Aftermath

Disclaimer

I won’t speak about everything we’ve discussed, for people’s lives are at stake. Also, as usual when things are done with organisations, I mostly spoke with people, not the entire organisation. And since they’re not robots, their views do not reflect the views of everyone behind the AFP name.

I had a lunch meeting

Yeah, again. But this time with a different kind of people. After the discussion I had with AFP via different media (my views and part of theirs are here), we came to the conclusion that we needed to talk with a cool head.

So, they invited me to lunch. It’s perfect if you want to keep it short, in fact, and people are usually more available.

So, there were three of them: a field journalist who works in the Middle East, the head editor for social media and one of their IT guys, specialised in security. All of them are nice and interesting people, and they do understand the issue with Skype.

AFP is an old lady

AFP is an old lady, crippled with habits and prejudices. Things will move, but they won’t move fast. I know there are people who think it will be too slow, but I’d rather have them start a real reflection about protecting their sources, even if it takes years, than move without thinking it through.

Also, a lot of people there do not understand the issues around new media and the internet. AFP has offices in a lot of places with freedom-of-communication problems (China, Lebanon, etc.) and has had them for years (they worked in the USSR, for instance), so they’re quite aware of the issues around protecting their sources.

It’s an old lady, and like every old lady, they’re experienced and, sometimes, a bit arrogant toward the young. But who isn’t?

AFP is an information system

Like every corporation. But when you manage an information system, you must be aware that you can only manage the information inside your system. I cannot manage information coming from your blog; I can only do it for mine.

The same goes for AFP: they can do whatever they want to protect information once it has reached one of their entry points (basically, reporters and journalists in the field). They cannot do much about information before it comes in from the outside.

So, for the part that’s inside AFP, they do use VPNs, and they’ve blacklisted Skype from their networks. They have strong security and encryption measures to protect the data received by a journalist once it has been gathered.

The issue with gathering information

The problem is when they need to get in touch with people. Or, in fact, when people want to get in touch with them. In their experience, it started in Libya. Rebels there wanted their voice heard, so they began Skyping everyone (from Reuters to AFP, going through every international media outlet they were able to reach).

The opponents were using Skype on their own because it is convenient. It’s installed everywhere and it just works (which is, for me, a sufficient reason not to use it), and AFP’s argument is that, if they want the information, they have to accept the Skype call.

What can be done

First, they have, I think, a good approach to security, trying to build a process around it and to define simple good practices and tips that can be applied easily.

Second, I told them that they should run their own free services for people outside AFP to reach them, like SIP or ZRTP servers, etc., and define them as the default entry point for external people (on the contact page, for instance).

Third, they need to find a way to open a secure channel over insecure ones. It’s not that easy, and it needs cooperation from the people in the field. Basically, if an opponent reaches them and a short contact is enough to pass on all the information they want to transmit, it’s OK: a 30 s phone call will take several minutes or hours to be detected and analysed. If not, they should use that first contact to agree on a different way of communicating, whatever it is.

The thing is, it’ll be viral. If opponents get into the habit of using unusual channels to communicate, they will do it with all their contacts. It will spread, and then other agencies will do the same thing, gradually reinforcing those habits.
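Added here as a worked illustration of the second and third points above (my example code, not anything from the post or from AFP, and not ZRTP itself): a plain Diffie-Hellman exchange over a standard group, after which each side turns the agreed key into a four-character Short Authentication String, which is the ZRTP idea. The two people read their string aloud during the short voice contact; anyone relaying and swapping keys on the insecure path leaves the two ends with different strings, so a mismatch means "drop this channel, agree on another". The party names, the relay scenario and the hash construction are assumptions of this example.

```python
import hashlib
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime, generator 2 (a public, standard group).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2                                   # order of the subgroup generated by G
SAS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # base32: unambiguous over a bad line


def sas_from(material: bytes) -> str:
    """ZRTP-style SAS: the first 20 bits of the key material as four base32 characters."""
    bits = int.from_bytes(material[:3], "big") >> 4
    return "".join(SAS_ALPHABET[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


class Party:
    """One end of the first contact: a fresh DH key pair and, after derive(), the agreed key."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.priv, P)
        self.key = b""

    def derive(self, peer_pub: int) -> str:
        """Validate the peer's value, derive the session key, return the SAS to read aloud."""
        # Reject degenerate values and anything outside the prime-order subgroup.
        if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
            raise ValueError("peer public value is not in the prime-order subgroup")
        shared = pow(peer_pub, self.priv, P)
        lo, hi = sorted((self.pub, peer_pub))      # same transcript order on both sides
        self.key = hashlib.sha256(
            lo.to_bytes(256, "big") + hi.to_bytes(256, "big") + shared.to_bytes(256, "big")
        ).digest()
        return sas_from(self.key)


def first_contact(relayed: bool = False) -> dict:
    """Run the exchange between a journalist and a source over the insecure channel.

    With relayed=True a third party on the path swaps in its own public values (an
    assumed scenario); the voice comparison of the SAS is what exposes that swap.
    """
    journalist, source = Party("journalist"), Party("source")
    to_source, to_journalist = journalist.pub, source.pub
    if relayed:
        to_source, to_journalist = Party("relay-a").pub, Party("relay-b").pub
    sas_j = journalist.derive(to_journalist)
    sas_s = source.derive(to_source)
    return {
        "sas_journalist": sas_j,
        "sas_source": sas_s,
        "sas_match": sas_j == sas_s,                # what the two humans compare aloud
        "keys_match": journalist.key == source.key,
    }


if __name__ == "__main__":
    for relayed in (False, True):
        r = first_contact(relayed)
        verdict = "OK, keep the key" if r["sas_match"] else "MISMATCH, drop this channel"
        print("relayed" if relayed else "direct", r["sas_journalist"], r["sas_source"], verdict)
```

A 20-bit SAS means a relay that swaps keys has about one chance in a million of going unnoticed, which is why the comparison has to happen by voice, not in the data channel itself.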

Fourth, we will stay in touch for other events like #Jhack, for them to share their experiences and for hackers to try to teach them fun ways to protect themselves and their sources.

Fifth, they should avoid using a trademark as a protocol name. They contact people by VoIP, not "by Skype". That is a piece of information that has nothing to do with journalism.

Conclusion

We, as hackers, must keep an eye on those old organisations. And, instead of slapping them hard, we should try to show them a different way that they could explore by themselves.

I won’t work with AFP, for I have no time for that, and they have competent security people. But I will stay in touch with the people I met, sharing experiences and working around issues we may meet.


Stupid journalists are killing people

Stop killing people, stop using Skype!

A journalist friend of mine pointed me to a news flash from AFP (REF: 29578 DVBP 729 GLN20 (4) AFP (295), if it means something to you) in which they killed someone. Or, if that’s not yet the case, he will be killed soon.

Why? First, they used his full name in the text, and the city where he lives. This is, in essence, like putting a target on his forehead and waiting for snipers, tanks and/or mortars to kill him.

But worse, they used the infamous malware named Skype to contact him. Besides the huge privacy issue of using something that was ‘accidentally’ deployed in the last Windows Update, it is public knowledge that Skype is used as a trojan to identify and hunt activists in Syria. The EFF posted about it, Kaspersky posted about it, even the original author of the tool used inside Skype to deploy the Remote Access Tool has written about it, along with a removal tool.

So, journalists have known for months that it is dangerous to use Skype. It is also dangerous to use closed and proprietary software. A lot of people have been saying this for months now, and even proposing alternative, free and decentralised systems, because it is the only way to enforce some bit of privacy.

You are a fucking idiot AFP

So, enough with the polite arguments. Each and every time someone uses Skype, Twitter, Facebook, MSN, Gmail or any other widespread and centralised system (this includes relying on a single XMPP or status.net server), they’re putting their sources in danger.

So, fuckers, YOU HAVE TO STOP THIS. Get your fingers out of your ass. Just think and do your jobs. You’re destroying everything that people are trying to do by being lazy assholes, full of selfishness and thinking without brains.

Stop that or I’ll go after your family and smash them with Apple hardware (since it appears it can only be used to slap someone).

You knew that Skype is dangerous. But you made that call. And you printed the name. You’ve killed the person who trusted you; you’re no better than the ones killing people in the street.

Addendum

It appears the interview is used in various flash news items; you can find one here (without going through a paywall).

Also, people might want to know what the risks are. Since it appears some are too lazy to use Seeks, I’ve done a quick search and found all of these:

It took me 20 seconds to find those. Also, if you’re looking for ways to communicate, there are two links I recommend:

Replies

Ok, so @afpfr did reply to me. Nice of them. Here are their tweets (they also replied to Telecomix and Ju).

Basically, they wanted me to contact them first, and then they said that their contact had no issue with the publication of his identity, adding that this identity is a pseudonym.

So, I do not think taking this issue private would have got them to answer anything or change their habits. Also, if it’s a pseudonym, it is there to make the source unidentifiable. So why write down the pseudonym? And if their contact always uses this pseudonym, the mukhabarat can go after him, arresting and torturing people to make the link between his real identity and his pseudonym.

Also, I have no personal issue with AFP. I have one with each and every person who puts someone in danger because they are too lazy to think and to use free software.

Moar Replies

Yeah, I know. But AFP wrote a long reply, and I think it’s interesting. You’ll find the French text here.

First, they wrote a long reply, which means we got their attention. It also means they’re concerned about it. So I’ll do a point-by-point reply, translating the text as I go, because I do think that things can change.

Lots of internet users were flaming AFP on the second of July, accusing it of putting the life of a Syrian opposition member in danger.

Saying that the outrage was overblown does not change the fact that you did put his life in danger.

In a news flash from Beirut, titled « Homs is still under fire, some injured people are amputated (militants) » and published Monday at 08:50 AM GMT, a militant from the shelled Syrian town gives his testimony:

"A lot of districts in Homs are still besieged and it’s very hard for us to bring food and drugs in," Khaled al-Tellawy, a militant from Homs contacted via Skype, told AFP.

Dozens of people, on Twitter and in blog posts, were outraged, sometimes in harsh and insulting terms, because AFP was quoting this Syrian opposition member by name. They also criticised AFP for using Skype, a communication system that some judge unsafe in terms of its conditions of use. The Syrian government is suspected of having created malware that lets it easily locate militants when they use Skype.

Ok, I do accept that I missed the pseudonym part (but then, giving a pseudonym or saying ‘one guy’ amounts to the same thing). But when you say that some people think Skype is unsafe, you’re missing the point.

Skype is a trojan. It’s a free (as in free beer) tool that lets users communicate using non-standard VoIP protocols. It lets a user share almost anything via Skype: text messages, desktop sharing, voice and video. It is now a subsidiary of Microsoft, and we all know that Microsoft works with each and every government, for instance in Tunisia. And the FBI uses Skype as a surveillance tool.

Besides, there are documented cases of Skype being used as a trojan in Syria to target activists there; the EFF spotted some of them.

Sammy Ketz, head of the AFP office in Beirut where the news flash was written, denies any accusation of carelessness.

« We explicitly asked him for authorisation to quote him. He granted us this right, given that Khaled al-Tellawi is, of course, a pseudonym, Tellawi being an area of Syria, » explained Sammy Ketz.

« None of our interlocutors gives us his real name, and they choose their pseudonyms themselves, » he adds. « It is the militants who are trying to contact us by all possible means, and they invite us to join them on Skype. It is, most of the time, their only means of communication with the outside. It is an unfair trial for an agency that has always tried to protect its sources, especially in a conflict as dangerous as Syria’s. »

So, why don’t you publish the pseudonyms of all your sources in every dispatch? I mean, if it’s so important for good information, why aren’t all journalists publishing the names of their sources, even if they’re pseudonyms? It appears to be common practice, since AFP is a traditional press agency with a good reputation, right? I might be missing something, right?

We should also ask Mediapart and Le Canard Enchaîné to disclose every source they have. After all, this is how good journalism is done, if I follow your reasoning. AFP, you must be kidding, or on crack, to think that.

Also, if someone walks into the middle of a street while a truck is about to smash into him, you warn him, you try to push him out of the way; you don’t just leave him in the middle of the road. So the argument that they reach you via Skype is fallacious. You should use that contact to establish secure communication with them.

« We use Skype daily to communicate with Syrian rebels, as we have always done, in Libya and to this day, and nobody has ever blamed us for that, » adds Jean-Louis Doublet, AFP chief editor for the Middle East.

We have already blamed everyone for using Skype, through the @telecomix status.net channel, this blog and a lot more media (even Richard Stallman warned everyone against Skype at the second Jhack). So you knew it, and you had already been blamed for it. But now you are listening, so you’ll learn (I hope).

And the fact that you were making mistakes before does not mean they weren’t mistakes.

« Opponents are necessarily conscious of the dangers of using Skype. But it’s that or being totally cut off from the outside world. In this country, everyone is risking their life, » he continues. « All the media are using Skype to speak to the Syrian opposition. Accusing AFP of doing it is specious. If someone wanted to stop us from spreading the opposition’s words, they would not act any differently. »

No, opponents are not necessarily aware of the dangers of Skype. But you are. It is your duty, as journalists, to establish secure channels of communication with your informants on the ground. You cannot assume that people are doing what they should; if they were, we wouldn’t have conflicts everywhere.

The fact that everyone is making a mistake does not make the mistake the right thing to do.

And, well, I do not want to shut down any contact with Syria. I just want people to think about the way they’re communicating. Telecomix and the WorldNeighbourgHood have permanent contact with activists in the field, using more secure channels.

With Telecomix, we are trying to make people aware of more secure ways of communicating. For 15 months we have also been building communication channels that anyone can use. You do not even have to ask our permission first.

But yes, it means you have to think first and act afterwards.


Edited to add the various links at the end (2012/07/02 16:37 Paris time)
Edited to add the replies (2012/07/02 17:39 Paris time)
Edited to add the more detailed reply from AFP (2012/07/02 20:22 Paris time)

Companies and hacktivism

Google’s case

On the 12th of March, I was at the Cyber-censorship event organised by RWB and sponsored by Google. There was a nice panel after that, with a lot of activists from Belarus, Egypt, Tunisia and Syria, among others. And, well, I could not restrain myself and expressed some worries about Google, Skype and other companies providing the tools activists use to communicate, and about their lack of openness.

The Google representative who was there answered briefly that

"[He] does not understand the criticism about the lack of openness of YouTube, everyone can access it".

Well, that’s not true. For instance, a video posted by Fhimt.com was locally censored for no apparent reason (the story is on reflets.info). And that’s only one case. I’ve got another one, an allegedly leaked video of the torture of a Syrian, that is ‘not available’ (but given the number of views and other things, it was available), and while building the TBS I saw that about twenty videos we once had are not available anymore.

So, yeah, youtube.com is available in most parts of the world. But not its content, and Google gives no specific reason (except for ‘copyright claims’); they give no guarantee that anything available now will be available tomorrow.

Worse, reading their terms of use, they restrict the availability of the content to authorised Google apps only (youtube.com being one), which means that, yes, TBS is violating clauses 4.C and 4.H of the terms of use:

You agree not to access Content through any technology or means other than the video playback pages of the Service itself, the Embeddable Player, or other explicitly authorized means YouTube may designate.

You agree not to use or launch any automated system, including without limitation, "robots," "spiders," or "offline readers," that accesses the Service in a manner that sends more request messages to the YouTube servers in a given period of time than a human can reasonably produce in the same period by using a conventional on-line web browser. Notwithstanding the foregoing, YouTube grants the operators of public search engines permission to use spiders to copy materials from the site for the sole purpose of and solely to the extent necessary for creating publicly available searchable indices of the materials, but not caches or archives of such materials. YouTube reserves the right to revoke these exceptions either generally or in specific cases. You agree not to collect or harvest any personally identifiable information, including account names, from the Service, nor to use the communication systems provided by the Service (e.g., comments, email) for any commercial solicitation purposes. You agree not to solicit, for commercial purposes, any users of the Service with respect to their Content.

So it means that everything on YouTube is subject to Google’s goodwill. If they decide, for one reason or another, that you must not see some content on YouTube, they will destroy it, and you have no legal way to make an archive of it. Not without a commercial agreement.

Hence the YouTube service is, indeed, free of charge and accessible. But it is not free at all, because there are a lot of things you cannot do with it.

I mean, Google could be an amazing archiving tool; they have an insane amount of data at hand, and they could archive it, guaranteeing to citizens that content on Google (email, video, docs, search results, whatever) will always be available using, for instance, documented and free standards. But they aren’t and they won’t.

They won’t because, whatever Google may say, they are a company. And the only goal of a company is to earn a big pile of cash. They can have ethics, they can pretend they’re going social, whatever. In the end, what dictates their moves is the amount of money they will have at the end of the month.

That’s why they moved into China, despite the censorship there. They saw 300 million people who can use Google; that’s 300 million people who can be subjected to behavioural analysis to serve them efficiently targeted advertising (which is Google’s job).

Google is not about freedom of information, so they accepted partial censorship by the Chinese authorities. Then they discovered they were the target of a huge attack, the Aurora attack, probably ordered by the Chinese authorities to go after some of Google’s intellectual property, so they pulled out.

They didn’t leave because their tool was censored. They left because their business was under attack. They made some PR moves about China being uncooperative, violating their property (no shit?) and forcing them into insane censorship (oh, really? So you’re not censoring yourselves?), and then they moved to Hong Kong, acting like the good guys.

The good guys would have stayed there, would have disobeyed and would have provided activists there with online tools to preserve their anonymity and security, fighting the laws and regulations of the Chinese government.

The Skype case

Skype is even worse. Even leaving aside that it is now a Microsoft product, Skype is built on closed and obfuscated protocols designed to get through most firewalls on both sides of the call. The utility allows desktop sharing, which grants execution on the remote host; your address book is stored somewhere; the cryptography is based on a secret algorithm not documented anywhere, so it is security through obscurity, which is as bad as no security (even worse, because it gives a false sense of security).

Skype’s only strength is having a good marketing team and being available on whatever platform you can think of (the free-of-charge thing is the same for all VoIP providers).

One big problem with Skype is the auto-update thing. It is used a lot to deploy malware, notably in Syria, where activists get killed for organising themselves (so, yes, a government using such malware can know the people you’re calling and can arrest you and them, along with their friends and families). I’m not saying Skype is collaborating with governments, just that closed proprietary software that gets installed on all computers, that can install things on its own without warning users, that can get through all firewalls and that does things behind your back is called a trojan over here.

Worse, Microsoft has now bought Skype. And Microsoft has a lot of patents. There is one that needs all your attention right now: patent 2010153809, labelled ‘Legal Intercept’. So, in short, Microsoft has patented the technology required to give any government the capability to intercept any communication made using one of its programs. Most governments now have laws authorising such things. There were laws for that on the classic phone system, as well as on GSM, and I’ve always thought it’s legal for them to intercept any communication they need to build a case against you, as long as the legal system allows them (and it will). The thing with Skype is that it was supposed to be end-to-end encrypted, so, basically, the snoopers could not get a verbatim record of the conversation.

With this patent, however, Microsoft is saying that any government can now intercept Skype communications. So, basically, anyone who has access to Microsoft’s lawful-intercept tool can now intercept Skype communications. So the encryption is now broken and will never be recoverable.

The weird thing is that the Syrian government, for instance, has laws granting it the right to spy on its people. With this kind of patent, they do not even need DPI and hackers to break it; they just need to ask Microsoft to give them the keys to the system.

Facebook, Google, Twitter and the one-identity problem

As I said before, most of the websites you use have only one goal: to serve you the data they want you to access (because they’re paid for that), not the data you want. And for this to be efficient, they need to know you in a lot of detail.

They do not care about you having a pseudonym or a real name (except for Facebook). What they do care about is that you have only one name. They need it because they want to track you everywhere you go, to build a profile of you that they can sell to whoever pays for it (or accesses their data in more creative ways).

For instance, Google has changed its Privacy Policy, requiring that you use only one account for all their services (and that all of those services share data with each other). So YouTube will know about what you wrote on Gmail and what’s on your blog (if you use Blogger).

Facebook, with its ‘like’ button, is even worse. If you’ve got a Facebook cookie in your browser (which, if you have a Facebook account, is the case), then even if you’re logged out, the simple fact of loading the ‘like’ button (which is a script) will report it to Facebook.

Twitter is now selling your public tweets (and all the information associated with each tweet, including location if it’s enabled). I still do not understand who would buy something that is already free because it’s public, so I suppose they in fact sell analyses and profiles matching some criteria, to target them with advertising, or sell them to a government agency willing to pay to watch its citizens. Don’t think it’s not the case; governments are spending huge amounts of money on CCTV cameras and other ways of spying on their people.

So what?

The thing is that those companies have products in almost every country; their products are free of charge because the users are the product, but still, you have them everywhere. They can handle insane traffic, they’re translated into the most common languages, they are easy to use, multi-platform and idiot-proof. And that’s why people use them to share pictures of their sex life or of their last trip to Vietnam, to share videos of riots and uprisings or of clever cats playing on a keyboard, to harass underage girls or to share an amazing animation clip.

Those tools are everywhere because they are big; they’ve made the internet popular, and they’re partly responsible for the development of smartphones and the eradication of dumb-phones.

And given that, and the fact that the last websites you will still be able to access in a crisis are Google, Facebook and Twitter, while news sites will be shut down to protect the government, activists can and will use them. And some of them will get killed for this, because those websites do not provide ways of communicating that are really anonymous.

Google says they’re making an effort to be as ethical as possible. If they really were, they would open the code they use on their servers, they would open and disclose their algorithms, and they would provide ways of fully enjoying their services without building a profile.

Surely they would earn less money. But they would still earn some. Plus, some people would have remained alive and free instead of being jailed for having uploaded content to Facebook or Google.