Is true mobile phone security a lost cause? With the increasing popularity of mobile messaging applications with weak security practices, the escalation of sim card registration requirements, and the nearly antiquated legal definitions of the ways that mobile phones are used by citizens, securing mobile phone communications is a multi-faceted problem.
I’ve done mobile security trainings for a number of years now. And one of the biggest challenges that emerges with thinking through mobile security is all of the different areas where threats can emerge: the technical infrastructure of GSM networks, the personal information that’s needed to obtain a sim card, the location tracking capabilities of phones, and the list goes on.
During RightsCon, I had the opportunity to chat with the following rockstars about the current state of mobile security and what can be done to make improvements:
Last week, many of China’s major websites were inaccessible for nearly 24 hours to Chinese internet users. Chinese users trying to reach a range of websites ending in .com were re-routed instead to an IP address owned by Dynamic Internet Technology, which is the provider of the circumvention tool Freegate. DIT has been closely affiliated with the Falun Gong, a religious organization banned in China.
GreatFire.org, which examines Chinese censorship, has a detailed report investigating this outage, illuminating that all attempts within China to visit popular websites such as Sina Weibo, Baidu, etc. would be incorrectly re-routed to 184.108.40.206 (an IP address in Wyoming).
While state news agency Xinhua raised the possibility of hacking, and CNNIC attributed the breakdown to a "root server for top-level domain names", others blame the breakdown on a failure of the Great Firewall. As Chinese internet censorship expert Xiao Qiang states to Reuters, "It all points to the Great Firewall, because that's where it can simultaneously influence DNS resolutions of all the different networks (in China). But how that happened or why that happened we're not sure. It's definitely not the Great Firewall's normal behavior."
Proper implementation of a DNS to match the domain name and the IP address of a website or web service is critical to ensuring that the Internet functions properly. As GreatFire points out, DNS poisoning, or hijacking of DNS routing to send a visitor to an incorrect domain name or IP address, is a technique deployed by the Great Firewall to render ‘blacklist’ websites inaccessible. READ MORE »
Auditing of software of both the license and the source code is nothing new, especially of tools that are new to the digital security plethora of tools. But what about software whose use is widely recommended, but where little is known about the licensing decisions and the differences between original code and platform-specific applications? This is the impetus for the audit of the encryption software TrueCrypt.
TrueCrypt allows you to create an encrypted container on your computer's hard drive to store sensitive files, that to the untrained eye, appear like any other file you might find on a user’s computer. TrueCrypt storage “volumes” are typically made to look like a large video file (and hey, we even have a tutorial on how to make one that actually plays part of a video).
Despite being an open-source licensed project, there are legal and technical limitations to its openness.
While TrueCrypt’s source code is publicly available, the binaries (what makes TrueCrypt function without any installation process), are not. This matters because use of these binaries could potentially have security flaws that are unknown and unfixed. As cryptographer Matthew Green points out, the majority of TrueCrypt users only run and install it through the binaries, and while the source code sems trustworthy, it’s unclear if the binaries are. READ MORE »
Earlier this month, I had the opportunity to participate in an event to determine how human rights defenders might approach an emergency alert mobile app given their diverse risks, and to ensure that activists first consider their risks before adopting such a tool.
The following is a summary of this event, written by Alix Dunn of the Engine Room and Libby Powell of Radar.
How can an app developer make sure that an app doesn’t do more harm than good? For Amnesty International, that question could be one of life or death for human rights defenders using their new Panic Button app. READ MORE »
Officials of national and local governments who are responsible for responding to citizens’ requests for information must be properly organized, trained, funded, and protected.
Because government touches everything, a FOI law should touch everything.
It should be recognized that a FOI law is most important to average citizens at the local government level.
Many FOI laws are based on a presumption of access, stating that government records are accessible with certain exceptions; the exceptions should be based on the likelihood of harm that could arise as a result of disclosure.
The law should not require that government officers, employees, or agencies go to unreasonable lengths to accommodate applicants.
Early this summer, the Wall Street Journal published a widely-circulated article on the increasing restrictions to free speech online. South East Asia continues to be a region where internet freedom is under threat.
The most notable case is in Vietnam, where the draconian Decree 72 has been implemented. (More details on other restrictions in Vietnam can be found here). According to the decree, “[A] personal information webpage is a webpage created by individual on their own or via a social network. This page should be used to provide and exchange information of that individual only; it does not represent other individual or organization, and is not allowed to provide compiled information.” This law has severe implications for any journalists, academics, and others who seek to share work accomplished by others. In addition, the decree requires all foreign websites to include at least one server in Vietnam, so that the data stored on those servers can be accessed by local authorities. READ MORE »
What would the world look like if every citizen had access to affordable internet? That’s a question attempting to be solved by internet.org, a joint effort by Facebook, Ericsson, MediaTek, Nokia, Opera, Qualcomm and Samsung, that aims to “make internet access available to the two-thirds of the world who are not yet connected, and to bring the same opportunities to everyone that the connected third of the world has today.” READ MORE »
Internet freedom has been under threat in Vietnam for some time. The most recent action to repress free speech online is in the form of “Decree 72”, a legislation which requires Internet companies to cooperate with the Vietnamese government to enforce prohibition of: opposing the " the Socialist Republic of Vietnam," undermining "the grand unity of the people", damaging 'the prestige of organizations and the honour and dignity of individuals”, and other ambiguously worded means to express oneself online.
