integrity


ID08

The second day of Internetdagarna (22/10-08) was spent in the Security track as well, except for the last seminar where I switched to the society track.

The first seminar was “Pålitlig e-post / Anti-spam” which translates to “Reliable e-mail / Anti-spam”. The moderator for this seminar was Jörgen Eriksson from .SE.

First speaker out was Amar Andersson from TeliaSonera and he spoke about “Spam-protection that undermine their own goals”. I can honestly say that I did not follow this well enough as I was very tired this first seminar and I kind of regret it now. However, the main problem presented by him was the lack of coordination and standards in anti-spam prevention methods. He mentioned blacklisting in general and the DUL-blacklist in particular, hostname “naming” (reverse lookups which result in a name containing either “static” or “dynamic”) and how to make sure your e-mails got delivered in this day and age where the requirements for delivery can vary quite a lot from server to server (correct HELO/EHLO messages, correct reverse lookups, SPF and other DNS related issues).

Next speaker up was Bengt Carlsson from Blekinge Tekniska Högskola, who just announced a new project between .SE and BTH. The project name was “säker e-post hantering bland illsinnad programvara” which translates to “Secure e-mail management amongst bad software”.

After this Rickard Bondesson from Linköpings Universitet took the stage to present his research on DKIM, DKIM-milter and DNSSEC implementations. This was a quite long and very informative presentation which stepped through his research in a comprehensive way under the following bullets: Forged e-mail, Prevention of forged e-mail, DKIM, Reliability within DNS, Implementation, Tests, Statistics, Experiences.

After this there was a small moderated panel debate on the topic of Reliable e-mail.

The next seminar was “Parasitekonomin på Internet” which (roughly) translates to “The parasitic economy on the internet”. Stefan Görling from KTH moderated and had one presentation, and the other speakers were two representatives from Lavasoft (you know, the guys behind Ad-Aware) and Martin Boldt (IT-security researcher from BTH).

Görling started out by picking at affiliate systems and the ease of exploiting these services for profit and he worked out from a site that supposedly uses this format in a legit way. He did not go into the malware point-of-view very much but he touched the subject when talking about “mis-spelled domain names default pages” which contain only affiliate links.

The guys (they were two) from Lavasoft then held their presentation which more or less detailed the different types of spyware they had included during the year, and also gave a strange remark saying that TeliaSonera was gaining money from the malware circulating on the internet (as they’re an ISP, they supposedly make profit when having their bandwidth used… hrrm…). This little remark came back to bite them in the ass when a (quite upset) TeliaSonera security employee demanded that they would take that statement back during the Q & A at the end of the session.

Following this, Martin Boldt from BTH discussed reputation systems and automatic EULA analysis. He had researched these areas and they were at this moment involved in creating web browser plugins and applications to enable users to share their thoughts and score on specific applications (binary files). See their project website at www.softwareputation.com for more information. He also noted that this project is still in Alpha stage. The ideas they’re having kind of look like Panda Security’s Collective Intelligence, except it is user generated, not automatic.

When it came to EULA analyzing they’ve taken a harder route than SpywareGuide’s EULA analyzer and they used many different bayesian and similar algorithms in order to define if an EULA is “good” or “bad” with a high level of success. Ideas for the future were to make this automatically integrated into the system so that any EULA boxes could be automatically read and scored.

After this there was a Q&A session and Lavasoft’s statements were quite heavily scrutinized both by the TeliaSonera employee and Netnod’s CEO Kurt-Erik Lindqvist (I think it was him but I only heard the voice, so don’t quote me on this). It seems like Lavasoft’s statement was just illustrating and that they based their assumptions on a US ISP that had misbehaved and in some ways had profited from bad software.

Here I switched room and joined the “Infrastructure and society”-line of seminars. The one I was interested in was “Integritet och övervakning” which translates to “Integrity and surveillance”.

This seminar was moderated by Johan Hallsenius (editor for Computer Sweden) and the debate panel was only populated by pro-Integrity people as none of the invited politicians and FRA-people had turned up even though they were invited. The panel members were Oscar Swartz (debater, writer and blogger), Patrik Fältström (Cisco), Fredrik von Essen (Swedish IT and Telecom Industries) and Daniel Westman (Juridicum, Stockholms University).

The focus of the debate was of course the FRA-law but also dangerous EU-directives and other laws that affect or impede personal integrity. It was an interesting debate, but as “the other side” was missing no hard questions could be discussed. I talked briefly to Oscar Swartz before the seminar and he described it as a “non-debate”, as there was only one point of view from all participants (with small diversions). He wrote a post on “Internetdagarna” on his blog in which he briefly mentions this debate.

