Whistleblowing and Internal Monitoring/Investigations

Many thanks again to the Faculty of Law at the University of Hong Kong for hosting my presentation on “Whistleblowing & Internal Monitoring/Investigations” yesterday. It was a really interactive and responsive class. The scheduled three hours was barely enough to cover what I estimated to be an hour plus presentation thanks to all the interesting questions and my sincere apologies to the class for rushing through the latter parts of the slides.

One question at the end of the session, what’s the take-away on the topic.

With and without a poison-pen letter from a whistleblower, a pre-transaction reputation/investigative due diligence should always be conducted ahead of all other types of due diligence. This is not a biased opinion but one proven by real life experience from many past cases whereby some serious and damaging red flags on reputation issues/risks could potentially kill a transaction no matter how good the counterparties emerged in the legal, financial and other due diligence – although in some situations clients took advantage of the negative findings to re-negotiate terms for the pending transaction. Information is power!

In a post-transaction external/internal investigation especially one potentially heading to the courts, with and without a poison-pen letter, it is critical to conduct public records research first as the findings could be documented evidence legally admissible in courts that can help the lawyers and clients win the case. If the public records search turns out futile (a likely scenario in non-transparent and opaque jurisdictions), the findings from intelligence becomes pivotal.

I shared with the class an example of a typical court case whereby the client wins if we can prove two people A & B collaborated on a fraud scheme. No surprise they denied even knowing each other. A barrister once told me how he often receives surveillance photos of A & B say having coffee together as evidence – and how he can easily lose the case with such weak evidence. The best evidence is to prove the two have a long history of relationship – they attended the same school (public records), they were past business partners (public records), their companies were sued (public records), they commented on each other’s FaceBook (could be public records), etc. In the absence of any/sufficient public records evidence, findings from intelligence gathering can potentially turn into public records and important evidence. Consider:

– They not only attended the same school but same class, same computer club and even went on a school camping trip to Nepal when they were 10. The latter are findings from intelligence gathering
as they may be difficult to find in public records but the sources could provide photos as proof.

– They were in the same WhatsApp & WeChat groups? A source from the group could provide a screenshot of group members as proof.

– They were neighbors when they were young? This could be difficult to prove in public records because they don’t own the properties then but if there’s a lead they were neighbors, a search on their parents names could lead to documented proof.

Hence the importance of intelligence gathering. And thinking out of the box.

Shhhcretly Exclusive: Edward Snowden’s Warning Cry

Shhhcretly is pleased to have the exclusive rights to release the English version of this coverage on Edward Snowden.

This original article was first published 1 December 2018 in German in the Austrian newspaper Der Standard, which reserves the publishing rights.

Shhhcretly would like to thank Der Standard and Steffen Arora for their kind permission to share the translated piece exclusively on this blog.

(Above) Photo credit: Lindsay Mills 2018.

 

Edward Snowden’s warning cry
By Steffen Arora
Der Standard, 1st December 2018

Former CIA contractor Edward Snowden’s revelations shone a light on the western world’s surveillance practices. But he, and those who helped him, are paying a high price. He talks to Der Standard about the need to fight on.

“This is retaliation.” In an interview with Der Standard, Edward Snowden spoke in no uncertain terms about the authorities’ treatment of the people who saved his life. In June 2013, the former US intelligence services contractor became a hounded whistleblower after he exposed the extent to which the US and its allies carry out global surveillance of the internet and digital communications, regardless of suspicious activity. He made these revelations from Hong Kong, never expecting that the moment they were published, he would become the world’s most wanted man.

It was the same moment that Robert Tibbo’s telephone rang. The Canadian had made a name for himself in the city as a dedicated human rights lawyer. He fought for the rights of asylum seekers living a pariah existence in Hong Kong – with next to no chance of their status being recognized and leading a decent life there. Tibbo saw Snowden as another refugee who needed help. To hide him from his pursuers, Tibbo found shelter for Snowden with some of his other clients; asylum seekers from Sri Lanka and the Philippines.

“They were warm, welcoming and kind. When I had fallen to the bottom of the world, they helped me up without giving a damn about who I was,” Snowden says. In the current political climate, loaded with the fear of outsiders, Snowden holds the refugees’ actions in even higher regard. “Their example, their humanity, it gave me a reason to keep fighting.”

Refugees and their lawyer under pressure

Not only Snowden, but also those who helped him, are now paying a high price for their actions. The US continues to accuse Snowden of spying and demand his extradition – and President Donald Trump would like to see him executed. Meanwhile, the seven refugees and their lawyer Mr. Tibbo are under pressure from the Hong Kong authorities.

In 2018, it is no longer an exception that human rights lawyers like Tibbo become the object of persecution themselves, says Manfred Nowak, Austrian human rights lawyer and former United Nations Special Rapporteur on Torture. Not only lawyers, but also journalists and activists from NGOs are being increasingly targeted, he says, even murdered, as records such as Russia’s show. “Human rights have not been in a crisis like this since the end of the Second World War,” Nowak says.

For Snowden’s helpers, the situation has deteriorated to the extent that this week, Tibbo turned for help to a selection of media outlets including the New York Times, Paris Match and Der Standard. He himself was forced to leave Hong Kong under diplomatic protection. He had to leave the seven refugees behind.

Effectively in exile, he continues working for his clients, who are living in constant fear of deportation. No country wants to take them in. Even Canada, which showed willingness to do so back in 2016, appears to have retreated in the face of pressure from abroad.

“Death by delay” is how lawyers such as Pascal Paradis from the NGO Lawyers Without Borders, which has been working on the case, describes this process. Snowden himself, fleeing US authorities, was left stranded in Moscow. Since then he has faced accusations that he is a Russian spy.

In fact he was aiming for Latin America, he says. “The Department of State failed to cancel my passport in time to keep me from leaving Hong Kong. But once they realized I was in the air en route to Latin America, they made public announcements to put every government around the world on notice that they intended to block my freedom of movement.”

No asylum in Austria

When he landed in Moscow for a stopover, he was stuck and could not travel further. All of his asylum applications in Europe were rejected, including by Austria. “This more than anything else is what prevents me from leaving Russia,” Snowden says in response to his critics. “If major powers of Europe can be induced by this or that secret promise to be violators of the asylum right rather than its guarantor, you can’t help but question the whole system. If you can’t count on a right now, can you count on a law?”

Manfred Nowak also sees this danger. “Democracy as a form of government is increasingly coming under pressure, as we can see in the US, Great Britain, Hungary, Poland or Italy. These countries are governed by populists, who came to power through democratic channels, but are now attacking democracy.” Nowak sees Brazil’s new president, Jair Bolsonaro, as a particularly stark example of a fascist being voted in to lead a democracy.

Nowak stresses the importance of learning from history: Free elections have destroyed democracies time and time again. “Strident democracies” urgently need to defend themselves against “pseudo- democracies,” he says, pointing to leaders such as Trump, Viktor Orban and Bolsonaro.

The western world is currently experiencing a backlash, meaning human rights defenders must go on the offensive, Nowak says. “Everyone must do their bit,” he warns emphatically. “Otherwise it could be too late.”

Nowak sees this backlash in Austria too, where the center-right and far-right are governing in coalition. “Measures are being taken which are being seen, and therefore criticized, as restrictions on the constitutional state, democracy and human rights.”

“There’s a machine behind it”

Snowden sees the refugees’ treatment and his own as telling. “You can’t look at something like this without getting a sense that the mask has dropped, and behind all the pretense of civility and process we like to believe governs our little day to day, there’s a machine behind it that would burn everything we love to the ground without a tear if it meant making a problem go away.”

Snowden is convinced it’s no coincidence that those who helped him are now being targeted. “They’re worried about the example of these families, the symbol their moral choice represents. Anybody can look at this situation and see at a glance who is right and who is wrong.”

But if the “big governments” manage to rewrite this story with an unhappy ending for those involved, they will also succeed in changing the positive message of his work with a single blow, Snowden warns. He says he does not know how far state institutions would go to achieve this, “but they’ve already gone too far.”

Human rights lawyer Nowak has first-hand experience of the conditions in Hong Kong, where the seven migrants are currently stuck. He trained lawyers there; Tibbo was one of his students.

Nowak says he knew the Hong Kong Bar Association, which is putting the Canadian lawyer under pressure and sabotaging his mandate for the refugees, as an “independent institution.” He can only assume the bar’s current treatment of Tibbo is a result of “enormous pressure from outside.”

Snowden has called on his supporters not to give up on the fight for a free world. And above all the fight for those who helped him. “Take a look at the world. Before long, we’ll all feel like refugees.”

NOTE: Documents evidencing the Hong Kong Bar Association egregious treatment of Mr Tibbo can be found in the Der Standard article as embedded PDFs: https://www.derstandard.at/story/2000092725390/pressure-mounts-on-edward-snowdens-lawyer-robert-tibbo?ref=article

Shhh… The Matrix, With Mozilla

This is really terrific news for the privacy conscious and open source community – Mozilla is joining the Matrix, the new protocol for open, decentralized, encrypted communication.

The Matrix protocol aims to create a global decentralized encrypted real-time communications network that provides an open platform similar to the Web.

One general (and major) appeal of Matrix is that it works seamlessly between different service providers by supporting what is known as “bridging messages” from different chat applications into the “Matrix rooms”. These bridges currently include popular communications apps like WhatsApp, WeChat, Telegram, Signal, Skype, Facebook Messenger, etc. In laymen’s terms, you can add your favorite communications apps to Matrix for better (and ultimate) privacy protection.

The Matrix community, admittedly still in its infancy but with huge potential, is understandably thrilled in welcoming onboard Mozilla, the “champions of the open web, open standards, not to mention open source”. The Matrix protocol is currently using the “riot.im” interface, which is hindering its appeal to the masses. Hence the introduction of Mozilla will be crucial for its development.

If anyone asks what is the safest way to communicate, or which is the safest communications apps these days – like “Is Telegram still safe?” – the Matrix protocol is probably the answer going forward.

Shhh… Duncan Campbell – Global Spying Program ECHELON & the Decades-long Cosy NSA-GCHQ Relationship

(Above) Photo Credit: The Intercept

DuncanCampbell-ABCcase

Above photo: From left to right Duncan Campbell, Crispin Aubrey and John Berry in the ‘ABC’ case (Source: The Intercept – ANL/Re/REX Shutterstock)

The Register: Special Report Duncan Campbell has spent decades unmasking Britain’s super-secretive GCHQ, its spying programmes, and its cosy relationship with America’s NSA. Today, he retells his life’s work exposing the government’s over-reaching surveillance, and reveals documents from the leaked Snowden files confirming the history of the fearsome ECHELON intercept project. This story is also published simultaneously today by The Intercept, as is – at long last – Duncan’s Register Christmas Lecture from last year.

Find out more on this insightful article printed by The Intercept and The Register.

Shhh… Spies Vs Silicon Valley

Check out the following Guardian article:

Spies helped build Silicon Valley. Now the tables are turning

David Cameron wants US tech sector companies to do more to fight terrorism. But they’ve grown too powerful to listen

Gordon Corera
Wednesday 29 July 2015

If you want to understand how modern British and American intelligence services operate, you could do worse than visit the new exhibition that opens at Bletchley Park this week. It tells the story of code-breaking in the first world war, which paved the way not just for the better-known success story of world war two, but also GCHQ and the NSA’s modern day bulk interception.

