Snowden Interview in The Intercept

Mass surveillance is worse than five years ago, and it’s cool to think about the initial disclosures and then fast forward to this interview. Also, if you haven’t seen the documentary Citizenfour, I recommend watching it.

Mehdi Hasan: I’m Mehdi Hasan, welcome to Deconstructed.

My guest today is the NSA whistleblower Edward Snowden. Yes, the man himself, who became a global household name almost exactly five years ago.

[…]

So I started off by asking Edward Snowden: “Is privacy dead?”

ES: No, and I think this is the thing that is really taken out of context by politicians and all of these corporate powers that are working to use that as a justification to extend and further the abuses that we’ve seen in the last decade or so. When you look at the polling and all of these different issues and you ask young people, particularly, you know: Do you care about privacy? They actually seem to care more than older generations because this affects their lives every day. They understand what it means to make a mistake, have someone with a smartphone in the room and then have it haunt you for the rest of your time in high school or college or whatever.

There is this feeling of powerlessness that’s surrounding all of us every day on this issue, because we see that we are being abused. People openly admit that they’re abusing us. You know, Mark Zuckerberg in front of Congress is talking about this quite unashamedly.

[…]

MH: Your enemies here in the U.S. have accused you of being ultra-critical of the U.S. government but soft on the Russian government, on President Vladimir Putin. And yet in March, I saw that you were on Twitter suggesting there had been vote-rigging in the Russian presidential election. You even called on Russians to “demand justice.” More recently you called the Russian government’s attempt to crack down on the messaging app Telegram “totalitarian.”

Now, from where I’m sitting, those were pretty bold, ballsy, principled moves by you, but were they also foolish moves? Aren’t you risking pissing off Putin and him then sending you back into the U.S. in a fit of rage?

ES: You know, yeah there’s definitely risks involved. And it’s not a smart thing to do. Every one of my lawyers tells me it’s a mistake to keep criticizing the Russian government. They say: Look, you’ve done enough. But that’s not what I’m here for, right? If I wanted to be safe, I never would have left Hawaii. I believe that this world can be better. I believe that this world should be better, but it’s not going to get better unless we make it better. And that requires risk, that requires hard work, that ultimately might require sacrifice.

[…]

MH: Where do you think you’ll be another five years from now?

ES: I don’t know. I honestly don’t know. There have been so many times, over the last five years, where I’ve been sure that things were going to change, that people understood, there were days I was sure that nothing was ever going to change, and it’s status quo forever. But it’s that uncertainty that actually gives me optimism, that gives me hope.

So many people look at the world today, they look at how broken and ruined things are, and they are just disempowered and lost. But what I want people to focus on is the fact that things changed, right. And if they can change for the worse, they can change for the better. And the only reason the world is changing for the worse is because bad people are working to make it happen that way. And if more good people are organizing, if we’re talking about this stuff, if we’re willing to draw lines that we will not allow people to cross without moving us out of the way, the pendulum will swing, and I’ll be home sooner than you think.

Availability of 3D-Printed Weapons Presents Risks, and 3D Printers Present Other Opportunities

The main cause of violent street criminality is poverty. Having many of the same societal problems we face today — poverty, despair, isolation — exist at similar levels in a world where 3D-printed weapons are widely accessible is a recipe for more disasters.

While advances in additive manufacturing offer potential breakthroughs in prosthetic arms or jet engine parts, 3D printing, as it is known, may also accelerate weapons proliferation.

A new RAND Corporation paper suggests additive manufacturing could benefit military adversaries, violent extremists and even street criminals, who could produce their own weapons for use and sale.

3D printing technology is also susceptible to hacking, which could allow sabotage by hackers who maliciously instruct 3D printers to introduce flawed instructions or algorithms into mission-critical parts of airplanes, according to the paper.

[…]

Additive manufacturing may also indirectly support the survival and rise of pariah states like North Korea, which could avoid the costs of withdrawing from the international community by producing complex items domestically, skirting international sanctions.

From an economic perspective, by decentralizing manufacturing, individuals and firms may choose to produce locally rather than importing goods. 3D printing could therefore weaken international connections currently sustained by complex, multi-country supply chains, the authors conclude. That in turn may create upheaval in labor markets — and subsequent social conflict.

“Unemployment, isolation and alienation of middle and low-skilled laborers may be exacerbated by additive manufacturing, potentially leading to societal unrest in both developed and developing countries,” said Troy Smith, an author on the paper and an associate economist at RAND. “The potential security implications of large masses of unemployed, disconnected people are substantial.”

[…]

The paper, “Additive Manufacturing: Awesome Potential, Disruptive Threat,” is part of a broader effort to envision critical security challenges in the world of 2040, considering the effects of political, technological, social and demographic trends that will shape those security challenges in the coming decades.

Polisis AI Developed to Help People Understand Privacy Policies

It looks as though this AI development could be quite useful in helping people avoid the exploitation of their personal information. Someone reading this may also want to look into a resource called Terms of Service; Didn’t Read, which “aims at creating a transparent and peer-reviewed process to rate and analyse Terms of Service and Privacy Policies in order to create a rating from Class A to Class E.”

But one group of academics has proposed a way to make those virtually illegible privacy policies into the actual tool of consumer protection they pretend to be: an artificial intelligence that’s fluent in fine print. Today, researchers at Switzerland’s Federal Institute of Technology at Lausanne (EPFL), the University of Wisconsin and the University of Michigan announced the release of Polisis—short for “privacy policy analysis”—a new website and browser extension that uses their machine-learning-trained app to automatically read and make sense of any online service’s privacy policy, so you don’t have to.

In about 30 seconds, Polisis can read a privacy policy it’s never seen before and extract a readable summary, displayed in a graphic flow chart, of what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. Polisis’ creators have also built a chat interface they call Pribot that’s designed to answer questions about any privacy policy, intended as a sort of privacy-focused paralegal advisor. Together, the researchers hope those tools can unlock the secrets of how tech firms use your data that have long been hidden in plain sight.

[…]

Polisis isn’t actually the first attempt to use machine learning to pull human-readable information out of privacy policies. Both Carnegie Mellon University and Columbia have made their own attempts at similar projects in recent years, points out NYU Law Professor Florencia Marotta-Wurgler, who has focused her own research on user interactions with terms of service contracts online. (One of her own studies showed that only .07 percent of users actually click on a terms of service link before clicking “agree.”) The Usable Privacy Policy Project, a collaboration that includes both Columbia and CMU, released its own automated tool to annotate privacy policies just last month. But Marotta-Wurgler notes that Polisis’ visual and chat-bot interfaces haven’t been tried before, and says the latest project is also more detailed in how it defines different kinds of data. “The granularity is really nice,” Marotta-Wurgler says. “It’s a way of communicating this information that’s more interactive.”

[…]

The researchers’ legalese-interpretation apps do still have some kinks to work out. Their conversational bot, in particular, seemed to misinterpret plenty of questions in WIRED’s testing. And for the moment, that bot still answers queries by flagging an intimidatingly large chunk of the original privacy policy; a feature to automatically simplify that excerpt into a short sentence or two remains “experimental,” the researchers warn.

But the researchers see their AI engine in part as the groundwork for future tools. They suggest that future apps could use their trained AI to automatically flag data practices that a user asks to be warned about, or to automate comparisons between different services’ policies that rank how aggressively each one siphons up and shares your sensitive data.

“Caring about your privacy shouldn’t mean you have to read paragraphs and paragraphs of text,” says Michigan’s Schaub. But with more eyes on companies’ privacy practices—even automated ones—perhaps those information stewards will think twice before trying to bury their data collection bad habits under a mountain of legal minutiae.

Central Database for Helping People Fight Ransomware

Ransomware is malware that encrypts or locks user files and is often attached to a ransom demand by a malicious entity. This No More Ransom database includes the encryption keys and tools for several of the existing ransomware threats, although they are predominantly of ransomware strains that have already been around for a while. Nonetheless, No More Ransom should help some people neutralize ransomware without paying a ransom.

NoMoreRansom

Two Critical Flaws Discovered in the World’s Computers

The Spectre and Meltdown security flaws are definitely very severe indeed.

Computer security experts have discovered two major security flaws in the microprocessors inside nearly all of the world’s computers.

The two problems, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.

There is no easy fix for Spectre, which could require redesigning the processors, according to researchers. As for Meltdown, the software patch needed to fix the issue could slow down computers by as much as 30 percent — an ugly situation for people used to fast downloads from their favorite online services.

“What actually happens with these flaws is different and what you do about them is different,” said Paul Kocher, a researcher who was an integral member of a team of researchers at big tech companies like Google and Rambus and in academia that discovered the flaws.

Meltdown is a particular problem for the cloud computing services run by the likes of Amazon, Google and Microsoft. By Wednesday evening, Google and Microsoft said they had updated their systems to deal with the flaw.

Amazon told customers of its Amazon Web Services cloud service that the vulnerability “has existed for more than 20 years in modern processor architectures.” It said that it had already protected nearly all instances of A.W.S. and that customers must update their own software running atop the service as well.

To take advantage of Meltdown, hackers could rent space on a cloud service, just like any other business customer. Once they were on the service, the flaw would allow them to grab information like passwords from other customers.

That is a major threat to the way cloud-computing systems operate. Cloud services often share machines among many customers — and it is uncommon for, say, a single server to be dedicated to a single customer. Though security tools and protocols are intended to separate customers’ data, the recently discovered chip flaws would allow bad actors to circumvent these protections.

The personal computers used by consumers are also vulnerable, but hackers would have to first find a way to run software on a personal computer before they could gain access to information elsewhere on the machine. There are various ways that could happen: Attackers could fool consumers into downloading software in an email, from an app store or visiting an infected website.

According to the researchers, the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

Customers of Microsoft, the maker of the Windows operating system, will need to install an update from the company to fix the problem. The worldwide community of coders that oversees the open-source Linux operating system, which runs about 30 percent of computer servers worldwide, has already posted a patch for that operating system. Apple had a partial fix for the problem and is expected to have an additional update.

The software patches could slow the performance of affected machines by 20 to 30 percent, said Andres Freund, an independent software developer who has tested the new Linux code. The researchers who discovered the flaws voiced similar concerns.

This could become a significant issue for any business running websites and other software through cloud systems.

There is no evidence that hackers have taken advantage of the vulnerability — at least not yet. But once a security problem becomes public, computer users take a big risk if they do not install a patch to fix the issue. A so-called ransomware attack that hit computers around the world last year took advantage of machines that had not received a patch for a flaw in Windows software.
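The article stresses that the Meltdown and Spectre fixes only help once they are actually installed and active. As an added example (not from the article or any vendor), the script below checks that on Linux, where the kernel reports the status of each known speculative-execution flaw as a one-line string in a file under /sys/devices/system/cpu/vulnerabilities/. The sample status strings embedded in the script are constructed to look like real output from a patched and an unpatched host; the script falls back to them when the sysfs directory is absent (non-Linux systems or containers without sysfs).

```python
"""Report whether the kernel's Meltdown/Spectre mitigations are active.

Added example, not code from the article. On Linux each file under
/sys/devices/system/cpu/vulnerabilities/ holds one status line for one flaw,
beginning with "Not affected", "Mitigation: ...", "Vulnerable..." or, on some
kernels, "Unknown: ...". Classifying that first word tells an administrator
whether the patches the article describes are really in effect.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample data (assumption: formatted like real sysfs output).
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, STIBP: conditional, RSB filling",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'.

    Only the leading keyword is inspected: the rest of the line lists which
    mitigation variant is in use, which differs from kernel to kernel.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. "Unknown: No mitigations" on some kernels


def unmitigated(statuses: dict) -> list:
    """Return the sorted names of flaws the kernel still reports as vulnerable."""
    return sorted(name for name, status in statuses.items()
                  if classify(status) == "vulnerable")


def read_sysfs(directory=SYSFS_DIR) -> dict:
    """Read every status file in the sysfs directory; {} if it does not exist."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    statuses = {}
    for path in sorted(directory.iterdir()):
        try:
            statuses[path.name] = path.read_text().strip()
        except OSError:
            continue  # some entries are unreadable in restricted containers
    return statuses


def report(statuses: dict) -> str:
    """Render a human-readable table plus a one-line verdict."""
    lines = [f"{name:<24} {classify(status):<13} {status}" for name, status in sorted(statuses.items())]
    bad = unmitigated(statuses)
    verdict = "all reported flaws mitigated or not applicable" if not bad else "STILL VULNERABLE: " + ", ".join(bad)
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    live = read_sysfs()
    if live:
        print(report(live))
    else:
        # No sysfs here: show the constructed samples so the output format is visible.
        print("sysfs not available; showing constructed samples\n")
        print(report(SAMPLE_PATCHED), "\n")
        print(report(SAMPLE_UNPATCHED))
```

Run it as any user on a Linux host; the sysfs files are world-readable. A "Vulnerable" line after an update usually means the new kernel has not been booted yet or the mitigation was disabled on the kernel command line, both worth confirming before trusting a patch to be in place.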

The other flaw, Spectre, affects most processors now in use, though the researchers believe this flaw is more difficult to exploit. There is no known fix for it, and it is not clear what chip makers like Intel will do to address the problem.

The Meltdown flaw is specific to Intel, but Spectre is a flaw in design that has been used by many processor manufacturers for decades. It affects virtually all microprocessors on the market, including chips made by AMD that share Intel’s design and the many chips based on designs from ARM in Britain.

Spectre is a problem in the fundamental way processors are designed, and the threat from Spectre is “going to live with us for decades,” said Mr. Kocher, the president and chief scientist at Cryptography Research, a division of Rambus.

“Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors,” Mr. Kocher said. An emphasis on speed while designing new chips has left them vulnerable to security issues, he said.

“We’ve really screwed up,” Mr. Kocher said. “There’s been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”

[…]

A fix may not be available for Spectre until a new generation of chips hit the market.

“This will be a festering problem over hardware life cycles. It’s not going to change tomorrow or the day after,” Mr. Kocher said. “It’s going to take a while.”

Antivirus Software Can be Turned Into a Powerful Spy Tool

Antivirus has fulfilled a useful role in removing malware, but it is also quite overrated. Installing security updates and using more robust software in general is often the better approach. I have long used the highly secure Qubes operating system much of the time myself, and there isn’t any need to use antivirus in it.

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There’s good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an untrustworthy antivirus maker — or hacker or spy with a foothold in its systems — could abuse that deep access to track customers’ every digital movement.

“In the battle against malicious code, antivirus products are a staple,” said Patrick Wardle, chief research officer at Digita Security, a security company. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.”

Mr. Wardle would know. A former hacker at the National Security Agency, Mr. Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents.

Mr. Wardle’s curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an N.S.A. developer, and may have played a critical role in broader Russian intelligence gathering.

[…]

For years, intelligence agencies suspected that Kaspersky Lab’s security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former National Security Agency contractor, described a top-secret, N.S.A. effort in 2008 that concluded that Kaspersky’s software collected sensitive information off customers’ machines.

The documents showed Kaspersky was not the N.S.A.’s only target. Future targets included nearly two dozen other foreign antivirus makers, including Checkpoint in Israel and Avast in the Czech Republic.

At the N.S.A., analysts were barred from using Kaspersky antivirus software because of the risk it would give the Kremlin broad access to their machines and data. But excluding N.S.A. headquarters at Fort Meade, Kaspersky still managed to secure contracts with nearly two dozen American government agencies over the last few years.

[…]

But, as Mr. Wardle’s research demonstrated, an untrustworthy vendor, or hacker or spy with access to that vendor’s systems, can abuse its deep access to turn antivirus software into a dynamic search tool, not unlike Google, to scan customers’ computers for documents that contain certain keywords.

serveimage

This picture above here is still fairly relevant even though it’s based on research that I would have done differently a few years ago.

New Haven App Uses a Smartphone to Guard Devices

Haven looks useful for more than it was designed for too, of course. Someone looking to secure a room in general could use the app to identify any unauthorized visitors.

It’s still in the early stages of development, but it’s one of the most promising attempts at defending against evil maid attacks for those with heightened threat models.

LIKE MANY OTHER journalists, activists, and software developers I know, I carry my laptop everywhere while I’m traveling. It contains sensitive information: messaging app conversations, email, password databases, encryption keys, unreleased work, web browsers logged into various accounts, and so on. My disk is encrypted, but all it takes to bypass this protection is for an attacker — a malicious hotel housekeeper, or “evil maid,” for example — to spend a few minutes physically tampering with it without my knowledge. If I come back and continue to use my compromised computer, the attacker could gain access to everything.

Edward Snowden and his friends have a solution. The NSA whistleblower and a team of collaborators have been working on a new open source Android app called Haven that you install on a spare smartphone, turning the device into a sort of sentry to watch over your laptop. Haven uses the smartphone’s many sensors — microphone, motion detector, light detector, and cameras — to monitor the room for changes, and it logs everything it notices. The first public beta version of Haven has officially been released; it’s available in the Play Store and on F-Droid, an open source app store for Android.

[…]

You can configure Haven to send you real-time encrypted alerts of what it detects to your other phone, the one you carry with you, when an intrusion is detected. You can choose to get encrypted Signal notifications, and you can also configure Haven to run a Tor onion service website (that is, a darknet site), and use Tor Browser on another device to connect in and view all of the alerts — all without giving anyone else access to these evidence logs unless you choose to share them. Haven also supports SMS text notifications, which can be intercepted but which might be more reliable in some situations.