This decree also applies to “organization/individuals inside and outside Vietnam, directly/indirectly involved in managing/providing Internet services and information, and online games, ensuring information safety.” The decree was adopted on July 15th of this year, and will come into force on September 1st. The decree has largely been condemned by human rights organizations and internet industry operating in Vietnam. READ MORE »
Digital security can be quite challenging for activists working in conflict zones or similarly difficult environments. The SKeyes Center for Media and Cultural Freedom has produced the "Journalist Survival Guide", a series of animated videos aiming to provide journalists and citizen journalists operating in dangerous zones with the most essential recommendations on how to protect their physical and online safety.
Our favorite videos include "How to Protect your Computer against Hacking and Malware" ...
...as well as "How to Get a Secure Internet Connection".
Want to see more? All videos as well as accompanying scripts are available in English and Arabic. Enjoy!
While news of NSA and GCHQ surveillance continues to dominate the news, there are plenty of other countries that use legal and judicial means to justify online censorship and surveillance. Internet freedom is backsliding in these countries: READ MORE »
If your Twitter client didn't explode with the news about PRISM, here are the highlights, courtesy of the Washington Post:
An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.
The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.
Dropbox, the cloud storage and synchronization service, is described as “coming soon.”READ MORE »
Enter Snapchat, an app available on iOS and Android that allows users to take a photo, send it to a friend, and is deleted after 10 seconds. (It's so easy, even Stephen Colbert can do it). Sounds pretty great, right?
Snapchat photos appear to live "beyond the grave" in the memory of smartphones (perhaps making the Ghost logo all the more appropriate).
Decipher Forensics recently investigated if Snapchat photos actually are deleted, or if the image and any associated metadata with such photos can be recovered. Report author used two Android devices to send and receive Snapchat photos, and found that: READ MORE »
Elections and other political events can be a time in less transparent environments when there is increased internet monitoring and censorship. With notable elections coming up in the next few months, particularly in countries with a history of internet monitoring and filtering, utilizing circumvention technologies ahead of these events become extremely important. Circumvention technologies enable you to route your internet connection to an IP address outside of your country, allowing you to view otherwise filtered content. One of the best circumvention technologies is Tor.
However, in countries such as Iran and China, known Tor IP addresses (or "relays") had been intermittently blocked in the past, making it unusable. Expanded use of capabilities such as Deep Packet Inspection have even made it possible for some regimes to determine if internet traffic is being routed through Tor. READ MORE »
We preciously reviewed their report on Blue Coat, a U.S.-based company whose firewall and web filtering products have ended up in Syria, Burma, and other countries with a history of internet surveillance and censorship. READ MORE »
UPDATE: According to Koryo Tours, the only group that is currently sanctioned to bring foreigners into North Korea, "3G access is no longer available for tourists to the DPRK. Sim cards can still be purchased to make international calls but no internet access is available." Now, the only foreigners with 3G access will be permanent residents of the DPRK, not tourists.
Originally published February 28, 2013
This week, foreigners living in North Korea were able to connect to 3G services on their mobile devices and tablets. Koryolink (a joint venture between state-owned KPTC and Egyptian provider Orascom) informed foreign residents in Pyongyang that it will launch 3G mobile Internet service no later than March 1.
This newly-available access follows the reversal of regulations requiring visitors to surrender their phones at customs, and has been replaced with allowing foreigners to bring in their own mobile phones to use with Koryolink SIM cards.
Some have speculated that 3G access follows the highly publicized visit from Google CEO Eric Schmidt; however, Koryolink has stated the new service had “nothing to do” with his trip, and the carrier had "tried hard to negotiate with the Korean security side, and got the approval recently." READ MORE »
Myanmar used to have one of the highest costs for SIM cards in the world. However, after the 2011 election and subsequent efforts to open up Burma to the international community, prices for SIM cards have drastically dropped.
Quartz just published its findings on the decline of SIM cards prices, which have become vastly more affordable to average citizens in recent years:
Our trusted friends, the researchers at Citizen Lab recently published Planet Blue Coat, a report detailing the extent to which U.S.-manufactured network surveillance and content filtering technologies are used to facilitate repression against journalists, human rights activists, and other pro-democracy groups.
