Viewport width =
surveillance
October 4, 2015 | by  | in Features |
Share on FacebookShare on Google+Pin on PinterestTweet about this on Twitter

Hack Like Nobody’s Watching

I really want to be a futurist. I want my jetpack, my Minority Report holo-screen and my Iron Man suit. As a glutton for knowledge, I relish the opportunity to wake up and effectively download everything that I missed while I was sleeping into my head, all before breakfast. And I’m not alone in this.

But since I have researched this article, I’ve been feeling a lot of that certain sickly feeling you get as a human when something is so far beyond your current comprehension that your mind struggles to handle it. “Present shock”, I believe it’s dubbed. Simply put, that post-apocalyptic dystopian future you all read about is here all around you, and the revelation hasn’t caught up to us yet.

Ever since intelligence community martyr and recent Twitter user Edward Snowden leaked classified documents from the NSA, we’ve suddenly become aware of the extent to which intelligence agencies can keep tabs on all of our online actions. Their tentacles extend beyond their own shores and legal jurisdictions, shaking hands with every intelligence community the world over including our own, all in the name of stopping the spectre of terrorism. Snowden’s actions are one of those world-shattering revelations that cannot be undone, to the point where “post-Snowden” has probably replaced “post-9/11” as the historical yardstick du jour in the Western world. And now I’ve been tasked to draw a roadmap of where we are and where we’re heading.

To begin at the beginning: like your microwave and your canned food, your computer, phone and your internet are all trickled down from military technology. The first “modern” computer was the one Turing and company created to break the Enigma code during World War II. So for a start, years of having personal computers has led to us kind of forgetting how and why they came about, and we shouldn’t really be surprised when we learn how intelligence agencies are spying on us. Because really, they were there first, they will always do it better, and we get the after-results neatly stamped with a fruit logo (this will be important later). 

“Post-Snowden” has probably replaced “post-9/11” as the historical yardstick du jour in the Western world.

The current purpose of intelligence ops is the collection of “metadata”. Metadata is “data about data”. It includes phone calls and emails of people on a network, the time they were sent, the location they were sent to and from, and who receives them. The NSA then put that metadata through patterns analysis programs to track the movements of people through their devices, expressly for the identification and elimination of terrorists. What puts this firmly in dystopic Big Brother territory is that they’re spying on everyone as opposed to a select suspicious few, and this is where people begin to freak out about their privacy being invaded. The reason metadata, as opposed to content, is collected is that as our technology currently stands, it can’t read the content of a message for shit, especially since a computer has no understanding of tone or nuance in speech. So instead, everything is collected as a “better safe than sorry” measure. As Snowden revealed, this is what the NSA has been collecting and scouring through for the past few years, and they’re only getting better at it as they invent new and better programs, like PRISM. Even scarier is the fact that the NSA “deputises” companies that profit off such data, like Google and Yahoo, to access the data from their customers and spread a wider net over, well, the ‘net.

The NSA is the head of an all-seeing Legion of Doom known as the “Five Eyes”, which is made up of intelligence agencies from the USA, the UK, Canada, Australia and New Zealand. When the NSA hits a point where their activities might be considered illegal, like spying on other countries, they cosy up to their allied and friendly nations and incentivise them to do their surveillance for them. It’s considered better in the long run to cosy up with the US, even though our history since the 80s has been less than amiable, after that time when the USA was all “hey babe, do you mind if I leave this nuclear submarines up in your waters?”, and we were all “yeah, we’re not really into that, can’t we just cuddle?” and the US was having none of that so we told them to fuck off, and our relationship status went from “ally” to “friend”. Complicating this is the fact that our major economic ties are with China, the US’s current economic and “cyber-warfare” enemy. And being a friendly ex, New Zealand helps out however it can. The vox populi has prodded the government to unfriend its way out of the alliance, but as former US intelligence advisor Pat Buchanan puts it, it would be “like trying to get out of the mafia”. And what a racket it is.

Snowden has referred to Five Eyes as a “supra-national intelligence organisation that doesn’t answer to the known laws of its own countries”, using the existing ties and infrastructure left over from the Cold War to establish a new circle of eyes around the world, with each country’s “eye” focused on its own spread of communications. Our “eye” is the GCSB (Government Communications Security Bureau), and our communications intelligence base is located at Waihopai Station, an intelligence communications hub near Blenheim. In 2009, it was upgraded to go “full take” in the pursuit of collecting metadata rather than simply listening out for potentially incriminating calls or emails. After this data is collected, it’s then shunted off to the NSA for storage and analysis, and everyone else in the Five Eyes does the same.

