Our new Prime Minister

Mark Rutte (VVD) will be the new Dutch Prime Minister. At least for a little while before this government falls. Now I disagree with him on many many things, not the least of which is his cooperation with Geert Wilders to create a right-wing government that will probably take the Netherlands back to the fucking stone-ages when it comes to compassion, solidarity, privacy and civil rights while going all-out on fear and repression. But I have to say that watching him speak at a press conference yesterday was a relief in one sense. We, finally, after 8 years of Jan Peter Balkenende, will again have a Prime Minister that has the gift of language. One that can speak whole sentences. It’s right-wing drivel alright, but at least it will be something that either resembles an answer or a refusal to answer. I think from now on, large political parties must be obliged to have at least one person on staff with the rudimentary social skills that make it seem like he or she has been around other people in the past decade. At this point, I wouldn’t even be surprised if our new PM spoke English.

Please note that I probably won’t ever vote for him just because he can speak whole sentences, and I’m not saying you should either. But I had to share this sense of relief. We finally have a Prime Minister that I can just vehemently disagree with instead of feeling ashamed that I come from the same country.

Audio Zoom

It scares me, and yet I want to play with it. Finally there’s this Norwegian company called Squarehead Technology that has built what I have long wanted to see. A system with tons of microphones that can do time-of-arrival based beam-forming on audio. What that means is they can pick up sound originating from any point in a noisy space while canceling out sounds originating from anywhere else. And their system can even do that after the fact. So all you need to do is set it to record in a large space, and then you can tune in to any private conversation, even after the fact. Some intelligence agencies must have had this for many years, and others will be their biggest customers. (They seem to be aiming at broadcast companies and conference venues themselves.)

I am half expecting this company to be bought by In-Q-Tel (the CIA’s venture capital arm) or some other shady outfit soon, but I have taken the liberty of asking them to come demonstrate it at this year’s CCC Congress nonetheless.

India to get paper trail

Looks like our research may have killed black-box voting for a billion people… Yay!

For months and months, the Election Commission of India (ECI) has held their black-box voting machines (called EVMs in India) to be untamperable. When that really didn’t work anymore (and they tried long after everyone could see they were lying), they did the same thing authorities did in the Netherlands and Germany: they claimed they were unhackable because they were stored very securely and certainly no insider would ever dream of committing fraud. It appears that this second line of defense has now also fallen.

Yesterday there was a meeting of all the national political parties in India, and it appears the ECI has finally given in: they are now looking at alternatives where the voter sees his/her vote on a piece of paper which can be counted by hand. Here, they also did that, which was just a first step to having the machines scrapped. It’s going to be interesting to see whether the Indian government thinks they can drag on the existing solution until something new is ready. (They tried that here, didn’t work.)

Too early to cry victory, but certainly another big step forward. Now the charges against Hari Prasad, the man who spent time in jail for daring to notice that the emperor had no clothes on, need to be dropped (TODAY GENTLEMEN!) and Hari needs to be fully rehabilitated. Then a strict deadline for scrapping black-box voting needs to be imposed. Then the details of any new voting system need to be worked out. There is already talk of allowing a hand-count only if a judge permits it, which is of course far too restrictive.

For further details also check out Narasimha Rao’s blog at indianevm.com.

Casualties of perpetual war

“With two wars, multiple crises abroad and growing terrorism activity at home, the nation’s top security officials do not sleep in peace.”

Yesterday brought us the wonderful news that the US government will attempt to make all communication on the internet tappable. From the New York Times article:

Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.

[…]

In recent months, officials from the F.B.I., the Justice Department, the National Security Agency, the White House and other agencies have been meeting to develop a proposed solution.

[…]

  • Communications services that encrypt messages must have a way to unscramble them.
  • Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
  • Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

And that’s not even all the dreams of dramatically expanded power for one day. Also yesterday, The Washington Post wrote about a new proposal to put all the bank transfers in and out of the US in a centralized database:

The Obama administration wants to require U.S. banks to report all electronic money transfers into and out of the country, a dramatic expansion in efforts to counter terrorist financing and money laundering.

[…]

“By establishing a centralized database, this regulatory plan will greatly assist law enforcement in detecting and ferreting out transnational organized crime, multinational drug cartels, terrorist financing and international tax evasion,”

[…]

“It’s presumed that the information will be valuable in anti-terrorism activity,” he said. “We’re told, ‘Trust us. Once we get the data, we’ll determine what’s legal or not.’”

We must be due for another major terrorist attack soon.

Hari is out of jail!

Earlier this year, I worked on a scientific study showing that the Electronic Voting Machines used in India weren’t secure. My co-author Hari Prasad was arrested a week ago, on charges of having had possession of a real voting machine and refusing to say where it came from.

At a little past noon, I received an e-mail saying Hari has been granted bail and is no longer in jail. Alex Halderman and I just spoke to Hari as he was preparing to fly home from Mumbai to Hyderabad. He is tired after a week in jail, he needs some rest, but he is very happy to be free and his spirit is very much unbroken. The judge that released him apparently did his homework and has said that the government has no case, and that Hari deserves a reward, not jail.

This all follows rather bizarre developments yesterday during which newspapers, among which the Times of India, reported that the government was apparently looking into our research work as some kind of “plot to destabilize the country”.

NEW DELHI: Is the arrested activist, who showed that an Electronic Voting Machine (EVM) can be tampered with, a mere tool in the hands of some corporate rivals who want to make a clone of the equipment which has a huge demand in countries across Africa and South America?

Or, is he, who got technical help from three foreigners, a part of some larger conspiracy to discredit India’s election process?
With these sneaking suspicions in mind, the intelligence agencies — both IB and R&AW — have set into motion their network to check the backgrounds of Hari Prasad, who was arrested in Hyderabad in the EVM theft case last Saturday, and his foreign contacts.
Suspecting that the instrument might have been smuggled out possibly to an European country, a top official on Thursday said there could be a larger “conspiracy angle” to discredit the country’s election process and this was being probed “thoroughly” after Prasad’s arrest.
“There seems to be a bigger picture than what it looked like initially. We are conducting a thorough probe to find out who was actually behind it, why it has been done and whether there is a conspiracy to discredit India’s election process,” the official said.
Sources said the investigators have found that two Americans and one Dutch national had helped Prasad, technical coordinator of VeTA (Citizens for Verifiability, Transparency and Accountability in Elections), to show how the machine can be tampered with.
The Union home ministry is constantly monitoring the development and giving regular directions to the investigators and intelligence agencies asking for all the details.

Based on my experiences in the Netherlands, I really did not expect for us to be named honorary citizens of India, at least not right away. But the above is really rather insane. You don’t need to be a rocket scientist to see that this story is way, way, way too easy to discredit for anyone with brief access to Google. At this point I speculate that this claim by the government has caused more people, many of whom were initially inclined to believe the government, to investigate the matter. After reading up, most of these people probably realized that the government’s story is complete and utter bullshit.

We’ll have to see what public opinion in India does over the next months, but I have hopes that this dramatic overreach by the government will be part of what causes the current EVMs to be ditched. And even more than that I am so happy that Hari is on his way to his wife and kids.

If you are following this, you probably also want to read Freedom to Tinker, if you weren’t yet.

Hari is in jail :(

Hari Prasad

Last winter I was in India to research electronic voting machines there. I was part of a team with Hari Prasad from India and some people from his company NetIndia and Prof. Alex Halderman from the US with some of his students. We had access to a voting machine and we proved that electronic voting machines (called EVMs in India) are just as insecure there as they are anywhere else. Which is not all that surprising, except the Election Commission of India was making a whole brouhaha out of their machines being somehow “untamperable” and “perfect”.

It’s a pretty clear-cut case as these things go. We showed that it was possible to hack the machines in a variety of ways and that there were fundamental problems with transparency revolving, yet again, around unpublished software (that in this particular case cannot be audited, at all, by anyone!). We made a video and we wrote a scientific paper that will be presented at the CCS conference this fall. So we were right and they were wrong. Yet another case of the emperor wearing no clothes.

Except this emperor lives in India. So this emperor doesn’t simply run home in shame to get dressed. This emperor has his soldiers arrest the scoundrel that dared say he was naked.

Yesterday morning at 05:30, cops from Mumbai came to Hyderabad to arrest Hari Prasad. He was taken to Mumbai by road. My friend and colleague Alex Halderman has written a much more extensive piece on the circumstances. Read it. It includes audio of a phone conversation with Hari as he arrives in Mumbai, still in the car with the cops and miraculously still able to use his cellphone. (It was taken from him moments later.)

All of this makes me pause at the fact that in some countries the truth has a much longer road to travel and that people in those countries are exposed to some very real personal risks for speaking out. There are democracies where finding out how the votes are counted is not merely frowned upon but actually dangerous.

The Indian blog IndianEVM.com has documents, commentary and many more updates on what’s going on. Hari showed the people of his country how secure their elections are. He needs to be commended and his technical expertise needs to be drawn upon to help safeguard future elections. He does not belong in jail. Please help spread the word. If you know journalists or other influential people in India, you might want to let them know that this is happening.

Wikileaks…

Many of you will have seen in the news: there is a bit of a ruckus surrounding Wikileaks. As readers of this blog know, late March and beginning of April of this year, I helped Wikileaks release the leaked video that showed a US helicopter crew in Baghdad (apparently mistakenly) firing on Reuters journalists and then (without provocation) on unarmed occupants of a van that is coming to take the wounded.

In more recent developments, Wired has written about the arrest of a soldier in Iraq called Bradley Manning, who is alleged to have told hacker and journalist Adrian Lamo about leaking this video to Wikileaks. According to Lamo, Manning also talked about leaking a host of other secrets to Wikileaks. Lamo then went to the military, and Manning was arrested. Recent discoveries regarding the background and timeline of that story are an interesting read also.

Right now, there is apparently an international manhunt on for Julian Assange, the founder of Wikileaks. The Pentagon is said to ‘want a word’ regarding publication of any further secret documents that Wikileaks is said to have.

This is a story worth following and there are many many more things to be said. And I would too, except all of it can be much more eloquently said by Glenn Greenwald, Birgitta Jónsdóttir and Daniel Ellsberg in this footage from Democracy Now.

Now because of my involvement in the release of the video, people have begun asking me about these events. Before everyone asks me the same questions, let me note that:

  • I do not know where Julian is. Really. I hope he is safe, and I think the fact that there apparently needs to be worry over his well-being is a freaking outrage.
  • I have helped out Wikileaks with the Iraq video, and I’ve helped Icelandic MP Birgitta Jónsdóttir on the partly Wikileaks-inspired IMMI proposal in Iceland. I consider these to have been worthwhile adventures. However I am not a Wikileaks spokesperson or staff member.
  • Apart from the Iraq video I never had any documents or materials that weren’t public yet.
  • I do not know what’s going to happen next and follow the news sites and tweets with as much anxiety as anyone else. Julian is scheduled to speak in Brussels tomorrow. It starts at 14:30 Brussels time and there will apparently be a live stream. Do note that Julian has skipped earlier appearances citing security concerns.


Update:
It is now Monday June 21st, 16:42 and Julian is indeed on stage in Brussels in a discussion about Freedom of Speech. I watched his opening remarks (it’s a forum setting), but the stream keeps breaking up.

Screw Facebook

I got a little tired of the growing number of pages where I can see which of my friends were already there, with the implication that my friends would also see this when I visited somewhere first. Somehow, whatever privacy option I click on Facebook this remains on. And I don’t like sending unnecessary data to Facebook and then clicking some stupid “please don’t use it” button, anyway.

So… If you have AdBlock Plus or something like that (and you should) you can simply add a filter for the Facebook crap (which is in an <iframe>), and all will be good. For now, anyway. In AdBlock Plus, the filter rules are:

|http://www.facebook.com/widgets/*
|http://www.facebook.com/plugins/*

If you do this, the Facebook site itself will still work fine.

Update, June 21st: as commenters have pointed out, the IFRAME can be in the widgets or in the plugins directory, so both should be blocked. I added it above…
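
How the two filter rules above match, as an added example (not code from this post or from AdBlock Plus): a small JavaScript matcher for just the "|" address anchor and "*" wildcard, run over constructed sample URLs. It also shows that rules anchored to "http://" do not cover the same iframe when it is loaded over "https://".

```javascript
// Added example: minimal matcher for the subset of Adblock Plus filter syntax
// used by the two rules in the post: "|" (anchor to start/end of the address)
// and "*" (wildcard). It does not implement "||", "^", "$options" or "@@".

const RULES = [
  "|http://www.facebook.com/widgets/*",
  "|http://www.facebook.com/plugins/*",
];

// Translate one filter string into a RegExp.
function compileFilter(filter) {
  let body = filter;
  let prefix = "";
  let suffix = "";
  if (body.startsWith("|")) { prefix = "^"; body = body.slice(1); }
  if (body.endsWith("|")) { suffix = "$"; body = body.slice(0, -1); }
  // Escape regex metacharacters in the literal parts, then join on ".*".
  const pattern = body
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  // Filters match case-insensitively unless told otherwise.
  return new RegExp(prefix + pattern + suffix, "i");
}

const COMPILED = RULES.map(compileFilter);

// True when any rule matches the request URL.
function isBlocked(url) {
  return COMPILED.some((re) => re.test(url));
}

// Constructed sample request URLs (not captured traffic).
const SAMPLES = [
  // iframe in the plugins directory: blocked
  "http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.org%2F",
  // iframe in the widgets directory: blocked
  "http://www.facebook.com/widgets/fan.php?id=0",
  // the Facebook site itself: still allowed
  "http://www.facebook.com/home.php",
  // same plugin over HTTPS: the "|http://" anchor does not match it
  "https://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fexample.org%2F",
  // rule text appearing later in another site's URL: the start anchor rejects it
  "http://example.org/?next=http://www.facebook.com/plugins/like.php",
];

function classify(urls) {
  return urls.map((url) => ({ url, blocked: isBlocked(url) }));
}

for (const { url, blocked } of classify(SAMPLES)) {
  console.log((blocked ? "BLOCK " : "allow ") + url);
}
```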

Hack In The Box, Amsterdam, 1-2 July

I will be delivering a welcome address at a really cool computer security conference in Amsterdam on Thursday July 1st. The conference is called “Hack In The Box”, which originates from Malaysia and is run by really knowledgeable, nice and friendly people. It’s two days, so July 1st and 2nd. There’s a special hacker community deal, and the program is jam-packed with interesting talks. Check out some of the highlights:

The entire program is here and registration is here.

FreeWDE – FreeBSD with Whole Disk Encryption

FreeWDE is a “minimal install” FreeBSD image that you can write to a USB stick or SD-card. When booted from, FreeWDE will ask some questions and then create an AES-256 encrypted partition on the same device. It will then copy the operating system there. You can tell FreeWDE to additionally install an unencrypted FAT32 (Windows) partition which will make a USB stick or SD-card seem like a normal storage device to Windows or Mac machines. It can hold your camera’s pictures or be used for files that you want to move in and out of an offline encrypted system. You can set sizes for all these partitions as well as for the encrypted swap. You can also opt to mount /tmp and /var/log as tmpfs ramdisks.

Or, in normal language, you boot from a stick or any other device and get a basic unix operating system that is fully encrypted and not any slower than it needs to be. Of course, you’ll still want to use the fastest media you can get hold of, and a bit of processor speed for the crypto doesn’t hurt either. It runs fine on my eeePC 1005PE.

This just installs a basic FreeBSD unix system. It does not include X-Windows, web-browsers, mail clients or whatever else you’d like. You can of course install all that after the encryption is set up. Or compile your own image with everything you need already packaged in it.

Please have a play if you are so inclined, and use the comments to tell me what you think.


Hacking India’s Voting Machines

This morning’s events (see previous post) came at a very weird time: 15 minutes before the planned coordinated launch of some interesting research I took part in. Not that I cared even the slightest bit this morning, but the timing actually could not have been much more awkward. I had worked through the night and we had planned a well coordinated action to publish some interesting research simultaneously over three timezones (at 07:30 CET this morning). That plan thus ended with me in an ambulance, not knowing how much damage my son had incurred. But since everything below was already written, here is what I was supposed to post this morning…


It’s great how it really is beginning to dawn on people all over the globe that paperless voting systems have a transparency problem. This last February I was invited to India for 9 days. It was good to get some sunlight, but again I was too busy to see many sights. I first went to Delhi to speak at the launch of a new book that is critical of Electronic Voting Machines (people there all call them EVMs). After that I went to Chennai for another conference. Then I went to Hyderabad and did … absolutely nothing that I was publicly talking about until today.

We spent a number of days hacking and filming an EVM (in various states of undress) that had fallen into precisely the right hands. In what qualifies as some of the crazier days of my life Alex Halderman, Hari Prasad and yours truly were finding ways around armed roadblocks, relocating parts on circuit boards, debugging code with teams in different timezones, testing electronics, meeting with political figures surrounded by guys with machine guns and shooting parts of the video embedded below. All of this against the backdrop of the hurricane of plan-resistant chaos that is India.

Our research proved something which we really never doubted: with some preparation anyone with even momentary access to paperless voting machines can own the country. If it wasn’t fun to do it would be depressing that something that obvious needs proving over and over again. Maybe some day we’ll skip the film and just own the country instead. (Just kidding…) Some parts of India definitely looked worth owning, those rare moments I had time to look.

Anyway: never got to see the Taj Mahal. Then again: when I go to India next time, it will probably still be there. Which is much more than one can say of these EVMs. Have a look for yourself.

The more scientific writeup of all this (and much more) can be found at IndiaEVM.org. And VeTA, a new organization that unites India’s budding election transparency movement, has set up a new website at IndianEVM.com.

Please help spread this story if you can. You know how.