Dec 11, 2015
 

Technews World – December 11th, 2015

 


FBI Director James Comey on Wednesday told members of a U.S. Senate committee that high-tech companies may need to adopt a new business model regarding encryption in order to get on the same page with law enforcement.

“Encryption is getting in the way of our ability to have court orders effective to gather information we need in our most important work,” he told the Senate Judiciary Committee.  “There are lots of folks who’ve said over the last year or so we’re going to break the Internet or we’ll have unacceptable insecurity if we try to get to a place where court orders are complied with,” he said. “I actually think it’s not a technical issue.”

Companies are designing their products so court orders can’t be complied with, Comey said. “I’m not questioning their motivations. The question we should ask is, Should they change their business model?”

No Backdoors

That new model presumably would allow companies to unscramble the data on a user’s phone or other device if a court ordered them to do so.  “There are plenty of folks who make good phones and are able to unlock them in response to a court order,” Comey said. “In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.”

“Backdoors” into encrypted data need not be part of this new business model, he added.  “People also, I think, better understand today the government doesn’t want a backdoor,” Comey said. “The government hopes to get to a place where if a judge issues an order, the company figures out how to supply that information to the judge and figures out on its own what would be the best way to do that,” he continued.

“The government shouldn’t be telling people how to operate their systems,” Comey added.

Competitive Advantage

To some minds, however, he is indeed telling companies how to run their businesses.  “What Director Comey is asking for is for people to stop using encryption,” Matthew Green, a professor specializing in cryptography at Johns Hopkins University, told TechNewsWorld.

“He wants companies to stop offering good security for their customers,” Bruce Schneier, CTO of Resilient Systems and a fellow at Harvard’s Berkman Center for Internet and Society, told TechNewsWorld.  Good security for customer data has become a competitive issue for many American companies since Edward Snowden revealed the massive snooping efforts of some U.S. government agencies.

“The competitors to Apple, Google, Microsoft and some other companies are claiming they can protect data from U.S. eavesdroppers,” said Leo Taddeo, chief security officer of Cryptzone. “If you’re trying to sell in Europe and you’re an American company, it makes you more appealing if you can say, ‘Your data can’t be retrieved by the U.S. government because, even if we wanted to, our technology doesn’t allow us or them to see your data,’” he told TechNewsWorld.

“As a result, there’s no distinction between us and a local company that’s storing your data,” continued Taddeo, former special agent in charge of the special operations/cyber division of the FBI’s New York Office.

Tiered Encryption

It’s unnecessary for everyone to have unbreakable encryption, he argued. “The idea that every single person out there has to have unbreakable encryption just because spies and cybercriminals are going after banks and credit card companies is ridiculous,” Taddeo said.

“You can give the banks and credit card companies very powerful encryption technology, and you can maintain reasonable encryption on individual phones,” he explained.  Nevertheless, watering down encryption would have a negative impact on U.S. companies. “There would be a lot of lost revenue,” said Ryan Hagemann, a technology and civil liberties policy analyst at the Niskanen Center.

However, the ramifications of weaker encryption reach beyond the bottom line of domestic companies. “It’s pretty startling how much of the online economy depends on encryption as a way of fomenting trust between users online,” Hagemann told TechNewsWorld.

Benefits Outweigh Costs

“It’s not only online retailers. Literally every commercial transaction that is done these days is some way or another going to depend on encryption because of the digital economy we now live in,” he continued.  “If we were to weaken encryption, I think it would have pretty serious consequences for the global economy,” Hagemann added.

With terrorist acts making headlines, though, is strong encryption something even free societies can afford to continue to cultivate?  “Sometimes technologies that benefit society will also be used by those who wish to do us harm, but we always have to compare the cost and the benefits,” Hagemann said.

“If we’re looking at the costs associated with weakening encryption or getting rid of it altogether versus the benefits of strong encryption,” he said, “I think it’s pretty clear that the benefits outweigh the costs by many, many orders of magnitude.”

Dec 11, 2015
 

Techworm – December 11th, 2015

 


We often read about hacking groups such as Impact Team, NullCrew, Anonymous and Lizard Squad, which conduct hacking operations on their own, but we seldom hear about hacking groups that are sponsored by governments across the world. These state-sponsored hacking groups are doubly dangerous because, by virtue of that sponsorship, they have top-notch resources and technologies at their disposal.

Today we look at the top nine such state-sponsored hacking groups that wreak havoc on the Internet:

1. Tailored Access Operations – Sponsor NSA, USA

Active since at least 1998, the Office of Tailored Access Operations is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). A document leaked by former NSA contractor Edward Snowden describing the unit’s work says TAO has software templates allowing it to break into commonly used hardware like routers and switches.

With 600 employees gathering information around the world, their motto is “Your data is our data, your equipment is our equipment – anytime, any place, by any legal means.”

2. Sofacy Group – APT28 – Pawn Storm – Sponsor Russia

Believed to have ties to the Russian Government and said to have been operational from 2007, the group is known to target government, military, and security organizations. Characterised as an advanced persistent threat, the group employs spear phishing attacks, using malware to gain control of systems via a command and control infrastructure.

The group is said to have had involvement in the TV5Monde cyber attack and the six-month long attack on the German parliament that began in December 2014.

 


3. Bureau 121 – Sponsor North Korea

Bureau 121 is a North Korean cyberwarfare agency, which is part of the General Bureau of Reconnaissance of North Korea’s military. According to American authorities, Bureau 121 was created in 1998, with the agency coming to public attention following the Sony hack.

Bureau 121 has been blamed for the cyber breach, but North Korea has rejected this accusation. It is thought that many of the agency’s activities are directed at South Korea and, prior to the Sony hack, reports emerged that 30,000 PCs in South Korea had been attacked.

4. Unit 61398 / Comment Crew / Putter Panda – Sponsor China

Putter Panda is the name of the bad actor responsible for a series of cyber espionage operations originating in Shanghai, with security experts linking its operation to the activity of the People’s Liberation Army 3rd General Staff Department 12th Bureau Unit 61486.

The group has been operating since at least 2007 and appears very interested in research companies in the space and satellite industry; experts at CrowdStrike have collected evidence of numerous attacks against these industries.