This is not a new problem. Software developed by Western countries to filter web-hosted content or otherwise obtain data from internet users without their knowledge and consent has been a serious issue for over a decade. It first emerged in China where Cisco Systems sought lucrative business opportunities with China's Golden Shield project, more commonly known as the Great Firewall of China. In recent years, similar technologies have emerged in repressive regimes throughout the Middle East, such as censoring and monitoring technologies in pre-revolutionary Tunisia and in Syria, as well as in closed societies such as Burma. READ MORE »
Times are changing in Burma. The by-elections in April resulted in the NLD winning 43 out of 44 contested seats, removal of the press restrictions that require journalists to submit articles to the Press Scrutiny and Registration Department prior to publication, and the historic visit of President Obama to Myanmar (the first time a sitting president has visited the country).
Access to ICTs in Burma has historically been challenging. Throughout the country, there is low internet and mobile penetration. There were significant cost barriers to gaining access to basic technologies like sim cards (which can cost up to $900), and constant efforts to censor content and strike fear in activists through draconian telecommunications regulations.
This time of change has also reached the technology sector in Burma. The price of sim cards has dropped, the censorship of popular online news outlets such as the Irrawaddy and Mizzima News has been lifted, and use of Facebook has grown incredibly throughout the country. READ MORE »
New Year, new beginnings. The beginning of 2013 is a great time to try new ideas and improve upon existing projects. In this week's Monday Round-Up, we've collected a set of guides and resources that can help meet your resolutions to build your tech expertise:
While creating a Facebook page or group may be easy, maintaining and gaining meaningful impact can be difficult. The folks at Social Media Exchange (SMEX) recently published "Creating Facebook Pages with Impact: A Guide for Arab Civil Society Organizations", which breaks down several important components of a successful Facebook-based campaign or initiative. The main audience for this guide is MENA region-based organizations (Arabic language guide is here), but there are several lessons that can be applied to other regions where Facebook is the most popular social media platform.
The topics include:
Get to Know Facebook & Get Inspired
Lay Your Foundation
Assemble Your Team
Pinpoint Your Destination & Identify Who Can Help You Get There
Plan and Produce Your Content
Develop Interaction Guidelines
Publish & Promote Your Page
Monitor Your Page Performance with Insights
Survey Your Success, Tweak, and Do It All Over Again
As technology closes the time between when events happen and when they are shared with the world, understanding what approaches and tools are the best solutions to implement in crisis response and good governance programs is increasingly important. During the “Technology for Crisis Response and Good Governance” course, which I took earlier this month offered by TechChange at GW, our class was able to simulate different scenarios of how such tools can be used effectively.
The first simulation we did was on how to use FrontlineSMS and Crowdmap to track and respond to incidents in the event of a zombie apocalypse. Each team was responsible for managing FrontlineSMS, mapping incidents and other information on Crowdmap, and going into the field to get more information and verify reports. Management of the incoming data at this point becomes the highest priority. Designating specific responsibilities to different individuals, and determining how to categorize data (reports to be mapped, questions to be answered by other officials, overly panicked individuals, etc.) helps to more efficiently handle processing a large amount of information during a short timeframe. READ MORE »
This is a guest post from David Caragliano, NDI's Senior Program Officer on the Asia team in D.C. You can follow up with David on Twitter.
Citizen participation in Hong Kong is on the rise, but the results of the September 9 legislative council (LegCo) election and the March 25 chief executive election do not fully capture the nature of citizen participation. Voter turnout on September 9 stood at 53 percent – just two percentage points under the historical record in 2004. Public outrage at the candidacy of Chief Executive C.Y. Leung and his push to require Moral and National Education (MNE) courses in Hong Kong schools has been difficult to ignore. However, under Hong Kong’s complex electoral system, political parties have tended to be unresponsive. Civil society has driven political messaging and mobilization, increasingly through online tools.
The candidacy of C.Y. Leung in chief executive election generated frustration among Hong Kong’s voters. His victory only reaffirmed the reality that fifteen years after the Handover a small circle of elites continue to monopolize the chief executive selection process. What if the Hong Kong people could directly elect their chief executive? READ MORE »
The twitterverse is no stranger to hashtag-calls-for-action, spanning from #free an arrested activist to #stop a particular piece of legislation from moving forward. The most well-known example of a hashtag campaign was the one to stop SOPA and PIPA legislations in the United States. Despite the lack of coverage of these proposed laws on traditional media, mobilization spurred through social media was effective to build a full-on campaign that ended up stopping the passage of this legislation. Recently, NGOs and other civil society actors have been trying to capitalize on this success to try and stop the passage of other internet-restrictive laws, such as in Malaysia (#Stop114A) and in Jordan (#BlackoutJo).
While the revisions to section 114a in Malaysia’s Evidence Act and the proposed amendment to the Press and Publication Law in Jordan are alive and well, the online mobilizations to stop them can still teach us some valuable lessons in use of social media in the campaigns. READ MORE »
The need for civil society organizations and activists to understand best practices behind digital security and digital safety has grown exponentially over the past few years. This need has expanded beyond closed environments to more open societies that may not have as looming of a threat of communications interception, targeted malware attacks, and other dastardly deeds.
While there have been a lot of “wins” for civil society in restrictive environments to use ICTs to mobilize ahead of key political moments, these regimes continue to step up their efforts to counteract such communication.