“There are no terrorists in the Cook Islands,” says Cook Island politician Norman George. “We are peace-loving Christians—to spy on us is frankly, bad manners.”

According to documents leaked by Snowden and picked up by the New Zealand Herald, we’ve been spying on many Pacific Island Nations, including Fiji, the Solomon Islands, Samoa, Vanuatu and Kiribati. Naturally, they’re a bit miffed that we’ve been monitoring them, especially since we really have no reason to (with the noted exception of Fiji, because, well, coups). But fortunately for us, miffed is about the extent of it. “There are no terrorists in the Cook Islands,” says Cook Island politician Norman George. “We are peace-loving Christians—to spy on us is frankly, bad manners.” How sweet.

So if you’re not rocking in a fetal position on the floor by now, then I suspect you may be somewhat familiar with all of this (and, y’know, read the news). The fascinating thing about it all of this Spy vs Spy business is that prior to Snowden, if you said that the government was spying on everybody and taking tabs on their calls, people would have assumed you were a tin-foil hat wearing kook. But for those in the hacking and cybersecurity community, this is also old news, akin to the sky being blue and Vista being crap.

HACK JOBS

As a security tester in New Zealand, Adam Boileau is in an interesting position. Having cut his teeth hacking through a spare dial-up phone line in their youth, he break people’s tech for a living professionally—a occupation that only around thirty people in New Zealand can do professionally. Unlike the job market today, where one embarrassing Facebook photo could get you fired from your job, all the bulletin boards and networks that Adam and others like him hacked upon growing up have since evaporated and all the technology he hacked on has since become obsolete.

It’s an enviable tabula rasa of a personal history; coupled with the fact that since everything from our phones to our cars has a computer in it, his type of knowledge of how to navigate our rapidly technologised world is a valued commodity. Prior to meeting him, my only real knowledge of hacking and breaking technology as a concept was from Mr. Robot, which was frighteningly accurate enough that it pulled my head out of the sand (and got me to change all my passwords). As we spoke about the state of our dystopian cyberpunk future-present, I realised just how exclusive that knowledge truly is.

“Those of us who break [tech] for fun in the old days and now for fat cash and conference jaunts and all our trappings of commercial success, we get paid good money for it,” Boileau says. “But that kind of mindset isn’t one that a lot of people have, so we end up in a situation where we have a society that’s built on technology, which is kind of thinly spackled over everything else, without a real understanding of how it actually works.”

As the world around us grows increasingly more technologised, our understanding of how it all really works is dwindling, and it’s up to those who “speak Nerd” to keep people—like MPs writing cybercrime legislation—from fucking it all up.

“The laws are bizarre,” Boileau tells me. “Even my job is questionably legal in some respects, the sort of concept of possession of computer hacking tools for supply, you can have small amounts for personal use but you can’t make them available for commercial supply. Very weird things where we’re legislating by analogy to other things.

“If you look at Kiwicon, the hacker conference I organise, the theme is ‘cyberwar’. The reason is ‘cyber-’ is a prefix meaning ‘a shitty metaphor is going to follow’. Every time you see ‘cyberwar’ or ‘cyberhacking’ or whatever, it means that someone doesn’t understand what cyber is.”

The general rule of signals comms technology is that military technology filters down to law enforcement and then to the civilian. Just as we’ve inherited our computers from the ones used to crack the Enigma code, every advancement in surveillance is trickling down, if you have the desire, the patience and the cash to buy all the parts.

That technological trickle-down is a trajectory Boileau finds concerning. “We’ve got to ask ourselves: all the stuff that Snowden says the NSA is doing right now, what are we going to do when punk kids are doing it?”

Boileau was adjacent to the virus-writing scene of the late 80s, one that thrived at Victoria University. We have the distinction of being the birthplace to one of the first computer viruses ever written, the STONED virus. When a floppy disc (ask your parents) was inserted into a computer, it had a one in eight to one in 14 chance of infecting the computer, upon which the phrase “Your PC is now Stoned! Legalise Marijuana!” would appear on your screen. (Writers note: if it hasn’t since been upgraded to “error 420: file not found”, that is an opportunity sorely missed.) Other “punk kids” in those days would write their own viruses, then write the anti-viral software countering it and sell it to pay their tuition.

