Hacking Team: Silence On The Wire

Sometimes, what isn’t told is more important then what actually is.

None of the Italian mainstream primetime talk shows, usually very fast in arrange a panel of “experts” to help Joe Sixpacks’ audience understanding what’s the fuss, spent a single second with the Hacking Team case. And the news already lost its momentum on the newspapers.

Next week, nobody will ever remember what happened and in a couple of months everything will be back to business as usual…

My Two Cents on the Hacking Team Hack

What happened to Hacking Team neither is the first nor will be the last time a security company that lives by the sword, dies by the sword. Neither this is the first nor will be the last time that huge quantity of critical data are made available through the Internet.

So, to some extent, there is actually nothing new under the sun in the fact itself. This is why – putting aside the legal issues involved – I can hardly understand all the rants aimed at Hacking Team.

It is interesting, though, analyze the “claims” that some “expert” did about the story. To make my points, instead of talking about someone in particular, I’d rather refer in general to the accusations made against HT, so:

  1. Hacking Team has been “unethical”. A company is just supposed to be legally compliant. Ethic is a horse of different colours: it’s a personal thing, is relative and – thank to the French Revolution – is not mixed with laws. As soon as Hacking Team didn’t break any law by selling its stuff, it can’t be blamed because “money doesn’t smell”.
  2. Hacking Team sold its technology to human-rights bashing countries. While I’m in the digital rights world since 1994, I wasn’t aware that there were so much human-rights (keybord) warriors… Anyway, as soon a state has a seat in UN, and the sell is compliant to international laws and treaties (such as the Wassenaar Agreement), doing business with it shouldn’t raise any concern (as international weapon dealers are well aware of.)
  3. Hacking Team has jeopardized investigations and covert activities all around the world. No, the investigation have been jeopardized by the choice made by governments of “going private” instead of developing in house its intelligence-gathering tools, and by the lack of a “Plan B” in case things – as just happened – screwed up. In particular, is rather curious that nobody checked the fact that the HT’slicense was associated to the customer identity in clear, instead of using a nickname or a cipher.
  4. There will soon be a “black” Hacking Team’s software clone that will be used against the “good guys”. This malware is far from being the “only kid in town” and the Internet is full of brilliant (rogue) programmers able to build a “HT-like” software. So this statement is just a nonsense.
  5. The are hints suggesting that Hacking Team’s malware has been exploited to plant fake evidence in the targeted computer. So what? Blackmailing is a standard tool-of-the-trade in the intelligence world and the way this is done is irrelevant. And to shut down the disturbing voice of a political opponent it’s easier to frame him with conventional means (drugs, sex) that are cheaper while very effective, then using a costly and complex to manage application.
  6. Hacking Teams’s software is untraceable and now can and will be used without control. No, HT malware is not invincible and while it is able to fly under the antivirus’ radars, it doesn’t mean that there are no defense. Guess how you can reduce its’ might? Use pure text emails, don’t click links and attachments, check your machines and data-traffic for odd behaviours… In other words, stop using  wisthle&bell operating systems and fancy features and go back to basics. Ain’t no fancy, but is safer.
  7. Hacking Team helped intelligence agencies to gain access to everybody’s computer. Again, so what? Are intelligence agencies around the world supposed to play bridge, instead? As much as I dislike the fact, I cannot but pragmatically accept that the powers-that-be can do whatever they want, without actual accountability. They call it “democracy”.

Post Scriptum: Though I met David Vincenzetti about eighteen years ago at the Department of Computer Science in the Milan University and a couple of times in the following years, I never worked with or for him.

 

Does the French Intelligence Actually Have Such Big Gaps?

A significant part of the aftermath of an event is the so called “post mortem”: a thorough analysis of  what went right, what wrong and why.

While “post-mortem” is a common practice within complex organizations and helps detecting flaws to be fixed or positive actions to be standardized, it must not be confused with the “rolling-barrell” attitude of putting the load of a (ex-post proven wrong) choice on somebody else’s shoulders.

As everybody outside the intelligence’s  “inner circle” should, I neither claim to own the knowledge nor the expertise to assess the work’s quality and the assumed weakness of the French security system. But what I can say – relying upon my criminal trial lawyer experience – is that is always easier to find an explanation for something that happened once it happened, while it is very hard to “foresee” an event.

This is to say that once you know where to look for, the needle in the haystack is fairly easy to find. Or, put in other words, those who came late always look smarter than those who were there earlier: they already know where not to look at.

Whether the French intelligence services did a mistake or not, then, is of poor importance. Mistakes happens (much too) often and it wouldn’t be a surprise to discover that in the Charlie Hebdo massacre mistakes have been done.

But the best we can do is to learn from it, instead of publicly blaming people in the line of fire just for the sake of looking “smart”.

The Italian Home Affair Minister To Call For Another Internet Crackdown

In the aftermath of the Charlie Hebdo massacre, as a way to improve the “safety” of the citizen, the Italian Home Ministry Affair, Alfano (a right-winger)  called for:

  • a “registration” of “dangerous” websites,
  • a further enhancement of the ISPs duty to block access to
    (terrorism-related) Internet resources,
  • an exception to the data-protection regulation, to allow the law
    enforcement agencies to easily access “sensitive” data.

This is an exploitation of the recurring rhetorical locus: “enhance safety needs the fundamental rights to be weakened”.
It is easy to answer with an often quoted statement by Benjamin Franklin:

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

But this is not the point.

From a “terrorism” fighting point of view, what Alfano is calling for is simply useless.

If the target is to gather as much information as possible to prevent new attacks, blacklisting websites obviously doesn’t help. It neither stops terrorists from talking each-other, nor allows to spot upcoming threats.

