Hack of the Week: FISA Section 702

This week's HotW comes to us courtesy of the US House of Representatives: FISA Section 702. This bill extends the US intelligence community's legal ability to collect, store, and search our internet activity and digital communications through 2024, all without any pesky warrants. Under this policy, anyone who connects to the internet is suspected of "cybercrime" by default.

Bleeping Computer shines a light on some of the troubling expansions in the bill:

Under the new bill, FISA Section 702 will now allow the NSA to collect electronic communications of US citizens if they mention certain terms, and not necessarily if they communicate with non-US citizens via email or an online chat.

Furthermore, even if the bill says the FBI must obtain a warrant before searching the NSA database for data on US citizens, a warrant is not necessary if the FBI brands the situation a national security emergency, a term considered too broad and easy to bypass by EFF and ACLU experts.

The "I-have-nothing-to-hide" camp will continue trying to defend this policy and rolling their eyes at the Fourth Amendment, but the chilling effect of mass surveillance like this has been quantified already.

This policy has the potential to be used against a wide swath of society, the ACLU confirms:

If you are a journalist talking about North Korea, a businessman expressing thoughts about the global economy, or an ordinary person discussing the Trump border wall proposal, your conversation could be considered “foreign intelligence” under the law’s broad definition.

The broad scope of this bill combined with the chilling effect of mass surveillance yields a tool that could easily erode freedoms of both speech and press.

However, there is a confusing wrinkle: recent reports claim the intelligence community's efforts against cybercrime rings are trivial compared to previous years. Either these surveillance powers go unused or recent targets don't fall under the "cybercrime ring" category.

Make no mistake, this broad surveillance policy will continue to be used widely, early and often. It is frustrating to have a single policy that undermines the entire security industry. This bill poses the greatest risk to digital rights since the Rule 41 renewal.

This disaster of a policy, now bill S 139, could go to a Senate vote as soon as Jan 16, a day after MLK Jr Day in the US -- ironic since Dr. King serves as a cautionary tale against unchecked surveillance.

Hack of the Week for Jan 1: Meltdown + Spectre

One of my new year’s resolutions is to produce more content on this blog. To that end, I’m introducing a new feature — Hack of the Week. No, not that new person you met who is full of themselves and bad at everything; rather, an exploit, vulnerability or breach that occurred recently. To kick it off, let’s start with a doozy — the two-headed beast known as Meltdown and Spectre, both cache side-channel attacks. They share their own website, a decent indicator of cybersecurity celebrity these days. There are many excellent accounts out there of these two hacks; the short version is that they both impact nearly every computer manufactured since the mid-90s — yes, including the one you’re using at the moment, most likely — and give an attacker access to data in memory. The good news is that there is a fix; the bad news is that the trade-off is a fix that may slow down our devices.

Meltdown and Spectre were publicly disclosed on Jan 3, although a few different research groups discovered the vulnerabilities at some point in the past year. If you are reading this, you’re almost guaranteed to be at risk. But since this is a hardware exploit, unless you gave someone else access to your device, either in person or through a file download, your device should be okay (unless you run JavaScript willy-nilly; some advice on that here). Vendors have provided patches by now, so as always — patch early, patch often and update your browser and extensions. Now that you’ve taken steps to harden your device, the real risk is any website you visit and your data stored there.
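One way to confirm the patches actually took effect on a Linux machine, as an added example that is not part of the original post: kernels from 4.15 on (and vendor backports) report per-issue status under `/sys/devices/system/cpu/vulnerabilities`. The function names `classify_status` and `check_cpu_vulns` are made up for this sketch.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status from Linux sysfs.
# Each file under this directory holds one line such as "Not affected",
# "Vulnerable..." or "Mitigation: ...".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <text> -> prints ok | vulnerable | unknown
classify_status() {
  case "$1" in
    "Not affected"*|"Mitigation:"*) echo ok ;;
    "Vulnerable"*)                  echo vulnerable ;;
    *)                              echo unknown ;;
  esac
}

# check_cpu_vulns [dir] -> prints one line per issue.
# Exit status: 0 all ok, 1 at least one vulnerable, 2 status unavailable.
# The body runs in a subshell so its variables do not leak to the caller.
check_cpu_vulns() (
  dir="${1:-$VULN_DIR_DEFAULT}"
  rc=0
  for name in meltdown spectre_v1 spectre_v2; do
    if [ -r "$dir/$name" ]; then
      text=$(cat "$dir/$name")
      verdict=$(classify_status "$text")
    else
      # Missing file: the kernel predates the reporting interface, so the
      # patch level cannot be confirmed from here.
      text="(no sysfs entry)"
      verdict=unknown
    fi
    printf '%-11s %-10s %s\n' "$name" "$verdict" "$text"
    case "$verdict" in
      vulnerable) rc=1 ;;
      unknown)    if [ "$rc" -eq 0 ]; then rc=2; fi ;;
    esac
  done
  exit "$rc"
)

# Usage: check_cpu_vulns          (reads the live sysfs directory)
#        check_cpu_vulns /some/dir (reads a copy, e.g. from a collected image)
```

A result of `unknown` for all three entries usually means the kernel itself is older than the fixes, which is a finding in its own right.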

The threat model is slightly different on the web. While various companies' websites have their own chunk of cyberspace, the servers that host these websites may live on the same hardware. A report last year by ZDNet says a single cloud provider claimed roughly a third of the cloud market share at the time. So while your banking website and healthcare provider probably don’t live on the same hardware and no doubt have strong security teams, it could be possible that one of their neighbors fell victim to Meltdown or Spectre. So, if your personal device is a stand-alone house, the websites you visit are different rooms in an apartment building… and who knows if there’s a creeper in one of those other units.

The good news is that cloud providers are incentivized to keep their systems updated, including patches for Meltdown and Spectre. And the major players are doing exactly that. The downside is slower machines, as ZDNet reports. The secret is that cloud-hosted websites and services won’t necessarily slow down — companies running their websites on cloud providers have two options to mitigate performance loss: 1) host on faster (and more expensive) machines or 2) add additional machines. The question becomes who picks up the additional costs for those solutions.

Patching systems and provisioning heftier systems is a short-term solution. Since these are hardware vulnerabilities, the long-term fix will require a complete processor chip redesign and physical system upgrade — by no means a quick or cheap solution.

An exciting start to 2018.