Top Gillard IT security czar has never heard of Tor


news One of the top public servants involved in advising on national Australian cyber-security policy has admitted the division she helps lead was “not familiar” with the decade-old Tor software frequently used by activists and those seeking secure communications to protect their anonymity when using the Internet.

Tor is a package of free software and an associated network on the Internet which routes Internet traffic through a large set of complex network nodes online, encrypting and decrypting the communicated data along the way multiple times. The process, reminiscent of the layers of an onion for which the Tor project (‘The Onion Router’) was named, is complex and has the net effect of blocking the communicated Internet data from being eavesdropped on by law enforcement or other organisations. It was first developed in 2002 and has become popular in the decade since.

In May, Greens communications spokesperson Senator Scott Ludlam filed a Freedom of Information request with the Department of Foreign Affairs and Trade, seeking any documents pertaining to the Tor Project, which oversees development of the Tor system, and two individuals associated with the project — developer Jacob Appelbaum and project founder Roger Dingledine.

Ludlam’s interest in any documents associated with the Tor Project and the pair stems from the fact that both have recently visited Australia — Appelbaum most recently in January 2012, and Dingledine in May 2010.

In a letter to Ludlam on 28 May, DFAT wrote that it had failed to identify any documents relevant to Ludlam’s Freedom of Information Request. However, it did highlight a previously released cable in January 2012 from Australia’s Embassy in Washington to the department in Canberra that noted that the US Department of Justice had subpoenaed social networking site Twitter for information relating to Appelbaum, as part of a wider search relating to Wikileaks founder Julian Assange and suspected Wikileaks leaker Bradley Manning.

Ludlam subsequently questioned bureaucrats from the Department of Prime Minister and Cabinet earlier this week on the issue, in budget Estimates hearings. A partial transcript, supplied by the Greens, is available online here in Doc format.

“I have submitted to the department an FOI request to discover in a bit of detail what the department’s attitude is to Australian citizens protecting their privacy through the use of encryption software called Tor,” Ludlam asked departmental bureaucrat Sachi Wimmer on the occasion. “Are you familiar with that service?”

“We are not familiar with it,” Wimmer replied. “We have actually referred that FOI request to the [Australian Federal Police] because we have no record of ever being involved in it.” Ludlam followed up with the question: “But you are not familiar with the service?” “Not,” replied Wimmer.

Wimmer’s position is first assistant secretary of the Cyber Policy and Homeland Security Division within the National Security and International Policy Group of the Department of Prime Minister and Cabinet. The bureaucrat works alongside Allan McKinnon, who was appointed to the position of Deputy National Security Advisor in this division on 1 June 2012, with the additional title of National Security Chief Information Officer/Cyber-Policy Coordinator.

McKinnon’s role was set up, in the words of the department’s web site, “to provide strategic direction and coordination for information sharing across the national security community.

“The role of the Cyber Policy Coordinator (CPC) is to coordinate the whole-of-government approach to cyber policies and activities. The CPC provides strategic leadership and coordination on matters of cyber policy and strategies across the entire cyber ‘spectrum’, from online consumer protection to cyber defence. The Cyber Policy Group (CPG) is the primary forum for whole-of-government leadership and coordination across the full-spectrum of cyber policy issues,” the department’s site further states.

“To assist in coordinating the Commonwealth’s cyber policy agenda, the Department of the Prime Minister and Cabinet assumed responsibility for cyber security policy in December 2011 (previously held by the Attorney-General’s Department), as part of a broader reshuffle of portfolio responsibilities.”

Wimmer’s answer, in this context, is significant, because it appears to demonstrate a certain naivety on the part of one of the Federal Government’s top cybersecurity coordination branches when it comes to commonly used tools for evading Internet surveillance.

It also appears that Wimmer has little experience in the field of cybersecurity. A biography of the public servant published prior to her current appointment noted that Wimmer previously led the Homeland and Border Security division within the Department of the Prime Minister and Cabinet, which appears not to have dealt extensively with matters of IT security. Prior to that role and another similar role in the department, Wimmer worked in the Australian Customs and Border Protection Service and the departments of Agriculture, Fisheries and Forestry and Environment and Heritage. Wimmer holds tertiary qualifications in science, environmental law and public administration.

Other issues Ludlam questioned Wimmer and McKinnon on during the Estimates hearing related to the recent revelation that the Australian Securities and Investments Commission is unilaterally blocking websites it considers fraudulent, using the little known Section 313 of the Telecommunications Act, issues surrounding the Government’s response to the Wikileaks organisation, the recent announcement of a new government cybersecurity centre, and cybercrime in general.

opinion/analysis
Am I shocked to find out that the agency which advises Australia’s Prime Minister on ‘cybersecurity’ has no idea what a commonly used Internet anonymity tool like Tor is? No, I’m not. This is precisely the kind of gross technical naivety and ineptitude which Federal Government agencies such as the Attorney-General’s Department, ASIO, ASIC, the AFP, Defence Signals Directorate and others continually demonstrate when it comes to the modern Internet age. It appears to be something unique in the nature of the public service that only rarely are those deeply qualified to hold a post appointed to it. There is no doubt that Wimmer appears to be a highly qualified veteran when it comes to national security policy. However, IT security is a deep, complex and completely separate field, the nuances of which are lost on many.

I suggest Wimmer and her colleagues set some time aside for a rapid refresher course on these kinds of modern technologies. If the historical naivety of most politicians themselves with respect to the Internet and other technologies is any indication of what Australia can expect over the next few years when it comes to ‘cybersecurity’ matters, then the office of the Cyber Policy Coordinator will need all the help it can get in educating the political class about modern Internet reality.

23 COMMENTS

  1. And to think, I only just gave up Security…..

    To be fair, I’d suggest that the response is somewhat political (whimsical) in nature to fob off the Senator.

  2. “It appears to be something unique in the nature of the public service that only rarely are those deeply qualified to hold a post appointed to it.”

    Soooo, you’ve never worked for a bank then.

    Or any large corporate for that matter.

    They’re exactly the same.

  3. You would think he would have just Googled it… Maybe that can be the next question.

  4. I’m not even sure a refresher course could help someone understand the ins and outs of TOR and cyber technologies like this – specifically its impact on national security in a holistic context. If someone doesn’t have a genuine interest in a sector it’s very difficult to instill in them both the technological grounding and real world implications of these concepts.

  5. Tor does not encrypt and decrypt anything as you say. It merely makes it impossible to follow a connection back to its source. It provides anonymity only, not encryption.

    • From Wikipedia:

      “Onion Routing” refers to the layers of the encryption used. The original data, including its destination, are encrypted and re-encrypted multiple times, and sent through a virtual circuit comprising successive, randomly selected Tor relays. Each relay decrypts a “layer” of encryption to reveal only the next relay in the circuit in order to pass the remaining encrypted data on to it. The final relay decrypts the last layer of encryption and sends the original data, without revealing or even knowing its sender, to the destination. This method reduces the chance of the original data being understood in transit and, more notably, conceals the routing of it.

      http://en.wikipedia.org/wiki/Tor_(anonymity_network)

    • Tor does encrypt traffic passing over the Tor network, but once it gets to an exit node, the TCP packets come out exactly as they were put in.

      This means that if you don’t use HTTPS over Tor, your traffic can be snooped at the exit node and between the exit node and the server. Tor Browser comes with the HTTPS Everywhere plugin, so if a site is able to use TLS/SSL it will, but sadly a large portion of the Internet doesn’t.

      (This is not the case for hidden services on Tor of course – traffic between you and them doesn’t leave the Tor network).

      The point behind Tor is that nobody can tell who you’re communicating with. Both the source and destination of traffic are kept secret from the entire network (the only exception is that the exit node knows the destination, but nothing else).

      • Imagine if the NSA (or someone similar) were to run a whole datacentre containing just computers running as tor exit nodes. The anonymity of the system would go down very quickly.

        Not saying this is happening, but it’s still a potential flaw in the system.

        • It’s not a flaw – the exit node knows the destination of the traffic, but has no idea who originated it (unless the traffic contains identifying information and you’re not using SSL/TLS).

          As long as traffic passes through one node that is not compromised, the anonymity is preserved. There are correlation attacks (i.e. you see 2.5Mb of traffic coming from somebody’s internet and then 2.5Mb of traffic come out an exit node a few ms later – you can guess with some probability that it was the same traffic), but these require you to be able to monitor a large portion of the traffic on the internet and get less effective as the volume of traffic on the network increases.

          Also, it’s not in the interest of the US to try and compromise Tor – they initially funded it so they could be anonymous online for military and intelligence purposes. They had to release it to the public because an anonymity network that only one group uses is totally useless.
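The layered encryption the article describes in its Tor paragraph, and the exit-node behaviour discussed in the replies to comment 5 above, as a toy simulation added for this page. This is not Tor's protocol or code from the Tor Project: the three relay names, the pre-shared 32-byte keys, the JSON layer format and the SHA-256 counter-mode keystream standing in for a real cipher are all constructed for the illustration (real Tor negotiates per-hop keys with a Diffie-Hellman handshake and uses a fixed cell format). What it shows is that each relay can peel exactly one layer, learns only the next hop, and that the exit relay hands the payload on exactly as the client wrote it.

```python
"""Toy onion-routing simulation (added example; not Tor's own protocol or code).

Constructed assumptions: three relays (entry/middle/exit) each sharing a 32-byte
symmetric key with the client, a JSON {"next": ..., "body": ...} layer format,
and SHA-256 in counter mode standing in for a real stream cipher.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    # SHA-256 in counter mode as a stand-in stream cipher (illustration only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Wrap one layer: nonce || ciphertext || HMAC-SHA256 tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_layer(key, blob):
    """Peel one layer; raises ValueError when the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered layer")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def build_onion(circuit, destination, message):
    """Client side. circuit = [(relay_name, key), ...] ordered from entry to exit.

    The innermost layer (for the exit relay) carries the real destination and the
    application payload; every outer layer names only the next relay.
    """
    layer = seal(circuit[-1][1], json.dumps({"next": destination, "body": message}).encode())
    for (_name, key), (next_name, _) in zip(reversed(circuit[:-1]), reversed(circuit[1:])):
        layer = seal(key, json.dumps({"next": next_name, "body": layer.hex()}).encode())
    return layer


def run_circuit(circuit, onion):
    """Simulate the relays in order and record what each one can see."""
    relay_names = {name for name, _ in circuit}
    observations = []
    blob = onion
    for name, key in circuit:
        content = json.loads(open_layer(key, blob))
        is_exit = content["next"] not in relay_names
        seen = {"relay": name, "next_hop": content["next"], "sees_plaintext": is_exit}
        if is_exit:
            # The exit relay forwards the payload exactly as the client wrote it, so
            # anything not protected end-to-end (e.g. by HTTPS) is readable here.
            seen["payload"] = content["body"]
        else:
            blob = bytes.fromhex(content["body"])  # still ciphertext for the next relay
        observations.append(seen)
    return observations


if __name__ == "__main__":
    demo_circuit = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    demo_onion = build_onion(demo_circuit, "example.org:80", "GET / HTTP/1.1")
    for obs in run_circuit(demo_circuit, demo_onion):
        print(obs)
```

Running the script prints one record per relay: the entry relay sees only "middle" as its next hop, the middle relay only "exit", and only the exit record carries the destination and the payload. Opening the outer layer with the middle relay's key fails the HMAC check, which is the property the replies above rely on when they say a single honest relay on the path is enough to keep source and destination apart.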

  6. That’s amazing, when it’s so obvious that repeated and devious attempts by the current Canberra regime to monitor and restrict us obviously encourage the use of “HTTP Everywhere” and TOR. With Vidalia and Orbot making TOR so easy to install and switch on and off on a computer or smartphone, I foresee their use increasing to the point where even politicians will become aware of them – at least those smarter than the legendary Senator Luddite.
    Thanks for another good posting, Renai.

  7. Harper Reed made a great comment at CeBit yesterday about a Japanese saying … can’t remember it word for word … but the gist of it was “If you want to buy rice you should go to somebody who sells rice”.

    He was making the point that government needs to ensure that it sources expertise directly from people who actually have expert, hands-on, knowledge and skills … engineers. Hence the Obama campaign’s success by recruiting teams of hard-core software engineers from Silicon Valley companies… the rest, as they say, is history …

  8. I have seen state police officers get a 1 day tour of and an info session on TOR.
    I’m not talking detectives in sex crimes or fraud either; I do know a couple of the coppers worked in prosecutions and neighbourhood watch areas.
    So someone who is one step up from a beat cop has more of an understanding about TOR than Gillard’s IT security czar.
    We are in good shape.

  9. I would just like to say I love the image for the article.

    It gives me such a chuckle every time I see it :-)

  10. Yeah, crazy. Kind of like appointing someone to run an enormous civil engineering project who has only ever sold vendor switches before. Oh hang on…

  11. It sounds like a beat up to me. It was a secretary who didn’t know what TOR was. Most secretaries I know would give the same answer. She also said it wasn’t her department’s remit, and passed it on. That doesn’t mean the entire department doesn’t know what TOR is.

    And then I see this exchange:

    Senator Conroy : … Do you know what date ASIC issued its press release?

    Senator Conroy : I am just saying that it was issued. You said that it was issued much later than it was implemented.

    Senator LUDLAM: It was the quietest press release in history if it was released before people—

    Senator Conroy : I am looking at a press release on the ASIC website from Friday, 22 March. It indicates that ASIC has warned consumers about the activity of a particular website. It warns that they are scammers operating at websites.

    Senator LUDLAM: What date was that?

    ….

    Senator Conroy : … I get the sense that, despite you believing that it was possibly after the event, ASIC had already blocked access to these websites. That is what the press release said. They indicated on 22 March that they are blocking access to these websites.

    The ASIC having issued a press release saying they were going to block Melbourne University over a week before they did so seems like it is newsworthy given the attention it got here.

    And then we have this self serving justification from the department:

    Senator LUDLAM: … When the PM launched the centre, I understand that, there was an estimate derived from Norton that was based on a survey of 500 people. They extrapolated from that that there are 5.4 million victims of cybercrime at a cost of $1.65 billion per annum. In your answer to my question on notice, you blame the AFP for the Prime Minister citing that figure. But you again defended it as a reasonable illustration. I am wondering whether we are really basing an estimate of what cybercrime costs people per year on a single small source of 500 people quoted by a company that makes a profit from protecting people from precisely these sorts of activities?

    Mr McKinnon : As you know, costing the impact of cybercrime is a notoriously difficult activity. In that context, Norton—although clearly they have skin in the game—are a well-known company. It is an estimate that is an indication. But I do not think that anybody claims to be able to do better than that in any jurisdiction.

    Senator LUDLAM: Are you aware of the Essential Research independent polling on the incidence and actual cost of cybercrime, which was based on a sample of around 1,000 people, that showed that the Norton report quite seriously overstated both the extent of cybercrime and its cost?

    5.4 million people (over a quarter of Australian adults) were hit by cyber crime, losing $1.6 billion. I am not sure even “Pants on Fire” covers it.

  12. Richard Sadleir may have been the more appropriate bureaucrat to ask.
    He heads up the “Defence, Intelligence & Information Sharing Division”.
    Sachi Wimmer is more concerned with policy.

  13. Doesn’t surprise really, does it? Most people think the “www” internet is all that’s out there.

  14. There are different requirements for the head of a department to follow, usually more business in nature than technical in nature.

    It’s more like asking the difference between HTTP and HTTPS of any CEO. Not just the jargon of encrypted/not encrypted, but more in depth of how PKI is structured. I have no doubt many (even people working in IT) have very limited knowledge.

    Security is not just tools of the trade or technology based, but a whole range of human-related policies.
    (like how not to use tools like Dropbox for sensitive information, change passwords regularly, or limit who can access what file or server, online or offline)

    Do you blame the CEO of LinkedIn for not salting their passwords?
    Do you blame a CEO when an employee misplaces their password for Twitter?

    This article looks more like a politician bashing than anything useful. =P
