Cybersecurity Archives - Page 51 of 88

Tuesday Morning: The Week’s Peak Crey

January 12, 2016/28 Comments/in automobiles, Culture, Cybersecurity /by Rayne

I cannot with the unexpected engagement picture in my Twitter timeline of news oligarch Rupert Murdoch and model Jerry Hall, on the heels of losing David Bowie and in the wake of El Chapo-Penn. Tell me this is the craziest it will get this week.

D-Day for Microsoft’s earlier Internet Explorer versions
In case you didn’t already know this, Microsoft is slowly killing off its Internet Explorer browser brand, beginning with the end of technical support for all but IE 11.

Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical supports and security updates. Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10.

Some organizations are still relying on older IE versions — a dicey proposition if other non-Microsoft browsers aren’t compatible with their systems. Get a move on, people.

OMG! Terrorists may use drones!
Hoocoudanode cheap and readily available drones might be repurposed by terrorists for flying IEDs. The breathlessness. Really. But wait, they can be stopped!

“The best defence against the hostile use of drones is to employ a hierarchy of countermeasures encompassing regulatory countermeasures, passive countermeasures and active countermeasures.”

I don’t know about you, but I picture the sky soon dark with counterterror drones, swarming like the air over a northern Michigan road in mayfly season.

Processor troubles
Intel’s Skylake processors run into problems with complex computing, freezing PCs. A BIOS update is being distributed as a fix. But this isn’t the only bug out there. Read this, especially this bit: “…CPUs are now complex enough that they’ve become too complicated to test effectively.”

Hmm. In other words, future shock has moved beyond consumers.

NPR interviewed VW CEO Matthias Mueller
I’m sure Porsche has been wondering what the hell they were thinking, tieing up with Volkswagen. Porsche’s top guy is now tasked with clean up after VW, and he’s struggling. Witness NPR handing Mueller a shovel, and watching as he just keeps digging.

NPR: You said this was a technical problem, but the American people feel this is not a technical problem, this is an ethical problem that’s deep inside the company. How do you change that perception in the U.S.?

Matthias Mueller: Frankly spoken, it was a technical problem. We made a default, we had a … not the right interpretation of the American law. And we had some targets for our technical engineers, and they solved this problem and reached targets with some software solutions which haven’t been compatible to the American law. That is the thing. And the other question you mentioned — it was an ethical problem? I cannot understand why you say that.

NPR: Because Volkswagen, in the U.S., intentionally lied to EPA regulators when they asked them about the problem before it came to light.

Mueller: We didn’t lie. We didn’t understand the question first. And then we worked since 2014 to solve the problem. And we did it together and it was a default of VW that it needed such a long time.

Somebody needs to explain the Law of Holes to Mueller.

Also worth revisiting the definition of crazy today. Carry on.

Ukraine’s Power System Hacking: Coordinated in More than One Way?

January 11, 2016/12 Comments/in Cybersecurity, Foreign Policy /by Rayne

[original graphic: outsidethebeltway.com]

Analysis by industrial control team SANS determined hacking of Ukrainian electrical power utilities reported on 23-DEC-2015 was a coordinated attack. It required multiple phases to achieve a sustained loss of electricity to roughly 80,000 customers. SANS reported they “are confident” the following events occurred:

The adversary initiated an intrusion into production SCADA systems

Infected workstations and servers

Acted to “blind” the dispatchers

Acted to damage the SCADA system hosts (servers and workstations)

Action would have delayed restoration and introduce risk, especially if the SCADA system was essential to coordinate actions

Action can also make forensics more difficult

Flooded the call centers to deny customers calling to report power out

An investigation is still underway, and the following are still subject to confirmation:

The adversaries infected workstations and moved through the environment

Acted to open breakers and cause the outage (assessed through technical analysis of the Ukrainian SCADA system in comparison to the impact)

Initiated a possible DDoS on the company websites

The part that piques my attention is the defeat of SCADA systems by way of a multiphased attack — not unlike Stuxnet. Hmm…

Another interesting feature of this cyber attack is its location. It’s not near sites of militarized hostilities along the border with Russia. where many are of Russian ethnicity, but in the western portion of Ukraine.