A century ago, just as today, intelligence services and network providers used to enjoy a symbiotic relationship. Britain, for example, exploited its dominance of the telegraph system to spy after its companies had built an imperial web of cables that wrapped itself around the world. Britain’s first offensive act of the conflict was to cut Germany’s own undersea cables and install “secret censors” in British company offices around the world that looked out for enemy communications. A staggering 80m cable messages were subject to “censorship” during the war.

In recent decades the US has enjoyed a similar ability to spy on the world thanks to its role in building the internet – what the NSA called “home field advantage”. This worked via two channels. The first was fibre-optic cables passing through either American or British territory, allowing intelligence agencies to install the modern equivalent of secret censors: computerised black boxes that could filter data to look for emails based on “selectors”. The second channel was Silicon Valley – which had thrived thanks to massive Pentagon and NSA subsidies. People around the world sent their communications and stored their data with American companies, whose business model often involved collecting, analysing and monetising that data. This attracted spies like bears to honey. And so Prism was born – requiring the companies themselves to run selectors across their own data. 45,000 selectors were running in 2012. Put together with cable-tapping, this meant that nearly 90,000 people around the world were being spied on.

Building the internet allowed the US to export its values, import other countries’ information through spying and make a lot of money for American corporations along the way. But the relationships have fractured. The Snowden disclosures were one reason – exposure led tech companies to back away from quiet cooperation and make privacy a selling point (even competing with each other as seen in Apple’s CEO blast against Google recently).

At the same time, Isis’s use of social media has increased the state’s desire to get more from these companies, leading to growing tension. It was notable that David Cameron’s speech on extremism last week singled out tech companies for criticism. When their commercial models are built around tracking our likes and dislikes, why do they say it’s too difficult to help when it comes to the fight against terrorism, the prime minister asked.

A big problem for the spies is that during the first world war the cable companies that helped Britain knew who was boss. Today it is more complex. An angry Mark Zuckerberg of Facebook told President Obama that his administration “blew it” when it tried to defend Prism by saying it was only used to spy on foreigners. After all, most of Facebook and Silicon Valley’s customers are foreigners.

The British government criticised Facebook for not spotting private messages from one of the men who went on to kill Lee Rigby. This is the kind of thing Cameron wants the companies to do more on. But whose job is it to spy? The companies are nervous of signing up to a system in which it is their job to scan their customers’ data and proactively report suspicious content, effectively outsourcing the act of spying (and not just the collection of data) to the private sector. Such a deal, tech companies fear, could set a dangerous precedent: if you help Britain when it comes to national security, what do you do when China or Russia come knocking?

On his first day as director of GCHQ, Robert Hannigan launched a volley against Silicon Valley, accusing it of acting as “command and control” for groups like Isis. But since then, the tone has been more conciliatory. What Hannigan may have realised is that companies have the upper hand, partly because the data is with US companies that are subject to US laws. To avoid the Russia and China issue, they assert their co-operation is voluntary and there is not much the British state can do about it.

It was notable that in his speech, Cameron didn’t threaten new legislation. Why? Because he knows that power relations between governments and corporations have shifted since the first world war: modern tech firms are too big to be pushed around.

If they have a vulnerability, it’s their dependence on customers: verbal volleys from politicians and spies are a sign that the real battleground is now public opinion. Companies are gambling that focusing on privacy will win them the trust of the public, while governments in London and Washington are hoping that talking about terrorism will pressure companies to cooperate more. Who wins this tug of war may depend on events that neither party can control, including the prevalence of terrorist attacks. Whatever the case, the old alliance between Silicon Valley and the spies is no more.

Shhh… Hacked By Your Cyber-security Firm?

(Above) Photo credit: Hacked.com

Do you still have faith in cyber-security firms – recall the recent story about the Hacking Team?

Consider this: A Cyber-security firm known as Tiversa scams potential and ex-clients into memberships by hacking into their servers as a scare tactic to increase profits for Tiversa. Tiversa was brought before the Washington D.C. courthouse in May to explain their scam.

Shhh… FBI, DEA & US Army Bought Italian Spyware

Find out more from The Intercept article below:

Leaked Documents Show FBI, DEA and U.S. Army Buying Italian Spyware

By Cora Currier and Morgan Marquis-Boire @coracurrier@headhntr

The FBI, Drug Enforcement Administration and U.S. Army have all bought controversial software that allows users to take remote control of suspects’ computers, recording their calls, emails, keystrokes and even activating their cameras, according to internal documents hacked from the software’s Italian manufacturer.

The company, Hacking Team, has also been aggressively marketing the software to other U.S. law enforcement and intelligence agencies, demonstrating their products to district attorneys in New York, San Bernardino, California, and Maricopa, Arizona; and multi-agency task forces like the Metropolitan Bureau of Investigation in Florida and California’s Regional Enforcement Allied Computer Team. The company was also in conversation with various other agencies, including the CIA, the Pentagon’s Criminal Investigative Service, the New York Police Department, and Immigrations and Customs Enforcement.

The revelations come from hundreds of gigabytes of company information, including emails and financial records, which were released online Sunday night and analyzed by The Intercept. Milan-based Hacking Team is one of a handful of companies that sell off-the-shelf spyware for hundreds of thousands of euros — a price point accessible to smaller countries and large police forces. Hacking Team has drawn fire from human rights and privacy activists who contend that the company’s aggressive malware, known as Remote Control System, or RCS, is being sold to countries that deploy it against activists, political opponents and journalists.

Even in the U.S., where the software would presumably be used only with a judge’s approval, the tactic is still controversial. Just last month, Sen. Chuck Grassley, R-Iowa, wrote to the director of the FBI asking for “more specific information about the FBI’s current use of spyware,” in order for the Senate Judiciary Committee to evaluate “serious privacy concerns.”

The leaked emails show that the FBI has been using Hacking Team’s software since 2011, apparently for the secretive Remote Operations Unit. It’s long been reported that the FBI has deployed malware in investigations, but details on the agency’s efforts are thin, with the tactic only surfacing rarely in court cases — such as one instance last year when the FBI spoofed an Associated Press article to get a target to click on a link. The FBI reportedly develops its own malware and also buys pre-packaged products, but the relationship with Hacking Team has not been previously confirmed.

Hacking Team’s spokesperson, Eric Rabe, said in a statement that “we do not disclose the names or locations of our clients” and “we cannot comment on the validity of documents purportedly from our company.”

The director of the Metropolitan Bureau of Investigation in Florida told The Intercept that it “does not have plans to purchase any product from Hacking Team.” The Manhattan District Attorney’s office said, “It would be an overstatement to say that our office is planning to purchase this type of software. This company is one of several in the industry whom we’ve requested meetings with in order to keep pace with rapid technological advancements in the private sector.”

The CIA declined to comment, and ICE said it “does not discuss law enforcement tools and techniques.” (The Intercept will update this story if other agencies named in the documents respond to requests for comment.)

The leaked emails show that U.S. agencies worried about the legality and perception of Hacking Team’s tools.

Hacking Team refers to its U.S. clients by code names. The FBI unit is “Phoebe” (initially “f-client,” but one employee complained “it sounds like an antivirus),” the DEA is “Katie,” and the CIA, which appears to have sampled, but not bought Remote Control System, is “Marianne.”

In 2011, a representative of the DEA’s Office of Investigative Technology told Hacking Team that its budget request for Remote Control System had been denied because it was considered “too controversial,” according to an email. “We are working on the foreign angle,” the DEA said, according to Hacking Team’s U.S. account manager.

“I imagine Katie [DEA] is referring to the fact that they as the DEA could buy RCS for other countries (Colombia) where it’s less problematic to use it,” an employee replied in Italian.

The purchase did go through in 2012, and it appears to have been used mainly in conjunction with Colombian law enforcement. As one email explained, “Katie will be administrator of the system, while the locals will be collecting the data. They are saying if this works out, they will bring it to other countries around the world. Already they are speaking of El Salvador and Chile.”

Robotec, a company that manages Hacking Team’s sales to several Latin American countries, also mentions clients in Colombia using DEA funding.

Local police in the U.S. also had their worries. Florida law enforcement told Hacking Team this year that the software could create legal problems without the ability to have “‘minimization’ of the calls and messages — (ie. deleting portions which are not relevant to the search.)”

In 2013, San Bernardino’s district attorney wanted to go to a judge to obtain a warrant targeting a “known bad guy” even for a trial run of the software. “If the systems [sic] proves itself in this live trial, and the judge is convinced of both its value and proper protection of privacy, they would then move into the purchase phase,” one of Hacking Team’s U.S. business partners, from the security giant SS8, explained.

“One of the concerns of this segment is that the HT product is ‘too powerful,’” Fred D’Alessio, who sits on the board of SS8 and is identified on LinkedIn as a senior advisor to Hacking Team, wrote about local agencies. “They have also said, their biggest challenge is ‘getting the lawyers and the District Attorneys to agree on what they can do legally.”

Hacking Team’s FBI contacts worried that the spread of Hacking Team software around the country could cause word to get out (as has happened with technology like Stingrays, the devices that police use to track cell phone location.) “If San Bernardino gets exposed, they might also expose Phoebe,” Hacking Team’s U.S. point man, Alex Velasco, wrote in September 2013.

The FBI’s use of Hacking Team’s software also informs the public debate about the growing use of encryption to protect Internet communications. FBI and other top U.S. law enforcement officials have been calling for a law that would provide for a “backdoor” into commercial encryption technologies — something privacy advocates and many cybersecurity researchers see as a undermining Internet security.

Hacking Team claims that its software offers a way around encryption, obviating the need for a backdoor. Vincenzetti regularly sends out articles about the encryption debate to his email list with a plug for Remote Control System. Last February, he wrote that law enforcement and security agencies could use “technologies to ACCESS THE DATA they need IN CLEARTEXT, BEFORE it gets encrypted by the device and sent to the network and AFTER it is received from the network and decrypted by the device itself. Actually THIS IS precisely WHAT WE DO.”

The Buyers

The push into the local district attorney market, for which the company considered San Bernardino a pilot, appears to have been facilitated by SS8, a massive California-based security company that markets to law enforcement agencies in the United States and abroad. (Rabe denied that SS8 is working with Hacking Team, despite emails between the companies.) The local market could be lucrative: a budget for the district attorney in New York that Hacking Team proposed in April totaled $760,000 in upfront license fees, and another $382,000 in services and maintenance.

“As with so many other surveillance technologies that were originally created for the military and intelligence community, they eventually trickle down to local law enforcement who start using them without seeking the approval of legislators — and, in many cases, keeping the courts in the dark too,” said Christopher Soghoian, principal technologist of the American Civil Liberties Union.

The DEA, FBI and Army bought Hacking Team’s software through a company called Cicom, which for several years served as a middleman for Hacking Team’s U.S. business. The DEA and Army contracts to buy Remote Control System through Cicom were first revealed by the advocacy group Privacy International this spring. Reporters noted that Cicom shared the same corporate address in the United States as Hacking Team, but when asked about the connection by Ars Technica, Hacking Team’s U.S. spokesperson Eric Rabe said, “I cannot confirm any relationship between the company Cicom and Hacking Team.”

Alex Velasco, Cicom’s general manager, has in fact been a consultant under contract to represent Hacking Team to clients in North America since 2012, company emails show. The relationship ended in March, after Hacking Team accused Velasco of scheming to market competing products, according to an internal investigation commissioned by Hacking Team. Velasco declined to comment to The Intercept on the allegations, because he is in legal proceedings with Hacking Team.