5. Hidden Lynx – Sponsor China

Dubbed Hidden Lynx by Symantec, the professional hackers for hire were also called best of breed by Symantec following various targeted attacks or Advanced Persistent Threats (APTs). Given the breadth and number of targets and regions involved, we infer that this group is most likely a professional hacker-for-hire operation that is contracted by clients to provide information.

They steal on demand, whatever their clients are interested in, hence the wide variety and range of targets. The group is assumed to have extensive hacking expertise, up to 100 members, and enough time and effort to carry out attacks on a large and varied scale.

6. Tarh Andishan – Sponsor Iran

In 2009, Iran was left with a badly compromised and diminished computer infrastructure after the widely publicized Stuxnet worm attack. Iran responded by elevating its hacking capabilities from simple website defacement to full-blown cyber warfare. Thus, a state-sponsored hacker group dubbed “Tarh Andishan” (“Thinkers” or “Innovators” in Farsi) was born.

The group gained prominence with “Operation Cleaver,” a campaign that has been active since around 2012 and has targeted at least 50 organizations throughout the world in the military, commercial, educational, environmental, energy, and aerospace fields. Chillingly, they have also targeted major airlines and in some cases even gained “complete access” to airline gates and control systems, “potentially allowing them to spoof gate credentials.”

Cyber security firm Cylance, which has yet to reach a conclusion as to the group’s long-term goals, released an early report on Tarh Andishan (which represents only a fraction of the group’s activities) because of fears that Operation Cleaver already poses a “grave risk to the physical safety of the world.”

 


7. Dragonfly / Energetic Bear – Sponsor Eastern Europe

A group that Symantec calls “the Dragonfly gang” and other security firms have called “Energetic Bear” has been operating out of Eastern Europe and targeting mostly energy companies since around 2011. Before that, it was targeting airline and defense sectors, usually in the US and Canada. Symantec says that the hacker group “bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.” It was first discovered by the Russian-based security firm Kaspersky Labs.

Dragonfly uses remote access Trojans (RATs) such as their own Backdoor.Oldrea and Trojan.Karagany malware tools to spy on energy industry targets, although the methods could also be used for industrial sabotage. The malware is usually attached to phishing e-mails, although the hackers have recently upgraded to “watering hole” methods of targeting: compromising sites that a target is known to frequent. The targets are then sent on a series of redirects until Oldrea or Karagany can be introduced into a victim’s system. In the later stages of their campaign, they even managed to infect legitimate software, which would be downloaded and installed as usual along with unwanted malware.

8. Ajax Security Team / Flying Kitten – Sponsor Iran

Ajax started out in 2010 as a group of “hacktivists” and website defacers from Iran, but they went from activism to cyber espionage and outing of political dissidents. They deny being state sponsored, but many believe that they were hired by the Iranian government—an increasingly common pattern where a group gains the attention of a government through its public activities in order to gain state sponsorship.

Ajax came to the attention of security firms and groups like CrowdStrike when a series of mistakes (one of which gave investigators a member’s real e-mail address) exposed attempts to target the US defense industry and Iranian dissidents. The firm FireEye believes that Ajax was responsible for “Operation Saffron Rose”—a series of phishing attacks and attempts to spoof Microsoft Outlook Web Access and VPN pages in order to gain information and credentials within the US defense industry. The group also exposed dissidents by luring them in with corrupt anti-censorship tools.

9. Axiom

A coalition of security-related groups including Bit9, Microsoft, Symantec, ThreatConnect, Volexity, and others have identified another dangerous group, which they have dubbed “Axiom.” The group specializes in corporate espionage and targeting of political dissidents, and it may have been behind the 2010 attack on Google. Axiom is believed to come out of China, but no one has yet been able to identify where in mainland China the group operates.

A report from the coalition stated that Axiom’s activities overlapped with “the area of responsibility” attributed to the Chinese government’s intelligence agencies, a judgment also supported by an FBI flash released to Infragard.

 

Dec 11, 2015
 

Defense Systems – December 10th, 2015


One of the problems facing government and military officials regarding the cyber domain is that its very nature tips the balance in favor of less capable actors while simultaneously augmenting the capabilities of powerful nation states such as China and Russia, and, for that matter, the United States.

“[Y]ou can spend a little bit of money and a little bit of time and exploit some of our weaknesses, and cause us to have to spend a lot of money, a lot of time,” Defense Department CIO Terry Halvorsen said in September about the imbalance of cyberspace.

“[Adversaries] continue to evolve and we’ve seen a number of our threat actors that they realize it’s a low cost, if you will, to get into this space and they’re using that to their advantage,” Col. Robert Cole, director of the Air Forces Cyber Forward, said last week at an event hosted by AFCEA’s northern Virginia chapter.

Even President Obama has warned of the threat non-state groups pose in cyberspace. “[A]s the Internet erases the distance between countries, we see growing efforts by terrorists to poison the minds of people like the Boston Marathon bombers and the San Bernardino killers,” he said in a prime time address from the Oval Office on Dec. 6.

 


However, the current capabilities of terrorist organizations and non-state actors in cyberspace have proved more of an annoyance than a destructive threat. James Lewis, senior fellow and program director at the Center for Strategic and International Studies, contends that cyber attacks by non-state groups do not presently pose a threat because it “takes a large, well-resourced, and time-intensive effort to use cyber tools for major disruption or physical damage,” as he wrote in a recent report.

But although non-state actors such as ISIS, al Qaeda and their sympathizers may be cyber lightweights compared to the likes of China and Russia, they are pouring more time, attention and resources into cyberspace to further their objectives.

“Cyber warfare is a natural arena for al Qaeda. It allows a small number of covert and dispersed individuals to inflict disproportionate damage on a much stronger adversary,” states a recent report published by the American Enterprise Institute’s Critical Threats Project titled “Al Qaeda Electronic: A Sleeping Dog.” The report did note that, despite this natural operating space, al-Qaeda does not possess an advanced cyber warfare capability, either for attacking high-priority targets in the West or recruiting new members. The only collective claiming any affiliation with the group is the nascent al-Qaeda Electronic, or AQE, which was announced in January 2015. Any actual affiliation with al-Qaeda’s core organization is unclear.

