Cybersecurity

Thursday Morning: Come on Now [UPDATE]

Come on now,
who do you,
who do you,
who do you,
who do you think you are,
Ha ha ha bless your soul.
You really think you’re in control.

— excerpt, Crazy by Gnarls Barkley

The kids are all #TBT on Twitter — posting throwback material from their youth, which seems like just yesterday to me. I’ve got socks older than most of the stuff they share. But I have fun with it anyhow, like this Gnarls Barkley song. Perfect to sing at the top of your lungs in the office if you can get away with it.

Speaking of crazy…

Deadline today for Volkswagen
A deadline for a “concrete proposal for getting the polluting vehicles off the road” was due last month on March 24th after U.S. District Judge Charles Breyer gave VW a 30-day period to develop this solution.

That deadline was not met; Judge Breyer offered another 30-day extension as he felt progress was made. Today’s that second deadline, and it’s not clear a technical solution fixing the vehicles will be included in the proposal.

Reports suggest a combination of vehicle buy-backs and financial incentives may be offered along with funding for remediation. But no reports indicate development of true clean diesel technology to replace the emissions control units programmed to defeat emissions testing. Note from LAT’s article:

…The agreement would give some owners the choice of having Volkswagen repair their cars or buy them back, but it does not include plans on how to repair the vehicles, according to the person, who asked not to be identified because the deal hadn’t been made public.
[…]
… But some owners of newer models who get just a software fix may receive little. About 325,000 owners of older cars that require more extensive repairs likely will get more, because the repairs could affect mileage and performance.

In other words, some of the emissions test-defeating software may be replaced with software that actually meets emissions tests, but it may make the vehicles much less fuel efficient.

This is the crazy, right here: Barring a surprise announcement today, there is no commercially-viable clean passenger diesel technology. There never was — not even years after the first so-called clean passenger diesel was sold. That’s the fraud at the heart of Dieselgate.

UPDATE — 4:00 P.M. EDT —
At a hearing this morning in San Francisco, VW agreed on a deal to buy back or repair about 480,000 passenger diesel cars. Details have not yet been released and may not be until June 21st when VW is expected to have finished dotting all I’s and crossing all T’s.

The deal appears to cover 2.0L vehicles, but 85,000 VW-, Audi- and Porsche-brand vehicles with 3.0L engines are still up in the air. This may suggest performance and fuel efficiency are still problems with any emission control unit repairs.

The deal will also include some funds for pollution remediation, but details about remediation efforts are also unavailable.

Here’s Bloomberg’s report on VW, and here’s Reuters.

Guess we’ll save the Google-y bits for tomorrow, leave today for Volkswagen.

SS7 and NSA’s Redundant Spying

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

Wednesday Morning: Water, Water, Everywhere [UPDATE]

Day after day, day after day,
We stuck, nor breath nor motion;
As idle as a painted ship
Upon a painted ocean.

Water, water, every where,
And all the boards did shrink;
Water, water, every where,
Nor any drop to drink.

— excerpt, The Rime of the Ancient Mariner by Samuel Taylor Coleridge

Felony and misdemeanor charges are expected today in the Flint water crisis. State Attorney General Bill Schuette will put on a media dog-and-pony show, when it is expected that three persons — two engineers with the Michigan Department of Environmental quality and a Flint water department employee — will be charged for Flint’s lead water levels after the cut-over to Flint River water.

Mind you, the descriptions of these persons do not match that of higher level persons who were responsible for

1) making the final decision to cut Flint off from Detroit’s water system and switching to the Flint river;
2) evaluating work performed by consulting firms about the viability of Flint River as a water source, or about reporting on lead levels after the cut-over;
3) ensuring the public knew on a timely basis the water was contaminated once it was already known to government officials;
4) lack of urgency in responding to a dramatic uptick in Legionnaire’s disease, or the blood lead levels in children.

Just for starters. Reading the Flint water crisis timeline (and yes, it needs updating), it’s obvious negligence goes all the way to the top of state government, and into the halls of Congress.

Michigan’s Governor Snyder has elected to perform some weird self-flagellating mea culpa or performance art, by insisting he and his wife will drink filtered Flint city water for a month. It’s a pointless gesture since the toxic lead levels, experienced during the two years immediately after the city’s cut-over to the Flint River, have already fallen after doing permanent damage to roughly eight thousand children in and around Flint.

Flint’s Mayor Karen Weaver said about the governor’s stunt, “[H]e needs to come and stay here for 30 days and live with us and see what it’s like to use bottled or filtered water when you want to cook and when you want to brush your teeth.”

