Ken Dilanian has a very interesting article in the Los Angeles Times outlining the latest failure in Congress’ attempts to exert oversight over drones. Senator Carl Levin had the reasonable idea of calling a joint closed session of the Senate Armed Services and Intelligence Committees so that the details of consolidating drone functions under the Pentagon (and helping the CIA to lose at least one of its paramilitary functions) could be smoothed out. In the end, “smooth” didn’t happen:
An effort by a powerful U.S. senator to broaden congressional oversight of lethal drone strikes overseas fell apart last week after the White House refused to expand the number of lawmakers briefed on covert CIA operations, according to senior U.S. officials.
Sen. Carl Levin (D-Mich.), who chairs the Armed Services Committee, held a joint classified hearing Thursday with the Senate Intelligence Committee on CIA and military drone strikes against suspected terrorists.
But the White House did not allow CIA officials to attend, so military counter-terrorism commanders testified on their own.
But perhaps the White House was merely retaliating for an earlier slight from Congress:
In May, the White House said it would seek to gradually move armed drone operations to the Pentagon. But lawmakers added a provision to the defense spending bill in December that cut off funds for that purpose, although it allows planning to continue.
Dilanian parrots the usual framing of CIA vs JSOC on drone targeting:
Levin thought it made sense for both committees to share a briefing from generals and CIA officials, officials said. He was eager to dispel the notion, they said, that CIA drone operators were more precise and less prone to error than those in the military.
The reality is that targeting in both the CIA and JSOC drone programs is deeply flawed, and the flaws lead directly to civilian deaths. I have noted many times (for example see here and here and here) when John Brennan-directed drone strikes (either when he had control of strike targeting as Obama’s assassination czar at the White House or after taking over the CIA and taking drone responsibility with him) reeked of political retaliation rather than being logically aimed at high value targets. But those examples pale in comparison to Brennan’s “not a bake sale” strike that killed 40 civilians immediately after Raymond Davis’ release or his personal intervention in the peace talks between Pakistan and the TTP. JSOC, on the other hand, has input from the Defense Intelligence Agency, which, as Marcy has noted, has its own style when it comes to “facts”. On top of that, we have the disclosure from Jeremy Scahill and Glenn Greenwald earlier this week that JSOC will target individual mobile phone SIM cards rather than people for strikes, without confirming that the phone is in possession of the target at the time of the strike. The flaws inherent in both of these approaches lead to civilian deaths that fuel creation of even more terrorists among the survivors.
Dilanian doesn’t note that the current move by the White House to consolidate drones at the Pentagon is the opposite of what took place about a year before Brennan took over the CIA, when his group at the White House took over some control of JSOC targeting decisions, at least with regard to signature strikes in Yemen.
In the end, though, it’s hard to see how getting all drone functions within the Pentagon and under Senate Armed Services Committee oversight will improve anything. Admittedly, the Senate Intelligence Committee is responsible for the spectacular failure of NSA oversight and has lacked the courage to release its thorough torture investigation report, but Armed Services oversees a bloated Pentagon that can’t even pass an audit (pdf). In the end, it seems to me that this entire pissing match between Congress and the White House is over which committee(s) will ultimately be blamed for failing oversight of drones.
I confess, I don’t really know what Angry Birds is, except that my tweener niece was hot on the game a year ago.
But apparently it must be a key part of terrorist training (which makes me worried about my niece), because the NSA gathers up cell phone data the Angry Birds app leaks.
The National Security Agency and its UK counterpart GCHQ have been developing capabilities to take advantage of “leaky” smartphone apps, such as the wildly popular Angry Birds game, that transmit users’ private information across the internet, according to top secret documents.
From some app platforms, relatively limited, but identifying, information such as exact handset model, the unique ID of the handset, software version, and similar details are all that are transmitted.
Other apps choose to transmit much more data, meaning the agency could potentially net far more. One mobile ad platform, Millennial Media, appeared to offer particularly rich information. Millennial Media’s website states it has partnered with Rovio on a special edition of Angry Birds; with Farmville maker Zynga; with Call of Duty developer Activision, and many other major franchises.
Rovio, the maker of Angry Birds, said it had no knowledge of any NSA or GCHQ programs looking to extract data from its apps users.
“Rovio doesn’t have any previous knowledge of this matter, and have not been aware of such activity in 3rd party advertising networks,” said Saara Bergström, Rovio’s VP of marketing and communications. “Nor do we have any involvement with the organizations you mentioned [NSA and GCHQ].”
Millennial Media did not respond to a request for comment.
This is all very predictable (and will undoubtedly finally launch a conversation about data spillage on mobile apps).
