The relationship between surveillance and censorship

Spying ProgramIn the online world, surveillance and censorship are two sides of the same coin, you can’t have one without the other.

When the government moots a ‘blogger registration’ act , we automatically infer it to be part of a wider censorship initiative, an attempt to control the narrative by subtlety telling bloggers “we know who you are, so watch what you say”.

We intuitively get that putting a whole community under surveillance is a bid to control expression within that community, and if someone was even ‘potentially’ watching you–your behavior would change.

But the internet has made the connection between surveillance and censorship work in reverse, not only does surveillance lead to censorship,  but censorship leads to surveillance as well. Continue reading

Singapore Historical PSI Readings in Excel

Haze MalaysiaEvery now an again, I brush off the dust from an old laptop I have in the corner, and boot-up a couple of forgotten python scripts.

One of those scripts would scrap the DOE Malaysia website for API readings in Malaysia, unfortunately, those damn fools at the DOE now only publish 7-day data, and completely wipe off anything older–for some unknown reason.

I even contacted my ‘insider’ over at MDEC to help out, since she’s leading the open data initiative, but I’ve not had any response. So I’ve stopped work on the collating Malaysian API readings–for now. I suppose I could create a schedule job to scrape the website on a frequent basis, but that’s not something I’m interested in at the moment.

But on a lighter note, I did modify the script to scrape data from the Singapore National Environmental Agency–and here’s the latest PSI readings that go all the way back to April 2014, right up to yesterday (23-Mar-2016). This modification was part of my work last year to compare the PSI values that Singapore was reporting against the API values in Malaysia, (there was a wide discrepancy, check out my report here)

As usual they come in lovely csv files (separated by colons instead of commas, use the text to columns function in Excel to break them apart), and the full python script is fully available on my github page here.

All stuff produced on keithRozario.com is released under creative commons 4.0 (Attribution), which basically means who can use it for whatever you like–feel free, and don’t worry about the government either, nobody holds ‘copyright’ to facts like PSI readings (I don’t know why people often ask me this), and the Singapore government does make this freely available, but not in a easy to crunch csv file.

So without further delay, here’s the CSV files”

Singapore-PSI-Readings (click to download)

Enjoy.

P.S If this work has helped you in any way, would you mind leaving a comment below, helps me keep track of which of my crazy projects actually bring value to the wider community. Check out some climate change findings, based on my previous API reading work here.

TL;DR

For the truly un-initiated, here’s the Google Sheets version of the Singapore readings. They had to be in individual sheets, because together they exceeded the cell-limit in Google Sheets. All in all, it’s 17,000+ data points per region, so enjoy at your own risk 🙂

Central , West , East,  South, North

Security vs. Liberty : Sometimes it’s security and liberty

A public service announcement from our good friends at the FBI, warns that motor vehicles are increasingly vulnerable to remote exploits, which in the wake of the bad-ass research from Chris Valasek and Charlie Miller shouldn’t be shocking.

What struck me, is that the security advice the FBI is offering drivers was identical to the advice cybersecurity experts have been giving to–well just about everyone. As more of your car intertwines with software to provide things like automatic wipers, ABS and even bluetooth audio, the more it becomes susceptible to cyber attacks we traditionally associated with software on servers rather four-wheeled auto-mobiles.

So it would seem obvious that a car with more software bells and whistle would be less secure than a simple ‘hardware only’ car, and from one point of view that’s true.

But should you rush out to buy a 10 year old Honda Civic with no connectivity to the outside world?

It depends.

If you’re buying the car for your family and the you’re more likely to be in a road accident than you are to be hacked by guys like Charlie Miller–you’re better off buying a newer car with modern safety features even if it makes you susceptible to certain attacks. You certainly wouldn’t want to be in an accident in a car without airbags, or crumple zones built to protect passengers.

Compromising security in the name of safety isn’t something people are comfortable doing, but you never deal with absolutes here.

Security is always a compromise,  sometimes you give up convenience, sometimes you give up money, in some cases you even give up safety. Buying a newer car presents a bigger attack surface for ‘hackers’ to target you, but buying an older car presents a bigger risk for when you get into an accident, and because accidents are more likely than hacks, the choice seems straightforward.

However, before we begin to balance security vs. something else, we need to define the term security–and that’s not a straightforward process.

The definition of what is secure, begs the question–secure from what? You need to identify your attacker and their methods, before you can secure your defences. Going back to the car example, a newer car with more connectivity to the internet might be susceptible to hackers like Charlie Miller, but could also have shatter-proof windows which may offer better protections from parang wielding car jackers. Which of those two attackers are you more likely to encounter?