More specifically, the affected power company served the Ivano-Frankivsk region, through which a large amount of natural gas is piped toward the EU. Note the map included above, showing the location and direction of pipelines as well as their output volume. Were the pipelines one of the targets of the cyber attack, along with the electricity generation capacity in the region through which the pipes run? Was this hack planned and coordinated not only to take out power and slow response to the outage but to reduce the pipeline output through Ukraine to the EU?

Monday Morning: So — We Meet Again

January 11, 2016/55 Comments/in automobiles, Culture, Cybersecurity /by Rayne

[image (modified): Leo Suarez via Flickr]

Monday: the bad penny we never escape, turning up once again beneath our cart’s wheels just as we set in motion. Just give a hard shove, push on, and don’t look back.

Volkswagen’s bad news, good news as Detroit’s auto show opens
Bad news first: In news dump zone on Friday afternoon, we heard Volkswagen wasn’t going to release documents pertaining to the emissions control defeat scandal to several U.S. states’ attorneys. VW said it couldn’t due to privacy laws, which sounds dicey; why do corporations have privacy rights? You’d think only U.S. businesses would attempt such excuses.

The good news was held until VW’s CEO Matthias Mueller arrived in U.S. for the soft opening of the North American International Auto Show in Detroit. VW is working on a catalytic converter it believes will resolved the emissions problem for roughly 2/3 of the affected vehicles. I’m guessing this is fix is intended for the oldest vehicles, and that the newest ones are likely to be swapped with a new vehicle, or a sizeable discount on a replacement will be offered. Color me skeptical about the effectiveness of this fix; if this was such an obvious and easy solution, it would already appear on VW’s diesel-powered passenger vehicles. Fuel economy will likely diminish due to increased back pressure — but that’s why I think this fix is for the oldest cars. It would encourage VW loyalists to buy a new one.

Juniper Network shuts the (a?) backdoor
The network equipment company says it’s “dropping” NSA-developed code after the revelation of a backdoor into their network device software. Does anyone believe all covert access by NSA has now been eliminated, though, if Juniper’s source code isn’t open?

Apple’s devices monitoring your emotions soon?
Ridiculously cash-rich Apple snapped up artificial intelligence company Emotient, which makes an application to interpret users’ emotions based on their facial expressions — sentiment analysis, they call it. I call it creepy as hell, especially since smartphone users can’t be absolutely certain their cameras aren’t in use unless they physically cover the apertures.

And yes, I do cover apertures on my devices with low-tack adhesive tape. It’s the first thing I do after opening the box on any new camera-enabled device, even before charging the battery.

That’s enough to get your cart moving. I hope to have a post up later, on the recent power outage in Ukraine.

In Response to Continued Resonance of Awlaki Videos, US Relaunched Social Media Propaganda Campaign

January 8, 2016/10 Comments/in Cybersecurity, Terrorism /by emptywheel

As far as we know, the perpetrators of the November attack on Paris were radicalized by each other, in specific neighborhoods in Europe.

According to the complaint filed against his Enrique Marquez, the friend who got him guns, Syed Rizwan Farook, adopted radical beliefs after consuming the lectures, videos, and magazine of Anwar al-Awlaki. In fact, Farook and Marquez moved towards planning an attack in 2011, in the immediate wake of the drone killing of Awlaki and his son. As to Tashfeen Malik, Farook’s wife, while she did some searches on ISIS just before Farook started an attack on his workplace, public reporting suggests that like the French terrorists, she adopted extreme beliefs through relationships formed in brick and mortar life.

Nevertheless, in response to the anxiety produced by these attacks, the Obama Administration is rolling out yet another propaganda campaign against ISIS. As part of it, it shifts the approach to funding NGOs to do the propaganda work, something I argued any such efforts should be doing in a piece for Vice this week. Though as I noted, any such effort needs to stop countering ISIS propaganda and offering a positive vision that will be meaningful to those with grievances. That was one of the things included in a briefing to Silicon Valley today.

