Does a Fifth of Yahoo’s Value Derive from (Perceived) Security and Privacy?

The NYPost is reporting that Verizon is trying to get a billion dollar discount off its $4.8 billion purchase price for Yahoo.

“In the last day we’ve heard that [AOL head, who is in charge of these negotiations] Tim [Armstrong] is getting cold feet. He’s pretty upset about the lack of disclosure and he’s saying can we get out of this or can we reduce the price?” said a source familiar with Verizon’s thinking.

That might just be tough talk to get Yahoo to roll back the price. Verizon had been planning to couple Yahoo with its AOL unit to give it enough scale to be a third force to compete with Google and Facebook for digital ad dollars.

The discount is being pushed because it feels Yahoo’s value has been diminished, sources said.

AOL/Yahoo will reach about 1 billion consumers if the deal closes in the first quarter, with a stated goal to reach 2 billion by 2020. AOL boss Tim Armstrong flew to the West Coast in the past few days to meet with Yahoo executives to hammer out a case for a price reduction, a source said.

At one level, this is just business. Verizon has the opportunity to save some money, and it is exploring that opportunity.

But the underlying argument is an interesting one, as it floats a potential value — over a fifth of the original purchase price — tied to Yahoo’s ability to offer its users privacy.

As I understand it, the basis for any discount would be an interesting debate, too. The NYP story implies this is a reaction to both Yahoo’s admission that upwards of 500 million Yahoo users got hacked in 2014 and the more recent admission that last year Yahoo fulfilled a FISA order to scan all its incoming email addresses without legal challenge.

Yahoo has claimed that it only recently learned about the 2014 hack of its users — it told Verizon within days of discovering the hack. If that’s true, it’s not necessarily something Yahoo could have told Verizon before the purchase. (Indeed, Verizon should have considered Yahoo’s security posture when buying it.) But there are apparently real questions about how forthcoming Yahoo has been about the extent of the hack. The number of people affected might be in the billions.

Yahoo can’t claim to have been ignorant about its willingness to respond to exotic FISA requests without legal challenge, however.

Verizon bought Yahoo at a time when Yahoo’s aggressive challenge to PRISM back in 2007 was public knowledge. Given that Verizon had been — or at least had been making a show of — limiting what it would agree to do under USA Freedom Act (Verizon got too little credit, in my opinion, for being the prime necessary driver behind the reform), that earlier legal challenge would have aligned with what Verizon itself was doing: limiting its voluntary cooperation with US government spying requests. But now we learn Yahoo had repurposed its own spam and kiddie porn filter to help the government spy, without complaint, and without even telling its own security team.

I’ll let the mergers and acquisitions lawyers fight over whether Verizon has a claim about the purchase price here. Obviously, the $1 billion is just the opening offer.

But there is a real basis for the claim, at least in terms of value. Verizon bought Yahoo to be able to bump its user base up high enough to be able to compete with Google and Facebook. The perception, particularly in Europe, that Yahoo has neither adequately valued user security nor pushed back against exotic US government demands (especially in the wake of the Snowden revelations) will make it a lot harder to maintain, much less expand, the user base that is the entire purpose for the purchase.

So we’re about to learn how much of an international Internet Service Provider’s value is currently tied to its ability to offer security to its users.

BREAKING! There Were State-Sponsored Terrorists Operating in the US in 2015

If we’re to believe the NYT’s explanation for why Yahoo was asked to scan all its email in 2015, there are (or were) state-sponsored terrorists operating in the US. That’s the only logical explanation for why the FBI would use an individualized FISA court order to obligate Yahoo to adapt their kiddie porn filter to search for a signature used by what NYT describes as state sponsored terrorists.

Although the digital signature was individually approved by a judge, who was persuaded that there was probable cause to believe that it was uniquely used by a foreign power, the collection was unusual because it involved the systematic scanning of all Yahoo users’ emails. More typical surveillance court orders instead target specific user accounts.

[snip]

In fact, according to the government official and other people familiar with the matter, Yahoo was served with an individualized court order to look only for code uniquely used by the foreign terrorist organization, and it adapted the scanning systems that it already had in place to comply with that order rather than building a new capability.

