Online Security: Verification and Validation


An overview of key points for activists to bear in mind for online security, or tactics to bring into play in case of an online incursion by members of anyone’s so-called “Cyber Army” – updated version of my December 2011 post “Battle Hardening Against Cyber Soldiers” for Cyber Security Awareness Month.

When it comes to online security, your first responsibility is to yourself, and that has never been clearer than now, with the daily diet of revelations about the allegedly massive scale of global government spying and surveillance finally raising awareness. Of at least equal importance is the need to stay alert to the risks your actions might create for others in your online network. Every time you share, tag, mention or otherwise connect someone else to your content, you are highlighting your relationship in the context of that content. A simple typing error, a hastily copied story, or unbridled haste to share without fact-checking can alter that context dramatically, and potentially with rather more serious consequences than any of us previously imagined. Increase your personal security first, using the same logic as those flight safety rules about oxygen masks. Here’s a handy article from the New Scientist, about how to try and evade the NSA dragnet, to help you get started.

Being part of an online network means you need to be able to justify each of your online relationships, and pay attention to any unexpected changes. Harsh as it might seem, treat all former contacts, who reappear after an absence, with neutral (not hostile) caution. Accounts do get hacked, and occasionally, people do get recruited to “the other team” or put under pressure to reveal passwords. If you didn’t put a challenge/response protocol* in place with your trusted contact before they dropped off the grid, so you could verify their identity when they reappear at some future point, then you have to assume there is a 50% chance they are not the person you once knew until they can prove themselves to your satisfaction. Similarly, do not feel obliged to “follow back” or accept every friend request unless you feel confident about doing so. Set some standards for yourself about why and how you plan to grow your network. If you are simply feeling insecure, ego-driven, or lonely, be honest with yourself about your motivations, and try to keep them in check so that they don’t compromise your security.

*Establish a challenge/response protocol with your trusted contacts. This is an agreed question you can ask the other person and an agreed response they must give, like a password reminder.

Tip: Do NOT use any of your existing password reminder Q&As.

New accounts, especially breathlessly dramatic ones, should also be treated with measured caution. Wait for verification of all news, especially any that will have serious or long-term repercussions. We learned this the hard way when a very plausible fraud appeared on Twitter in the middle of a protest and declared that bit.ly shortened links were blocked in Iran. The ensuing panic and last-minute changes caused a lot of people a great deal of unnecessary extra effort, and some of the suggested alternative link shortening sites are no longer operational, meaning that archived content which includes links using these now-defunct services is effectively dead.

“Breaking News” reports always seem to demand an urgent response, when in fact they should be treated as “unconfirmed news”. As we all know, a lie is halfway around the social network world before the truth has got its pants on. So, as always, wait and verify, verify, verify. Remember that even the most experienced social media users and big name mass media outlets like the BBC, MBC, CNN etc. have all been fooled by fake news, or been too quick to rush to headlines without checking facts; at times, they are even revealed to be responsible for it. If you do happen to post a report in good faith which later turns out to be false, you should be willing to spend at least as much time retracting it and letting everyone know as you spent sharing it.

Mark unconfirmed status updates as UNCONFIRMED or UNCONF. Do not remove text that identifies news as unconfirmed when re-tweeting or re-posting.

Be cautious with private message requests or emails containing sensational news, documents, images, videos etc. asking you to share news. Suggest to whoever sent it that they post it themselves and you (might) share their update. If they claim to be unable to use or create a social network account, suggest they use liveleak.com, where you can share images, documents, videos and post text updates using an alias. Run a search for the information being privately shared with you, to see if it can be verified, or if anyone is posting warnings about it.

Watch out for people re-using images from unrelated events. Use Google or TinEye to search for images by URL or by uploading them. Try using Storyful’s Multisearch tool to help you verify news and look for more sources. What other tools do you know of? Add the best to your favorites, and share them often.

Check whether images have been altered, using special analysis tools like Image Metadata Manager or JPEGSnoop, or the fotoforensics.com website.
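The metadata side of that check, as an added example that is not part of the original post: a small Python reader that walks a JPEG's segments, pulls the camera, software and timestamp fields from the EXIF block, and lists what a human reviewer should question. The sample image bytes, the `build_sample` helper and the "Example Editor" name are constructed for the demonstration; metadata is a hint rather than proof, since it can be stripped or rewritten.

```python
import struct
TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

def exif_tiff(jpeg):
    """Walk the JPEG segments and return the TIFF block of the APP1/Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2  # loop ends on lost sync or at start-of-scan (0xDA)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length
    return None

def read_ifd0(tiff):
    """Return the ASCII fields of IFD0 that are listed in TAGS."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or struct.unpack_from(order + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    (ifd,) = struct.unpack_from(order + "I", tiff, 4)
    (count,) = struct.unpack_from(order + "H", tiff, ifd)
    fields = {}
    for i in range(count):
        tag, typ, n, value = struct.unpack_from(order + "HHI4s", tiff, ifd + 2 + 12 * i)
        if tag in TAGS and typ == 2:  # type 2 = ASCII
            if n > 4:  # strings longer than 4 bytes are stored at an offset
                (off,) = struct.unpack(order + "I", value)
                value = tiff[off:off + n]
            fields[TAGS[tag]] = value[:n].rstrip(b"\x00").decode("ascii", "replace")
    return fields

def review(jpeg):
    """Return (fields, notes); notes are prompts for a human, not a verdict."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return {}, ["no EXIF block: stripped or never written"]
    fields = read_ifd0(tiff)
    notes = [f"{k} missing" for k in ("Make", "Model", "DateTime") if k not in fields]
    if "Software" in fields:
        notes.append(f"Software={fields['Software']}: camera firmware or an editor?")
    return fields, notes

def build_sample(strings):
    """Constructed input: a JPEG shell with only an Exif IFD0 (values of 4+ chars)."""
    entries, blob, base = b"", b"", 8 + 2 + 12 * len(strings) + 4
    for tag, text in sorted(strings.items()):
        entries += struct.pack("<HHII", tag, 2, len(text) + 1, base + len(blob))
        blob += text.encode("ascii") + b"\x00"
    body = b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, len(strings)) + entries + bytes(4) + blob
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

EDITED = build_sample({0x0131: "Example Editor 1.0", 0x0132: "2013:10:01 09:15:00"})
```

For a real file, pass `open(path, "rb").read()` to `review`.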

As far as possible, try to stay transparent in your methods and analysis, and let your network help you by reaching out for help verifying reports, checking facts, or translating content.

Fake videos seem to be all the rage these days, while innocent cameramen are being murdered, kidnapped or harassed, and citizen journalists – or indeed, anyone carrying a smart phone or camera – face increasing pressure from police and authorities.

Here is my current list of suggestions, ideas and wishes for video checking and verification:

  1. Time and Date – video camera clocks can be changed of course, but we used to encourage activists in Iran or elsewhere to show us that day’s newspaper, social media status updates on a screen, or a live TV broadcast in the background of their video.
  2. Incentivising crowdsourced verification by rewarding the crowd. Rewards are not necessarily restricted to the financial; there are many different ways to motivate using more humanitarian methods, media coverage, thanking helpers with mentions, gamified social media decals etc. – see this video for an example (at 10m42s):
    Digital Humanitarians: Patrick Meier at TEDxTraverseCity 2013
  3. Patience. There is often no good reason for the rush to post unverified news. This sense of urgency was more relevant four or five years ago, when mainstream media was thumbing its nose at “irrelevant, pointless” social media and users felt driven to prove their worth and expose the slow-footed traditional press. Now social media has gained almost universal acceptance, we should adjust the idea of competition to be first to break “all” news – at the cost of validity – and only apply it where it adds value, such as disaster relief.
  4. Details. We need to encourage those posting video to take the time to add important details – names, dates, locations, background facts, and tagging – for example, while also blurring faces of vulnerable subjects.
  5. Communication – it’s a 2-way street. We need to understand the importance of leaving comments of encouragement, feedback, guidance. At present, too much video is being posted and consumed in a communication vacuum.
  6. Archiving. Too many videos get pulled offline, and any video exposing serious abuse by authorities is at risk of being censored either formally or informally. There are sites that will save text or image content, but I don’t know of any reliable, consistent, centralised effort to preserve video or audio. It’s left to quick-thinking people to save these items privately.
  7. Translation. Really, this should be first on the list. The lack of organised, consistent volunteer efforts to crowdsource translation beggars belief. If you know anyone who can build an app for this, I have a rough design outline that’s been gathering dust for the past 4 years.
  8. Gratuitous violence and shock tactics are on the increase (and being pushed by Facebook and major news outlets when it suits them) and little good has come of it, if any.  People are being traumatised, becoming immune to it, or turning away. This is very damaging to the prospects of crowdsourced verification, because the gore factor is a deterrent to many potential helpers. I resist sharing the 18+ content being posted as relevant to human rights abuse, in the hope that, if we don’t encourage the trend by reacting, rewarding, or promoting, it will fall out of favour.
  9. We need an open source tool for video that works like JPEGSnoop, to extract information about the video, camera, settings, GPS etc.

Your comments and suggestions are very welcome on these subjects – drop me an email through the contact form or leave a comment below.

Take responsibility for your online safety and security

  • Change to a strong password and keep changing it, if not daily then as often as you can.
  • Scan your computer to check for intrusions, keyloggers, rootkits, malware, and trojans and keep your security software up to date.
  • Make sure that your recovery details for websites like Twitter, Facebook, blogs etc. are accurate and up to date.
  • Protect the email accounts you use to register with websites and services.
  • Use https to access websites and services, so that when you do connect, the information you send is encrypted.
  • Copy and paste login names and passwords rather than type them.
  • Do not store unencrypted user names and passwords on your computer.
  • Protect files on your computer or on external storage devices or removable storage like flash drives, SD cards or USB sticks using encryption, such as TrueCrypt.
  • Use a password on all your devices.

Be alert for apparently innocent requests for information about your own or anyone else’s details, such as location, online activity, other connections, friends or contacts.

Syria’s regime is lying about a cut cable taking out the internet

Today, 29 November 2012, between 1026 and 1029 (UTC), all traffic from Syria to the rest of the Internet stopped. The CloudFlare blog witnessed the drop-off:

 

We’ve spent the morning studying the situation to understand what happened. The following graph shows the last several days of traffic coming to CloudFlare’s network from Syria.

Since the beginning of today’s outage, we have received no requests from Syrian IP space. That is a more complete blackout than we’ve seen when other countries have been cut from the Internet (see, for example, Egypt where while most traffic was cut off some requests still trickled out).

The graph above shows two other incidents over the last week. On 25 November 2012 at approximately 0800 UTC we witnessed a 15 minute period during which Syrian traffic was cut to only 13% of normal levels. Again on 27 November 2012 at 0730 UTC, we saw a 15 minute period during which traffic dropped to only 0.2% of normal.

What Happened?

The Syrian Minister of Information is being reported as saying that the government did not disable the Internet, but instead the outage was caused by a cable being cut. Specifically: “It is not true that the state cut the Internet. The terrorists targeted the Internet lines, resulting in some regions being cut off.” From our investigation, that appears unlikely to be the case.

To begin, all connectivity to Syria, not just some regions, has been cut. The exclusive provider of Internet access in Syria is the state-run Syrian Telecommunications Establishment. Their network AS number is AS29386. The following network providers typically provide connectivity from Syria to the rest of the Internet: PCCW and Turk Telekom as the primary providers with Telecom Italia, TATA for additional capacity. When the outage happened, the BGP routes to Syrian IP space were all simultaneously withdrawn from all of Syria’s upstream providers. The effect of this is that networks were unable to route traffic to Syrian IP space, effectively cutting the country off the Internet.

Syria has 4 physical cables that connect it to the rest of the Internet. Three are undersea cables that land in the city of Tartous, Syria. The fourth is an over-land cable through Turkey. In order for a whole-country outage, all four of these cables would have had to be cut simultaneously. That is unlikely to have happened.

Watching the Shutdown Happen

One of our network engineers recorded the following video of network routes being withdrawn. Syrian Telecommunications (AS29386) is represented by the red dot in the middle of the video. The lines represent routes to the Syrian upstream providers.

Beginning at 1026 UTC, routes were withdrawn for PCCW. The routing shifted primarily to Turk Telekom. Routes to Telecom Italia and TATA were also withdrawn, but had less of an impact. Then, at 1029 UTC, routes were withdrawn for Turk Telekom. After that, Syria was effectively cut off from the Internet. (Note that the remaining path that appears to be present in the video is an anomaly. We have confirmed that it is not actually active.)

While we cannot know for sure, our network team estimates that Syria likely has a small number of edge routers. All the edge routers are controlled by Syrian Telecommunications. The systematic way in which routes were withdrawn suggests that this was done through updates in router configurations, not through a physical failure or cable cut.

What Syrians Were Surfing Before the Internet Was Turned Off

The last four sites on CloudFlare that received requests from Syria in the seconds before access was cut were:

  • fotoobook.com – a photo sharing blog
  • aliqtisadi.com – a Syrian news site
  • madinah.com – a Muslim-oriented social network
  • to2.xxx – a porn site (warning: not safe for work)

In other words, traffic from Syrians accessing the Internet in the moments before they were cut off from the rest of the world looks remarkably similar to traffic from any part of the world.

As we have posted about recently, we don’t believe our role is to take sides in political conflicts. However, we do believe it is our mission to build a better Internet where everyone can have a voice and access information. It is therefore deeply troubling to the CloudFlare team when we see an entire nation cut off from the ability to access and report information. Our thoughts are with the Syrian people and we hope connectivity, and peace, will be quickly restored.
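The routing argument in the quoted CloudFlare post, as an added example that is not CloudFlare's code or data: a Python replay of BGP updates that separates "every upstream lost all routes within minutes" from "one path failed and the rest kept routing". The upstream names and the 10:26 to 10:29 timing come from the post; the prefixes, the seconds, the single-path scenario and the five-minute window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

UPSTREAMS = ["PCCW", "Turk Telekom", "Telecom Italia", "TATA"]  # named in the post
PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]  # documentation ranges, not Syrian IP space

def announce_all(ts):
    return [(ts, u, p, "announce") for u in UPSTREAMS for p in PREFIXES]

def withdraw_all(ts, upstream):
    return [(ts, upstream, p, "withdraw") for p in PREFIXES]

# Constructed update streams for AS29386. Minutes follow the post; seconds are invented.
COORDINATED = (announce_all("2012-11-29T00:00:00")
               + withdraw_all("2012-11-29T10:26:05", "PCCW")
               + withdraw_all("2012-11-29T10:26:30", "Telecom Italia")
               + withdraw_all("2012-11-29T10:26:40", "TATA")
               + withdraw_all("2012-11-29T10:29:10", "Turk Telekom"))
# Hypothetical contrast: one provider's path is lost, the other three keep routing.
SINGLE_PATH_LOSS = (announce_all("2012-11-29T00:00:00")
                    + withdraw_all("2012-11-29T10:26:05", "PCCW"))

def dark_times(events):
    """Replay updates in time order; map each upstream to when it lost its last route."""
    routes, dark = {}, {}
    for ts, upstream, prefix, action in sorted(events):
        held = routes.setdefault(upstream, set())
        dark.setdefault(upstream, None)
        if action == "announce":
            held.add(prefix)
            dark[upstream] = None  # reachable (again) through this upstream
        elif action == "withdraw" and prefix in held:
            held.remove(prefix)
            if not held:
                dark[upstream] = datetime.fromisoformat(ts)
    return dark

def classify(events, window=timedelta(minutes=5)):
    """Separate an all-upstream withdrawal inside `window` from a partial loss."""
    dark = dark_times(events)
    if not dark:
        raise ValueError("no BGP updates supplied")
    alive = sorted(u for u, t in dark.items() if t is None)
    if alive:
        return {"verdict": "partial", "still_routing": alive, "span": None}
    span = max(dark.values()) - min(dark.values())
    verdict = "coordinated" if span <= window else "staggered"
    return {"verdict": verdict, "still_routing": [], "span": span}
```

Real input would come from a route collector's update feed, mapped to the same `(time, upstream, prefix, action)` tuples.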

 

#Iran’s 2009 Election Remembered

Collection of tweets from 12 June 2009 – 22 Khordad 1388 on the Persian calendar – the date of Iran’s parliamentary election, which erupted in massive protests swiftly followed by a brutal crackdown with the loss of many lives and the arrest, torture and detention of thousands.

— weddady (@weddady) June 12, 2009

— TIME.com (@TIME) June 12, 2009

I’ve re-tweeted the following at the same time today as they were originally posted.

Actual link for Guardian article in Rachel Maddow tweet: http://www.guardian.co.uk/news/blog/2009/jun/12/iran-middleeast

BBC coverage of the protests over election results:

The rise of social media

International media correspondents were quickly expelled from Iran after protests erupted. Citizen media took over, and social media was transformed from an unpopular web wasteland where bored people could read about what – or who – other people were eating, to become the world’s biggest platform for real-time reporting of events. It’s also arguably the world’s biggest platform for propaganda, and a spam magnet sans pareil.

The geeks and nerdy college grads who created today’s most popular social media applications were only too happy to leverage the instant celebrity status bestowed by the media as a result of the massive increase in popularity that the Iran election generated: most if not all are millionaires now. The activists who fuelled that meteoric rise definitely get the raw end of the deal.  Governments all over the world, from the US to the UK, from China to Kuwait, seem to view social media as both an innovative tool to spy on their citizens, and a means to oppress them. These security-obsessed states show a disturbing willingness to prosecute users with extreme sentences, often on spurious evidence but with serious charges such as “endangering national security”. This is testament to the importance of social media in society today.

Meanwhile, application developers make changes that disrupt and inconvenience users without warning, and incidents of arbitrary censorship of user content are fairly commonplace. None of the apps were built with the concept of user security and privacy as paramount, and re-engineering efforts don’t seem to be a priority compared to, say, changing terms of service to increase marketing and monetisation opportunities. As we’ve watched Google’s departure from its “don’t be evil” tag-line with a mixture of alarm and resignation, sites like Twitter have similarly changed course from “it’s your content, you own it” to “it’s your content and although you can’t access it, we’re selling it.” (and will readily censor or surrender it in response to government requests). As an added challenge, there is the growing trend of user credentials being “leaked” and the accompanying rise in incidents of user accounts being “hacked”.

Related content

For fascinating first-hand observations and insight into what it’s like in Iran these days, I recommend Laura Secor’s excellent article in the New Yorker.