Tag Archives: Motherboard

The RCMP Are Being Investigated Over Controversial Spy Tech - Motherboard 20160413

Canada’s federal police force is being investigated by the country’s top privacy watchdog for its use of a controversial mass surveillance device.

A spokesperson from the Office of the Privacy Commissioner of Canada (OPC) confirmed to Motherboard that it has opened an investigation into the Royal Canadian Mounted Police’s use of IMSI catchers, or “StingRays.” These devices are essentially fake cell phone towers that force phones in the vicinity to connect and reveal identifying information.

The use of such devices has been the topic of much heated discussion and public debate in the US. In 2014, the Florida Supreme Court ruled that the warrantless use of StingRays by police is unconstitutional. StingRays are controversial because they target devices within a certain area, and thus risk violating the privacy of innocents.

A leaked email from Correctional Services Canada last year indicated that an unnamed, StingRay-like device was installed in an Ontario prison to monitor inmate communications, but also caught innocent people outside the facility in the dragnet.

“These are fundamentally tools of mass surveillance,” said David Christopher of OpenMedia, the organization that filed the privacy complaint that spurred OPC’s investigation.

Canadian police have been extraordinarily unforthcoming when it comes to the use of IMSI catchers, or StingRays.

Last month, seven men accused in a Quebec court case relating to a mafia slaying pleaded guilty, but not before the RCMP was forced to reveal in open court that they had used a so-called “mobile device identifier”—the RCMP’s term for IMSI catchers—in the course of their investigation. The end of the case meant that the RCMP will reveal no more information about its use of IMSI catchers in court.

"The RCMP will continue cooperating with the Privacy Commissioner on this matter," an RCMP spokesperson wrote me in an email.

In British Columbia, Vancouver police are embroiled in a public battle to keep the details of their use of IMSI catchers secret.

An OPC report on the RCMP’s use of the technology, however, may finally shed some much-needed light on the police’s use of a highly controversial and potentially privacy-destroying surveillance device.

“In order to have a debate, we first need to get the facts on the table,” Christopher said.

Can You Be Arrested for Running a Tor Exit Node In Canada? - Motherboard 20150925

In some parts of the world, running a Tor node—a computer that makes up part of the dark web’s backbone—can make you a target for law enforcement. This is because traffic routed through a node could just as easily come from journalists, activists, or drug-slinging criminals, and there’s often no way to trace illegal activity beyond an exit node.

In Canada, however, running a Tor exit node out of your own home is essentially uncharted water, legally speaking. Should Canadian Tor node operators be worried about getting a knock on the door from the police?

“It’s not well understood or well defined,” David Fraser, a lawyer specializing in internet law and partner at law firm McInnes Cooper, told me over the phone. “But if someone were to come to me and say, ‘I want to run an industrial-scale exit node,’ or if a library came to me and said the same thing, among the things I would tell them is that it’s not going to be smooth sailing.”

The problem is that the dark web isn’t just for humanitarians, of course, and child pornography and drugs are trafficked on the Tor network as well. In the US, the FBI has raided the homes of people operating exit nodes—computers through which encrypted, anonymous Tor traffic is finally routed back into the wider web—and the Department of Homeland Security isn’t above bullying libraries into shutting down their own nodes.

Nevertheless, although still a potentially risky proposition, civil rights groups such as the Electronic Frontier Foundation insist that running a Tor exit node in the US is totally legal.

Kate Kraus, a Tor Project spokesperson, told me that people have been running nodes in Canada for years, and a search on the Tor Project’s compass web service reveals that there are 29 exit nodes currently running in Canada. One of those nodes is operated out of the University of Waterloo by Ian Goldberg, a cryptography researcher and lead developer of the OTR protocol for encrypted messaging.

Goldberg says he configures his node so that it doesn’t connect to certain ports that might be used for shady business like executing DDoS attacks. Even so, he occasionally receives letters of complaint, often having to do with intrusion detection systems that have picked up some suspicious traffic passing through his node, but never from the cops.

