Tag Archives: Snowden

With Politicians Like These, Who Needs Terrorists?

The text on the cover says: "Love is stronger than hate."

The text on the cover says: “Love is stronger than hate.”

Last week, on the 7th of January 2015, the satirical magazine Charlie Hebdo‘s office in Paris was attacked by Islamic fundamentalists. Charlie Hebdo is a French satirical magazine featuring jokes, cartoons, reports etcetera. that is stridently anti-conformist in nature. They make fun of politics, Judaism, Christianity and Islam and all other institutions. Like all of us they have every right to freedom of expression. But alas, fundamentalists did not agree, and opted to violently attack their office in Paris with assault rifles and rocket propelled grenades, leaving 12 people killed and 11 wounded. This was a terrible attack, and my heart goes out to the families and their colleagues and friends who have lost their loved ones.

After the attack, there was (rightly so) worldwide condemnation and the sentence “Je suis Charlie,” French for “I am Charlie,” became the slogan of millions. What I am afraid of however, is not the terrorists who perpetrate these attacks. What frightens me more, is the almost automatic response by politicians who immediately see reasons to implement ever more oppressive legislation, building the surveillance state. After all, the goal of terrorism is to change society by violent means. If we allow them to, the terrorists have already won. Their objective is completed by our own fear.

Hypocrites At The March

When I was watching footage of the march in Paris for freedom of expression I saw that a lot of government leaders were present, most of whom severely obstructed freedom of expression and freedom of the press in their home countries. Now they were were at the march, claiming the moral high ground and claiming to be the guardians of press freedom.

Here’s an overview of some of the leaders present at the march and what they did in relation to restricting press freedom in their own countries, courtesy of Daniel Wickham, who made this list and published it on his Twitter feed:

Politicians like the ones mentioned above, but also the likes of May (UK Home Secretary), Opstelten (the Netherlands’ Justice Minister) and many others are jumping on the bandwagon again to implement new oppressive laws limiting freedom of expression and the civil and human rights of their peoples. With leaders like these, who needs terrorists? Our leaders will happily implement legislation that will severely curtail our freedoms and civil liberties instead of handling the aftermath of tragic events like these as grown-ups. It would be better if they viewed participating in the march as a starting point to start improving the situation in the areas of freedom of expression and freedom of the press at home.

The Political Consequences Of Terrorist Attacks

What frightens me is the fact that people like Andrew Parker, head of MI5, the kind of person who normally never makes headlines, is given all the space he needed to explain to us “why we need them,” to put it in the words of High Chancellor Adam Sutler, the dictator from the film “V for Vendetta,” which is set in a near-future British dystopia. UK Chancellor George Osborne immediately said in response to the piece by Andrew Parker that MI5 will get an extra £100 million in funding for combating Islamic fundamentalism. David Cameron has confirmed this.

Politicians are using the tragic events in Paris as a way to demand more surveillance powers for the intelligence community in a brazen attempt to curtail our civil liberties in a similar way to what happened after the 9/11 attacks.

All the familiar rhetoric is used again, how it’s a “terrible reminder of the intentions of those who wish us harm,” how the threat level in Britain worsened and Islamic extremist groups in Syria and Iraq are trying to attack the UK, how the intelligence community needs more money to gather intelligence on these people, how our travel movements must be severely restricted and logged, the need for increased security at border checks, a European PNR (Passenger Name Record) (which, incidentally would mean the end of Schengen, one of the core founding principles on which the EU was founded — freedom of movement). The list goes on and on.

A trend can be seen here. UK Home Secretary Theresa May wants to ban extremist speech, and ban people deemed extremist from publicly speaking at universities and other venues. The problem with that is that the definition of extremist is very vague, and certainly up for debate. Is vehemently disagreeing with the government’s current course in a non-violent way extremist? I fear that May thinks that would fit the definition. This would severely curtail freedom of speech both on the internet and in real life, since there are many people who disagree with government policies, and are able to put forward their arguments in a constructive manner.

Before we can even begin to implement laws like these we need to discuss what extremism means, what vague concepts like “national security” mean. There are no clear definitions for these terms at this point, while the legislation that is being put into place since 9/11 is using these vague notions intentionally, giving the security apparatus way too much leeway to abuse their powers as they see fit.

I read that Cameron wants to ban all encrypted communications, since these cannot be decrypted by the intelligence community. This would mean that banks, corporations and individuals would leave themselves vulnerable to all kinds of security vulnerabilities, including identity theft among others, vulnerabilities which cryptographic technologies are meant to solve.

Cryptography is the practice of techniques for secure communication in the presence of adversaries. Without cryptography, you couldn’t communicate securely with your bank, or with companies that handle your data. You also couldn’t communicate securely with various government agencies, or health care institutions, etcetera. All these institutions and corporations handle sensitive information about your life that you wouldn’t want unauthorised people to have access to.  This discussion about banning cryptography strongly reminds me of the Crypto Wars of the 1990s.

Making technologies like these illegal only serves to hurt the security of law-abiding citizens. Criminals, like the people who committed the attacks at Charlie Hebdo, wouldn’t be deterred by it. They are already breaking the law anyway, so why worry? But for people who want to comply with the law, this is a serious barrier, and restricting cryptography only hurts our societies’ security.

Norwegians’ Response to Breivik

Instead of panicking, which is what these politicians are doing right now, we should instead treat this situation with much more sanity. Look for instance to how the Norwegians have handled the massacre of 77 people in Oslo and on the Norwegian island of Utøya by Anders Behring Breivik on July 22nd, 2011.

Breivik attacked the Norwegian government district in Oslo, and then subsequently went to Utøya, where a large Labour Party gathering was taking place. He murdered 77 people in total.

The response by the Norwegians was however, very different from what you would expect had the attack taken place in the UK, the US or The Netherlands, for instance. In these countries, the reaction would be the way it is now, with the government ever limiting civil liberties in an effort to build the surveillance state, taking away our liberties in a fit of fear. The Norwegians however, urged that Norway continued its tradition of openness and tolerance. Memorial services were held, the victims were mourned, and live went on. Breivik got a fair trial and is now serving his time in prison. This is the way to deal with crises like this.

Is Mass Surveillance Effective?

