Interfering with mass surveillance

When IT security professionals talk about methods to tap someone’s communications, they use the term “(attack) vector”. Strong encryption is by definition not breakable, so the only available points of attack lie before encryption is applied, or after the cypherdata has been decrypted. There’s no use “tapping the wire” (like Tempora). You’ll typically want to tap the applications at either end which provide the encryption.

The German “BKA Bundestrojaner” proposed to do this in a way similar to the CDC’s good old BackOrifice, which basically hooked into your webcam, sound card and keyboard as well as providing FTP-style access to storage devices. However getting that software onto the target computer is a challenge. You need to break in, or trick the target user to download and install your software. It requires a targeted effort.

Mass surveillance of encrypted communication requires a massive number of computer systems to be compromised. Take Skype, for example. Let’s assume that its protocol is unbreakable, and Microsoft refuses to allow direct access (as they claim). That leaves two vectors: either a generalized trojan like the Bundestrojaner that is tricky to get onto target computers. Or a modified version of the Skype software, disguised as an update. At its core, it’s the ideal trojan. It’s been done before, e.g. Hushmail served modified updates to some of their clients at the request of Canadian authorities. But let’s assume Microsoft doesn’t cooperate by allowing their Skype updates to be “spiked”. Their cooperation isn’t required if you have the cooperation of internet providers, because you can simply re-route requests for updates from Microsoft servers so that the bugged update is downloaded from a malware server instead, without the target knowing. This can be done for a massive number of users, and it’s not just theory. It’s been common practice in China and the countries of Northern Africa, where governments have served up “localized” versions of communications software like Skype to all users in those countries’ networks.

That’s where Tor and VPNs come in. They can’t prevent this from happening, but they do provide an extra layer of distance between yourself and your internet provider. If all communications leaving your wall socket are encrypted and anonymized, there’s not much they can do. They’d have to infiltrate your VPN end point, or a significant number of the Tor exit servers. While that is possible, it seems more like a theoretical possibility.

Use a VPN, or use Tor all the time if possible. It’s not paranoia: providers like Comcast have in the past swapped out web content, replacing it with their own notifications and advertisements. Mobile data providers do a lot of meddling to police the applications that are being used; it’s not beyond them to substitute data you’ve requested.

Put some distance, a layer of anonymity between yourself and your internet provider.

A thought on the surveillance leaks

Did Eastern Germans protest and revolt against the leadership of the DDR because they were sick of the state’s total surveillance and control, or because they desired higher income and material consumption? Despite the popular narrative, I really do believe the latter is what motivated the masses. But that’s because I have a cynical outlook.

The narrative is probably right too. Average citizens would never have dared to protest without a solid number of idealists leading by example and providing moral justification.

For those idealists, the recent leaks regarding Western state security services’ mass monitoring capabilities must have had a particularly nasty taste. Imagine risking your life, throwing yourself into the arms of the Free West only to discover that the West does the surveillance thing too.

Total, cradle-to-grave state control? No. But total surveillance? Absolutely. At first glance that isn’t completely true: there are laws putting strict limits on the surveillance of conventional communications media like mail in envelopes and telephone calls. Unfettered surveillance is limited to newfangled network-based communications. But if you think about it, the new media provide much more complete, more unfiltered insight into people’s lives than phone calls or letters. People write letters expecting they’ll be read (if only by the intended recipient). They don’t have that on their mind when they enter search terms, and in fact I think people do have an expectation of privacy when they do their online research (“breast cancer”? “alcoholics anonymous”? “gambling support group”?). The same goes for documents or for calendar appointments stored on the web. All of this stuff is replacing the old, protected methods of communication.

Probably the main reason the Stasi went to the trouble to install bugs and wiretaps was to catch information their victim’s wouldn’t have put in a letter (even assuming it wouldn’t be opened). Tapping the cloud delivers an awful lot of that stuff, from many areas of life. So the type of unregulated access our security services have claimed for themselves in absence of existing regulation is actually pretty disturbing. I think it’s more problematic than a phone wiretap, and almost as intrusive as the surveillance of Eastern Germany.