Now, I don’t find this explanation all that plausible, because if there were real state-sponsored terrorists operating in the US, the US would be bombing the shit out of the country in question. Pakistan and Saudi Arabia sponsor terrorists, but they’re our friends and we try to overlook the way they foster terrorism. So I’m betting these aren’t real terrorists, but instead entities the government has told the FISA Court are terrorists to make it possible to approve things they otherwise would find questionable. Plus, it sounds so much cooler when you make such explanations than if you admit you were scanning all Yahoo users’ emails to search for hackers.

I’m going to wildarseguess that this really means the US had a line on Iranian Revolutionary Guard hacking techniques. I say that because the government has long argued that Iran (or at least, the Revolutionary Guard) is a terrorist organization so it can use fancy spy tools that have only been approved for terrorism uses. It’s a bullshit claim, but one the FISC has consistently approved going back years, probably to 2006 (and one OLC almost certainly approved under Stellar Wind). If this operation had happened two months later, after USA Freedom Act expanded the definition of foreign power to within two degrees of proliferators, they might have used that excuse, but back then, piggybacking a terrorist claim onto the use of the foreign government tie would provide the most impressive claim to need to scan domestically.

We even know the IRGC uses Yahoo, because that’s what NSA was collecting on in 2011 when someone spamouflaged key IRGC accounts at precisely the moment we were trying to entrap a top IRGC commander in the Scary Iran Plot.

And while the request to Yahoo came at a later time, we know that the US was aggressively going after Iranian hackers at least in late 2014 because they were targeting banks. DOJ would go on to indict a bunch of Iranians for, among other things, hacking a very small dam.

So rest assured, Yahoo users! FBI only made Yahoo scan your emails because it was hunting terrorists in your inbox.

But remember, that also means there are real state-sponsored terrorists — and not just ISIS wannabes — among us.

Update: Revolutionary for Republican fixed.

HAL (er, um, BAH) Bites NSA

Way back in August, the government arrested a guy named Harold Thomas Martin III, who goes by Hal. Someone leaked news of the arrest to a who’s who list of NYT reporters — including Adam Goldman, Jo Becker, Michael Schmidt, David Sanger, Scott Shane, Matt Apuzzo, and Mark Mazzetti — who wrote what was originally a four paragraph story noting Martin is a Booz contractor and he is suspected of “taking the highly classified ‘source code’ developed by the agency to break into computer systems of adversaries like Russia, China, Iran and North Korea.” That is, the leak suggested that the FBI had found their Shadow Brokers culprit.

The story has since been updated to include, among other things, a claim from an “Administration official” that “investigators suspected that Mr. Martin might have taken the material before Mr. Snowden’s actions became public,” which is rather curious since the classified documents described in the DOJ announcement on the arrest are six 2014 documents obtained from sensitive intelligence that were found in his house and vehicle.

The complaint alleges that among the classified documents found in the search were six classified documents obtained from sensitive intelligence and produced by a government agency in 2014. These documents were produced through sensitive government sources, methods, and capabilities, which are critical to a wide variety of national security issues. The disclosure of the documents would reveal those sensitive sources, methods, and capabilities.

Martin may have started taking documents before Snowden, but if DOJ’s allegations are true, he was able to continue even after Snowden (and would have needed to if he were actually the Shadow Broker source).

The conflicting information on this suggests that DOJ doesn’t have any fucking clue what Hal Martin did yet, or why he did it. FBI was clearly trying to figure that out while someone was leaking to everyone at the NYT in terms that suggested the FBI had found the Shadow Brokers source (including the completely bullshit emphasis on Russian and Chinese targets, ignoring how many American companies have been exposed in the Shadow Brokers leak).

Or perhaps not.

The original Shadow Brokers announcement was (as Rayne’s timeline lays out) on August 15. Martin was arrested on August 27. Since that time there have been two more Shadow Brokers announcements, one of little import that seems to mock Asian diction posted on PasteBin on August 28, and another bizarre self-interview posted on Medium last week. In my quick review the voice of those posts is different from the original (as is the claimed political bent). So it is possible the FBI has kept Martin’s arrest secret to try to lure in someone else with further SB announcements.

Or maybe Martin just stupidly brought work home and is fucked because the NSA believes or believed he could be the source of the Shadow Brokers documents, and they need a scapegoat and he’ll do fine. Good thing he is being represented by the same public defender who got Thomas Drake off with a plea deal.