The problem with more surveillance legislation is the fact that it isn’t even certain that it would work. The effectiveness of the current (already quite oppressive) surveillance legislation has never been put to the test. Never was a research published that definitively said that, yes, storing all our communications in dragnet surveillance has stopped this many terrorist attacks and is a valuable contribution to society.

In fact, even the White House has released a review of the National Security Agency’s spy programmes in December 2013, months after the first revelations by Edward Snowden, and this report offered 46 recommendations for reform. The conclusion of the report was predictable, namely that even though the surveillance programmes have gone too far, that they should stay in place. But this report has undermined the NSA’s claims that the collection of meta-data and mass surveillance on billions of people is a necessary tool to combat terrorism.

The report says on page 104, and I quote:

“Our review suggests that the information contributed to terrorist investigations by the use of Section 215 telephony meta-data was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional Section 215 orders.”

And shortly after Edward Snowden’s revelations about the existence of some of these programmes were published, former director of the NSA Keith Alexander testified to the Senate in defence of his agency’s surveillance programmes. He claimed that dozens of terrorist attacks were stopped because of the mass surveillance, both at home and abroad. This claim was also made by President Obama, who said that it was “over 50.” Often, 54 is the exact number quoted. Alexander’s claim was challenged by Senators Ron Wyden (D-OR) and Mark Udall (D-CO), who said that they “had not seen any evidence showing that the NSA’s dragnet collection of Americans’ phone records has produced any valuable intelligence.” The claim that the warrant-less global dragnet surveillance has stopped anywhere near that number of terrorist attacks is questionable to say the least, and much more likely entirely false.

More oppressive dragnet surveillance measures aren’t helping with making the intelligence community any more efficient at their job. In fact, the more intelligence gets scooped up in these dragnet surveillance programmes, the less likely it becomes that a terror plot is discovered before it occurs, so that these may be stopped in time. More data needs to be analysed, and there’s only so much automatic algorithms can do when tasked with filtering out the non-important stuff. In the end, the intel needs to be assessed by analysts in order to determine their value and if necessary act upon it. There is also the problem with false positives, as people get automatically flagged because their behaviour fits certain patterns programmed into the filtering software. This may lead to all sorts of consequences for the people involved, despite the fact that they have broken no laws.

Politicians can be a far greater danger to society than a bunch of Islamic terrorists. Because unlike the terrorists, politicians have the power to enact and change legislation, both for better and for worse. When we are being governed by fear, the terrorists have already won.

The objective of terrorism is not the act itself. It is to try and change society by violent means. If we allow them to change it, by implementing ever more oppressive mass surveillance legislation (in violation of Article 8 of the European Convention on Human Rights (ECHR)), or legislation that restricts the principles of freedom of the press and freedom of speech, enshrined in Article 10 of the ECHR, freedom of assembly and association enshrined in Article 11, or of freedom of movement which is one of the basic tenets on which the European Union was founded, the terrorists have already won.

Let’s use our brains and think before we act.

Regin: The Trojan Horse From GCHQ

In 2010, Belgacom, the Belgian telecommunications company was hacked. This attack was discovered in September 2013, and has been going on for years. We know that this attack is the work of Western intelligence, more specifically, GCHQ, thanks to documents from Edward Snowden. This operation was called Operation Socialist. Now, however, we know a little bit more about how exactly this attack was done, and by what means. Internet connections from employees of Belgacom were sent to a fake LinkedIn page that was used to infect their computers with malware, called “implants” in GCHQ parlance. Now we know that Regin is the name given to the highly complex malware that seems to have been used during Operation Socialist.

Projekt 28Symantec recently reported on this malware (the full technical paper (PDF) can be found here), and it’s behaviour is highly complex. It is able to adapt to very specific missions and the authors have made tremendous effort to make it hard to detect. The malware is able to adapt and change, and since most of anti-virus detection relies on heuristics, or specific fingerprints of known malware, Regin was able to fool anti-virus software and stay undetected. However, Symantec put two and two together and has now revealed some of Regin’s inner workings.

fig3-countriesThe infections have ranged from telecoms and internet backbones (20% of infections), to hospitality (hotels, etc.), energy, the airlines, and research sectors but the vast majority of infections has been of private individuals or small businesses (48%). Also, the countries targeted are diverse, but the vast majority of attacks is directed against the Russian Federation (28%) and Saudi Arabia (24%).

The Regin malware works very much like a framework, which the attackers can use to inject various types of code, called “payloads” to do very specific things like capturing screen-shots, taking control of your mouse, stealing passwords, monitoring your network traffic and recovering files. Several Remote Access Trojans (also known as RATs) have been found, although even more complex payloads have also been found in the wild, like a Microsoft IIS web server traffic monitor (this makes it easy to spy on who visits a certain website etcetera). Another example of a highly complex payload that has been found is malware to sniff administration panels of mobile cellphone base station controllers.

How Regin Works

As mentioned above, Regin works as a modular framework, where the attackers can turn on/off certain elements and load specific code, called a “payload,” to create a Regin version that is specifically suited to a specific mission. Note that it is not certain whether all payloads have been discovered, and that there may be more than the ones specified in the report.

fig2-sectorsRegin does not appear to target any specific industrial sector, but infections have been found across the board, but mostly in telecom and private individuals and small businesses. Currently, it is not known what infection vectors can possibly be used to infect a specific target with the Regin malware, but one could for instance think of tricking the target into clicking on a certain link in an e-mail, visiting spoof websites, or maybe through a vulnerable application installed on the victim’s computer, which can be used to infect the target with Regin. In one instance, according to the Symantec report, a victim was infected through Yahoo! Instant Messenger. During Operation Socialist, GCHQ used a fake LinkedIn page to trick Belgacom engineers into installing the malware. So one can expect infection to take place along those lines, but other possibilities may of course exist.


The various stages of Regin.

Regin has six stages in its architecture, called Stage 0 to Stage 5 in the Symantec report. First, a dropper trojan horse will install the malware on the target’s computer (Stage 0), then it loads several drivers (Stage 1 and 2), loads compression, encryption, networking, and EVFS (encrypted file container) code (Stage 3), then it loads the encrypted file container and loads some additional kernel drivers, plus the payloads (Stage 4), and in the final stage (Stage 5) it loads the main payload and the necessary data files for it to operate.