Hacking Team was also in talks in 2014 with the FBI’s National Domestic Communications Assistance Center, a secretive unit formed in 2012 and focused on interception technologies. Velasco claims in an email that the group came to them after Citizen Lab, a research group at the University of Toronto focused on Internet technology and human rights, published a highly critical report on Hacking Team’s global sales. “If anything good came out of the Citizen lab articles is that it brought them to contact us to see if it was true,” he wrote. “Thank you Citizen Lab!!”

It’s not clear from Hacking Team emails what Army component bought an RCS system in 2011, but it was based at Fort Meade and apparently sat unused for years. According to a 2013 email from Velasco, “they purchased a system right before they got their budget cut…They were never given permission to pull an internet line to their office to install the system. (ridiculous but true!)”

Hacking Team was in the midst of negotiations for a new FBI contract from Cicom after Velasco’s firing, but the agency decided to go with another vendor due to budget timing issues, according to an email from Phillipe Vinci, Hacking Team’s vice president for business development. Besides, the product was “seen as a ‘nice to have’ by FBI,” but “they confessed they were using it for low level types of investigations. For critical operations, they were using another platform,” wrote Vinci. He said the FBI wanted more ability to go after users of Tor, the anonymizing web browser; those users accounted for 60 percent of its targets.

But Hacking Team appeared determined to continue its conquest of the U.S. market.

“There will be a process to have ‘HT Usa Inc.’ accredited,” wrote operations manager Daniele Milan. He pledged to stay in touch with the FBI, marketing new features, and identifying problems “to resolve for them (in exchange for $$$).”

While Hacking Team’s emails reveal the company to be stringent about selling only to governments, the company officials appear to worry less about how its technology is used once it gets to those customers. Responding to concerns raised by the district attorney of New York in 2013, Hacking Team’s chief operating officer Giancarlo Russo wrote that “all the consideration regarding the ‘legal framework’ cannot be addressed by us.”

Instead, he was more concerned about local customers’ ability to use the product effectively. “If you buy a Ferrari… they can teach you how to drive. They cannot grant you will be the winner of the race,” he wrote to his colleagues in English. “If Beretta sell you a gun, the most peculiar and sophisticated one, they can teach how to use it. They can not grant you are going to shoot your target properly on the field.”

–– Sheelagh McNeill contributed research to this report.

Shhh… Snowden Supports Apple’s Public Stance On Privacy

Edward Snowden Supports Apple’s Public Stance On Privacy

by Josh Constine (@joshconstine)

Edward Snowden says we should support Apple’s newly emphasized commitment to privacy rather than a business model driven by personal data collection, whether or not Tim Cook is being genuine. Snowden spoke over video conference during the Challenge.rs conference in Barcelona today.

I asked Snowden his thoughts on Cook’s recent acceptance speech for an Electronic Privacy Information Center award, saying:

CEO Tim Cook recently took a stand on privacy and Apple’s business, saying “some of the most prominent and successful companies have built their businesses by lulling their customers into complacency about their personal information. They’re gobbling up everything they can learn about you and trying to monetize it. We think that’s wrong. And it’s not the kind of company that Apple wants to be.”

Do you think Cook’s perspective genuine and honest, and how do you think it will play out long-term with regards to it hurting or helping Apple’s business, or whether Apple will keep this promise to privacy?

Snowden responded:

I think in the current situation, it doesn’t matter if he’s being honest or dishonest. What really matters is that he’s obviously got a commercial incentive to differentiate himself from competitors like Google. But if he does that, if he directs Apple’s business model to be different, to say “we’re not in the business of collecting and selling information. We’re in the business of creating and selling devices that are superior”, then that’s a good thing for privacy. That’s a good thing for customers.

And we should support vendors who are willing to innovate. Who are willing to take positions like that, and go “You know, just because it’s popular to collect everybody’s information and resell it..to advertisers and whatever, it’s going to serve our reputation, it’s going to serve our relationship with our customers, and it’s going to serve society better. If instead we just align ourselves with our customers and what they really want, if we can outcompete people on the value of our products without needing to subsidize that by information that we’ve basically stolen from our customers, that’s absolutely something that should be supported. And regardless of whether it’s honest or dishonest, for the moment, now, that’s something we should support, that’s something we should incentivize, and it’s actually something we should emulate.

And if that position comes to be reversed in the future, I think that should be a much bigger hammer that comes against Apple because then that’s a betrayal of trust, that’s a betrayal of a promise to its customers. But I would like to think that based on the leadership that Tim Cook has shown on this position so far, he’s spoken very passionately about private issues, that we’re going to see that continue and he’ll keep those promises.

It’s reasonable to wonder how much of Cook’s chest-beating on privacy is philosophy and how much is marketing. Since the iCloud celebrity photo hack last year, we’ve written about how Apple needs to be more transparent about security and privacy. Snowden seems to agree it could benefit the company as well as society.

Apple’s steps in that direction through press releases and public appearances by Cook have been positively received. They resonate especially well with the public in contrast to other tech giants like Google and Facebook that are aggressively collecting private personal data, and the widespread security breaches of big brands.

Yet while people frequently say privacy is important to them, their unwillingness to stray from products that rely on mining their data seems to suggest otherwise. We’re just at the start of the age of personalized computing, and those that embrace it may get an advantage in the market.

Apple is experimenting with ways to personalize with privacy in mind. Its new Proactive update to Siri scans your email to remind you about events, but only does this on your device rather than copying your data to its servers for processing. To keep up while remaining true to its ideals, Apple will need more creative solutions like this to deliver convenience without being creepy.

Shhh… The Internet of Things – Google's New Patent for a Creepy Wi-fi Connected Toy

Google snooping on your web browsing or email may now be the least of your worries.

Late last week, it became known that Google has filed its creepiest patents yet – for a toy that can control other Wi-fi connected devices. Well for starters, just imagine this: If that toy senses you’re looking at it, it will rotate its head and look back at you…

Shhh… Spy Game: The Thais, the Israelis & the Wiretapping Devices

Perhaps the Thai army (see story below) felt insulted being left out of the spy game…?

ThaiArmy


Army interrupts Israeli demonstration of wiretapping devices to Special Branch Bureau

May 8, 2015 12:24 pm

BANGKOK: A group of soldiers today raided the meeting room of the Special Branch Bureau and detained nine Israeli technicians and staff while they were demonstrating electronic wire tapping devices to special branch police.

But after the interruption of the planned demonstration by soldiers from the Second Calvary Division of the First Army Region, Royal Thai Police commissioner Pol Gen Somyot Phumphanmuang came out to defend the demonstration saying it was merely a misunderstanding caused by misinformation.

The commissioner said the Royal Thai Police and the Special Branch Bureau have been allocated budget from the government to procure wiretapping devices for use.

He said an Israeli supplier has approached the Royal Thai Police and scheduled today to demonstrate its devices.

However he said as the Army has learned of the Israeli approach, it then asked the firm to explain whether these electronic devices have been granted import permission legitimately or not.

He said the soldiers then invited the Israeli technicians and staff to their office for clarification and to display import documents.

He said the Israeli firm has insisted all its devices have been imported for demonstration legally.

Pol Gen Somyot said an Army colonel had phoned him saying he suspected some devices might be illegally smuggled into the country and sought his permission to interrupt the demonstration.

The commissioner recalled he immediately rang the First Army Region commander and the commander of the Second Calvary Division and also explained to the Israeli technicians of the Army’s request and the firm agreed to cooperate.

Pol Gen Somyot added it happened because of misunderstanding and he would ask the firm to return again for demonstration.

Shhh… Spy On Spies – A New Breed of Spies

Here’s an interesting story:


Meet the privacy activists who spy on the surveillance industry

by Daniel Rivero | April 6, 2015

LONDON– On the second floor of a narrow brick building in the London Borough of Islington, Edin Omanovic is busy creating a fake company. He is playing with the invented company’s business cards in a graphic design program, darkening the reds, bolding the blacks, and testing fonts to strike the right tone: informational, ambiguous, no bells and whistles. In a separate window, a barren website is starting to take shape. Omanovic, a tall, slender Bosnian-born, Scottish-raised Londonite gives the company a fake address that forwards to his real office, and plops in a red and black company logo he just created. The privacy activist doesn’t plan to scam anyone out of money, though he does want to learn their secrets. Ultimately, he hopes that the business cards combined with a suit and a close-cropped haircut will grant him access to a surveillance industry trade show, a privilege usually restricted to government officials and law enforcement agencies.

Once he’s infiltrated the trade show, he’ll pose as an industry insider, chatting up company representatives, swapping business cards, and picking up shiny brochures that advertise the invasive capabilities of bleeding-edge surveillance technology. Few of the features are ever marketed or revealed openly to the general public, and if the group didn’t go through the pains of going undercover, it wouldn’t know the lengths to which law enforcement and the intelligence community are going to keep tabs on their citizens.

“I don’t know when we’ll get to use this [company], but we need a lot of these to do our research,” Omanovic tells me. (He asked Fusion not to reveal the name of the company in order to not blow its cover.)

The strange tactic– hacking into an expo in order to come into close proximity with government hackers and monitors– is a regular part of operations at Privacy International, a London-based anti-surveillance advocacy group founded 25 years ago. Omanovic is one of a few activists for the group who goes undercover to collect the surveillance promotional documents.

“At last count we had about 1,400 files,” Matt Rice, PI’s Scottish-born advocacy officer says while sifting through a file cabinet full of the brochures. “[The files] help us understand what these companies are capable of, and what’s being sold around the world,” he says. The brochures vary in scope and claims. Some showcase cell site simulators, commonly called Stingrays, which allow police to intercept cell phone activity within a certain area. Others provide details about Finfisher– surveillance software that is marketed exclusively to governments, which allows officials to put spyware on a target’s home computer or mobile device to watch their Skype calls, Facebook and email activity.

The technology buyers at these conferences are the usual suspects — the Federal Bureau of Investigation (FBI), the UK’s Government Communications Headquarters (GCHQ), and the Australian Secret Intelligence Service– but also representatives of repressive regimes —Bahrain, Sudan, pre-revolutionary Libya– as the group has revealed in attendees lists it has surfaced.

At times, companies’ claims can raise eyebrows. One brochure shows a soldier, draped in fatigues, holding a portable device up to the faces of a somber group of Arabs. “Innocent civilian or insurgent?,” the pamphlet asks.

“Not certain?”

“Our systems are.”

The treasure trove of compiled documents was available as an online database, but PI recently took it offline, saying the website had security vulnerabilities that could have compromised information of anyone who wanted to donate to the organization online. They are building a new one. The group hopes that the exposure of what Western companies are selling to foreign governments will help the organization achieve its larger goal: ending the sale of hardware and software to governments that use it to monitor their populations in ways that violate basic privacy rights.

The group acknowledges that it might seem they are taking an extremist position when it comes to privacy, but “we’re not against surveillance,” Michael Rispoli, head of PI’s communications, tells me. “Governments need to keep people safe, whether it’s from criminals or terrorists or what it may be, but surveillance needs to be done in accordance with human rights, and in accordance with the rule of law.”

