Category Archives: Privacy technology

Anonymous communication, data protection

Why so many CCTVs in UK? (again)

Privacy technology, Security economics

I previously blogged about Prof. Martin Gill’s brilliant talk on CCTV at the Institute of Criminology.

I invited him to give it again as a Computer Laboratory seminar. He will do so on Wed 2006-05-17, 14:15. If you are around, do come along—highly recommended, and open to all. Title and abstract follow.

CCTV in the UK: A failure of theory or a failure of practice?

Although CCTV was heralded as something of a silver bullet in the fight against crime (and by two Governments) scholarly research has questioned the extent to which it ‘works’. Martin Gill led the Home Office national evaluation on CCTV and has subsequently conducted more research with CCTV schemes across the country. In this talk he will outline the findings from the national evalaution and assess the views of the public, scheme workers and offenders’ perspectives (including showing film clips of offenders talking at crime scenes) to show just why CCTV has not worked out as many considered. Martin will relate these findings to the current development of a national strategy.

The Internet and Elections: the 2006 Presidential Election in Belarus

Internet censorship, News coverage, Privacy technology

On Thursday, the OpenNet Initiative released their report, to which I contributed, studying Internet Censorship in Belarus during the 2006 Presidential Election there. It even has managed a brief mention in the New York Times.

In summary, we did find suspicious behaviour, particularly in the domain name system (DNS), the area I mainly explored, but no proof of outright filtering. It is rarely advisable to attribute to malice what can just as easily be explained by incompetence, so it is difficult to draw conclusions about what actually happened solely from the technical evidence. However, regardless of whether this was the first instance the ONI has seen of a concerted effort to hide state censorship, or simply an unfortunate coincidence of network problems, it is clear that existing tools for Internet monitoring are not adequate for distinguishing between these cases.

Simply observing that a site is inaccessible from within the country being studied is not enough evidence to demonstrate censorship, because it is also possible that the server or its network connection is down. For this reason, the ONI simultaneously checks from an unrestricted Internet connection. If the site is inaccessible from both connections, it is treated as being down. Censorship is only attributed if the site can be reliably accessed from the unrestricted connection, but not by the in-country testers. This approach has been very successful at analysing previously studied censorship regimes but could not positively identify censorship in Belarus. Here sites were inaccessible (often intermittently) from all Internet connections tried.

Ordinarily this result would be assumed to simply be from network or configuration errors; however the operators of these sites claimed the faults were caused by denial of service (DoS) attacks, hacking attempts or other government orchestrated efforts. Because many of the sites or their domain names were hosted in Belarus, and given the state strangle-hold on communication infrastructure, these claims were plausible, but generating evidence is difficult. On the client side, the coarse results available from the current ONI testing software are insufficient to combat the subtlety of the alleged attacks.

What is needed is more intelligent software, which tries to establish, at the packet level, exactly why a particular connection fails. Network debugging tools exist, but are typically designed for experts, whereas in the anti-censorship scenario the volunteers in the country being studied should not need to care about these details. Instead the software should perform basic analysis before securely sending the low-level diagnostic information back to a central location for further study.

There is also a place for improved software at the server side. In response to reports of DoS and hacking attacks we requested logs from the administrators of the sites in question to substantiate the allegations, but none were forthcoming. A likely and understandable reason is that the operators did not want to risk the privacy of their visitors by releasing such sensitive information. Network diagnostic applications on the server could be adapted to generate evidence of attacks, while protecting the identity of users. Ideally the software would also resist fabrication of evidence, but this might be infeasible to do robustly.

As the relevance of the Internet to politics grows, election monitoring will need to adapt accordingly. This brings new challenges so both the procedures and tools used must change. Whether Belarus was the first example of indirect state censorship seen by the ONI is unclear, but in either case I suspect it will not be the last.

AV-net – a new solution to the Dining Cryptographers Problem

Privacy technology

Last week in the 14th International Workshop on Security Protocols, I presented a talk on the paper: A 2-round Anonymous Veto Protocol (joint work with Piotr Zieliński), which interested some people. The talk was about solving the following crypto puzzle.

In a room where all discussions are public, the Galactic Security Council must decide whether to invade an enemy planet. One delegate wishes to veto the measure, but worries about sanctions from the pro-war faction. This presents a dilemma: how can one anonymously veto the decision?

