Posts for: #Security & Privacy

The Security Offences Bill 2012 - Technology Perspective

Government Eavesdropping on your conversations

The Security Offences (Special Measures) Act 2012 and its new amendment, that wonderful piece of legislation meant to repeal the archaic and ‘draconian’ ISA, may turn out to be even more archaic and draconian than the ISA it was meant to replace.

While much of the legal fanfare has been focusing on the detention without trial sections of the bill, as a tech blogger, I wanted to focus on the technical aspects of it. Specifically, let’s focus on how the new law would allow the government to eavesdrop on your internet communication without the authorization of any Judge or Judicial oversight. Now, while the public prosecutor, or Attorney General in this country, isn’t specifically part of the government–he (or she) is appointed by the Yang Di Pertuan Agong on the ‘advice’ of the Prime Minister.

The sections of the bill that focus on the interception of communication are both all-encompassing and far-reaching, giving far too much power to the Public Prosecutor to intercept your private conversations and web surfing habits, which is a gross invasion of privacy.

Power to intercept Communications

The act grants excessive powers to the Public Prosecutor, including the ability to authorize any police officer to intercept your postal letters, your internet conversations, your email and even your web surfing habits. This includes a list of the websites you visit, and which comments you're posting on Malaysiakini.

On top of this, the Public Prosecutor has the legal authority to compel an ISP to intercept and retain any communication you performed for an unspecified amount of time. Which could be forever.

Basically he can begin to ask Maxis or Unifi for the list of websites you visit, and your detailed online communications, access to your emails, your friend list on Facebook, your tweets and even your online files. Not even your online porn stash will be free from the prying eyes of the Public Prosecutor (not that I have one though…just saying, I know a friend who does).

All this without ever having to go to a Judge for judicial oversight. More importantly, anything collected in this way is deemed admissible as evidence in court, and no one will have to explain how the evidence was obtained. For all you know they could have placed webcams in your home, but they would never have to explain this in court.

What’s worse is that a Police Superintendent is granted similar powers when “immediate action is required leaving no moment of deliberation”.

We all understand the need for the Police and Public Prosecutors to do their job well, and they require tools to catch the bad guys. However, this grants them way too much power with regards to their ability to invade the privacy of private citizens. I don’t want the Public Prosecutor or a curious Police Superintendent snooping on my internet conversations, and yet the new Special offences act allows them to do that–legally!

[Read more]

How Computer Security Research works: Facebook 20,000 prize

In the early days of public computing, researchers who discovered vulnerabilities would quietly tell the product vendors so as to not also alert hackers. But all too often, the vendors would ignore the researchers. Because the vulnerability was not public, there was no urgency to fix it. Fixes might go into the next product release. Researchers, tired of this, started publishing the existence of vulnerabilities but not the details. Vendors, in response, tried to muzzle the researchers. They threatened them with lawsuits and belittled them in the press, calling the vulnerabilities only theoretical and not practical. The response from the researchers was predictable: They started publishing full details, and sometimes even code, demonstrating the vulnerabilities they found. This was called “full disclosure” and is the primary reason vendors now patch vulnerabilities quickly (9). Faced with published vulnerabilities that they could not pretend did not exist and that the hackers could use, they started building internal procedures to quickly issue patches. If you use Microsoft Windows, you know about “patch Tuesday,” the once-a-month automatic download and installation of security patches.

[Read more]

.my domains hacked: Why SSL is more important than ever

MyNic is the organization responsible for managing the .my Top Level Domain, which means every website address that ends with a .my is under their administration. These centralized control centers act as giant targets for hackers, but for the most part, they’re protected better than Fort Knox–or they should be.

Yesterday, a hacker going by the name Tiger-M@te successfully managed to hijack the .my addresses of popular websites belonging to Google, Microsoft, Dell and even Kaspersky (an Anti-Virus company). Instead of being presented with the usual webpage, visitors who entered URLs like www.google.my or www.skype.my were redirected to a static page with the word HACKED emblazoned in big red letters.

[Read more]

Should the government use Microsoft products?

I don’t think the US government should use operating systems made in China for the same reason that most governments shouldn’t use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.

-Richard Matthew Stallman founder of Free Software Foundation (Techbytes interview)

In what appears to be open season on the NSA and tech companies, Bloomberg has joined in with a report of their own, reporting that Microsoft provides US intelligence agencies with information about bugs in its popular software before it publicly releases a fix. In other words, Microsoft grants special access to the likes of the NSA to poke around in the nearly 1 billion users of Microsoft software via newly discovered bugs—long before Microsoft reports it to the public and eventually patches the bug.