The group is waging its fight in courtrooms. In February of last year, it filed a criminal complaint to the UK’s National Cyber Crime Unit of the National Crime Agency, asking it to investigate British technology allegedly used repeatedly by the Ethiopian government to intercept the communications of an Ethiopian national. Even after Tadesse Kersmo applied for– and was granted– asylum in the UK on the basis of being a political refugee, the Ethiopian government kept electronically spying on him, the group says, using technology from British firm Gamma International. The group currently has six lawsuits in action, mostly taking on large, yet opaque surveillance companies and the British government. Gamma International did not respond to Fusion’s request for comment on the lawsuit, which alleges that exporting the software to Ethiopian authorities means the company assisted in illegal electronic spying.

“The irony that he was given refugee status here, while a British company is facilitating intrusions into his basic right to privacy isn’t just ironic, it’s wrong,” Rispoli says. “It’s so obvious that there should be laws in place to prevent it.”

PI says it has uncovered other questionable business relationships between oppressive regimes and technology companies based in other Western countries. An investigative report the group put out a few months ago on surveillance in Central Asia said that British and Swiss companies, along with Israeli and Israeli-American companies with close ties to the Israeli military, are providing surveillance infrastructure and technical support to countries like Turkmenistan and Uzbekistan– some of the worst-ranking countries in the world when it comes to freedom of speech, according to Freedom House. Only North Korea ranks lower than them.

PI says it used confidential sources, whose accounts have been corroborated, to reach those conclusions.

Not only are these companies complicit in human rights violations, the Central Asia report alleges, but they know they are. Fusion reached out to the companies named in the report, NICE Systems (Israel), Verint Israel (U.S./ Israel), Gamma (UK), or Dreamlab (Switzerland), and none have responded to repeated requests for comment.

The report is a “blueprint” for the future of the organization’s output, says Rice, the advocacy officer. “It’s the first time we’ve done something that really looks at the infrastructure, the laws, and putting it all together to get a view on how the system actually works in a country, or even a whole region,” says Rice.

“What we can do is take that [report], and have specific findings and testimonials to present to companies, to different bodies and parliamentarians, and say this is why we need these things addressed,” adds Omanovic, the researcher and fake company designer.

The tactic is starting to show signs of progress, he says. One afternoon, Omanovic was huddled over a table in the back room, taking part in what looked like an intense conference call. “European Commission,” he says afterwards. The Commission has been looking at surveillance exports since it was revealed that Egypt, Tunisia, and Bahrain were using European tech to crack down on protesters during the Arab Spring, he added. Now, PI is consulting with some members, and together they “hope to bring in a regulation specifically on this subject by year’s end.”

***

Privacy International has come a long way from the “sterile bar of an anonymous business hotel in Luxembourg,” where founder Simon Davies, then a lone wolf privacy campaigner, hosted its first meeting with a handful of people 25 years ago. In a blog post commemorating that anniversary, Davies (who left the organization about five years ago) described the general state of privacy advocacy when that first meeting was held:

“Those were strange times. Privacy was an arcane subject that was on very few radar screens. The Internet had barely emerged, digital telephony was just beginning, the NSA was just a conspiracy theory and email was almost non-existent (we called it electronic mail back then). We communicated by fax machines, snail mail – and through actual real face to face meetings that you travelled thousands of miles to attend.”

Immediately, there were disagreements about the scope of issues the organization should focus on, as detailed in the group’s first report, filed in 1991. Some of the group’s 120-odd loosely affiliated members and advisors wanted the organization to focus on small privacy flare-ups; others wanted it to take on huge, international privacy policies, from “transborder data flows” to medical research. Disputes arose as to what “privacy” actually meant at the time. It took years for the group to narrow down the scope of its mandate to something manageable and coherent.

Gus Hosein, current executive director, describes the 90’s as a time when the organization “just knew that it was fighting against something.” He became part of the loose collective in 1996, three days after moving to the UK from New Haven, Connecticut, thanks to a chance encounter with Davies at the London Economics School. For the first thirteen years he worked with PI, he says, the group’s headquarters was the school pub.

They were fighting then some of the same battles that are back in the news cycle today, such as the U.S. government wanting to ban encryption, calling it a tool for criminals to hide their communications from law enforcement. “[We were] fighting against the Clinton Administration and its cryptography policy, fighting against new intersections of law, or proposals in countries X, Y and Z, and almost every day you would find something to fight around,” he says.

Just as privacy issues stemming from the dot com boom were starting to stabilize, 9/11 happened. That’s when Hosein says “the shit hit the fan.”

In the immediate wake of that tragedy, Washington pushed through the Patriot Act and the Aviation and Transportation Security Act, setting an international precedent of invasive pat-downs and extensive monitoring in the name of anti-terrorism. Hosein, being an American, followed the laws closely, and the group started issuing criticism of what it considered unreasonable searches. In the UK, a public debate about issuing national identification cards sprung up. PI fought it vehemently.

“All of a sudden we’re being called upon to respond to core policy-making in Western governments, so whereas policy and surveillance were often left to some tech expert within the Department of Justice or whatever, now it had gone to mainstream policy,” he says. “We were overwhelmed because we were still just a ragtag bunch of people trying to fight fights without funding, and we were taking on the might of the executive arm of government.”

The era was marked by a collective struggle to catch up. “I don’t think anyone had any real successes in that era,” Hosein says.

But around 2008, the group’s advocacy work in India, Thailand and the Philippines started to gain the attention of donors, and the team decided it was time to organize. The three staff members then started the formal process of becoming a charity, after being registered as a corporation for ten years. By the time it got its first office in 2011 (around the time its founder, Davies, walked away to pursue other ventures) the Arab Spring was dominating international headlines.

“With the Arab Spring and the rise of attention to human rights and technology, that’s when PI actually started to realize our vision, and become an organization that could grow,” Hosein says. “Four years ago we had three employees, and now we have 16 people,” he says with a hint of pride.

***

“This is a real vindication for [Edward] Snowden,” Eric King, PI’s deputy director says about one of the organization’s recent legal victories over the UK’s foremost digital spy agency, known as the Government Communications Headquarters or GCHQ.

PI used the documents made public by Snowden to get the British court that oversees GCHQ to determine that all intelligence sharing between GCHQ and the National Security Administration (NSA) was illegal up until December 2014. Ironically, the court went on to say that the sharing was only illegal because of lack of public disclosure of the program. Now that details of the program were made public thanks to the lawsuit, the court said, the operation is now legal and GCHQ can keep doing what it was doing.

“It’s like they’re creating the law on the fly,” King says. “[The UK government] is knowingly breaking the law and then retroactively justifying themselves. Even though we got the court to admit this whole program was illegal, the things they’re saying now are wholly inadequate to protect our privacy in this country.”

Nevertheless, it was a “highly significant ruling,” says Elizabeth Knight, Legal Director of fellow UK-based civil liberties organization Open Rights Group. “It was the first time the [courts have] found the UK’s intelligence services to be in breach of human rights law,” she says. “The ruling is a welcome first step towards demonstrating that the UK government’s surveillance practices breach human rights law.”

In an email, a GCHQ spokesperson downplayed the significance of the ruling, saying that PI only won the case in one respect: on a “transparency issue,” rather than on the substance of the data sharing program. “The rulings re-affirm that the processes and safeguards within these regimes were fully adequate at all times, so we have not therefore needed to make any changes to policy or practice as a result of the judgement,” the spokesperson says.

Before coming on board four years ago, King, a 25-year old Wales native, worked at Reprieve, a non-profit that provides legal support to prisoners. Some of its clients are at Guantanamo Bay and other off-the-grid prisons, something that made him mindful of security concerns when the group was communicating with clients. King worried that every time he made a call to his clients, they were being monitored. “No one could answer those questions, and that’s what got me going on this,” says King.

Right now, he tells me, most of the group’s legal actions have to do with fighting the “Five Eyes”– the nickname given to the intertwined intelligence networks of the UK, Canada, the US, Australia and New Zealand. One of the campaigns, stemming from the lawsuit against GCHQ that established a need for transparency, is asking GCHQ to confirm if the agency illegally collected information about the people who signed a “Did the GCHQ Illegally Spy On You?” petition. So far, 10,000 people have signed up to be told whether their communications or online activity were collected by the UK spy agency when it conducted mass surveillance of the Internet. If a court actually forces GCHQ to confirm whether those individuals were spied on, PI will then ask that all retrieved data be deleted from the database.

“It’s such an important campaign not only because people have the right to know, but it’s going to bring it home to people and politicians that regular, everyday people are caught up in this international scandal,” King says. “You don’t even have to be British to be caught up in it. People all over the world are being tracked in that program.”

Eerke Boiten, a senior lecturer at the interdisciplinary Cyber Security Centre at the University of Kent, says that considering recent legal victories, he can’t write off the effort, even if he would have dismissed it just a year ago.

“We have now finally seen some breakthroughs in transparency in response to Snowden, and the sense that intelligence oversight needs an overhaul is increasing,” he wrote in an email to me. “So although the [British government] will do its best to shore up the GCHQ legal position to ensure it doesn’t need to respond to this, their job will be harder than before.”

“Privacy International have a recent record of pushing the right legal buttons,” he says. “They may win again.”

A GCHQ spokesperson says that the agency will “of course comply with any direction or order” a court might give it, stemming from the campaign.

King is also the head of PI’s research arm– organizing in-depth investigations into national surveillance ecosystems, in tandem with partner groups in countries around the world. The partners hail from places as disparate as Kenya and Mexico. One recently released report features testimonials from people who reported being heavily surveilled in Morocco. Another coming out of Colombia will be more of an “exposé,” with previously unreported details on surveillance in that country, he says.

And then there’s the stuff that King pioneered: the method of sneaking into industry conferences by using a shadow company. He developed the technique Omanovic is using. King can’t go to the conferences undercover anymore because his face is now too well known. When asked why he started sneaking into the shows, he says: “Law enforcement doesn’t like talking about [surveillance]. Governments don’t talk about it. And for the most part our engagement with companies is limited to when we sue them,” he laughs.

When it comes to the surveillance field, you would be hard pressed to find a company that does exactly what it says it does, King tells me. So when he or someone else at PI sets up a fake company, they expect to get about as much scrutiny as the next ambiguous, potentially official organization that lines up behind them.

Collectively, PI has been blacklisted and been led out of a few conferences over the past four years they have been doing this, he estimates.

“If we have to navigate some spooky places to get what we need, then that’s what we’ll do,” he says. Sometimes you have to walk through a dark room to turn on a light. Privacy International sees a world with a lot of dark rooms.

“Being shadowy is acceptable in this world.”

Shhh… The "Secret" App – Parents Should Beware How Kids Are Keeping & Sharing Secrets Through Anonymous Posts that Aren't Really Anonymous

This is one app all parents should be aware of. The Secrets app is the cyberspace where kids make their confessions and share their best kept secrets and the nightmare is, their supposedly anonymous postings were highly vulnerable after all.

Shhh… The Why's, How's and What's of Hacks into Health Insurance Companies Like Anthem and Premera

It should come as no surprise that health insurance companies store lots, lots more sensitive and personal information about their clients than banks and credit card companies and it certainly doesn’t help when they were not taking cybersecurity seriously, as the recent hacks on Anthem and Premera (article below) have highlighted.

And what’s going to happen to these clients following the (Anthem and Premera) hacks? Watch the video clips below.

The disturbing truth behind the Premera, Anthem attacks

March 24, 2015 | By Dan Bowman

As details continue to emerge following the recent hack attacks on payers Anthem and Premera–in which information for close to 90 million consumers combined may have been put at risk–perhaps the most disturbing revelation of all is that, in both instances, neither entity appears to truly take security seriously.