“What I do is just explain what the purpose of Tor is,” Goldberg said. “I say, yes, people do bad things with Tor, but generally the people who do bad things on the internet have lots of ways to do them. What Tor does is allow the people who do not want to do bad things—who are not going to use a botnet or compromise others’ computers—it allows them to have privacy online.”

Goldberg told me he’s not worried about facing legal repercussions, but Toronto police spokesperson Allyson Douglas-Cook told me, after consulting with the cyber crime division, that the Toronto police have investigated Tor exit node operators in the past. Although she would not share specific details of the cases, Douglas-Cook said the police are chiefly interested in cases involving child pornography and ransom.

While the EFF and ACLU in the US are vocal in their support for Tor operators, there aren’t as many groups in Canada taking it up as an issue, and certainly not at the same scale. Tor is not openly discussed by law enforcement or civil liberties organizations north of the border, and when I emailed the Canadian Civil Liberties Association for comment, I was told they had “nothing” to add.

Without a strong human rights body to support the people who may be risking jail to operate a node on the Tor network, small internet service providers have picked up the slack. Ontario-based independent company Teksavvy, for example, is decidedly Tor-friendly.

“It’s not illegal to run a Tor exit node,” said Bram Abramson, chief legal and regulatory officer at Teksavvy. “It’s not illegal to allow people to do things anonymously as a general principle. A lot of it has to do with how you’re using it and positioning it, and how much you know about who’s using it.”

Service providers like Teksavvy in Canada are important for operators to keep running their nodes without interruption; when an ISP doesn’t quite understand what Tor is or what it’s used for besides illegal activity, providers may shut down a node automatically. The Tor Project recommends that node operators tell their ISP they are running a node so they can have some support.

“The majority of our exits that have been shut down are not in Canada,” Jeremy Hiebert, a member of privacy advocacy group Coldhak, which operates several Tor nodes, wrote me in an email. “In Canada we have been able to position ourselves with small ISPs who understand what Tor is and what it does for humanity.”

For now, at least, it seems like being a Tor exit node operator in Canada is all clear skies and smooth seas, save for the occasional letter of complaint. At least, that’s how the node operators I spoke to saw it.

But without clear protections for node operators when it comes to things like copyright—there’s no Canadian equivalent for the “safe harbor” provision in the US’s Digital Millennium Copyright Act, Fraser said, although a 2004 Supreme Court decision could be interpreted as such—and considering that the cops are keeping a close eye on Tor, it may only be a matter of time before Canadian node operators face scrutiny similar to that faced by those abroad.

Countries that Use Tor Most Are Either Highly Repressive or Highly Liberal - Motherboard 20160406

You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world.

“There is evidence to suggest that at extreme levels of repression, Tor does provide a useful tool to people in those circumstances to do things that they otherwise would not be able to do,” Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, told Motherboard in a phone call. Jardine is the author of the new paper, recently published in peer-reviewed journal New Media & Society.

Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country's political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project's own figures.

Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country's internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences.

“The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes.

Bridges had the strongest association with political repression. “Moving from a country like Burkina Faso (political repression equals 8) to a country like Uzbekistan (political repression equals 14) results in an increase of around 212.58 Tor bridge users per 100,000 Internet users per year,” the paper reads.

There was also a “statistically significant” relationship between a regime's political context and the use of Tor overall, Jardine adds.

This graph shows use of specifically Tor bridges (not relays) according to political repression. Image: Eric Jardine/New Media & Society

Interestingly, however, it's not just harsh regimes that have a higher Tor usage. Countries on the lower end of the political repression spectrum also showed significant use. It was countries in the middle, ranked neither as strictly authoritarian regimes nor as free democracies, that had the lowest number of people connecting to Tor.

This might run counter to some people's intuition; wouldn’t liberal democracies have little need for Tor?

“But because it's dual-use, you start to see a different pattern,” Jardine said, meaning that Tor is not just used to circumvent censorship in oppressive regimes, for example. Instead, the technology could be used to protect privacy, or for criminal purposes. (It's worth remembering that the study looked at data largely before the fallout of Edward Snowden's June 2013 revelations.)

