
bad ideas

ACTA Treaty

If pressed, I would name the ACTA treaty and Network Neutrality as the two most threatening issues of the day with regard to the Internet. The ACTA treaty has, until recently, been under super-secret negotiation hidden from public scrutiny. There have been a number of leaks, and finally an official release of a treaty draft a few days ago. The treaty is titled an “Anti-Counterfeiting Trade Agreement”, but combating so-called Internet ‘piracy’ gets, at minimum, equal space with counterfeiting. Section 2.18(3) is particularly interesting and pertinent in the same context as the DMCA and Network Neutrality issues.


Section 4: [Special Measures Related to Technological Enforcement of Intellectual Property in the Digital Environment]

ARTICLE 2.18 [ENFORCEMENT PROCEDURES IN THE DIGITAL ENVIRONMENT] 45

[...]

  1. Without prejudice to the rights, limitations, exceptions, or defenses to [[ patent, industrial design, trademark and][copyright or related rights]][intellectual property rights] infringement available under its law, including with respect to the issue of exhaustion of rights, each Party [confirms that] [shall provide for] [civil remedies as well as limitations, exceptions, or defenses with respect to the application of such remedies, are available in its legal system in cases of third party liability[ 47 ][or liability for those who authorize infringement, or both] for [[patent, industrial design, trademark and][copyright or related rights]][intellectual property rights] infringement. 48

[...]

Each Party recognizes that some persons 49 use the services of third parties, including online service providers,[ 50 ] for engaging in [ patent, industrial design and trademark,] copyright or related rights infringement.


[...]

50 [For purposes of this Article, online service provider and provider mean a provider of online services or network access, or the operators of facilities therefore, and includes an entity offering the transmission, routing, or providing of connections for digital online communications, between or among points specified by a user, of material of the user’s choosing, without modification to the content of the material as sent or received.]


The Electronic Frontier Foundation released a preliminary legal analysis of the treaty draft, noting:

“ACTA contains various provisions requiring countries to impose liability on intermediaries for their users’ behavior (Article 2.18(3)). This would apply to Internet intermediaries, but also to intermediaries such as libraries and educational institutions, which frequently provide Internet access to their customers and users.” – eff.org

Continue reading

Redaction vs CTRL-C CTRL-V

User error is ever the bane of security. It has plagued the digital world since the first user taped their password to their monitor, an event likely to have occurred shortly after the first passwords were handed out. While user error continues its endless march, the form it takes mutates as technology advances. Recently, the Department of Homeland Security mistakenly released a manual on its screening procedures (user error 1) and failed to properly redact certain sections of it (user error 2). The internet, in its vast, never-sleeping glory, found this document and scattered it to the four winds to preserve it against censorship. (As a side note, I often speak of the internet metaphorically as if it were a living entity. I feel it better captures the internet’s essence: we are each but parts of a larger metaphorical mental organism.)

The document can be found at cryptome.org and on wikileaks.org.

The mistake was a fairly simple one, and a common governmental gaffe. In redacting the document, the reviewer simply placed black boxes over the offending text without “burning in” the redaction. “Burning in” is the process of re-rendering the PostScript/PDF page data so that, instead of rendering a block of text with a black bar drawn on top of it (i.e. layered), it renders just the black bar with the text removed. In the layered rendering they released, the redaction box can simply be deleted, or the underlying text can be selected and cut and pasted straight out of the document, because the text is still present in the file.
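The following Python script is an added example, not code from the original post or from any redaction tool. It constructs two tiny uncompressed PDFs with a constructed placeholder string standing in for the sensitive text: one with a black rectangle merely drawn over the text (the layered mistake described above) and one where the string was removed before the bar was drawn (burned in). A simple text extractor then shows that the layered version still gives up the text, and the `redaction_leaks` check is the sort of pre-release test a reviewer would want to run. The PDF builder, the `Screening threshold:` line and the `SECRET-VALUE` placeholder are all assumptions made for the example.

```python
import re

# Constructed placeholder for the redacted text; not taken from the DHS document.
SENSITIVE = "SECRET-VALUE"

# Fills a black rectangle over the line of text (x=70, y=695, 260 wide, 16 tall).
BLACK_BAR = b"0 g 70 695 260 16 re f"


def build_pdf(content_stream: bytes) -> bytes:
    """Assemble a minimal, uncompressed single-page PDF around a page content stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content_stream) + content_stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def layered_redaction_pdf() -> bytes:
    """The mistake: the text is still drawn, and a black box is painted on top of it."""
    text = b"BT /F1 12 Tf 72 700 Td (Screening threshold: " + SENSITIVE.encode() + b") Tj ET"
    return build_pdf(text + b"\n" + BLACK_BAR)


def burned_in_redaction_pdf() -> bytes:
    """Burned in: the sensitive string is removed from the content before the bar is drawn."""
    text = b"BT /F1 12 Tf 72 700 Td (Screening threshold: ) Tj ET"
    return build_pdf(text + b"\n" + BLACK_BAR)


def extract_text(pdf: bytes) -> str:
    """Pull every string shown with the Tj operator out of uncompressed content streams.
    This is roughly what copy-and-paste or pdftotext recovers, whatever is drawn on top."""
    return " ".join(m.decode("latin-1") for m in re.findall(rb"\((.*?)\)\s*Tj", pdf))


def redaction_leaks(pdf: bytes, secret: str) -> bool:
    """Pre-release check: does the supposedly redacted string survive in the text layer?"""
    return secret in extract_text(pdf)


if __name__ == "__main__":
    for name, doc in (("layered", layered_redaction_pdf()),
                      ("burned-in", burned_in_redaction_pdf())):
        print(f"{name:10s} text={extract_text(doc)!r} leaks={redaction_leaks(doc, SENSITIVE)}")
```

The extractor only understands uncompressed streams and unescaped literal strings, which is enough for the constructed files; real-world PDFs usually Flate-compress their content streams, so for an actual review you would run `pdftotext` (or any PDF library's text extraction) over the file and grep the output for the material that was supposed to be gone. The point the check makes is the same either way: a redaction is only real if the text is absent from the file, not merely hidden behind a drawing.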

Continue reading

<>< [Phish / Fish] ing attacks are still viable

Fairly uninteresting from a technical point of view, but worth noting as a perpetual problem. The Register reports on a recent fishing attack against Hotmail and other web-based email users. Phishing, fishing, <><: all refer to what is known as a “social engineering” attack. Social engineering attacks target the user rather than the technology, and do so by convincing the user to go along with what the attacker wants or needs. Here’s a clip from Hackers, the circa-1995 movie, which illustrates the concept:

Continue reading

Respondus LockDown Browser

The Respondus LockDown Browser is an application designed to “lock down” a system for the duration of an exam. It claims to display a full-screen browser that cannot be minimized, prevents task switching, stops “over 400 screen capture, messaging, screen-sharing and network monitoring applications” from running, blocks external links to avoid compromising the “locked testing environment”, and so forth. The application is intended to (1) stop students from accessing external material while taking the exam, (2) stop students from recording the examination questions, and (3) stop students from communicating with others – all in an effort to stop cheating.

I learned about this application over the weekend when an online exam for a class I am taking this semester required its use. I was quite annoyed to learn it did not have a Linux client and relied on Internet Explorer. Using Linux as my primary OS, I naturally loaded it into a VMware copy of Windows XP, only to discover it refuses to run in a virtual machine. Not wanting to go all the way to campus to take the exam, I fired up IDA Pro and decided to take a look at the VM detection mechanisms – needless to say, I was unimpressed.

Continue reading

Disturbing Trends Across the Pond

Two convicted for refusal to decrypt data

Since October 2007, when refusal to disclose decryption keys was made a criminal offence in the UK, the buzz around the smallish digital forensics research community has been one of alarm. Security researchers, by definition always on the lookout for failings in a system, immediately proposed a scenario in which encrypted data is present on a system for which the user does not have the decryption key, thus creating a crime through ignorance: not of the law, but of the key. As reported by the Register in the above link, two individuals have now been convicted under this ridiculous law.

Continue reading