with the one the site is serving to you).

    What they need is the actual certificate and private keys from e.g. publicaddress.net which would let them extract session keys and read encrypted traffic. (What the perfect forward secrecy thing, as implemented by Google does is to ensure that they can only read traffic *after* obtaining the key).

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Paul Campbell,

    I see Anonymous has taken down a bunch of Nat web sites - I bet there will be lots of gnashing of teeth, outraged people complaining about evil organisations hacking into people's website .... completely unaware of the irony

    Dunedin • Since Nov 2006 • 2623 posts Report Reply

  • Rich of Observationz, in reply to Paul Campbell,

    I'm sure the bank teller will have taken your comments on board. All bank tellers are educated to at least MSc level in the design of cryptographic systems, as well as their training in finance and economics. It's amazing many of them look so young after 14 years at university..

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Paul Campbell,

    heh - it's usually more a response to "why don't you do this on line?" - if they were that smart they'd probably realise that continually asking that question probably wasn't particularly encouraging of their long term future job prospects.

    Seriously though telling someone at the bank "there's a hole in the side of your ATM, people can reach in and grab fistfulls of money" is likely to be reported upwards and something done about it. "People can break in to your phone system when you call the central office and record account numbers, passwords, security questions, etc then make the same calls themselves looking as if they were talking from your phone" probably should too.

    Dunedin • Since Nov 2006 • 2623 posts Report Reply

  • Aidan,

    Canberra, Australia • Since Feb 2007 • 154 posts Report Reply

  • Russell Brown,

    Just breaking ...

    Answers to questions from Russel Norman indicate that Parliamentary Services DID hand over Andrea Vance's phone records to David Henry.

    How and why were we told otherwise in the first place?

    Auckland • Since Nov 2006 • 22850 posts Report Reply

  • Graeme Edgeler, in reply to Russell Brown,

    Answers to questions from Russel Norman indicate that Parliamentary Services DID hand over Andrea Vance’s phone records to David Henry.

    How and why were we told otherwise in the first place?

    The information I saw in the media suggested it was a contractor. However, there are a great many reasons why someone would make a mistake like that, and it doesn't necessarily suggest mal-intent.

    Wellington, New Zealand • Since Nov 2006 • 3215 posts Report Reply

  • Russell Brown,

    From Stuff:

    Henry had been called in by Key to investigate an unauthorised leak to Vance of a report on the Government Communications Security Bureau.

    It has previously been confirmed that Henry was provided with electronic records tracking Vance's movements in the parliamentary complex.

    Carter said today he became aware on Friday his answer in response to questions about Vance's phone records was wrong.

    Three months of phone records had "inadvertently" been supplied to Henry by Parliamentary Service during the course of his investigations. The information had been collated by parliamentary contractors Datacom.

    Henry immediately returned the records without viewing them and made it clear he had neither sought nor wanted them, Carter said.

    "I stress that the David Henry inquiry never requested this information and recorded that fact immediately the information was received. I am further advised that this information was not used by the inquiry."

    Carter confirmed, however, that Henry had sought phone records detailing which government ministers had phoned Vance.

    So the new story is that Henry only requested details of ministers' calls to Vance, but instead somehow, by accident, got details all Vance's calls.

    Carter quoted in the Herald:

    "I have been made aware that the phone records of a press gallery journalist were released by a Parliamentary Service contractor to the David Henry inquiry."

    Possibly throwing Datacom under the bus here?

    Auckland • Since Nov 2006 • 22850 posts Report Reply

  • Alastair Thompson, in reply to Russell Brown,

    Illegal stuff happens accidentally these days, apparently rather a lot.

    Wellington • Since Nov 2006 • 220 posts Report Reply

  • Stephen R,

    Quote from Stuff

    In response to written questions last week, Carter said a request from investigator David Henry for Vance's phone records had been declined.

    and once he'd "accidentally" got the records

    Henry immediately returned the records without viewing them and made it clear he had neither sought nor wanted them, Carter said.

    Does that make sense to anyone else? It looks like a contradiction to me which implies one of those statements is incorrect.

    Wellington • Since Jul 2009 • 259 posts Report Reply

  • Steve Reeves, in reply to Russell Brown,

    Well, naturally he blames someone else...

    A minister always takes the salary, but never the responsibility.

    Thank goodness for outsourcing, I say!

    Near Donny Park, Hamilton… • Since Apr 2007 • 94 posts Report Reply

  • Rob Stowell, in reply to Stephen R,

    Definitely fishy!
    As is 'there is no evidence Jon Stephenson was spied on". Which is quite compatible with: he was spied on, we know it, but we've destroyed all the evidence...

    Whakaraupo • Since Nov 2006 • 2120 posts Report Reply

  • Stephen R, in reply to Rob Stowell,

    As is 'there is no evidence Jon Stephenson was spied on". Which is quite compatible with: he was spied on, we know it, but we've destroyed all the evidence...

    One of the games played in our household at the moment is "With what technicality can this denial be true, while at the same time not be an actual denial".
    It's disturbing a) how many denials don't actually deny what they're accused of, and b) how rarely the initial denial is followed up by the reporters to whom it is given.

    Wellington • Since Jul 2009 • 259 posts Report Reply

  • Aidan, in reply to Rob Stowell,

    As is ’there is no evidence Jon Stephenson was spied on”. Which is quite compatible with: he was spied on, we know it, but we’ve destroyed all the evidence…

    Very Yes Minister-esque, e.g. "There is no evidence Jon Stephenson was spied on .. we've made quite sure of that".

    Gets to be every damn sentence needs to be parsed multiple ways for meaning. At the risk of seeming cliched, it really is Orwellian.

    Here in Aus the leader of the opposition has the fantastic phrase "I had no specific knowledge"! WTF does that mean? Whatever he feels like when knew facts emerge about the degree of his "knowledge". Post truth politics. GAH!

    Canberra, Australia • Since Feb 2007 • 154 posts Report Reply

  • Kumara Republic, in reply to Rob Stowell,

    Which is quite compatible with: he was spied on, we know it, but we’ve destroyed all the evidence…

    Speaking of which, Halliburton has just been pinged big time for destroying evidence relating to the Deepwater Horizon disaster.

    The southernmost capital … • Since Nov 2006 • 5446 posts Report Reply

First ←Older Page 1 2 3 4 5 8 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.