Sunday 14 July 2013

What if Microsoft is telling the truth about Skype?

Snowden’s NSA documents appear to be genuine. So, it’s likely that PRISM is increasingly monitoring Skype audio and video data. Additionally, Microsoft will have worked for many months with the FBI and NSA which now enables PRISM to access Skype sessions without the need for separate governmental authorization.

Considering that the NSA cooperates with other security agencies worldwide, this is worrying for environmental activists, as they are likely subjected to government scrutiny of their digital communications. Because activists usually have fairly limited resources (time, money, knowledge) to implement adequate security measures, this can seriously endanger the success of environmental activities. Good security measures are therefore needed in order to minimize or even prevent governments listening in when activists communicate and cooperate with each other using off-the-shelf, easy-to-use digital collaboration tools like Skype.

Microsoft denial

Microsoft, on the other hand, vehemently denies that it gives authorities direct access to its Skype product. Their statement is: “To be clear, Microsoft does not provide any government with blanket or direct access to SkyDrive, Skype or any Microsoft product.”

On its law enforcement webpage, Microsoft argues that it has no legal obligation to enable its Skype product for wiretapping: “The U.S. law, Communications Assistance for Law Enforcement Act, does not apply to any of Microsoft’s services, including Skype”. Instead, “Luxembourg and EU law apply to Skype. Law enforcement requests for Skype records are processed through Luxembourg in the same manner now as before the Microsoft acquisition.”
This would mean that, with regard to providing customer data, the “European Data Retention legislation” will apply, which only covers “non-content” data, i.e. metadata. Any request to hand over VoIP content data will, from a purely legal perspective, be rejected with regard to Skype since, in Europe too, VoIP applications are not legally required to be wiretappable. In several countries, including the USA, requests to change the law in this respect are currently being discussed. The only content data Microsoft is legally obliged to hand over when it accepts an official governmental request is data stored in the Skype user account, i.e. profile details and most likely the user's password hash.

So, if Snowden's NSA documents point to the NSA having free access to Skype voice and video but Microsoft denies that they provide such direct access, somebody is apparently lying. In most public media the overall picture is that we should not trust Microsoft. The general opinion is that the company does provide a hidden backdoor into its Skype product and/or that it has provided decryption possibilities to the NSA. 

An alternative scenario

Just for argument's sake, I thought it would be interesting to try to identify a scenario in which nobody is lying. So, let's say that Microsoft is telling the truth. They do not provide any government with blanket or direct access to their products, there is no hidden backdoor in Skype and they did not hand over any kind of encryption key to the NSA. What scenario can we come up with then? Well, such a scenario might be scarier than one would expect.

Although Microsoft engineers seem to have helped the FBI/NSA to tap into the Skype application we have not (yet) seen any detail on how this access is technically done. It is generally known however that the NSA employs highly skilled hackers and it would not be a crime for Microsoft to provide consulting services to the NSA in order to help them to hack into its products, including the Windows Operating System.

By doing this, Microsoft does not give direct access. It merely provides consulting services which could also have been provided by other, specialized companies. But Microsoft will be much more effective, as they clearly know all the intricate technical details of their own software. By providing these consulting services Microsoft will not hand over any front door keys. Instead, Microsoft consultants can help NSA hackers to find ways to compromise the Windows Operating System more effectively, and to quickly identify new vulnerabilities that, while still unknown to the public, can be exploited (zero day), even if only temporarily (window of opportunity). New vulnerabilities are appearing all the time, so this is not a one-off thing. It is already publicly known that Microsoft (as well as other firms) “provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix”. And finally, but now I am stretching it, Microsoft might even give the NSA sight of (some of) its internal source code that is not publicly available, which could make identifying new vulnerabilities even easier and more effective.

Such early warning knowledge, accompanied by high quality consulting, could result in an ongoing stream of dedicated Trojans, worms, zero day exploits, and possibly also a very effective rootkit that no scanners, not even Microsoft’s own, would be able to detect. A consulting service would not be illegal, would be commercially defensible (others are doing it too) and would also not contradict Microsoft’s statement about not providing direct access to their products, because they don’t.

