National and personal security are on a collision course
Fri 19 Sep 2014
It’s convention/expo season, and this autumn’s keynote speeches promise to be threaded with talk of security for the end-user or corporate client. Far away from the ambit of counter-terrorism, business and consumer solutions are being developed and enthusiastically promoted, as if personal and corporate security was an unrelated issue to general or intergovernmental security. Cisco is investing heavily in the future of its Intercloud infrastructure, which partially obscures information flow in a hybrid cloud environment, whilst Germany posits an exclusive sovereign cloud structure to prevent further NSA intrusions, and Russia considers an internet ‘kill switch’ in the event of national emergency.
Elsewhere the use of Warrant Canaries is on the rise, with the Snowden-recommended SpiderOak cloud storage system adopting one that will be renewed (or not) on a six-monthly basis, and which presumably is of little value even when breached, since SpiderOak data is encrypted client-side and cannot be decrypted on site by the proprietors.
The business ecostructure is treating security, not unsurprisingly, as a private matter, but current trends and developments indicate that any technology-led security solutions are headed for political disruption, particularly as the international security arena is so conflicted at the moment.
The end of the Right to Obscurity on the net
A newly proposed amendment by the Department of Justice to Rule 41 of the Federal Rules of Criminal Procedure would effectively give the FBI free reign to investigate any person or entity attempting to obscure their network packets – for instance via Tor, VPN or proxies. There is currently some argument as to whether the amendment, if passed, would only ratify currently existing practices: in 2013 the FBI acknowledged its attack on a highly anonymised French TOR host thought to be facilitating the distribution of child pornography.
In a climate where the notion of data sovereignty is constantly eroded by the statelessness of technology, the proposed amendment is arguably the killer blow regarding jurisdiction, since net traffic obfuscated via technologies such as Tor gets routed in such a manner as to reveal no IP addresses for relayed traffic. In fact the FBI signature in the 2013 Freedom Hosting operation was the use of a JavaScript exploit in the Tor browser to send the user’s MAC address to an FBI-accessible database, in order to de-anonymise the session activity.
In practice the identification of obscured network traffic cannot possibly give any indication of jurisdiction until it’s too late; if rule 41 is amended as proposed, all non-transparent global traffic, much of which may only be briefly crossing into the jurisdiction of the U.S. or other FiveEyes countries via a volunteer node, would become fair target for investigation. The node-based Tor system is an ‘anti-cloud’-style communications network, with bittorrent-style atomisation and redundancy of relays and servers.
A kingdom divided
In the case of Tor, the less-salubrious use of which is now commonly referred to as the ‘Dark Net’, it is easy to forget that it was invented by the U.S. Navy in the mid-1990s to facilitate secure communications for field operatives, and is still used for this purpose. The fact that the National Security Agency (NSA) is making such efforts to defeat TOR rather depicts American military intelligence as a kingdom divided against itself, the more so as every publicly successful exploit the NSA undertakes will end up patched and defended against by the U.S. Naval Research Laboratory in Washington, which originated The Onion Router (TOR) protocols and which protects them via its research department, The Center for High Assurance Computer Systems (CHACS).
Among its portfolio of projects, CHACS evaluates security risks to Tor and publishes attack strategies such as The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network [PDF], practically hunting manuals for the NSA, with emphasis on exploiting ‘exit nodes’ – the points where encrypted information leaves the Tor network to become accessible to the end-user.
So long as Tor can still do the job that it was designed for twenty years ago, and which it accomplishes with a non-partisan purity that we can only presume annoys some of its creators, we cannot reasonably expect lobbying for ISPs to ban or throttle the protocol, despite the occasional scare story which circulates among those who use it to view out-of-region video services or to bypass ISP-blocked domains. Even the FBI’s 2013 attack on Freedom Hosting doesn’t seem to be an attempt at demonising the protocol, or creating another ‘Reichstag fire’ effect using the reliable demon of child pornography.
Neither does the proposed amendment to Rule 41 seem intended to curb the use of Tor, VPN systems and proxy servers, since government needs all these technologies for its own purposes, but to remove the right to privacy for those who use them without an official mandate. This is paperwork, not propaganda.
On a day to day level, if passed, the immediate effect of the amendment would be hundreds of thousands of voices on the dark net crying out ‘I’m Spartacus’. And business is increasingly represented among those voices.
