Cybersecurity

North Korea and Sony: James Clapper Describes His Trip

As debates about whether North Korea hacked Sony continue (or even better, websites mockingly show you could randomly assign blame to any number of people; h/t Kim Zetter), there’s something that has long bothered me. The excuse for the government’s failure to provide a more fulsome description of the reasons it is so sure North Korea is to blame always goes back to (NSA’s) sources and methods.

For example, here’s Jack Goldsmith making the legitimate argument that one reason you can’t attribute properly is because it would expose what we don’t know, and make us more vulnerable to hackers.

The problem with saying that the “secrecy of the NSA’s sources and methods is going to have to take a back seat to the public’s right to know” is that public knowledge could exacerbate the cyber threat. For when other countries know those aspects of those sources and methods, they can hide their tracks better in the next attack. The U.S. Government might think that the credibility hit it takes for not revealing more in the face of this relatively mild attack on Sony is outweighed by the longer-term advantages – to meeting and defeating greater cybersecurity threats – of having penetrated networks and conversations in unknown ways. The game is iterative, and the proper balance of secrecy and disclosure at any particular time is tricky.

There’s one part of the hack, however, for which such claims can’t be made — and which, in the government’s descriptions, has been just as weak as the FBI’s public forensic case against North Korea: motive.

Not only did the movie The Interview become the motive well after the hack, but — even assuming Kim Jong-Un is batshit crazy — the rest of the hack still doesn’t make sense. Why burn all those stars before targeting The Interview? Why release so much about Sony’s IP and other financial dealings before targeting The Interview? Why do nothing in the face of The Interview’s subsequent release and broad success? In other words, why does the bulk of the attack actually not attack the purported target of it? Heck, the hackers didn’t even make the most of the materials on The Interview obtained in the hack to best serve North Korea’s interests.

No description of the motive I’ve seen makes any sense (again, even assuming that everyone in a North Korean position of authority is crazy or at least irrational).

Meanwhile, as far as I know I had been the only person to point out that James Clapper made a highly unusual trip to North Korea just weeks before the hack to pick up two Americans North Korea claims were US spies.

Curiously, claims that North Korea launched the hack make no mention of James Clapper’s highly unusual trip to North Korea, just a few weeks before the hack was discovered, to pick up two Americans North Korea had imprisoned, claiming they were spies.

It seems to me you might more likely find a rational motive for a rash attack on US soil (albeit at the US subsidiary of a Japanese company) in that trip than in a movie, no matter how curious the movie’s ties to US national security figures. That is, not only did North Korea allegedly hack Sony for a movie reviewed by government officials depicting the assassination of Kim, but it did so weeks after the top US spy personally flew to North Korea to rescue two Americans North Korea claimed were spies, one of whom entered on a tourist visa and then ripped it up claiming he wanted to talk to North Koreans.

Reports from a press blitz Clapper did upon his return described Clapper delivering a letter from President Obama — which he described as doing no more than naming Clapper as envoy to pick up the two Americans but which Clapper declined to quote — and North Korea as disappointed that Obama hadn’t offered something more in exchange for the prisoners.

Mr. Clapper revealed details of the trip in an interview with The Wall Street Journal. The North Koreans seemed disappointed when he arrived without a broader peace overture in hand, he said. At the same time, they didn’t ask for anything specific in return for the prisoners’ release.

U.S. officials say the mission, which few officials within the Obama administration knew about until Mr. Clapper was returning, wasn’t meant to signal any change in the U.S.’s approach to the reclusive North.

Mr. Clapper’s earlier conversations with older North Korean officials on his one-day trip had been contentious. He heard what he called a far more “tempered” tone from a younger North Korean whom he described as an interlocutor and who accompanied him on the 40-minute drive back to the airport at the trip’s end. He said the interlocutor expressed regret that the North and South remained split and asked Mr. Clapper if he’d return to Pyongyang.

[snip]

The plan to send Mr. Clapper came together suddenly.

North Korea made clear that it wanted the U.S. to send a “senior envoy” and that it wanted a communication from the president.

The White House tapped Mr. Clapper, because he was a cabinet-level official though not a member of the cabinet or a diplomat. The White House didn’t want to signal to the North Koreans that Mr. Clapper was being sent to conduct a diplomatic negotiation. Mr. Clapper had also served as a military intelligence officer in South Korea in the mid-1980s and had a continuing interest in the Korean peninsula.