There is also a need for more credible positive messaging and content that provides alternatives to young people concerned about many of the grievances ISIL highlights

The other part of the campaign is a bit sillier. The Administration asked for tech companies to do things like measuring resonance of ISIL messages.

Some have suggested that a measurement of level of radicalization could provide insights to measure levels of radicalization to violence. While it is unclear whether radicalization is measureable or could be measured, such a measurement would be extremely useful to help shape and target counter-messaging and efforts focused on countering violent extremism. This type of approach requires consideration of First Amendment protections and privacy and civil liberties concerns, additional front-end research on specific drivers of radicalization and themes among violent extremist populations, careful design of intervention tools, dedicated technical expertise, and the ability to iteratively improve the tools based on experience in deploying them. Industry certainly has a lot of expertise in measuring resonance in order to see how effective and broad a messaging campaign reaches an audience. A partnership to determine if resonance can be measured for both ISIL and counter-ISIL content in order to guide and improve and more effectively counter the ISIL narrative could be beneficial.

This seems to be a problematic approach both because this should be the intelligence community’s job and because they’re supposed to be pretending this isn’t about focusing on Muslims. Plus, as I noted, the recent big attacks weren’t primarily about social media. More importantly, Jim Comey has testified that the social media companies already are helpful.

Comey, apparently, only went along to demand encryption — and it showed up in the briefing document shared at the meeting.

In addition to using technology to recruit and radicalize, terrorists are using technology to mobilize supporters to attack and to plan, move money for, coordinate, and execute attacks. The roles played by terrorist leaders and attack plotters in this activity vary, ranging from providing general direction to small groups to undertake attacks of their own design wherever they are located to offering repeated and specific guidance on how to execute attacks. To avoid law enforcement and the intelligence community detecting their activities, terrorists are using encrypted forms of communications at various stages of attack plotting and execution. We expect terrorists will continue to use technology to mobilize, facilitate, and operationalize attacks, including using encrypted communications where law enforcement cannot obtain the content of the communication even with court authorization. We would be happy to provide classified briefings in which we could share additional information.

While Apple was at this meeting, some of the other key players the government would have to address about encryption were not, making this appeal rather silly.

And note the seduction here: the government wants to tell the tech companies how extremists (they really mean only ISIS) are using encryption, but they’re only willing to do so in a classified setting. That would make it harder to counter the bogus claims the government has repeatedly been caught making.

Ultimately, the Administration seems to have no awareness of another of the key problems. They recognize that ISIS’ propaganda is splashy. But they accord no responsibility for mainstream media for magnifying it.

[T]here is a shortage of compelling credible alternative content; and this content is often not as effectively produced or distributed as pro-ISIL content and lacks the sensational quality that can capture the media’s attention.

If the government is going to ask the private sector to do their part, why aren’t they on a plane demanding that CNN stop fear-mongering all the time, both magnifying the effect of ISIS’ propaganda and increasing the polarization between Muslims and right wingers? If CNN can’t be asked to adjust its business model to stop empowering terrorists, why is Silicon Valley being asked to, when the latter are more central to baselines security?

Update: Here’s a list of participants.

Denis McDonough,White House Chief of Staff,

Lisa Monaco, Assistant to the President for Homeland Security & Counter Terrorism

Todd Park, White House Advisor for Technology

Megan Smith, White House Chief Technology Officer

Loretta Lynch, Attorney General

James Clapper, Director, National Intelligence

James Comey, Director, FBI

Tony Blinken, Deputy Secretary, Department of State

Mike Rogers, Director of the National Security Agency

Jeh Johnson, Secretary of Homeland Security

Friday Morning: Looks Like We Made It!

January 8, 2016/24 Comments/in Culture, Cybersecurity /by Rayne

[image: Viewminder via Flickr]

Looks like we survived the first business week of the year, made it through floods and fire and other apocalyptic events. Can’t imagine what next week will bring at this rate.