Which leaves the one certainty we can take away from this thus far. Booz Allen Hamilton — which just got $144 million in new DOD business yesterday (h/t Tim Shorrock) — needs a lot more scrutiny in its ability to keep the nation’s secrets safe … and may well need to lose a lot of business.

Wednesday: This One Day

In this roundup: British fascists rise, smart fridge serves porn, and a Zika overview.

Today’s featured short film by Crystal Moselle is about finding one’s tribe, finding one’s place, crossing the threshold to adulthood in the safety of community. Men may not feel this one as keenly as women will. Many of us are skating alone, running into obstacles set before us simply because we are. With a little support we could skate the world.

Love how Bikini Kill’s Rebel Girl plays us out at the end. That.

Brexit and broken

  • Ian Dunt: Tories have become Ukip (Politics.co.uk) — Op-ed looks at UK’s Conservative Party and its aggressive shift toward white nationalism.
  • No joke: UK’s Home Secretary sounds like a Nazi (LBC) — Seriously, read the link. Can’t tell Amber Rudd’s speech from Hitler’s Mein Kampf.
  • The Daily Mail as Tories’ key influencer (OpenDemocracy) — Anthony Barnett looks at the Mail’s succession to Murdoch’s right-wing propaganda mill. The Mail was one of the two largest traditional media influences on right-wing politicians and Brexit voters (the other being NewsCorp’s The Sun); an American parallel would be the shift in media influence on public opinion as Fox News gave way to a more rightist, Trump-friendly CNN. We don’t trust CNN any more than we do Fox, and the UK shouldn’t trust the Mail any more than it should trust The Sun.
  • Theresa May’s Tory Conference speech: fascism wearing a progressive mask (VICE) — May isn’t well known by either UK or US public; her speech this week to her own party gave us a better look at the politician, and she’s not at all pretty. May uses progressive language to make her case, but what she’s really pushing is outright fascism.
  • Unwinding a country rich in diversity (OpenDemocracy) — University of Birmingham lecturer and Oxford University research associate Nando Sigona looks at the United Kingdom as an EU citizen. How does a small but densely populated country — land mass the size of Michigan with a population equal to California and Texas combined — move away from the diversity which has made it rich for millennia? Imagine one of those U.S. states (MI/CA/TX) suddenly telling anyone not ‘native’ to that state to leave; what would it do to that state, let alone the people who must leave? It’s not tenable.
  • 80th anniversary of East London’s Battle of Cable Street (Guardian) — The British have apparently forgotten their history and are now condemned to repeat it. Who is this generation’s Oswald Mosley: Boris Johnson, Nigel Farage, Michael Gove, Theresa May? With attacks on immigrants increasing, the new blackshirts already make their presence known; they only lack a Mosley.

Still skeptical about Tories’ aggression? Just look at this tweet from Tim Colbourne, former deputy chief of staff for LibDem Party’s Nick Clegg. This is not the work of a party working for business interests. We are watching a new Nazism rapidly engulfing the United Kingdom. I doubt it will remain united much longer at this pace.

Keep in mind some of the foreign workers and children the Tories (and Ukip) want identified are U.S. citizens.

Elsewhat, elsewhere

Cybernia, ho!

  • Ireland not happy about the Yahoo email scandal (ITNews-AU) — Ireland wants to know if Yahoo’s scanning emails on behalf of U.S. government compromises Irish citizens’ privacy. Germany’s Fabio de Masi, a member of the European Parliament, has also asked for more details. Yahoo’s scanning could put the brakes on a US-EU data sharing agreement.
  • Alleged terror plotter charged, had operating system in cufflink (Guardian) — Located in Cardiff, Wales, the accused also possessed a book on missile guidance and control; he was responsible for a blog with information about Isis and cyber-security guidance.
  • Smart refrigerator – now with Pornhub (The Register) — Didn’t manufacturers clue in about so-called smart refrigerators a couple years ago after they were hacked? Clearly not if it’s still possible to hijack displays on Internet of Things devices for porn.