[snip]

Gen. Kim Young Chol appeared to be taken aback when handed the letter, Mr. Clapper said.

Written in English, the letter introduced Mr. Clapper as the president’s envoy and “characterized the release of the two detainees as a positive gesture,” Mr. Clapper said, declining to quote it directly. “It didn’t apologize.”

It’s possible there was more to the trip than Clapper’s very boisterous press blitz let on.

And it turns out I’m no longer the only one who links the trip to North Korea and the hack. At a speech at a cybersecurity conference at Fordham today, Clapper repeated accusations that North Korea had done the Sony hack, claiming that the General Kim Youn(g) Chol, with whom he had met on his trip, ordered the attack (see also Eamon Javers’ TL) amid more details of what went wrong with his plane and other details of his trip. The Bureau Kim Youn(g) Chol heads is among those sanctioned last week in response to the hack, though it doesn’t appear he’s among the sanction targets himself (though there is someone with a very similar name, Kim Yong Chol, who is Korea Mining Company’s representative in Iran, who was sanctioned).

I’m still not convinced that North Korea did the hack. But if they did, then there’s more of a backstory, precisely where Clapper is pointing to it: in his trip to North Korea just weeks before the hack.

Alternately, Clapper’s fixation on his trip may suggest his meeting with Kim Youn(g) Chol has influenced analysis of the hack, leading Clapper’s subordinates to ascribe more importance to heated meetings while their boss was in North Korea than they logically should.

Either way, Clapper’s giving a very partial description of that trip. But now that he has returned to doing so, it ought to be a much more significant focus for reporting on the alleged North Korea hack.

Hacking in the IOB Reports

If I’m not mistaken, this — in the Q3 2008 NSA Report to the Intelligence Oversight Board — is the first mention of Computer Network Exploitation in the reports.

[Screenshot: CNE entry in the Q3 2008 NSA report to the IOB, redacted]

As with almost every single reference to CNE — that is, hacking, or the use of malware to be able to spy on a target — this one is entirely redacted. (The sole exception is a targeted email that was detasked because the target entered the US, in the Q1 2009 report).

The number and complexity of incidents or details expand for some years, as with this entry in Q2 2009.

[Screenshot: CNE entries in the Q2 2009 NSA report to the IOB, redacted]

The entries invariably cite 18 USC 798 as a FOIA exemption. They vary on whether they’re FVEY (that is, permissibly shared with members of the Five Eyes) or NF (that is, not to be shared with any foreign government), though in later years the entries have much more frequently been NF — take that, Brits! And the entries appear under “Other,” not EO 12333 (which is curious, given that hacking should be governed by EO 12333).

After that first, single-incident mention, CNE appears in each report until Q4 2011, after which it doesn’t appear again (though there is an entirely redacted section that appears in all but the most recent report in the EO 12333 section).

I make these observations not because they tell us anything about what kind of hacking the NSA is doing (you can look to Snowden’s documents for that), but to lay out several questions.

If — as claimed in Shane Harris’ @War — hacking is increasingly how we collect SIGINT, how is it regulated? Did NSA, and does NSA still, consider it to be something other than EO 12333 collection? What counts as a violation when you’re hacking to collect intelligence? To what degree is IOB overseeing the methods used, as opposed to just the actions that’d be violations regardless of the collection type (as detasking someone in the US would be)? And if CNE (hacking) has entirely disappeared from these reports, does that mean NSA has just cleaned up its act, or that it simply doesn’t report on this anymore?

I get why these passages are entirely redacted. In part, NSA is sustaining the same myth it sustains when it doesn’t admit StuxNet. It’s pretending it is not engaging in the same hacking it sanctions North Korea for.

Only it is. Which raises real questions about what kind of oversight it gets.


As FBI’s Amerithrax Case Continues to Crumble, Bureau Digs in on North Korea Claims

[Image: FBI cybersecurity ad]

In ads released even as their claims about North Korea come under scrutiny, FBI tries to make cybersecurity Agents look like Eliot Ness.

Less than 10 days ago, Jim laid out yet more evidence that the FBI’s claimed explanation for the anthrax attack — that USAMRIID researcher Bruce Ivins not only perpetrated the attack, but did so acting alone — was scientifically problematic. So 13 years ago, anonymous sources blamed Iraq for the attack, 12 years ago they blamed Steven Hatfill, and 6 years ago, they started blaming Bruce Ivins. Probably, none of those claims are true.