But seriously. How many Angry Bird players does NSA really claim it has a valid foreign intelligence purpose to target?
The last decade witnessed the rise of deep state — an entity not clearly delineated that ultimately controls the military-industrial complex, establishing its own operational policy and practice outside the view of the public in order to maintain its control.
Citizens believe that the state is what they see, the evidence of their government at work. It’s the physical presence of their elected representatives, the functions of the executive office, the infrastructure that supports both the electoral process and the resulting machinery serving the public at the other end of the sausage factory of democracy. We the people put fodder in, we get altered fodder out — it looks like a democracy.
But deep state is not readily visible; it’s not elected, it persists beyond any elected official’s term of office. While a case could be made for other origins, it appears to be born of intelligence and security efforts organized under the Eisenhower administration in response to new global conditions after World War II. Its function may originally have been to sustain the United States of America through any threat or catastrophe, to insure the country’s continued existence.
Yet the deep state and its aims may no longer be in sync with the United States as the people believe their country to be — a democratic society. The democratically elected government does not appear to have control over its security apparatus. This machinery answers instead to the unseen deep state and serves its goals.
As citizens we believe the Department of State and the Department of Defense along with all their subset functions exist to conduct peaceful relations with other nation-states while protecting our own nation-state in the process. Activities like espionage for discrete intelligence gathering are as important as diplomatic negotiations to these ends. The legitimate use of military force is in the monopolistic control of both Departments of State and Defense, defining the existence of a state according to philosopher Max Weber.
The existing security apparatus, though, does not appear to function in this fashion. It refuses to answer questions put to it by our elected representatives when it doesn’t lie to them outright. It manages and manipulates the conditions under which it operates through implicit threats. The legitimacy of the military force it yields is questionable because it cannot be restrained by the country’s democratic processes and may subvert control over military functions.
Further, it appears to answer to some other entity altogether. Why does the security apparatus pursue the collection of all information, in spite of such activities disrupting the ability of both State and Defense Departments to operate effectively? Why does it take both individuals’ and businesses’ communications while breaching their systems, in direct contravention to the Constitution’s Fourth Amendment prohibition against illegal search and seizure? Continue reading
Playwright August Strindberg wrote, “…There are poisons that blind you, and poisons that open your eyes.”
We’ve been blinded for decades by complacency and stupidity, as well as our trust. Most Americans still naively believe that our government acts responsibly and effectively as a whole (though not necessarily its individual parts).
By effectively, I mean Americans believed their government would not deliberately launch a military attack that could affect civilians — including Americans — as collateral damage. Such a toll would be minimized substantively. Yesterday’s celebration related to the P5+1 interim agreement regarding Iran’s nuclear development program will lull most Americans into deeper complacency. The existing system worked, right?
But U.S. cyber warfare to date proves otherwise. The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.
There’s very little chance of escaping the poison, either. The ubiquity of U.S. standards in hardware and software technology has ensured this. The entire framework — the stack of computing and communications from network to user applications — has been affected.
• Network: Communications pathways have been tapped, either to obtain specific content, or obtain a mirror copy of all content traveling through it. It matters not whether telecom network, or internal enterprise networks.
• Security Layer: Gatekeeping encryption has been undermined by backdoors and weakened standards, as well as security certificates offering handshake validation
• Operating Systems: Backdoors have been obtained, knowingly or unknowingly on the part of OS developers, using vulnerabilities and design flaws. Not even Linux can be trusted at this point (Linux progenitor Linus Torvalds has not been smart enough to offer a dead man’s switch notification.)
• User Applications: Malware has embedded itself in applications, knowingly or unknowingly on the part of app developers.
End-to-end, top-to-bottom and back again, everything digital has been touched in one layer of the framework or another, under the guise of defending us against terrorism and cyber warfare.
Further, the government watchdogs entrusted to prevent or repair damage have become part and parcel of the problem, in such a way that they cannot effectively be seen to defend the public’s interests, whether those of individual citizens or corporations. The National Institute of Standards and Technology has overseen the establishment and implementation of weak encryption standards for example; it has also taken testimony [PDF] from computing and communications framework hardware and software providers, in essence hearing where the continued weak spots will be for future compromise.
The fox is watching the hen house, in other words, asking for testimony pointing out the weakest patches installed on the hen house door.
The dispersion of cyber poison was restricted only in the most cursory fashion.
• Stuxnet’s key target appears to have been Iran’s Natanz nuclear facility, aiming at its SCADA equipment, but it spread far beyond and into the private sector as disclosed by Chevron. The only protection against it is the specificity of its end target, rendering the rest of the malware injected but inert. It’s still out there.