Or get a new mortgage, I would add. The gesture also does nothing for Flint’s property values. Imagine living in Flint, trying to refinance your home to a lower interest rate, telling the bank, “Oh, but the water’s safe enough for the governor!” and the bank telling you, “Nah. Too risky.”

UPDATE — 10:45 AM EDT —
Charges have been filed against City of Flint’s Laboratory & Water Quality Supervisor Mike Glasgow and Michigan Department of Environmental Quality Office of Drinking Water and Management Assistance district director Steven Busch and MI-ODWMA District Engineer Michael Prysby. Mlive.com-Flint reports,

Glasgow is accused of tampering with evidence when he allegedly changed testing results to show there was less lead in city water than there actually was. He is also charged with willful neglect of office.

Prysby and Busch are charged with misconduct in office, conspiracy to tamper with evidence, tampering with evidence, a treatment violation of the Michigan Safe Drinking Water Act and a monitoring violation of the Safe Drinking Water.

None of the individuals charged in the case have been arraigned.

Sure would like to see the evidence on Glasgow, given the email he wrote 14-APR-2014 (see the timeline).

House hearing on encryption yesterday

  • Worth the time if you have it to listen to the House Energy and Commerce Oversight and Investigations Subcommittee’s hearing, ‘Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives‘ to catch Apple’s general counsel Bruce Sewell and UPenn’s CIS asst. prof. Matt Blaze. Not so much for Indiana State Police Captain Charles Cohen, who was caught up in misinfo/disinfo about Apple’s alleged non-cooperation with the U.S. government. Wish there was a transcript, especially for the part where Sewell was quizzed as to whether Apple would encrypt their cloud.
  • Speaking of Cohen and misinfo/disinfo, Apple said it hasn’t released source code to Chinese (Reuters) — This is the spin IN’s Cohen got caught up in. Nope.

Another Congressional hearing of interest: Fed Cybersecurity
In case you missed it, catch the video of today’s House Oversight Subcommittee on Information Technology hearing on Federal Cybersecurity Detecion, Response, and Mitigation. You may have seen Marcy’s tweets on this hearing, at which Juniper Networks was a no-show, and Rep. Ted Lieu (D-CA) was kind of pissed off. Catch Bruce Schneier’s post about Juniper’s vulnerability.

Volkswagen has company: Mitsubishi’s mileage data tweaked to cheat
The Japanese automaker may have to pay back tax rebates offered on vehicles meeting certain fuel efficiency standards. Data from mileage tests on hundreds of thousands of cars was fudged to make the cars look 5-10 percent more efficient.

Speaking of cheating: Volkswagen’s use of code words masked references to emissions controls cheats
The amount of data under review along with the use of code words and phrases like “acoustic software” may delay the completion of the probe’s report. Don’t forget: tomorrow is the second 30-day deadline set for VW to provide a technical solution for owners of its passenger diesel vehicles.

That’s enough. Michigan state AG newser underway now as I update this again at 1:15 p.m. EDT; I may not update here since I addressed known charges above. Catch you on the other side of the hump.

Tuesday Morning: Trash Day

It’s trash day in my neighborhood. Time to take the garbage to the curb. I aim for as little trash as possible, which means buying and consuming less processed/more fresh foods. I use paper/glass/ceramic/stainless steel for storage, avoiding plastics as much as possible. Every lick of plastic means oil — either the plastic has been created wholly from oil, or fossil fuels have been used in its manufacture. Can say the same about the manufacturing of paper/glass/ceramic/stainless steel, but paper can be composted/recycled/renewed, and the rest can be used for lifetimes if cared for. I use ceramic bowls that belonged to my great-grandmother, and stainless pots and bowls once belonging to my mother, and I expect to hand them down some day.

Which makes me all judgy when I’m walking through the neighborhood, side-eyeing the garbage cans at the curb. Can’t believe how much waste is created every week, and how willing we are to pay tax dollars to stick it in the ground as landfill. How can Family X not bother to recycle at all? How can Family Y live on so much processed, chemical-laden garbage? It’s all right there at the end of their driveway, their addiction to fossil fuel consumption spelled out in trash.

What small change can you make in your lifestyle so Judgy McJudgyPants here doesn’t side-eye your trash cans?

Speaking of trash…

Piling on the wonks, Part 3: United Healthcare exiting Obamacare in Michigan
Disclosure: UHC is my health insurer, which I am fortunate enough to afford. But I couldn’t stay with them if I had to go on Obamacare. UHC says it’s losing too much money in Michigan to remain in the program — not certain how given the double-digit underwriting increase it posted for this past year. UHC will leave other states which may not fare as well as Michigan, and even Michigan will suffer from decreasing competition. Do tell us, though, wonks, how great Obamacare is. I’m sure I will feel better should I ever have to shop Obamacare plans for pricey coverage with a dwindling number of providers. And if you missed the previous discussions on inept Obamacare wonkery, see Part 1 by Marcy and Part 2 by Ed Walker.