Saudi Arabia may sell shares in oil producer Aramco
Listing Aramco could create the most valuable company in the world, worth over a trillion in U.S. dollars. The move may raise cash to pay down some of the Saudi government’s debt, but it opens the oil producer to public scrutiny. Would it be worth the hassle?

With Russia increasingly eating into Aramco’s market share of China, and OECD countries’ oil consumption falling, selling shares in Aramco may not raise enough cash as its revenues may remain flat. Prices for utilities have already been raised within Saudi Arabia, shifting a portion of expenses to the public. What other cash-producing moves might Saudi Arabia make in the next year?

Detroit’s annual Autoshow brings VW’s CEO for more than a visit to tradeshow booth
Looks like Volkswagen’s Matthias Mueller will be tap dancing a lot next week — first at the 2016 North American International Auto Show, which unofficially opens Sunday, and then with the Environmental Protection Agency.

What’s the German word for “mea culpa”? Might be a nice name for a true “clean diesel” vehicle.

Data breaches now so common, court throws out suit
You’re going to have to show more than your privacy was lost if you sue a company for a data breach. Judge Joanna Seybert for U.S. District Court for the Eastern District of New York dismissed a class action suit against craft supplies retailer Michael’s last week, writing that lead plaintiff “has not asserted any injuries that are ‘certainly impending’ or based on a ‘substantial risk that the harm will occur.” Whalen’s credit card had been used fraudulently, but she wasn’t liable for the charges.

Annoyingly, Clapper v Amnesty International USA was used as precedent, much as it had been in last summer’s suit against Home Depot for a data breach. At this rate, retailers will continue to thumb their noses at protecting their customers’ data, though identity theft-related losses amount to more than all other property theft losses combined [pdf].

Don’t forget China: DOJ raids Chinese hoverboard company’s stall at CES 2016
I can’t find any previous examples of law enforcement conducting a raid at a trade show — if you know of one, please share in comments. The Department of Justice’s raid yesterday on Changzhou First International Trade Co.’s booth at CES 2016 doesn’t appear to have precedent. Changzhou’s hoverboard product looks an awful lot like Future Motion’s Onewheel, which had been the subject of a Kickstarter project. The Chinese hoverboard was expected to market for $500, versus the Onewheel at $1500.

Makes me wonder if there are other examples of internet-mediated crowd-funded technology at risk of intellectual property theft.

Pass the Patron. I’m declaring it tequila-thirty early today.

Wednesday Morning: Otherwise Known as Mike-Mike-Mike Day

January 6, 2016/17 Comments/in Culture, Cybersecurity, Foreign Policy, Health Policy /by Rayne

My condolences to the poor Mikes among us who have suffered every Hump Day since Geico’s TV commercial became so popular.

North Korean nuclear test detected by ‘earthquake’
About 10:00 a.m. North Korean local time Wednesday, an event measured at 5.1 on Richter scale occurred near the site of recent underground nuclear testing. South Korea described the “earthquake” as “man-made” shortly after. Interestingly, China called it a “suspected explosion” — blunt language for China so early after the event.

NK’s Kim Jong Un later confirmed a “miniaturized hydrogen nuclear device” had been successfully tested. Governments and NGOs are now studying the event to validate this announcement. The explosion’s size calls the type of bomb into question — was this a hydrogen or an atomic weapon?

I’m amused at the way the news dispersed. While validating the story, I searched for “North Korea earthquake”; the earliest site in the search was BNO News (a.k.a. @BreakingNews) approximately 45 minutes after the event, followed 17 minutes later by Thompson Reuters Foundation. Not Reuters News, but the Foundation, and only the briefest regurgitation of an early South Korean statement. Interesting.

Spies’ ugly deaths
Examining the deaths of spies from 250 AD to present, Lapham’s Quarterly shows us how very cruel humans remain toward each other over the last millennia. Clearly, vicious deaths have not foiled the use of spies.

Zika virus outbreak moves Brazil to caution women against pregnancy now
An outbreak of the mosquito-borne Zika virus in Brazil may be linked to a sizeable uptick in microcephalic births — 2782 this past year, compared to 150 the previous year. The Brazilian government is now cautioning women to defer pregnancy until the end of the rainy season when the virus’ spread has been slowed.