Why Tor usage peaks at the extremes of the political spectrum is less clear. Jardine hypothesises that it may be connected to a country's political need for such tools, such as circumventing censorship, but also the increased opportunity for their use—for example, in the US, Tor can be used easily without major consequence. Finding out the reasons for the trend is, however, beyond the scope of this study.

Tor, and the related technology of hidden services, can polarise discussions, with supporters often refusing to acknowledge criminal applications, and critics ignoring positive aspects. In a debate that is often overshadowed by emotions and feverish media coverage, having empirical data and analysis on the use of anonymity technology can only be beneficial.

The Government Has Used the All Writs Act on Android Phones At Least 9 Times - Motherboard 20160330

The federal government has asked Google for technical assistance to help it break into a locked Android smartphone using the All Writs Act at least nine times, according to publicly available court documents discovered by the American Civil Liberties Union.

The ACLU released the Google court documents along with 54 court cases in which the feds asked Apple for assistance obtaining information from a locked iPhone. The revelations show that many agencies have been using the All Writs Act, a 1789 law that the government says allows it to compel third party companies to help it in criminal investigations.

The law was at the heart of a recent legal battle between the FBI and Apple in San Bernardino, and this is the first time it’s been confirmed that Google has also received these sorts of orders. The FBI and Apple have an ongoing legal battle over the issue in New York.

The cases all appear to be closed, are in seven separate states, and involve the Department of Homeland Security, FBI, Customs and Border Patrol, the Secret Service, and, interestingly, the Bureau of Land Management. Google is believed to have complied with all of the orders; however, the company tells Motherboard that none of the cases required the company to write new software for the federal government.

“We carefully scrutinize subpoenas and court orders to make sure they meet both the letter and spirit of the law,” a Google spokesperson told me. “However, we've never received an All Writs Act order like the one Apple recently fought that demands we build new tools that actively compromise our products' security. As our amicus shows, we would strongly object to such an order.”

Google, Microsoft, Facebook, and several other major tech companies filed a legal brief in support of Apple in its recently-ended legal battle with the federal government, which said the companies are “united in their view that the government’s order to Apple exceeds the bounds of existing law and, when applied more broadly, will harm Americans’ security in the long run.”

In many of the cases found by the ACLU on publicly available law databases, Google was required to reset the password of an Android smartphone so that the government could gain access. Passcode and password resets of this kind are not possible on iPhones.

Google’s switch to default device encryption happened only with the Marshmallow version of Android, which was released in October but is still not available for many Android phones. Android phones are notoriously slow to get Google’s security and software updates; just 2.3 percent of Android phones are running Marshmallow, according to Google. It’s hard to say for sure, but it seems possible that Google has dealt with fewer of these orders because most of the Android phones out in the wild are likely susceptible to the federal government’s forensic tools.

Google has been asked to assist the Bureau of Land Management in the investigation of an alleged marijuana grow operation in Oregon; the Department of Homeland Security in an investigation of an alleged child pornographer in California; the FBI in the investigation of an alleged cocaine dealer named “Grumpy” in New Mexico; and the Secret Service in an unknown case in North Carolina. It has been asked to reset the passwords or bypass the lock screens of Samsung, Kyocera, Alcatel, and HTC phones, among several other unidentified devices.

“These cases show that the government has an interest in getting this kind of assistance from tech companies in a wide variety of cases,” ACLU attorney Esha Bhandari told me. “The government and law enforcement in general have an interest in using the All Writs Act in a wide variety of investigations, including criminal investigations.”

Court documents for the cases are available here:

Canadian Librarians Must Be Ready to Fight the Feds on Running a Tor Node - Motherboard 20160316

Political dissidents and cyber criminals alike will soon be sending anonymous internet traffic through a library at Western University in Canada, thanks to a new “node” in the encrypted Tor network operated by staff there—the first to open at a library in the country.

In Canada, the legality of running a Tor node is essentially untested, making the high profile, institutionally-backed node at Western a potential target for the feds.

Tor is touted as a tool for people, such as journalists, to keep their browsing habits safe from spies and police. But more nefarious traffic, such as drug dealing or child pornography, also passes through the network. A small public library in New Hampshire began operating a Tor node last year, and faced pressure from the Department of Homeland Security to shut it down. The library resisted, and the node is still running.

