Turkish incursion into Northern Syria against Kurdish forces sparks tension at Hart House

Students protest U of T’s invitation of Turkish ambassador

Turkish incursion into Northern Syria against Kurdish forces sparks tension at Hart House

On October 10, protestors demonstrated outside Hart House against the invitation of Turkish Ambassador to Canada Kerim Uras to an event titled “Toronto-Turkey Alliance: Research and Trade Workshop.”

The protest was in opposition to Turkey’s recent military offensive into Northern Syria against the Kurdish-led forces called the People’s Protection Units (YPG), the leader of the military arm of the Syrian Democratic Forces (SDF). The YPG controls swathes of territory in northeastern Syria and have been instrumental to the US in its fight against Islamic State of Iraq and the Levant.

A day prior to the event, Foreign Affairs Minister Chrystia Freeland tweeted, “Canada firmly condemns Turkey’s military incursion into Syria today.” An October 8 report by Genocide Watch noted, “Turkey’s aggression into neighboring states threatens the long-term security of all Kurdish, Christian, and Yezidi populations in the region. Turkey’s intention is genocide.”

Protesting the event

Along with the Turkish ambassador, other speakers at the event included U of T professors from the Departments of Near and Middle Eastern Civilizations and Earth Sciences, as well as several professors from Turkish universities. Kurdish PhD student Sardar Saadi sent a letter to Ted Sargent, U of T’s Vice-President, International, asking him to cancel the event. “I am dismayed that my own university ignores these atrocities and plan to collaborate with the Turkish government, particularly at the time that Kurdish people are being bombed and displaced while the talk on ‘research and trade’ is taking place,” wrote Saadi.

Saadi wrote in an email to The Varsity that the protestors “managed to shut down the event,” but that Sargent continued with the event in private. “This is such a shame and as a member of this community for more than 6 years, I am ashamed of my university and incredibly furious and disappointed.”

“The event continued in a different format and in a different location because of safety concerns,” wrote Sargent in a email to The Varsity. He noted that the goal of the event was “academic collaboration and fostering connections between U of T and Turkish researchers in areas such as geophysics, archeology and nanotechnology.”

“Such discussions are in keeping with our commitment to academic freedom and free speech,” remarked Sargent.

Salam Alsaadi, a representative from the Syrian Solidarity Collective at U of T, wrote, “We strongly condemn invitations to all officials of any despotic regime in the region not only Turkish officials.”

The situation in Turkey and Syria

The Kurdish people are the world’s largest stateless ethnic group spread across Turkey, Syria, Iraq, and Iran, making up roughly a fifth of Turkey’s population. Turkey considers the YPG to be a terrorist group, as it links the YPG to the Kurdistan Workers’ Party (PKK). The PKK, a political and military organization based in Turkey that pushes for Kurdish autonomy, has been in armed conflict against the Turkish forces.

Following a sharp policy shift by US President Donald Trump, US troops withdrew from YPG territory. This prompted Turkish President Recep Tayyip Erdoğan to begin an offensive in order to establish a “safe zone” across the country’s border, free of Kurdish fighters.

On October 27, the SDF announced that it would be withdrawing from the Turkey-Syria border in accordance with a deal between Turkey and Syria, negotiated by Russia, amidst an unsuccessful ceasefire.

The Toronto Turkish Consulate General did not respond to The Varsity’s request for comment.

Spyware company introduces unprecedented human rights policy

U of T’s Citizen Lab researcher likens NSO Group’s reforms to “tokenism”

Spyware company introduces unprecedented human rights policy

Controversial Israel-based spyware company, NSO Group, has introduced a new human rights policy to complement its business practices — an unparalleled measure for the global spyware industry.

While NSO Group says the policy “embeds relevant human rights protections throughout [its] business and governance systems,” critics, including Amnesty International and U of T’s The Citizen Lab at the Munk School, have argued otherwise.