 


Al Qaeda’s “impotence in the cyber realm” can likely be attributed to the lack of experience by its leaders who, the report noted, have spent the majority of the past 25 years operating covertly trying to evade detection by Western governments. (Al Qaeda founder Osama bin Laden also was known to be Internet-averse.) While the group has used technology to communicate with recruits and affiliates, they have more of a defensive mindset – relying on password-protected Internet forums and use of encryption – as opposed to its former affiliate and now primary jihadist rival, ISIS.

ISIS is “changing the landscape of al Qaeda-related cyber activities, however,” the report says. “ISIS is much more offensively oriented, and its declaration of an Islamic State shows its desire to operate in the open rather than the shadows. Its use of information technology follows the same pattern. ISIS relies heavily on social media to communicate among its leaders and to its followers, as well as to attract potential recruits. ISIS is creating competition within the jihadi world in cyberspace as well as in the arts of terrorism and atrocity.”

The report notes that the types of cyber attacks made by non-state actors and less capable groups include defacement of websites, denial of service and data breaches.

ISIS and its sympathizers have recently engaged in similar activities, such as the defacement of the U.S. Central Command’s Twitter page, the collection and dissemination of personal information of members of the armed services and causing a French television station to go off the air. In fact, the capabilities of a member of ISIS’s “CyberCaliphate” drew such ire that he was targeted and killed in an American strike in Syria.

“As far as the terrorist – the evolving of the terrorist threat – they have gone from using the Internet and cyber as a propaganda tool to, I think, just recently this year we saw them not use it just for a tool but also to obtain information to target U.S. government military personnel,” Sean Newell, deputy chief for Cyber, Counterintelligence and Export Control Section at the Justice Department, said Wednesday at an event hosted by the Atlantic Council. “That’s a significant evolution and you can rest assured they don’t want to stop there and they want to keep moving towards greater destructive attacks or cyber-enabled attacks that cause loss of life.”


“Al Qaeda Electronic’s attacks to date have shown little finesse and the group has almost certainly relied heavily on automated vulnerability scanners to find points of penetration,” the report said. “It is unlikely that its program of defacements is merely a distraction for a more menacing operation, such as the covert formation of a botnet, since there is no indication that AQE’s members have the requisite technical skills and the group has not promised to target specific institutional or other large, high-value targets.”

Despite the group’s lack of ability to move past these pesky cyber hits, “AQE’s members are aware of, and on certain occasions have executed, more advanced tactics, and it remains plausible that AQE could move onto targets of greater importance and deploy more powerful software,” the report contends. “The group has expended a considerable amount of effort on organizational formalities, including creating a leadership hierarchy and establishing a separate media outlet.”

Most of AQE’s cyber attempts have been website defacements against low-value targets with occasional denial of service attacks. The group has yet to attempt an intrusion or attack against a high-traffic or government system. Other non-state groups, such as the Syrian Electronic Army, which forced an Army website offline earlier this year, are considered more capable cyber actors than AQE.

But the report notes that AQE cannot be written off because, first, there is potential given the history and connections its members have shown to become more capable players in cyberspace and, second, because cyberspace affords a low barrier of entry, enabling “five untrained fighters [to] pose a negligible threat in the physical realm but can legitimately target disproportionately large enemies online.”

Dec 10, 2015
 

Defense Systems – December 10th, 2015

 


As potential adversaries adopt the use of unmanned aerial systems, the military is regularly looking for ways to jam their signals. But testing those systems can be tough, because jamming technology that can disrupt radios or GPS signals falls under tight restrictions within the United States, given how it indiscriminately affects unintended targets.

Jammers or transmitters that operate over public airwaves usually must gain approval of the military, the Federal Communications Commission or the Federal Aviation Administration, which makes training exercises with such devices problematic, often limiting their use to the wee hours of the morning.

The Army is trying to make the use of these devices easier by limiting their power and precisely directing their signals.

 


A small direct-inject jammer tested recently at the National Training Center in California can be programmed to simulate jamming of radio signals that are used for electronic detection during training scenarios, the Army said in a release. These small devices require less power than earlier direct-inject jammers, which makes them a perfect fit for training centers where approval for such electronically denied environments previously was difficult.

The jammer, developed by the Threat Systems Management Office at Redstone Arsenal, Ala., can be installed between the antenna and radio transceiver and programmed to produce various jamming signals.

The emergence of electronic warfare such as that demonstrated by Russia in recent conflicts poses a significant challenge for the military, which for the last 14 years has been operating in what are known as permissive environments, where the use of EW has not been a primary focus.

Dec 10, 2015
 

Hacking Distributed – December 10th, 2015

 

 

 

The tech press was abuzz two days ago with a claim, from reputable journalists at Wired and Gizmodo, that Satoshi Nakamoto was Dr. Craig S. Wright.

I knew Dr. Craig S. Wright. I was one of the 95 people he followed. We had exchanged private messages on Twitter. He had told me his life story, which mixed quasi-academic references with allusions to quasi-legal activities that were clearly meant to discourage further questioning.

Let’s get the preliminaries out of the way. Craig Wright is not Satoshi. Could not have been.

Before him, Dorian was not Satoshi, either — or rather, he was very much Satoshi Nakamoto, the model railroad enthusiast, not the fellow behind Bitcoin.

Since the press has a habit of outing a Satoshi every year, it’s time to raise the level of discourse up a notch, and talk about how to recognize Satoshi in case we encounter him. For it would be a shame if, say, Jesus came back some day, quietly walked among us, and we all passed him by because we didn’t know what a crown of thorns looked like.

How to Recognize Satoshi


In general, professors typically have a fairly narrow expertise, and uncovering secret identities is not one of them (except, of course, if you work on digital forensics). So I’m not going to claim that I have any special training to recognize Satoshi, but all of us have one particular skill: to be able to size up someone’s technical understanding and characterize where they have technical misconceptions. This is the one skill that all of us absolutely have to master to help students and to respond to questions during lectures.

Consensus protocols, of the kind that power Bitcoin, have historically been prone to misunderstanding. The nomenclature is not consistent and there is a lot of confusion and disagreement about basic results. For instance, what does FLP imply for Bitcoin? What does the Byzantine Generals Problem actually say? Did someone actually read the papers on BGP or did they read one of its many terrible summaries online? What consistency guarantee does Bitcoin provide? Do miners make progress? What does that imply for reorganizing the last block? And so on. Consensus is a complicated topic — quite a few well-established researchers have gotten their own protocol wrong, and while Satoshi nailed Nakamoto consensus, his writings about its properties and the characterization of other work in the area provide us with a glimpse into his understanding of the world.