“If any intelligence agency or law enforcement tries to intervene again, we will do the same thing that we did in New Hampshire: we will rally community support, we will get our very broad coalition of public interest organizations and luminary individuals, and amazing supporters, to support Western,” said Alison Macrina, director of the Library Freedom Project and adviser to the Tor project at Western.

“Frankly, in some ways, I would like to see them try,” she said.

Traffic going through Tor is encrypted and “hops” through three volunteer nodes—or relays—before reaching the regular web, thus staying relatively anonymous. At the moment, the Western node is running as a middle relay, which means that it operates as one of the three hops in the network, and is blind to the final destination of any traffic.

If the library were to switch its node to an “exit” (where Tor traffic finally enters the regular web), then information about where traffic is going could be known to Western—and that is what law enforcement would likely be interested in, Macrina said. She hopes that Western does make the switch, she added, because institutions are better suited to face legal pressure stemming from running a node than individuals. Staff from the Faculty of Information and Media Studies, the faculty at Western responsible for the node, could not be reached in time for comment.

“It's great news to see more libraries and universities running Tor nodes,” Ian Goldberg, a University of Waterloo professor and inventor of the popular OTR encryption protocol, who operates a Tor exit node at the school, wrote me in an email. Goldberg noted that a middle relay should have no issues, legally, although exit node operators often “get annoyed by people on the Internet contacting them to ask why they are attacking various websites, sending them [copyright] notices for sharing content (in the US), etc.”

Tor use has been raised in at least one criminal case involving child pornography in Canada. Toronto police also told Motherboard last year that the force has investigated people operating Tor exits in the past, particularly in cases involving child pornography. At the time, the Canadian Civil Liberties Association (CCLA) said they had “nothing to add” on the subject.

When asked if the CCLA would support Western staff if Canadian law enforcement pressured them to shut their node down, however, spokesperson Jonah Kanter said, “In principle we are in favour of tools that protect privacy and will continue to research how Tor nodes can help accomplish that.”

Macrina emphasized that if push came to shove, Western should expect the support of the CCLA and other civil rights organizations in Canada. If the feds come knocking, they may very well need it.

RCMP Wants Facial Recognition 'As an Option' - Motherboard 20160317

UPDATE: Two days after we first contacted the RCMP for comment, and one day after this article was posted, Canada’s federal police force has answered some of the questions raised in this story. Their response confirms the reporting below.

“The RCMP does not currently have an approved project plan to implement a facial recognition system,” the statement we received by email states, although the new fingerprint system will “allow the RCMP to implement facial recognition as an option.”

The RCMP does currently maintain a database of facial images voluntarily sent by “police agencies,” but “they are not being used or accessed by the RCMP at this time,” the emailed statement continues. Despite pushing ahead with the procurement process for the technology needed to access such a database, the RCMP spokesperson wrote: “There is currently no policy on the retention of facial images, including purging rules,” and that these questions will be addressed when RCMP policy is “finalized.”

The RCMP statement noted that the law enforcement agency has not consulted the Office of the Privacy Commissioner with regards to this project, but is part of a biometrics working group, along with numerous other national security agencies such as the Canadian Security Intelligence Service and Canada Border Services Agency, created by Defence Research and Development Canada's Centre for Security Science.


The Royal Canadian Mounted Police is aiming to upgrade its automated fingerprint identification system (AFIS), and this time, Canada’s top cops want the system to have facial recognition search capabilities.

Even more concerning, available documents suggest that the plan flies in the face of Canada’s existing privacy guidelines for facial recognition technology.

The AFIS renewal contract is set to run until 2021, according to a 2015 letter of interest, but there is “no planned implementation time” for the facial recognition aspect, according to another letter of interest published on Wednesday. Instead, a successful bidder for the AFIS contract only needs to “support” facial recognition capabilities, should the RCMP decide to implement them.