“We’ve got to ask ourselves: all the stuff that Snowden says the NSA is doing right now, what are we going to do when punk kids are doing it?”

Boileau recounted a recent example from Kiwicon, where a kid had managed to procure an ankle bracelet used for prisoners under house arrest and spoof its signal.

“He did that with a cell network GPS to figure it out and the cell tower to report it in. He ran up a fake cell site with $1000 worth of equipment, he recorded what [the bracelet] normally says and was able to replay it and play a fake broadcast.”

It’s equivalent to looping a security tape when you’re robbing a bank. If a criminal worked out how to do this, they could continue their activities while the cops assume they’re still stewing in their condo.

One of the most frightening potential applications of this is car hacking. Modern cars are essentially computers on wheels, or technically, a network on wheels called a CAN bus, which beams Bluetooth messages all around the parts of your car. Your axles communicate to your steering wheel, your gas pedal and brakes to your engine and your GPS navigation system to a satellite, and so forth. Since a car is broadcasting signals like this, it’s possible to get into that little network and take control of the car remotely. While obscenely difficult to do, it can be done provided you buy all the parts and know what car you are trying to hack. Then you can do anything from unlock the car without a remote key, kill the engine or the headlights, even take control of the steering, potentially all from miles away, provided your wifi is decent. If enough people with motivation got together, they could potentially hack a whole set of cars in a highway and crash them remotely, all without leaving their homes.

As devices producing data and signals that can be intercepted, collected or “sniffed” (using a program that monitors and analyses internet traffic), potentially any of those devices is hackable. Those that can control the computers can control the world, and there’s a constant arms race on both sides of the law over who can control or protect the most territory.

PRIVACY MATTERS

We Millennials are the first generation that has never had anything in the way of traditional “privacy”, what with our need to post, snap and gram our every doing online. All of that is being collected, stored and analysed by the NSA. That’s just a fact. In the general discourse of today’s surveillance state, turning off your phone or not having a Facebook or Google account is not just seen as weird, it’s potentially incriminating. You have to participate or else you face extra-judicial scrutiny.

Five Eyes, under the NSA, are constantly combing through metadata to determine the patterns of terrorists and other criminals. The usual modus operandi for these types to avoid surveillance goes like this: Criminals typically have a personal phone and a “work” phone, usually a prepaid burner phone bought with cash so the purchase isn’t traced through a card, or they buy several to distribute amongst their crew. When in transit or committing a crime, they switch off their easily trackable personal phone and switch on their “work” one, and over time, they replace phones and sim cards frequently to make tracking them more difficult.

Thanks to the advent of metadata, you can easily track a terrorist by determining a pattern through their phone use. An NSA spook can hone in on a certain area and bring up the metadata on all the phones that have been turned off and on in succession, and track people that way over time, even across countries as they line up airport departure and arrival times and determine who they’re meeting and where. Once you can be reasonably sure that you have your terrorist, or network of terrorists, calling the same set of phones or meeting in the same places, that’s the time to call up a drone and put extra-judicial “warheads on foreheads”, so to speak. One case where this runs into trouble is when those patterns line up with persons of lesser interest, like Ahmad Muaffaq Zaidan, a journalist from Islamabad who works for Al Jazeera. Zaidan was put on a terrorist watch-list due to metadata presenting him as working with terrorists, when he was only interviewing them.

One piece of tech that’s trickled down to domestic law enforcement, at least in the States, are Stingray devices. Basically, a Stingray is a fake cell phone tower that simulates the signals of cell phone towers while covertly gathering the messages and signals of all phones in the area. They are effective, but their legality is very weird, to say the least. The companies that make the tech ask the police to sign non-disclosure agreements that to ensure that they don’t disclose how they work. This makes prosecuting cases with Stingray-gathered evidence difficult, and so to counter this, the police massage the details using a technique called “parallel reconstruction” where they claim that their evidence came from a human informant instead. This is also set to happen in the UK and Australia. And if punk kids get a hold of one of these things in the future, then all bets are off.