The FBI still hasn’t solved one of the most alarming terrorist attacks in this country, an attempt to kill two sitting US Senators. Instead, it persists in a claim (versus Ivins) that doesn’t comport with the science, to say nothing of the other circumstantial evidence. FBI only ever sustained that claim by assuming — based on no known evidence — that a Lone Wolf, rather than conspirators, launched the attack.

Even as new evidence undermining the FBI’s obstinate claims about Ivins got released, the FBI has been making equally obstinate claims that North Korea is behind the Sony hack.

And then someone crashed North Korea’s Internet which, given how tiny it is, is the strategic equivalent of launching spitballs at a small group of North Korea’s elite. A truly awesome use of American power!

As I noted on Salon, even as the FBI was leaking its certitude to the big press that North Korea was behind the hack, Kim Zetter was pointing out all the reasons that made no sense.

Now, with a week of holiday cheers under their belts, more of the press is beginning to note all the experts questioning the FBI’s claim. Shane Harris describes the FBI “doubling down” on its original theory.

In spite of mounting evidence that the North Korean regime may not have been wholly responsible for a brazen cyberassault against Sony—and possibly wasn’t involved at all—the FBI is doubling down on its theory that the Hermit Kingdom solely bears the blame.

“We think it’s them,” referring to the North Koreans, an FBI spokesperson told The Daily Beast when asked to respond to reports from private investigators that other culprits were responsible. The latest evidence, from the cyberanalysis firm the Norse Corp., suggests that a group of six individuals, including at least one disgruntled ex-Sony employee, is behind the assault, which has humiliated Sony executives, led to threats of terrorist attacks over the release of a satirical film, and prompted an official response from the White House.

The FBI said in a separate statement to journalists on Monday that “there is no credible information to indicate that any other individual is responsible for this cyberincident.” When asked whether that left open the possibility that other individuals may have assisted North Korea or were involved in the assault on Sony, but not ultimately responsible for the damage that was done, the FBI spokesperson replied, “We’re not making the distinction that you’re making about the responsible party and others being involved.”

Time catalogs the alternatives to FBI’s theories.

And Politico notes that when one cybersecurity company, Norse, shared its analysis, the FBI refused to share its own data, as the company had expected.

The FBI says it is standing by its conclusions, but the security community says the agency has been open and receptive to help from the private sector throughout the Sony investigation.

Norse, one of the world’s leading cyber intelligence firms, has been researching the hack since it was made public just before Thanksgiving.

Norse’s senior vice president of market development said the quickness of the FBI’s conclusion that North Korea was responsible was a red flag.

“When the FBI made the announcement so soon after the initial hack was unveiled, everyone in the [cyber] intelligence community kind of raised their eyebrows at it, because it’s really hard to pin this on anyone within days of the attack,” Kurt Stammberger said in an interview as his company briefed FBI investigators Monday afternoon.

He said the briefing was set up after his company approached the agency with its findings.

Stammberger said after the meeting the FBI was “very open and grateful for our data and assistance” but didn’t share any of its data with Norse, although that was what the company expected.

It’s a bad thing, given how much evidence is out there about this hack, that the FBI won’t let more of its thinking be tested publicly.

Meanwhile, in a remarkable joining of opinion, both Jack Goldsmith and Moon of Alabama note that Obama may have wasted US credibility by so quickly accusing North Korea.

And NYT’s Ombud, Margaret Sullivan, admits that NYT too quickly repeated — and granted anonymity to — FBI’s flimsy claims.

[A]s a reader, Brad Johnson, noted in an email. He wrote: “Did NYT learn its lesson from the Iraq WMD debacle, or is the paper back to bad habits of writing stories from whole cloth based on anonymous White House and intelligence agency officials?”

Now that the matter of who was behind the hack is coming under more scrutiny, including in The Times (though with less prominence), those kinds of questions are even more germane.

One thing is certain: Anonymity continues to be granted to sources far more often than a last-resort basis would suggest.

Though Sullivan’s caution didn’t lead the Editorial Board to show any.

I’m glad people are now showing skepticism, even if it is too late to preserve American credibility (as if we had that anyway after StuxNet).

There’s one more factor that deserves notice here: the role of cybersecurity firms in laundering government propaganda.