It was also to hear what Fredrik von Essen from the Swedish IT and Telecom Industries had to say on this issue.

Unfortunately I had to leave before the Q&A session that followed, so I’m looking forward to the sound recordings that are to be released here.

Some pictures from this day:

[Photos: the integrity debate (two pictures); Martin Boldt (from BTH)]

Photo: Bruno Girin on Flickr - http://flickr.com/photos/brunogirin/

Monica Horten at IPTegrity.com on the “Data retention directive”:

The proponents were the British Presidency and EU justice ministers, who argued that retained data was needed in the fight against terrorism. The directive was opposed by the Internet industry, who found themselves on the same side as privacy campaigners. The industry raised many technical, business and legal issues, highlighting the high cost of implementation and flaws in the directive’s content - it is written from a voice telephony standpoint and ill-fitting for the Internet industry.

Read the full text, which is an abstract of Monica Horten’s masters dissertation, over at IPTegrity.com.

The “Data retention directive” was passed very quickly in 2006 after the 7th July bombings in London. This is a directive that forces ISPs to store traffic data for future analysis by Governments and others that have that privilege.

This is not part of anything I’ve written about lately but it’s still very actual here in Sweden. The Government is preparing to put it into our legislation soon, as they are required to do so by the European Union.

This is the next fight for us in Sweden after the FRA-law and the Telecoms package so it’s worth mentioning and raising some awareness about.

Update: More information here!

Me with my dogs in Smögen, Sweden, 2008. CC ATT-SA 2.5 SE

Hello!

My name is Daniel Nyström and I’m a Swedish citizen.

Many integrity violating, non-democratic and in general dangerous laws are being prepared and handled both in the European Union (Telecom Package and ACTA) and in individual member states and I’m honestly very worried over the overall impact of these laws (that is, the impact of all of these laws together).

I’m sending this e-mail to you in regards to the upcoming vote on the new “Telecoms Package” that (if it passes) will force the EU member states to do registration of political affiliation, religious views, sexual preference and other personal aspects of those expressing themselves online in blogs and discussion forums. It will also encourage the European internet service providers to do arbitrary disconnection of alleged file-sharers based on information provided by commercial interests.

This is something that would damage the freedom of speech and the European Union’s democratic order in a devastating way.

Please also note that if this law/package was to pass, then you (the MEPs) would be outlawing and criminalizing millions of citizens that will refuse to give up their anonymity online when publishing information.

When it comes to the arbitrary disconnection from the internet, there are some serious juridical problems. First off, this will be based on statements from organizations that hold an interest and no juridical process or trial will be involved. This is an extreme violation of human rights (according to me) as everyone has the right to a fair trial before being punished.

Second, there is no chance for an appeal of this “decision”. This is also a breach of human rights.

More information on the Telecoms package and the dangerous parts in it:
http://www.iptegrity.com/index.php?option=com_content&task=blogcategory&id=35&Itemid=62
http://www.laquadrature.net/en/the-%E2%80%9Ctelecoms-package%E2%80%9D-out-shadows-light
http://action.ffii.org/telecom_package

It is very important that you stand up for the European citizens’ rights in this vote and also encourage your colleagues to do the same.

Vote NO!

Thank you for your time,

Daniel Nyström, daniel.nystrom [A T] icmpecho.com, [phone number]


This has been sent to all Swedish (but in Swedish), Scandinavian and Baltic countries so far. Sending to the rest of Europe tomorrow.

I know that my English is not all that great, in particular when it comes to legal words and strong definitions, but I hope it’ll suffice.

Feel free to borrow parts, but again, write in your own words so that it does not get disregarded as a massmail campaign.

You can find the MEPs e-mail add’s HERE!

UPDATE: Links to other blogs writing about the EU Telecoms Package (in English)
- http://this-is-sparta.blogspot.com
- http://nhw.livejournal.com
- http://www.laquadrature.net
- http://www.libertysecurity.org

Photo: saschaaa on Flickr - http://flickr.com/photos/saschaaa/

The Telecoms Package that has so far been pushed very hard through the European Parliament is now very close to the vote and it is high time for action.

If you haven’t been following the debate, visit the following places and get updated:

IPTegrity.com - The Telecoms Package - (about this organization)

La Quadrature Du Net - The Telecoms Package: Out of the shadows, into the light - (about this organization)

FFII.ORG - Call for action on the Telecom package - (about this organization)

What we all need to do now is to show the MEPs that the citizens of the European Union do not want this kind of legislation.

The best and fastest way to do this is to (1) send an e-mail to your own country’s MEP in your own language and then (2) send one to the other MEPs either in English or their own language if your skills are sufficient.