• Duqu, a “sibling” cyber weapon, was intended for widespread distribution, its aims two-fold. It delivered attack payload capability, but it also delivered espionage capability.
• Ditto for Flame, yet another “sibling” cyber weapon, likewise intended for widespread distribution, with attack payload and espionage capability.
There could be more than these, waiting yet to be discovered.
In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.
Poison everything, everywhere.
But our eyes are open now. We can see the poisoners fingerprints on the work they’ve done, and the work they intend to do. Continue reading
Over the last handful of days breathless reports may have crossed your media streams about Stuxnet infecting the International Space Station.
The reports were conflations or misinterpretations of cybersecurity expert Eugene Kaspersky’s recent comments before the Australian Press Club in Canberra. Here’s an excerpt from his remarks, which you can enjoy in full in the video embedded above:
[26:03] “…[government] departments which are responsible for the national security for national defense, they’re scared to death. They don’t know what to do. They do understand the scenarios. They do understand it is possible to shut down power plants, power grids, space stations. They don’t know what to do. Uh, departments which are responsible for offense, they see it as an opportunity. They don’t understand that in cyberspace, everything you do is [a] boomerang. It will get back to you.
[26:39] Stuxnet, which was, I don’t know, if you believe American media, it was written, it was developed by American and Israel secret services, Stuxnet, against Iran to damage Iranian nuclear program. How many computers, how many enterprises were hit by Stuxnet in the United States, do you know? I don’t know, but many.
Last year for example, Chevron, they agreed that they were badly infected by Stuxnet. A friend of mine, work in Russian nuclear power plant, once during this Stuxnet time, sent a message that their nuclear plant network, which is disconnected from the internet, in Russia there’s all that this [cutting gestures, garbled], so the man sent the message that their internal network is badly infected with Stuxnet.
[27:50] Unfortunately these people who are responsible for offensive technologies, they recognize cyber weapons as an opportunity. And a third category of the politicians of the government, they don’t care. So there are three types of people: scared to death, opportunity, don’t care.”
He didn’t actually say the ISS was infected with Stuxnet; he only suggested it’s possible Stuxnet could infect devices on board. Malware infection has happened before when a Russian astronaut brought an infected device used on WinXP machines with her to the station.
But the Chevron example is accurate, and we’ll have to take the anecdote about a Russian nuclear power plant as fact. We don’t know how many facilities here in the U.S. or abroad have been infected and negatively impacted as only Chevron to date has openly admitted exposure. It’s not a stretch to assume Stuxnet could exist in every manner of facility using SCADA equipment combined with Windows PCs; even the air-gapped Russian nuclear plant, cut off from the internet as Kaspersky indicates, was infected.
The only thing that may have kept Stuxnet from inflicting damage upon infection is the specificity of the encrypted payload contained in the versions released in order to take out Iran’s Natanz nuclear facility. Were the payload(s) injected with modified code to adapt to their host environs, there surely would have been more obvious enterprise disruptions.
In other words, Stuxnet remains a ticking time bomb threatening energy and manufacturing production at a minimum, and other systems like those of the ISS at worst case. Continue reading
There’s a sense of security vested in the idea that the caller is outside the house and the woman is tucked safely in the bosom of her home. Phew, she’s safe; nothing to see here, move along…
In reality the caller is camped directly outside the woman’s window, watching every move she makes even as she assures herself that everything is fine.
After a tepid reaction to the initial reporting last week, most media and their audience took very little notice of the Washington Post’s followup piece — what a pity, as it was the singular voice confirming the threat sits immediately outside the window.
Your window, as it were, if you have an account with either Yahoo or Google and use their products. The National Security Agency has access to users’ content inside the corporate fenceline for each of these social media firms, greasy nose pressed to glass while peering in the users’ windows.
There’s more to story, one might suspect, which has yet to be reported. The disclosure that the NSA’s slides reflected Remote Procedure Calls (RPCs) unique to Google and Yahoo internal systems is only part of the picture, though this should be quite frightening as it is.
Access to proprietary RPCs means — at a minimum — that the NSA has:
1) Access to content and commands moving in and out of Google’s and Yahoo’s servers, between their own servers — the closest thing to actually being inside these corporations’ servers.
2) With these RPCs, the NSA has the ability to construct remote login access to the servers without the businesses’ awareness. RPCs by their nature require remote access login permissions.
3) Construction through reverse engineering of proprietary RPCs could be performed without any other governmental bodies’ awareness, assuming the committees responsible for oversight did not explicitly authorize access to and use of RPCs during engineering of the MUSCULAR/SERENDIPITY/MARINA and other related tapping/monitoring/collection applications.