No secure alternatives

This scenario is as scary as Microsoft merely building in hidden backdoors. Such consulting services simply give the NSA all the knowledge to increase its ability to very effectively hack into the Windows Operating System and compromise any application that is installed on it. This will also bypass encryption. According to Edward Snowden this is actually happening: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” It is interesting to note that Microsoft also points in this direction on its law enforcement page regarding the security of Skype: “In addition, the end points of a communication are vulnerable to access by third parties such as criminals or governments”.

Environmental activists generally are, and should be, worried about government scrutiny of their digital communications. They must however realize that, no matter which communication and collaboration application they choose and despite all the encryption they add on top, these measures can be bypassed. Under the above scenario, Skype would be as secure or insecure as any other encrypted communication tool. So, despite the recent PRISM upheaval, ditching Skype and moving to another communication/collaboration tool might not make a difference. It is not a secretly hidden backdoor in Skype we should be worried about; it is the security of the whole environment, including the underlying operating system, that matters, and governments hacking into it. No application, neither closed nor open source, will be able to withstand the invasive power of highly professional, continuous research for zero day exploits, dedicated Trojans or highly professional rootkits targeted at the underlying operating system.

So, if Microsoft is telling the truth in its statement about the security and privacy of Skype, we should be worried as much as if it was a lie. No communication and collaboration application will be safe. By merely focusing on the end user application, we might be looking in the wrong direction.

The solution

What should environmental activists who are worried about government scrutiny do? If your communications must be secure, make sure, very sure, that the operating system you are running your communication/collaboration application on can be trusted. If the operating system has been used for a while, e.g. for browsing the internet or receiving email, you should consider it to be insufficiently secure for highly sensitive communications. This will be fairly similar for both closed and open source operating systems and applications, as both have potential (zero day) vulnerabilities that can be found and exploited. No matter how many antivirus scanners you are running, targeted and/or as yet unknown Trojans will not be picked up. Secondly, use good security practice: only install applications you know you can trust, always use strong passwords and be very vigilant when receiving all kinds of external digital communications.
For sensitive communication, activists must make sure they have a freshly installed machine which has not been connected to the internet before, which is fully patched before going online (preferably using local copies of the original update files) and where the hardware platform (e.g. laptop) has been under personal control all the time. All these measures are effective, however, only up to the point where we can trust the integrity of the applications that we install.

And what if it turns out that, despite its strong denial, Microsoft has been lying? What if this company actively builds hidden backdoors into its software in order to enable spying by governments? If this is so, then we should realize that, logically, in many jurisdictions this will not be different for other big corporations such as Apple, IBM, HP, Intel, AMD, Samsung, Blackberry, Lenovo, Huawei, etc. Notice these vendors provide both software and hardware? If we cannot trust these firms because they collude with their governments, then we must be very afraid because, even with only open source software solutions, there will be nowhere to hide.

Monday 8 July 2013

Stop agricultural warfare

As a father of three young children I want my kids to be able to eat good quality food, not only now but also in the future. Nevertheless, the risk of decreasing food quality and availability in the near future is imminent. Our current agricultural system is under pressure, risks being unable to deliver sufficient food in the years to come, and does not always provide the quality that my wife and I desire for our children. Why is this?

oil in agriculture
Our industrial agricultural system is simply unsustainable. Energy, mainly oil, required to produce agricultural products is used in enormous quantities. Oil to run machines that work the land and power trucks, ships and even airplanes to transport agricultural produce from central production locations to our stores. And also the production of fertilizer and pesticides is extremely oil gobbling. As a result, in order to yield 1 calorie of food we have to spend 10 calories of energy.

Since it is no secret that oil is a finite natural resource, we will need to fundamentally change the way we do agriculture. An energy efficient replacement for this dominant energy source does not yet exist.