Tech Tiews

  • Don’t let anybody say Apple isn’t cooperating with law enforcement (Phys.org) — Apple has, to the tune of 30,000 times from Jul-Dec 2015 alone, according to a report released late Monday.
  • BlackBerry CEO says telecom companies should ‘comply with reasonable lawful access requests‘ to assist law enforcement (Reuters) — Nice bit of footwork from a company which passed their encryption key to Canadian law enforcement as far back as 2010.
  • If you missed the 60 Minutes segment about the security threat posted by Signalling System Number 7 protocol (SS7), you should read up. (The Guardian) — Also wouldn’t hurt to look into end-to-end encryption for your communications. Wonder what role SS7 played in NSA’s and GHCQ’s ‘treasure mapping’ Germany’s Telekom and other global networks, and if this explains why SS7 is still not secure?
  • [Presence of drugs in car] plus [pics of cash on phone] = suspicious (Ars Technica) — Wait, isn’t the presence of illegal drugs in one’s car enough to make one a suspect?
  • New technology for chip-embedded smart cards will speed checkout times, says VISA (Phys.org) — What the hell are we being forced to switch to so-called smart cards for if they don’t actually improve checkout process already? We’ll piss away any savings from increased security standing in line waiting.

Time to fetch the emptied trash can. See you tomorrow!

Monday Morning: Calm, You Need It

Another manic Monday? Then you need some of Morcheeba’s Big Calm combining Skye Edward’s mellow voice with the Godfrey brothers’ mellifluous artistry.

Apple’s Friday-filed response to USDOJ: Nah, son
You can read here Apple’s response to the government’s brief filed after Judge James Orenstein’s order regarding drug dealer Jun Feng’s iPhone. In a nutshell, Apple tells the government they failed to exhaust all their available resources, good luck, have a nice life. A particularly choice excerpt from the preliminary statement:

As a preliminary matter, the government has utterly failed to satisfy its burden to demonstrate that Apple’s assistance in this case is necessary—a prerequisite to compelling third party assistance under the All Writs Act. See United States v. N.Y. Tel. Co. (“New York Telephone”), 434 U.S. 159, 175 (1977). The government has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here, either by making a serious attempt to obtain the passcode from the individual defendant who set it in the first place—nor to obtain passcode hints or other helpful information from the defendant—or by consulting other government agencies and third parties known to the government. Indeed, the government has gone so far as to claim that it has no obligation to do so, see DE 21 at 8, notwithstanding media reports that suggest that companies already offer commercial solutions capable of accessing data from phones running iOS 7, which is nearly three years old. See Ex. B [Kim Zetter, How the Feds Could Get into iPhones Without Apple’s Help, Wired (Mar. 2, 2016) (discussing technology that might be used to break into phones running iOS 7)]. Further undermining the government’s argument that Apple’s assistance is necessary in these proceedings is the fact that only two and a half weeks ago, in a case in which the government first insisted that it needed Apple to write new software to enable the government to bypass security features on an iPhone running iOS 9, the government ultimately abandoned its request after claiming that a third party could bypass those features without Apple’s assistance. See Ex. C [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, Cal. License Plate #5KGD203 (“In the Matter of the Search of an Apple iPhone” or the “San Bernardino Matter”), No. 16-cm-10, DE 209 (C.D. Cal. Mar. 28, 2016)]. In response to those developments, the government filed a perfunctory letter in this case stating only that it would not modify its application. DE 39. The letter does not state that the government attempted the method that worked on the iPhone running iOS 9, consulted the third party that assisted with that phone, or consulted other third parties before baldly asserting that Apple’s assistance remains necessary in these proceedings. See id. The government’s failure to substantiate the need for Apple’s assistance, alone, provides more than sufficient grounds to deny the government’s application.

Mm-hmm. That.

Dieselgate: Volkswagen racing toward deadline

  • Thursday, April 21 is the extended deadline for VW to propose a technical solution for ~500,000 passenger diesel cars in the U.S. (Intl Business Times) — The initial deadline was 24-MAR, establishing a 30-day window of opportunity for VW to create a skunkworks team to develop a fix. But if a team couldn’t this inside 5-7 years since the cars were first sold in the U.S., another 30 days wouldn’t be enough. Will 60 days prove the magical number? Let’s see.
  • VW may have used copyrighted hybrid technology without paying licensing (Detroit News) — What the heck was going on in VW’s culture that this suit might be legitimate?
  • After last month’s drop-off in sales, VW steps up discounting (Reuters) — Trust in VW is blamed for lackluster sales; discounts aren’t likely to fix that.