Compared to number of Ebola virus cases in 2014-2015, Zika poses a much greater risk in terms of spread and future affected population. The virus has not received much attention, in spite of more than a million cases in Brazil, as symptoms among children and adults are relatively mild.

BCP now available in Oregon over the counter
Thanks to recent state legislation, women in Oregon now have greater access to birth control pills over the counter. California will soon implement the same legislation.

That’s one way of reducing the future number of white male libertarian terrorists demanding unfettered use of public space and offerings of snacks.

Microsoft’s tracking users’ minutes in Windows 10
No longer content with tracking the number of devices using Windows operating system, Microsoft now measures how long each user spends in Windows 10. Why such granular measures? The company won’t say.

Worth remembering two things: 1) Users don’t *own* operating system software — they’re licensees; 2) Software and system holes open to licensors may be holes open to others.

New cross-platform ransomware relies on JavaScript*
Won’t matter whether users run Windows, Linux, Apple’s Mac OS: if a device runs JavaScript, it’s at risk for a new ransomware infection. Do read the article; this malware is particularly insidious because it hides in legitimate code, making it difficult to detect for elimination. And do make sure you keep backup copies of critical files off your devices in case you’re hit by this ransomware.

Buckle up tight in your bobsled. It’s all downhill after lunch, kids.

[* this word edited to JavaScript from Java./Rayne]

Tuesday Morning: Wow, You Survived Business Day 1

January 5, 2016/11 Comments/in automobiles, Culture, Cybersecurity, Environment /by Rayne

[image by Valentina via Flickr]

The post-holiday season debris field continues to thin out, making its way by the truckful to the landfill. I wonder how much oil the season’s plastic wrappings consumed.

Here’s what the trash man left behind this morning.

Hackers caused power outage — the first of its kind?
Marcy’s already posted about the electrical power disruption in Ukraine this past week, labeled by some as the first known hacker-caused outage. I find the location of this malware-based outage disturbing due to its location in western Ukraine. Given the level of tensions with Russia along the eastern portion of the country, particularly near Donetsk over the past couple of years, an outage in the west seems counterintuitive if the hackers were motivated by Ukraine-Russian conflict.

And hey, look, the hackers may have used backdoors! Hoocudanode hackers would use backdoors?!

Fortunately, one government is clued in: the Dutch grok the risks inherent in government-mandated backdoors and are willing to support better encryption.

‘Netflix and chill’ in a new Volvo
I’ve never been offered a compelling case for self-driving cars. Every excuse offered — like greater fuel efficiency and reduced traffic jams — only make greater arguments for more and better public transportation.

The latest excuse: watching streaming video while not-driving is Volvo’s rationalization for developing automotive artificial intelligence.

I’m not alone in my skepticism. I suspect Isaac Asimov is rolling in his grave.

US Govt sues pollution-cheater VW — while GOP Congress seeks bailout for VW
WHAT?! Is this nuts or what? A foreign car company deliberately broke U.S. laws, damaging the environment while lying to consumers and eating into U.S.-made automotive market share. The Environmental Protection Agency filed suit against Volkswagen for its use of illegal emissions control defeat systems. The violation of consumers’ trust has yet to be addressed.

Thank goodness for the GOP-led House, which stands ready to offer a freaking bailout to a lying, cheating foreign carmaker which screwed the American public. Yeah, that’ll fix everything.

Remember conservatives whining about bailing out General Motors during 2008’s financial crisis? All of them really need a job working for VW.

Massive data breach affecting 191 million voters — and nobody wants to own up to the database problem
An infosec researcher disclosed last week a database containing records on 191 million voters was exposed. You probably heard about this already and shrugged, because data breaches happen almost daily now. No big deal, right?

Except that 191 million voters is more than the number of people who cast a vote in 2012 or even 2008 presidential elections. This database must represent more than a couple election cycles of voter data because of its size — and nobody’s responding appropriately to the magnitude of the problem.

Nobody’s owning up to the database or the problem, either.

