Wikileaks spyfiles

Submitted by ezabi on Tue, 12/06/2011 - 16:02
I learnt about the release of the newest WikiLeaks (The Spy Files) from Mostafa's tweet.

Looking into the documents, I found nothing new: most were vendor manuals usually accessible to those who ask, some were advertising material, and most interesting to me were some whitepapers, which I'll come to later.

Working in information security myself, I wasn't surprised by any of the information contained in these documents. All of it is usually accessible without much pain, and the state of the technology in it was no surprise to me either; these capabilities have been there for a long time and are being used on a daily basis by security professionals.

My surprise, however, was at the degree of importance given to such information, to the degree of it being published. The proper justification was provided by Mostafa in further discussion, and I could clearly understand the reason why the general population considers this technology a threat to their rights.
This is simply because some countries and authorities are using this technology in ways that ethical information security professionals, or white hats, wouldn't normally use it except with the proper legal justifications.
Yes, some governments and authorities use technologies normally destined for individual and corporate security in order to breach individuals' rights, under the title of L.I., or Lawful Interception as they claim, and some technology companies contribute to that, still under the statement of Lawful Interception.
So is technology to blame?
Definitely not. You can't blame a knife maker for people getting killed by vegetable-cutting tools.
It's how you use -or abuse- the tool that gets you the blame.

So what really matters here is that these technologies are like knives: there are rules and regulations already in place in some places on how to use them and how not to use them.
An example I'm aware of: some of the technologies cited on the WikiLeaks page have great capabilities for logging user activity on the network or the internet, tracing every single activity to the second, yet in some countries, bodies are required not to log any personally identifiable information, otherwise they will be prosecuted under the country's local law. I've witnessed cases where the customer refused to sign the acceptance form of the delivered equipment until he obtained documented evidence that his equipment was not configured to log such information.
Another general example is that information security professionals are required to handle such personally identifiable or other highly confidential information with proper care, and are usually asked to sign non-disclosure agreements, as well as codes of ethics from several certifying bodies.
Hence what governs the action here is not only the ethical level of the information user but also the regulations and laws in place.

Now some governments and authorities, specifically in dictatorial systems, ignore this part since they maintain the role of lawmakers themselves. Hence they either ignore having the law in place, or just establish lax laws allowing them to be interpreted as they wish. A well-known clause in such laws is the one allowing authorities to act as they wish if they deem it necessary to protect the national security.
Some technology companies take advantage of this, and find such countries' markets a playground in which they do as they wish, not only helping governments collect information about people, but also collecting information for themselves to advance their business.
A major antivirus vendor was freely collecting information from users of his free edition to improve his engine's virus detection abilities without any binding rules as to which information he's allowed to collect and which he's not. And when asked about this, his blunt answer was that he does this in countries that don't have laws requiring him to do so.

One last note is about a very interesting paper found in the leaks discussing what's called lawful interception. I got to understand that this is the term used to beautify the act of spying on users, calling it lawful since it's backed up by soft laws in place with no protection of individual rights, or by laws controlled by executive authorities.

So it's still the people's role to protect themselves against such activities. Now that information security professionals are supposedly doing their role of raising people's attention towards what's committed against them, they have to resort to their power with the lawmaking bodies in order for them to maintain laws protecting the individual rather than laws protecting a corrupt system.

And again, thanks to those who drew my attention to a matter I took for granted that people were clearly aware of, but I was wrong.
Still I tend to insist that technology is not to blame for people's greed.