These thought patterns and idiosyncrasies form a unique signature, the same way code structure forms a unique signature for developers. We used to catch plagiarism in the classroom by simply printing submitted assignments from two different students, holding them up to light, and noting that, among 400+ submissions, only those two happened to be structured in that particular fashion, embodying those unique beliefs.

Having read Satoshi’s writings, I have a very good idea of his unique mental signature. Sure, it can change over time, but ask anyone in the teaching business and they will rant about how hard it is to affect that kind of change.

So, for some time now, every time I converse with someone new, I have been doing a quick comparison to Satoshi.

Craig is not Satoshi

Needless to say, Craig S. Wright did not fit the bill. The Internet has gone to town on his purported credentials and mile-long LinkedIn profile, now wiped. His PhD theses cannot be located, the supercomputer he claims to have built cannot be found, and the support letter from SGI doesn’t read like any other support letter I’ve seen. He is in trouble with the Australian tax authorities, allegedly for having received tax breaks for R&D work that seems not to have taken place. None of this matches what he told me about his background, which was that he was the CTO of an overseas gambling operation.

The Wired story itself pointed out that the entries in his blog that discussed Bitcoin, dated 2008, were inserted in 2013. They contain words like cryptocurrency which were coined in 2010 at the earliest. The PGP keys that were leaked contain references to crypto constructs that were not incorporated into PGP until 2010.

Most importantly, Craig hasn’t thought at all about consensus protocols, and could not have told you much about what makes Nakamoto consensus work. Not only did he lack the content signature, he lacked the content wholesale.

In short, the smell was a mile high. It was clear from my direct PM correspondence with Craig that he was not a protocol or system designer. Perhaps he knew how to set up servers, perhaps a bit more, but this was not Satoshi.

 


Who, then, is Satoshi?

 

Interestingly, I have come across one person who was a perfect fit. That person had the precise same intellectual signature as Satoshi, someone who could have written, word for word, some of Satoshi’s forum posts.

Is that person Satoshi? Well, most likely, though there is a tiny probability that they are instead an intellectual doppelganger, but what if they are Satoshi? Do we have the right to make someone who wants to remain a private individual into a public persona? They literally have fewer rights if we do that.

Is it right to force them to face extortion attempts from the Russian mafia? Everyone known to hold substantial bitcoin, and even those who do not, get extorted by shady characters, and is it fair to place someone under scrutiny from the public, because they did a noteworthy thing that served that very public?

In short, the question of Satoshi’s real identity is flawed and serves only a prurient interest. Responsible journalism ought to serve the public good, not the click count.

Responsible Journalism

I’m surprised that some of the journalists noticed that there were potentially forged portions of the leaked data, and chose to ignore them. Surely, everyone must know how easy it is to forge emails. But, ironically, timestamping services such as the Internet Archive (and also, Bitcoin) are harder to fool. In this case, the Internet Archive seems to have caught the backdated blog posts, which point out a clear attempt to deceive. There’s a big difference between a case that has weak evidence versus a case where the evidence contains forged elements. The latter requires a full explanation of the forger, their relationship to the story, and should put the entire story at risk. You can’t just look past that inexplicable problem and focus on the rest. The story changes the moment a piece of the evidence is forged.

Creation Myths

Every cult and culture needs and deserves a creation myth. Often, the myth itself is kind of blasé: defiant man and woman listen to serpent and steal an apple, wolf leads tribe out of a mountain pass, the sky sleeps with the earth and creates cyclops, giant slays giant and sets the world up for an enormous, no-holds-barred MMA match at the end of the universe, you get the idea. Most of these stories make no sense, and none of them actually matter.

What matters is Satoshi’s actual legacy. Our banking infrastructure is archaic, having been left fallow since the Y2K rewrite. There is very little transparency and auditability in the financial system. There had been precious little innovation in retail banking since 1959 until a few years ago. Even today, banks offer clunky, terrible interfaces to our money.

I’m not going to claim that a virtual currency like Bitcoin is the ultimate solution, or even a contender for a credible solution at the moment. Bitcoin cannot scale to the globe, even with the recent planned improvements, and it has great difficulty on the security front. But there are some novel technical ideas in there that can enrich our global society; some discovered by Satoshi, others by people before him. Responsible media needs to drop the pointless Satoshi manhunt and focus on the technology and its implications. That’s where the real action is.

Dec 10, 2015
 

MIT Tech Review – December 10th, 2015

 


 

“It looked very suspicious,” M says of an anonymous e-mail she and several other journalists received late in 2014. It promised a scoop about a government scandal, but something just didn’t sit right with her. Soon after, strange things started happening on her computer. “I remember clearly not being able to connect via Skype to give an interview about torture,” she says. “There was somehow interference and I had to use someone else’s phone.”

After passing a file attached to the e-mail to security experts, M learned that she and her coworkers had been targeted with Remote Control System (RCS), a sophisticated piece of spying software developed by a small Italian company called Hacking Team. Later, she would find out that it was being used against her by her own government, which likely objected to her reporting. M spoke on condition of anonymity because she fears further reprisals.

M is just one of probably thousands of people who have been hacked with RCS by intelligence and law enforcement agencies that have bought the software. As governments and police departments increase their use of such tools in coming years, there’s reason to think that not only criminals and people who have antagonized an authoritarian government should worry.

After the recent attacks in Paris, figures such as CIA director John Brennan and New York City police commissioner Bill Bratton complained that encryption is neutralizing conventional search and surveillance techniques. That feeling, shared by some European authorities, may deliver a sales boost to RCS, which Hacking Team pitches as a solution to the encryption “problem” because hacking a person’s phone or computer can reveal protected data. And it will help Hacking Team’s competitors. Experts tracking the company say it is just the best-known of many that sell hacking tools that can let even local police use techniques once reserved for national intelligence agencies.