This veto problem is essentially the same as the Dining Cryptographers Problem first proposed by Chaum in 1988 — how to compute the Boolean-OR securely. However, Chaum’s classic solution, DC-net, assumes unconditionally secure private channels among participants, which don’t exist in our problem setting. Our protocol, Anonymous Veto Network (or AV-net), not only overcomes all the major limitations in DC-net, but also is very efficient in many aspects (probably optimal).

Banks don’t help fight phishing

Banking security, Privacy technology

I recently got an email from Bank of America offering me a pretty good credit card deal. Usually, I chuck those offers away as spam (both electronic and physical) but this time I decided to bite.

The “apply now” button pointed to http://links.em.bankofamerica.com:8083/…, fair enough. I click. But wait… IE6 says…

Certificate warning IE

Firefox provides more info without layers of abstraction…

Certificate warning FF

I clicked “OK” and got to… https://www.mynewcard.com/! (you’ll notice that going there directly redirects to https://mynewcard.bankofamerica.com/, so only when you click “apply” do you get to see mynewcard.com.)

I consequently emailed BofA with my concerns and got this (surprisingly expedient) reply:

“We recognize that any unsolicited e-mail, legitimate or otherwise, is reason for concern. I can assure you that www.mynewcard.com is a legitimate website of Bank of America.”

Well, not much assurance there since I replied to the original email (cardservices@replies.em.bankofamerica.com), but a whois query confirms that mynewcard.com indeed belongs to BofA. What percentage of the population would go beyond clicking that “OK” on the IE warning as just another annoyance? You know the answer.

So, BofA got three things wrong. Firstly, they had links in the body of the email; the argument has been beaten to the ground… don’t educate people to click them. If the bank has great offers, they should have them available when people log into their accounts. Secondly, they messed up on the certificate… it’s for mynewcard.bankofamerica.com, not what appears in the address bar, mynewcard.com. And finally, they used an unfamiliar domain to process the application. Why? I think the answer lies somewhere in the marketing department where they decided that mynewcard.com is cooler sounding than sound security measures and long term good customer training.

Update: Richard mentioned that the rapid response meant that BofA have heard this concern once before. I found this thread [dansanderson.com] discussing mynewcard.com in August 2003! Which adds a fourth thing BofA did wrong: they didn’t fix it!

Chinese website registration

Internet censorship, Legal issues, Privacy technology

The OpenNet Initiative has released a bulletin on China’s website registration policy. This mandates that all non-commercial websites hosted in China be registered with the Ministry of Information Industry (MII), whereas previously this applied only to commercial sites.

Failure to register a site by July 2005 was punishable by a ¥10 000 fine (about €1 000 and 2/3 of an average urban Chinese annual income) as well as removal the website. Sites are required to put their registration number at the center-bottom of the homepage. Failure to comply makes the owner liable for a ¥5 00010 000 fine.

Enforcement is not only by the MII, but also by the hosting ISPs. This is encouraged by a ¥10 000 fine for hosting unregistered content. ISPs are also responsible for cutting off sites in violation of these rules, however IP/port blocks have also been reported, along with the consequent over-blocking of virtual hosts. The MII also operates the “Night Crawler” which searches for sites not displaying a registration number.

Rebecca MacKinnon suggests that this move might shift Chinese bloggers on to commercial sites such as MSN Spaces, Blogbus, Bokee or Sina, which implement their own keyword filtering to prevent themselves being blocked (as Typepad and Blogsome have been). This shifts the cost and accountability of censorship away from the government and to the edges, as has been done for registration enforcement. The remaining bloggers who maintain their own site will be required to register and so are more likely to self-censor.

The registration process is entirely online, and consists of the owner entering personal information (name, address, etc…) as well as the site description, an email address and mobile phone number. The registration request must then be reviewed by the MII and after a few days the owner is notified of the result and given the registration number if successful.

Interestingly, only the mobile phone number and email address are verified by sending a code to them, which ties in well to the compulsory mobile phone registration in December. Criminals in the UK have been known to steal mobile phones to give untraceable communication in the course of committing offences. Perhaps stolen phones will be used in China to produce fraudulent website registrations for people who would like to keep their anonymity?