NSO Group’s track record

NSO Group is a cyber-intelligence company that sells technologies for monitoring communications of various targets. Earlier this year, it was partially acquired by Novalpina Capital LLP, a private equity fund based out of the United Kingdom.

According to its website, NSO maintains that it sells its technology to governments because “terrorists, drug traffickers, pedophiles, and other criminals have access to advanced technology and are harder to monitor, track, and capture than ever before.”

However, the company has also faced backlash for its practices. Research conducted at U of T’s Citizen Lab — an interdisciplinary research organization exploring digital surveillance, censorship, and cyberattacks — has discovered that NSO Group’s spyware, Pegasus, was used to target activists, journalists, and members of civil society in countries such as Mexico, Saudi Arabia, and the United Arab Emirates.

Most recently, in May, reports surfaced that NSO software was used to allegedly spy on a lawyer through a vulnerability in WhatsApp. The lawyer — who remains anonymous due to fears for their safety — was involved in a civil lawsuit against NSO.

In June, David Kaye, the United Nations’ Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, called for a freeze on selling and using spyware until “human rights-compliant regulatory frameworks are in place.”

In his announcement, Kaye said, “The private surveillance industry is a free-for-all.”

Following Kaye’s call, researchers at Citizen Lab released a statement about the harmful consequences of the commercial spyware industry.

“In light of the concerns raised by the Special Rapporteur reports, companies like Novalpina Capital LLP… must take responsibility for the harms caused by the surveillance technology manufactured and sold by NSO Group,” wrote the researchers.

“Such a step would mean respecting international human rights treaties and, as a starting point, complying with the moratorium demanded by the Special Rapporteurs.”

A new policy

NSO Group’s new policy, announced on September 10, is intended to align the company’s practices with the United Nations Guiding Principles on Business and Human Rights. The aim is to help the company identify possible risks for human rights abuses and work to prevent misuse of its products.

When the company announced the new policy, co-founder and CEO of NSO Group Shalev Hulio said that the policy “publicly affirms our unequivocal respect for human rights and our commitment to mitigate the risk of misuse.”

“With this new Human Rights Policy and governance framework, we are proud to further enhance our compliance system to such a degree that we will become the first company in the cyber industry to be aligned with the Guiding Principles,” he added.

Alongside the human rights policy, NSO also announced a new External Whistleblower Policy and three new senior advisors.

The advisors — United States Governor Tom Ridge, former French Ambassador to the United States Gèrard Araud, and former Assistant Secretary at the United States’ Department of Homeland Security Juliette Kayyem — are set to support the company in its partnerships with governments.

The response

In the wake of the policy announcement, advocates and researchers have grappled with the question: can spyware and human rights work in tandem?

In an email to The Varsity, Citizen Lab Senior Legal Advisor Siena Anstis wrote that the policy “does not inspire confidence.”

“It’s easy to put words to paper, but we still have no real information on how the company will be transparent regarding its business practices or what types of oversight and accountability structures are in place to ensure real implementation of the ‘human rights policy,’” Anstis wrote.

“Without transparency or accountability, the policy is meaningless.”

When asked if NSO’s human rights policy would spark similar policies in the industry, Anstis wrote that “it’s hard to predict whether other companies in this industry are going to follow suit.”

However, she noted that “it certainly wouldn’t be challenging for other spyware companies to engage in the same level of tokenism.”

In a public proclamation, Deputy Director of Amnesty Technology Danna Ingleton also criticized NSO Group in response to the policy.

“The company needs to demonstrate [that this reformed policy] is more than an attempt to whitewash its tarnished reputation,” she said. “It doesn’t get to pick and choose when it should respect human rights — all companies have this responsibility anyway.”

Ingleton called for more government regulation for the spyware industry.

“Governments also need to act,” she said. “There needs to be tougher legal requirements on respecting human rights for the spyware industry, which time and time again has trampled on the rights to privacy, freedom of opinion and expression.”