Here’s a novel idea: perhaps Congress, instead of bailing out lying, cheating foreign automakers, ought to spend their time investigating violations of voters’ data — those folks that put them in office?

Any member of Congress not concerned about this breach should also avoid bitching about voter fraud, because hypocrisy. Ditto the DNC and the Hillary Clinton campaign.

Whew, there it is, another mark on the 2016 resolution checklist. Have you checked anything off your list yet? Fess up.

Power Imbalances in Ukraine

January 5, 2016/9 Comments/in Cybersecurity, Energy Policy /by emptywheel

The western press is ginning up alarm because hackers caused a power outage in Ukraine.

Western Ukraine power company Prykarpattyaoblenergo reported an outage on Dec. 23, saying the area affected included regional capital Ivano-Frankivsk. Ukraine’s SBU state security service responded by blaming Russia and the energy ministry in Kiev set up a commission to investigate the matter.

While Prykarpattyaoblenergo was the only Ukraine electric firm that reported an outage, similar malware was found in the networks of at least two other utilities, said Robert Lipovsky, senior malware researcher at Bratislava-based security company ESET. He said they were ESET customers, but declined to name them or elaborate.

If you buy that this really is the first time hackers have brought down power (I don’t), it is somewhat alarming as a proof of concept. But in reality, that concept was proved by StuxNet and the attack on a German steel mill at the end of 2014.

I’m more interested in the discrepancy of coverage between this and the physical sabotage of power lines going into Crimea in November.

A state of emergency was declared after four pylons that transmit power to Crimea were blown up on Friday and Saturday night. Russia’s energy ministry scrambled to restore electricity to cities using generators, but the majority of people on the peninsula remained powerless on Saturday night.

Cable and mobile internet stopped working, though there was still mobile phone coverage, and water supplies to high-rise buildings halted.

[snip]

On Saturday, the pylons were the scene of violent clashes between activists from the Right Sector nationalist movement and paramilitary police, Ukrainian media reported. Ukrainian nationalists have long been agitating for an energy blockade of Crimea to exert pressure on the former Ukrainian territory.

There was even less attention to a smaller attack just before the New Year. (h/t joanneleon, who alerted me to it)

Officials said concrete pylons supporting power lines near the village of Bohdanivka, in southern Ukraine’s Kherson region, were damaged on Wednesday night.

“According to preliminary conclusions of experts… the pylon was damaged in an explosion,” a statement from police said on Thursday.

[snip]

Crimean Tatar activist Lenur Islyamov suggested that strong winds might have brought down the pylon and denied that Tatar activists had been behind the latest power cut.

While the physical attack did get coverage, there seemed to be little concern about the implications of an attack aiming to undercut Russian control of the peninsula. Whereas here, the attack is treated as illegitimate and a purported new line in the sand.

I get why this is the case (though the press ought to rethink their bias in reporting it this way). After all, when our allies engage in sabotage we don’t consider it as such.

But the US is just as vulnerable to physical sabotage as cyber sabotage, as an apparently still unsolved April 16, 2013 attack on a PG&E substation in Silicon Valley demonstrated, and as the case of Crimea shows, physical sabotage can be more debilitating. We should really be cautious about what we treat as normatively acceptable.

Monday Morning: First, Same as the Last

January 4, 2016/14 Comments/in Culture, Cybersecurity /by Rayne

[image via bazbizSF via Flickr]

Hear that sound? Like so many sighs of resignation? Yup, it’s the first Monday of the new year, and with it, a plethora of shiny resolutions slowly breached and broken like WiFi-enabled toys.

One of my 2016 resolutions (which I hope will last more than a week) is a morning update here at emptywheel. Won’t be hot-urgent-newsy, just stuff worth scanning while you have a cup of joe. Let’s see if I can stick it out five days — then I’ll try another benchmark.

Droning on
Did you get or give a drone as a gift this holiday season? Better make sure it’s registered with the Federal Aviation Administration.