One of the most pregnant observations in Zetter’s Countdown to Zero Day comes after Symantec published the first details implicating the US and Israel in the StuxNet attack. The Symantec team expected a bunch of others to jump in and start validating their work. Instead, they were met with almost complete silence. While Zetter didn’t say it explicitly, the implication was that the security industry is driven by its interest in retaining the good will of the US Government. Here, the first security firm to back the North Korea claim was Mandiant, the firm that served as a surrogate for claims against China.

And while in this case there is no lack of experts willing to push back against US claims, I just wonder whether at least some of the initial credulity on the North Korea claims arose because of the dominance of USG contractors among the earliest reports on the hack. While there are some equivalents in the WMD vein, the cyberindustry in particular seems prone to serving as a cut-out for both poorly analyzed intelligence and even propaganda.

Ah well. It’s not like anyone is demanding FBI resume its hunt for the terrorist who might have killed two sitting US Senators. Why do I think this will be any different?

We’re Going to Start a War to Protect a Negligent Corporation’s Property?

Over at Salon, I’ve got a piece pushing back against claims that threats made by hackers attributed — with little concrete evidence — to North Korea are an attack on our First Amendment rights. They’re not. They’re an attack on Sony’s property (or, to put it another way, Sony’s right to make a profit off its speech). And as Rayne has pointed out, Sony was unbelievably negligent in protecting its own property.

The decision to pull the film has been criticized as an attack on free speech, most notably by Aaron Sorkin, but also by other commentators. “Today the U.S. succumbed to an unprecedented attack on our most cherished, bedrock principle of free speech,” Sorkin said. And free speech is one of the things — the last thing — Sony addressed in its statement on the decision. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.”

But the threat against the film, which the Department of Homeland Security says is not credible, was only directed at one means of distributing the film: via theater release. A number of people suggested Sony should respond to the threat via other means. Mitt Romney suggested Sony release the film online, for free. Democratic congressman Steve Israel suggested Sony release it directly to DVD. BoingBoing’s Xeni Jardin suggested a global torrent party.

The point is, there are many ways to release the film, most of which would not expose theatergoers and theaters — in the wake of an altered liability landscape after the 2012 mass killing in an Aurora, Colorado, movie theater — to any danger, no matter how remote. Most of those ways would result in far more people watching the film. Some of them might even result in a few North Koreans viewing it.

If the issue is airing the views in the film — and defying the threats of the hackers — such a release would accomplish the goal.

But there’s another issue that seems far more central to this hack than speech: property.

Even before Sony mentioned its filmmakers’ free speech rights, for example, it mentioned the assault on its property rights. “Those who attacked us stole our intellectual property, private emails, and sensitive and proprietary material.” And while free release of its movie would assert its right to free speech, it would result in further financial losses, on top of the other movies (such as “Annie” and “Fury”) released on piracy sites after the hack.

[snip]

The attack on Sony’s property, even more than speech, raises real questions about another detail that has gotten far too little attention during coverage of this hack. Sony Corp. gets hacked a lot, more than 50 breaches in 15 years, and more than some of its rivals, including some fairly significant attacks in recent years that bear no resemblance to this attack. Maybe that’s because it did things like store all its passwords in a file called “password.”

The Administration is already twisting itself in knots trying to retroactively include “multinational movie studio” in its prior definition of critical infrastructure (which normally would include things like the electric grid and utilities) so it can make this a state issue. Assuming, all the while, that its certainty that North Korea was behind the hack is more certain than its certainty that Iraq was behind 9/11.

We’d do well to think a bit about how central negligently-protected movie company property really is to national interests before this thing spirals out of control.

Sony, Hacked: It’s Not One Massive Breach – It’s More Than 50 Breaches in 15 Years

Ever try to follow an evolving story in which the cascade of trouble grew so big and moved so fast it was like trying to stay ahead of a pyroclastic flow?

That’s what it’s like keeping up with emerging reports about the massive cyber attack on Sony. (Granted, it’s nothing like the torture report, but Hollywood has a way of making the story spin harder when it’s about them.)

The second most ridiculous part of the Sony hack story is the way in which the entertainment industry has studiously avoided criticizing those most responsible for data security.

In late November, when the hacker(s) self-identified as “Guardians of Peace” made threats across Sony Pictures’ computer network before releasing digital film content, members of the entertainment industry were quick to revile pirates they believed were intent on stealing and distributing digital film content.

When reports emerged implicating North Korea as the alleged source of the hack, the industry backpedaled away from their outrage over piracy, mumbling instead about hackers.

