Archive for the ‘surveillance’ Category
Remember that thumbsucker I did on the Great Firewall? Well, here’s some data, via this post (thanks, Jamie). It seems that Fang Binxing, China’s Chief Bellhead, boss of the Beijing University of Post & Telecoms, and king of the great firewall, really is in trouble due to his special relationship with Bo Xilai. He briefly came up on the web to threaten to sue a Japanese newspaper which thinks he was detained for investigation. Then, the former head of Google in China (who obviously isn’t neutral in this) prodded him, and he denied having the power to block the offending story.
The FT, meanwhile, thinks Zhou Yongkang, the head of the security establishment, is on the out. That shouldn’t be overstated because he’s due to retire, but he has been doing a rubber chicken circuit of second-division official appearances, and his key responsibilities have been taken over by others.
Fang is supposedly being replaced by Yan Wangjia, CEO of Beijing Venustech, who was responsible for engineering the Great Firewall. Her company’s Web site is convincing on that score. Here’s the announcement that they got the contract to provide China Mobile with a 10 gigabit DPI system:
Recently, Venustech successfully won the bid for centralized firewall procurement project of China Mobile in 2009 with its 10G high-end models of Venusense UTM, thus becoming the first company of its kind to supply high-end security gateway to telecom operators.
It is said this centralized firewall procurement project is the world’s largest single project of high-end 10G security gateway procurement ever implemented, drawing together most of world-renowned communication equipment vendors and information security vendors such as Huawei and Juniper. Through the rigorous test by China Mobile, Venusense UTM stood out, making Venustech the only Chinese information security vendor in this bid.
Looking around, it sounds like they are the hardware vendor of the Great Firewall, specialising in firewall, intrusion detection, and deep-packet inspection kit for the governmental, educational, and enterprise sectors “and of course the carriers”. Well, who else needs a 10Gbps and horizontally scaling DPI box but a carrier? Note the careful afterthought there. Also, note that they’re the only people in the world who don’t think Cisco is a leading network equipment vendor.
Well, this is interesting, both on the Bo Xilai story and also on the general theme of the state of the art in contemporary authoritarianism. It looks like a major part of the case is about BXL’s electronic surveillance of Chongqing and specifically of top national-level Chinese officials:
One political analyst with senior-level ties, citing information obtained from a colonel he recently dined with, said Mr. Bo had tried to tap the phones of virtually all high-ranking leaders who visited Chongqing in recent years, including Zhou Yongkang, the law-and-order czar who was said to have backed Mr. Bo as his potential successor. “Bo wanted to be extremely clear about what leaders’ attitudes toward him were,” the analyst said.
That’s Zhou Yongkang as in the head of the whole Chinese internal security structure, cops, spooks, and all. Bo’s police chief (and future sort-of defector) Wang Lijun is described as being “a tapping freak”, addicted to the productivity and hence apparent power of electronic intelligence. Not only that, Wang eventually began tapping Bo, who was also tapping the CDIC feds who came down to keep an eye on him.
The practicalities are, as always, interesting.
The architect was Mr. Wang, a nationally decorated crime fighter who had worked under Mr. Bo in the northeast province of Liaoning. Together they installed “a comprehensive package bugging system covering telecommunications to the Internet,” according to the government media official.
One of several noted cybersecurity experts they enlisted was Fang Binxing, president of Beijing University of Posts and Telecommunications, who is often called the father of China’s “Great Firewall,” the nation’s vast Internet censorship system.
It’s worth pointing out that the provincial networks belonging to China Mobile, China Telecom etc. are usually organised as companies in their own right; they often have their own AS numbers, and they often contract for substantial network development projects with Western vendors on their own account (Nokia Siemens recently had a big mobile network contract in Sichuan, notably).
Anyway, Fang’s involvement is very interesting indeed. He is responsible for the state-of-the-art authoritarian solution to the Internet. This is not just, or even primarily, a question of blacklisting websites or turning off the Internet. The Great Firewall’s detailed design, as the Cambridge Computer Lab found out a while ago, is specifically intended to be a semi-permeable membrane. Rather like Hadrian’s Wall, it is more about the gates through it than the wall itself, and the defences point in both directions.
When a computer within it tries to initiate a TCP connection to one outside that is classified as dodgy, the Firewall sends an RST message back to kill the connection. This permits much higher performance than the DNS-based blacklisting typical of, say, the UAE.
It also means that it’s possible to ignore the RST and look through the firewall by using your own firewall utility (specifically, set something like iptables to drop any RSTs for connections in states other than ESTABLISHED before a suitable time has elapsed). However, it would be a fair guess that any traffic doing this is logged and analysed more deeply.
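The check described above, written as a detector rather than a filter, as an added example that is not part of the original post: it walks a constructed packet trace and flags RSTs that arrive before the handshake has completed or too soon after it, plus a TTL that does not match the same sender’s earlier packets (addresses, timings and TTLs are constructed for the example).

```python
"""Flag TCP RSTs that arrive out of step with the connection state.

Added example, not from the original post. It applies the post's rule of
thumb (an RST is suspect when the connection is not ESTABLISHED, or when
it arrives within a settling window after the handshake) to a constructed
trace, and adds a TTL consistency check. The trace assumes the client kept
going after each RST, which is what it would see if it dropped them.
"""
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float      # seconds since start of trace (constructed)
    src: str      # source IP
    dst: str      # destination IP
    flags: str    # subset of "SAFR", e.g. "SA" for SYN-ACK
    ttl: int      # IP TTL as observed at the client


CLIENT = "10.0.0.5"        # placeholder addresses, constructed
SERVER = "203.0.113.7"

# Constructed trace: two injected RSTs with a TTL unlike the real server's,
# one before the SYN-ACK and one 5 ms after the handshake, then a genuine
# RST from the server much later.
TRACE = [
    Pkt(0.000, CLIENT, SERVER, "S", 64),
    Pkt(0.040, SERVER, CLIENT, "R", 118),   # injected: handshake not done
    Pkt(0.120, SERVER, CLIENT, "SA", 52),
    Pkt(0.121, CLIENT, SERVER, "A", 64),
    Pkt(0.126, SERVER, CLIENT, "R", 118),   # injected: too early, odd TTL
    Pkt(0.240, SERVER, CLIENT, "A", 52),
    Pkt(2.000, SERVER, CLIENT, "R", 52),    # genuine close from the server
]


def audit_rsts(trace, client, server, settle=0.5):
    """Return [(packet_index, [reasons])] for RSTs that look injected.

    Reasons:
      'pre-established'  RST seen before the three-way handshake completed
      'early'            RST within `settle` seconds of the handshake
      'ttl-mismatch'     RST TTL differs from the sender's non-RST packets
    """
    state = "CLOSED"
    established_at = None
    seen_ttl = {}        # src -> TTL first observed on a non-RST packet
    findings = []
    for i, p in enumerate(trace):
        if "R" in p.flags:
            reasons = []
            if state != "ESTABLISHED":
                reasons.append("pre-established")
            elif p.t - established_at < settle:
                reasons.append("early")
            if p.src in seen_ttl and seen_ttl[p.src] != p.ttl:
                reasons.append("ttl-mismatch")
            if reasons:
                findings.append((i, reasons))
            continue
        seen_ttl.setdefault(p.src, p.ttl)
        if p.src == client and p.flags == "S":
            state = "SYN_SENT"
        elif p.src == server and p.flags == "SA" and state == "SYN_SENT":
            state = "SYN_RECEIVED"
        elif p.src == client and p.flags == "A" and state == "SYN_RECEIVED":
            state = "ESTABLISHED"
            established_at = p.t
    return findings


if __name__ == "__main__":
    for idx, why in audit_rsts(TRACE, CLIENT, SERVER):
        print(f"packet {idx}: {TRACE[idx]} -> {', '.join(why)}")
```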
Further, there is a substantial human infrastructure linking the media/PR/propaganda system, the police system, and the Ministry of the Information Industry. This uses tools such as moderation on big Web forums, direct recruitment, harassment, or persuasion of important influencers, the development of alternative opposition voices, and the use of regime loyalist trolls (the famous wumaodang).
The firewall, like Hadrian’s Wall or the original Great Wall, also has an economic function. This acts as a protectionist subsidy to Chinese Internet start-ups and a tariff barrier to companies outside it. Hence the appearance of some really big companies that basically provide clones of Twitter et al. Because the clones are inside the firewall, they are amenable to management and moderation.
And none of this detracts from the genuine intention of the people at 31 Jin-rong Street, the China Telecom HQ, to wire up the whole place. Iran’s surprisingly important role providing broadband to Afghanistan and diversionary links to the Gulf reminds us that providing connectivity can be a powerful policy tool and one that you can use at the same time as informational repression.
So, Fang’s achievement is basically a package of technical and human security measures that let whoever is in charge of them command the context Web users experience.
Last autumn, several of the Chinese web startups were subjected to the combined honour and menace of a visit from top securocrats. Tencent, the owner of QQ and the biggest of the lot, got Zhou Yongkang in person. In hindsight, this will have been around the time the CDIC landed in Chongqing.
So, where am I going with this? Clearly, there was serious disquiet that somebody was usurping the right to control the wires. Even more disquieting, the surveillance establishment in Fang’s person seemed to be cooperating with him. And the systems he set up worked just as well for someone increasingly seen as a dangerous rebel as they did for the central government. (In fact, the people who like to complain about Huawei equipment in the West have it the wrong way round. It’s not some sort of secret backdoor they should be worrying about: it’s the official stuff.)
I do wonder, depending on what happens to Fang (he’s still vanished, but his Weibo feed has started updating again), if we might not see a relaxation of the firewall, which the pundits will consider “reform”. In fact it will be no such thing, rather a cranking up of internal chaos to facilitate a crackdown on opposition.
It looks like Daniel Davies’ plan to classify the world into people who file their accounts with Companies House on time, and people who don’t, may be less eccentric than it seems. News International missed, and asked for an extension. Obviously a dodgy lot of bastards. Anyway, check this quote out.
Coincidentally, News International’s company secretary of many years standing, Mrs Carla Stone, has resigned. A filing to Companies House, dated yesterday, stated that her appointment had been terminated. However, I understand that she left the company in February and her formal employment contract ends later this month.
Stone, a fellow of the Chartered Institute of Secretaries, held 212 company directorships in all, almost all of which are subsidiaries of News International and related companies.
You’ve got to like the “coincidentally”, which I take to mean “it is no such thing but we’ve not finished the story yet”. Anyway. The dump of directorships is here, providing an interesting insight into the structure of News International. Am I right in thinking that “Deptford Cargo Handling Services Ltd.” will be the company that owned the Wapping site?
Meanwhile, a colleague of mine asked me an Android question, which I misunderstood as being a question about USSD (you know – like *#06# to get your mobile phone IMEI number, but also including things like *21*some-phone-number# to divert all your calls). As a result, I ended up over here and learned that the network password “tends to be 1919”, which is very interesting in context and might explain a lot. Bonus: this ETSI pdf actually contains something which is otherwise quite annoying to find, a complete and categorised list of the code numbers.
Well, speak of the devil. Peter Foster makes his appearance in the Murdoch scandal and fingers the Sun directly.
He said he then received an email from a Dublin-based private investigator calling himself “Autarch”, who told Mr Foster he tapped into his mother’s phone in December 2002.
That month, The Sun published the “Foster tapes”, which featured transcripts of Mr Foster talking about selling the story of his links with Tony Blair’s wife, Cherie. Yesterday, Mr Foster said he had since had a Skype conversation with the investigator in Dublin, in which Autarch described how he tapped into Mr Foster’s mother’s phone.
“He said she was using an analogue telephone which they were able to intercept,” Mr Foster said. Autarch said he discussed the hacking with Sun journalists.
However, this story – at least this version of it – probably isn’t true. It is true that the first-generation analogue mobile phone systems like TACS in the UK and AMPS in the States were unencrypted over the air, and therefore could be trivially intercepted using a scanner. (They were also frequency-division duplex, so you needed to monitor two frequencies at once in order to capture both parties to the call.) It is also true that they were displaced by GSM very quickly indeed, compared to the length of time it is expected to take for the GSM networks to be replaced. In the UK, the last TACS network (O2’s) shut down in December 2000. It took a while longer in the Republic of Ireland, but it was all over by the end of 2001.
So Foster is bullshitting…which wouldn’t be a surprise. Or is he? TACS wasn’t the only analogue system out there. There were also a lot of cordless phones about using a different radio standard. Even the more modern DECT phones are notorious for generating masses of radio noise in the 2.4GHz band where your WiFi lives. It may well be the case that “Autarch” was referring to an analogue cordless phone. Because a lot of these were installed by individual people who bought them off the shelf, there was no guarantee that they would be replaced with newer devices. (Readers of Richard Aldrich’s history of GCHQ will note that his take on the “Squidgygate” tape is that it was probably a cordless intercept.)
This would have required a measure of physical surveillance, but then again so would an attempt to intercept mobile traffic over-the-air as opposed to interfering with voicemail or the lawful intercept system.
The Daily Beast has a further story, which points out that the then editor David Yelland apologised after being censured by the Press Complaints Commission (no wonder he didn’t go further in the Murdoch empire) and makes the point that such an interception was a crime in both the UK and Ireland at the time. They also quote Foster as follows:
According to Foster, the investigator told him that, for four days at the height of Cheriegate, he had been sitting with another detective outside Foster’s mother’s flat in the Dublin suburbs, intercepting and recording the calls to her cordless landline.
The Sun hardly made any effort to conceal this – they published what purports to be a transcript, as such.
I thought it might be interesting to establish some timeline information about News International e-mail disclosures and deletions, in the light of this piece in the Torygraph. As we know, the Telegraph is now opposed to the Osborne/Gove Murdoch group in the Tories, so it has no reason to carry water for Murdoch.
31st September 2004 – According to News International Chief Information Officer Paul Cheesborough, NI archived e-mail up to this date was deleted.
2005 – NI solicitor Julian Pike will later say that e-mail exists up to 2005. See 23rd March 2011.
Kickoff – 2006. 1st police inquiry into Glenn Mulcaire and Clive Goodman. Police raid Wapping, only search Goodman’s desk, by agreement with NI management.
29th November 2006 – Goodman and Mulcaire convicted.
“Early” 2007 – 2,500 e-mails disclosed to Harbottle & Lewis in parallel litigation (Goodman’s employment tribunal).
29th May, 2007 – Harbottle & Lewis write to NI, saying they reviewed them and found nothing.
31st September 2007 – E-mail from before this date was meant to be deleted (see January, 2011). NI operates a policy of flushing e-mail every three years, clearly.
December, 2007 – James Murdoch becomes the boss.
2008 – First civil litigation against NI, NI becomes bound to preserve evidence.
April, 2008 – James Murdoch authorises Gordon Taylor’s payoff.
November, 2009 – E-Mail Deletion Policy announced internally.
eliminate in a consistent manner across News International (subject to compliance with legal and regulatory requirements) emails that could be unhelpful in the context of future litigation in which an NI company is a defendant
November, 2009 – reports of frequent outages in the e-mail archive system.
January, 2010 – It is decided to destroy all archive e-mail before this point.
April, 2010 – HCL deletes three data sets. One is a public folder on a production (rather than archive) server “owned by a user who no longer needed the emails”.
May, 2010 – NI exec demands to know if e-mails destroyed.
May, 2010 – 200,000 delivery status notification messages deleted, plus 21,000 messages in an outbox, during recovery from system failure.
June, 2010 – NI solicitor, Julian Pike, will claim, falsely, that all e-mail before this point has been destroyed. See December 2010.
29th July, 2010 – “How come we still haven’t done the e-mail policy?” i.e. the deletion has not yet happened.
July 2010 – William Lewis joins NI.
4th August, 2010 – “Everyone needs to know e-mail before January 2010 will not be kept” i.e. still not deleted.
6th September, 2010 – Sienna Miller’s lawyers demand that e-mail be preserved.
9th September, 2010 – IT employee says “there is a senior management requirement to delete this data as quickly as possible but it need to be done in commercial boundaries”. i.e. data still there, and contractual issues with the IT outsourcers holding up the process.
September, 2010 – unspecified deletions of “historic” e-mail in connection with system stability problem.
October 2010 – News International papers move. Hard disk drives in NI workstations (not just the NOTW) are replaced and destroyed, but serverside e-mail is backed up at least in part.
December, 2010 – NOTW Scottish Editor Bob Bird tells Sheridan trial that the archived e-mail has been lost en route to HCL in Mumbai. This is entirely false.
December, 2010 – Julian Pike, solicitor for NI from Farrar & Co., tells the High Court that no e-mail exists beyond six months ago. This is also false.
January, 2011 – Paul Cheesbrough, News International IT chief, says archived e-mail back to 31st September 2007 has been destroyed. This is false.
January, 2011 – HCL are asked to destroy a particular database, refer NI to system vendor.
January, 2011 – NI executives demand destruction of 500GB of e-mail held at Essential Computing, Bristol. See 8th July 2011.
January 7th, 2011 – Miller’s lawyers release information about their case to NI in discovery.
January 12th, 2011 – NI managers order a halt to deletion, and give instructions to preserve e-mail.
Later in January, 2011 – 3 e-mails given to police. New police inquiry begins.
February, 2011 – some e-mail is lost in a software upgrade.
March 23, 2011 – “Don’t tell him!” Pike apologises to the High Court, admits that no e-mail has gone missing in India, admits that archives exist back to 2005. Pike blames Tom Crone, who claims that he was misled by another, unnamed NI executive.
June, 2011 – Information Commissioner abandons inquiry into e-mails disappearing from NI. NI had claimed that the data had disappeared en route to India.
July, 2011 – (i.e. in full crisis mode) an NI exec travels to “the company storage facility” and removes 6 boxes of unspecified records regarding themselves (possibly same person who spoke to Crone).
7th July, 2011 – Evening Strangler first reports NI bribes to police.
8th July, 2011 – Key Guardian story. An NI executive, not named but apparently identified by police, demanded the destruction of 500GB of archive e-mail in January 2011, around the time of the resumed police inquiry. First mention of another IT outsourcing company, Essential Computing, in the UK.
Police believe they have identified the executive responsible by following an electronic audit trail. They have also attempted to retrieve the lost data. The Crown Prosecution Service is believed to have been asked whether the executive can be charged with perverting the course of justice.
At the heart of the affair is a data company, Essential Computing, based near Bristol. Staff there have been interviewed by Operation Weeting. One source speculated that this company had compelled NI to admit that the archive existed.
The Guardian understands that Essential Computing has co-operated with police and provided evidence about an alleged attempt by the NI executive to destroy part of the archive while they were working with it. This is said to have happened after the executive discovered that the company retained material of which NI was unaware.
This seems to be a critical moment.
10th July, 2011 – William Lewis of NI discovers 2007 e-mail dump to Harbottle & Lewis, finds evidence. Only finds 300 out of 2,500 messages – rest still unaccounted for.
July, 2011 – Management & Standards Committee starts functioning with managers from News Corp outside the UK, cooperating with police.
July, 2011 – New York Post staffers ordered to preserve documents. Probably reflects News Corp strategic decision to cooperate.
July, 2011 – some e-mail is deleted by HCL due to inconsistency between systems after a migration.
September 7th, 2011 – HCL representatives tell House of Commons that NI demanded deletion of e-mail on 9 occasions starting in April, 2010.
September 13th, 2011 – A large quantity of e-mail is discovered at News International.
October, 2011 – Computer forensics work begins on supposedly deleted e-mail archives.
December, 2011 – “Data Pool 3” e-mail archive is successfully restored from backup.
In a perfectly normal Jamie Kenny comments thread, weird machines are seen, circling the skies of West Yorkshire. What’s up is that someone has been reading Richard Aldrich’s book on GCHQ (my five-part unread series of posts starts here and refers here).
Basically, the intelligence services maintain various capabilities to acquire electronic intelligence. As well as ground-based and maritime systems, these include the (temporarily reprieved) Nimrod R1s, the Shadow R1 based on the Beechcraft King Air, and a group of three Islander planes which seem to be based in the UK permanently. Aldrich describes these as being used to hoover up mobile phone traffic, and claims that voiceprint data collected in Afghanistan from Taliban radio intercepts is compared to the take in an effort to identify returnees.
However, he also suggests that the interception is of backhaul, rather than access, traffic. This is unlikely to yield much in the UK, as typical cell sites here were originally set up with between two and a dozen E-1 (2Mbps) leased lines depending on planned capacity. For many years, Vodafone was BT’s single biggest customer. More recently, a lot of these have been replaced with fibre-optic cable, usually Gigabit Ethernet, quite often owned by the mobile operator. O2 got some microwave assets in the demerger from BT, so they may have used more. But in general, 3G operators have been pulling fibre since 2005 or thereabouts.
I would therefore tend to guess that it’s the access side. There are good reasons to do it this way – notably, requesting surveillance of someone’s phone, whether via the Regulation of Investigatory Powers Act or via the Dodgy Ex-Copper Down the Pub route, usually requires that you know who you’re looking for quite specifically. That is to say, you need to know an identity that is likely to be in a given phone company’s database. Also, in some use-cases you might want imperfect but live coverage rather than a giant pile of data weeks later.
Listening in to radio doesn’t work like that, and could be done more secretly as well. I’m not particularly convinced by the idea of trying to match “voiceprints” – it sounds a bit Nemesysco, and in this case, the sampled voice would have first gone through whatever radio system the Taliban were using (which will have filtered out or just lost some information, and also added some noise and artefacts) and the target would have been filtered by the voice codec used on their phone, which throws away quite a bit, as well as by the network’s acoustic echo cancellation if the call is inbound. Also, they might be speaking a different language, which may or may not make a difference but won’t help.
Perhaps they have some magic, or perhaps this is a cover story. This happens to be the most difficult case of a speaker identification system – it’s identification rather than verification (so the number of possible alternatives scales with the size of the population), it’s an open set process (no bounds on who could be in either group), and it’s wholly text independent in both samples (no way of knowing what they are going to say, and no reason to think they will say it twice). There are methodologies based on high-level statistical analysis, but these require long-term sampling of a speaker to train the algorithm, which gives you a chicken-and-egg problem – you need to know that you’re listening to the same speaker before you can train the identification system. Of course, other sources of information could be used to achieve that, but this makes it progressively harder to operationalise.
Anyway, doing some background reading, it turns out that a) speech perception is a really interesting topic and b) the problem isn’t so much the quality of the intercept (because speech information is very robust to even deliberate interference) as just the concept of voiceprint identification in general. Out of Google-inspired serendipity, it turns out Language Log has covered this.
In lab conditions with realistic set-ups (i.e. different microphones etc. but not tactical conditions and not primarily with multiple languages), it looks like you could expect an equal-error rate, that is to say the point where the false-negative and false-positive rates are equal, of between 3% and 10%. However, the confidence intervals are sizeable (10 percentage points on an axis of 0-40 for the best performing cross-channel case). Obviously, a 3% false positive rate in an environment where there are very few terrorists is not that useful.
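The equal-error rate and the base-rate arithmetic from the last two paragraphs, worked through as an added example that is not part of the original post. The match scores are constructed (higher means “more likely the same speaker”); the threshold sweep finds where false-accept and false-reject rates cross, and `precision_at` shows what a 3% error rate buys you when genuine matches are rare.

```python
"""Equal-error rate and base-rate arithmetic for a speaker-ID system.

Added example, not from the original post. Scores are constructed: one
list for trials where the two samples really are the same speaker, one
where they are not. The system must pick a single score threshold, and
the EER is the operating point where the two error rates are equal.
"""

# Constructed match scores in [0, 1].
GENUINE = [0.91, 0.88, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.63, 0.52]
IMPOSTOR = [0.12, 0.20, 0.25, 0.31, 0.38, 0.44, 0.50, 0.55, 0.58, 0.71]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_reject_rate, false_accept_rate) at a threshold.

    A trial is accepted when its score is >= threshold, so genuine trials
    below it are false rejects and impostor trials at or above it are
    false accepts.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold; return (eer, threshold).

    With finite data the two curves rarely cross exactly, so the EER is
    taken as the mean of FRR and FAR at the threshold where they are
    closest.
    """
    best = None
    for thr in sorted(set(genuine) | set(impostor)):
        frr, far = rates(thr, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, (frr + far) / 2, thr)
    return best[1], best[2]


def precision_at(far, frr, prevalence):
    """Share of flagged speakers who are real matches, at a given base rate.

    The post's point: with false_accept = 0.03 and a population in which
    only one caller in a thousand is a genuine target, almost every alarm
    is a false one.
    """
    hits = (1 - frr) * prevalence
    false_alarms = far * (1 - prevalence)
    return hits / (hits + false_alarms)


if __name__ == "__main__":
    eer, thr = equal_error_rate()
    print(f"EER {eer:.0%} at threshold {thr}")
    print(f"precision at 3% errors, 1-in-1000 prevalence: "
          f"{precision_at(0.03, 0.03, 0.001):.1%}")
```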
A while ago I noticed that a detailed story in Le Monde about their telecoms-interception-scandal-of-the-week had bizarrely vanished from their archives. It is baaack and I can share it with you! So if you read French and want to know what happens, in operational detail, when a prosecutor orders an illegal trawl of call-detail records to find out if a journalist has spoken to another prosecutor, there you go.
Actually, there is no dog, but they did track down his daughter’s pony.
Following up on the earlier post about IMSI catchers and shopping malls and Hezbollah, I wanted to link to a really excellent piece in Le Monde about mining call-detail records (“fadettes” in French, from “facture détaillée téléphonique”). The URI, here, now leads to an annoyingly cutesy 404 page. However, the search function turns it up and even shows it as being free…but the link it returns doesn’t work.