Despite this ambiguity over when facial recognition will be used, the RCMP has some pretty clear ideas about how it should be used. According to a previously released document, the RCMP would like to store and analyze surveillance and cellphone video, “or other non-controlled, poor-quality sources.” The RCMP also expects that these videos may only contain partial facial images. It’s unclear from where, or how, the RCMP plans on acquiring cellphone video.

According to the document, the RCMP will perform one-to-one searches (using one image to confirm the identity of one suspect), as well as one-to-many searches—fishing expeditions involving large databases of photos. If a photo does not contain an identifiable person, then it should be stored in an “unknown photo database repository,” according to the letter of interest, which the RCMP can later query.

“What is the criteria for adding photos to that database?” asked lawyer Micheal Vonn, policy director of the British Columbia Civil Liberties Association, who said she isn’t aware of any such RCMP repository. “If they are going to just download all manner of photos and videos into the repository without strict inclusion or exclusion criteria, that is a problem. For example, people marching in a demonstration should not be videoed and have their images placed in an RCMP unknown photo database [to be used as] a repository of suspects.”

Provisions in Bill C-51 that allow for an unprecedented level of information sharing between federal agencies under the aegis of national security, Vonn said, pose additional dangers. “If the RCMP used a national security rationale for commandeering, say, the passport database, it’s got much more photos of Canadians than it would have in their mugshots.”

The RCMP declined to comment within Motherboard’s publishing timeframe, and we will update this article if we hear from them.

In a 2013 report prepared by the Office of the Privacy Commissioner of Canada (OPC), the nation’s top privacy watchdog listed several guidelines for facial recognition. Two of them include stipulations to record and store descriptions of biometric data instead of images themselves to ensure they’re not re-analyzed improperly, and to stick to one-to-one searches to minimize the risk of false matches or data breaches. By stating that they wish to maintain a database of images, and perform one-to-many searches, the RCMP appears to be disregarding both of these guidelines.

“We were not specifically aware of this letter of interest,” Tobi Cohen, OPC spokesperson, wrote me in an email. “The issue of facial recognition did come up in a Privacy Impact Assessment (PIA) from the RCMP in relation to body worn video cameras. In our response to the PIA last fall, we indicated that the RCMP would have to update its PIA and assess the privacy risks if it were to apply facial recognition technology to any footage collected. At the time, the RCMP indicated it was not contemplating such a thing.”

“If the RCMP were to use facial recognition in any capacity, we would expect to receive a PIA on the program,” she added.

Facial recognition technology has been used in Canada by passport authorities for years in order to detect fraud, beginning in 2009. That program has been undergoing PIAs since 2004, according to an OPC report, years before it was actually implemented.

Despite shopping around for a company to supply them with facial recognition-ready technology, it appears as though the RCMP is not following the lead of other government agencies in terms of their concern for citizen privacy.

Rogers and Alcatel-Lucent Proposed an Encryption Backdoor for Police - Motherboard 20160212

As telecom companies prepare for the day when phone calls are counted in megabytes and not minutes, yet another contentious encryption debate is looming: how to secure subscribers' voice conversations, while balancing law enforcement’s need to eavesdrop when needed.

For Canadian telecom company Rogers and equipment maker Alcatel-Lucent (now Nokia), one option was a so-called backdoor, a secret key of sorts that could decrypt otherwise secure communications, and that theoretically only law enforcement could use.

In 2012, the two companies came up with a lawful interception proposal for a next-generation voice encryption protocol, known as MIKEY-IBAKE. The protocol was designed to protect conversations end-to-end—that is, no one sitting in the middle of a call's network connection could eavesdrop on what was being said.

Unless you were law enforcement, that is. For them, there was an exception, a backdoor. But there’s a problem with this scenario: a backdoor for law enforcement has the potential to be exploited by others, which is why, amongst security professionals, backdoors are so vehemently opposed.

"In the US, this has been the debate. Are we going to backdoor communications? We simply haven't had that debate here," said Christopher Parsons, a post-doctoral researcher at the Citizen Lab, which belongs to the University of Toronto’s Munk School for Global Affairs. "It seems as though we have carriers and vendors who are looking for ways to subvert that without bothering to deal with the politicians."