The malware seems to be aimed primarily against computers running the Microsoft Windows operating system, as all of the files discussed in the Symantec report are highly Windows-specific. But there may be payloads out there which target GNU/Linux or OS X computers. The full extent of the malware has not been fully revealed, and it will be interesting to find out more about the exact capabilities of this malware. The capabilities mentioned in the report are already vast and can be used to spy on people’s computers for extended periods of time, but I’m sure that there must be more payloads out there, I’m certain that we’ve only scratched the surface of what is possible.

Regin is a highly-complex threat to computers around the world, and seems to be specifically suited towards large-scale data collection and intelligence gathering campaigns. The development would have required significant investments of time, money and resources, and might very well have taken a few years. Some components of Regin were traced back all the way to 2003.

Western Intelligence Origins?

In recent years, various governments, like the Chinese government, and the Russian government, have been implicated in various hacking attempts and attacks on Western infrastructure. In the article linked here, the FBI accuses the Russians of hacking for the purpose of economic espionage. However, Western governments also engage in digital warfare and espionage, not just for national security purposes (which is a term that has never been defined legally), but they also engage in economic espionage. In the early 1990s, as part of the ECHELON programme, the NSA intercepted communications between Airbus and the Saudi Arabian national airline. They were negotiating contracts with the Saudis, and the NSA passed information on to Boeing which was able to deliver a more competitive proposal, and due to this development, Airbus lost the $6 billion dollar contract to Boeing. This has been confirmed in the European Parliament Report on ECHELON from 2001. Regin also very clearly demonstrates that Western intelligence agencies are deeply involved in digital espionage and digital warfare.

Due to the highly-complex nature of the malware, and the significant amount of effort and time required to develop, test and deploy the Regin malware, together with the highly-specific nature of the various payloads and the modularity of the system, it is highly likely that a state actor was behind the Regin malware. Also, significant effort went into making the system very stealthy and hard for anti-virus software to detect. It was carefully engineered to circumvent anti-virus software’s heuristic detection algorithms and furthermore, some effort was put into making the Regin malware difficult to fingerprint (due to its modular nature)

Furthermore, when looking at the recently discovered attacks, and more especially where the victims are geographically located, it seems that the vast majority of attacks were aimed against the Russian Federation, and Saudi Arabia.

According to The Intercept and Ronald Prins from Dutch security company Fox-IT, there is no doubt that GCHQ and NSA are behind the Regin malware. Der Spiegel revealed that NSA malware had infected the computer networks of the European Union. That might very well been the same malware.


symantic_virus_discovery.siA similar case of state-sponsored malware appeared in June 2010. In the case of Stuxnet, a disproportionate amount of Iranian industrial site were targeted. According to Symantec, which has published various reports on Stuxnet, Stuxnet was used in one instance to change the speed of about 1,000 gas-spinning centrifuges at the Iranian nuclear power plant at Natanz, thereby sabotaging the research done by Iranian scientists. This covert manipulation could have caused an explosion at this nuclear facility.

Given the fact that Israel and the United States are very much against Iran developing nuclear power for peaceful purposes, thinking Iran is developing nuclear weapons instead of power plants, together with Stuxnet’s purpose to attack industrial sites, amongst those, nuclear sites in Iran, strongly indicates that the US and/or Israeli governments are behind the Stuxnet malware. Both of these countries have the capabilities to develop it, and in fact, they started to think about this project way back in 2005, when the earliest variants of Stuxnet were created.

Dangers of State-Sponsored Malware

The dangers of this state-sponsored malware is of course that should it be discovered, it may very well prompt the companies, individuals or states that the surveillance is targeted against to take countermeasures, leading to a digital arms race. This may subsequently lead to war, especially when a nation’s critical infrastructure is targeted.

The dangers of states creating malware like this and letting it out in the wild is that it compromises not only security, but also our very safety. Security gets compromised when bugs are left unsolved and back doors built in to let the spies in, and let malware do its work. This affects the safety of all of us. Government back doors and malware is not guaranteed to be used only by governments. Others can get a hold of the malware as well, and security vulnerabilities can be used by others than just spies. Think criminals who are after credit card details, or steal identities which are subsequently used for nefarious purposes.

Governments hacking other nations’ critical infrastructure would constitute an act of war I think. Nowadays every nation worth its salt has set up a digital warfare branch, where exploits are bought, malware developed and deployed. Once you start causing millions of Euros worth of damage to other nations’ infrastructure, you are on a slippery slope. Other countries may “hack back” and this will inevitably lead to a digital arms race, the damage of which does not only affect government computers and infrastructure, but also citizens’ computers and systems, corporations, and in some cases, even our lives. The US attack on Iran’s nuclear installations with the Stuxnet malware was incredibly dangerous and could have caused severe accidents to happen. Think of what would happen had a nuclear meltdown occurred. But nuclear installations are not the only ones, there’s other facilities as well which may come under attacks, hospitals for instance.

Using malware to attack and hack other countries’ infrastructure is incredibly dangerous and can only lead to more problems. Nothing has ever been solved by it. It will cause a shady exploits market to flourish which will mean that less and less critical exploits get fixed. Clearly, these are worth a lot of money, and many people that were previously pointing out vulnerabilities and supplying patches to software vendors are now selling these security vulnerabilities off on the black market.

Security vulnerabilities need to be addressed across the board, so that all of us can be safer, instead of the spooks using software bugs, vulnerabilities and back doors against us, and deliberately leaving open gaping holes for criminals to use as well.

Country X: The Country That Shall Not Be Named

On Monday, 19 May 2014, Glenn Greenwald published his report entitled Data Pirates of the Caribbean: The NSA is recording every cell call in the Bahamas, in which he reported about the NSA SOMALGET program, which is part of the larger MYSTIC program. MYSTIC has been used to intercept the communications of several countries, namely the Bahamas, Mexico, Kenya, the Phillipines, and thanks to Wikileaks we now know that the final country, redacted in Glenn Greenwalds original report on these programs, was Afghanistan.

