There is no 'I know what I am doing' trump card in security

Ever since Edward Snowden revealed details of the NSA’s PRISM program, I had been wanting to write something about it.
While most people in the security community are rather unhappy, if not outraged, about PRISM, a lot of focus has been on the fact that the NSA is apparently evil.
While this may be true, I don’t think it is relevant. Of course, no one wants to be spied upon by an organisation they consider evil. But what I think is relevant here is that even if the people at the NSA are good and well-meaning, mass surveillance is still very wrong. (As Robert Graham put it: “NSA is wrong, not evil”.)
So, inspired by the Black Hat keynote given by the NSA’s director, Gen. Keith Alexander, I wrote a blog post about it:

We have all been there. To continue the product you’re working on, you need to get some extra permission: a port needs to be opened, or perhaps some files need to be uploaded onto a protected system. You ask the IT department for this permission and, much to your frustration, they won’t give it to you until you’ve explained in full detail why you need it, and even then they will have to check with their management.
“But I know what I’m doing. And my manager says it is fine.”

Read the rest of the post at Virus Bulletin.


On Twitter and Censorship

I wrote this post back in 2012 on a blog that I set up for that purpose. I decided to copy it here, because I still think it’s relevant.

I like Twitter.
Not just because I like microblogging — which I think is great — but I like them as a company too. Yesterday’s announcement made me like them a little more. In fact, as it has been misreported widely and unfairly as ‘Twitter introduces censorship’, it prompted me to finally start this blog.
At a first glance, it doesn’t sound too good: Twitter has given itself the ability to block tweets on a per-country basis. “Censorship!” people have been screaming and that’s what it sounded like to me as well.
But wait: Twitter can already delete tweets when it sees fit to do so. In fact, it has done so in a number of cases when it was required by law. Failing to comply with legal demands to block tweets could mean the company is shut down altogether and its employees arrested.
But most of such demands (the US, where Twitter is registered as a company, may be an exception, but I’m not a legal expert) only affect the visibility of the relevant tweets in certain countries. For instance, as Twitter points out, pro-Nazi content is illegal in Germany and France but not in most other countries. Rather than deleting the tweets altogether, Twitter will only withhold them from users in the relevant countries. The announcement thus means that, in fact, there will be less censorship.
But what about repressive regimes? Didn’t Twitter play an essential role in the Arab Spring? And will they now start to block all political tweets from Syria, as no doubt these are illegal under local laws?
I think you have to be very cynical to believe that to be the case. As far as I’m aware, they have never removed any political tweets. And the chances of Twitter opening an office in Damascus — in which case it would have to comply with Syrian laws — seem pretty low, at least under the Assad government. I think it’s much more likely that the Syrian government will block Twitter altogether.
In which case, as with Twitter withholding certain tweets in certain countries, there are many ways around it. In its final days, the Mubarak government in Egypt tried to curtail protests by shutting down the Internet altogether. They failed.
Shouldn’t Twitter just ignore those demands to block content? Yes, they should. But they have to obey the law, which means they can’t. Within the law, it seems like they are doing everything they can. They even say they will make it clear when a tweet is withheld from the user and will post all takedown notices on Chilling Effects.
Of course, we will have to wait and see how well Twitter lives up to these promises, including the promise to only remove tweets reactively, not pro-actively. I am positive they will, though. And until I am proven wrong, I will continue to love and praise Twitter.