The industry’s insiders shifted gears once again when it was revealed that Sony’s passwords were in a password-protected file, and the password to this file was ‘password.’

At this juncture you’d think Sony’s employees and contractors – whose Social Security numbers, addresses, emails, and other sensitive information had been exposed – would demand a corporate-wide purge of IT department and Sony executives.

You’d think that anyone affiliated with Sony, whose past and future business dealings might also be exposed would similarly demand expulsion of the incompetents who couldn’t find OPSEC if it was tattooed on their asses. Or perhaps investors and analysts would descend upon the corporation with pitchforks and torches, demanding heads on pikes because of teh stoopid.

Nope.

Instead the industry has been tsk-tsking about the massive breach, all the while rummaging through the equivalent of Sony Pictures’ wide-open lingerie drawer, looking for industry intelligence. Reporting by entertainment industry news outlets has focused almost solely on the content of emails between executives.

But the first most ridiculous part of this massive assault on Sony is that Sony has been hacked more than 50 times in the last 15 years.

Yes. That’s More Than Fifty.

Inside Fifteen Years.

Reagan? No, Regin — Yet Another [GCHQ] Intelligence Malware

Recently, computer security firm Symantec reported discovery of another intelligence-gathering malware, dubbing it “Regin.”

What’s particularly interesting about this malware is its targets:

  • It infected computers in Afghanistan, Austria, Belgium, India, Iran, Ireland, Mexico, Pakistan, Russia, and Saudi Arabia;
  • At 48% of total infections, the largest group of targets were private individuals and small businesses.

Please do read Symantec’s blog post and its technical paper on Regin to understand how it works as well as its targets. Many news outlets either do not understand malware and cybersecurity, or they get facts wrong whenever major malware attacks are reported. Symantec’s revelation about Regin is no different in this respect.

Independent.ie offers a particularly exceptional example distorting Symantec’s report, claiming “Ireland is one of the countries worst hit globally by a dangerous new computer virus that spies on governments and companies, according to a leading technology firm.”

If by “worst hit,” they mean among the top four countries targeted by this malware? Sure. But only 9% of the infections affected Irish-based computers, versus 28% of infections aimed at Russian machines, and 24% affecting Saudi machines. The Independent.ie’s piece reads like clickbait hyperbole, or fearmongering, take your pick.

What wasn’t addressed by the Independent.ie and numerous other outlets, including those covering the tech sector, are some fundamental questions:

  • What assets or activities might the targeted countries have in common that would make them targets of a single intelligence operation organized by one or more nation-states?
  • Why are so many private individuals and small businesses targeted by this malware, in contrast to other malware-based intelligence-collection operations seen to date?

The Guardian came closest to examining these issues, having interviewed researchers at computer security firm F-Secure to ask the origins of the malware. As of 24-NOV-2014, the firm’s Mikko Hypponen speculated that the US, UK, and/or Israel were behind Regin’s development and deployment.

As of the video embedded above, Hypponen firmly says the UK’s intelligence entity GCHQ is behind Regin, in particular the malware’s invasion of a Belgian telecom network (see video at 07:20).

US Persons on Military Intelligence Sharing Databases

Steven Aftergood catches Charles McCullough, the Intelligence Community Inspector General who has resisted exercising oversight over spying, doing his job.

“A civilian employee with the Army Intelligence and Security Command made an IC IG Hotline complaint alleging an interagency data repository, believed to be comprised of numerous intelligence and non-intelligence sources, improperly included U.S. person data,” the IC IG wrote. “The complainant also reported he conducted potentially improper searches of the data repository to verify the presence of U.S. persons data. We are researching this claim.”

Given prior reports about ICREACH — which purportedly focuses on foreign-collected data but therefore would include US person data collected overseas — this is not that surprising. (I don’t think this should be ICREACH, however, because that’s not explained as a repository.)

But I find it particularly interesting that this complaint comes from someone at INSCOM, the Army intelligence outfit where Keith Alexander tried to ingest US person data in 2001, only to have Mikey Hayden refuse (!).

The heartburn first flared up not long after the 2001 terrorist attacks. Alexander was the general in charge of the Army’s Intelligence and Security Command (INSCOM) at Fort Belvoir, Virginia. He began insisting that the NSA give him raw, unanalyzed data about suspected terrorists from the agency’s massive digital cache, according to three former intelligence officials. Alexander had been building advanced data-mining software and analytic tools, and now he wanted to run them against the NSA’s intelligence caches to try to find terrorists who were in the United States or planning attacks on the homeland.