Premera, for instance, knew three weeks prior to the initial penetration of its systems in May 2014 that network security issues loomed large. A report sent by the U.S. Office of Personnel Management’s Office of Inspector General detailed several vulnerabilities, including a lack of timely patch implementations and insecure server configurations.

The findings were so bad, they prompted OPM to warn Premera, “failiure to promptly install important updates increases the risk that vulnerabilities will not be remediated and sensitive data could be breached.” In addition, OPM told the Mountlake Terrace, Washington-based insurer that failure to remove outdated software would increase the risk of a successful malicious attack on its information systems.

“Promptly” to Premera apparently meant eight months down the road. And one month after its self-imposed Dec. 31, 2014, deadline to resolve its issues, guess what the payer found?

Just imagine how much damage could have been spared had Premera acted with more haste.

In Anthem’s case, negligence continues to persist. The nation’s second-largest payer has refused to allow a federal watchdog agency to perform vulnerability scans and compliance tests on its systems in the wake of its massive hack attack. It also prevented auditors from adequately testing whether it appropriately secured its computer information systems during a 2013 audit, citing corporate policy prohibiting external entities from connecting to the Anthem network.

Corporate policy is all well and good, but it’s not going to mean squat to a consumer two years from now when Anthem’s complimentary credit monitoring wears off and the hackers begin wading through the treasure trove of stolen information. As one of those consumers, it would be nice to hear Anthem take the advice Shaun Greene, chief operating officer of Salt Lake City-based Arches Health Plan, who told my colleague Brian Eastwood last month that payers should hire third parties to conduct HIPAA risk assessments.

“That way, you avoid internal posturing and receive objective feedback,” Greene said.

Following last summer’s massive Community Health Systems breach–and on the heels of other high-profile cybersecurity attacks–it appeared earlier this year that the healthcare industry was finally starting to truly prioritize information protection.

That’s not to say that the majority of the industry doesn’t take such matters seriously. But it’s disappointing to see that some of its biggest players seem to feel differently. – Dan (@Dan_Bowman and @FierceHealthIT)

Shhh… The USB-C Makes those new MacBooks More Vulnerable

You may want to think twice about the new MacBook.

Apple may have ideas about its newly introduced USB-C but widely reported vulnerabilities of USB devices amplify big troubles ahead, as the following article explains.

MacBookAir-USB-c2

The NSA Is Going to Love These USB-C Charging Cables

Mario Aguilar
3/17/15 12:35pm

Thanks to Apple’s new MacBook and Google’s new Chromebook Pixel, USB-C has arrived. A single flavor of cable for all your charging and connectivity needs? Hell yes. But that convenience doesn’t come without a cost; our computers will be more vulnerable than ever to malware attacks, from hackers and surveillance agencies alike.

The trouble with USB-C stems from the fact that the USB standard isn’t very secure. Last year, researchers wrote a piece of malware called BadUSB which attaches to your computer using USB devices like phone chargers or thumb drives. Once connected, the malware basically takes over a computer imperceptibly. The scariest part is that the malware is written directly to the USB controller chip’s firmware, which means that it’s virtually undetectable and so far, unfixable.

Before USB-C, there was a way to keep yourself somewhat safe. As long as you kept tabs on your cables, and never stuck random USB sticks into your computer, you could theoretically keep it clean. But as The Verge points out, the BadUSB vulnerability still hasn’t been fixed in USB-C, and now the insecure port is the slot where you connect your power supply. Heck, it’s shaping up to be the slot where you connect everything. You have no choice but to use it every day. Think about how often you’ve borrowed a stranger’s power cable to get charged up. Asking for a charge from a stranger is like having unprotected sex with someone you picked up at the club.

What the Verge fails to mention however, is that it’s potentially much worse than that. If everyone is using the same power charger, it’s not just renegade hackers posing as creative professionals in coffee shops that you need to worry about. With USB-C, the surveillance establishment suddenly has a huge incentive to figure out how to sneak a compromised cable into your power hole.

It might seem alarmist and paranoid to suggest that the NSA would try to sneak a backdoor into charging cables through manufacturers, except that the agency has been busted trying exactly this kind of scheme. Last year, it was revealed that the NSA paid security firm RSA $10 million to leave a backdoor in their encryption unpatched. There’s no telling if or when or how the NSA might try to accomplish something similar with USB-C cables, but it stands to reason they would try.

We live in a world where we plug in with abandon, and USB-C’s flexibility is designed to make plugging in easier than ever. Imagine never needing to guess whether or not your aunt’s house will have a charger for your phone. USB-C could become so common that this isn’t even a question. Of course she has one! With that ubiquity and convenience comes a risk that the tech could become exploited—not just by criminals, but also by the government’s data siphoning machine.

Shhh… Department of the Internet: How the Government Has Taken Over Our Lives

It’s mid-week… thought I should share something light for a change: an alternative comic look into privacy and the government takeover of the internet in our daily lives.

Shhh… What Can You Do If Airport Checkpoints Demand for Your Smartphone Password?

Ever wonder if this could happen to you? A Canadian man was charged for not revealing the password of his smartphone when requested by airport’s border officials.

I wrote in an earlier column about how spies cope with airport security checkpoints but what can you do if you anticipate this (see article below) could happen to you at the airport?

I reckon at the very least, reset the password to your phone before you reached the checkpoint. If your phone has an external SD card, transfer all your files to the card before you remove and replace it with a spare and ideally empty SD card – hide the files-loaded SD card deep inside your hand-carry bag. And bingo if you have a spare or expired SIM card…

You have then done the best you could to preserve your privacy. Good luck.

Quebec resident Alain Philippon to fight charge for not giving up phone password at airport

Whether border officials can force you to provide password hasn’t been tested in Canadian courts

By Jack Julian, CBC News Posted: Mar 04, 2015 9:32 PM AT Last Updated: Mar 05, 2015 2:05 PM AT

A Quebec man charged with obstructing border officials by refusing to give up his smartphone password says he will fight the charge.

The case has raised a new legal question in Canada, a law professor says.

Alain Philippon, 38, of Ste-Anne-des-Plaines, Que., refused to divulge his cellphone password to Canada Border Services Agency during a customs search Monday night at Halifax Stanfield International Airport.

Philippon had arrived in Halifax on a flight from Puerto Plata in the Dominican Republic. He’s been charged under section 153.1 (b) of the Customs Act for hindering or preventing border officers from performing their role under the act.

According to the CBSA, the minimum fine for the offence is $1,000, with a maximum fine of $25,000 and the possibility of a year in jail.

Philippon did not want to be interviewed but said he intends to fight the charge since he considers the information on his phone to be “personal.”

The CBSA wouldn’t say why Philippon was selected for a smartphone search.

In an email, a border services spokesperson wrote, “Officers are trained in examination, investigative and questioning techniques. To divulge our approach may render our techniques ineffective. Officers are trained to look for indicators of deception and use a risk management approach in determining which goods may warrant a closer look.”​

Rob Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University, said that under Canadian law, travellers crossing the Canadian border have a reduced expectation of privacy.

He said border officials have wide-ranging powers to search travellers and their belongings.

“Under the Customs Act, customs officers are allowed to inspect things that you have, that you’re bringing into the country,” he told CBC News. “The term used in the act is ‘goods,’ but that certainly extends to your cellphone, to your tablet, to your computer, pretty much anything you have.”

Philippon has been released on bail, and will return to court in Dartmouth on May 12 for election and plea.


Not tested yet in court

Currie said the issue of whether a traveller must reveal a password to an electronic device at the border hasn’t been tested by a court.

“This is a question that has not been litigated in Canada, whether they can actually demand you to hand over your password to allow them to unlock the device,” he said. “[It’s] one thing for them to inspect it, another thing for them to compel you to help them.”

Currie said the obstruction case hinges on that distinction.

“[It’s] a very interesting one to watch.”

Shhh… Fujitsu Can Detect Faces in Blurred Security Videos

Above photo credit: http://background-kid.com/blurred-people-background.html

Great, now there’s a new technology to get true clear pictures out of blurred CCTV images just when we learned last week that there are gadgets to hide one’s identity from the prying eyes of facial recognition programs like the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System.

Fujitsu, the Japanese multinational information technology equipment and services company, recently said it has invented a new, first of its kind image-processing technology that can detect people from low-resolution imagery and track people in security camera footage, even when the images are heavily blurred to protect privacy. See full story below.

Sad to say, this is probably the easiest, effective and most feasible solution:

FaceMask

Fujitsu tech can track heavily blurred people in security videos

By Tim Hornyak
IDG News Service | March 6, 2015

Fujitsu has developed image-processing technology that can be used to track people in security camera footage, even when the images are heavily blurred to protect their privacy.

Fujitsu Laboratories said its technology is the first of its kind that can detect people from low-resolution imagery in which faces are indistinguishable.

Detecting the movements of people could be useful for retail design, reducing pedestrian congestion in crowded urban areas or improving evacuation routes for emergencies, it said.

Fujitsu used computer-vision algorithms to analyze the imagery and identify the rough shapes, such as heads and torsos, that remain even if the image is heavily pixelated. The system can pick out multiple people in a frame, even if they overlap.

Using multiple camera sources, it can then determine if two given targets are the same person by focusing on the distinctive colors of a person’s clothing.

An indoor test of the system was able to track the paths of 80 percent of test subjects, according to the company. Further details of the trial were not immediately available.

“The technology could be used by a business owner when planning the layout of their next restaurant/shop,” a Fujitsu spokesman said via email. “It would also be used by the operators of a large sporting event during times of heavy foot traffic.”

People-tracking know-how has raised privacy concerns in Japan. Last year, the National Institute of Information and Communications Technology (NICT) was forced to delay and scale down a large, long-term face-recognition study it was planning to carry out at Osaka Station, one of the country’s busiest rail hubs.

The Fujitsu research is being presented to a conference of the Information Processing Society of Japan being held at Tohoku University in northern Japan. The company hopes to improve the accuracy of the system with an aim to commercializing it in the year ending March 31, 2016.

Fujitsu has also been developing retail-oriented technology such as sensors that follow a person’s gaze as he or she looks over merchandise as well as LED lights that can beam product information for smartphones.

Shhh… Security Experts Not Convinced By Gemalto's Swift "Thorough" Investigations into NSA-GCHQ SIM Card Hacks

Gemalto, the world’s largest SIM cards manufacturer that The Intercept reported last week to be hacked by the NSA and GCHQ, putting at risk some two billion SIM cards used in cellphones across the world, has somehow and somewhat concluded its findings after a “thorough” internal investigations in just six days, with assurance that its encryption keys are safe and admitted that the French-Dutch company believes the US and British spy agencies were behind a “particularly sophisticated intrusion” of its internal computer networks, back four-five years ago.

In The Intercept follow-up report (please see further below):

“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union.

Or consider this (below – Source: https://www.youtube.com/watch?v=z0amvXr8BUk )

SIM-Gemalto2

So, time to decide for yourself if you’re convinced and also think of solutions like encrypted communications – and do check out the video clips below:

Gemalto Doesn’t Know What It Doesn’t Know
By Jeremy Scahill
@jeremyscahill

Gemalto, the French-Dutch digital security giant, confirmed that it believes American and British spies were behind a “particularly sophisticated intrusion” of its internal computer networks, as reported by The Intercept last week.

This morning, the company tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.