MYSTICSOMALGET can be used to take in the entire audio stream (not just metadata) of all the calls in an entire country, and store this information for (at least) 30 days. This is capability the NSA developed, and was published by The Washington Post in March this year.

Why the Censorship?

The question however, is why Glenn Greenwald chose to censor the name of Afghanistan out of his report. He claims it has been done to protect lives, but I honestly can’t for the life of me figure out why lives would be at risk when it is revealed to the Afghani’s that their country is one of the most heavily surveilled on the planet? This information is not exactly a secret. Why is this knowledge that’s OK for the Bahamians to possess, but not the Afghani’s? The US effectively colonized Afghanistan and it seems that everyone with at least half a brain can figure out that calling someone in Afghanistan might have a very high risk of being recorded and analysed by NSA. Now we know for certain that the probability of this happening is 1.

Whistleblowers risk their lives and livelihoods to bring to the public’s attention, information that they deem to be in the gravest public interest. Now, whistleblowers carefully consider which information to publish and/or hand out to journalists, and in the case of intelligence whistleblowers, they are clearly more expert than most journalists when it comes to security and sensing which information has to be kept from the public in the interest of safety of lives and which information can be published in the public interest. After all, they have been doing exactly that for most of their professional lives, in a security-related context.

Now, it seems that Greenwald acts as a sort of filter between the information Edward Snowden gave him for publication, and the actual information the public is getting. Greenwald is sitting on an absolute treasure-trove of information and is clearly cherry picking which information to publish and which information to withhold. By what criteria I wonder? Spreading out the publication of data however, is a good strategy, given that about a year has passed since the first disclosures, and it’s still very much in the media, which is clearly a very good thing. I don’t think that would have happened if all the information was dumped at once.

But on the other hand: Snowden has risked his life and left his comfortable life on Hawaii behind him to make this information public, a very brave thing to do, and certainly not a decision to take lightly, and has personally selected Greenwald to receive this information. And here is a journalist who is openly cherry-picking and censoring the information given to him, already preselected by Snowden, and thereby withholding potentially critical information from the public?

So I would hereby like to ask: By what criteria is Greenwald selecting information for publication? Why the need to interfere with the whistleblower’s judgement regarding the information, who is clearly more expert at assessing the security-related issues surrounding publication?

Annie Machon, whistleblower and former MI5, has also done an interview on RT about this Afghanistan-censoring business of Greenwald, whistleblowers deserve full coverage. Do watch. Whistleblowers risk their lives to keep the public informed of government and corporate wrongdoing. They need our support.

Update: Mensoh has also written a good article (titled: The Deception) about Greenwald’s actions, also in relation to SOMALGET and other releases. A highly recommended read.

Gave Privacy By Design Talk At eth0

eth0I gave my talk about privacy by design last Saturday at eth0 2014 winter edition, a small hacker get-together which was organised in Lievelde, The Netherlands this year. eth0 organizes conferences that aim at bringing people with different computer-related interests together. They organise two events per year, one during winter. I’ve previously given a very similar talk at the OHM2013 hacker conference which was held in August 2013.


Here’s the footage of my talk:

Quick Synopsis

I talked about privacy by design, and what I did with relation to Annie Machon‘s site and recently, the Sam Adams Associates for Integrity in Intelligence site. The talk consists of 2 parts, in the first part I explained what we’re up against, and in the second part I explained the 2 sites in a more specific case study.

I talked about the revelations about the NSA, GCHQ and other intelligence agencies, about the revelations in December, which were explained eloquently by Jacob Applebaum at 30C3 in Hamburg in December. Then I moved on to the threats to website visitors, how profiles are being built up and sold, browser fingerprinting. The second part consists of the case studies of both Annie Machon’s website, and the Sam Adams Associates’ website.

I’ve mentioned the Sam Adams Associates for Integrity in Intelligence, for whom I had the honour to make their website so they could have a more public space where they could share things relating to the Sam Adams Award with the world, and also to provide a nice overview of previous laureates and what their stories are.

Swiss FlagOne of the things both sites have in common is the hosting on a Swiss domain, which provides for a safer haven where content may be hosted safely without fear of being taken down by the U.S. authorities. The U.S. claims jurisdiction on the average .com, .net, .org domains etc. and there have been cases where these have been brought down because it hosted content the U.S. government did not agree with. Case in point: Richard O’Dwyer, a U.K. citizen, was threatened with extradition to the United States for being the man behind TVShacks, which was a website that provided links to copyrighted content. MegaUpload, the file locker company started by Kim Dotcom, was given the same treatment, where if you would visit their domain, you were served an image from the FBI telling you the domain had been seized.

Privacy in danger, but there’s light at end of the tunnel

Note: This article is also available in Portuguese, translated by Anders Bateva.

Last week I read an article about the plan by the National Police of the Netherlands to connect all CCTV cameras to the national camera network which is operated by the police. SurveillanceThe upper echelon of the Dutch police is currently secretly writing their policy document entitled Sensing, in which the definite plans will be written out in further detail. It would be interesting to know the contents of this secret report, since I’m pretty sure all the standard, same old arguments about why this should be implemented will be brought to the table again. They will probably say that it’ll prevent crime and deter hoodlums, etcetera. We’ve read the arguments for it again and again, but fact of the matter is that more cameras doesn’t mean less crime, CCTV cameras have never stopped criminals from committing a crime, they are ineffective, and it’s an invasion to our privacy, especially when it’s all connected into a single, nation-wide network, recording all our movements. It’s the Panopticon! This then gets stored indefinitely, because governments the world over only remember the ‘delete’ command (‘rm -rf’ if you will) when it’s in their interest to delete stuff. All other stuff (like these camera images, but also information stored by our various intelligence agencies, financial information, the sites you visit, your e-mail, call records, medical records, etcetera) never gets deleted. That’s why the NSA is building their new data-bunker in Bluffdale, Utah, to create more storage space so they get to keep storing all kinds of data about our lives that goes over a wire. And our intelligence agencies are all in on it. Dutch Home Office Minister Ronald Plasterk had a bit of a row with parliament, with MPs being angry about a tiny parliamentary technicality, namely that Plasterk lied to them, claiming the NSA collected metadata on 1.8 million phone calls in the Netherlands, while it was in fact our own intelligence service, the AIVD, doing it. The sad thing of our political system is that they put all the focus on this tiny parliamentary technicality, when they totally forget about the big picture, namely that 1.8 million phone calls were being tapped, and that we should do something about this. 1.8 million is an enormous number for a country of 17 million people. Even more scary is that the parliamentary commission which is supposed to provide oversight over the intelligence community, the Commisie van Toezicht op de Inlichtingen- en Veiligheidsdiensten (CTIVD), also known as Commissie Stiekem, had no knowledge about this, and didn’t know that this was even happening. So much for oversight. The problem with oversight over intelligence agencies is that because of the very nature of these agencies they keep their information a secret, and they can lie to our elected representatives with impunity, and there’s no way to check until someone brave enough to blow the whistle steps forward.