[Read more]

Part 3: PRISM and Upstream

Initially I wrote about PRISM and how a lot of people felt it was a tool to intercept communication in flight to companies like Google and Facebook, however slightly more details have emerged to debunk that claim.

However, it’s of paramount importance that we understand what people are saying. No one is denying that communications are being intercepted on their way to Google, Facebook or Apple; what they are saying is that the capability to perform that interception and storage is under the purview of another program called Upstream, and that analysts like Edward Snowden at the NSA were encouraged to use both PRISM and Upstream.

PRISM and Upstream

What the crudely drawn PowerPoint on the left is trying to describe is the distinctness of the programs and how each program would complement (rather than replace) the other.

The release of this particular slide was done shortly after the initial news broke, in the interests of aiding the debate over how Prism works.

The Guardian have intentionally redacted some of the program names from the slide, presumably in an effort to milk this story dry for all that it’s worth, but probably also to keep the momentum of the debate just in case people move on. However, in their own words the slide:

details different methods of data collection under the FISA Amendment Act of 2008 (which was renewed in December 2012). It clearly distinguishes Prism, which involves data collection from servers, as distinct from four different programs involving data collection from “fiber cables and infrastructure as data flows past”.

This of course points to two separate approaches: one where information is accessed directly from the servers it’s stored on (data at rest), and one where information is collected while in transit (data in transit).

This distinction resonated with me, simply because I read about this a couple of months back when another wanted man named Kim Schmitz was making the news instead of one Edward Snowden.

[Read more]

PRISM and Tempora

GCHQ Mastering the Internet

As Edward Snowden begins to look for more ‘accommodating’ countries who wouldn’t mind playing host to a man that currently is more wanted than Osama bin Laden, Saddam Hussein and Kim Kardashian combined, more details slowly begin to emerge about PRISM, painting an ever clearer picture of the extent of the program both Stateside and abroad. Each individual piece of information that filters out continues to sharpen the image we have of just what the NSA has been (and probably still IS) surveilling.

However, we also need to acknowledge a separate project called Tempora, which is the British equivalent of PRISM–or since we don’t know the full details of PRISM–we can at least infer that both Tempora and PRISM share the same objectives, which was to spy on internet communications of netizens throughout the world. As of last year, the British had finished attaching probes to 200 fibre-optic cables each with a capacity of 10 gigabits per second, which would have granted them access to 21.6 petabytes of data on a daily basis. This, we are told, is just the half-way point!

Basically the British government through the Government Communications Headquarters (GCHQ) was accessing a vast majority of data flowing into and out of its borders, most of which probably didn’t originate in the UK and was merely transiting through it. The GCHQ is itself a pseudo-military agency which traces its roots back to World War 1, when communications jamming involved shooting carrier pigeons. Which means that a military organization is looking at private citizen data of not just UK citizens, but possibly Europeans, Japanese and even Malaysians, as the internet traffic we use on a daily basis routes through Europe and the UK before finally landing on the US East Coast.

The interesting thing, though, is that Project Tempora is based in the UK, while PRISM is based in the US, and while local regulations prevent local agencies like GCHQ and the NSA from spying on their own citizens within their own borders, it is physically impossible for a person to be both in the UK and the US at the same time–damn laws of physics… Which essentially means that between Tempora and PRISM, both the UK and US governments can spy on the whole world, and that’s probably what they’re doing.

The UK is a favourite landing spot for all those undersea cables that traverse the Atlantic, carrying internet traffic between Europe and the US, and if you’re wire-tapping the lines between the UK and the US, it’s almost a certainty that you’re tapping nearly all of Europe. Which would explain why the Germans aren’t too happy about the recent revelations of Project Tempora, and have sent a list of questions to the British Embassy in Berlin. If I were the German chancellor I’d be very interested in the details of the project, primarily around why it’s named after a Japanese delicacy–oh wait that’s Tem-PU-ra.

[Read more]

How secure are the webpages of Malaysian Banks and Telco

SSL

I’ve always been fascinated by the fact that our money in the bank these days is secured not by steel doors or armed guards, but rather by cryptography and the encryption keys that enable it. To put it in the simplest form, your money in the bank is protected by a number–that’s what an encryption key essentially is. A long binary number of 1’s and 0’s that protects your life savings…

Most (if not all) of your ‘secure’ internet communications are protected by something called SSL, or its successor, TLS. SSL is the stuff of legend: initially invented by Netscape to encrypt internet communications, SSL is now used by nearly everyone online. You see it when you log in to your bank account on Maybank or CIMB, when you log into an online store like the ones run by Digi and Maxis, even when you do your tax filings on the e-Filing LHDN website.