By law, the NSA had to scrub intercepted communications of most references to U.S. citizens before those communications can be shared with other agencies. But Alexander wanted the NSA “to bend the pipe towards him,” says one of the former officials, so that he could siphon off metadata, the digital records of phone calls and email traffic that can be used to map out a terrorist organization based on its members’ communications patterns.

“Keith wanted his hands on the raw data. And he bridled at the fact that NSA didn’t want to release the information until it was properly reviewed and in a report,” says a former national security official. “He felt that from a tactical point of view, that was often too late to be useful.”

Hayden thought Alexander was out of bounds. INSCOM was supposed to provide battlefield intelligence for troops and special operations forces overseas, not use raw intelligence to find terrorists within U.S. borders. But Alexander had a more expansive view of what military intelligence agencies could do under the law.

“He said at one point that a lot of things aren’t clearly legal, but that doesn’t make them illegal,” says a former military intelligence officer who served under Alexander at INSCOM.

In November 2001, the general in charge of all Army intelligence had informed his personnel, including Alexander, that the military had broad authority to collect and share information about Americans, so long as they were “reasonably believed to be engaged” in terrorist activities, the general wrote in a widely distributed memo.

Indeed, given the timing (IC IG’s report describes this as happening in the fourth quarter of calendar year 2013, so in the months after this Shane Harris report), it’s possible this report is what led the tipster to check whether US person data was available in repositories available to INSCOM.

While INSCOM focuses on battlefield intelligence, it also does cybersecurity and force protection, the kind of thing that has, in the past, targeted Americans (even Americans peddling porn!). So while this might just reflect oversharing, it also might reflect a return to the mentality of Keith Alexander.

Obama Should Only Nominate Jeh Johnson If He Plans on Breaking Up DHS

There are multiple reports that President Obama is considering nominating Jeh Johnson to head DOD.

I get the attraction. Obama and Johnson get along well. Johnson only recently left DOD, so he knows it — and the legal loopholes it exploits — well. And in Johnson, Obama would have someone who would gloss his warmaking as something noble.

I even think Obama might welcome the way such a nomination would heighten the confrontation with the GOP on immigration.

Still, Johnson has served as head of DHS for less than a year. His tenure is only now marking a transition out of a period during which DHS had such a wildly spinning revolving door, to one in which it could begin to serve its alleged mission.

An exodus of top-level officials from the Department of Homeland Security is undercutting the agency’s ability to stay ahead of a range of emerging threats, including potential terrorist strikes and cyberattacks, according to interviews with current and former officials.

Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database.

The departures are a result of what employees widely describe as a dysfunctional work environment, abysmal morale, and the lure of private security companies paying top dollar that have proliferated in Washington since the Sept. 11, 2001, attacks.

And all that’s on top of DHS’s almost impossible mandate, which is either too big or too poorly defined.

Look, I’m sure Johnson’s a nice guy and maybe a great manager (he hasn’t been in place long enough for us to know).

But if DHS is a necessary agency, if its domestic spying and immigration and cybersecurity and disaster recovery missions are vital to this nation, if it is going to survive as a many-headed monster, then it should have the person Obama thinks is his best Agency head leading it. If that person is Johnson — as Obama’s consideration of him to lead DOD suggests — then moving him would seem to be a concession that DHS, and its obvious failures, really isn’t all that important after all.

If Obama moves Johnson from DHS to DOD, he should, at the same time, break DHS back up into more manageable agencies, declare the whole experiment an expensive failure, and eliminate the word “Homeland” from our vocabularies. Because it is not working, and if there’s no urgency to make it work, then we should break it up into parts that can function competently again.


A Radical Proposal of Following the Law

Mieke Eoyang, the Director of Third Way’s National Security Program, has what Ben Wittes bills as a “disruptive” idea: to make US law the exclusive means to conduct all surveillance involving US companies.

But reforming these programs doesn’t address another range of problems—those that relate to allegations of overseas collection from US companies without their cooperation.

Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”

As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform.  Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.

[snip]

How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.

As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas.

Now, I have nothing against this proposal. It seems necessary but wholly inadequate to restoring trust between the government and (some) Internet companies. Indeed, it represents what should have been the practice in any case.