Think about the gated-guarded communities that have poped up all over Malaysia, sure these neighbourhoods provide security from the opportunistic criminals, like the wandering thief on his motorbike looking for expensive shoes you left outside your home. But they provide almost no extra security from a skilled attacker who employs both patience, knowledge and occasional violence to get the job done. For them, Nepalese guards who wave in everyone at the entrance present little deterrence.

So when we talk about FBI vs. Apple, people tend to conflate it as a case of security vs. privacy or even broader as security vs. liberty. But before we broadly frame this question, we need to define which liberty are we affecting, and what security are we augmenting.

The FBI is an investigative body, charged with investigating federal crimes. If their powers and capabilities are restricted by either technology or law,  they presumably would be less effective in catching criminals. Hence, if Apple designs smartphones that nobody (even the FBI) can’t access, criminals will remain free and our collective security suffers as a result. In other words, unless we give up some personal privacy, we cannot get the security of knowing criminals are behind bars.

But what about other attackers, like cyber-criminals and state sponsored attackers?

The NSA, who have the wholly different task of national security, feel that if Apple designs smartphones that even the FBI can’t access,  it means Russian cyber-criminals and Chinese state sponsored attackers won’t have access as well(or at least have a much harder time gaining access). And since nearly every federal employee carries a smartphone, the collective national security of the country is better protected by protecting the privacy of individual citizens.

Two different attackers result in two different definitions of security.

The latter example actually posits a scenario where liberty and security go hand in hand, where we get more of both simultaneously, win-win.

We also haven’t ventured into the territory where the government is the attacker. For many citizens living in despotic regimes that is a real and present evil. If Apple builds phones that ‘protects’ criminals from the likes of the FBI, those same phones protect journalist and human rights activist from their repressive governments.

It’s another version of collateral freedom, we all use the same internet, and protections we grant ordinary law-abiding citizens are the same protections we grant criminals. But since that are far more good people than evil bad guys, that’s an effective comprimise–it isn’t perfect, but a rational decision to take.

The alternative is to remove the protections from criminals, but at the same time deny them to ordinary citizens as well. That’s just not rational.

I would be disingenuous if I didn’t point out that in some cases we do need to give up liberty for safety. We have to allow police officers to carry out their duties, we grant the government powers to imprison the criminals among us, and we remove the ‘liberty’ parents have when it comes to vaccinating their children–all in the name of security.

The point of this post is stimulate you to think more deeply about the liberties we sometimes sacrifice in the name of security, for example we offer ourselves for groping at airport security for the ‘comfort’ of others, there’s only a tiny miniscule chance that our particular flight were chosen for a terrorist attack, but we think of this as security. Security Bruce Schneier puts it wonderfully:

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it’s based on identity, and there are limitations to that sort of approach. Since 9/11, two—or maybe three—things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and—possibly—sky marshals. Everything else—all the security measures that affect privacy—is just security theater and a waste of effort.

-Bruce Schneier

That reinforced cockpit door that protects pilots from terrorist also protected Andreas Lubitz when he took the helm of German Wings flight 9525 and crashed it into the french countryside killing himself and all 150 souls board.

Security entirely depends on who your adversary is and how they will carry out their attacks.

TL;DR

I drive a 3rd generation Prius, which has bluetooth audio, so that I can play my podcast from my phone through my car audio. That same audio headset can display the ‘state’ of the hybrid drive train–whether it’s driven by battery or the engine,  so that would mean the CAM bus on my car is exposed to the outside world via a Bluetooth connection. I accept this risk because I enjoy pod-cast too much, and that the Prius was the cheapest NCAP 5-star car I could buy, I compromised security over safety.

Hate Speech is defined by private companies

FirstAmendmentYou don’t have a right to freedom of speech.

Obviously true if you’re Malaysian, but even Americans only enjoy a liberty in freedom of speech and not an absolute right.

The difference is clear, liberties are protections you have from the government, while rights are something you have from everyone.

So if someone threatened your right to live, the government is obligated to intervene and protect that right, because your right to live is a protection you have from everyone, whether it be a common criminal, abusive husband or Ayotollah Khomeini.

On the other hand you only have a liberty in freedom of speech (at least in an American context), which means that the government can’t prevent you from speaking, or penalize you for something you said.

However, the government is under no obligation to ensure your speech gets equal ‘air-time’, a newspaper may decline to publish your article, an auditorium may elect to deny you their roster, and online platforms like Facebook may choose to remove your post–all of which do not violate your freedom of speech, because freedom of speech is protection only from the government (state actors) and not from private entities.