Once around the kitchen

  • California’s winter rains not enough to offset long-term continued drought (Los Angeles Times) — Op-ed by Jay Famiglietti, senior water scientist at the NASA Jet Propulsion Laboratory–Pasadena and UC-Irvine’s professor of Earth system science. Famiglietti also wrote last year’s gangbuster warning about California’s drought and incompatible water usage.
  • Western scientists meet with North Korean scientists on joint study of Korean-Chinese volcano (Christian Science Monitor) — This seems quite odd, that NK would work in any way with the west on science. But there you have it, they are meeting over a once-dormant nearly-supervolcano at the Korea-china border.
  • BTW: Deadline today for bids on Yahoo.

There you are, your week off to a solid start. Catch you tomorrow morning!

The FBI’s Asinine Attempt to Retroactively Justify Cracking Farook’s Phone

“Hold on honey,” said Syed Rizwan Farook, who had just murdered 14 of his co-workers, “let me go get my work phone in case they call me during our getaway”

That’s the logic the FBI is now peddling to reporters who are copping onto what was clear from the start: that there was never going to be anything of interest on Farook’s phone. After all, they’re suggesting geolocation data on the phone (some of which would be available from Verizon) might explain the 18 minutes of the day of the attack the FBI has yet to piece together.

For instance, geolocation data found on the phone might yet yield clues into the movements of the shooters in the days and weeks before the attack, officials said. The bureau is also trying to figure out what the shooters did in an 18-minute period following the shooting.

Farook drove a SUV to the attack and was killed in the same SUV. To suggest his work phone, which was found in a Lexus at his house, might have useful geolocation data about the day of the attack would suggest he made a special trip to the car to leave his phone in it and turned it off afterwards (if we really believe it was off and not just drained when the FBI found it the day after the attack).

Hold on honey, let me go place my work phone in the Lexus.

Similarly, it is nonsensical to suggest the phone would yield evidence of ties with foreign terrorists.

The FBI has found no links to foreign terrorists on the iPhone of a San Bernardino, Calif., terrorist but is still hoping that an ongoing analysis could advance its investigation into the mass shooting in December, U.S. law enforcement officials said.

They’ve had the metadata from the phone since December 6, at the latest. That’s what would show ties with foreign terrorists, if Farook had been so stupid as to plot a terrorist attack against his colleagues on his work phone, to which his employer had significant access.

Finally, reporters should stop repeating the FBI’s claim that Farook turned off his backups.

In particular, the bureau wanted to know if there was data on the phone that was not backed up in Apple’s servers. Farook had stopped backing up the phone to those servers in October, six weeks before the attack.

The government has actually never said that in sworn declarations. Rather, their forensics guy, Christopher Pluhar, asserted only that Farook may have turned them off.

Importantly, the most recent backup is dated October 19, 2015, which indicates to me that Farook may have disabled the automatic iCloud backup feature associated with the SUBJECT DEVICE. I believe this because I have been told by SBCDPH that it was turned on when it was given to him, and the backups prior to October 19, 2015 were with almost weekly regularity. [my emphasis]

But if he did, he was a damned incompetent terrorist, because — as Jonathan Zdziarski, who is quoted in this article, pointed out — at the same screen he would have used to turn off the iCloud backup, he could have also deleted all his prior backups, which we know he didn’t do.

  • Find my iPhone is still active on the phone (search by serial number), so why would a terrorist use a phone he knew was tracking him? Obviously he wouldn’t. The Find-my-iPhone feature is on the same settings screen as the iCloud backup feature, so if he had disabled backups, he would have definitely known the phone was being tracked. But the argument that Farook intentionally disabled iCloud backup does not hold water, since he would have turned off Find-my-iPhone as well.
  • In addition to leaving Find-my-iPhone on, the option to delete all prior backups (which include iMessage history and other content) is also on the same settings screen as the option to disable iCloud backups. If Farook was trying to cover up evidence of leads, he would have also deleted the existing backups that were there. By leaving the iCloud backup data, we know that Farook likely did not use the device to talk to any leads prior to October 19.

We also know from a supplemental Pluhar declaration that Farook had not activated the remote-wipe function, which he also would have done if he were a smart terrorist trying to cover his tracks.

Finally, Apple’s Privacy Manager, as Erik Neuwenschander demonstrated, Pluhar didn’t know what the fuck he was talking about with regards to backups.

