Two new names have been added to the Axis of Espionage. It was revealed that Telstra and PCCW have been collaborating with US intelligence agencies, secretly allowing them access to data going through their networks since 2001.
Geographically, the UK was perhaps fated to end up at one end of the Axis due to its location on the edge of Europe. Hong Kong and Australia are at the other edge of the world and it is now clear that they have played a similar role.
Glancing at the maps one can only wonder when similar revelations will be made of Korea and Japan as both meet the requirements of membership of this exclusive club - being friendly to the US of A and playing host to a lot of intercontinental fiber. Singapore also fits the bill but there is no chance of any scandal making its way to the press there.
Back in the real world, I recently asked the three Thai telcos if they would share high level data as to the number of information requests from government, similar to Microsoft and Google’s transparency reports. AIS and TrueMove never replied (though AIS did ask for a deadline before obviously deciding that they had nothing to gain from replying). Dtac kindly said that it was classified information.
Meanwhile, while the fallout continues from the spying revelations of the NSA and CGQ, one wonders what effect this would have on companies and the myriad of compliance laws they have to navigate.
One example is the weakness of the https protocol. GCHQ was intercepting and storing raw encrypted streams for later decryption. It later was revealed that a weakness in the https protocol meant that once the private key on the server is obtained (either through a court order or more traditional espionage), the stream could be decrypted. Or to be more technical, the server’s forward key can be used to recreate the unique session key and that would be used to decrypt the stream of data and recreate the session.
Such a weakness could not be exploited without the massive interception and data storage capacity that the Axis of Espionage has at its disposal.
I asked a security consultant if https was still considered secure and how the revelations by Edward Snowden had affected his job.
All I got was a shrug and a terse reply. “Everyone’s thinking about it but nobody’s talking about it. If it’s the good guys doing it then I guess it’s ok.”
“But obviously PCI DSS doesn’t allow for transmission of cardholder data over insecure channels and https doesn’t sound very secure when you have the systems GCHQ have,” I continued - only to be met by silence, my friend knowing full well I was fishing for a story here.
But this complacency that backdoors, spying and all are fine if the good guys are doing it is the beginning of a slippery slope.
The first slip is using these fears as a trade weapon, and that has already happened.
On Sunday, I was listening to a program on BBC Radio 4 on how GCHQ had stopped a cyber terrorist attack on the electricity infrastructure on the opening of the Olympic games and how the US had not allowed Huawei into its communication infrastructure because of someone in Beijing had the power to press a red button to shut everything down. Both cases cited classified sources.
Never mind the reports that HP has backdoors in its storage servers or that Microsoft helped the spooks gain real-time access into outlook.com, mainstream media chose instead to rally up the ghosts of a communist era to justify exclusion of Chinese companies from infrastructure projects.
I wonder what the next slip would be.