Anstis further advocated for tightened regulation in the spyware industry.

“In addition to pushing for reform,” she said, “the public should be calling for more transparency on when and how their governments deploy this technology and the safeguards in place to ensure it is not abused.”

Disclosure: Kaitlyn Simpson previously served as Volume 139 Managing Online Editor of The Varsity, and currently serves on the Board of Directors of Varsity Publications Inc.

Modern computer processors have severe security flaws

Malicious exploits Meltdown and Spectre could abuse speculative execution to steal data

Modern computer processors have severe security flaws

Two bombshell research papers recently revealed a pair of crippling security flaws, called Meltdown and Spectre, that are present in practically every modern computer processor running today.

Meltdown affects almost all manufactured Intel chips and some Arm chips, whereas Spectre likely affects all major brands: Intel, AMD, and Arm. Intel and AMD chips are used in personal computers, while Arm chips are used in smartphones. As a result, most devices are vulnerable.

Both flaws abuse an advanced processor feature known as speculative execution. As your device runs an application, it also looks ahead at decision points in the code, guesses which direction the application is likely to follow, and runs the code preemptively. Modern processors are surprisingly good at guessing in which direction the application will go.

If the application follows the predicted path, valuable processor time is saved, as the results will have already been computed. If not, the results are discarded.

The speculative execution feature does not have an effect on the outcome of an application’s task if it follows a different path than predicted. However, the application can detect that it took slightly longer to perform certain instructions.

From this information, the nature and content of data in a device’s memory can be deduced. For example, JavaScript in your browser could steal saved passwords using this method.

This has implications for institutions like U of T. “If an attacker successfully gets malware on a U of T device, that malware could use these vulnerabilities to steal passwords or keys being used on that device,” said David Lie, a software security expert and professor in the Department of Electrical and Computer Engineering.

The studies’ researchers actually discovered the flaws last year and privately told large technology firms to start preparing for software patches before the release of their findings.

Fortunately, software companies are now rolling out security updates at the operating system (OS) level, which users are highly advised to install in order to protect against these vulnerabilities. Meltdown is reasonably simple to patch in software, although Spectre is much more difficult.

Unfortunately, these OS patches come at the cost of performance. Most programs will be hit with a slight slowdown, with the theoretical worst-case scenario being a 50 per cent reduction. Operations such as disk access may be significantly affected as well.

Older processors, unfortunately, do not have the ability to selectively disable features as specifically as recent models. “There is collateral damage as the patches have to disable… features that are [not at risk] to ensure that the vulnerable features are also disabled,” said Lie. Therefore, older processors will see a more significant slowdown as a result.

U of T’s Enterprise Infrastructure Solutions (EIS), which operates the campus network backbone, also manages servers for cloud computing. EIS informed its users via email that it has “actively taken steps to secure our cloud services.” Most of their servers have already been patched, although “customers will also need to update the OS as soon as possible.”

Aside from certain technology firms, it appears that no other organizations were warned ahead of time. “There was no advance knowledge besides the public release of the information,” said Michael Wiseman, Acting Director of Information Security at U of T.

According to Wiseman, U of T will be following all recommended procedures to fix the security flaws, including installing patches.

While the world is now aware of these vulnerabilities, and organizations are taking the steps to fix them, there remains a lingering fear. Since researchers have been aware of Meltdown and Spectre since last year but only released this information in 2018, it is possible that malicious exploits have taken advantage of these flaws already.

Lie dispelled these fears, noting that although the vulnerabilities are powerful, exploiting them is not easy, nor could it be done quickly. “If an attacker has several vulnerabilities they could use, Meltdown or Spectre may not be the first one they reach for unless the other vulnerabilities have been patched.”

Wiseman agreed, noting that the sophistication of Meltdown and Spectre suggests that it is unlikely that an attack involving these vulnerabilities has occurred as of yet.

“Now that the information is out, we all have to be a bit more concerned,” said Wiseman.