What we know about Hacking Team shows that this new approach is fraught with technological, moral, and legal issues getting scant attention even as access to these tools becomes standard. As they become more widely available to law enforcement agencies, abuses are likelier to occur. “Before hacking trickles down from the FBI to state and local law enforcement agencies, we urgently need to debate if and how such surveillance tools should be used,” says Christopher Soghoian, principal technologist at the American Civil Liberties Union.

 


Offensive pivot

Hacking Team was founded in 2003 as a more traditional cybersecurity outfit by CEO David Vincenzetti, who emerged from the 1990s community of encryption experts and enthusiasts that also incubated Julian Assange of Wikileaks. Corporations hired Hacking Team to test their computer networks for weaknesses, with early clients including Deutsche Bank and Barclays.

A few years later, however, Vincenzetti switched the company to focus on offense rather than defense. Hacking Team started selling software that could infiltrate people’s computers and smuggle out their data without their noticing. Its main product became a package called RCS, the software used to target M.

RCS can infect both PCs and mobile devices. It can copy files from your hard drive, listen in on Skype calls and instant messages, read e-mails before they’ve been encrypted, capture passwords typed into a Web browser, and turn on the microphone and camera to watch or listen to you.

The program can infect a device by taking advantage of security flaws in operating systems and other software; Hacking Team either discovers these vulnerabilities itself or pays other companies for knowledge of them. RCS can get onto a computer through a malware-laden e-mail, as in M’s case, or by someone covertly getting physical access to a device. Some customers deploy RCS by installing a device called a Network Injection Appliance at an Internet service provider, which can steer a targeted person’s Web browser to a phony Web page that smuggles RCS onto his or her system. Customers pay Hacking Team for the software and a system of proxies that keep their communications with the software—and their investigations—under wraps. They also get comprehensive technical support. “The value that they’re adding is the training, consultancy, and ease of use that they can offer to any agent who is unfamiliar with computers,” said Edin Omanovic, a research officer at Privacy International, who has tracked the surveillance industry.

The Italian authorities were among the first clients for RCS, and mafia leaders among the first targets. But Hacking Team rapidly expanded beyond its domestic market, promising customers in slick video ads that they would, among other things, be empowered to “overcome encryption and capture relevant data.”

In 2006, Spain’s spying agency, the CNI, signed up, followed two years later by its counterparts in Singapore and Hungary. Before long, Saudi Arabia, Mexico, Egypt, Sudan, Russia, and Kazakhstan had purchased Hacking Team’s tools for their security agencies. The FBI and some other U.S. agencies also bought licenses for RCS. A wide range of local and even university police forces have also asked Hacking Team to demonstrate its tools. E-mails obtained via the Freedom of Information Act by MuckRock show an ordinary sheriff’s office in Florida worrying it couldn’t “survive” without RCS after seeing a demo, although a sale was never made.

Some of Hacking Team’s customers have used RCS in troubling ways. In 2012, the University of Toronto’s Citizen Lab, which investigates how computer security affects human rights, found that Hacking Team software had been used by the United Arab Emirates government to infect the PC of a political dissident and by the Ethiopian government to break into the computers of journalists working in the United States. “We found some fucked-up stuff,” says Claudio Guarnieri, a security researcher who worked with Citizen Lab on a number of its reports.

Many details about Hacking Team and its clients come from documents released after the company was itself hacked this July. An internal spreadsheet, dated May 2015, suggests that 6,550 individual devices—phones or computers—may have been infected with RCS since 2008. In all, the company sold to around 70 different customers, including governments, which provided over 40 million euros (more than $44 million) in revenue.

Having its dirty laundry aired online didn’t seem to pose too much of a problem for Hacking Team’s business, though, and no customers publicly distanced themselves from the company. “Clients have stuck with us, because I think they recognize the value of what we do, and the superiority of the product,” says company spokesman Eric Rabe. (The CEO, Vincenzetti, declined to be interviewed.)


 

There is a great deal of competition, however, from small hacking shops and large government contractors alike. Gamma International, a company with offices in Germany and the U.K., offers a tool similar to RCS called FinFisher. It has been bought by government agencies and police forces in Australia, Belgium, and Italy. FinFisher was also used by the Bahraini government to target activists, and by the government of Uganda, which Privacy International says used it to blackmail political opponents. Gamma was hacked in 2014 and, like Hacking Team, this year had internal files leaked online but didn’t appear to suffer much. Citizen Lab reports that it has gained customers.

Omanovic says that he knows of around 16 companies that sell products similar to Hacking Team’s. Two weeks prior to our interview he had found another firm based in Israel, and two months before that a new one in South Africa. Guarnieri, who worked with Citizen Lab, thinks there are many more. “I think the most important ones, in terms of size of business and customer base, are still to be revealed,” he says. “They haven’t really got much attention, maybe just because they’ve been better at not getting busted.”

 

Unchecked power

In the U.S., use of tools like RCS to access a person’s data is governed by the Fourth Amendment and the rules of criminal procedure, which means the FBI needs a warrant before it can hack your computer. But the U.S. Department of Justice is in the process of tweaking the rules for securing warrants for “remote access” searches in a way that the American Civil Liberties Union and Google have both complained could significantly widen their use.

When police get access to new surveillance technologies, the tools are often quickly deployed before any sort of oversight is in place to regulate their use. In the United States, the abuse of Stingrays—devices that sweep up information from cell phones in a given area—has become common. For example, the sheriff of San Bernardino County, near Los Angeles, deployed them over 300 times without a warrant in the space of less than two years. That problem is only being addressed now, years after it emerged, with the FBI now requiring a warrant to use Stingrays, and efforts underway to force local law enforcement to do the same. It’s easy to imagine a similar pattern of abuse with hacking tools, which are far more powerful and invasive than other surveillance technologies that police currently use.

Soghoian, the ACLU technologist, believes that a public and political discussion about the power of hacking tools and their growing use by authorities is desperately needed. “I think that many Americans would be shocked to learn that the government can take over their webcam (without the indicator light turning on), or remotely activate the microphone in their laptop or phone,” he says.

It is unlikely that Congress or its equivalents in other Western nations are about to take up the debate Soghoian wants. After recent attacks by the Islamic State and its sympathizers, interest in empowering intelligence and law enforcement is only increasing. And an attempt to limit the sale of tools like RCS to governments with poor human rights records has already faltered. Late in 2013, an arms control pact signed by the U.S. and 40 other countries, the Wassenaar Arrangement, was updated to restrict the export of surveillance technology to certain governments. But the proposed rules in the U.S. were laid to rest after security researchers protested they were too broad and would restrict vital work needed to keep the Internet secure.