The documents detailing the Rogers and Alcatel-Lucent proposal are related to documents analyzed last month by Steven Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of University College London. Murdoch’s analysis described an encryption protocol related to MIKEY-IBAKE that had been modified—backdoored—by the UK intelligence agency GCHQ.

An excerpt from one of the documents describing Rogers and Alcatel-Lucent's proposal. Image: Screenshot/3GPP

On the one hand, telecom providers have no choice but to opt for stronger encryption (and, to be clear, this is a good thing). At present, "land-line calls are almost entirely unencrypted, and cellphone calls are also unencrypted except for the radio link between the handset and the phone network," wrote Murdoch, in his recent analysis of GCHQ’s backdoored cellular encryption scheme.

On the other, more widespread use of encryption has drawn the ire of law enforcement. The FBI famously described Apple and Google’s efforts to increase user data protections as making evidence go “dark.” And because various jurisdictions—including Canada and the US—include wiretap provisions as a condition of having access to wireless spectrum, employing protections that also stymie law enforcement isn't so cut and dry.

"These lawful intercept requirements are harming security,” Murdoch said in an interview. “They're preventing the deployment of security in order to facilitate surveillance, and that's not really a debate that's been discussed."

The Rogers and Alcatel-Lucent proposal was introduced during a meeting of the 3rd Generation Partnership Project's lawful interception working group in 2012. The 3GPP is an organization that develops standards that dictate how much of the world's cellular infrastructure works, including 4G and LTE (draft documents of the proposal are available on its website, but the final proposal is not).

At that meeting, which was held in Barcelona, Rogers and Alcatel-Lucent proposed an approach to encryption where, instead of protecting communications using a random number generator, the system would use a pre-defined "pseudo-random number generator," or a secret number, that only a telecom provider or network operator would know.

Because all messages would be encrypted using this pre-determined number, anyone that discovered the number could decrypt any message they wanted.

The proposal was described by Parsons and fellow Citizen Lab researcher Andrew Hilts last year, in a report for the Telecom Transparency Project (Parsons is its founder), but received little notice at the time.

"The Rogers/Alcatel-Lucent solution would let a [telecom service provider] either decrypt traffic in real time or retroactively decrypt traffic that had been encrypted using the [pseudo-random number generator]," the pair wrote in their 2015 report on telecommunications surveillance. "As such, their proposal would effectively undermine the core security design decisions that were ‘baked’ into MIKEY-IBAKE."

"This should be a public discussion. This shouldn't be something that's buried away in a pretty cloistered standards environment,” said Parsons, who called the proposal “worrying.” Canadian Parliament has yet to engage in the sort of encryption debate currently taking place in the US.

“We're talking about fundamental aspects of how law enforcement interacts with our communications, that the extent to which we can trust the security provided to us by telecommunications providers,” Parsons continued. “And this all comes after Canada has passed numerous legislature that deals with security and surveillance, none of which, to my mind, explicitly clarify whether or not this kind of decryption on the fly would be required."

The encryption protocol proposed by Rogers and Alcatel-Lucent was actually previously rejected by the UK government's spy agency GCHQ for being too difficult to eavesdrop on. Instead, GCHQ proposed an alternate standard, MIKEY-SAKKE, which can be more readily intercepted. The UK government has been promoting adoption of the standard in both government and commercial products.

MIKEY-IBAKE, meanwhile, does not appear to have been implemented. Leonard Pesheck, a spokesperson for Nokia (which recently purchased Alcatel-Lucent), wrote in an email that "the MIKEY-IBAKE proposal we submitted to 3GPP SAE for standardization was not accepted and we therefore did not pursue product plans."

Rogers spokesperson Jennifer Kett also confirmed the company brought forward the MIKEY-IBAKE proposal, but "ultimately that proposal was not adopted."

"As you can appreciate, in order to best protect our customers and as a condition of our licenses, we don’t publicly disclose our security practices," Kett wrote in an email.

If those practices include backdoors, however, it’s only a matter of time before others disclose them first.