Besides the energy challenge, industrial agriculture also creates environmental problems. Large areas of land are used to grow a single type of crop (monoculture) and, in order to compensate for the resulting loss of fertility of the topsoil, farmers are using increasing amounts of fertilizer. Secondly, a monoculture environment is a haven for insects and weeds that are specialized to live off a single type of crop. So farmers must put a lot of effort into keeping pests away from their produce. But farmers have to spray more and more, as pests keep adapting when things change and, as a result, become resistant to pesticides.

There's a war going on

Industrial agriculture can be seen as an oil consuming, constant fight between the farmer and his natural environment. Basically, industrial agriculture is like modern warfare where fertilizer and pesticides are used as the main weapons. A scary thought when we realise that these pesticides are based on the same ingredients as the chemical weapons that were used in the second world war.

In war the military often talk about collateral damage if, e.g., civilians are hurt or even killed during an attack. This is not very different in agricultural warfare, as we, the consumers of agricultural products, are also exposed to pesticides: sometimes directly from aerial spraying, in case you happen to live near farmland, or less directly through the chemical runoff from agricultural land, which can pollute nearby fields, rivers and ultimately the sea. It is also possible that chemical residues end up in our food, which is not very healthy either. So it will be clear that there is a significant amount of collateral damage happening in agricultural warfare.

Where does this bring us? Do we have alternatives? Are we able to feed an increasing global population by doing things differently? If you ask the big corporations you will most likely hear a no. We can only increase yields and ensure continuous productivity within the agricultural system if we rely on technology; i.e. better fertilizers, smarter pesticides and genetically modified crops that are resistant to insects, weeds and also to the pesticides we must use. But, as explained above this is a cat and mouse game; a game that will never end. Undoubtedly this game benefits large corporations which produce high tech agricultural products and can thereby make large profits. But the current way of working is not healthy for us humans, it is not sustainable in the long term and also not ethical, as war is not ethical.

A diverse, decentralized alternative

Can we design a food production system that is at peace with its natural environment, including us humans, and which is able to provide enough food for an increasing global population? The answer to this question is: yes we can, although for this to be successful we must be willing to adapt our diet, as it will involve choosing products that can be produced locally.

We can largely shift from centralized, simple monocultures to localized, complex and diverse agricultural systems. We can end our warfare-based, resource-hungry, oil-dependent agricultural industry and move to a peaceful, low-energy, oil-independent agricultural environment. With our extensive knowledge and understanding of how nature works we are able to design agricultural systems that require only a small amount of energy, that do not require the use of pesticides and fertilizer and that generate yields which are at least three times higher than the traditional agricultural industry can provide. This approach is called Permaculture.

One important benefit of Permaculture is the ability to produce our food locally, exactly where it is needed. This significantly reduces the need to transport large quantities of food from central parts of the globe over long distances, thereby greatly reducing the amount of energy needed to ultimately get the food on our table. A small price that we have to pay for this is that, alas, we can no longer eat strawberries in winter. Another significant benefit of Permaculture is that it eradicates the need for artificial fertilizers and pesticides.

Grow your own

More and more people are starting to realize that our dependence on centralized, industrial agriculture and oil is not only unsustainable in the long run, but also does not provide the quality of food that we, as humans, need. As a result an increasing number of people are turning their own gardens into edible gardens, or joining forces and collaborating to turn a nearby piece of wasteland into a local food production system. A system that not only feeds many but also creates social cohesion and friendships in a neighbourhood which would not have existed otherwise. And this is a non-reversible process. Local food production systems will continue to grow. Not only because people understand there is no alternative but also because it is enjoyable and rewarding. So I invite you to stop supporting the agricultural war and start to grow your own food. Either by yourself in your own garden or together with your neighbours on a nearby plot.

This will ultimately allow us to get away from agricultural warfare and move towards a green peace. A green peace where food production is in harmony with its environment, which has a high enough yield to feed all of us and which is sustainable in such a way that it will keep feeding us forever. This makes me feel more confident that also in the future, my children will have access to sufficient and good quality food.