4) All users’ login requests are a form of RPC — every single account holder’s login may have been gathered. This includes government employees and elected officials as well as journalists who may have alternate accounts in either Gmail or Yahoo mail that they use as a backup in case their primary government/business account fails, or in the case of journalists, as a backchannel for handling news tips. Continue reading
This won’t be a cool, calm, collected post like Marcy writes, because it’s me, the angry mom. You might even have seen me Tuesday afternoon in the school parking lot waiting to pick up a kid after sports practice. I was the one gripping the steering wheel too tightly while shouting, “BULLSHIT!” at the top of my lungs at the radio.
President Obama to ABC’s new Latino channel, Fusion (1:34): It’s important for us to make sure that as technology develops and expands and the capacity for intelligence gathering becomes a lot greater that we make sure that we’re doing things in the right way that are reflective of our values.
Ari Shapiro (1:46): And, Audie, I think what you’re hearing in that quote is a sense that is widespread in this administration that technological improvements have let the government do all kinds of things they weren’t able to do before. They tapped the German Chancellor’s personal cellphone and nobody really stopped to ask whether these are things they should be doing. And so that question, just because we can do something, well, does it mean we should be doing it, that’s the question that seems to be the focus of this review.
Bullshit, bullshit, bullshit.
Here, let me spell this out in terms a school-aged kid can understand.
This is a doorknob with a lock; so is the second closure device on the right.
The lock technology used on the second door is very different; it’s no longer simple analog but digitally enhanced. The second lock’s technology might be more complicated and difficult to understand. But it’s still a lock; its intrinsic purpose is to keep unauthorized persons out.
If one were to pick either lock in any way, with any tools to enter a home that is not theirs and for which they do not have permission to enter, they are breaking-and-entering.
If it’s law enforcement breaching that lock, they’d better have a damned search warrant or a court order, in the absence of a clear emergency or obvious crime in progress.
The argument that information technology has advanced to the point where the NSA blindly stumbles along without asking whether they should do what they are doing, or asking whether they are acting legally is bullshit. They have actively ignored or bypassed the proverbial lock on the door. It matters not where the lock is located, inside or outside the U.S.
The Washington Post’s revelation Wednesday that the NSA cracked Yahoo’s and Google’s SSL — secure sockets layer — is equivalent to evidence of deliberately busted door locks. So is the wholesale undermining of encryption systems on computers, cellphones, and network equipment revealed in reports last month, whether by weakened standards or by willfully placed holes integrated in hardware or software.
The NSA has quite simply broken into every consumer electronic device used for communications, and their attached networks. When the NSA was forced to do offer explanations for their actions, they fudged interpretations of the Constitution and laws in order to continue what they were doing. Their arguments defending their behavior sound a lot like a child’s reasoning. Continue reading
In follow-up to yesterday’s I Con, Le Monde reports that France’s spy agency, DGSE and the US, established a data sharing arrangement in 2011-2012 via which France provides call data to the US. It notes that part of the data the US gets comes from the French (apparently, Le Monde has better mastery of the conjunction than American National Security journalists) and that French citizens, as well as other targets, are included.
I suspect this is where the global dragnet may proceed: where we learn, country by country, that the US has side deals with partners, in addition to massive collections done largely (in Europe, anyway) by GCHQ, that allows it access to a lot of metadata.
But there’s something missing.
The US can, so long as it gets away with it, collect as much metadata as it can from France and other foreign countries. In the US, it has to work through the courts (well, that’s the law, one the Bush Administration flouted for 5 years).
And yet, the US collects far more metadata in the US than it does in France. In the last month of 2012, the US (and its partners, including GCHQ and DGSE) collected 70.3 million pieces of metadata in France, or roughly 1.07 piece of metadata on every French person. According to the Guardian, Boundless Informant shows the NSA (and its partners) collected 2.89 billion pieces of data in the month ending March 2013, or roughly 9.32 pieces of metadata on every American. And all that’s apparently before you consider the billions or trillions of pieces of metadata collected in the phone dragnet (which of course collects on “substantially all” the 310 million Americans (though in France, investigators can access phone metadata more readily).
That is, legally, the NSA (and its partners, including GCHQ) are not bound by legal limits on what they collect. But it collects more on Americans than it does on the French.
And yet … NSA finds more terrorists in Europe than in America.
More terrorists, less metadata.