Gemalto, which is the largest manufacturer of SIM cards in the world, launched an internal investigation after The Intercept six days ago revealed that the NSA and its British counterpart GCHQ hacked the company and cyberstalked its employees. In the secret documents, provided by NSA whistleblower Edward Snowden, the intelligence agencies described a successful effort to obtain secret encryption keys used to protect hundreds of millions of mobile devices across the globe.

The company was eager to address the claims that its systems and encryption keys had been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half billion dollar hit to its market capitalization. The stock only partially recovered in the following days.

After the brief investigation, Gemalto now says that the NSA and GCHQ operations in 2010-2011 would not allow the intelligence agencies to spy on 3G and 4G networks, and that theft would have been rare after 2010, when it deployed a “secure transfer system.” The company also said the spy agency hacks only affected “the outer parts of our networks — our office networks — which are in contact with the outside world.”

Security experts and cryptography specialists immediately challenged Gemalto’s claim to have done a “thorough” investigation into the state-sponsored attack in just six days, saying the company was greatly underestimating the abilities of the NSA and GCHQ to penetrate its systems without leaving detectable traces.

“Gemalto learned about this five-year-old hack by GCHQ when the The Intercept called them up for a comment last week. That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the American Civil Liberties Union. He adds that Gemalto remains “a high-profile target for intelligence agencies.”

Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute, said, “This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all.”

In its statement, Gemalto asserted:

“While the intrusions described above were serious, sophisticated attacks, nothing was detected in other parts of our network. No breaches were found in the infrastructure running our SIM activity or in other parts of the secure network which manage our other products such as banking cards, ID cards or electronic passports. Each of these networks is isolated from one another and they are not connected to external networks.

It is extremely difficult to remotely attack a large number of SIM cards on an individual basis. This fact, combined with the complex architecture of our networks explains why the intelligence services instead, chose to target the data as it was transmitted between suppliers and mobile operators as explained in the documents.”

But security and encryption experts told The Intercept that Gemalto’s statements about its investigation contained a significant error about cellphone technology. The company also made sweeping, overly-optimistic statements about the security and stability of Gemalto’s networks, and dramatically underplayed the significance of the NSA-GCHQ targeting of the company and its employees. “Their ‘investigation’ seem to have consisted of asking their security team which attacks they detected over the past few years. That isn’t much of an investigation, and it certainly won’t reveal successful nation-state attacks,” says the ACLU’s Soghoian.

Security expert Ronald Prins, co-founder of the Dutch firm Fox IT, told The Intercept, “A true forensic investigation in such a complex environment is not possible in this time frame.”

“A damage assessment is more what this looks like,” he added.

In a written presentation of its findings, Gemalto claims that “in the case of an eventual key theft, the intelligence services would only be able to spy on communications on second generation 2G mobile networks. 3G and 4G networks are not vulnerable.” Gemalto also referred to its own “custom algorithms” and other, unspecified additional security mechanisms on top of the 3G and 4G standards.

Green, the Johns Hopkins cryptography specialist, said Gemalto’s claims are flatly incorrect.

“No encryption mechanism stands up to key theft,” Green says, “which means Gemalto is either convinced that the additional keys could not also have been stolen or they’re saying that their mechanisms have some proprietary ‘secret sauce’ and that GCHQ, backed by the resources of NSA, could not have reverse engineered them. That’s a deeply worrying statement.”

“I think you could make that statement against some gang of Internet hackers,” Green adds. “But you don’t get to make it against nation state adversaries. It simply doesn’t have a place in the conversation. They are saying that NSA/GCHQ could not have breached those technologies due to ‘additional encryption’ mechanisms that they don’t specify, and yet here we have evidence that GCHQ and NSA were actively compromising encryption keys.”

In a press conference today in Paris, Gemalto’s CEO, Olivier Piou, said his company will not take legal action against the NSA and GCHQ. “It’s difficult to prove our conclusions legally, so we’re not going to take legal action,” he said. “The history of going after a state shows it is costly, lengthy and rather arbitrary.”

There has been significant commercial pressure and political attention placed on Gemalto since The Intercept’s report. Wireless network providers on multiple continents demanded answers and some, like Deutsche Telekom, took immediate action to change their encryption algorithms on Gemalto-supplied SIM cards. The Australian Privacy Commissioner has launched an investigation and several members of the European Union parliament and Dutch parliament have asked individual governments to launch investigations. German opposition lawmakers say they are initiating a probe into the hack as well.

On Wednesday, Gerard Schouw, a member of the Dutch parliament, submitted formal questions about the Gemalto hack and the findings of the company’s internal investigation to the interior minister. “Will the Minister address this matter with the Ambassadors of the United States and the United Kingdom? If not, why is the Minister not prepared to do so? If so, when will the Minister do this?” Schouw asked. “How does the Minister assess the claim by Gemalto that the attack could only lead to wiretapping 2G-network connections, and that 3G and 4G-type networks are not susceptible to this kind of hacks?”

China Mobile, which uses Gemalto SIM cards, has more wireless network customers than any company in the world. This week it announced it was investigating the breach and the Chinese government said it was “concerned” about the Gemalto hack. “We are opposed to any country attempting to use information technology products to conduct cyber surveillance,” Foreign Ministry spokesman Hong Lei said. “This not only harms the interests of consumers but also undermines users’ confidence.” He did not mention that China itself engages in widespread, state-sponsored hacking.

While Gemalto is clearly trying to calm its investors and customers, security experts say the company’s statements appear intended to reassure the public about the company’s security rather than to demonstrate that it is taking the breach seriously.

The documents published by The Intercept relate to hacks done in 2010 and 2011. The idea that spy agencies are no longer targeting the company — and its competitors — with more sophisticated intrusions, according to Soghoian, is ridiculous. “Gemalto is as much of an interesting target in 2015 as they were in 2010. Gemalto’s security team may want to keep looking, not just for GCHQ and NSA, but also, for the Chinese, Russians and Israelis too,” he said.

Green, the Johns Hopkins cryptographer, says this hack should be “a wake-up call that manufacturers are considered valuable targets by intelligence agencies. There’s a lot of effort in here to minimize and deny the impact of some old attacks, but who cares about old attacks? What I would like to see is some indication that they’re taking this seriously going forward, that they’re hardening their systems and closing any loopholes — because loopholes clearly existed. That would make me enormously more confident than this response.”

Green says that the Gemalto hack evidences a disturbing trend that is on the rise: the targeting of innocent employees of tech firms and the companies themselves. (The same tactic was used by GCHQ in its attack on Belgian telecommunications company Belgacom.)

“Once upon a time we might have believed that corporations like this were not considered valid targets for intelligence agencies, that GCHQ would not go after system administrators and corporations in allied nations. All of those assumptions are out the window, so now we’re in this new environment, where everyone is a valid target,” he says. “In computer security, we talk about ‘threat models,’ which is a way to determine who your adversary is, and what their capabilities are. This news means everyone has to change their threat model.”

Additional reporting by Ryan Gallagher. Josh Begley contributed to this report.

Shhh… Doll Hack? New Wi-fi Connected "Hello Barbie" Risks Inviting Pedophiles Into the Barbie World

Barbie-HelloBarbie3

The newly announced internet-connected “Hello Barbie” (see video clip below) may be every girls’ dream but every parents’ nightmare.

The first-ever conversational doll (developed by ToyTalk in partnership with Mattel) will chat with the kids, record their conversations and transmit the recorded data to servers to be analyzed… and yes, risk being hacked and abused by pedophiles.

Think about it, it has all the hacking ingredients for any tech savvy blokes: wi-fi connection, speech-recognition software, phone apps (for kids?!), two-way conversations with kids and cloud storage.

Not convinced? Consider this: these capabilities mean these Barbies can also eavesdrop and record any conversation within the four-walls. Not much difference from the internet-connected spying Samsung smart TV.

“It wouldn’t take much for a malicious individual to intercept either the wi-fi communications from the phone or tablet, or connect to the doll over Bluetooth directly. These problems aren’t difficult to solve; the manufacturer needs to check the phone application carefully to make sure it’s secure. They also need to check that any information sent by the doll to their online systems is protected,” reportedly according to Ken Munro, a security researcher at Pen Test Partners, who has previously warned about the vulnerabilities in another doll called Cayla which uses speech-recognition and Google’s translation tools.

Shhh… Solutions to NSA & GCHQ Hacks into SIM Cards to Eavesdrop on Mobile Phones Worldwide?

Glenn-pg97

This news originally from The Intercept, based on leaked files from Edward Snowden, shouldn’t come as a surprise as the NSA had been on a mission to Collect It All (Chapter 3) according to Glenn Greenwald’s book “No Place to Hide” (see above).

High time to seriously (re)consider encrypted communications like encrypted calls and messaging apps (despite efforts to ban encryption by Obama and Cameron)?

Shhh… Pre-installed Superfish Malware Leaves Lenovo Computers Vulnerable to Man-in-the-Middle Attacks

I’m a self-confessed hardcore fan of the good old IBM Thinkpad laptops but I’ve shied away from the black box ever since the Lenovo acquisition in 2005. And this (see video clips below) is one of those reasons. My tilt these days is towards those laptops with no parts made in China

Shhh… Simple Solutions to NSA's Embedded Spyware in Hard Drives

This may be bad news but it’s not the end of the world. There’s no need to push the panic button.

You may have read that the NSA have reportedly inserted spyware on the hard drives made by top manufacturers like Western Digital, Seagate, Toshiba, Samsung, etc – ie. the hard drives in literally every computers in the world. This global surveillance exercise, discovered by Moscow-based security software Kaspersky Lab, mainly targeted “government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activist” mainly in countries like Iran, Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria.

Now even if you’re not within that circumscribed range of victims, the fact remains that every computers can be compromised. But there are ways to circumvent the risks – you can never eliminate such risks but you can always minimize the impacts.

As I have pointed out in my public lectures, there are some simple tricks to protect your data (and your life if you’re an entrepreneur because your data is everything to your livelihood) even if you’re not an IT geek. One good practice is to never store a single file or doc, apart from the software and operating system, on your computer hard disk. And I’m not suggesting using the cloud given the well publicized risks. I meant storing your files on an external encrypted hard disk.

And together with several other simple tricks that I’ve shared publicly (for example, consider how you connect your devices online, when you should connect/disconnect the external hard drives to the computer…), there are indeed ways to protect your computers and data.

Shhh… Spy Alert: Your Smart TV Watches You – Just Like Your Computer

This is really nothing new but I’m posting it because similar “news” resurfaced again the past week.

Let’s not forget smart TV are essentially becoming more like computers. And yes, they can watch you and your loved ones discreetly without your knowledge.

If you’ve already bought one, the easy solution is to cover the webcam with a duct tape unless you need to use it.

Shhh… US in Long Battle As China Request Source Code From Western Technology Companies

This spat on intrusive rules is going to be a huge long battle.

The US is voicing opposition to Chinese rules that foreign vendors hand over the source code if they were to supply computer equipments to Chinese banks – which could expand to other sectors as the matter is “part of a wider review”.

Other measures to comply with include the setting up of research and development centers in China and building “ports” for Chinese officials to manage and monitor the data processed by their hardware.

Submitting to these “intrusive rules” for a slice of the huge Chinese markets also means alienating the rest of the world – as complying with these rules means creating backdoors, adopting Chinese encryption algorithms and disclosing sensitive intellectual property.

Find out more from this video:

US-China Spat on Intrusive Rules – And Actual Intrusions

Speaking of “intrusive rules” (see BBC report far below) and “actual intrusions” in China, the latter I have expanded recently in two articles – one on Apple yesterday and the other on VPN blocks last week – and merged in this new column I’m also pasting right below.