This House Would Call Edward Snowden A Hero: 212 yay, 171 nay

Edward SnowdenMeanwhile, at an Oxford Union debate last week in Oxford, United Kingdom, the Union passed a motion to call Edward Snowden a hero by 212 votes against 171. It was a lively debate, both from the members of the proposition and the members of the opposition, and I have to side with the proposition, because without people like Snowden, who has given up his previous comfortable life on Hawaii to blow the whistle, the world would have never known about the crimes of the spies. Eventually there comes a point where you’re asked to forget about it! so many times and about such egregious crimes that you can no longer look at yourself in the mirror any more, and something has to be done, the people need to be informed. During the debate I heard the opposition say that Snowden “violated his oath”. This is an argument that popped up again and again in various articles I’ve read in which people vilified Snowden. In fact, he didn’t swear an oath to secrecy, no-one does. He swore an oath to the Constitution of the United States; to uphold the Constitution. He hasn’t violated the Constitution; the U.S. government and the NSA in particular violated it. Yes spies spy, that’s not surprising, but they claim all is done in the name of national security, when it is in fact often corporate espionage that these intelligence agencies engage in. It’s about making sure the lucrative contract goes to Boeing instead of to Airbus; it has nothing to do with national security, but more with corporate profits. And there’s no meaningful oversight whatsoever: these people lie with impunity. That alone is already endangering our very democracies, having people with absolute power without any form of effective oversight is very detrimental and damaging to our very democracies and free societies. Snowden mentioned that whilst working at Booz Allen Hamilton, he had the power to tap everyone, including the President of the United States. And he wasn’t the only one with that kind of security clearance either. In the United States, almost 5 million people have a security clearance, with more than 1.4 million people having access to TOP SECRET documents. Imagine what kind of information the intelligence community has about the private life of the President and his family, and how a less honest person might use that. It would be easy to blackmail the President into doing the spooks’ bidding! And in the United States, more and more tasks that used to be done by government exclusively (like intelligence), is now being done by companies like Booz Allen Hamilton, or Academi (which I like to call: the company previously known as Blackwater USA). This is a very scary development because these companies have profit as their basic motivation. They do not have our best interests at heart. Lord Acton wrote in 1887:

“Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men, even when they exercise influence and not authority, still more when you super-add the tendency or the certainty of corruption by authority. There is no worse heresy than that the office sanctifies the holder of it.”

Chelsea Manning Receives Sam Adams Award 2014

Also at the Oxford Union last week, the Sam Adams Associates for Integrity in Intelligence awarded Chelsea Manning their award for the year 2014, meant for people who display extraordinary integrity in intelligence. The group and award was named after Sam Adams, a CIA intelligence analyst, who in 1967 discovered that there were far more Communist forces under arms in Vietnam, roughly twice the number U.S. command in Saigon would admit to. This intelligence revealed that the Pentagon was vastly under-reporting the number of enemy forces. But I digress.. Collateral MurderChelsea Manning revealed, by releasing the Collateral Murder video to WikiLeaks, that U.S. forces were committing war crimes. This showed the crew of a U.S. Apache attack helicopter firing away at unarmed civilians, Reuters journalists, and a father who was bringing his children to school and stopped his van to help one of the Reuters journalists who tried to drag himself onto the curb, heavily wounded. The U.S. forces were yelling like it was some sort of snuff video game, it’s absolutely horrific, and these people should be brought to trial and charged with war crimes and crimes against humanity. Because that’s what it is. Chelsea Manning displayed extraordinary courage in releasing these documents, and rightly deserves this award. Meanwhile, I’m looking forward to the day the U.S. government and the crew of the Apache helicopter in question, are indicted for multiple counts of war crimes and crimes against humanity. At which point the United States will invoke the American Service-Members’ Protection Act (also known as the The Hague Invasion Act). But that’s another story.

Economic Consequences of NSA Surveillance

Note: This article is also available in Portuguese, translated by Anders Bateva.

(Note: A version of this article also got published on Consortium News) In the last 6 months or so, Edward Snowden, former NSA contractor, came forward with revelations about the NSA, disclosing quite a few of the agency’s surveillance programs, and revealing that the agency has the most blatant disrespect for civil rights and spies on everything and everyone, all over the world, in a Pokémon-style “Gotta catch ’em all!” fashion. The actions of the NSA are also having a real effect on the United States economy. Let’s talk about the economic consequences the NSA’s surveillance programs will have on the United States economy, and, more specifically, its tech industry. The actions of the US administration, and more specifically what the NSA is doing with their surveillance programs, are having a big impact on the US economy, especially in Silicon Valley. Why would I store my data on servers in the United States, where this data is easily accessible by the NSA, among others, if I can just as easily store it in Europe or some other, more secure place?

