All posts by Tech Liberty

Guest Post: Hacking, Data, and You

The following is a guest post from someone who has established to us that they have good reason to remain anonymous.

Update: The NZITF has released some guidelines for coordinated disclosure in NZ.


“Deliberately hacking into a system like this is a criminal offence.”

Judith Collins is not alone in taking the view that any use of a computer that retrieves more than it should is a criminal act. Each time another government agency is publicly mocked for yet another failure to handle information security competently, the outcry is always directed towards the “evildoers” who found the hole and exploited it.

Information security is not a trivial matter. It’s not easy, and it’s very rare that any organisation actually has the in-house skills needed to deal with the multitude of new ways systems can be attacked. Worse, as was illustrated in the breach of MSD’s network, management do not pay attention to the possible damage even when the risks are plainly pointed out to them.

Hacking

It is worth noting that “hacking” is a term often thrown around in the media or by the public for acts which barely extend beyond the normal usage of a system. “Hacking” is, if we believe the way the term is used, literally any unintended use of a system no matter how trivial or obvious. A significant part of my job is to imagine how people can attack systems, and to weigh up the likelihood of those attacks being successful. I am, in part, a hacker by those terms.

Faced with any system, my first instinct is to poke it and notice the details most people do not – it’s my job to notice and reason about those details. Most geeks will do it somewhat instinctively, not because they’re “evil” as much as certain people want to make us out to be, but just because it’s there and it’s interesting. Given an “open file” dialogue box they’re going to see what else they can open, just like happened at MSD.

What is then done with the knowledge is where things get harder to define.

Whistleblowing

Whistleblowing is a dangerous business. The whistleblower becomes part of the story, with their motives and character questioned both in the media and by politicians and civil servants desperate to distract attention from their own failings. For some people it can be the end of their career.

It should not be taken lightly. You will note this story is published under a pseudonym; I won’t be putting my name out there to be dragged into the wrath of an embarrassed Minister’s rage. My objective as a whistleblower may have been to get a security hole fixed so that others can’t exploit it, but that won’t matter once it’s a media story.

Equally, if you are blowing the whistle, you had better be sure your own actions were honourable and can be demonstrated to be so. You should expect any and all of your interaction with the organisation will now be released/leaked for public consumption. But how should you disclose the vulnerability in such a way that it gets fixed and your name doesn’t get dragged through the mud?

What do we want?

We need to decide what the desired outcome is. Do we want information to be secure and for people who discover flaws to feel comfortable in disclosing them so security can be improved? Or do we want people to be too scared to speak up, so that those flaws live on to be discovered and traded on the black market?

It is in society’s interests that systems and information are well protected. We should expect that promises given to keep information secure are met, and that disclosures of holes aren’t responded to with yet another series of excuses and blame shifting. You might not feel that a breach of any given system affects you, but if breaches are covered up there is very little incentive to fix them.

Good disclosure

What can organisations do to encourage good disclosure? The first is to have the right attitude to information security. There are simple steps that any organisation can take to ensure vulnerabilities discovered by the public are handled properly.

  • Make it obvious where people should report any vulnerabilities that they find. This is no different from any other emergency contact details or a feedback point in a website.
  • A clear, public, policy on vulnerability disclosure. What steps will be taken with a claim of a vulnerability, how should information obtained be handled, and so forth. This is as much about ensuring you have processes internally as it is about making it safer for people to disclose to you.
  • Ensure vulnerability reports are reviewed by staff who are capable of giving them expert consideration. You don’t want a half-garbled explanation being handled by people without the depth of experience to see the problem and to speak the same language.

This, however, leads us to the thornier issue of what responsible disclosure and handling looks like. What does ethical hacking, if there is such a thing, actually consist of? There are no hard and fast rules about what is acceptable.

Even within the IT security field there is significant debate on whether organisations should be notified privately or whether ‘full [public] disclosure’ is the only way to get real change in security practices. And if you do go the private route, how long do you persist with it before you give up and go public?

Unlike a theoretical exploit against a system, these are breaches which involve real data. That makes it much harder to set ethical guidelines, because fundamentally it’s a criminal act. And, as we noted at the start of this post, there is no end of people who will attempt to convict you for it. For that reason you had better have a lawyer, and I should note that none of this post is intended as legal advice.

Take too much data, or exploit the system too often and your intent will be read as a criminal act. How much is “too much” is not easily identified either. Limiting the amount of information copied and limiting how often the breach is exploited may help.

“Responsible disclosure” states that at a minimum the organisation should be notified and given a chance to correct the problem, before public or “full” disclosure takes place. The point is that organisations who value information security will have good policies and clear contact points to deal with breaches and those organisations should be rewarded for doing so. The outcome is what everyone wants, better information security.

Disclosing to journalists or competitors is much less ethical if the original organisation has not been contacted. This is less true if they have been and they have dismissed the breach or failed to respond in an adequate time. Again, there are no hard rules about how long that should be. But in either case, this is a path that is almost certainly going to result in questions about your intent.

Extending the Protected Disclosures Act?

This is not a new problem. The law already recognises that there are times when people have a duty to breach an obligation they may have, and offers legal protection when they do so. The Protected Disclosures Act 1990 allows employees and other people inside an organisation to blow the whistle provided they act in accordance with a specific set of rules.

Perhaps it is time we had an IT vulnerability disclosure law that applies to people who are not employees. It would outline rules to follow when disclosing a vulnerability, and would provide legal protection as long as those rules were followed. The outcome would be that more holes can be discovered and fixed, thus improving the security of all our information.

What outcome do we want? Do we want vulnerabilities fixed, or points to be scored? I want my information secure, and I don’t care how that breach is discovered. I just want it fixed, and for all organisations to take information security seriously.

Are some Copyright Infringement notices invalid?

One of the outstanding issues of the changes to the Copyright Act has been whether rights holders would issue notices that comply with the law. Since our regulations outline a number of detailed requirements for notices, rights holders cannot simply pass on whatever they send in other countries.

The first few issued notices are starting to leak out and it appears that they do not comply.

An Orcon user posted to the 3strikes forum copies of the notices they received. Comparing the information provided on those notices to the law and regulations, we noted the following problems:

  • There is no description of the type of work as per 14(1) of the Copyright Act. (Regulations 4(2)c(iii).)
  • The nature of the breach (as described by 15(1) of the Copyright Act) is not specified. (Regulations 4(2)c(iv).) The notice only says a breach has taken place, not the nature of it.
  • The date and time given on the first notice is not specified to the second. (Regulations, 4(2)c(v).)
  • The file sharing application or network is not specified. (Regulations, 4(2)c(vi).)
  • The notice number does not include information that identifies the type of notice or the IPAP that sent it. (Regulations 5(2)(b) & (c).)

These details matter because the account holder needs to understand what they are accused of so that they can properly defend themselves.

Account suspension

We are also deeply concerned that the notice makes the claim that your Internet connection can be suspended by the District Court for up to six months. This part of the law has not yet been activated, and it is alarming that notices are already misleading users on possible penalties. Orcon should not be making such claims.

Concluding questions

The notices as posted do not comply with the requirements of the law and regulations.

Does this mean that they are invalid and can be challenged (or ignored) as such?

Will the Copyright Tribunal accept them as valid or not?

Does this mean that all notices sent through Orcon are invalid?

Filesharing: What does the law cover?

As is often the case with new laws there is not always a clear understanding of how it will be applied when it gets to real cases in court. Previously we’ve talked about the definition of an IPAP in the Copyright (Infringing File Sharing) Act, and now we’re going to look into the definition of “file sharing”.

The text of the Act defines “file sharing” in Section 122A(1) as:

file sharing is where—

  • “(a) material is uploaded via, or downloaded from, the Internet using an application or network that enables the simultaneous sharing of material between multiple users; and
  • “(b) uploading and downloading may, but need not, occur at the same time

Much of the Internet is designed in a way that content is simultaneously shared between multiple users, so does the new law apply only to peer to peer (P2P) filesharing or does it apply to any kind of sharing of content between people?

MED’s Answer

InternetNZ put this question to the Ministry of Economic Development who responded that by their interpretation it only covers P2P sharing. While this is useful, the view of the MED is not the only one taken into account by the courts.

Parliament

Hansard, the official record of Parliament, is also used as a reference when courts need to understand the intent of a piece of legislation. The question of what is included was asked during the debate for the second reading of the bill:

JACINDA ARDERN: I would like to request the Minister, given that Hansard will be used as a record going forward in the way that this bill is applied in practical terms, to give the Committee his view of the definition of “file sharing”, how he sees that definition being applied once this legislation is enacted and becomes law. For instance, does he believe that it includes an attachment to an email? How far does his view of this definition go? I think clarification from the Minister would be helpful for this debate.

Speaking for the Government, Hon Dr Nick Smith replied:

Hon Dr NICK SMITH (Minister for the Environment): I will also respond to the question from Jacinda Ardern about where in this bill the definition of file sharing is. It is quite simply set out in clause 7 of Part 1. That clause sets out quite clearly the definition of file sharing, and I further say that, yes, that definition does include an attachment that involves the sharing of files.

This appears to clearly state that the definition is not solely limited to P2P networks, but covers any method of sharing files, whether that be streaming, email, private or public locker sites, or any other method yet to be discovered.

Select Committee

Rick Shera has helpfully pointed out the following from the Select Committee’s report:

We recommend that the definition of file sharing in section 122A(1) be amended by including reference to downloading or uploading material using networks or applications that allow material to be shared among multiple users. This would avoid inadvertently capturing activities such as emailing or downloading that did not involve file sharing; if such activities breached copyright, they would be actionable under existing provisions in the Copyright Act.

Conclusion

With MED believing one thing and the politicians who passed the law believing another, what is the truth of the matter? The answer is that we cannot know until it is tested in court (or clarified by a law change).

Submission: Copyright (Infringing File Sharing) Act Regulations

Tech Liberty has made a submission to the Ministry of Economic Development on their discussion document for the regulations surrounding the Copyright (Infringing File Sharing) Act recently passed into law.

Our submission argues that ISPs are being increasingly put into a difficult position of escalating compliance costs imposed by regulations such as this, while having a very limited ability to prevent the behaviour creating those costs. We believe ISPs should not be involved in any way, shape or form in determining what end users can and cannot do with the Internet.

The submission also addresses the re-opening of debate around the division of costs, as the discussion document has again raised the possibility that ISPs will bear significant setup and on-going costs in handling these notices. We also note that information provided to those being accused of infringing copyright should be full and complete, and sufficient to assist account holders in identifying the root source of the claim of infringement.

Full submission: Tech Liberty Submission on Copyright Infringing Filesharing Act Regulations [PDF].

Still guilt on accusation: Copyright and section 122MA

Section 122MA of the revised Copyright (Infringing File Sharing) Amendment Bill sets out an alarming presumption: an allegation is proof of wrongdoing.

While many have made the comparison to traffic tickets (where guilt is assumed but can be challenged), we pointed out in an earlier article why this is unreasonable, with Police and media companies being held to very different standards of behaviour.

The law, to be passed under urgency today, has been modified but how much difference does this make? Compare the two versions:

Is this what the DIA filter looks like?

What we’re seeing

A thread over on gpforums.co.nz has discussed problems Telecom users have had accessing content delivered by various CDNs (content delivery networks – used by many sites to handle video streaming).

Network traces showed a large amount of packet loss and the path taken by the data looked a bit unusual.

This appears to be the first sign of a site being either adversely affected or actually blocked by the DIA filter. We’ve also had confirmation of other ISPs (Internet service providers) believed to be using the filter having access blocked.

What we believe is happening

The filter works by creating alternative routes to particular network IP addresses and passing them on to the participating ISPs. Traffic to those IP addresses is then passed to the DIA and checked by the filter to see whether it is going to the blocked site or another site on the same IP address. If it is going to a blocked site, the user is redirected to www.dce.net.nz; otherwise it is allowed through the DIA’s ISP and out onto the Internet. (Read more in our Filtering Frequently Asked Questions article.)

Inspection of the traces shows that the traffic is going through an ISP with a relationship with the Department. The address 124.150.165.62 in the traces is from that ISP. The traffic is then going out through a link that the ISP has to Australia.

This ISP’s link to the Internet appears to be either under considerable pressure or is simply broken. The level of traffic being dropped by it (as reported by users and our own investigation) is likely to be degrading access significantly to any site hosted – but not actually blocked – by any IP address the DIA is wanting to inspect.

What does this mean?

The site in question hosts anime (animated video from Japan and other countries). While we believe that some anime work has been found objectionable in New Zealand, we cannot find any reference to this site being banned by the Chief Censor.

Even if one video at the site has been blocked by the DIA, this blocking appears to be generally degrading performance to other material on that site or any other site hosted by the same content delivery network.

The Department has repeatedly denied access to the filter list in the expectation that hiding the list will prevent people from accessing it. As this story illustrates, it’s not difficult to uncover the filter given the effects it has on an IP address being filtered/intercepted.

We’re very interested in hearing from anyone else having difficulties accessing a site where 124.150.165.62 appears in a traceroute to the site. We’re particularly interested in legal content being degraded by passing through the DIA’s filter.
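The check described above, as an added example that is not part of the original post: it parses saved Unix `traceroute` output, reports whether the path transits 124.150.165.62, and compares probe loss before that hop with loss from it onward. The sample traces are constructed, every address other than 124.150.165.62 is a documentation-range placeholder, and the function names are this example's own.

```python
import re

# Address the article reports in traces that pass through the filter's ISP.
WATCHED_HOP = "124.150.165.62"

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms\b")

# Constructed sample output; only 124.150.165.62 comes from the article.
SAMPLE_TRACE = """\
traceroute to cdn.example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  1.102 ms  0.984 ms  1.045 ms
 2  gw.isp.example (198.51.100.5)  8.311 ms  8.120 ms  8.467 ms
 3  124.150.165.62  25.410 ms  *  26.002 ms
 4  198.51.100.77  61.220 ms  *  *
 5  203.0.113.10  63.870 ms  *  64.105 ms
"""

# Constructed control trace that does not pass through the watched address.
CONTROL_TRACE = """\
traceroute to cdn.example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1  1.102 ms  0.984 ms  1.045 ms
 2  gw.isp.example (198.51.100.5)  8.311 ms  8.120 ms  8.467 ms
 3  203.0.113.10  30.201 ms  30.944 ms  30.410 ms
"""


def parse_traceroute(text):
    """Return one dict per TTL: responder addresses, RTTs and timed-out probes."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"ttl": int(m.group(1)), "addrs": [],
                         "rtts": [], "timeouts": 0})
            rest = m.group(2)
        elif hops and line[:1].isspace() and line.strip():
            rest = line  # continuation line: another responder at the same TTL
        else:
            continue  # header or blank line
        hop = hops[-1]
        for ip in IP_RE.findall(rest):
            if ip not in hop["addrs"]:
                hop["addrs"].append(ip)
        hop["rtts"] += [float(v) for v in RTT_RE.findall(rest)]
        hop["timeouts"] += rest.split().count("*")
    return hops


def loss(hops):
    """Fraction of probes that timed out across the given hops."""
    lost = sum(h["timeouts"] for h in hops)
    sent = lost + sum(len(h["rtts"]) for h in hops)
    return lost / sent if sent else 0.0


def assess_path(text, watched=WATCHED_HOP):
    """Summarise whether the path uses the watched hop and where loss begins."""
    hops = parse_traceroute(text)
    idx = next((i for i, h in enumerate(hops) if watched in h["addrs"]), None)
    result = {
        "via_watched_hop": idx is not None,
        "watched_ttl": hops[idx]["ttl"] if idx is not None else None,
        "dest_loss": loss(hops[-1:]),
    }
    if idx is not None:
        result["loss_before"] = loss(hops[:idx])
        result["loss_from"] = loss(hops[idx:])
        # Loss at a single router is often just ICMP rate limiting; it only
        # matters if it starts at the watched hop and still shows at the end.
        result["degraded_via_hop"] = (
            result["loss_from"] > result["loss_before"]
            and result["dest_loss"] > 0
        )
    return result


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("control", CONTROL_TRACE)):
        print(name, assess_path(trace))
```

A single trace is a snapshot; repeating the capture at different times and comparing with a trace taken from a network that does not use the filter gives a firmer picture.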

Account holder liability vs IPAP

One of the major changes in the Copyright (Infringing File Sharing) Amendment Bill was the replacement of ISPs with something new called an IPAP. The reasoning appeared to be that it was unclear when the obligation to maintain mappings of IP addresses to users (i.e. one of the duties of an ISP) kicked in. The new definition added various exclusions and inclusions that determined whether you were an IPAP or an account holder.

What this hid from view was that if you weren’t an IPAP, then you must be an account holder. And, as an account holder, you became liable for everything done through that account. In fact, it’s easier to think about the implications of the bill this way:

Whoever is named as holding the last publicly identifiable address is liable for all infringement attributed to that address.

You can only escape this liability (and become an IPAP with all of their obligations) if you meet all of the following tests:

  1. Provide any form of digital communications to someone else
  2. Allocate an IP address to that person or organisation
  3. Bill the person or organisation
  4. Are primarily in the business of providing such services
  5. Are providing your services to fixed users on a continual basis, not on a transient basis

Approaching it from this point of view makes it easier to see what obligations and exposures you have.

Who is liable?

A public library providing Internet access terminals fails to meet points 4 and 5. This means they are liable for all infringement by anyone who uses their terminals.

An airport that provides free wireless Internet access to passing travellers fails to meet points 3, 4 and 5. They are liable for any copyright infringement by anyone passing through the terminal using their wifi.

I have a server from a hosting provider that I pay for. Since the hosting provider meets all of points 1 through 5, they have the obligations of an IPAP, and must forward notices to me. I am liable for any infringement made through my server, for example, after the server is hacked into and software installed on it without my knowledge.

What if you share an internet connection with your flatmates and your name is on the account? You don’t meet point 4, so you are liable for any infringement by your flatmates.

As the law is currently written, can any business or person risk giving Internet access to someone else?

Copyright infringement notices aren’t traffic tickets

One of the notable changes in the latest revisions of the Copyright (Infringing File Sharing) Bill is the addition of section 122MA. This section states that infringement notices issued by media companies against individuals are conclusive evidence to prove wrong-doing.

Some have interpreted this to mean guilt on accusation has made a return to the bill, after S92A was suspended and finally defeated for doing the exact same thing. In response, it is claimed that this does not re-introduce guilt on accusation, but instead is based on the traffic ticket model, where guilt is presumed unless the ticket is contested.

But traffic tickets are quite different to the claims made by media companies.

  • Traffic tickets are issued by sworn police officers, or by automated systems that are held to rigorous standards. Media companies and their notice sending robots are not held to the same standards and have no statutory obligations or penalties for wrongful claims. The industry has resisted attempts to inspect their automated systems.
  • Police are subject to oversight by their superiors, the Independent Police Complaints Authority and ultimately parliament and the public. They have a responsibility to be impartial and to act in the public good. Media companies and their agents have no oversight at all and act purely in the interest of their own profits.
  • Tickets issued by officers are unlikely to identify the wrong person, while automated systems have a number of checks and balances to ensure that only solid and provable tickets are issued. Media companies have already engaged in carpet-bombing users with claims that cannot be substantiated, and they rely on ISPs to always identify the correct account holder.

Google noted in their submission on S92A that 37% of the notices received under the DMCA were unable to be substantiated as valid copyright claims, and a whopping 57% were businesses targeting their rivals. Judge David Harvey noted in his submission on S92A that 30% of the copyright claims being heard in New Zealand failed to even establish a rightful copyright claim. Considering this error rate, surely we can’t be proposing to accept untested claims from media companies as conclusive evidence?

We believe that 122MA is trying to allow the Copyright Tribunal to make rulings based “on the papers” where there is no contest being made about the claims. But rather than following a traffic ticket model – making any claim made by a media company conclusive proof – we believe the Tribunal already has sufficient scope and experience to make that determination itself. This is similar to how the Disputes Tribunal works and is a sensible model for handling copyright infringement claims.

Section 122MA should be removed in its entirety.

ACTA: Say hello to statutory damages

Update: After further analysis and discussion with NZ officials we believe that the current draft of the ACTA agreement would allow New Zealand to maintain its current damages scheme as represented by the (c) option in the agreement (additional punitive damages are decided by the judge). This means that New Zealand would not have to adopt a statutory damages regime to comply with ACTA.

Original article follows:


There’s a new ACTA draft leak out, thanks to La Quadrature. And does it contain a shocker when comparing the new and last leaked texts.


Trans-Pacific Partnership: An FTA with fangs

In the last few years, New Zealand law governing intellectual property has been in a state of flux driven by the content industry demanding changes to protect their business. No sooner has one set of law changes been debated than another set of the same laws and demands pops up into view. From S92 of the Copyright Act to the ACTA treaty and now to the Trans Pacific Partnership.

The TPP is an existing free trade agreement (FTA) between NZ, Singapore, Brunei and Chile signed in 2005. The TPP allows for more countries to join and the USA, Australia, Vietnam and Peru have all indicated that they are interested. Substantive negotiations began in March.

Of course, the USA has proceeded to reframe the agreement around its usual default template for any FTA – draconian IP protection on behalf of its content industries and limited concessions in all other areas, creating a one-sided arrangement. As Australia experienced in its FTA negotiations with the US, it’s not about a meeting of mutual interests but a game of how much wiggle room can be found on the edge of the US demands.

New Zealand has long sought a free trade deal with the US (our second largest export market). In theory it means that our agricultural exports will have an easier time in a large market, but the powerful US agricultural lobby will limit this while changes to IP law will mean an increase in transfers from NZ users to US owners. However, even if the result is actually a net loss to New Zealanders, an FTA with the US is a “win” politically.

S92. ACTA. TPP. Once again the battle is on to defend our rights as both consumers and producers of IP before our laws are rewritten to suit the US.