The long and short of it, it’s espionage made easy. Period.


Apple Lets Down Its Asia Users

Written by Vanson Soo
MON,02 FEBRUARY 2015

Knuckling under to China on security inspections

If you are a die-hard fan of Apple products and if you, your company or business have anything to do with mainland China, recent developments involving the US tech giant can be construed as bad news, with deeper implications than what was generally thought and reported.

First, about Apple.

I have always liked the beauty and elegance of Apple products. I have owned two Mac laptops and an iPhone but I have shunned them as anyone deeply conscious and concerned about privacy and security should do. Edward Snowden, for example, who laid bare extensive snooping by the US National Security Agency, recently said he had never used the iPhone given the existence of secret surveillance spyware hidden in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices including iPhones, iPads and Mac computers. The move understandably makes business sense to Apple [and its shareholders] as China is just too huge a market to ignore – so the Cupertino-based company [whose market capitalization hit US$683 billion last week, more than double Microsoft’s US$338 billion] realized it simply couldn’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

What Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well documented that Apple users were [and probably still are] known for their cult-like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers.

The company has also denied working with any government agencies to create back doors into its products or servers… So surrendering to security audits wouldn’t?

If only Apple users managed to chuck away their cult mentality and come to their senses about their privacy and security risks, the firm would realize the Google approach, though still not perfect, is a better way of cultivating brand loyalty.

And in case you’re wondering, I use Linux most of the time – and shun the most popular Linux distributions to be on the safe side.a

Now next. And this is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News surfaced in late January that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

The real impact is not merely on domestic residents who were cut off from YouTube, BBC/CNN news and other information sources but resident expatriates, multinationals, foreign embassies and those traveling to China, especially businessmen and executives. Think: Chinese espionage now made easy!

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through it, which effectively shields internet traffic from government filters that have set criteria on what sites can be accessed.

And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

Obama-XiJinping5

29 January 2015 Last updated at 14:35

US tech firms ask China to postpone ‘intrusive’ rules

By Kevin Rawlinson BBC News

US business groups are seeking “urgent discussions” over new Chinese rules requiring foreign firms to hand over source code and other measures.

The groups wrote to senior government officials after the introduction of the cybersecurity regulations at the end of last year.

The US Chamber of Commerce and other groups called the rules “intrusive”.

The regulations initially apply to firms selling products to Chinese banks but are part of a wider review.

“An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice,” the letter read.

The groups said that the rules would force technology sellers to create backdoors for the Chinese government, adopt Chinese encryption algorithms and disclose sensitive intellectual property.

Firms planning to sell computer equipment to Chinese banks would also have to set up research and development centres in the country, get permits for workers servicing technology equipment and build “ports” which enable Chinese officials to manage and monitor data processed by their hardware, Reuters reported.

Source code is the usually tightly guarded series of commands that create programs. For most computing and networking equipment, it would have to be turned over to officials, according to the new regulations.

Tension

In the letter, a copy of which has been seen by the BBC, the groups have asked the Chinese government to delay implementation of the regulations and “grant an opportunity for discussion and dialogue for interested stakeholders with agencies responsible for the initiatives”.

They added: “The domestic purchasing and related requirements proposed recently for China’s banking sector… would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” the letter, which was dated 28 January, read.

The letter from the American groups, including the US Chamber of Commerce, AmCham China and 16 others, was addressed to the Central Leading Small Group for Cyberspace Affairs, which is led personally by Chinese President Xi Jinping.

It comes at a time of heightened tension between the USA and China over cybersecurity. In May last year, Beijing denounced US charges against Chinese army officers accused of economic cyber-espionage.

Pressure

It was also alleged that the US National Security Agency spied on Chinese firm Huawei, while the US Senate claimed that the Chinese government broke into the computers of airlines and military contractors.

American tech firms, such as Cisco and Microsoft, are facing increased pressure from Chinese authorities to accept rigorous security checks before their products can be purchased by China’s sprawling, state-run financial institutions.

Beijing has considered its reliance on foreign technology a national security weakness, particularly following former National Security Agency contractor Edward Snowden’s revelations that US spy agencies planted code in American-made software to snoop on overseas targets.

The cyber-space policy group approved a 22-page document in late 2014 that contained the heightened procurement rules for tech vendors, the New York Times reported on Thursday.

From Apple With Love – Granting Chinese Security Audits Leaves More Deep & Profound Implications Than Betrayal of Apple Die-Hards

I always like the beauty and elegance of Apple products (I had 2 Mac laptops and 1 iPhone) but I have to admit I have already shunned them as anyone deeply conscious and concerned about privacy and security should do – Snowden, for example, recently said he never used the iPhone given the existence of secret surveillance spyware in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices like the iPhones, iPads and Mac computers. The move understandably makes business sense to Apple (and its shareholders) as China is just too huge a market to ignore – so the Cupertino-based company (whose market capitalization hit $683 billion last week, more than double Microsoft’s $338 billion) realized it simply can’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

And what Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well-documented Apple users were (and probably still are) well known for their “cult” like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers. The company has also denied working with any government agencies to create back doors into its products or servers… (So surrendering to security audits wouldn’t?)

If only Apple users somewhat managed to chuck away their cult mentality and come to their senses (about their privacy and security risks), the US tech giant would realize the Google approach (though still not the perfect example) is a better way to cultivating brand loyalty (see article below).

And in case you’re wondering, I use laptops with no parts made in China along with Linux most of the time – and shun the most popular Linux distributions to be on the safe side.


Apple’s New Security Concessions to Beijing

By Doug Young | January 27, 2015, 10:13 AM

Apple is deepening its uneasy embrace of Beijing security officials, with word that it has agreed to allow security audits for products that it sells in China. This latest development comes less than a year after Apple took the unusual step of moving some of the user information it collects to China-based servers, which was also aimed at placating security-conscious regulators in Beijing.

Apple’s increasingly close cooperation with Beijing contrasts sharply with Google, whose popular Internet products and services are increasingly being locked out of China as it refuses to play by Beijing’s rules. Other global tech giants are also having to deal with the delicate situation, each taking a slightly different approach to try to protect user privacy while complying with Beijing’s insistence that they make their information available to security-conscious government regulators.

As a relatively neutral observer, I can sympathize with both the Apples and Googles of the world. Companies like Apple have decided that China is simply too large for them to ignore, and thus are taking steps to address Beijing’s security concerns as a condition for access to the huge market. Microsoft has also taken a similar tack, and Facebook is showing it will also be willing to play by such rules with its recent repeated lobbying for a chance to set up a China-based service.

Google has taken a more defiant stance by refusing to compromise user privacy and free speech, with the result that a growing number of its products and services are now blocked in China. The company shuttered its China-based search website in 2010 over a dispute with Beijing on self censorship. Last year many of its global sites and even its Gmail email service also became increasingly difficult to access for users in China.

Apple isn’t being nearly so defiant, and the latest headlines say it has agreed to the audits of its products by the State Internet Information Office. The reports say Apple agreed to the audits when CEO Tim Cook met with State Internet Information Office official Lu Wei during a December trip to the U.S. I previously wrote about Lu’s trip after photos appeared on an official Chinese government website showing him visiting the offices of Facebook, Apple, and also Amazon.

Lu reportedly told Cook that China needs to be sure that Apple’s popular iPhones, iPads, and other products protect user privacy and also don’t compromise national security. Unlike other PC and cellphone makers that simply sell their devices to consumers, Apple actively keeps records of its product users and some of their usage habits and other related information on remote computers.

This latest move looks like an extension of another one last summer, which saw Apple agree to host some of the data from its China-based users on servers based inside the country. That move also looked aimed at calming national security worries from Beijing, since storing such information on China-based computers would make it more accessible to investigators conducting security-related probes.

In an interesting twist to the story, this latest report comes from a state-owned newspaper in Beijing, making it a sort of semi-official disclosure of China’s approach to the matter. That would follow the government’s own announcement of Lu Wei’s December trip, and perhaps shows that Beijing wants to be more open about steps it’s taking to address national security threats like terrorism. That kind of more open attitude could help both domestic and foreign companies to better navigate China’s tricky cyber realm, though it won’t be of much help to defiant companies like Google that are more intent on protecting free speech and user privacy.

Shhh… Obama & Cameron: Here’s How Low-Tech Encrypted Communications Work – With Just a Pen & Paper – Which You Can’t Decrypt

Here’s a video on how to send an encrypted message in a very simple and low-tech way: with a pen and paper.

Beauty of this primitive but effective method is you would have burnt the “keys” and the authorities won’t be able to punch it out of you, even with water-boarding tactics.

But the one potential challenge is the pad of “cypher keys” (see video below) has to be shared securely in advance and used once at best. Alternative: have several of these pads and find a secure way to convey which pad to use for reference.

Wonder what British Prime Minister David Cameron and US President Barack Obama – who were keen to push for a total ban on encryption despite warnings of irreversible damages – have to say about this. The message to them: it’s impossible to ban encrypted communications.

Shhh… How to Register for Kim Dotcom's End-to-End Encrypted Voice Calling Service "MegaChat"

If you’re amongst those wary of (eavesdropping with) Skype and Google Hangouts, this will be great news.

New Zealand-based internet entrepreneur Kim Dotcom, best known for his legendary Megaupload and Mega file sharing services, announced last week the launch of his new and highly anticipated encrypted communication software MegaChat for video calling, messaging and chat. Dubbed a “Skype Killer”, the New Zealand-based service is available in both free and paid version – see video below.

And this is going to be interesting. The Snowden revelations have revealed how Microsoft, which bought Skype, has handed the NSA access to encrypted messages.

Earlier this month, following the Paris attacks, British Prime Minister announced his push to ban encryption altogether and US President Barack Obama has openly voiced support despite warnings of irreversible damages.

Meantime, Kim Dotcom said encrypted video conferencing, email and text chat would also be available later. In any case, here’s a video on how to register and start using MegaChat.

Shhh… Snowden: iPhone has Secret Surveillance Spyware that Can Be Remotely Controlled

The NSA whistleblower Edward Snowden revealed last week that he doesn’t use an iPhone because the Apple device has a secret surveillance spyware controlled by the US intelligence agency.

Obama: Why is Your Blackberry Super-Encrypted & You Want to Ban the World from Using Encryption?

Let’s have a different take on Obama and his endorsement (of Cameron’s drive) to kill encryption.

Obama is not allowed to use an iPhone because it’s “not safe”, the NSA advised him – Edward Snowden has recently said the iPhone was made to remotely track and transmit data about users.

Obama uses a Blackberry because of its reputation for security. But it’s still not safe enough, so his device was further encrypted though experts warned it’s still no absolute guarantee.

So Mr. President, you understand very well the value of encryption and privacy. And you want to ban encryption in the name of national security when you knew very well the terrorists you’re after are very apt at finding alternatives (remember Osama bin Laden?), including using primitive channels like typewriters, paper and pen, etc?

And at the same time, you’re crippling the entire world – companies, individuals and government (what did Merkel tell you?) – with the floodgates thrown open to cyber-criminals and hackers?

Reckon you can see that the equation doesn’t add up?

Shhh… Online Privacy: How to Track & Manage Our Digital Shadow

Photo (above) credit: http://thespecialhead.deviantart.com/art/Shadow-people-304525517

I found this excellent MyShadow website which not only explains what digital shadows mean but also provides a useful tool to check what traces one leaves online – by specifying the hardware and software one uses – and best of all, explores ways to mitigate them.