Agent Pluhar also makes incorrect claims in paragraph 10(b). Agent Pluhar claims that exemplar iPhones that were used as restore targets for the iCloud backups on the subject device “showed that … iCloud back-ups for ‘Mail,’ ‘Photos,’ and ‘Notes’ were all turned off on the subject device.” This is false because it is not possible. Agent Pluhar was likely looking at the wrong screen on the device. Specifically, he was not looking at the settings that govern the iCloud backups. It is the iCloud backup screen that governs what is backed up to iCloud. That screen has no “on” and “off” options for “Mail,” “Photos,” or “Notes.

Zdziarski offers another possible explanation for the lack of backups on Farook’s phone, so there are other possible explanations.

iCloud backups could have ceased for a number of reasons, including a software update that was released on October 21, just two days after the last backup, or due to iCloud storage filling up.

The point is, we don’t know, and it’s not even clear Pluhar would know how to check. So given all that other evidence suggesting Farook may not have turned off his backups, journalists probably should not claim, as fact, he did.

Of course, that claim is really just a subset of the larger set of the bullshit FBI has fed us about the phone. It’d really be nice if people stopped taking their bullshit claims seriously, as so few of the past ones have held up.

Friday Morning: Dark Water Jazz

It’s Friday and that means jazz here at emptywheel. But no genre exploration today, just this lovely, evocative downtempo jazz/trip hop fusion work.

It’s dark water jazz indeed this week…

Congress oublies the Flint water crisis
I can’t find anything in C-SPAN about the House Energy and Commerce Committee hearing which was to address the crisis. Convenient for Republicans running for office right now to keep themselves at arm’s length from a Republican scandal. We’re lucky the hearing was captured at all; it can be found at the committee’s website. (Video 3:44:08)

It must be difficult to kowtow to traditional GOP underwriters while trying to appear like you’re doing a credible job of representing Americans most in need. But it’s a lot easier to bury and forget the inconvenient.

The latest scuttlebutt is that the bipartisan Energy Policy Modernization Act of 2015 (S.2012) will proceed without additional funding to remedy Flint’s damaged water system, still replete with lead piping. Senate Republicans led by Senator Mike Lee of Utah protested the inclusion of funding for Flint in this bill, threatening to reject it altogether.

Wait — you know who’s up for reelection this season? Senator Mike Lee! Amazing coincidence! Or not. You know, Senator Lee, when your fellow senators leak about your obstruction, you should catch a clue. Sometimes actually helping Americans is more important than sucking up to your anti-tax overlords.

You know who else is up for reelection this season? Senator Lisa Murkowski, the chair of the counterpart Senate Energy Committee and the sponsor of S.2012. You’d think she’d want to look effective as a leader and at governance.

Roughly 8,000 children will continue to live as if they are in a third world country, with a patchwork of assistance for their health and education, but no relief from the lead pipes which continue to run from the water department to their homes. Imagine them drinking water out bottles for the rest of their childhoods, their families having to take additional time and effort to lug bottles upon bottles for their daily essential needs.

Don’t even suggest these families leave. They are stuck, STUCK in Flint, because their property values have been gutted by the failure of a GOP-led state administration, and the continued avoidance by a GOP-led Congress. Who wants to buy a home with lead pipes in Flint now? Which banks want to finance new mortgages to those homes? Which insurers want to write coverage on them?

Some government aid has been offered to Flint — which the ever-ineffectual Rep. Fred Upton recited like a litany during the hearing (see 0:13:30 in the video) — but none of it addresses the lead piping.

Donald Trump won the Republican primary in Flint’s home county of Genessee, by the way. Can’t understand why…

Cleaning off the desk
Stuff worth perusing, but I’m not going to elaborate on before I chuck it in the bin for the week.

  • Microsoft suing U.S. government for gagging the software company about government requests for users’ information. (Microsoft) — MSFT president Brad Smith wrote in a blog post about the suit; note the complaint here (pdf) in which MSFT shared these details:

    Between September 2014 and March 2016, Microsoft received 5,624 federal demands for customer information or data. Of those, nearly half—2,576—were accompanied by secrecy orders, forbidding Microsoft from telling the affected customers that the government was looking at their information. The vast majority of these secrecy orders related to consumer accounts and prevent Microsoft from telling affected individuals about the government’s intrusion into their personal affairs; others prevent Microsoft from telling business customers that the government has searched and seized the emails of individual employees of the customer. Further, 1,752 of these secrecy orders contained no time limit, meaning that Microsoft could forever be barred from telling the affected customer about the government’s intrusion. The government has used this tactic in this District. Since September 2014, Microsoft received 25 secrecy orders issued in this District, none of which contained any time limit. These secrecy orders prohibit Microsoft from speaking about the government’s specific demands to anyone and forbid Microsoft from ever telling its customers whose documents and communications the government has obtained. The secrecy orders thus prevent Microsoft’s customers and the public at large from ever learning the full extent of government access to private, online information

    Emphasis Microsoft’s. Therein the one way to release a limited amount of information: file suit against the government.