The close relationship between vendors of hacking tools and national intelligence and crime agencies might also confer some immunity to regulation. Internal e-mails from Hacking Team show that it met with military officials after the Italian government halted exports of RCS over human rights concerns. The ban was soon lifted.

Guarnieri worries that we are sleepwalking toward a world in which the sale and use of such tools is taken for granted. “If in 10 years we have 50 Hacking Teams in Italy … sabotaging secure operating systems, finding ways to make security software meaningless, that creates a stack of problems that we’re never going to address because it’s been legitimized,” he says.

We appear to have arrived at a crossroads for surveillance without society being much aware, let alone getting to choose the path taken. That has downsides even for people lucky enough to live in places with good civil rights protections. People like M, targeted by her own government for spreading truths it found inconvenient, can only hope that companies like Hacking Team might show some restraint about who they sell to.

Rabe, the company’s spokesman, suggests that’s the case: “Society has always expected law enforcement to conduct surveillance of suspects in order to keep us all safe from fraud, theft, bodily harm, terrorism, and other crimes,” he said in a statement. “Hacking Team provides tools exclusively to government—to be used with appropriate safeguards—that can bypass the encryption routinely employed by criminals and terrorists to attack us.”

But security researchers aren’t buying it. “I believe that one could start a responsible company that sells intrusion solutions,” says Bill Marczak, a senior research fellow from Citizen Lab. “Would such a company have any customers? I don’t know.”

Dec 07, 2015
 

Senate.Gov – Dec 7th, 2015

 


 

In response to the recent growth of cyber-attacks using a type of malicious computer virus known as “ransomware,” Homeland Security and Governmental Affairs Committee Ranking Member Tom Carper (D-Del.) and Chairman Ron Johnson (R-Wis.) sent letters to Attorney General Loretta Lynch and Department of Homeland Security Secretary Jeh Johnson asking for more information about efforts to address the growing threat posed by this new tool used by online criminals.

Ransomware attacks are targeted at a wide range of victims, including individual consumers. After infiltrating a person’s computer, the ransomware virus encrypts a user’s files until a ransom is paid, usually through difficult-to-track online payment methods.  Infected users face the difficult choice of paying the ransom or losing their files forever. State and local government networks have also been targeted by ransomware attacks.

“Cyber-attacks remain one of our nation’s biggest security challenges. As the frequency and severity of cyber-attacks continues to increase, Congress has a responsibility to continue to strengthen our nation’s cybersecurity and encourage Americans to protect themselves online,” the Senators said. “Only by staying a step ahead of the threat can we ensure the security of our citizens. While much attention is paid to what must be done to bolster the cyber defenses at federal agencies and large businesses, all of us are vulnerable to online scams and emerging dangers like the malicious computer virus known as ‘ransomware.’”

The text of both letters is below and PDFs can be found here and here.

Dear Madam Attorney General:

The threat posed by cyber-attacks remains one of our nation’s biggest security challenges. As the frequency and severity of cyber-attacks continues to increase, Congress has a responsibility to continue to strengthen our nation’s cybersecurity. To address this evolving 21st century threat with a 21st century response, we must equip the federal government with the authorities and resources it needs. Only by staying a step ahead of the threat can we ensure the security of our citizens.

While much must be done to bolster the cyber defenses of our federal agencies, a far larger group, including individual consumers, faces a growing threat from a malicious computer virus known as “ransomware.” After infiltrating a person’s computer, the virus encrypts a user’s files until a ransom is paid, usually in the form of Bitcoin or other difficult-to-track crypto currency. Infected users face the difficult choice of paying the ransom or losing their files forever. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) estimate that in less than eight months more than 234,000 computers were infected with a specific type of ransomware named “CryptoLocker.” While only about 1.3 percent of victims paid the ransom, the virus has enabled the extortion of approximately $27 million from infected users in two months.

In June 2014, the DOJ, with the assistance of the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center, scored a major victory against ransomware when it announced that U.S. and foreign law enforcement officials successfully disrupted a large network of CryptoLocker-infected computers and seized CryptoLocker’s command-and-control servers. Possession of these servers allowed the development of a decryption tool that enabled CryptoLocker victims to unlock their infected machines.

However, within a month of this disruption, the FBI’s Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, identified a copycat virus named “CryptoWall.” Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.

To understand more about the DOJ’s efforts to address the growing threat of ransomware, we ask that you please provide the following information and materials:

  1. Since 2005, how many victims of ransomware-related crimes have reported complaints to the Internet Crime Complaint Center? What is the total amount of losses reported from ransomware victims? In addition to the Center’s complaint website, does DOJ or FBI use additional resources to track number of ransomware victims?
  1. Soon after its disruption, CryptoLocker was quickly replaced by similar ransomware programs, like CryptoWall and CryptoDefense. As of December 1, 2015, how many active ransomware-type viruses is the DOJ or FBI tracking?
  1. Both DOJ and DHS, including the United States Computer Emergency Readiness Team (US-CERT) and the United States Secret Service, distribute cyber vulnerability and threat information to individuals, industry, and other stakeholders. How does the FBI share data about ransomware and other cyber threats with DHS? Please describe any joint efforts between DOJ, FBI, and DHS to disseminate cyber threat information.
  1. Does the FBI coordinate with the Federal Trade Commission (FTC) to educate the public about how to mitigate the threat of ransomware? If so, please describe any joint efforts with the FTC.
  1. In testimony before the Senate Committee on Banking, Housing, and Urban Affairs last year, officials from the FBI indicated that that agency’s techniques must evolve to keep pace with increasingly sophisticated botnets. What techniques is DOJ using now to combat botnets, how are those becoming less effective, and what new techniques is DOJ considering to improve its ability to combat botnets in the future?
  1. Despite the successful disruption of CryptoLocker in May 2014, the ransomware scheme’s architect, Evgeniy Mikhaylovich Bogachev, remains at large in Russia. Please describe the challenges of capturing and bringing to justice suspected criminals operating internationally, including in the Russian Federation and other nations.
  1. The disruption of CryptoLocker required coordination between DOJ, DHS, and over a dozen international law enforcement and government entities. How can this coordination be improved? Describe the impediments, if any, to further international law enforcement coordination.
  1. Recent news reports suggest ransomware attackers are also targeting public safety and law enforcement agencies. Have federal, state, or local governments sought DOJ or FBI’s help to remove ransomware from their computers? If so, please describe the nature of any assistance sought, whether agencies have paid ransoms to remove ransomware, and whether DOJ or the FBI was able to decrypt the computer systems.
  1. Do DOJ or its agencies operate or utilize any technology that is or can be leveraged to identify ransomware or ransomware attackers’ command and control servers outside of DOJ? For example, do DOJ or its agencies operate any signature based detection, stateful packet inspection, or deep packet inspection technologies across one or more networks outside of DOJ? If so please describe those technologies, their capabilities and limitations, and their current and planned applications.