Have fun cleaning up your digital footprints.

Shadow-myshadowORG
Shadow-myshadowORG2
Shadow-myshadowORG3
Shadow-myshadowORG4

Shhh… Get a New Home Router – 12 Millions Vulnerable to "Misfortune Cookie" Hacks

Here’s one for the (urgent) To Do List, as the following article (below) from threatpost.com explains…

12 Million Home Routers Vulnerable to Takeover

by Michael Mimoso December 18, 2014 , 12:23 pm

More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer.

Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order.

The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely.

In the case of the RomPager vulnerability, an attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.

“We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.”

Tal said the vulnerable code was written in 2002 and given to chipset makers bundled in a software development kit (SDK). This SDK was given to manufacturers who used it when building their respective firmware; ISPs, Tal said, also used the same SDK to prepare custom firmware used in consumer residential devices.

“The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. “It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.”

Tal said Check Point conducted Internet scans that show the 12 million devices exposed online in 189 countries. In some of those countries, Tal said, vulnerability rates hover around 10 percent, and in one country half of its Internet users are at risk.

“Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.”

That means that vulnerable home routers are at risk to remote attacks that put not only Internet traffic at risk, but also other devices on a local network such as printers.

“The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes,” Check Point wrote in an analysis published today. “This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.”

Tal said Check Point is not aware of any exploits of this issue, but assumes that researchers and black hats will soon begin pinging Shodan and doing Google searches looking for vulnerable devices.

“This is very easy to exploit once you figure out the program internals,” Tal said. “We are assuming that some researchers will do that in upcoming days and we hope vendors react as fast as possible to get consumers protected.”

Some vendors, which Tal would not name, have already shared beta versions of upgraded firmware with Check Point, and Check Point has confirmed the issue as patched in those cases.

“Everyone is aware that embedded devices are insecure, but we haven’t had one game-changing event that crosses boundaries and makes the industry understand this,” Tal said. “This one is definitely worth the attention and needs fixing.”

Shhh… The WikiLeaks' CIA Travel Guide

I like to share with you the latest WikiLeaks release, “CIA Travel Advice to Operatives”. Its press release is pasted below (click here for the full report).

And I find it appropriate to highlight an earlier column, Spies and the Airport Screening Machine.

Enjoy!

CIA Travel Advice to Operatives – Press Release

Today, 21 December 2014, WikiLeaks releases two classified documents by a previously undisclosed CIA office detailing how to maintain cover while travelling through airports using false ID – including during operations to infiltrate the European Union and the Schengen passport control system. This is the second release within WikiLeaks’ CIA Series, which will continue in the new year.

The two classified documents aim to assist CIA undercover officials to circumvent these systems around the world. They detail border-crossing and visa regulations, the scope and content of electronic systems, border guard protocols and procedures for secondary screenings. The documents show that the CIA has developed an extreme concern over how biometric databases will put CIA clandestine operations at risk – databases other parts of the US government made prevalent post-9/11.

How to Survive Secondary Screening without Blowing your CIA Cover

The CIA manual “Surviving Secondary”, dated 21 September 2011, details what happens in an airport secondary screening in different airports around the world and how to pass as a CIA undercover operative while preserving one’s cover. Among the reasons for why secondary screening would occur are: if the traveller is on a watchlist (noting that watchlists can often contain details of intelligence officials); or is found with contraband; or “because the inspector suspects that something about the traveler is not right”.

The highlighted box titled “The Importance of Maintaining Cover––No Matter What” at the end of the document provides an example of an occasion when a CIA officer was selected for secondary screening at an EU airport. During the screening his baggage was swiped and traces of explosives found. The officer “gave the cover story” to explain the explosives; that he had been in counterterrorism training in Washington, DC. Although he was eventually allowed to continue, this example begs the question: if the training that supposedly explained the explosives was only a cover story, what was a CIA officer really doing passing through an EU airport with traces of explosives on him, and why was he allowed to continue?

The CIA identifies secondary screening as a threat in maintaining cover due to the breadth and depth of the searches, including detailed questioning, searches of personal belongings and electronic databases and collection of biometrics “all of which focus significant scrutiny on an operational traveler”.

The manual provides advice on how best to prepare for and pass such a process: having a “consistent, well-rehearsed, and plausible cover”. It also explains the benefits of preparing an online persona (for example, Linked-In and Twitter) that aligns with the cover identity, and the importance of carrying no electronic devices with accounts that are not for the cover identity, as well as being mentally prepared.

CIA Overview of EU Schengen Border Control

The second document in this release, “Schengen Overview”, is dated January 2012 and details guidelines for border officials in the EU’s Schengen zone and the threats their procedures might pose in exposing the “alias identities of tradecraft-conscious operational travelers”, the CIA terminology for US spies travelling with false ID during a clandestine operation. It outlines how various electronic systems within Schengen work and the risks they pose to clandestine US operatives, including the Schengen Information System (SIS), the European fingerprint database EURODAC (European Dactyloscopie) and FRONTEX (Frontières extérieures) – the EU agency responsible for easing travel between member states while maintaining security.

While Schengen currently does not use a biometric system for people travelling with US documents, if it did this “would increase the identity threat level” and, the report warns, this is likely to come into place in 2015 with the EU’s Entry/Exit System (EES). Currently, the Visa Information System (VIS), operated by a number of Schengen states in certain foreign consular posts, provides the most concern to the CIA as it includes an electronic fingerprint database that aims to expose travellers who are attempting to use multiple and false identities. As use of the VIS system grows it will increase the “identity threat for non-US-documented travelers”, which would narrow the possible false national identities the CIA could issue for undercover operatives.

WikiLeaks’ Editor-in-Chief Julian Assange said: “The CIA has carried out kidnappings from European Union states, including Italy and Sweden, during the Bush administration. These manuals show that under the Obama administration the CIA is still intent on infiltrating European Union borders and conducting clandestine operations in EU member states.”

Both documents are classified and marked NOFORN (preventing allied intelligence liaison officers from reading it). The document detailing advice on maintaining cover through secondary screening also carries the classification ORCON (originator controlled) and specifically allows distribution to Executive Branch Departments/Agencies of the US government with the appropriate clearance, facilitating clandestine operations by the other 16 known US government spy agencies. Both documents were produced by a previously unknown office of the CIA: CHECKPOINT, situated in the Identity Intelligence Center (i2c) within the Directorate of Science and Technology. CHECKPOINT specifically focuses on “providing tailored identity and travel intelligence” including by creating documents such as those published today designed specifically to advise CIA personnel on protecting their identities while travelling undercover.

Shhh… A Feasible Strategy Despite Severe Innate Phone Security (Eavesdropping) Flaws Like SS7

The Washington Post article below once again highlights one approach to mobile phone usage: have many spares, apart from your regular smartphone(s), like good old cellulars and disposable low-value SIM cards. Dispose the SIM card after each use and always switch amongst those cellulars.

It can’t stop eavesdropping but at least the hackers and spies cannot trace you so easily. The approach may sound extreme to most people, so for all practical reasons, it’s best recommended only for those important and confidential conversations.

SpareSimsPhones2

German researchers discover a flaw that could let anyone listen to your cell calls.
By Craig Timberg December 18

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They’ve likely sat on these things and quietly exploited them.”

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function — a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas.

“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”

Those tests have included more than 20 networks worldwide, including T-Mobile in the United States. The other major U.S. carriers have not been tested, though Nohl and Engel said it’s likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple’s iMessage and Whatsapp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.)

In a statement, T-Mobile said: “T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks.”

The issue of cell phone interception is particularly sensitive in Germany because of news reports last year, based on documents provided by former NSA contractor Edward Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of NSA surveillance. The techniques of that surveillance have not become public, though Nohl said that the SS7 hacking method that he and Engel discovered is one of several possibilities.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by German magazine Der Spiegel, based on documents released by Snowden. Many cell phone conversations worldwide happen with either no encryption or weak encryption.

The move to 3G networks offers far better encryption and the prospect of private communications, but the hacking techniques revealed by Nohl and Engel undermine that possibility. Carriers can potentially guard their networks against efforts by hackers to collect encryption keys, but it’s unclear how many have done so. One network that operates in Germany, Vodafone, recently began blocking such requests after Nohl reported the problem to the company two weeks ago.

Nohl and Engel also have discovered new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an “Any Time Interrogation” query.

Some carriers block such requests, and several began doing so after the Post’s report. But the researchers in recent months have found several other techniques that hackers could use to find the locations of callers by using different SS7 queries. All networks must track their customers in order to route calls to the nearest cellular towers, but they are not required to share that information with other networks or foreign governments.

Carriers everywhere must turn over location information and allow eavesdropping of calls when ordered to by government officials in whatever country they are operating in. But the techniques discovered by Nohl and Engel offer the possibility of much broader collection of caller locations and conversations, by anyone with access to SS7 and the required technical skills to send the appropriate queries.

“I doubt we are the first ones in the world who realize how open the SS7 network is,” Engel said.

Secretly eavesdropping on calls and texts would violate laws in many countries, including the United States, except when done with explicit court or other government authorization. Such restrictions likely do little to deter criminals or foreign spies, say surveillance experts, who say that embassies based in Washington likely collect cellular signals.

The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.

The German senator who cooperated in Nohl’s demonstration of the technology, Thomas Jarzombek of Merkel’s Christian Democratic Union party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

“After all the NSA and Snowden things we’ve heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone,” he said. “When I really need a confidential conversation, I use a fixed-line” phone.

Life-Saving Gadgets like Bulletproof Bags and Shields for Schools & the Workplace

Photo (above) credit: Alexander Augusteijn

With the recent headlines on fatal shootings by the police, and school massacres in the US earlier, the demand for bulletproof gears may well be on the rise again. And with Christmas round the corner, there’s no better time to show your loved ones you really care about their safety, at school and the workplace.

Perhaps you’re not alien to these products but I thought of sharing anyway, especially my findings on price effective solutions.

But first, here’s the link to a video introduction on one such product. And here’s a demonstration of the gear at work – blocking the bullet.

If it’s convincing, there’s still one operational issue. It takes a good few seconds to convert those ordinary-looking computer bags into a bulletproof shield covering the upper body. And that’s why I thought the next product (picture below) is more practical: it takes just a second to transform the briefcase into a bulletproof wall to shield the entire body when one found himself/herself in a suddenly hostile cross-fire situation.

BulletproofBriefcase-BodyShield

I found online retail stores selling these briefcases at around US$800 apiece.

Subsequently, I also found the China-based OEM manufacturers for these same briefcases. The minimum order quantity (MOQ) is usually quoted at 50, ie. a minimum of 50 pieces per order.

Now for all I know, some manufacturers entertain orders for “one sample” but at a premium, which in this case was US$400 at best.

One manufacturer then offered a “much better price” if I ordered 10 samples instead, at US$250 apiece. And I also asked about the best price for the stated MOQ of 50: US$235 apiece.

Not bad but if only I can convince some buddies to pool in for at least 10 such briefcases.

So I thought the best solution both for the price and practical reasons are the bulletproof panels (picture below).

Bulletblocker-StrikeFace

Besides inserting these panels into the children’s backpacks, one can also insert them into computer bags and briefcases for working adults. The flexibility in use is a big plus. And they cost less than US$100 apiece.