Twitter to bring back Politwoops
Among the stupid moves Twitter made last year was the decision to shut out Sunlight Foundation’s Politwoops platform. The tool archived politicians’ embarrassing tweets even if the tweets had been deleted. With the general election season now in full swing, voters need more accountability of candidates and elected officials, not less. Sunlight Foundation and the Open State Foundation negotiated with Twitter to restore the tool. Let’s hope it’s up and running well before the first caucuses — and let’s hope Twitter gets a grip on its business model, pronto.

You’d think by now Twitter would have figured out politicians’ tweeted gaffes are gasoline to their social media platform growth…

Microsoft spreads FUD about…Microsoft?
If you’re an oldster IT person like me, you recall the Halloween memo scandal of 1998, documenting Microsoft’s practice of promulgating fear, uncertainty, and doubt (FUD) about competing operating systems in order to gain and control Windows market share. For more than a decade, Microsoft relied on FUD to ensure near-ubiquity of Windows and Word software products. Now Microsoft is using FUD not to prevent customers from using other products, but to encourage migration from Windows 7 to Windows 10, to reduce possible state-sponsored attacks on Win 7 systems.

Personally, I think Microsoft has already been ridiculously ham-handed in its push for Win 10 upgrades before this latest FUD. If you are a Win 7 or Win 8 user, you’ve already seen attempts to migrate users embedded in recent security patches (read: crapware). I’ve had enough FUD for a lifetime — I’m already running open source operating systems Linux and Android on most of my devices. I would kill for an Android desktop or laptop (yoohoo, hint-hint, Android developers…).

And don’t even start with the “Buy Apple” routine. Given the large number of vulnerabilities, it’s only a matter of time before Mac OS and iOS attract the same level of attention from hackers as Windows. I’ll hold my AAPL stock as long as you insist on “Buy Apple,” however.

Consumer Electronics Show 2016 — now with biometric brassieres
CES 2016 opens this week in Las Vegas, and all I can think is: Are you fucking kidding me with this fresh Internet of Things stupidity? A biometric bra? What idiot dreamed this up?

Why not biometric jockstraps? I can only imagine the first response to biometric jockstraps: “No EMF radiation near my ‘nads!” Yeah, well the same thing applies to breasts. Didn’t anybody get the memo last year that 217 scientists have expressed concerns about EMF’s potential impact on human health, based on +2,000 peer-reviewed articles?

Or are businesses ignoring this science the same way petrochemical businesses have ignored climate change science?

Phew. There it is, the first checkmark of my 2016 resolutions. Happy first Monday to you. Did you make any New Year’s resolutions? Do tell.

Why Is Congress Undercutting PCLOB?

January 2, 2016/28 Comments/in Cybersecurity /by emptywheel

As I noted last month, the Omnibus budget bill undercut the Privacy and Civil Liberties Oversight Board in two ways.

First, it affirmatively limited PCLOB’s ability to review covert actions. That effort dates to June, when Republicans responded to PCLOB Chair David Medine’s public op-ed about drone oversight by ensuring PCLOB couldn’t review the drone or any other covert program.

More immediately troublesome, last minute changes to OmniCISA eliminated a PCLOB review of the implementation of that new domestic cyber surveillance program, even though some form of that review had been included in all three bills that passed Congress. That measure may have always been planned, but given that it wasn’t in any underlying version of the bill, more likely dates to something that happened after CISA passed the Senate in October.

PCLOB just released its semi-annual report to Congress, which I wanted to consider in light of Congress’ efforts to rein in what already was a pretty tightly constrained mandate.

The report reveals several interesting details.

First, while the plan laid out in April had been to review one CIA and one NSA EO 12333 program, what happened instead is that PCLOB completed a review on two CIA EO 12333 programs, and in October turned towards one NSA EO 12333 program (the reporting period for this report extended from April 1 to September 30).

In July, the Board voted to approve two in-depth examinations of CIA activities conducted under E.O. 12333. Board staff has subsequently attended briefings and demonstrations, as well as obtained relevant documents, related to the examinations.