The text of the letter to DHS is below:

Dear Mr. Secretary:

The threat posed by cyber-attacks remains one of our nation’s biggest security challenges. As the frequency and severity of cyber-attacks continues to increase, Congress has a responsibility to continue to strengthen our nation’s cybersecurity. To address this evolving 21st century threat with a 21st century response, we must equip the federal government with the authorities and resources it needs. Only by staying a step ahead of the threat can we ensure the security of our citizens.

While much must be done to bolster the cyber defenses of our federal agencies, a far larger group, including individual consumers, faces a growing threat from a malicious computer virus known as “ransomware.” After infiltrating a person’s computer, the virus encrypts a user’s files until a ransom is paid, usually in the form of Bitcoin or other difficult-to-track crypto currency. Infected users face the difficult choice of paying the ransom or losing their files forever. The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) estimate that in less than eight months more than 234,000 computers were infected with a specific type of ransomware named “CryptoLocker.” While only about 1.3 percent of victims paid the ransom, the virus has enabled the extortion of approximately $27 million from infected users in two months.

In June 2014, the U.S. Department of Justice (DOJ), with the assistance of other law enforcement agencies and the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center, scored a major victory against ransomware when it announced that U.S. and foreign law enforcement officials successfully disrupted a large network of CryptoLocker-infected computers and seized CryptoLocker’s command-and-control servers. Possession of these servers allowed the development of a decryption tool that enabled victims to unlock their infected machines.

However, within a month of this disruption, the FBI’s Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center, identified a copycat virus named “CryptoWall.” Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million.

To understand more about the DHS’s efforts to address the growing threat of ransomware, we ask that you please provide the following information and materials:

  1. Since 2005, how many victims of ransomware-related crimes have reported to DHS? Does DHS track the total amount of losses reported from ransomware victims?
  1. Soon after its disruption, CryptoLocker was quickly replaced by similar ransomware programs, like CryptoWall and CryptoDefense. As of December 1, 2015, how many active ransomware-type viruses is DHS tracking?
  1. DHS, including the United States Computer Emergency Readiness Team (US-CERT) and the United States Secret Service, distributes cyber vulnerability and threat information to individuals, industry, and other stakeholders. Please describe any joint efforts between DHS, DOJ, and FBI to disseminate cyber threat information.
  1. Does DHS coordinate with the Federal Trade Commission (FTC) to educate the public about how to mitigate the threat of ransomware? If so, please describe any joint efforts with the FTC.
  1. In testimony before the Senate Committee on Banking, Housing, and Urban Affairs last year, officials from the FBI indicated that agencies’ techniques must evolve to keep pace with increasingly sophisticated botnets that can be used to disseminate viruses like ransomware. What techniques is DHS using now to combat botnets, how are those becoming less effective, and what new techniques is DHS considering to improve its ability to combat botnets in the future?
  1. The disruption of CryptoLocker required coordination between DOJ, DHS, and over a dozen international law enforcement and government entities. How can this coordination be improved? Describe the impediments, if any, to further international law enforcement coordination.
  1. Recent news reports suggest ransomware attackers are also targeting public safety and law enforcement agencies. Have state and local governments sought DHS’s help to remove ransomware from their computers? If so, please describe the nature of any assistance sought and whether DHS was able to decrypt the computer systems.
  1. Over the past 12 months, how many instances of ransomware has DHS been made aware of in federal agencies’ computers? In which agencies and on what systems was the ransomware located and what was the result? Is DHS aware of instances in which federal agencies have paid ransoms to remove ransomware?
  1. How are DHS’s EINSTEIN, ALBERT, and Enhanced Cybersecurity Services intrusion detection and prevention systems leveraged to reduce the instances of ransomware on computers at federal agencies, state and local agencies, and critical infrastructure? How can that be improved?
Dec 07, 2015
 

Defense Systems – December 7th, 2015

 


 

Operations in the cyber domain may once have been seen as distinct from those in the “real world,” but the two are fast becoming inseparable, converging in the Department of Defense Information Network.

“I think DODIN operations, from the enterprise level all the way down to the rifleman radio, is the most complex, most important operation that DOD conducts,” Maj. Gen. Stephen Fogarty, commander of the Cyber Center of Excellence and Fort Gordon, Ga., said at a recent conference. “We are almost completely dependent upon DODIN operations.”

Several of the most critical components for success in cyber – and for that matter, much of the physical world as well – such as intelligence, surveillance and reconnaissance, precision fires, joint logistics and tele-medicine depend on DODIN operations.

 

Information Security

“We are at a point now where the network is not just an enabling or supporting capability, but is a warfighting capability and a warfighting platform,” Fogarty said. “As we start to move into the offensive realm, with cyber capabilities, it becomes even more important to really recognize that fact.”

As a result, the cyber domain is starting to fall under the purview not of specialized cyber warriors but of the commander. “From the defensive to the offensive, [the commander] is the one responsible for integrating all these capabilities, like he is for fires, combat aviation or logistics,” he continued.

And the shared mission works both ways. Maj. Gen. Charles Flynn, commander of the 25th Infantry Division at Schofield Barracks, Hawaii, said the Army’s cyber warriors must also be knowledgeable in land operations, so they’re able to articulate to commanders the available capabilities. “They need to be able to describe to the commanders what they offer,” Flynn said. “I cannot express to you adequately [enough], if you don’t send your best people out there to talk to division corps, and theater commanders, it will set back your efforts more than you can ever imagine.”