Let me first take a detour and mention a few difficulties with this. First, while I suspect this might be workable for content collection, remember that the government was not just collecting content from Google and Yahoo overseas — they were also using their software to hack people. NSA is going to still want the authority to hack people using weaknesses in such software, such as it exists (and other software companies probably still are amenable to sharing those weaknesses).  That points to the necessity to start talking about a legal regime for hacking as much as anything else — one that parallels what is going on with the FBI domestically.

Also, this idea would not cover the metadata collection from telecoms which are domestically covered by Section 215, which will surely increasingly involve cloud data that more closely parallels the data provided by FAA providers but that would be treated as EO 12333 overseas (because thus far metadata is still treated under the Third Party doctrine here). This extends to the Google and Yahoo metadata taken off switches overseas. So, such a solution would be either limited or (if and when courts domestically embrace a mosaic theory approach to data, including for national security applications) temporary, because some of the most revealing data is being handed over willingly by telecoms overseas.


DOJ’s Claims about the Adequacy of Shitty WiFi Rendered Inoperative

Over at Vice, I have a piece reviewing DOJ’s explanation for why they turned off some alleged Asian mobsters’ DSL so they could then go in as fake DSL repairmen and collect evidence.

The whole thing has a Keystone cops character, especially since the DSL contractor they had roped into working with them screwed up turning off the DSLs, which is why they now claim he was on a “private frolic” when he collected information on his own (that is a technical legal term meaning “freelancing,” but one doing far more than the evidence allows, in my opinion).

My favorite part, though, is how DOJ claims that turning off someone’s DSL would not create any kind of urgency which would eliminate the notion of consent, because after all they could have used the shitty hotel WiFi.

Perhaps the most disturbing claim, though, is that we all have to be satisfied with crummy hotel Wi-Fi. To dismiss the argument that by turning off the villas’ DSL, FBI had created an urgent need that obviated any kind of consent when the villa residents let in the FBI agents pretending to be DSL repairmen, the government claims that there is no legitimate need to seek better internet access than hotel Wi-Fi or personal cell phone tethers: “Defendants do not identify a single legitimate service or application that could not be adequately supported through the hotel’s WI-FI system, their personal hotspots, or personal cellphones, nor could they.”

The FBI is now claiming, the experience of travelers the world over notwithstanding, that nothing legal could require better Internet access than a hotel’s slow Wi-Fi connection. (Perhaps the Wi-Fi in high-roller villas is better than it is for average travelers, but DOJ’s brief doesn’t make that case by describing the internet speeds Caesars Palace makes available to privileged guests.) Moreover, the government admits that—as many travelers reliant on hotel Wi-Fi can attest—the Wi-Fi just wasn’t all that fast. “The DSL service was faster,” the brief reads.

I mean, I’m not a Malaysian gangster or anything, but I often find myself trying to do things in hotel rooms where neither the WiFi nor my cell phone’s tether provides remotely adequate speed. You know — simple things like posting on a blog. Apparently that’s illegitimate now.

And yes, I have called hotel technicians to help me get the hotel WiFi working and let them right into my room.

Even as I was working on that piece, Kaspersky Lab came out with a warning that hackers (possibly working out of South Korea) have been targeting businessmen through hotel WiFis for 7 years.

Business executives visiting luxury hotels in Asia have been infected with malware delivered over public Wi-Fi networks, Russian security firm Kaspersky Lab has discovered.

The so-called ‘Darkhotel’ hackers managed to tweak their code to ensure that only machines belonging to specific targets were infected, not all visitors’ PCs, and may have included state-sponsored hacking.

They also seemed to have advance knowledge of their victims’ whereabouts and which hotels they would be visiting, Kaspersky said.

CEOs, senior vice presidents, sales and marketing directors and top research and development staff were amongst those on the attackers’ hit list, though no specific names have been revealed.

As soon as they logged onto the hotel Wi-Fi, targets would be greeted with a pop-up asking them to download updates to popular software, such as GoogleToolbar, Adobe Flash and Windows Messenger. But giving permission to the download would only lead to infection and subsequent theft of data from their devices.

You think alleged Asian organized crime members might know that hotel wifi is totally insecure (even setting aside China’s habit of stealing it this way)? You think they may have heard of their peers getting hacked in luxury hotels?

Maybe that’s why they ordered up so many DSL lines.

In any case, DOJ’s argument that there’s no legitimate need for wired Internet access just went out the window.