However, just like every standard in IT, SSL and TLS act as frameworks, and different websites could implement these frameworks slightly differently, usually based on the customer segmentation or the amount of security required. Each implementation could vary from one to another and yet still remain compliant to the ‘standard’; we wouldn’t need consultants if it were otherwise.

The problem is that just because a website uses TLS or SSL doesn’t mean it’s secure–all it means is that the website is now using a standard, but could have implemented the standard poorly, making it vulnerable to attack, and possibly leaking out your data (some of which might be very very sensitive).

The best way to think about it is to go back to the number analogy, and assume that the amount of security you get from encryption is determined by the length of the number. So a 10 digit number is less secure than a 100 digit number–and a 1 digit number is less secure than both of them. In security jargon, we call this the key length, and it’s quite a common criterion used to determine the security of a given SSL/TLS implementation. This of course is just one of the criteria to determine how secure the implementation is.

Basically it’s not enough to check if a website is using SSL or not; it’s more important to figure out how well the encryption is implemented by the website. Of course, this is beyond the scope of most people: no one has the time or inclination to perform a security audit on their bank’s website, although it is in their best interest to do so. Usually that green lock icon at the bottom of the screen helps me sleep well at night–but it shouldn’t; it’s a good start, but not a guarantee of security.

Fortunately, there’s a really quick and dirty way to determine how secure the SSL/TLS implementation of a website is. Head on over to SSLLabs.com and enter the URL of the website you want to evaluate, and they perform a really good audit of the site in real-time, measuring things like key-length and SSL versions, up to the certificate authenticity.

So armed with SSLLabs.com, I decided to perform a quick check of the most popular secure websites in Malaysia to see if these websites were offering the security their users deserved. Checking out the most popular forum in Malaysia, two telco companies, two banks, one government agency and a news portal, the good news is that 3 out of 7 got straight A’s on their test–the bad news is that the other 4 got F’s–and it’s possible to get E by the way…so an ‘F’ is what most people call an epic failure.

[Read more]

What is PRISM?

Prism controversy

There’s a controversy brewing in the land of the free, one that will have implications for Americans, but also Malaysians and nearly every citizen of the world. We may look back at the moment Mr. Snowden leaked controversial (and ugly) slides about a program called ‘PRISM’ as the start of a pivotal moment in internet history, a moment where we either began a massive campaign to prevent illegal and unethical government wiretaps or a moment where we let governments turn the internet into a police state.

So let's recap what happened.

First, the Guardian newspaper broke a story on how the US Government had 'direct' access to the servers of the tech giants of Silicon Valley including Google, YouTube, Yahoo, Apple and Facebook. In short, the report claimed the US Government had direct access to the emails, personal details and chat sessions of everything stored in the massive datacenters of the social networks that the tech giants ran.

There isn’t a person I know that doesn’t have either an iPad, Facebook account or Gmail address. Even my dad who vehemently refused to have a Facebook account, eventually succumbed to the social pressure but that was much after I set up his company email with Google Apps. So to say that the US Government had access to private details of nearly every single person in the world is not a stretch.

So what is PRISM really?

The theory is that US government officials, specifically from the National Security Agency (NSA), have direct access to the servers of 9 tech giants. Details are scarce and denials abound... what isn't debated is that the NSA has some sort of access to the servers, even though the likes of Google and Facebook have repeatedly denied that they have created a backdoor.

So is it possible that the NSA has a backdoor to Google without Google knowing about it? Turns out it’s not as far-fetched as it seems.

Steve Gibson, a security guru with his own show on TWiT.tv, seems to think so. He’s put together some high level analysis of the story, taking into account other similar stories, and suggests that the NSA has a wire-tap on the entire world. A communications intercept targeting the likes of Google and Facebook, but one that the tech companies could be blissfully ignorant of. A wiretap strategically placed at the front door of Google, Facebook, Microsoft and Apple–that collects and stores every data packet passing into and out of their servers.

But communications intercepts don’t work–because the data is usually encrypted…isn’t it?

For the most part the communications that people like you and me use to connect to Google are encrypted, and we’re secure in the knowledge that our data in transit is protected from prying eyes by a minimum 128-bit encryption–that’s encryption that probably won’t be broken for another 20 years.

But not all data flowing into and out of Google is encrypted, some of it flows in plaintext–ripe for any wiretap to pick up. Just like email.