Flynn described how cyber liaison officers must understand the broader concepts of warfare and operations – not just technical. Cyber warriors should be able to speak to operational commanders in “doctrinal and simple terms,” Flynn said. “They have to be able to describe what they offer to the commander, or they will be put in what I call the ‘island of misfit toys.’”

The network should also be viewed as a weapons system with bandwidth as a class of supply and data as a munition. This notion was paralleled in a recent report released by the Center for Strategic and International Studies, describing cyber as just another military payload system to augment operations and end goals.

Dec 07, 2015
 

Forbes – Dec 7th, 2015

 

IRS Power To Revoke Passports Signed Into Law

 

The passport provision is now official, as President Obama signed the 5-year infrastructure spending bill. It adds a new section 7345 to the Internal Revenue Code. It is part of H.R. 22 – Fixing America’s Surface Transportation Act, the “FAST Act.” Why are passports covered in the tax code, you might ask? The title of the new section is “Revocation or Denial of Passport in Case of Certain Tax Delinquencies.” The idea goes back to 2012, when the Government Accountability Office reported on the potential for using the issuance of passports to collect taxes.

It was controversial then, but this time sailed through, slipped into the massive highway funding bill, passed here. The section on passports begins on page 1,113. The joint explanatory statement is here, beginning on page 38. The law says the State Department can revoke, deny or limit passports for anyone the IRS certifies as having a seriously delinquent tax debt in an amount in excess of $50,000. Administrative details are scant. It could mean no new passport and no renewal. It could even mean the State Department will rescind existing passports.

 


The State Department will evidently act when the IRS tells them, and that upsets some people. We think of passports when traveling internationally, but some people may find that passports are required for domestic travel in 2016. That could make the IRS hold even more serious. The list of affected taxpayers will be compiled by the IRS. The IRS will use a threshold of $50,000 of unpaid federal taxes. But this $50,000 figure includes penalties and interest. And as everyone knows, interest and penalties can add up fast.

Notably, if you are contesting a proposed tax bill administratively with the IRS or in court, that should not count. That is not yet a tax debt. There is also an administrative exception, allowing the State Department to issue a passport in an emergency or for humanitarian reasons. But how that will work isn’t clear, nor is the amount of time it will take to get special dispensation. You would still be able to travel if your tax debt is being paid in a timely manner, as under a signed installment agreement. The rules are not limited to criminal tax cases or where the government thinks you are fleeing a tax debt.

In fact, you could have your passport revoked merely because you owe more than $50,000 and the IRS has filed a notice of lien. A $50,000 tax debt including interest and penalties is common, and the IRS files tax liens routinely. It’s the IRS way of putting creditors on notice. The IRS can file a Notice of Federal Tax Lien after the IRS assesses the liability, sends a Notice and Demand for Payment, and you fail to pay in full within 10 days.

 

The right to travel has been recognized as fundamental, both between states and internationally. And although some restrictions have been upheld, it is not clear that this measure will pass the constitutional test if it is challenged. Speaking of challenge, it is not off-topic to mention FATCA, the Foreign Account Tax Compliance Act.

FATCA penalizes foreign banks that don’t hand over American account holders. There are approximately eight million Americans living overseas, many of whom are still reeling from FATCA compliance problems.

Dec 07, 2015
 

Ars Technica – Dec 7th, 2015

 

 

France to ban TOR

According to leaked documents, France’s Ministry of Interior is considering two new proposals: a ban on free and shared Wi-Fi connections during a state of emergency, and measures to block Tor being used inside France.

The documents were seen by the French newspaper Le Monde. According to the paper, new bills could be presented to parliament as soon as January 2016. These proposals are presumably in response to the attacks in Paris last month where 130 people were murdered.

The first proposal, according to Le Monde, would forbid free and shared Wi-Fi during a state of emergency. The new measure is justified by way of a police opinion, saying that it’s tough to track people who use public hotspots.

The second proposal is a little more gnarly: the Ministry of Interior is looking at blocking and/or forbidding the use of Tor completely. Blocking people from using Tor within France is technologically quite complex, but the French government could definitely make it difficult for the average user to find and connect to the Tor network. If the French government needs some help in getting their blockade set up, they could always talk to the only other country in the world known to successfully block Tor: China, with its Great Firewall.

Forbidding the use of Tor through legislative means is another option: France could simply make it illegal for people to access Tor. The difficulty there, though, is in the policing of that new law: the country’s ISPs would have to snoop on their users to find out who is using Tor, and then report back to the police. In the UK, where the new Snooper’s Charter may require ISPs to log the last 12 months of user activity, a lot of resistance is being met.

The main problem with such a ban on Tor is that it wouldn’t achieve a whole lot. Would-be terrorists could still access Tor from outside the country, and if they manage to access Tor from within France I doubt they’re concerned about being arrested for illegal use of the network. There is evidence to suggest that the recent Paris attacks were planned via unencrypted channels, too: the Bataclan “go” message was sent in the clear via SMS.

On the other hand, criminalising and/or blocking Tor might affect many other legitimate users of the network, such as whistleblowers, journalists, and anyone else who wants to surf the Web privately.

The proposal to block Wi-Fi hotspots during a state of emergency is slightly more feasible, and you can see where the French government is coming from—but again, it would be technologically very difficult to implement, and the collateral damage would be huge. Millions of people would have to go without public Wi-Fi access, potentially for weeks at a time.

 

On November 20, a week after the attacks in Paris, France introduced new legislation that extended the current state of emergency to three months. At the same time, new laws were also introduced to make it easier for the Minister of the Interior to block any terrorism-related website, and to dramatically increase police powers for searching seized devices. The French prime minister suggested that they may soon make it illegal to merely visit a terrorism-related website, too.

Come January 2016 we’ll see if the French government actually goes ahead with these new Tor and Wi-Fi blocking measures. Hopefully cooler heads will prevail: France is one of the most powerful and influential Western democracies, but it’s also rapidly becoming one of the most illiberal. If France rolls out its own Great Firewall, it would then be a whole lot easier for the UK, Germany, and other neighbouring countries to do the same thing.