A Positive Investment Climate

To understand the US hegemony when it comes to IT companies and services, it is good to have a look at the history of the investment climate. Why did these companies pop up in the United States? Why wasn’t Google invented in, say, Germany, or Finland? The reason many of these cloud storage services and internet companies popped up in Silicon Valley as opposed to Europe, say, is because of the investment climate in the United States, which made it much easier to start an internet company in the United States. Large institutional investors, venture capitalists, are less likely to invest in a start-up in Europe. Also, bankruptcy laws are much more relaxed in the US as opposed to Europe. Whereas in the US, you can be back on your feet in a year or so after going bankrupt, in Europe, this is generally a much longer process. According to the Economist, it takes a minimum of 2 years in Spain, 6 years in Germany, and a whopping 9 years in France. In my own country, The Netherlands, it takes 3 years to be debt-free again after a bankruptcy, but if you go bankrupt in Paris, good luck, you’ve just ruined your future. This makes it far more risky to try new things and set up shop in Europe, because the consequences if things go bad are so much worse. Unfortunately, this has left us Europeans in the position that we currently don’t really have a European ‘Silicon Valley’, we don’t have a lot of viable, easy to use alternatives, and these desperately need to get developed. We depend too much on American companies right now, and I think it’s good if we diversified more, so that we will get a healthy market with plenty of good alternatives, instead of what we have now, which is a US monopoly on web-mail (Gmail/Hotmail etc.), social networks (Facebook, Twitter, LinkedIn, Foursquare, etc.), internet search (Google), cloud storage (Dropbox, Microsoft, Amazon), and other things. Already, cloud storage providers in Silicon Valley currently see big drops in their revenues because of the disclosures of Snowden. Why would we store our data across the pond? This is the central question and this is having real economic consequences for the United States.

US Cloud Service Providers Face Economic Consequences

US Cloud Service Providers Face Economic Consequences Because Of NSA SurveillanceCloud providers based in the US were experiencing significant profit drops when the NSA revelations were made public. People outside the United States suddenly began to question whether their sensitive data was safe on American soil. All these companies are subject to the  PATRIOT Act, which requires them to hand over any information and data they have on their customers, and they are prohibited by the US government to tell their customers about it. So the conclusion can quite definitively be that no, your data cannot be trusted to stay secure if you send it over to the United States, by using ‘convenient’ cloud services like Dropbox, or Amazon, among others.

This is the critical criterion. It doesn’t matter that the company tells you that they use the most high-end military-grade encryption, it doesn’t matter that they thought of an interesting technical solution to try and circumvent surveillance, it doesn’t matter that they write glowing blog posts solemnly promising not to hand over your data, all that matters is that it is a US company, required to obey US law, and required to hand over your data. Few companies will be able to resist the pressure and forfeit their entire business model to protect your privacy. This is also what strikes me as funny when I read about major US tech companies, like Google, Apple and Microsoft, who found out that their server-to-server connections were being intercepted by NSA. These intra-server connections were not encrypted, sent in the clear, probably on some private fibre optic cable. Of course this could be intercepted given the NSA’s technical competence. So now these companies are trying really hard to sell the story to their overseas customers that their intra-server communications are now fully encrypted. This is a feeble attempt to keep some of their customers from switching to alternatives (of which there are not many, unfortunately), as these companies are still US companies, with offices and infrastructure in the US, and the need to obey the laws over there. So it’s totally irrelevant that these tech companies are now encrypting their intra-server communications, as the US government can simply request the data via other, more official means. But these companies aren’t just promoting irrelevant measures, they actively act against our interests. After the revelations done by Edward Snowden, Facebook is making data hand-offs to US authorities easier (fully automated, without judicial oversight). Facebook is also partnering with police to make protests harder to organise. And still we insist in using its social network. These are instruments of control and surveillance. We’re not their customers, we’re the product being sold. We have a distinct lack of viable alternatives which aren’t based in the US, and it’s important to remember that social networks have a social aspect. It isn’t enough for you to change over to a competitor, you have to convince your friends to switch as well. This is what keeps social networks afloat for so long, because this is indeed very hard to do.

March to Irrelevance

In October 2013, Congress raised the debt ceiling again, which will buy some time until January 2014. Then they will have the exact same problem. The United States is structurally spending more money than they have available, and current US national debt ($17 trillion dollars) can never be repaid. They are pretty much already in default. But since the financial system is based on trust and hearsay, smoke and mirrors, it takes a while for people to face the reality, wake up and smell the coffee. At which point the United States will be an irrelevant relic from the past. Here in Europe, we need to protect our own citizens’ interests, and start developing viable alternatives for the US hegemony, because the US hegemony will be over one day.

Security Measures against Terrorism: Costs v. Benefits

Note: This article is also available in Portuguese, translated by Anders Bateva.

Plasterk in Tweede KamerA few days ago, the Dutch Home Office Minister Ronald Plasterk said in a debate in parliament that he’s apparently OK with the American intelligence community, the NSA among others, to spy on the Netherlands. His reasoning is flawed from the get-go, and went somewhat like this (paraphrased): “I don’t want to say that Dutch citizens may never be spied upon. Because that Dutch citizen can also be a stone-cold terrorist. And it’s good if that terrorist can be found.” Here’s the full quote (in Dutch):

“Ik wil dan ook wel oppassen om in het woordgebruik bijvoorbeeld te zeggen: ja maar, er mag nooit naar Nederlandse burgers worden gekeken. Want die Nederlandse burger kan natuurlijk een keiharde terrorist zijn, en dan zijn we toch blij dat die op een gegeven moment ergens op de rader verschijnt, en dat moet natuurlijk volgens de wetten gebeuren, maar dat die op de radar verschijnt, en dat er vervolgens actie kan worden ondernomen.”

Plasterk later denied saying that, but he did in fact say this during the debate. More evidence can be found here.

Is No Price Too High For Security?

Benjamin Franklin once said something like “They who give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” This quote has been used a lot, but it is applicable here. The question we need to answer is the following: When do security measures stop benefiting the greater good, and infringe on our privacy and liberty, which are values that used to define our very societies? When does the price we have to pay for that little extra security becomes too great? Combating terrorism certainly seems like a very noble goal, and while I do agree that there are some people out there who aim to change our societal structures through violent methods (although one has to note that one man’s terrorist is the other man’s freedom fighter; the definition of the term is a bit in the eye of the beholder), there does come a point where the price we have to pay for a little increase in security becomes too great, compared to the potential benefits.