The Board also received a series of briefings from the NSA on its E.O. 12333 activities. Board staff held follow-up sessions with NSA personnel on the topics covered and on the agency’s E.O. 12333 implementing procedures. Just after the conclusion of the Reporting Period, the Board voted to approve one in-depth examination of an NSA activity conducted under E.O. 12333. Board staff are currently engaging with NSA staff to gather additional information and documents in support of this examination.

That’s interesting for two reasons. First, it means there are two EO 12333 programs that have a significant impact on US persons, which is pretty alarming since CIA is not supposed to focus on Americans. It also means that the PCLOB could have conducted this study on covert operations between the time Congress first moved to prohibit it and the time that bill was signed into law. There’s no evidence that’s what happened, but the status report, while noting it had been prohibited from accessing information on covert actions, didn’t seem all that concerned about it.

Section 305 is a narrow exception to the Board’s statutory right of access to information limited to a specific category of matters, covert actions.

Certainly, it seems like PCLOB got cooperation from CIA, which would have been unlikely if CIA knew it could stall any review until the Intelligence Authorization passed.

But unless PCLOB was excessively critical of CIA’s EO 12333 programs, that’s probably not why Congress eliminated its oversight role in OmniCISA.

Mind you, it’s possible it was. Around the time the CIA review should have been wrapping up though also in response to the San Bernardino attack, PCLOB commissioner Rachel Brand (who was the lone opponent to review of EO 12333 programs in any case) wrote an op-ed suggesting public criticism and increased restrictions on intelligence agencies risked making the intelligence bureaucracy less effective (than it already is, I would add but she didn’t).

In response to the public outcry following the leaks, Congress enacted several provisions restricting intelligence programs. The president unilaterally imposed several more restrictions. Many of these may protect privacy. Some of them, if considered in isolation, might not seem a major imposition on intelligence gathering. But in fact none of them operate in isolation. Layering all of these restrictions on top of the myriad existing rules will at some point create an encrusted intelligence bureaucracy that is too slow, too cautious, and less effective. Some would say we have already reached that point. There is a fine line between enacting beneficial reforms and subjecting our intelligence agencies to death by a thousand cuts.

Still, that should have been separate from efforts focusing on cybersecurity.

There was, however, one thing PCLOB did this year that might more directly have led to Congress’ elimination of what would have been a legislatively mandated role in cybersecurity related privacy: its actions under EO 13636, which one of the EOs that set up a framework that OmniCISA partly fulfills. Under the EO, DHS and other departments working on information sharing to protect critical infrastructure were required to produce a yearly report on how such shared affected privacy and civil liberties.

The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

As PCLOB described in its report, “toward the end of the reporting period” (that is, around September), it was involved in interagency meetings discussing privacy.

The Board’s principal work on cybersecurity has centered on its role under E.O. 13636. The Order directs DHS to consult with the Board in developing a report assessing the privacy and civil liberties implications of cybersecurity information sharing and recommending ways to mitigate threats to privacy and civil liberties. At the beginning of the Reporting Period, DHS issued its second E.O. 13636 report. In response to the report, the Board wrote a letter to DHS commending DHS and the other reporting agencies for their early engagement, standardized report format, and improved reporting. Toward the end of the Reporting Period, the Board commenced its participation in its third annual consultation with DHS and other agencies reporting under the Order regarding privacy and civil liberties policies and practices through interagency meetings.

That would have come in the wake of the problems DHS identified, in a letter to Al Franken, with the current (and now codified into law) plan for information sharing under OmniCISA.

Since that time, Congress has moved first to let other agencies veto DHS’ privacy scrubs under OmniCISA and, in final execution, provided a way to create an entire bypass of DHS in the final bill before even allowing DHS as much time as it said it needed to set up the new sharing portal.

That is, it seems that the move to take PCLOB out of cybersecurity oversight accompanied increasingly urgent moves to take DHS out of privacy protection.

All this is just tea leaf reading, of course. But it sure seems that, in addition to the effort to ensure that PCLOB didn’t look too closely at CIA’s efforts to spy on — or drone kill — Americans, Congress has also decided to thwart PCLOB and DHS’ efforts to put some limits on how much cybersecurity efforts impinge on US person privacy.