Do not send mass e-mails over and over again. Those get deleted and are not going to get read!

What we need to do is bring forth our concern over this legislation (the Telecoms package) and our concern that it might mean arbitrary filtering of the internet, abrupt disconnection of alleged file-sharers and restrictions of the information freedom on the internet.

The contact details of all the MEPs can be found HERE!

Another thing that you can do is to sign this petition: Throttle The Package!

So get moving people, let’s keep our internet free and unfiltered!

And always remember, your voice counts!

PS. This post was inspired by, and large parts copied from, HAX’s call for action (Swedish). DS.

Box kid
…in a chat with the newspaper Expressen’s readers. The point was that he was going to answer questions and motivate why he voted YES to this disgraceful law.

The chat session was open for one hour and all questions were moderated (this is the way these sessions are done with everyone).

What was gained from this session? Well, first of all I now realise the extreme lack of knowledge of the law that he has helped pass, and also that his views on liberalism are far from sound.

Let me entertain you with some of his answers and my views on those (translated to the best of my abilities):

On the question: “If you had to choose just one argument for the FRA-law, what would that be?”


To protect Swedish citizens from assassination attacks and threats.

OMFG, it’s like Robbie Williams’ “Let me entertain you”, can’t help but smile a bit at his incompetence. No threats of that type could be detected by doing mass surveillance of Swedish citizens’ internet traffic. If anyone out there is planning such an attack they would encrypt their communications or just not do it over the internet. And if they did do it encrypted over the internet, they would use code as others before them have done.

On the question: “What is the biggest misconception among people about the new FRA-law?”

That FRA is going to listen in on or read ordinary citizens’ e-mails.

That is what the law does, Gunnar, it enables FRA to legally use computer systems that intercept and potentially submit any e-mail/traffic for manual inspection. This however is not as big of a problem as the fact that a system exists for this purpose, as there should not exist systems designed to interfere with the integrity of Swedish citizens! It is breaking our constitution! And this guy is calling himself a liberal…

Moving on… On the question: “Don’t you think that it is a major breach of integrity that the government can intercept and read our e-mails?”

Yeah, if it was that way, but it’s not going to be like that. There are strong control stations that shall prevent misuse.

OK, still missing the obvious fact that just intercepting the signal from my network card destined to another is illegal in Sweden, Europe and violating UN’s declaration of human rights. How many bureaucratic control stations you set up DOES NOT MATTER. The system exists and will be misused. We have a history of spy-agencies failing to follow the law in Sweden, and this one has breached it several times already, what says they are not running their own agenda? Nothing…

Next one (this is a good one): “How is it possible to call yourself a liberal and at the same time push through a legislation that enables wiretapping of people’s communication without any suspicion of a crime being committed? That is an impossible equation!”

I do not think so. People have the right to demand from the government that it should prevent attacks and threats against individuals, then it must also be able to carry out surveillance of those that are going to do that.

I’m like a giant question mark after this one… The people are not demanding this law! No one wants it except the government which forcefully pushed you to vote it through! And what about answering the question? During the last election you were crying “Integrity! Integrity!” all over the place, and now you are actually causing a severe impact on it for the people. Get a grip!

Next question and, this time, unintelligent answer: “Do you have understanding for the criticism against that you FRA-lovers so far have not been able to present one single realistic threat against Sweden?”

We do not love FRA, do we. This authority/agency only exists because there are threats against our country and our citizens.

Sometimes when viewing chat sessions like this one you feel like screaming. WTF. There are no threats, you have not been able to present one viable current threat to our nation!!! You keep waving the “Terrorism” flag but nothing realistic. No one wants to bomb our pale asses…

And a final little failed rhetorical failure to the question: “In what way do you think that you would be able to detect an “external threat” with the help of this law? It seems rather unrealistic to think that terrorists would write e-mails which would be intercepted by FRA?”

I’m not an expert on the methods. But sure, you could find some strangeness. Do you think we should stop chasing criminals dealing narcotics because they are not always caught?

Gotta love the “make the other party the bad guy” argument. Lovely. He must have picked that up from our arrogant Minister of Defense. No but seriously, if he is not an expert and does not understand and needs to make a decision in a question of this importance, shouldn’t he educate himself?? Seriously, it is Sweden’s future we are talking about. We are not living in USA where everyone’s just doing as they’re told.

Ah well.. He’s going to be out of parliament at the next election anyways as he has turned more than half of his party against himself.

But it is seriously disturbing to see and interact with the people that supposedly run Sweden when they show this much incompetence and arrogance. They are saying the people have not understood the question, but when we ask them to tell us they have nothing except the good ol’ US-imported Terror threats.

God damnit…