Terrorism is Really Rare

Chances Terrorist Attack One thing we have to understand is that acts of terrorism on the scale of 9/11 or the London public transport bombings on 7/7, awful as they may be, are still very rare indeed. Extremely rare in fact. Even President Obama has said so, although he does have an interesting choice of words. The chance that you’re involved in a traffic accident tomorrow are several orders of magnitude greater than the chance that the next aircraft you are in will end up in a building instead of on the runway. This is also valid for other acts of terrorism, not just the ones involving aircraft. And even the TSA agrees now that terrorists are not plotting against aviation. So why do we still have to cope with all the draconian security measures then, if it’s clear that it didn’t help one bit? You see the same thing happening with CCTV cameras. Governments and corporations put these things up everywhere, but there isn’t the tiniest shred of evidence that these cameras actually help prevent crimes. But still the TSA and their European counterparts continue to tell people to leave their water bottles and baby food and butter knifes at the checkpoint. Bruce Schneier put a lot of thought into this problem, and he said that we currently try to protect against specific movie-like terrorist plots, instead of doing a thorough risk analysis and protect ourselves with more generic measures that may actually work against multiple types of plots. Terrorists bring down aircraft, so we increase security at airports; terrorists used box cutters, so we ban box cutters; someone brought a bomb on board hidden in his shoe, so we’re telling people to take their shoes off. These are all very specific actions taken against these types of movie-like plots. The security measures taken here are way too specific to work against anything other than the movie plot attack. As soon as terrorists modify their plan just one tiny bit, the entire strategy to combat them becomes ineffective. Humans are unfortunately excruciatingly bad at evaluating risks, and if you give them a very specific, movie-like terrorist plot, they will rate the risk from that much higher than it is in reality, because of the specificity of the plot. We humans have evolutionary been conditioned to consider specific threats a greater risk than a more general threat. On Wired, Schneier states:

If you’re a higher-order primate living in the jungle and you’re attacked by a lion, it makes sense that you develop a lifelong fear of lions, or at least fear lions more than another animal you haven’t personally been attacked by.

We are conditioned to think: it happened once, so it’s likely that it’ll happen again. And you see politicians using that knowledge to their advantage. It is insightful to consider that most measures we’ve currently taken against terrorism, would never even be considered had the events of 9/11 not happened.

Moving On..

With regard to the comments made by Mr. Plasterk: I think a lot of politicians still think that the United States is one of the ‘good guys’, when there’s more and more evidence coming out that politically speaking, it is not our ally, and certainly not our friend. They serve their own self-interests, just like any other nation on earth, and it’s important to never forget that. I even heard some politicians say that we should demand that Dutch citizens shall be treated the same as Americans under US law. It is laughable to think that the Americans across the pond will say: “Oh no! We angered the Dutch! Quickly change our laws to treat them the same as we treat Americans before they start re-colonizing New York!” At most, what these politicians will get is a nice letter from the US Embassy in which they solemnly promise that it will never happen again, meanwhile not changing their laws or practices in the US. And the NSA happily continues to trample upon their NATO allies’ rights. And our politicians are apparently very happy to accept that. We have to reconsider our position and alliances after the numerous disclosures of classified documents by whistle-blower Edward Snowden. For what good is a friend who spies on you behind your back? President Roussef of Brazil has taken decisive action by severing ties with the United States and even building new fibre optic cable connections that circumvent United States territory. Where is the outrage in Dutch society? Here, AMS-IX (the Amsterdam Internet Exchange, the second-largest Internet exchange in the world), sets up shop in the US, making it subject to the PATRIOT Act. Have these people been living under a rock these past months? Or are there other, commercial interests at play here? We need to start demanding answers while at the same time strengthening our own privacy protections. Privacy is a human right, nothing more, nothing less. We need to start using it, or risk losing it.

Speaking Truth to Power: Integrity in the Mainstream Media

RT Front page

Yesterday I watched a public discussion (last link in Dutch) on Sargasso between Jeroen Wollaars, NOS reporter, and Arjen Kamphuis, futurist, writer, and co-founder and CTO at Gendo. During his talk at OHM2013 (titled: Futureshock), someone asked Arjen a question that went somewhat like this: “If we cannot trust the mainstream media anymore to supply us with the information we need to act as informed citizens, what is the alternative?” To which Arjen replied that, if you want to be better informed about what happens in the Western world, RT (Russia Today) is pretty good.

Now it is important to be very nuanced here. You probably shouldn’t believe the RT reporting done on stuff that is happening in Russia, as RT is, just like any media organization, selective in the information they broadcast, and probably won’t be objective when it comes to Russia, just like the Western media aren’t objective on Western subjects. But on Western issues, and informing us about all the stuff the Western governments are doing, the RT reporting is very good because unlike the Western mainstream media, the Russians dare to ask the questions that need to be asked. Questions that you won’t hear from the Western mainstream media, and the Dutch media in particular.

So many questions..Collateral Murder

Why are the people who committed war crimes and crimes against humanity in an attack helicopter during the Iraq War under the Bush Administration still allowed to walk free, whereas Chelsea Manning was sentenced to 35 years for simply exposing those very same war crimes? How come Manning was sentenced to 35 years, while Anders Breivik was sentenced to just 21? Isn’t that a bit off? A man who ruthlessly and pointlessly murdered 77 people gets less years in prison than someone who exposed the dirty laundry of the powers that be?

When exactly did Dutch Prime Minister Jan Peter Balkenende know about the contents of the Downing Street Memos? Remember, these were the memos that proved definitively that “facts were being fixed around the policy” and that Governor Bush was set in his ways on provoking a war with Saddam Hussein’s Iraq. His administration claimed that Saddam had WMDs (which was a blatant lie, even then), and they even tried to connect Saddam to Al-Qaeda.

AIVDWhere is the coverage about our own intelligence agencies, like the AIVD, MIVD etc. in relation to the revelations on PRISM? Do they have the same capabilities, do they request data on Dutch citizens from their UK and US partners? What kind of data sharing is done with these inter-agency cooperations? We know the Americans spy on Dutch citizens as well (just like they do on every person on the planet connected to the Internet or phone networks), but where are the critical questions from the media? Where are the tough talk shows and debates that really question a few high-ranking politicians about these very important issues? The Germans have at least asked these questions to their politicians.

What is the underlying reason for the massive nation-wide push for the RFID OV-chipkaart public transport ticket (at the expense of normal paper tickets), the ANPR (automatic number plate recognition) cameras above the nation’s highways (which are also used by police), or the fingerprints on the RFID chip on our passports? The government seems intent on tracking our every move.