Observation on language

I see a curious difference between the US and the UK (and their respective satellites) in the way their written language is viewed and treated. Just considering the e-mails of people I interact with at work, I could readily pull up a half-dozen examples showing a US-trained colleague using bad spelling and worse grammar, versus a Commonwealth-trained colleague vividly using a wide spectrum of vocabulary in complete sentences. It’s prejudice, but so far my experience confirms this black-and-white model.

American primary and secondary education aren’t bad, no matter what TV tries to make you believe. There may be differences in emphasis which explain the difference. Maybe one system emphasizes creative writing more than the other, which may have more of a focus on reading comprehension and analysis. Perhaps. It’s all good.

What was new to me in recent years, is a general hostility towards well-formed, “long-winded” writing. It manifests itself not just in work e-mails, and I think it’s at least partially responsible for people’s lack of love for their language. If you see language as a means towards an end, it’s no surprise you use the simplest, shortest words to get your point across to as wide an audience as you can.

There’s pressure everywhere to use words sparingly, and people are not ashamed to ask for bite-sized, pre-digested summaries like “executive summaries” and “elevator speeches” (how I hate that term). I think if an executive doesn’t take the time to understand a complex topic outside of the time he or she has allotted to riding the elevator, it’s probably better not to bother them with it at all.

Have you noticed the rise of the “quick start guide” as an abbreviated addendum to products’ user or installation manuals? What’s that all about? Can’t be bothered to take the five minutes to read the manual? Not that I mind quick-start guides, but I think they’re a symptom of laziness regarding language. Reading is seen as a chore. There are two ways to reduce that chore, and the authors of the user manuals have chosen to reduce the number of words. The better alternative is to improve the quality of writing – though I admit a user manual for a vacuum cleaner does pose a challenge.

At work, I find that people tend to keep their communication short to the point of mangling their language with bullet points and incomplete sentences, but they’re perfectly happy to write long reports. And those reports often do tend to be long-winded, with copy-paste liberally used to copy swathes of text from brochures or technical papers.

To sum it up, I think people here don’t mind reading and writing if it’s an explicit piece of work. A good indicator would probably be “is reading or writing this something that could potentially be billable time in a customer project”.

Such a utilitarian view of language is a bit sad.

Subservience

Consider this text:

Long emails get ignored and filed away. Short emails get read. People see the value without having to get out the reading glasses. A welcome email shouldn’t be a novel.

We used to have a really information packed welcome email for Basecamp. It had everything you’d ever need to know about your Basecamp account. And guess what? We got lots of support emails asking about the things people should have spotted in the welcome email. But they couldn’t see through all the fog we put in their way.

They provided all the necessary information but the customers “couldn’t see through the fog”?! They were too lazy or indifferent to read for their own good, is closer to the truth.

I’ve encountered this servile attitude quite often over the last couple of years, and I think it is harmful. A policy of licking customers’ boots is bad for the customer and worse for your own colleagues and employees.

Customers come and go, but capable colleagues should be retained for the long run. The person who put a lot of thought into that introduction e-mail will feel unfairly put down if her work is described as “fog”. Why should she stay?

Working in multiple contexts

I like this quote from Alex Garcia, who is a photographer at the Chicago Tribune. He’s commenting on the dismissal of the Chicago Sun-Times’ entire photography staff and points out that text-oriented journalists can’t just take over by taking some shots with their smart phones. Doing so they would compromise the quality of their work.

…the best reporters use a different hemisphere of the brain to do their jobs than the best photographers. Visual and spatial thinking in three dimensions is very different than verbal and analytical thinking. Even if you don’t believe that bit of science, the reality is that visual reporting and written reporting will take you to different parts of a scene and hold you there longer. I have never been in a newsroom where you could do someone else’s job and also do yours well. Even when I shoot video and stills on an assignment, with the same camera, both tend to suffer. They require different ways of thinking, involving motion and sound.