If the target is to gather advance information to run “pre-emptive actions”, it is useless to “weaks” the data-protection regulation to ease the law enforcement agencies access to “sensitive” (i.e. political-related) information. Those who need a fast and direct access to such king of information, in fact, are the secret services (whose activities are neither handled nor reported to a magistrate) and not the law enforcement bodies, that can only act, in Italy, AFTER a crime has been committed (having, in this case, full access to everything they need, under the control of the public prosecutor.)

Then, a couple of questions:

  • why does Alfano calls for measures that don’t help fighting terrorism, but allow a crackdown against normal citizens?
  • why the ISPs should be burdened to act as censors and central scrutinizer on behalf of the government?

Child Pornography And Computer Crime Still a Criminal Offense in Italy

Several misinformed Italian blogs are currently claiming that the Renzi-led government just passed a draft-legislative decree making child pornography and computer crimes no more a criminal offense.

This is not true because what the government actually did was setting the principle that as soon as a crime is punished with a jail term up to five years AND the judge thinks that the crime is of “minimum damage” then either the prosecution or the trial must end. To put it different: only “serious crimes” are going to be tried in court.

One may argue over the ethic or legal acceptance of the notion of “petty-vs-serious” difference (as Cicero use to said, what matters – and deserves the maximum punishment – is the act of killing, not the fact that you killed one man or hundred people) but this legislative decree only turns into a law what already happens on a daily basis in the Italian courts: a confession of failure, in other words.

 

The (defunct) Data Retention Directive Still Causes Harm

Notwithstanding the Data Retention Directive has been bashed by the EUCJ Ruling, there is a wide agreement on the fact that its national implementation might still be valid if not in contrast with the main Data Protection Directive.

Just yet, neither the Italian Parliament nor the Data Protection Authority ran the “stress test”, thus leaving ISPs into a void of uncertainty.

Furthermore, the news is new as today, there is a case where the actual providing of Internet access whose contract terminated back in 2010 has been challenged in court by the former customer. Under the Italian Supreme Court jurisprudence, in this case it is the ISP who must provide the evidence that the agreement has been fulfilled. But, guess what? Under the strict (and wrong) interpretation of the Data Retention Directive this ISP deleted the log files and now has problem in supporting its defense.

True, keeping the traffic data for legitimate purposes (such as legal defense) is allowed by the Data Protection Directive.

True, the Data Retention Directive can be interpreted as an exception that doesn’t overrule the Data Protection Directive.

True, an ISP has more than a chance (in theory) to successfully support its choice of keeping the traffic data for legal defense purposes even exceeding the mandatory term seth forth by the DRD.

But all this means fighting an all-round legal battle, explaining to the Court that the traffic data have been legally retained and are, thus, valid evidence, standing against a possible Data Protection Authority investigation, and so on.

To put it short: a waste of time, money and resources, that could be spared if only the Powers-that-be had dedicated a fraction of their time to solve this riddle, instead of toying with this Internet Bill of Right nonsense.

 

Data Protection and Right of Defense. Stating the Obvious

Yet more evidence that Data Protection is not an absolute right. On the contrary, as the Italian Supreme Court decision n. 7783/14 said 1 a few days ago:

the interest to the protection of personal data must step back when confronted by true defense needs and other legally relevant interests, such as the fair and coherent enforcement of the right of defense in court.

  1. Unofficial Translation

The Impact of the Data-Retention ECJ Ruling on the Law Enforcement Activities

From the Law Enforcement perspective, the ECJ ruling that on Apr. 8, 2014 declared invalid the Data Retention Directive didn’t harm its investigation to such a greater extent as somebody has claimed. There are, indeed, other legal tools that can be used to fit the purpose of getting traffic data of interest.

First, ISPs and telco operators might still retain traffic data for other legitimate purposes and for longer periods than the six months “sponsored” by the ECJ. This can happens either with the consent of the customer (for marketing and commercial purposes) or without (in case the traffic data have to be retained to meet under a statutory term (in Italy, ten years) the legal obligation to provide evidence to the tax authorities that the billed services have actually been provided and that the ISP is not involved in a money laundering activity. Thus as soon as some data – though not all the one retained under the now defunct DRD – are available, a prosecutor can always seize it.

Second, the Budapest Convention on cybercrime allows the public authorities to issue a “data-freeze” order to avoid the deletion. Again, this might be a second best solution, but it is currently working and viable.

Third, the national Data Protection Authorities have the power, under the Directive 95/46, to issue orders to “customize” the implementation of this legal instrument so to match the requirements of the ECJ, thus legally keeping alive, though maybe partially, the intrinsic admissibility of the data-retention as such under the current European Data Protection legal framework.

Reverse Engineering of the gray world: Intelligence as a black-box

Back to one of my first love: next March 11 (Rome University La Sapienza) and 20 (Milan University Statale) I have been asked to talk about “Reverse Engineering of the gray world: Intelligence as a black-box” and “Use(less) online Open Source Intelligence”.

Search Engines and the Hypocricy of Filtering

Another step toward the end of the Google’s “we’re just a neutral platform, ain’t nothing to do with those who publish illegal content” defense: according to The Register Google and Microsoft agreed to tweak its algorithms to prevent child-pornography-related searches.

This decision has two downfalls: the first is that in the upcoming trial it will be harder for a search-engine company to pledge innocent against the accusation of direct or contributory infringement since Google and Microsoft made deadly clear that it is actually possible to “handle” the way its engines work. The second is that by targeting the search engine result as a way to counter illegal content only stops the “casual” and final user, while the real criminal will stay free to spread their venom. In other word, focusing on content filter is just a PR stunt to lead Average Joe in believing that the Gov’s are doing fine, so no more “public scandal”  on mainstream media will bother the Powers-that-be.

The criminals thank you all for the gift.