I am sure this is a matter of comparing oranges to orange bouncey balls. Different times of the year, different numbers of terrorists in the country, different complementary tools and investigative skills. That is, there are nuances in all this data that neither the Snowden document recipients nor the NSA are going to be able to explain anytime soon. But they both seem to agree Boundless Informant does provide some picture of how much data the NSA (and its partners) collect where. And that does seem to show that NSA collects relatively more in the US than it does in Europe.
If that’s the case, then why is having a complete haystack of metadata here in the US pursuant to the Section 215 dragnet necessary? Doesn’t the European case show you can find even more terrorists without it?
Given that I’m very interested in the carrots and sticks the government uses to get tech companies to help spy on us, I find it rather interesting that from 2007 until August 31, DOD was allowing Google to pay for jet fuel at Moffett Field near Google’s HQ in Mountain View at DOD’s substantially discounted rate.
Granted, this arose because Google provided a light airplane to perform scientific flights for Ames Research Center.
NASA officials have pointed to a related agreement by the Google executives to perform scientific flights and other NASA-related transport. That mostly has involved flights by an Alpha jet, a small trainer bought by the Google executives and used by NASA to measure atmospheric greenhouse gases and ozone.
[T]he contract between H211 and the Pentagon stated that the fuel was supposed to be used only “for performance of a U.S. government contract, charter or other approved use,” and said violations could trigger civil or criminal penalties. There is no indication of any such investigation.
Flight records from the Federal Aviation Administration suggest that the vast bulk of the flights by the Google executives’ fleet have been for non-NASA purposes.
The main jets in the fleet—a Boeing 767, Boeing 757 and four Gulfstream V’s—have departed from Moffett a total of 710 times since 2007, FAA records show. The most frequent destinations were Los Angeles and New York, but the planes also flew 20 times to the Caribbean island of Tortola; 17 to Hawaii; 16 to Nantucket, Mass.; and 15 to Tahiti.
This agreement went into place before Google joined PRISM, for example (though I’m sure Google was already helping NSA on its storage challenges before that). Though I really look forward to Google defending these fuel purchases because so much of what they do is “for performance of a U.S. government contract.”
This is peanuts to a company as rich as Google; access to the airport is probably worth more to Google execs than the cheap gas.
Still, it’s a perk. The kind of perk that might explain why Eric Schmidt believes all this spying is just the nature of society. (h/t Kevin Gosztola)
There’s been spying for years, there’s been surveillance for years, and so forth, I’m not going to pass judgment on that, it’s the nature of our society.
Spying is the nature of society in the same way as special perks for those who help in it, after all.
A friendly handshake is offered;
Names are swapped after entry;
The entrant delivers a present;
The present is unboxed with a secret key…
And * BOOM *
This is cyber weapon Stuxnet‘s operations sequence. At two points in the sequence its identity is masked — at the initial step, when identity is faked by a certificate, and at the third step, when the contents are revealed as something other than expected.
The toxic payload is encrypted and cannot be read until after the handshake, the name swap, and then decrypted when already deep inside the computer.
In the wake of the co-reported story on the National Security Agency’s efforts to crack computer and network encryption systems, the NSA claims they are only doing what they must to protect the country from terrorists, criminals, and cyber attacks generated by individuals, groups, and nation-state actors.
Defense, though, is but one side of the NSA’s sword; it has two lethal edges.
While use of encryption tools may prevent unauthorized access to communications, or allow malicious code to be blocked, the same tools can be used to obstruct legitimate users or shut down entire communications systems.
Encryption APIs (ex: Microsoft CryptoAPI embedded in Windows operating systems) are often used by higher level applications — for example, a random number generator within the API used to create unique keys for access can also be used to create random names or select random event outcomes like a roll of the dice.
In Stuxnet alone we have evidence of encryption-decryption used as cyber warfare, the application planned/written/supported in some way by our own government. This use was Pandora’s Box opened without real forethought to the long-term repercussions, including unintended consequences.
We know with certainty that the repercussions weren’t fully considered, given the idiocy with which members of Congress have bewailed leaks about Stuxnet, in spite of the fact the weapon uncloaked itself and pointed fingers in doing so.
One of the unconsidered/ignored/unintended consequences of using weaponry requiring encryption-decryption is that the blade can cut in the other direction.
Imagine someone within the intelligence community “detonating” a cyber weapon built in the very same fashion as Stuxnet.
A knock at the door with a handshake;
Door open, package shoved in, treated as expected goods;
Encrypted content decrypted.
And then every single desktop computer, laptop, netbook, tablet, and smartphone relying on the same standardized, industry-wide encryption tools “detonates,” obstructing all useful information activities from personal and business work to telecommunications. Continue reading