So how can you be sure that no hackers or spooks are snooping on your calls? Phone privacy is not a feature that can be advertised as easily as you can with a computer. Walk into Vodafone and ask the retail staff which phone has the best cybersecurity, and they’d be at a loss to tell you.

“If they understood this stuff, they’d have a real job,” Boileau says.

But that’s slowly changing, since data is quickly becoming more of a commodity. Apple has made its customers’ data protection a concern, making phones harder to crack using patches and PIN codes—something that has already bristled law enforcement in the States when seizing evidence and trying to get the incriminating data off them. The business model of Google and Facebook is data, and when they’re not selling it to advertisers, they’re doing all they can to archive and protect it.

“If they understood this stuff, they’d have a real job.”

In the case of Russia and Eastern Europe, where the quality of education is high but the opportunity is low, kids with computer science or engineering degrees will go on to become cybercriminals. “Our software writers are the best in the world and that is why our hackers are the best in the world,” says Lieutenant General Boris Miroshnikov of Russia’s police cybercrime division Department K.

Interestingly, while the amount of cybercrime has increased, the number of criminals technically hasn’t. Email invoice fraud and phishing scams have a far greater reach than the fax and snail mail scams that proceeded them, as well as being cheaper to pull off. New Zealand’s main cyber threat comes from China, who routinely employ industrial espionage and are believed to have spied on industrial giant Fonterra. According to Boileau, we don’t know whether Chinese hackers are military-trained or just government-sanctioned citizens, but their efficiency cannot be questioned.

“In many respects the Chinese are ruthless at using cyber and computer hacking and that kind of technique to advance their national interest,” Boileau explains. “They play much more holistically, I think, and much more long game than the West do.”

FIVE EYES BLIND

And so, after that whirlwind tour, we return to where we started, and the question remains: can New Zealand ever leave Five Eyes? Due to its less advanced technology, New Zealand is still pretty far behind in cybercrime, punk kids and overseas hackers notwithstanding. And to the US, we’re still a vital asset in surveillance, and in return for spying on the neighbours, they give us their cool toys. But the whole arrangement is antithetical to everything New Zealanders know about our relationship with the States, since we assumed they stopped bothering with us after the whole nuke thing. As much as we talk a big game about independence from the US and Britain and whoever else, to Boileau the likelihood of leaving Five Eyes is slim to none, partly because of our ties to the international surveillance community.

“I don’t know if that’s really practical,” Boileau says. “If we pull out of our alliance, then we’re going to be very isolated by virtue of having no friends as well as no enemies.”

So simply put, we’re in too deep. But the future is often what we make of it. And if my “present shock” is any indication, the future is now. I asked Boileau what we thought the best case scenario for our tech-world would be going forward.

“[I think] we are in the dystopic cyberpunk future. You read a William Gibson or Neil Stevenson book, we are very much in that time now. We have to look for science fiction for guidance, what kind of weird shit going to happen next.”

Global surveillance may not rest its gaze any time soon, and there may be plenty more Snowdens to follow as the years go on. The best we can do as non-hacking civilians is educate ourselves. So keep both eyes open.

If you want to know more about the hacking community or simply wish to arm yourself for the war ahead, the next Kiwicon conference is coming up on 10 December at the St James Theatre. You can find out more at www.kiwicon.org.

Share on FacebookShare on Google+Pin on PinterestTweet about this on Twitter

About the Author ()

Add Comment

You must be logged in to post a comment.

Recent posts

  1. Work
  2. Editorial—Issue 22, 2016
  3. I, Daniel Blake and the Welfare State
  4. Young Voters: Waking the Sleeping Giants
  5. The Sky Is Falling
  6. Tell us about Talis
  7. Vic group launch their Reclaim-munist Manifesto
  8. Bye Bye Little Karori (in two years time)
  9. Students seize opportunity to rant at Grant
  10. Binge drinking is still a bit bad for you
i-daniel-blake

Editor's Pick

I, Daniel Blake and the Welfare State

: Recently at the NZIFF I was fortunate enough to see Ken Loach’s I, Daniel Blake, this year’s winner of the Palme d’Or at Cannes. By the end of the film nearly everybody seemed to be in mourning and most of the people seated around me were sniffling and wiping their eyes. I,

Viewport width =