Confirmed: Carnegie Mellon University Attacked Tor, Was Subpoenaed By Fed - Motherboard 20160224

Update: Kenneth Walters, a spokesperson from CMU, told Motherboard in an email, "We have nothing to add beyond our Nov. 18 statement." When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

In November, Motherboard reported that a “university-based research institute” provided information to the Federal Bureau of Investigation that led to the identification of criminal suspects on the so-called dark web. Circumstantial evidence pointed to that body being the Software Engineering Institute (SEI) of Carnegie Mellon University (CMU). After a media-storm, CMU published a very carefully worded press release, implying that it had been subpoenaed for the IP addresses it obtained during its research.

Now, both the name of the university and the existence of a subpoena have been confirmed in a recent filing in one of the affected criminal cases.

“The record demonstrates that the defendant's IP address was identified by the Software Engineering Institute (“SEI”) of Carnegie Mellon University (CMU”) [sic] when SEI was conducting research on the Tor network which was funded by the Department of Defense (“DOD”),” an order filed on Tuesday in the case of Brian Farrell reads. Farrell is charged with conspiracy to distribute cocaine, heroin, and methamphetamine due to his alleged role as a staff member of the Silk Road 2.0 dark web marketplace.

“Farrell's IP address was observed when SEI was operating its computers on the Tor network. This information was obtained by law enforcement pursuant to a subpoena served on SEI-CMU,” the filing continues.

Between January and July 2014, a large number of malicious nodes operated on the Tor network, with the purpose, according to the Tor Project, of deanonymising dark web sites and their users. The attack relied on a set of vulnerabilities in the Tor software—which have since been patched—and according to one source, the technique could unmask new hidden services within two weeks.

Evidence has pointed to SEI being behind that attack: SEI researchers Alexander Volynkin and Michael McCord were due to present research at the Black Hat hacking conference in August 2014 on how to unmask the IP addresses of Tor hidden services and their users, before the talk was suddenly canceled without explanation. SEI also submitted a research paper to the 21st ACM Conference on Computer and Communications Security (CCS) in 2014 on unmasking dark web users and sites, although that paper was apparently based on simulations, rather than in-the-wild attacks. That research was funded by Department of Defense contract number FA8721-05-C-0003. (The Tor Project has made an unsubstantiated claim that CMU was paid by the FBI to the tune of at least $1 million to carry out the attack.)

This new court document shows that, as many suspected, SEI was indeed behind the attack on Tor, and that information obtained from that move was accessed by law enforcement via a subpoena, facts that Farrell's defense has been aware of for some time, judging by the latest filing.

When asked how the FBI knew that a Department of Defense research project on Tor was underway, so that the agency could then subpoena for information, Jillian Stickels, a spokesperson for the FBI, told Motherboard in a phone call that “For that specific question, I would ask them [Carnegie Mellon University]. If that information will be released at all, it will probably be released from them.”

The Tor Project did not immediately respond to a request for comment, and neither did CMU, DoJ, or Farrell’s representatives. This story will be updated if we hear back.

This latest order was in response to a motion to compel discovery filed by Farrell’s defense in January. They have received “basic information” about the Tor attack, as well as the funding and structure relationship between SEI and DOD, according to the order, but have requested other materials too. The motion was denied by the Honorable Richard A. Jones.

Many of the filings are under seal, so it's not clear what exact information Farrell's lawyers have been trying to get hold of, but this latest order provides some indications. The defense has sought more information on the attack, and “disclosures regarding contacts between SEI, the Department of Justice, and federal law enforcement,” the order reads, encompassing periods before and after SEI performed the attack itself, with a particular emphasis on meetings between the DoJ and SEI.

As for why the court ordered that no further details about how SEI operated and collected IP addresses should be provided to the defendant, Jones claimed that IP addresses, and even those of Tor users, are public, and that Tor users lack a reasonable expectation of privacy.

“SEI obtained the defendant’s IP address while he was using the Tor network and SEI was operating nodes on that network, and not by any access to this computer,” the order reads.

“In order for a prospective user to use the Tor network they must disclose information, including their IP addresses, to unknown individuals running Tor nodes, so that their communications can be directed towards their destinations. Under such a system, an individual would necessarily be disclosing his identifying information to complete strangers,” the order continues.