And these are just a handful of questions the Dutch media didn’t bother to ask and issues they didn’t bother to cover.

The problem with the Dutch mainstream media

The Dutch mainstream media are unfortunately excruciatingly bad at journalism. For instance, the whole Manning case is barely on the news here, but whenever the American presidential elections draw near, the whole Dutch mainstream media press corps gets their knickers in a twist in trying to report on the American ‘elections’ in excruciating and nitty-gritty detail.

There are more important things going on in the world than reporting on an election that is principally undemocratic to begin with. After the 2000 presidential election, Governor Bush squatted the White House for 8 years, while Al Gore won the popular vote. It sure was convenient that Bush’s brother Jeb happened to be Governor of Florida when the electoral votes for that state were the deciding factor in who would win the presidency. And there’s stuff like voter suppression and gerrymandering going on in the US as well, which can influence elections quite substantially. But this fixation the Dutch media has with the US elections has always surprised me, given the fact that the coverage is almost on par with our own elections!

The Dutch media stopped asking the critical questions, and are now almost exclusively broadcasting propaganda from Washington. No questions asked, no background stories, no critical analyses, no audi alteram partem. They now mostly copy-paste the press releases from PR departments, and I really miss the critical tone. Most articles are less than 3 paragraphs long.

I will gladly watch the NOS and other Dutch media again (online, for free, not behind a paywall, and using open standards to provide streaming video) when they start being critical of the government which decides on their budget, and start speaking truth to power.

And this is the main reason why I use RT (among others) to keep me updated on the stuff our Western governments are doing. Unlike the Western mainstream media, RT is asking the questions, they currently speak truth to (Western) power. And again, nuance is important: you shouldn’t believe RT too much when it comes to Russia, just like you shouldn’t believe the Western media too much when it comes to the West. It’s both propaganda, one way or the other. The Russians are at least open and frank about where RT gets their money from; in the West they are much more indirect and subtle about these matters. It’s always best to get your news from as many sources as possible, and make your own decisions on who is more likely to tell you the truth.

Life, Liberty and the Pursuit of Snowden

Note: This article is also available in Portuguese, translated by Anders Bateva.

US Declaration of Independence237 years ago, 56 traitors to their King and country signed a document which outlined a new philosophy, that all men are created equal, that they are endowed by their creator with certain unalienable Rights. That among these are Life, Liberty, and the Pursuit of Happiness. This gave birth to a new nation, the United States of America. Funny how your perception can change depending on your viewpoint and background, isn’t it? In 1776, these 56 signatories of the United States Declaration of Independence did something very brave indeed. They took a stand against the Empire on which the sun never sets, the British Empire, because it failed to embody and represent what they believed in: that it should be the task of the government to secure the above rights, and that governments derive their just powers from the consent of the governed. And that whenever the government becomes destructive of these ends, it is the right of the people to alter or abolish it. These men are considered patriots by many Americans, because in defying the King of Great Britain in 1776, they founded the United States of America, a nation once conceived on these noble principles. A nation that sadly no longer adheres to the philosophy laid down it its Declaration of Independence. Had history played out differently, these men could have been tried for high treason and hung, drawn and quartered. These men took a huge personal risk based on what they personally believed in. You have to remember, back in 1776, the British Empire was a superpower, quite similar to the roles the United States, Russia and China play today. But history is written by the victors, as they say.

SnowdenEdward Snowden

Now, Snowden blew the whistle because he recognized the government failed to defend the rights of the people, failed to embody the spirit in which it was founded 237 years ago. This is an incredibly brave thing to do. Just think about it: he had to leave his friends and family and his entire life behind and can probably never visit his friends and family again, because he did what he felt was right: expose the crimes committed by the US government. By many he is now branded a traitor, similar to how those 56 signatories were viewed by a portion of the British people back in the day. I sincerely hope Snowden will stay safe. One of the things that struck me when following the Snowden story, is that the media spin machine is now in full swing, trying to come up with dirt on both Edward Snowden, and the journalist who published the story in the Guardian: Glenn Greenwald. The goal of course, is to slowly make the media shift their focus away from the main story, and onto petty things instead, like the obsession with Snowden’s girlfriend, or whether Greenwald should be charged with a crime or not. The goal of those manipulators behind the scenes is to discredit the source who has been leaking this classified but vitally important information, so that eventually people will start to no longer believe him. By discrediting the whistle blower, they hope to also discredit his story. Don’t they get it? Don’t they get that transparency, and democratic oversight, checks and balances are what any government that claims to be a government of the people, by the people and for the people desperately needs? Precisely those things that it is now sorely lacking. By having informed, intelligent citizens, we increase overall safety and national security. We don’t make our nations any safer by scaring our citizens and beating them into submission. But as of late, the truncheon is used in lieu of conversation more and more…

Meanwhile in Europe…

Here in Europe, we saw politicians finally taking a stand against the NSA PRISM program, but sadly only because it was in their own self-interest to do so. It wasn’t until Snowden released documents proving that the United States had been spying on European diplomats in Washington, New York and Brussels, as was published in Der Spiegel on July 1st, that we finally got some strong language from some European leaders, with François Hollande even threatened to suspend the trade pact talks with the US. This delayed reaction by European politicians seems to send the message to the European citizens that it’s apparently perfectly OK to spy on European citizens (politicians here were awfully quiet when the story broke), as long as the Americans are not spying on our diplomats and politicians. Oh, and if you’ve heard the NSA’s stories about ‘metadata’, and you’re wondering what ‘harmless metadata’ really means, be sure to check out German Green Party Member Malte Spitz’s six months of telephone records mapped on a moving map. It’s quite a humbling experience. 🙂 Update: Since I wrote this article on July 2nd, 2013, things have changed even more dramatically, as long-established diplomatic principles in international law have been grossly violated by denying President Morales’ plane access to French, Spanish, Italian and Portuguese airspace, causing it to have to divert to Vienna when the president was on his way home from a summit in Moscow. Of course, this caused massive anger in Latin America. The real problem we now have in Europe are leaders with rubber knees. We have our brain, and our sovereignty. Let’s start using it.