  • Claims after March attack that Brussels airport security was lax impels Belgium’s transport minister to quit (euronews) — Bombs were detonated before security clearance area; not certain how minister could have prevented bombing except to move clearance all the way to the edge of the airport’s perimeter instead of after check-in.
  • UC-Davis sanitized the internet to prop its image (SacBee) — School paid $175K to excise references to a 2011 attack on student protesters by police using teargas. Should keep in mind UC-Davis is part of the University of California, of which former Homeland Secretary Janet Napolitano is president, who authorized spying-by-malware on UC-Berkeley.
  • Hey, did you know there’s a tiny sovereign country inside U.S. borders? (Atlas Obscura) — Welcome to Molossia, have a nice day! Surprised no uber-wealthy hit on this as a potential money-laundering. tax-avoidance strategy: make your own country inside the U.S.

And with that we’re off, headed for a nice spring weekend ahead. Have a good one!

FBI Has Been Not Counting Encryption’s Impact on Investigations for Over a Decade

During the first of a series of hearings in the last year in which Jim Comey (at this particular hearing, backed by Deputy Attorney General Sally Yates) pushed for back doors, they were forced to admit they didn’t actually have numbers proving encryption was a big problem for their investigations because they simply weren’t tracking that number.

On the issue on which Comey — and his co-witness at the SJC hearing, Deputy Attorney General Sally Yates — should have been experts, they were not. Over an hour and a quarter into the SJC hearing, Al Franken asked for actual data demonstrating how big of a problem encryption really is. Yates replied that the government doesn’t track this data because once an agency discovers they’re targeting a device with unbreakable encryption, they use other means of targeting. (Which seems to suggest the agencies have other means to pursue the targets, but Yates didn’t acknowledge that.) So the agencies simply don’t count how many times they run into encryption problems. “I don’t have good enough numbers yet,” Comey admitted when asked again at the later hearing about why FBI can’t demonstrate this need with real data.

In point of fact, a recent wiretap report shows that in the criminal context, at least, federal agencies do count such incidences, sometimes. But they don’t report the numbers in a timely fashion (5 of the 8 encrypted federal wiretaps reported in 2014 were from earlier years that were only then being reported), and agencies were eventually able to break most of the encrypted lines (also 5 of 8). Moreover, those 8 encrypted lines represented only 0.6 percent of all their wiretaps (8 of 1279). Reporting for encrypted state wiretaps were similarly tiny. Those numbers don’t reflect FISA wiretaps. But there, FBI often partners with NSA, which has even greater ability to crack encryption.

In any case, rather than documenting the instances where encryption thwarted the FBI, Comey instead asks us to just trust him.

Which is important background to an ancillary detail in this NYT story on how FBI tried a work-around for PGP in 2003 — its first attempt to do so — to go after some animal rights activists (AKA “eco-terrorists).

In early 2003, F.B.I. agents hit a roadblock in a secret investigation, called Operation Trail Mix. For months, agents had been intercepting phone calls and emails belonging to members of an animal welfare group that was believed to be sabotaging operations of a company that was using animals to test drugs. But encryption software had made the emails unreadable.

So investigators tried something new. They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

[snip]

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

DOJ didn’t include this encounter with encryption in the wiretap reports that mandate such reporting.

It is also unclear why the Justice Department, which is required to report every time it comes across encryption in a criminal wiretap case, did not do so in 2002 or 2003. The Justice Department and F.B.I. did not comment Wednesday.

It didn’t count that encounter with crypto even though FBI was discussing — as Bob Litt would 13 years later — exploiting fears of “terrorism” to get Congress to pass a law requiring back doors.

“The current terrorism prevention context may present the best opportunity to bring up the encryption issue,” an F.B.I. official said in a December 2002 email. A month later, a draft bill, called Patriot Act 2, revealed that the Justice Department was considering outlawing the use of encryption to conceal criminal activity. The bill did not pass.

Now, it may be that, as remained the case until last year, FBI simply doesn’t record that they encountered encryption and instead tries to get the information some other way. But by all appearances, encryption was tied to that wiretap.