This line of argument echoes that made in a recent case of FBI mass hacking, where a judge wrote that Tor doesn't give its users complete anonymity because users do have to provide their real IP address to a node of the network at some point. Indeed, in his order, Jones pointed explicitly to this ruling.

In sum, “SEI's identification of the defendant's IP address because of his use of the Tor network did not constitute a search subject to Fourth Amendment scrutiny,” the order reads.

Jones adds that the request for further discovery was made “despite the understanding communicated by the Tor Project that the Tor network has vulnerabilities and that users might not remain anonymous.” When it comes to the other requests made by Farrell's defense, the judge ordered they were irrelevant, overbroad, and that enough information has already been provided.

Farrell's case is far from the only one affected by SEI's attack on Tor.

Earlier this month, Gabriel Peterson-Siler pleaded guilty to one count of possession of child pornography, and another drug case in Ireland indicates it was also swept up in the institute's actions. In fact, the search warrant issued against Farrell stated that approximately 78 IP addresses that accessed the vendor portion of Silk Road 2.0 were obtained. On top of this, the seizure of Silk Road 2.0 was part of the wider Operation Onymous, which ended in the shuttering of around 27 different dark web sites, suggesting that many more criminal suspects, or those already convicted, were likely discovered with the same approach.

GCHQ Director: One Warrant Can Be Used to Hack a Whole Intelligence Agency - Motherboard 20160209

The UK’s intelligence agencies may soon get their hacking powers on a stronger legal footing. But a new report questions why certain warrants designed to hack multiple computers at once are even necessary, when their more targeted equivalents are arguably just as broad.

On Tuesday, the UK's Intelligence and Security Committee of Parliament published its report on the draft Investigatory Powers Bill, a proposed piece of surveillance legislation. The Committee was told that so-called “targeted” hacking warrants were so broad that they could be used to gather information on an entire foreign intelligence agency, raising concerns about what “bulk” warrants are designed for.

If passed into law, the bill will force internet service providers to store the browsing history of their customers for 12 months. It will also update how some of the intelligence agencies' use of “equipment interference” (EI)—the UK government's term for hacking—is handled, and introduce the idea of “targeted” and “bulk” EI warrants.

At the moment, equipment interference for the intelligence agencies is governed under the Intelligence Services Act 1994, but the draft Bill is the first time that hacking warrants are being separated into Targeted and Bulk variants.

Only security and intelligence agencies would be able to apply for a bulk EI warrant, not law enforcement, and they could only be used to intentionally target systems abroad, according to a government-issued fact sheet.

“Bulk EI facilitates target discovery, it helps to join up the dots between fragments of information that may be of intelligence interest,” the fact sheet continues, keeping its description of the power incredibly vague. “It is possible that bulk activity might capture data and information about UK persons, for instance if they are associated with a subject of interest.”

But the Intelligence and Security Committee—a body of the government tasked with examining the policy, administration and finances of the UK's intelligence agencies—is concerned that bulk EI warrants are largely superfluous, because targeted warrants are already exceptionally wide in scope.

“Despite the name, a Targeted EI warrant is not limited to an individual piece of equipment, but can relate to all equipment where there is a common link between multiple people, locations or organisations,” the report from the Committee reads.

Robert Hannigan, the director for GCHQ, told the Committee that, hypothetically, a targeted EI warrant could encompass an entire hostile foreign intelligence service.

“It is therefore unclear what a 'bulk' EI warrant is intended to cover, and how it differs from a 'targeted' EI warrant,” the report continues.

Indeed, Hannigan conceded that “the dividing line between a large-scale targeted EI and bulk is not an exact one.” This evidence was provided in an oral session to the Committee on November 26, 2015, but the transcript is not public.

The Committee writes that the intelligence agencies appeared to suggest that the provision for a bulk EI warrant may be desired for “future-proofing,” but no specific examples of what such a warrant might cover were provided by the agencies, despite the very broad and intrusive powers they would provide.

“The Committee is therefore not convinced as to the requirement for [bulk warrants],” the report reads.