
ICG Risk Blog - [ Cybersecurity Public ]

The human side of 'Public radio deposes a sitting president'


Part 1, Public radio deposes a sitting president, described how Radio La Luna and other stations in Ecuador created an improvised 'battlefield' communications network that forced a sitting president from office by orchestrating virtually continuous peaceful demonstrations against him and his administration. This is a 'human supplement' to those mechanics in two parts: two of the emails that swirled through Ecuador, and snippets of the impacts orchestrated by these stations over the past five days.

It should also be noted that humor made its appearance among the drama. Stores in downtown Quito hire clowns to promote their stores. One of them "was among those in front of the presidential palace singing and demonstrating, very spontaneous and funny."

Emails [private communications]:

The Chamber of Commerce of Quito (CCQ) openly rejected President Gutiérrez by calling him a dictator and announcing a hotline to receive reports of actions against affiliated businesses:

The Quito Chamber of Commerce, out of respect for the dignity of citizens, rejects the violence generated by the abuse of the dictator Gutiérrez, Ayerve and Borbúa.
Let us reject violence and defend our rights by mobilizing and making our voices of protest heard, to uphold our dignity.
The CCQ is opening a direct communication channel to receive reports of attacks on the businesses of its members via the line 1-800 CCQ CCQ
( 1800-227-227 )

PRESIDENTIAL JOKES (Chistes Presidenciales) circulated widely at Gutiérrez's expense. Here are three:

A black dog bites Gutiérrez's daughter. Upon hearing this, the father orders all black dogs of Ecuador killed. As black dogs everywhere begin to flee, they are joined by a small white dog. A black dog asks, 'Why do you run? He said to kill the black dogs,' to which the white dog replied, 'And you are going to believe that liar?'

A black dog bites Colonel Lucio's daughter. She tells her father, who orders every black dog in Ecuador killed. The black dogs start running down the highway, and at the back runs a little white dog. A black dog asks him: "And you, why are you running? He ordered the black dogs killed." "And you're going to believe that lying piece of shit?"

A drunk demands access to the presidential palace, wanting to be the new president of Ecuador, only to be asked by the guards if he is a fool, crazy, retarded, or has crap in his head. In a moment of reflection, the drunk replies, 'Maybe not, I didn't know that there were so many requirements for the job.'

A little drunk arrives at the Plaza Grande and speaks to one of the palace guards: "Out of my way, I'm coming through!... I want to be the new president of Ecuador, damn it!" "Whaaat? Are you a fool...? Are you crazy...? Are you mentally retarded...? Do you have excrement in your head...?" "Huh? No! No way! Better not; I didn't know they asked for so many requirements... HIC!"

Another drunk wanders into the grand plaza shouting, "THE PRESIDENT IS A SON OF A BITCH! THE PRESIDENT IS A SON OF A BITCH!" Two policemen quickly appear and begin to beat him, accusing him of treason. The poor drunk implores the police, 'But I was referring to the U.S. President!,' to which the police officers respond, 'Idiot, do not try to confuse us! We know who the Son of a Bitch is!'

A drunk is in the Plaza Grande shouting: "THE PRESIDENT IS A SON OF A BITCH! THE PRESIDENT IS A SON OF A BITCH!" Two "chapas" (police officers) quickly appear and start beating him for treason against the Fatherland, then drag him away. The poor drunk begins to implore them: "But I meant the President of the United States!" And the police reply: "Don't try to confuse us! We know who the son of a bitch is!!!"

Drumbeat of events orchestrated by these stations over the past five days:

Ecuador's President Says He Won't Quit
The Associated Press
April 20, 2005; 7:59 AM

Hours after Ecuador's embattled president said he would not resign, at least 30,000 people tried to march to the presidential palace in the capital's largest demonstration yet against the country's leadership, demanding that [Gutierrez] resign. [Gutierrez was removed later in the day.]

Ecuador Police Tear Gas Protesters Near Palace
April 20, 2005; 1:32 AM
By Carlos Andrade and Alexandra Valencia

Ecuadorean police fired tear gas at tens of thousands of protesters marching on the presidential palace on Tuesday night to demand the resignation of President Lucio Gutierrez... Demonstrators, who had been peaceful, responded to the gas by throwing stones at police.

Thousands in Ecuador Protest President
The Associated Press
April 19, 2005; 9:15 AM

Chanting "Lucio, get out," a river of demonstrators poured into the streets of Guayaquil, Ecuador's largest city, Monday night to demand that President Lucio Gutierrez step down, as anti-government protests spread from Quito, the capital…

Gutierrez… also declared a state of emergency Friday that banned public protests in Quito. But the moves only escalated the street marches as residents reacted indignantly… Thousands of people disobeyed the state of emergency Saturday and staged a peaceful demonstration.

Thousands in Ecuador Protest President
The Associated Press
April 18, 2005; 10:22 PM

[Gutierrez] said he recognized that the marches showed there is "discontent in part of the population of Quito." But he said the people participating represented only a small portion of the capital's inhabitants. "We have more than 2 million inhabitants and I think that the marches have not exceeded 10,000, 20,000 people," he said. "We could say that 1 percent of the people are actively participating.

Ecuadorans Defy Ban on Protests to Demand Leader Quit
By Monte Hayes
Associated Press
April 17, 2005

Ecuador's president called off a state of emergency in the capital on Saturday -- as thousands of Ecuadorans defied his ban on demonstrations and demanded his resignation… Gutierrez imposed the emergency after three days of street marches demanding his resignation.

Ecuador's Gutierrez Lifts Emergency After Protests
April 16, 2005; 8:25 PM
By Alexandra Valencia and Carlos Andrade

President Lucio Gutierrez on Saturday retracted a state of emergency [less than 24 hours after imposing it] he decreed less than a day earlier in the capital Quito after thousands took to the streets in open defiance of his orders… Thousands of people bashed saucepans and honked car horns in Quito, calling for Gutierrez to resign.

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  



Public radio deposes a sitting president: Ecuador, Radio La Luna, and improvised battlefield communication networks


Given that the President of Ecuador, Lucio Gutierrez, was ousted an hour ago, one would have to agree with the Post's comment that Radio Is Blamed For Unrest In Ecuador. An interest in South American politics and ad hoc, low cost C3 (Command, Control and Communication) 'citizen systems' outside government control coincided in Ecuador where Radio La Luna, first among equals of several radio stations that included Radio Democracia, and some TV stations coordinated and retransmitted events that led to the President's removal [private email communication].

These radio and TV stations acted as a tactical battlefield communication network. Radio La Luna, a local FM station that is part of an NGO called the Popular Education Center, alone "directed the public to an estimated 200 demonstrations in the past six days."

[La Luna] regularly informed listeners where and when demonstrations would occur. During the height of tonight's chaotic demonstrations, the station provided directions for protesters wishing to navigate street closures and avert police blockades to reach the presidential palace. [La Luna's owner] said his station had not organized any protests, but instead had relayed information from helpful callers. He said cell phones had been the instruments behind the widespread demonstrations… "I am just trying to respect the dynamic that is out there among the people... The people want the government to leave, and we're just providing them with a place to be heard. We simply opened our microphones to the public."

For its efforts, La Luna, a "small station that has adamantly criticized the government's handling of the crisis and has called for the dismissal of Gutierrez," saw its signal "cut for several hours Monday, during the evening, when most street actions have been organized." (A small price to pay, the government also shut down a state-run TV station among others. Ecuadorians were not impressed.)

This morning I asked a trusted colleague in Quito, Ecuador for his opinion:

It is amazing what is happening. This revolt is organized by the citizens and coordinated by this radio station and a couple of other radio stations. [The] politicians have been unable to stop the chaos [over] the supreme court [and] the pressure of the pacific demonstrations is forcing the government to change course.

These questions immediately followed:

  1. Are Luna and other stations acting cooperatively or independently? (It would be a much bigger deal if they cooperated.)
  2. Do these stations try to cover for one another, i.e., if one goes off air, does one or more try to cover their content?
  3. Do they carry complementary information, i.e., each one focusing on certain categories of information?
  4. Who owns these stations?
  5. Do you hear anything of these "smart mob" type activities in addition to the radio broadcasts?

Reply was rapid:

  1. At this point there are several radio and TV stations retransmitting the events. Radio Democracia is also transmitting the events live and coordinating the people. Cellular phones are playing a key role as ordinary citizens report to the radios the events and what people should be doing.
  2. The government has lost control and at this point it would be impossible to formally act against these radios. What they are doing is bringing thugs from other regions and inciting them to go and burn these radio stations.
  3. These stations are owned by known news people, simple people. Their only power is the information.
  4. Email is also playing a key role. I will forward to you some of the emails.

Shortly thereafter, I received this email:

It was announced that tomorrow [CONATEL], the communication commission formed by the government, armed forces, etc., will cancel the license of La Luna. All the other radios are protesting. The USA ambassador just entered a meeting with the President! I guess the outcome of this meeting will be crucial since so far they have supported the president.

Then another announcing that the "head of the police just resigned. He could not continue giving orders to combat the population."

Radio La Luna and its cellular 'reporters' prevented a much grimmer outcome:

The government, in order to protect itself, ferried in [as many as] 50 buses [of] thugs from the coast and the Oriente region. Once the people saw these buses [approaching, the] mayor of Quito ordered the municipal tractors and garbage trucks to block the highways [thereby closing] access to the city, and prevented these guys from entering the city and creating chaos… Several of them entered the city the night before and from the Ministry of Social Welfare [Ministerio de Bienestar Social] they [started] to shoot at the crowds, with 2 people injured… The end of the story would have been different had these guys entered the city.

Three hours after the resignation of the police chief:

The president has been deposed as of some minutes ago. The Vice President has taken over. The Luna is alive and well! They deserve a Pulitzer prize

My reply:

Public radio at its best. Yes, La Luna probably does deserve a prize, yet its greatest challenge may lie ahead in helping to guide the discussions, even the agenda of discussions, that will follow in the new political vacuum. While it is the harder job, it is the greater prize.

My friend closed with:

The radio deserves a prize (as well the US Ambassador!)

The radio station is a "one-to-many" network that is mostly thought of as unidirectional (station to listener) transmission to a low cost "receiver" - a radio that most people have. In this case the stations acted as mass relay or rebroadcast links based on cellphone and email input, although to be fair to La Luna and its peers, I imagine that like most "command centers" they integrated their inputs into a coherent action plan.

The combination, even in rural areas such as Nigeria, of cellphone, IM (Instant Messages) Text Paging and, in this case, radio produced an effective "many to many" C3 network that deposed a government.

Part 2, for the determined reader, will have a few of the emails that circulated in Ecuador as well as snippets of the impacts orchestrated by these stations over the past five days.

Radio Is Blamed For Unrest In Ecuador
Small FM Station Is Fomenting Protests, Officials Contend
By Monte Reel
Washington Post
April 20, 2005

Ecuador's President Says He Won't Quit
The Associated Press
April 20, 2005; 7:59 AM

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  



Fun on both sides of the Golden Shield: escape & evasion applicable to civil libertarians and terrorists alike


In Finding Zhao Ziyang through the Golden Shield , part 2 of "If you want food, find Ziyang"; If you want Ziyang, pierce the Golden Shield, I noted that the response to Chinese media restrictions on state-run TV and newspapers of the death of Zhao Ziyang was a spike of activity on internet bulletin boards, chat rooms, and blogs.

Chatroom monitoring (both self-imposed and external) is part of the Golden Shield, called the Great Firewall of China by its detractors, a "communication network and computer information system for police to improve their capability and efficiency." At the time it was described as employing:

a variety of methods starting with Chinese backbone routers that blocked a list of objectionable web addresses combined with filtering technology searching for objectionable words and a tracking system to identify offenders. Failed searches with sensitive terms do not even send back error messages. Internet-service firms add "their own censoring, removing provocative comments and blocking messages deemed sensitive." Moving on, newer Chinese instant-messaging services are allegedly requiring users "to download software to their PCs that contains a filtering mechanism"… Having been barred from China, Google responded with a version that disabled its cache function, blocked objectionables, becoming "a form of geolocation filtering since users who access Chinese Language Google News from anywhere but China are not subjected to the filtering and receive full search results."

From such comments and personal experience, it was a modest leap for a Chinese civil rights activist, Isaac Mao, to craft a diagram of the Golden Shield's filtering mechanism, Guess on China's Great Firewall Mechanism, whose posting and linking to it as an April Fool's jest was apparently enough for Chinese authorities to instruct ISPs not to resolve requests to his primary blog. Global Voices notes that they and others have offered to host Mao's blog outside China, but that Mao is "planning on keeping it in China, seeing situations like this as an excellent chance to learn more about internet filtering in China":

To my personal blog, I'm not so eager to move my blog to overseas hosting. It's so good to study this space with more local experience.

Mao has a backup blog for such occasions where he is able to announce the blocking and continue his research, but other bloggers, Falun Gong perhaps, might not receive such permissiveness, and there might be official interest in who such insiders spoke to on the outside, beyond national jurisdiction.

Enter the Onion Routing program designed by the US Naval Research Laboratory to create net-based anonymous communications systems "that resist traffic analysis, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routers themselves). Onion Routing prevents the transport medium from knowing who is communicating with whom -- the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network."

This protection is given independent of whether the identity of the initiator of a connection (the sender) is hidden from the responder of the connection, or vice versa. The sender and receiver may wish to identify and even authenticate to each other, but do not wish others to know that they are communicating. The sender may wish to be hidden from the responder. There are many ways that a web server can deduce the identity of a client who visits it; several test sites can be used to demonstrate this. A filtering proxy can be used to reduce the threat of identifying information from a client reaching a server.

Onion routing can be non-invasive when unmodified Internet applications use proxies, or moderately to highly invasive when a computer's network protocol stack is modified. Note that encryption of the body text is not the point here: encrypting the payload does not defeat traffic analysis, which can divine who is talking to whom and when.

Now supported by the Electronic Frontier Foundation, an offshoot of the Onion project called Tor, a network of virtual tunnels, is now available to anonymize the likes of web browsing and publishing, instant messaging, IRC, and SSH with the goal to defeat or complicate traffic analysis by "preventing eavesdroppers from finding out where your communications are going online, and by letting you decide whether to identify yourself when you communicate."
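The layered construction the NRL description above refers to is easiest to see in code. The following is an added educational example, not NRL's or Tor's code: the client pre-shares one symmetric key with each relay (an assumption; real onion routers negotiate per-circuit keys), wraps the payload in one encryption layer per relay, innermost first, and each relay peels exactly one layer, learning only the previous hop, the next hop, and an opaque blob. Only the exit sees the payload, and no relay sees both client and destination. The keystream cipher is a toy built from SHA-256 in counter mode, used only so the example runs with the standard library.

```python
"""Toy onion-routing demo (added example, not Tor's or NRL's code).
Relay names, keys and the message are constructed for illustration."""
import hashlib
import os

HOP = 8          # fixed-width next-hop field inside each layer
NONCE = 12       # per-layer nonce so reused keys never reuse a keystream


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream cipher: SHA-256 in counter mode. Symmetric, so it also decrypts."""
    blocks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, blocks))


def example_keys(route):
    """Pre-shared per-relay keys (assumption for the demo; Tor negotiates these)."""
    return {relay: hashlib.sha256(b"demo-key:" + relay.encode()).digest() for relay in route}


def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: encrypt (next_hop || inner) under this relay's key."""
    nonce = os.urandom(NONCE)
    return nonce + _xor_stream(key, nonce, next_hop.encode().ljust(HOP) + inner)


def build_onion(route, keys, destination: str, payload: bytes) -> bytes:
    """Wrap innermost first, so the first relay's layer ends up on the outside."""
    layer, next_hop = payload, destination
    for relay in reversed(route):
        layer = wrap(keys[relay], next_hop, layer)
        next_hop = relay
    return layer


def peel(key: bytes, blob: bytes):
    """What a relay does: strip its own layer, read the next hop, forward the rest."""
    nonce, body = blob[:NONCE], blob[NONCE:]
    plain = _xor_stream(key, nonce, body)
    return plain[:HOP].rstrip().decode(errors="replace"), plain[HOP:]


def relay_through(route, keys, onion: bytes):
    """Simulate the circuit. Returns each relay's view (relay, prev, next) and the exit payload.
    Note that no single relay ever sees both 'client' and the destination."""
    observations, prev, blob = [], "client", onion
    for relay in route:
        next_hop, blob = peel(keys[relay], blob)
        observations.append((relay, prev, next_hop))
        prev = relay
    return observations, blob


if __name__ == "__main__":
    route = ["guard", "middle", "exit"]
    keys = example_keys(route)
    onion = build_onion(route, keys, "server", b"GET / HTTP/1.0")
    views, payload = relay_through(route, keys, onion)
    for view in views:
        print("relay %-6s saw prev=%-6s next=%s" % view)
    print("exit payload:", payload)
    # A relay holding only its own key cannot read a layer meant for another relay.
    print("middle relay peeling the outer layer reads next hop:", repr(peel(keys["middle"], onion)[0]))
```

This is also why the quoted text says encryption alone does not defeat traffic analysis: the guard still sees the client's address and the exit still sees the destination, so an observer watching both ends can correlate timing and volume even though every relay's view of the content is limited to one layer.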

I recommend that readers investigate Tor from two aspects, the first being the use of Tor as a means of masking critical communications and/or using Tor as an investigative and market analysis tool, and the second being to determine how Tor might be used against you, your firm, your employees and your suppliers:

[T]he German "Diabetes People" organization recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) are supporting Tor's development as a mechanism for maintaining civil liberties online. Corporations are investigating Tor as a safe way to conduct competitive analysis, and are considering using Tor to test new experimental projects without associating their names with these projects. A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently.

[O]nline advertising company Doubleclick uses traffic analysis to record what web pages you've visited, and can build a profile of your interests from that. A pharmaceutical company could use traffic analysis to monitor when the research wing of a competitor visits its website, and track what pages or products that interest the competitor. IBM hosts a searchable patent index, and it could keep a list of every query your company makes. A stalker could use traffic analysis to learn whether you're in a certain Internet cafe.

Now think how much fun terrorist groups could have with Tor, both for sheltered communications and for target analysis, personal and corporate.

P.S. Visit the privacy test sites that Onion recommends. You will likely be startled to see how vulnerable you are.

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  



The world is flat save for the depression that we occupy: Friedman on global opportunity and competition


The head of Infosys (India) told Tom Friedman that "the playing field is being leveled" as decades of massive investment in technology, computers, global broadband connectivity, education, communication and information processing tools created a condition in which "countries like India were now able to compete equally for global knowledge work as never before -- and that America had better get ready for this."

Friedman made a great tag line leap from 'leveled' to 'flattened' to 'flat' with the observation that:

When the world is flat, you can innovate without having to emigrate.

The impacts are enormous in terms of economic, political, military, and demographic changes at the level of shocks - and an inability to predict when and where those leaps will occur. Citing Marc Andreessen:

"Today, the most profound thing to me is the fact that a 14-year-old in Romania or Bangalore or the Soviet Union or Vietnam has all the information, all the tools, all the software easily available to apply knowledge however they want. That is why I am sure the next Napster is going to come out of left field. As bioscience becomes more computational and less about wet labs and as all the genomic data becomes easily available on the Internet, at some point you will be able to design vaccines on your laptop."

Or bioweapons.

Friedman sees the advances in "people-to-people and application-to-application connectivity" producing "flatteners" that in turn produced six more: outsourcing, offshoring, open-sourcing, insourcing, supply-chaining, and informing. His last "flattener" is accelerated communications in the form of wireless access and VoIP. I am not certain that I agree with his chain of causality, but I agree that all these enablers are present.

I can only wholeheartedly agree with his prediction that the US and Europe are lagging and whining while Asia is roaring. "Meeting the challenges of flatism requires as comprehensive, energetic and focused a response as did meeting the challenge of Communism... We have been slow to rise to the challenge of flatism":

When it comes to responding to the challenges of the flat world, [we] have to dig into ourselves. We in America have all the basic economic and educational tools to do that. But we have not been improving those tools as much as we should. That is why we are in what Shirley Ann Jackson, the 2004 president of the American Association for the Advancement of Science and president of Rensselaer Polytechnic Institute, calls a ''quiet crisis'' -- one that is slowly eating away at America's scientific and engineering base.

Jackson makes the understatement of the quarter century in noting, ''If left unchecked, this could challenge our pre-eminence and capacity to innovate.'' The challenge is already well underway and we are not distinguishing ourselves in the innovation of new technologies, products, services and firms that hire domestic employees and pay domestic taxes.

Friedman sees this quiet crisis as a product of three gaps:

  • An "ambition gap": "Compared with the young, energetic Indians and Chinese, too many Americans have gotten too lazy."
  • A numbers gap: insufficient numbers of engineers and scientists that were compensated for by importation from India, China and elsewhere, but "in a flat world, where people can now stay home and compete with us, and in a post-9/11 world, where we are insanely keeping out many of the first-round intellectual draft choices in the world for exaggerated security reasons, we can no longer cover the gap."
  • An education gap: A gap so startling that US firms outsource not merely because of lower salaries but because they "can often get better-skilled and more productive people than their American workers."

Friedman cites Microsoft's Bill Gates comment that the US high-school education system is "obsolete": "When I compare our high schools to what I see when I'm traveling abroad, I am terrified for our work force of tomorrow. In math and science, our fourth graders are among the top students in the world. By eighth grade, they're in the middle of the pack. By 12th grade, U.S. students are scoring near the bottom of all industrialized nations."

Gates also addresses the matter of numbers: "In 2001, India graduated almost a million more students from college than the United States did. China graduates twice as many students with bachelor's degrees as the U.S., and they have six times as many graduates majoring in engineering. In the international competition to have the biggest and best supply of knowledge workers, America is falling behind."

Friedman closes in his signature style, and while I have been cross of late with some of his international commentary as being excessively preachy, I believe that he is spot on here, and at the top of his game:

We need to get going immediately. It takes 15 years to train a good engineer, because [this] really is rocket science. So parents, throw away the Game Boy, turn off the television and get your kids to work. There is no sugar-coating this: in a flat world, every individual is going to have to run a little faster if he or she wants to advance his or her standard of living. When I was growing up, my parents used to say to me, ''Tom, finish your dinner -- people in China are starving.'' But after sailing to the edges of the flat world for a year, I am now telling my own daughters, ''Girls, finish your homework -- people in China and India are starving for your jobs.''

A signature trend of US technological slippage is our declining performance in the Olympics of programming, the 2005 world finals of the Association for Computing Machinery International Collegiate Programming Contest. Reflecting a "gradual ascendance of Asian and East European schools during the past decade," the first three winners were China's Shanghai Jiao Tong University, and two from Russia, Moscow State University and the St. Petersburg Institute of Fine Mechanics and Optics. The nearest US performance was a tie for 17th. Commenced in 1970, the US historically dominated this ACM contest, and dominated it in depth.

The technological and weapons systems that we have today are the product of designs from twenty years earlier, created by engineers and scientists educated a decade or more earlier still. Today we are coasting without a "moon shot" plan to resuscitate our scientific base and educational system. Worse, we are trapped in a self-fulfilling prophecy in which US technology firms conduct basic research and development activities in Asia as US student interest in computer science declines amid the dot-com collapse and the well-advertised offshoring by US tech firms to low-wage countries like India.

I took the effort to look at the last 15 years of the ACM contest, not only for the winning school and nation, but also the number of teams competing and US standings near the top of the rankings. The net result is worse than losing the title, as it reflects a lack of US depth and bench strength in comparison to its scholastic competitors (year, winner, field size, US placings):

2005 Shanghai Jiao Tong University, China (second win), USA 17

2004 St Petersburg Institute of Fine Mechanics and Optics, Russia, from 3,150 teams, USA 5,7,9

2003 Warsaw University, Poland, from 3,850 teams, USA 13

2002 Shanghai Jiao Tong University, China, from 3,082 teams, USA 2,5,8

2001 The St. Petersburg State University, Russia (second win), from 2,700 teams, USA 2,7,10

2000 The St. Petersburg State University, Russia, from 2,400 teams, USA 9

1999 The University of Waterloo, Canada, from over 1,900 teams, USA 5,6,7,8

1998 Charles University, Prague, Czech Republic, from 1,250 teams, USA 5

1997 Harvey Mudd College, USA, from over 1,100 teams, USA 2,9

1996 University of California, Berkeley, USA, from 1,001 teams, USA, 2,5,7

1995 Albert-Ludwigs-Universitat Freiburg, Germany, from over 900 teams, USA, 2,4,5,6,7

1994 University of Waterloo, Canada, from 628 teams, USA, 3,4,6

1993 Harvard University, USA, from over 600 teams, USA, 2,3,4,6,7

1992 University of Melbourne, Australia, from over 600 teams, USA, 2,3,4,5,6,7

1991 Stanford University, USA, from over 500 teams

1990 University of Otago, New Zealand, from 459 teams

It's a Flat World, After All
New York Times
April 3, 2005

U.S. slips lower in coding contest
By Ed Frauenheim
April 7, 2005

Students saying no to computer science
By Ed Frauenheim
August 11, 2004

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  



Considering plausibly deniable cryptography as a response to a Distributed Networking Attack


In Staying off the Wall of Sheep, the first lesson of Defcon was "the importance of using encryption, not just at Defcon but in all network traffic." For most users, however, unencrypted cleartext is the order of the day for transmitting UIDs, passwords, and body text, as users do not equate their email with post cards, except that it is likely that more people can read an email than a post card. Outside government systems, encryption tends to belong to legitimate commercial confidential business, criminal and terrorist enterprises, and the randomly paranoid.

The US Secret Service is responding to the widening use of encryption software by criminals in "higher profile and higher value targets [where] from an evidentiary standpoint they have more to hide" by harnessing its employees' PCs (4,000 to date, extending to all 10,000 in 2005) in a Distributed Networking Attack (DNA) program running in the background using a fractional part of each CPU's cycle time. As even networks far larger than that of the Secret Service would have great difficulty in brute-force decryption of a 256-bit key, the authorities are turning their attention not to the encrypted text but to the encryption passwords.

User-generated passwords or passphrases are usually flawed, not random, and have some relation to an aspect of the user's personal or professional life. Information about the "suspect's personal life and interests collected by field agents" is blended with cleartext (email, documents, browser cache, frequented URLs, et al.) resident on the suspect's PC hard drive, then submitted to DNA to create a tailored password/passphrase set specific to the PC's owner that is then tested to determine the password. (Criminal gangs that employ multiple languages and alphabets - an increasingly common condition of transnational criminal gangs - add further complexity.)

As DNA may be expanded to larger parts of DHS, I would expect to see a renaissance in deniable cryptography systems such as Rubberhose (apparently not now available) and StegFS as criminals seek a counter response. Consider the case in which:

A spy travelling with a laptop [with traditionally encrypted files] is arrested by a foreign government, detained, and tortured until he gives up the keys to his data… Encrypted filesystems fail against the Rubberhose Attack [because] traditional encrypted filesystems leak information. While the Bad Guy doesn’t know what the encrypted data is, he is able to see that there -is- encrypted data. Thus, he can beat our spy until all encrypted data has been decrypted.

Deniable cryptography allows a captive or defendant who does not wish to disclose the plaintext corresponding to their ciphertext to show that there is more than one interpretation of the encrypted data, i.e., an investigator will likely know that encrypted material exists on the drive, but will not know how much, and so there is an opportunity to keep the existence of the most essential data hidden. Designed by Julian Assange, co-author of The Underground, Rubberhose is named after the decryption tactic it attempts to defeat: rubber-hose cryptanalysis, in which suspects are exposed to repeated beatings or torture until their password is surrendered.

Rubberhose was originally conceived [as] a tool for human rights workers who needed to protect sensitive data in the field, particularly lists of activists and details of incidents of abuse… Human rights workers carry vital data on laptops through the most dangerous situations, sometimes being stopped by military patrols who would have no hesitation in torturing a suspect until he or she revealed a passphrase to unlock the data.

In some cases the inquiring governmental agency does not have to be a third world satrap when it comes to demanding access to private encrypted data. (I often tell US nationals that the Patriot Act is modest in terms of many English laws.) The Regulation of Investigatory Powers Act 2000 of the UK (commonly called RIP) allows UK law enforcement agencies:

the right to demand decryption keys from anyone, and it imposes prison sentences on those that refuse to hand them over. The RIP Act also forbids people, under threat of prison, from telling anyone that they have been asked to hand over their key.

Rubberhose thwarted this by allowing a large number of encrypted messages to be stored on the same drive, each encoded with a different password. As the total number of levels is unknown, the captive can surrender one or more levels with some confidence that the arresting entity cannot easily discern that they do not have access to all the data on the drive. Rubberhose had a modular architecture, self-test suite, employed information hiding (both steganography and deniable cryptography), worked with any file system, had freely available source, and supported ciphers such as DES, Blowfish, Twofish and CAST. Rubberhose could deter forensic disk-surface analysis as a portion of disk blocks from file systems would be randomly repositioned on the drive so as to defeat a statistical analysis of the more frequently used "real" file system.

With Rubberhose down, users can look to StegFS (Steganographic File System) for Linux (also here and FAQ):

StegFS looks like a [completely standard Linux file system (ext2)], except that all free blocks are immediately written over with random data when they are deleted [and] a small portion of files are written to random free areas… Additional directories... appear for each security level… Each hidden file belongs to one of 15 security levels. There are also 15 security contexts, each giving access to a subset of all security levels and protected with its own password. Outsiders can see that a drive is StegFS enabled, but cannot see how many layers of encryption there are on the disk. Users can plausibly deny the number of files stored on disk. The installation of the driver can be justified by revealing one lower layer, and denying the existence of any additional layers.
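To make the property that both Rubberhose and StegFS rely on concrete, here is an added toy in Python. It is not code from either project and is far simpler than either: a container whose free space is random fill, in which every "level" is located and encrypted purely from its own password, so that surrendering the decoy password proves nothing about whether further levels exist. The slot size, container size, salt, passwords and sample texts are constructed, and the HMAC-based stream cipher is a stand-in for a real disk cipher.

```python
"""Toy multi-level deniable container (added illustration, not Rubberhose or StegFS code).

Properties demonstrated:
  * free space is random fill, so ciphertext is indistinguishable from it;
  * each level's slots and keystream derive only from its own password, so
    opening one level says nothing about how many others exist.
"""
import hashlib
import hmac
import math
import secrets
from collections import Counter

SLOT_SIZE = 128         # bytes per slot (constructed toy scale)
NUM_SLOTS = 4096        # container = 512 KiB
HEADER = 16 + 4         # 16-byte HMAC tag + 4-byte plaintext length


def _prf(key: bytes, label: bytes, counter: int) -> bytes:
    """HMAC-SHA256 used as a deterministic PRF."""
    return hmac.new(key, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def derive_key(password: str) -> bytes:
    # Fixed salt keeps the example deterministic; a real container stores its own salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"toy-salt", 10_000)


def slot_sequence(key: bytes, n: int) -> list:
    """First n distinct slot indices of a key-dependent pseudo-random walk."""
    chosen, seen, counter = [], set(), 0
    while len(chosen) < n:
        idx = int.from_bytes(_prf(key, b"slot", counter), "big") % NUM_SLOTS
        counter += 1
        if idx not in seen:
            seen.add(idx)
            chosen.append(idx)
    return chosen


def slot_crypt(key: bytes, i: int, data: bytes) -> bytes:
    """XOR the i-th slot of a level with a per-slot keystream (toy stream cipher)."""
    keystream = b"".join(_prf(key, b"ks", i * 4 + j) for j in range(4))  # 128 bytes
    return bytes(a ^ b for a, b in zip(data, keystream))


def new_container() -> bytearray:
    return bytearray(secrets.token_bytes(SLOT_SIZE * NUM_SLOTS))


def write_level(container: bytearray, password: str, plaintext: bytes, occupied: set) -> list:
    """Store plaintext under its own password; returns the slots used.

    `occupied` holds the slots of every level the writer has opened. It lives only
    in memory, never in the image: a writer who does not hold all passwords cannot
    tell which random-looking slots belong to another level, and may overwrite them.
    """
    key = derive_key(password)
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()[:16]
    payload = tag + len(plaintext).to_bytes(4, "big") + plaintext
    nslots = -(-len(payload) // SLOT_SIZE)
    payload += secrets.token_bytes(nslots * SLOT_SIZE - len(payload))  # random pad
    slots = slot_sequence(key, nslots)
    if occupied & set(slots):
        raise ValueError("slot collision with an already open level")
    occupied.update(slots)
    for i, idx in enumerate(slots):
        chunk = payload[i * SLOT_SIZE:(i + 1) * SLOT_SIZE]
        container[idx * SLOT_SIZE:(idx + 1) * SLOT_SIZE] = slot_crypt(key, i, chunk)
    return slots


def read_level(container: bytearray, password: str):
    """Return the level's plaintext, or None if this password opens nothing."""
    key = derive_key(password)
    first = slot_sequence(key, 1)[0]
    head = slot_crypt(key, 0, bytes(container[first * SLOT_SIZE:(first + 1) * SLOT_SIZE]))
    tag, length = head[:16], int.from_bytes(head[16:HEADER], "big")
    if length > NUM_SLOTS * SLOT_SIZE - HEADER:
        return None                       # wrong key: the decoded length is garbage
    nslots = -(-(HEADER + length) // SLOT_SIZE)
    buf = b"".join(
        slot_crypt(key, i, bytes(container[s * SLOT_SIZE:(s + 1) * SLOT_SIZE]))
        for i, s in enumerate(slot_sequence(key, nslots))
    )
    plaintext = buf[HEADER:HEADER + length]
    expected = hmac.new(key, plaintext, hashlib.sha256).digest()[:16]
    return plaintext if hmac.compare_digest(tag, expected) else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def demo() -> dict:
    """Two levels, two passwords: the decoy can be surrendered, the other stays deniable."""
    image, occupied = new_container(), set()
    write_level(image, "decoy-password", b"grocery list: eggs, milk, bread", occupied)
    write_level(image, "real-password", b"field contacts (constructed sample)", occupied)
    return {
        "decoy": read_level(image, "decoy-password"),
        "real": read_level(image, "real-password"),
        "wrong": read_level(image, "not-a-password"),
        "entropy": shannon_entropy(bytes(image)),
    }
```

The `occupied` set is the crux of the design tension the real systems manage: reading any level needs only its own password, but writing safely needs every level open, since the image itself must not record which slots are in use. The entropy figure is what an outsider sees, and it is the same whether the container holds zero, one or two levels.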

DNA Key to Decoding Human Factor
By Brian Krebs
Washington Post
March 28, 2005

Defending against Rubberhose Attacks
Christopher Soghoian
JHU Systems Seminar
March 9 2004
SPAR instance scrolled off

StegFS: A Steganographic File System
HweeHwa PANG, Laboratories for Information Technology; Kian-Lee TAN, Xuan ZHOU, , National University of Singapore, Singapore

Hiding Data Accesses in Steganographic File System
Xuan ZHOU, Kian-Lee TAN, National University of Singapore; HweeHwa PANG, Institute for Infocomm Research, Singapore

Warning over e-mail snooping
BBC News
1 June, 2001

Gordon Housworth

Cybersecurity Public  InfoT Public  



Staying off the Wall of Sheep and ahead of advancing technology


The Wall of Sheep, originally the Wall of Shame, is a Defcon hacker tradition where attendees sniff traffic on wireless and wired networks for plaintext usernames and passwords, projecting them against a conference wall. In such an environment as a hacker convention, one would think that attendees using the Defcon network would encrypt their logins, but yearly many do not. Much sensitive traffic beyond usernames and passwords is also intercepted. It is sad that the message that "The Wall has shown people the importance of using encryption, not just at Defcon but in all network traffic" does not gain a wider audience.

Careless, inefficient, or unaware, these sheep mimic far too many of the general user community who are far less attuned to the threats around them. We like to merge vocation and avocation in tracking the progress of technology in an attempt to remain conversant.

Two that caught my eye were BlueSniping (Bluetooth interception) from more than a mile away with homebuilt equipment and the remote physical device fingerprinting and tracking "without the fingerprinted device's known cooperation."

Bluetooth adherents would have you believe that the technology is safe from hackers, but it is not. Defcon 12 (2004) showed a Bluetooth sniper capable of finding and attacking Bluetooth devices from a distance, even detecting devices through building walls, using a 12.9 dBi Yagi antenna attached to a Bluetooth card in a PDA or laptop.

The newer BlueSniper uses a form of Personal Internet Communicator (PIC), a small computer using Intel XScale processors as an embedded Internet appliance, sans display, that is the size of a pack of chewing gum, hence the name Gumstix, that readily harvests Bluetooth devices. The use of a Hyperlink 14.9 dBi radome directional antenna, the kind also used for wardriving, provides the gain that is key to the unit's range. The Gumstix runs an embedded version of Linux with an MMC flash memory slot to save Bluetooth scanning data:

Since the computer is so small and consumes little power (three AAA batteries provide 6-8 hours of runtime), other interesting Bluetooth scanning devices can be made. You could make a very small handheld Bluetooth sniffer that could be carried in your pocket or perhaps thrown in the bushes outside of a building. This could passively scan for devices until you retrieved it to look at the results.

Others have thought of Gumstix applications:

As a Bluetooth device, I think you could package a board into either a headset or a handset that actually talks to Bluetooth-capable mobile phones and applies heavy encryption to scramble calls. Drug dealers and terrorists would love them, except of course, they'd probably be conspicuous by their encryption. So instead find a way to use the board to do audio steganography, somehow encrypting a real voice conversation into a completely fake conversation. Spy agencies would love/hate them.

At a distance of .75 miles:

It didn't take long for the MAC address of Bluetooth devices to appear on the laptop's screen... The building was .75 miles (a little over 1 km) from our position. As more Bluetooth devices started appearing, John said, "This building is full of Bluetooth! Look we got some Blackberries!" He also explained that, with multiple guns, it would be possible to track a single Bluetooth device as the person walked around.

Given this capability, I find the Bluetooth Special Interest Group's (SIG) Wireless Security briefing to be underwhelming.

Employing no hardware at all, and immediately available for surveillance and forensics applications, adversaries can now achieve device fingerprinting and, in the case of mobile devices, tracking efforts with high reliability. Using only passive and semi-passive techniques that examine minute deviations in TCP timestamps called clock skews, a fingerprinter can consistently identify a physical device even when NAT (Network Address Translation) or a firewall is used, and the fingerprinter is "thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies."

Only a "small amount of data" was required for one or more of the tests to succeed on multiple OSes including Windows XP, Win2K, Mac OS X Panther, Red Hat and Debian Linux, FreeBSD, OpenBSD and Pocket PC 2002. Just as laser printers have been found to have traceable hardware characteristics, your device and its location are now identifiable. One wonders how long it will take for "Possible countermeasures include masking time skews with better random number generation techniques" to enter the marketplace. Too long, I think, for high value targets.
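The skew estimate this fingerprinting rests on takes only a few lines to reproduce. The following Python is an added example, not the researchers' code: it constructs (observer time, TCP timestamp) samples for a device whose timestamp counter is assumed to tick at 100 Hz with a chosen skew, then recovers the skew by a least-squares fit of the accumulating offset. (The original work fits a line by linear programming to the lower edge of the points; an ordinary regression is enough to show the effect.) The tick rate, skews, sampling interval and jitter are all constructed values.

```python
"""Clock-skew fingerprinting from TCP timestamps (added example, not the paper's code).

Samples are constructed: a device whose timestamp counter runs at an assumed
100 Hz drifts relative to the observer by a chosen skew in parts per million.
"""
import random

TCP_TS_HZ = 100  # assumed tick rate of the device's TCP timestamp clock


def make_samples(true_skew_ppm, n=120, interval=30.0, start=0.0, seed=1):
    """Constructed (observer_time_s, tcp_timestamp) pairs for one flow.

    The device counter advances (1 + skew) ticks per observer second; a random
    base value and up to 10 ms of delay jitter stand in for a real capture.
    """
    rng = random.Random(seed)
    base = rng.randrange(1 << 31)
    samples = []
    for i in range(n):
        x = i * interval
        observed = start + x + rng.uniform(-0.010, 0.010)
        ticks = base + int(round(TCP_TS_HZ * x * (1 + true_skew_ppm * 1e-6)))
        samples.append((observed, ticks))
    return samples


def estimate_skew_ppm(samples, hz=TCP_TS_HZ):
    """Least-squares slope of (device time - observer time) against observer time.

    Positive means the device clock runs fast relative to the observer.
    """
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ys = [(ts - ts0) / hz - x for (_, ts), x in zip(samples, xs)]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def same_device(skew_a, skew_b, tol_ppm=5.0):
    """Crude match: two flows whose skews agree within tolerance may be one device."""
    return abs(skew_a - skew_b) <= tol_ppm


def demo():
    """Device A seen in two sessions (different day, different path), device B once."""
    a1 = estimate_skew_ppm(make_samples(+48.0, seed=1))
    a2 = estimate_skew_ppm(make_samples(+48.0, start=86400.0, seed=7))
    b = estimate_skew_ppm(make_samples(-15.0, seed=3))
    return a1, a2, b
```

Two things the run shows: the same device yields the same skew from a different start time and a different jitter pattern, which is what makes the fingerprint survive NAT and relocation, and a second device with a different crystal is separated by tens of ppm. The observer's own clock error shifts every estimate by the same amount, so only differences between devices matter, and that is why the countermeasure quoted above aims at the timestamp signal itself rather than at the observer.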

Users that do not pay attention to an attacker's capabilities regardless of what their vendors tell them - such as "Bluetooth devices must be within 10 Meters of each other for the attacks to occur" - will only join the Wall of Sheep.

Tracking PCs anywhere on the Net
By Renai LeMay
CNet News
Mar 04, 2005

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  



Vast differences in major flaw handling separate software and manufacturing firms


How different the handling of analysis and subsequent disclosure of security flaws between software and computer makers on the one hand and hardware and industrial vendors on the other. Whereas the software industry too often seeks to muzzle "amateur and professional researchers who have found flaws in their products" to the point of imprisonment via the Digital Millennium Copyright Act (DMCA), hardware vendors tend to work with those investigators who discover faults, if not outright halt production before their customers halt deliveries.

I am equally disturbed that "all the special-interest organizations created by vendors for vendors" such as Microsoft's Organization for Internet Safety are designed to shield said vendors from public censure. I have less patience with governmental entities, especially those from the intel community, that should know that criminal and terrorist groups are working just as quickly to build a repository of hacks and will employ them when it is financially rewarding or when a DDoS or other strike is ordered.

As a heavy software user, what I am about to profess could indeed put me at risk, but it must be said:

  1. Software vendors really have no incentive to repair, possibly even rearchitect, their products so as to quickly resolve these flaws without public disclosure and censure in the marketplace. New products are the tip of a legacy iceberg, but one can start on high traffic avenues such as IE.
  2. Software vendors have exported their abrogation of their design responsibility and its subsequent financial and disruptive impacts to users in the public and private sector. It is long past due for government to begin to hold them accountable in spite of the end-user agreements that absolve vendors.

I am well aware of the difficulty of reengineering security in after the fact, be it in software, industrial or corporate process:

The public disclosure of software vulnerabilities originally gained momentum in the early 1990s, because operating system and application makers did not always respond to people who found security holes in their products. By telling the public about the security problems, the researchers ensured that software makers couldn't ignore the issue.

Life is not fair in having the market shift under the vendors' feet, but it has, yet vendors are stalling and government seems too permissive in allowing it. Consider what a manufacturing firm does when a serious fault is found in its product: interim damage control, generally called containment, i.e., the action which immediately stops the symptom. The usual process is:

  1. Quarantine potential customer dissatisfiers at all points in process.
  2. Implement special 100% inspection or test.
  3. Identify contained shipments.
  4. Confirm effectiveness at customer.

Catastrophic for software vendors, as a flaw will be in all copies, so they attempt to enforce "responsible disclosure", which is little more than a controlled gag order. Their argument is self-serving: researchers should "delay the announcement of security holes so that manufacturers have time to patch them. That way, people who use flawed products are protected from attack" as if that one researcher is the only one who has found, or will find, the flaw:

We don't feel that we are finding things that are unknown to everyone else. I am not special because I can run a debugger. Others can find--and use--these flaws.

The result has only been longer intervals between discovery and patch, a false sense of security among end-users, and an undeserved security reputation for the vendors.

Nothing new, as a mid-19th century book on locks noted:

Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock [is] not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties.

Give the cracking of the anti-theft Digital Signature Transponder (DST) car key a read. Good design guidance as well as the extension past ignition keys to highway toll payment transponders, physical security access systems, and inventory systems. Without robust encryption, other RFID systems are vulnerable.

Flaw finders go their own way
By Robert Lemos
January 26, 2005

Graduate Cryptographers Unlock Code of 'Thiefproof' Car Key
New York Times
January 29, 2005

Security Analysis of a Cryptographically-Enabled RFID Device
Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo
Johns Hopkins University Information Security Institute, RSA Laboratories
[Draft, 28 Jan 2005]

Gordon Housworth

Cybersecurity Public  Infrastructure Defense Public  



"Evil twin" WiFi base station cloning enters the wild


Evil twin base station cloning, identified by Internet Security Systems (ISS) in the US in 2002, has now appeared in the wild in the UK, a surprising lag of over two years:

BaseStation Clone (Evil Twin) intercept traffic

An attacker can trick legitimate wireless clients to connect to the attacker’s honeypot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attacker’s honeypot servers. With false login prompts, the user unknowingly can give away sensitive data like passwords.

Never strong on encryption even when properly set up, WiFi hubs are sold in their most permissive TX mode. Base stations can be sniffed by readily available war driving tools and those found open can be exploited passively. Base station cloning goes one step further and overwhelms (jams) the legitimate signal of the sniffed base station with a stronger one, or one closer to the wireless client.

In a technically trivial exploit, the evil twin hotspot is then substituted as a honey pot:

Once an unknowing user has connected to an evil twin, a hacker can intercept transmitted data. Users are invited to log into the evil twin with bogus login prompts and can be lured into passing sensitive data such as user names and passwords.

While users are commonly urged to be attentive when using WiFi-enabled laptops or PDAs to conduct financial transactions or handle sensitive personal or corporate data, users are often forgetful, or are inattentive when setting up the PC, thus leaving themselves vulnerable. Worse, many users do not know what is valuable to whom, and so they utilize certain services that provide critical data to a collector. (The exploit is so simple that a targeted individual can be surveilled for frequented hotspots and then an evil twin substituted at the appropriate time.)

As the traffic of the targeted individual(s) and all collateral innocents is passed along to the intended sites, the victims are none the wiser. Users should enable all WiFi security features and install a firewall on the portable device. (Those users with more advanced security connections such as 802.1X authentication or VPN tunnels are not affected.)
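From the defender's side, the traits described above are exactly what a routine wireless site scan can be checked against: our SSID advertised by a BSSID we never deployed, an open network where ours is protected, a signal stronger than any authorized base station, or one of our own BSSIDs showing up on the wrong channel or with the wrong security (a clone that copied the MAC as well). The following Python is an added example, not ISS's or any vendor's code; the allow-list, BSSIDs and scan records are constructed for illustration.

```python
"""Evil-twin / rogue access point check over a wireless scan (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int
    security: str          # "open", "wep", "wpa2", ...


# Access points we actually operate, keyed by SSID then BSSID (constructed allow-list).
AUTHORIZED = {
    "CorpNet": {
        "00:11:22:33:44:01": {"channel": 6, "security": "wpa2"},
        "00:11:22:33:44:02": {"channel": 11, "security": "wpa2"},
    },
    "CorpGuest": {
        "00:11:22:33:44:10": {"channel": 1, "security": "wpa2"},
    },
}

# One pass of a site scan (constructed): two real CorpNet APs, a clone of the
# second one on the wrong channel with no encryption, an unknown strong open AP
# using our SSID, a neighbour's network, and the guest AP.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:01", 6, -60, "wpa2"),
    Beacon("CorpNet", "00:11:22:33:44:02", 1, -50, "open"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, -35, "open"),
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 11, -75, "open"),
    Beacon("CorpGuest", "00:11:22:33:44:10", 1, -65, "wpa2"),
]


def check_beacons(beacons, authorized=AUTHORIZED):
    """Return one finding per suspicious beacon: {"ssid", "bssid", "reasons"}."""
    findings = []
    by_ssid = {}
    for b in beacons:
        by_ssid.setdefault(b.ssid, []).append(b)
    for ssid, seen in by_ssid.items():
        known = authorized.get(ssid)
        if known is None:
            continue                       # somebody else's SSID; not ours to police
        legit_rssi = [b.rssi_dbm for b in seen if b.bssid in known]
        strongest_legit = max(legit_rssi) if legit_rssi else None
        for b in seen:
            reasons = []
            if b.bssid in known:           # BSSID is ours: does it look like ours?
                exp = known[b.bssid]
                if b.channel != exp["channel"]:
                    reasons.append(f"channel {b.channel}, expected {exp['channel']}")
                if b.security != exp["security"]:
                    reasons.append(f"advertises {b.security}, expected {exp['security']}")
                if reasons:
                    reasons.insert(0, "authorized BSSID with unexpected parameters (possible clone)")
            else:                          # our SSID from a BSSID we never deployed
                reasons.append("unknown BSSID advertising our SSID")
                if b.security == "open":
                    reasons.append("open network impersonating a protected one")
                if strongest_legit is not None and b.rssi_dbm > strongest_legit:
                    reasons.append("stronger signal than any authorized AP")
            if reasons:
                findings.append({"ssid": ssid, "bssid": b.bssid, "reasons": reasons})
    return findings


def findings_by_bssid(beacons=SCAN):
    """Convenience view of check_beacons() keyed by BSSID."""
    return {f["bssid"]: f for f in check_beacons(beacons)}
```

The check deliberately ignores SSIDs that are not ours; the point is not to catalogue the neighbourhood but to notice when something claims to be us. A clone that copies channel, BSSID and security all at once slips past this, which is why the text's advice on 802.1X and VPN tunnels matters: those make the client verify the network rather than trusting what it sees.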

I predict that the evil twin exploit will be extended to surreptitiously downloading malware onto vulnerable machines for subsequent exploitation.

The problem or the opportunity, depending on your point of view, will only increase as hotspots expand from today's 50,000 to some 200,000 sites by 2008. (California, for example, will install WiFi links in 85 state parks over the next six months.) Jiwire currently lists the top ten WiFi hotspot nations, in descending order, as the US, UK, Germany, France, Japan, Switzerland, Italy, Spain, Canada, and Australia.

The problem will persist until older, vulnerable legacy machines are washed from the user community.

'Evil twin' fear for wireless net
2005/01/20 10:30:20 GMT

Are You Vulnerable? Wireless, Worms and Cyber Threats
David Gerulski, Internet Security Systems

Gordon Housworth

Cybersecurity Public  InfoT Public  



New breed of hostile Navaho Talkers, Part 2


Part 1

IRC gained international fame during the 1991 Gulf War, when television and other forms of communication were out in Irak and Kuwait, IRC users gathered on a single line in these countries and gave out reports to the rest of the world. The same was repeated during the Russian Coup in 1993, IRC users in Moscow gave live reports about the unstable situation.

In the absence of TV and radio broadcasts, IRC took regional center stage. (Go here for archives of some of these early 'blog' equivalents. Many have the genuine feel of battlefield dispatches.) "IRC is the net's equivalent of CB radio," but in global real-time, that has grown along with the net, with channels now numbering in the thousands and users in the hundreds of thousands.

Whereas many if not most Western readers now use the Web to navigate the net, specialized communities have long used IRC for its instant one-to-many communication and for its anonymity. Ordinary users have been joined by sexual predators, pedophiles, hackers, crackers, criminals, and terrorists. Personal handles are not identified and the hosting site may be beyond legal reach, in which case any legal challenge for transparency would just see the perp melt away.

Now combine IRC with multiple foreign languages (shifting between them to complicate listening). Languages other than Romance languages are often difficult for machine translation, and we have already noted the US lack of skilled or trustworthy native Arabic translators. Transliteration of various Arabic names into English is maddening, making identification full of false negatives and positives.

One of the terrorists, Abu Abdul Rahman, pretended to send a love message via an Internet chat room to his German girlfriend, who was actually Binalshibh. It contained more code for the attacks:

"The first semester commences in three weeks. Two high schools and two universities. ... This summer will surely be hot ...19 [the eventual number of hijackers] certificates for private education and four exams. Regards to the professor. Goodbye."

Add creative terms:

About three weeks before September 11, targets were assigned to four teams, with three of them bearing a code name: The U.S. Capitol was called "The Faculty of Law;" the Pentagon became "The Faculty of Fine Arts;" and the North Tower of the World Trade Center was code-named by Atta as "The Faculty of Town Planning."

"Two sticks, a dash and a cake with a stick down": two sticks is the number 11, and a dash is a dash and a cake with a stick down is the number 9. And that was September 11, or '11/9' in most parts of the world.

Add religious allusions and cultural phrasing spanning centuries, tribes, and regions across the Arab world, languages and dialects rich in puns, and we have a new breed of Navaho Talkers arrayed against us.

Efforts are now underway to search for statistical patterns in the chatter.

Using a form of traffic analysis on selected chat rooms, the intent is to isolate "hidden communities":

If, for instance, RatBoi and bowler1 consistently send messages within seconds of each other in a crowded chat room, you could infer that they were speaking to one another amid the "noise" of the chat room.

Knowing who talks to whom is the first step in identifying a network, even if message content is not known; the more manageable volume that results can then be addressed with higher order attacks and decryption. As message context is examined, one would expect a capture of which keywords are used by which writer in what order. One would also expect a number of linguistic tools to be tested in order to tease out meaning from associated phrases.
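The inference in the quoted "RatBoi and bowler1" sentence can be run on nothing more than timestamps and nicknames. The following Python is an added example, not the RPI tool's code: over a constructed chat-room log it counts, for every pair of nicknames, how often one posts within a short window of the other, and reports the pairs that stand out from the room's background traffic. The log, the nicknames other than the two in the quote, the window and the threshold are all constructed.

```python
"""Who-talks-to-whom from timing alone (added example; log is constructed)."""
from collections import defaultdict

# Constructed chat-room log: (seconds since capture start, nickname).
# Message text is deliberately absent; the inference uses timing only.
LOG = [
    (0, "RatBoi"), (2, "alice"), (4, "bowler1"), (9, "RatBoi"), (12, "bowler1"),
    (15, "bob"), (20, "RatBoi"), (23, "bowler1"), (27, "carol"), (31, "RatBoi"),
    (34, "bowler1"), (40, "dave"), (45, "alice"), (50, "bob"), (55, "carol"),
]


def cooccurrence_counts(log, window):
    """Per unordered nick pair, count messages that follow the other's within `window` s."""
    ordered = sorted(log)
    counts = defaultdict(int)
    for i, (t_i, nick_i) in enumerate(ordered):
        for t_j, nick_j in ordered[i + 1:]:
            if t_j - t_i > window:
                break                      # log is sorted: nothing later qualifies
            if nick_j != nick_i:
                counts[tuple(sorted((nick_i, nick_j)))] += 1
    return dict(counts)


def message_counts(log):
    counts = defaultdict(int)
    for _, nick in log:
        counts[nick] += 1
    return dict(counts)


def hidden_pairs(log, window=6.0, min_count=3):
    """Pairs whose co-occurrence count reaches min_count, strongest first.

    Each row is (nick_a, nick_b, count, coupling); coupling divides the count
    by the busier member's message total, so two prolific posters who merely
    share a crowded room score lower than a pair that genuinely alternates.
    """
    per_nick = message_counts(log)
    rows = []
    for (a, b), c in cooccurrence_counts(log, window).items():
        if c >= min_count:
            rows.append((a, b, c, round(c / max(per_nick[a], per_nick[b]), 2)))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))
```

On this log every other pair co-occurs once or twice by accident of a busy room, while RatBoi and bowler1 co-occur five times in five exchanges. In practice the window and threshold have to be calibrated against the room's own traffic rate, since a crowded channel produces many spurious near-simultaneous posts; that calibration, not the counting, is the hard part.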

Not an easy task, but a necessary one.

A Tool for Internet Chatroom Surveillance
Ahmet Camtepe, Mukkai S. Krishnamoorthy, and Bulent Yener
Department of Computer Science, RPI, Troy, NY 12180

Ibiblio, "The public's library and digital archives"
Collaboration of the
center for the public domain and unc-ch
Gulf War IRC chats
Note subdirectory for Desert Storm

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  



"Two sticks, a dash and a cake with a stick down": just the tip of a new breed of hostile Navaho Talkers


Instant Messaging (IM) was not the first instant digital communication. Whereas "Substitute terrorist, even criminal, for file-sharing pirate" dealt with the leading edge of hostile COTS communication, we should not overlook the low end long used by innocents, criminals, and terrorists alike, Internet Relay Chat (IRC), wrapped in jackets of languages which we have difficulty in translating in any volume, e.g., Arabic, that employ cultural and religious allusions to further obscure the writer's intentions.

Some history: Chat systems began to rise in 1984, on the Internet's predecessor, ARPANET, quickly coming to the attention of administrators concerned that the original intent of file transfers was being overwhelmed:

Around February of 1985, Henry Nussbacher sent a lengthy letter to every node administrator and technical contact in Bitnet which said "chats represent the most serious threat ever to the future of Bitnet" and that sites should hunt down and destroy any they found in existence.

Surviving, four chat Relays had been linked by June 1985, and matured into BITnet Relay Chat. Inspired by BITNet and early UNIX tools, Jarkko "WiZ" Oikarinen wrote the first IRC client and server at the University of Oulu, Finland in 1988. A Finnish network arose, Funet, and was soon connected to the Scandinavian Nordunet. MIT was the first US user and, along with two other schools, launched a transatlantic link. By mid-1990, IRC averaged 12 users on 38 servers.

IRC was designed from the onset as a means of instant communication via the net (not to be confused with the World Wide Web which also sits on the net), for group (one-to-many) communication in discussion forums called channels, but it also permits one-to-one communication.

A channel is a named group of one or more clients which will all receive messages addressed to that channel. The channel is created implicitly when the first client joins it, and the channel ceases to exist when the last client leaves it. While channel exists, any client can reference the channel using the name of the channel.

The result is a very flexible comm link that can be used on PCs and PDAs alike; the latter allows it to join cellphones in forming a redundant mobile command and control system. (Iraqi cell traffic rises whenever US convoys leave the Green Zone.) PC users generally use mIRC software while Mac users use Ircle. Mobile users have PalmIRC for Palm Pilots and SmartSoft for PocketPCs among others.
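To make the channel semantics quoted above concrete, here is an added Python example (not code from any IRC server or client) that parses RFC 1459 message lines and keeps channels the way the quote describes: created implicitly on the first JOIN, gone when the last member leaves, with PRIVMSG to a channel fanned out one-to-many and PRIVMSG to a nick delivered one-to-one. The nicks, hosts, channel name and replayed session are constructed.

```python
"""RFC 1459 message parsing and channel lifecycle (added example, not server code)."""


def parse_message(line: str):
    """Split '[:prefix] COMMAND params [:trailing]' into (prefix, COMMAND, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:
        head, trailing = line.split(" :", 1)   # trailing parameter may contain spaces
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0].upper(), params[1:]


def nick_of(prefix):
    """'nick!user@host' -> 'nick'."""
    return prefix.split("!", 1)[0] if prefix else None


class ChannelRegistry:
    """Server-side view of channels as the RFC text describes them."""

    def __init__(self):
        self.channels = {}      # channel name -> set of member nicks
        self.delivered = []     # (target, sender, recipients, text)

    def handle(self, line: str):
        prefix, cmd, params = parse_message(line)
        nick = nick_of(prefix)
        if cmd == "JOIN":
            for chan in params[0].split(","):
                # Created implicitly when the first client joins.
                self.channels.setdefault(chan, set()).add(nick)
        elif cmd == "PART":
            for chan in params[0].split(","):
                self._leave(chan, nick)
        elif cmd == "QUIT":
            for chan in list(self.channels):
                self._leave(chan, nick)
        elif cmd == "PRIVMSG":
            target, text = params[0], params[1]
            if target in self.channels:
                recipients = sorted(self.channels[target] - {nick})   # one-to-many
            else:
                recipients = [target]                                 # one-to-one
            self.delivered.append((target, nick, recipients, text))

    def _leave(self, chan, nick):
        members = self.channels.get(chan)
        if members and nick in members:
            members.discard(nick)
            if not members:
                del self.channels[chan]   # ceases to exist when the last client leaves

    def snapshot(self):
        return {c: sorted(m) for c, m in self.channels.items()}


def run_demo():
    """Replay a constructed session; returns the registry and a snapshot after each line."""
    script = [
        ":alice!a@host1 JOIN #ops",
        ":bob!b@host2 JOIN #ops",
        ":alice!a@host1 PRIVMSG #ops :status?",
        ":carol!c@host3 PRIVMSG alice :private hello",
        ":bob!b@host2 PART #ops",
        ":alice!a@host1 QUIT :leaving",
    ]
    reg, snapshots = ChannelRegistry(), []
    for line in script:
        reg.handle(line)
        snapshots.append(reg.snapshot())
    return reg, snapshots
```

The `delivered` list is the server's view of who received what, which is the same view a monitoring point on the server side would have; the nick in the prefix is whatever the client asserted, which is the anonymity the text refers to.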

Part 2

U.S. Funds Chat-Room Surveillance Study
Associated Press
Posted on Mon, Oct. 11, 2004

CIA pumps capital into linguistics software
By Wilson P. Dizard III
April 9, 2004

Taming the Task of Checking for Terrorists' Names
New York Times
December 30, 2002
Original has scrolled to archive

Al-Jazeera offers accounts of 9/11 planning
September 12, 2002

Gordon Housworth

Cybersecurity Public  InfoT Public  Strategic Risk Public  Terrorism Public  