And like all liberties and rights, freedom speech is not absolute. Under strict conditions even the US government can impose limits to what they’re citizens can say, or penalize them for things they have said.

In the case of freedom of speech, a liberty defined in their first amendment, those strict conditions are very strict indeed. In order for the government to infringe on the freedom of speech, it must demonstrate a imminent danger that will result in a serious effect.

In other words the government must be able to prove that if the speech were given freedom, there would be an imminent threat of something serious. Both the imminence and seriousness must be proven, failing which the government cannot infringe on that speech. This is indeed a very tall hurdle to climb, and based on my cursory research no case has ever reached this limit. Continue reading

FBI vs. Apple : Everything you need to know part 2

broken-fence

The Apple vs. FBI story has evolved so much in the past weeks, I thought I needed to write a separate post just on the updates. Admittedly, the story is far more complex and nuanced that I initially presumed, and everyone wants to be part of the conversation.

On one side, we have the silicon valley tech geeks, who seem to be unanimously in the corner of Tim Cook and Apple, while on the other  we have the Washington D.C policy makers, who are equally supportive of James Comey and the FBI whom he directs.

But to understand this issue from a fair and balanced perspective, we need to frame the correct question, not just what the issue about, but who is the  issue really focused on.

This isn’t just about the FBI or Apple

Framing this as the FBI vs. Apple or The Government vs. Apple is wrong. This is Law Enforcement vs. Tech Companies.

The FBI is just a part of the The Government, specifically the part tasked with investigating federal crimes.James Comey, FBI director, is genuinely trying to do his job when he uses the All Writs Act to compel Apple to create a version of iOS that would allow them to brute-force the PIN code.

But there are other parts of The Government, like the NSA, who have the wholly different task of national security. To them, if a smartphone, is genuinely secured from FBI, then it’s secured from Russian Cybercriminals and Chinese State Sponsored actors too (probably!).

And because so much data are on smartphones, including the smartphones of federal government employees, the national security interest of America is better protected by having phones that are completely unbreakable, rather than ones the provide exceptional access to law-enforcement. Exceptional being defined as, no one has access except for law enforcement, and perhaps TSA agents, maybe border patrol and coast guard–you can see how slippery a slope ‘exceptional’ can be. Oh and by the way, exceptional doesn’t exist in end-to-end encryption.

Former NSA director, Michael Hayden, has openly said “I disagree with Jim Comey. I actually think end-to-end encryption is good for America”. So it appears the NSA has an interest of national security that competes with the FBIs interest of investigating crimes.

The Government isn’t a single entity with just one interest, rather it is a collection of agencies with sometimes competing objectives, even though they all ultimately serve their citizens.  Experts believe the NSA has the capability to crack the iPhone encryption easily, but are refusing to indulge the FBI, because–well it’s hard to guess why the NSA don’t like the FBI.

Susan Landau,  a member of Cybersecurity hall of fame (yes it does exist), detailed two methods the FBI could hack the iPhone in her testimony to House Judiciary Committee. Both methods involved complicated forensics tools, but would cost a few hundred thousand dollars (cheap!) , and wouldn’t require Apple to write a weakened version of iOS. If the goverment can get into the phone for $100,000 , that would mean it couldn’t compel Apple under the All Writs Act (AWA).

Remember, the FBI buy their spyware from the lowlifes at hacking team, which means they’re about as competent as the MACC and Malaysian PMO, but if Comey and Co. can afford $775,000 on shit from Hacking Team, I’m guessing $100,000 for a proper computer forensics expert isn’t a problem.

But maybe there’s an ulterior motive here, at the very recently concluded Brooklyn iPhone case, Magistrate Judge Orenstein noted that necessity was a pre-requisite for any request made under AWA, and if the FBI have an alternative for a reasonable price, then Apple’s support was not necessary, and hence outside the ambit of the AWA. So maybe the NSA isn’t providing the support to necessitate the NSA.

An this isn’t singularly about the FBI either. The New York A-G is waiting for this case to set precedent before he makes request for the 175 iPhones he’s hoping to unlock for cases that aren’t related to terrorism or ISIS. You can bet he’s not the only A-G waiting for the outcome, and it’s highly unlikely for the Judge to make her ruling so specific that nobody except the FBI could use it as precedent.

But it’s also not just about Apple. The legal precedent set by this case would apply not just to every other iPhone, but possibly every other smartphone, laptop, car or anything else we could squeeze into the definition of a computer. This is about more than Apple, and that’s why the tech companies are lining up in support of Mr. Cook, 32  such companies the last I checked.us vs. them

But now that we’ve framed the ‘who’ , let’s frame the ‘what’. Continue reading