Posts by Graeme Edgeler
-
Legal Beagle: Cameron Slater: computer hacker?, in reply to
And Slater has been back in court this week.
The more interesting question is whether it means Nicky Hager gets prosecuted. Police originally investigated him, but determined that a charge of receiving couldn't apply because of the Dixon case, as computer files aren't property. From that point, they investigated him as a possible witness only.
Now that the Supreme Court says computer files can be property, the reason that police have given for abandoning their investigation into Nicky has gone.
-
Legal Beagle: Crowdsourcing Project Cortex, in reply to
But I wanted to flag that many of the items ripped out of website terms-of-use etc from various agencies, will be generic references to IDS/IPS type behaviors that are likely already-in-place, and likely also have nothing to do with Cortex, so assumptions should not be made.
Oh yes. Operating on the assumption that both Una Jagose, and the writers of terms and conditions on Government websites are telling the truth, we can only rule out agencies, we can't rule them in.
I have tried to be careful when reporting my findings (premised, as they are, on participants meaning what they say), and have been saying that while some organisations can be ruled out as being protected by Cortex, based on their public advice, those who are ruled in are only possibly protected by Cortex.
-
Legal Beagle: Crowdsourcing Project Cortex, in reply to
I fear paranoia does us a disservice.
I don't particularly care that an email I have sent the DPMC might be monitored by the GCSB computer systems, or even seen by GCSB employees.
My point is that they have said we would be told if something like this was happening, and they have yet to tell us. If Una Jagose hadn't given a speech and an interview in which she said we would be told about monitoring for cyber defence purposes, I wouldn't be here talking about this.
If the Government wants the benefit of being able to claim openness in some aspect of the surveillance state, the very least they can do is be as open as they have said they will be.
-
Legal Beagle: Crowdsourcing Project Cortex, in reply to
I think Ben is right and there are no keys under this lamp post.
I am not really trying to find out what Cortex does with this blog post. I'm mostly trying to hold (to the extent a blog post and some tweets can) the GCSB and others to account for the things they say.
They have said that Cortex will not monitor my emails unless I am told in some way that particular emails may be subject to that monitoring.
If this claim is true, I want to see that advice.
-
Legal Beagle: Crowdsourcing Project Cortex, in reply to
There’s other possibilities. DPMC haven’t got around to it. There is a disclaimer that says:
The alerting of those who are in contact with your computer systems to the possibility of cyber defence monitoring is supposedly a pre-condition to use of Cortex by an agency. If DPMC haven't got around to alerting users yet, then my same three options apply:
they aren't protected by cortex
they have misled someone in order to be protected by cortex
contra claims by Jagose, advice is not necessary to be involved in cortex
I'll note that I'm not talking about protecting the website. I'm mostly talking about email. The way that the system was described, it was anti-malware protection, because eg malware can be a security risk. I suppose it is possible that DPMC has protection from malware excluding that which might come via attachments to emails, but that seems a pretty big hole, and is not far removed from the first of my options.
-
Legal Beagle: Crowdsourcing Project Cortex, in reply to
Um…presumably you’re all joking? Because:
In terms and conditions of use, for example.
According to Jagose's speech, an organisation obtaining the capability must consent to receiving it – and ... advise those who interact with their computer systems (staff, customers) that their communications may be accessed for cyber security purposes...
Now, I am a person who has interacted with DPMC computer systems, I have sent emails to the DPMC, and I have used the content submission forms on the DPMC website. If they have informed me that my interactions with their systems may be accessed for cyber security services, I have missed it. If they are going to do this, there aren't many options: it could be in their terms and conditions; it could be in their privacy policy, it could be a note on the page of the form you fill in to submit a query, but it has to be somewhere. And it's in none of those places.
If such advice isn't somewhere where I, as a person who has interacted with their computer systems, can see it, I am having difficulty seeing how they can have met the pre-condition for access to Cortex. They are required to advise those who may interact with their computer systems that their communications may be accessed for cyber security purposes.
Now, with some organisations, there is a lack of clarity because the terms may be silent, and maybe they've got Cortex, and just haven't said. But many of the agencies I've looked at aren't in that position. For example, with the DPMC, we're not just dealing with silence. The DPMC have a privacy policy in which they state that they do not disclose personal information voluntarily provided to them with any third parties. Use of Cortex in the way described by Jagose in her interview with Patrick Gower on The Nation is inconsistent with that.
Now, is it possible that either Jagose was misleading us, or the DPMC is misleading us in its privacy statement? Of course. How would I know? But whether this blog post is pointing out the absurdity of Cortex not protecting the DPMC, or if it is pointing out that the DPMC etc. are lying by providing a privacy statement which forswears use of Cortex, or if it is pointing out that Jagose is wrong when she described the pre-conditions of the use of Cortex, I'm pretty happy with it, because those seem to be the only options.
You're right that I'm not going to be able to use this process to know which one of those three options is correct, but that one of them is true is noteworthy enough.
-
Legal Beagle: Crowdsourcing Project Cortex, in reply to
compare that to the phrasing we’ve seen so far
may be subject to monitoring.
then the sites found so far are failing to say what use the monitoring is for. What happened to the “for cyber defence purposes” guys?
They are indeed. I wonder if there is any agency that is as explicit as Ms Jagose implied they need to be as a precondition to receiving cyber protection services from the GCSB as part of Cortex? My guess is probably not.
-
And more:
there is language sufficient to fulfil the precondition about disclosure of monitoring at the National Infrastructure Unit within treasury, but not Treasury itself.
And the Energy Safety unit within Worksafe NZ says "WorkSafe New Zealand systems to which this website connects and related equipment may be subject to monitoring." However, Worksafe NZ disagrees, carrying no language capable of fulfilling the disclosure pre-condition, as does the Ministry of Business, Innovation and Employment of which both are a part.
-
Find one, and then Google does your work for you!
Two further possible Cortex-protectees:
The Charities Service!
And
The New Zealand Debt Management Office!
Similar language appears in the Privacy Statement on the website of The Maori Land Court which says "The Ministry of Justice systems to which this web site connects and related equipment may be subject to monitoring." However, the Ministry of Justice website states that the monitoring done is Google Analytics.
-
Found one!
While the Ministry of Defence has not met the preconditions for protection by Cortex, the New Zealand Defence Force has something. It doesn’t mention monitoring for cyber defence in particular, but I guess we can’t be too picky:
The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.
As have the New Zealand Army:
The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.
The Royal New Zealand Navy systems to which this web site connects and related equipment may be subject to monitoring.
And the Royal New Zealand Air Force:
The New Zealand Defence Force systems to which this web site connects and related equipment may be subject to monitoring.
Along with both the Cadet Forces and Veterans Affairs.