Which suggests another option: that FBI isn’t tracking how often it encounters encryption because it doesn’t want to disclose that it is actually finding a way around it.

That’d be consistent with what they’ve permitted providers to report in their transparency reports. Right now, providers are not permitted to report on new collection (say, collection reflecting the compromise of Skype) for two years after it starts. The logic is that the government is effectively giving itself a two year window of exclusive exploitation before it will permit reporting that might lead people to figure out something new has been subjected to PRISM or other collection.

Why would we expect FBI to treat its own transparency any differently?

Update: This post has been updated to include more of the NYT article and a discussion of how encryption transparency may match provider transparency.

FBI’s Latest Story about the Hack of Farook’s Phone

There’s a lot that doesn’t quite make sense in Ellen Nakashima’s explanation for how FBI broke into Syed Rizwan Farook’s iPhone.

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

[snip]

At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.

This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States. These researchers do not disclose the flaws to the companies responsible for the software, as the exploits’ value depends on the software remaining vulnerable.

Don’t get me wrong. I don’t doubt Nakashima is reporting what she learned; I know other reporters were working on a similar direction.

It’s just that the FBI’s currently operative story still makes no sense. For starters, why would the FBI pay someone selling zero days but not be willing to consider the solutions offered by (just as an example of one forensics person I know who offered to help) Jonathan Zdziarski?

And I still wonder why the government apparently unsealed the warrant in Farook’s case once before it unsealed it to compel Apple. Indeed, while Nakashima (and other reporters) says FBI “did not need the services of the Israeli firm Cellebrite,” I still think using them (or someone similar) as a middle-man might offer the best of all worlds: no official possession of this exploit, easy contracting, the ability to give (as FBI has been) conflicting stories without any of them being fully false. Just as an example, if Cellebrite told FBI it currently couldn’t crack the phone before FBI got an All Writs Act order obligating Apple, then FBI could fairly claim, as they did, that only Apple or FBI could open the phone (even if they hadn’t actually asked many other people who might be able to hack the phone). But if someone went to Cellebrite or even FBI with the exploit after that, then FBI would have a way of using the exploit without having it and therefore having to submit it to the Vulnerabilities Equities Process (though technically they should still have to). FBI would have a way of promising to keep the exploit hidden, which the vendor would require, because it would technically never be in possession of it.

There’s one more thing that is getting lost in this debate. Comey and others keep talking about the use of this for an intelligence function, as if to justify keeping this exploit secret. I know that’s the convenient part of using a terrorism case to raise the stakes of back dooring phones. But this is ultimately a law enforcement issue, not an intelligence one, no matter how much FBI wants to pretend we’re going to find out something going forward. And as such it should be subject to greater standards of disclosure than a pure use of an exploit for intelligence purposes would.

In other words, FBI is still playing word games.

Wednesday Morning: A Whiter Shade

She said, ‘There is no reason
and the truth is plain to see.’
But I wandered through my playing cards
and would not let her be

— excerpt, Whiter Shade of Pale by Procol Harum
cover here by Annie Lennox

I’ve been on an Annie Lennox jag, sorry. I’m indulging myself here at the intersection of a favorite song which fit today’s theme and a favorite performer. Some of you will take me to task for not using the original version by Procol Harum, or another cover like Eric Clapton’s. Knock yourselves out; it’s Lennox for me.

Speaking of a whiter shade and truth…

FBI used a ‘gray hat’ to crack the San Bernardino shooter’s phone
Last evening after regular business hours WaPo published a story which made damned sure we knew:

1) The FBI waded into a fuzzy zone to hack the phone — oh, not hiring a ‘black hat’, mind you, but a whiter-shade ‘gray hat’ hacker;
2) Cellebrite wasn’t that ‘gray hat’;
3) The third-party resource was referred to as ‘professional hackers’ or ‘researchers who sell flaws’;
4) FBI paid a ‘one-time fee’ for this hack — which sounds like, “Honest, we only did it once! How could we be pregnant?!
5) A ‘previously unknown software flaw’ was employed after the third-party pointed to it.

This reporting only generated more questions:

• Why the careful wording, ‘previously unknown software flaw’ as opposed to zero-day vulnerability, which has become a term of art?
• How was the determination made that the party was not black or white but gray, and not just a ‘professional hacker who sold knowledges about a flaw they used’? Or was the explanation provided just stenography?
• However did Cellebrite end up named in the media anyhow if they weren’t the source of the resolution?
• What assurances were received in addition to the assist for that ‘one-time fee’?
• Why weren’t known security experts consulted?
• Why did the FBI say it had exhausted all resources to crack the San Bernardino shooter’s phone?
• Why did FBI director Jim Comey say “we just haven’t decided yet” to tell Apple about this unlocking method at all if ‘persons familiar with the matter’ were going to blab to WaPo about their sketchy not-black-or-white-hat approach instead?

