Monthly Archives: May 2014

Leading young people into crime and misery

The documentary about drones by Tonje Schei, which is available on the web page of Swedish television until 10 June, shows how young people can be led into very serious crime by their government. The high rates of alcoholism, drug abuse, imprisonment and suicide among veterans should come as no surprise.

Police trojans must be fought

This is a translation of Tomas Djurling’s recent article in Computer Sweden:

The wish of the police to use trojans to solve certain crimes will cause more harm than good, and the method has no place in a state of justice. This is claimed by security expert Tomas Djurling.

Police want to plant trojans in suspects’ computers in order to curb crime. I can well imagine that they have the desire. But have they thought through the full implications of this approach? To have this opportunity could perhaps solve some crimes, but there are so many downsides to this coin.

The German police have had the opportunity for a long time. The name of the trojan there is “Bundes Trojans or State Trojans”. The German hacker group Chaos Computer Club, CCC, discovered the trojan in October 2011. According to CCC there were major security flaws in the trojan. Among other things, it lacked authentication, which meant that computers that had the trojan installed became very vulnerable on the internet. The trojan’s communication was not encrypted, which meant that information sent over the internet could be easily intercepted.

You may well find that it does not do any harm if the “crooks” have flaws in their computers, but there are several very large downsides of this for police and prosecutors. How is evidence evaluated in subsequent criminal investigations and court proceedings, if it appears that the police have opened up a suspected computer on the internet, available for anyone to use based on their purposes?

Then also anyone can “plant” information in the computers that have the police trojan installed. The use of trojans for the police would probably make it much more difficult for police and prosecutors to solve crimes in a legally secure manner, which is expected of a state of justice.

The statistics of solved crimes would likely be worse. What lawyer would not miss the opportunity to challenge the evidence presented in these trials?

Other challenges are:

All those who turned out to be innocent, and were hacked with information losses, missed business or bankruptcy as a result of the trojan installed by the police. How are they protected?

What happens to the installed trojans that do not lead to investigation and trial? Should they be uninstalled hidden? What if the uninstallation fails, will it then be left or will the police do home visits, in order to uninstall the trojan on site with the previously suspected criminal?

Relatives of suspects or criminals may get hurt or violated in many situations.

The information collected by the police must be stored and handled in a secure manner throughout the investigation process. When a large and very important part of the process is done by computers connected to the internet, this process cannot be guaranteed to be secure.

How should the government protect these people’s privacy or replace the individual people or companies that get into trouble? No trojan or other software can be guaranteed to be secure over time.

This type of method is better suited in dictatorships than in western democracies. Apart from the purely legal, technical and investigative aspects, this will jeopardize the confidence in the administration of justice and ultimately in the entire state power. A trust that needs to be strengthened, not undermined.

If police and prosecutors would be able to use this method, they risk the rule of law for all in society. Hardly anyone would want that.

Companies that stand up against crime and abuses

In our series of blog posts on the relationship between companies and governments, we will this time look at companies that stand up against crime and abuses.

One well-known example lately is the US company Lavabit. When Lavabit was forced to participate in what they and many others believe to be criminal activities, the founder decided to instead shut down the company’s operations. However, the government’s abuse of power goes even further than destroying the company, because the founder Ladar Levison is obviously under a so-called gag order, so he cannot say much about what happened. Despite this, he tries to say as much as he can.

Newspapers and other media also often stand up against crime and abuses, by publishing information about it. It is their job to do that, and a very important job. How can democracy work, if ordinary citizens are withheld information about government-related crime and abuse of power? It can’t, of course. Therefore it is very disturbing that even media can secretly be issued a gag order, be infiltrated or be censored, even in countries often viewed as democracies, such as Israel.

When governments try to destroy companies like these, they are actually attacking the foundation of democracy. We owe a tribute to all who stand up against that.

Companies fail to take action

Sadly, many companies remain totally silent regarding government-related crime and fail to take action against it, even when they may be victims. One example appears to be the business-oriented social networking service LinkedIn. In 2013 it was revealed that the British GCHQ had set up fake LinkedIn pages to insert malware on users’ computers, which caused me to send LinkedIn the following e-mail (the e-mail address below was the only address to them I could find):

From: Sven Ruin [mailto:sven.ruin@teroc.se]
Sent: 26 February 2014 10:40
To: ‘press@linkedin.com’
Subject: Security risks
Priority: High

Dear LinkedIn team,

As a user of LinkedIn, I have been very surprised that I have not heard anything from you regarding the security risks related to LinkedIn, which were revealed last year (see for example www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html). I would have expected you to for example warn your users and take legal action against suspected government agencies. Since you seem to do nothing about this, I’m now considering to delete my LinkedIn account and recommend others to do the same. However, I first want to ask if you have done anything about this that I have missed or if you are about to take action?

My hope is that you want to take a clear stand against the alleged government crime, to insert malware on users’ computers and abuse the name of LinkedIn in this process.

I would be very thankful for your reply. Please be aware that I’m planning to post this conversation on a public website, because I think this is a valid concern for many.

Best regards,

Sven Ruin

TEROC AB
Odensvi Barksta 20
SE-73193 Köping
Sweden
Tel: +46-221-60160, +46-70-2298678 (mobile)
E-mail: sven.ruin@teroc.se
Website: www.teroc.se

Now it is May 2014, and I have still not seen any response from LinkedIn on this topic, so I’m deleting my LinkedIn account. I recommend all users of LinkedIn to consider this too.

Read more about how the USA and Sweden are also involved in this type of computer crime.