[Read more]

Security Offences Bill vs. Universal declaration of Human Rights

This is what Article 12 of the Universal Declaration of Human Rights says:

  • No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

This is what the Security Offences Bill in Malaysia says:

(1) Notwithstanding any other written law, the Public Prosecutor, if he considers that it is likely to contain any information relating to the commission of a security offence, may authorize any police officer— (a) to intercept, detain and open any postal article in the course of transmission by post; (b) to intercept any message transmitted or received by any communication; or (c) to intercept or listen to any conversation by any communication.

To me, the phrase ‘if he considers it is likely’ is another way of saying arbitrary.

[Read more]

Can you out-tech the government?

Over the past years we’ve seen a recurrent theme where Government agencies were attempting to curtail internet freedom in the name of ‘keeping the peace’. From Saudi telcos threatening security experts to help them hijack tweets to governments procuring tools like Finspy to spy on their citizens–usually without any warrant or legal oversight. We’ve seen US federal agencies try to legislate mandatory technical backdoors into software and how the Syrian government treats internet access for its Citizens like candy for their children–you only get it if you behave.

In Pakistan, a wholesale blockade of YouTube means their citizens are missing not just Gangnam Style, but Gentleman as well (although that may not necessarily be a bad thing)–and we all know how much censorship and surveillance is going on in China.

A French court is now asking Twitter to hand over account details to identify individual users that tweeted anti-semitic messages, both the Dutch and German police are users of spyware from companies that are deemed ‘corporate enemies of the internet’ by Reporters Without Borders, and while you may agree that courts have a right to curtail hate speech, just ruminate for a moment how one-sided French law is when they aggressively pursue anti-Semitic messages but forbid Muslim schoolgirls from wearing a hijab to school because it is supposedly a symbol of oppression. These biases point to deep flaws in our belief that freedom of speech can somehow be regulated by governments–the term regulated freedom of speech is an oxymoron to begin with.

This of course doesn’t just affect the ‘bad’ countries, those with lifetime membership cards to the axis of evil, but countries we’d generally consider good guys as well, those we associate with a respect for personal privacy and citizen rights, so how did we end up like this? To truly appreciate where we are we need to go back to how it all starts.

A false sense of Insecurity

Throughout history it all starts in the name of national security, or keeping the peace. Government agencies ramp up the security concerns and threat levels to give a false sense of insecurity to their citizens--because it's only in this environment that citizens are willing to grant such unilateral powers to the government (and its agencies). People aren't too willing to allow for unilateral government interception of communications--unless of course they perceive that terrorists live among us, and the government requires these powers to protect the innocent.

The track record of governments has never been good. September 11 was a colossal failure of government intelligence, and it’s usually used as an example of why governments should do better. What most people don’t know is that a company called Acxiom had data for 11 hijackers, and provided that data to assist in investigations post 9/11. It turns out that had the government agencies used Acxiom, they may have had additional security on the planes that crashed into the WTC. The breadth and depth of the information provided to law enforcement has been kept secret–and in the wake of such attacks nobody bothered to ask whether Acxiom was operating within legal limits of collecting and storing that data–worse still, people forget that Acxiom itself was hacked, leaking private information of millions of Americans. Yes, it may have helped thwart the attacks on 9/11, but Acxiom itself became a target of attack shortly after details of its information bounty were published; there are a lot of people who would pay for that kind of information.

Even with the fundamental problems of the government storing such private information–government agencies throughout the world continue to ramp up security concerns in the hope of scaring people into giving up their freedoms. Closer to home we continuously see the ‘threat of sedition’ being used to deny individuals and private citizens their rights. The ‘possibility’ of a repeat of May 13th is now accepted as a ‘high probability’ even though there is no data to suggest that a repeat is possible, let alone probable. Just like courts in France we see a glaring bias in the execution of these sedition laws–and the targets are often pro-opposition rather than pro-government.

The Malaysian government is now being accused of running spyware suites like Finfisher, which gives the malware owner a voyeur-like ability to spy on the victims. The makers of Finfisher claim their software is only sold to governments–without realizing it’s the governments themselves that are illegally spying on their citizens.

Not since Tom Sawyer tricked his friends into painting his white fence has such levels of deception been seen.

However, the level of deception isn’t what is troubling; it’s the level of apathy among mainstream society to these revelations that sends shivers down my spine. No one from the general public seems perturbed that the very technology that was supposed to advance democracy and free speech in Malaysia is now being used to suppress it.

And we’re not the only ones spying on our citizens…

[Read more]