That’s just for starters. Marcy’s gone over this latest story, too, be sure to read.

Volkswagen execs get a haircut
Panic among employees and state of Lower Saxony over VW’s losses and anticipated payouts as a result of Dieselgate impelled executives to share the pain and cut their bonuses. Germany’s Lower Saxony is the largest state/municipal shareholder in VW, but it’s doubly exposed to VW financial risks as nearly one in ten Germans are employed in the automotive industry, and VW is the largest single German automotive company. The cuts to bonuses will be retroactive, affecting payouts based on last year’s business performance.

Fuzzy dust bunnies

  • Verizon workers on strike (Boston Globe) — Until minimum wage is raised across the country and offshoring jobs stops, we’ll probably see more labor actions like this. Should be a warning to corporations with quarter-after-quarter profits and offshore tax shelters to watch themselves — they can afford to pay their workers.
  • Facebook deploys bots across its services (Computerworld) — But, but AI is years away, said Microsoft research…meanwhile, you just know Amazon’s Alexa is already looking to hookup with Facebook’s chatbot.
  • Google’s charitable arm ponied up $20M cash for disabled users’ technology improvements (Google.org) — IMO, this was a great move for an underserved population.
  • Judge’s rejects Obama administration blow-off of apex predator wolverines (HGN) — Wolverines, a necessary part of health northern and mountain ecosystems, need cold weather to survive. Montana’s U.S. District Court ruled the administration had not done enough to protect biodiversity including the wolverine. Crazy part of this entire situation is that the feds don’t believe the wolverine warrants Endangered Species Act (ESA) protection and that they can’t tell what effects climate change has on this species, but the species is seen rarely to know. Hello? A rarely-seen species means the numbers are so low they are at risk of extinction — isn’t that what the ESA is supposed to define and prevent?

UPDATE — 12:10 PM EDT —
From @cintagliata via Twitter:

Back in 1971, researchers observed Zika virus replicating in neurons and glia. (in mice) http://bit.ly/1XvsD4d

I’m done with the pesticides-as-causal theory. It may be a secondary exacerbating factor, but not likely primary. In short, we’ve had information about Zika’s destructive effects on the brain and nervous system for 45 years. It’s past time for adequate funding to address prevention, treatments, control of its spread.

It’s all down the hump from here, kids. See you tomorrow morning!

Emptywheel Twitterverse
bmaz @Will_Bunch Awe come on man, that was the most informative WH briefing in years.
8mreplyretweetfavorite
emptywheel @TyreJim The best @JasonLeopold can do is get legal fees for @_LightLaw, I think.
9mreplyretweetfavorite
emptywheel Notorious “FOIA Terrorist” Jason Leopold “Saves” FBI Over $300,000 https://t.co/qnJLk3MCWg
16mreplyretweetfavorite
bmaz RT @adamjohnsonNYC: ICYMI bullshit racists are still a thing https://t.co/88GCoN9Fvb
33mreplyretweetfavorite
emptywheel MSF: "lack of meaningful accountability" in Kunduz attack "unlikely to act as a deterrent against future violations" https://t.co/LA3Hjda9tt
45mreplyretweetfavorite
JimWhiteGNV @Pedinska Meh. Those guys are very reclusive. Probably only came out because we are now the driest we've been all spring.
1hreplyretweetfavorite
JimWhiteGNV @Pedinska Apparently coral snake fangs are pretty short so they are reluctant to take on large foes with thick skin/fur.
1hreplyretweetfavorite
JimWhiteGNV @Pedinska See this : https://t.co/BepCVGaEnf See my pic and compare to links for scarlet kingsnake and scarlet snake. Def. coral in house.
1hreplyretweetfavorite
JimWhiteGNV @Pedinska Yes, but this one was the real deal, yellow between red and black. In the safe ones, red touches black. And heads diff colors.
1hreplyretweetfavorite
JimWhiteGNV @Pedinska Yeah, they used up several lives today.
1hreplyretweetfavorite
JimWhiteGNV @Pedinska The cats have brought in a number of harmless corn snakes before. This is the first nasty one.
1hreplyretweetfavorite
emptywheel @charlie_savage The way in which they've hidden the 2009 shut-down, though, is equally significant. That was still the same STLW dragnet.
1hreplyretweetfavorite
April 2016
S M T W T F S
« Mar    
 12
3456789
10111213141516
17181920212223
24252627282930