Longread: Overview on Zika
This is a decent meta piece in Omni magazine. Article also points out simple preventive interventions to reduce Zika infections: air conditioning and window screens. Also suggests implementing these in Africa where other arbovirus diseases are endemic, like yellow fever, dengue, chikungunya as well as Zika — except AC will create a greater demand for electricity as well as manufacturing pressure for screens. Also doesn’t really deal with the fact more people are outside during daylight hours in warmer climates, and those who work outdoors (like farmers) have no choice. More comprehensive research on arboviruses is needed and work toward vaccines is probably cheaper, faster, and less taxing to the environment than scaling up electricity and manufacturing. Worth a read if flawed.

Phew. That’s enough for today. Thankfully it’s downhill from here. Catch you later!

Wednesday: Time Travel

In this roundup: A short film about a mother’s time travel adventure, the Internet of Stupid Things, and more.

Yahoo’s Three Hacks

As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

2012 alleged Peace affiliated hack

In August, Motherboard reported — and reported to Yahoo — that the hacker known as Peace, who may have ties to Ukrainian and/or organized crime and also sold the MySpace and LinkedIn credentials, was selling credentials from what he said were 200 million accounts hacked in 2012. But when Motherboard tried to verify the data, some of it came back as out of date or invalid.

According to a sample of the data, it contains usernames, hashed passwords (created with md5 algorithm), dates of birth, and in some cases back-up email addresses. The data is being sold for 3 bitcoins, or around $1,860, and supposedly contains 200 million records from “2012 most likely,” according to Peace. Until Yahoo confirms a breach, however, or the full dataset is released for verification, it is possible that the data is collated and repackaged from other major data leaks.

[snip]

Motherboard obtained a very small sample of the data—only 5000 records—before it was publicly listed, and found that most of the two dozen Yahoo usernames tested by Motherboard did correspond to actual accounts on the service. (This was done by going to the login section of Yahoo, entering the email address, and clicking next; when the email address wasn’t recognised, it was not possible to continue.)

However, when Motherboard attempted to contact over 100 of the addresses in the sample set, many returned as undeliverable. “This account has been disabled or discontinued,” read one autoresponse to many of the emails that failed to deliver properly, while others read “This user doesn’t have a yahoo.com account.”

2014 state actor hack

Yahoo claims it discovered the 500 million user hack in its investigation of the Peace allegations in August. The details being released now, in particular the encryption used with the account, vary from what Peace claimed in August.

A source familiar with the investigation told Motherboard on Thursday that, although no direct evidence was found to support Peace’s claims, Yahoo conducted a broader investigation, and during that time, they found the attack from what they described as a state-sponsored actor in 2014. The source declined to provide any evidence that the attack was state-sponsored, but said that the company strongly believed it to be the case.

According to Yahoo’s announcement, the majority of passwords were hashed with the strong hashing function bcrypt, meaning that hackers will have a much harder time at obtaining many users’ real passwords. The source claimed that only a very small percentage of password hashes were not bcrypt.

Note, while Yahoo is claiming this was a hack done by a state actor, it has not said what state actor.

Also, Yahoo appears to be suggesting that Peace’s claim he had Yahoo credentials was not true. Though, given that Yahoo is being acquired by Verizon at the moment, they would have an incentive to claim they didn’t know about this massive hack earlier.

2016 individual hack tied to DNC

Finally, an individualized hack of a Yahoo user — DNC consultant Alexandra Chalupa — was an independent source of the claim that DNC hackers might have ties to Russia or Ukraine. While the hack was evident from emails released by WikiLeaks, Chalupa had worked with Yahoo’s Michael Isikoff previously and he added details explaining her suspicions about the timing.

“I was freaked out,” Chalupa, who serves as director of “ethnic engagement” for the DNC, told Yahoo News in an interview, noting that she had been in close touch with sources in Kiev, Ukraine, including a number of investigative journalists, who had been providing her with information about Manafort’s political and business dealings in that country and Russia.

“This is really scary,” she said.

[snip]

Chalupa’s message, which had not been previously reported, stands out: It is the first indication that the reach of the hackers who penetrated the DNC has extended beyond the official email accounts of committee officials to include their private email and potentially the content on their smartphones. After Chalupa sent the email to Miranda (which mentions that she had invited this reporter to a meeting with Ukrainian journalists in Washington), it triggered high-level concerns within the DNC, given the sensitive nature of her work. “That’s when we knew it was the Russians,” said a Democratic Party source who has knowledge of the internal probe into the hacked emails. In order to stem the damage, the source said, “we told her to stop her research.”

A Yahoo spokesman said the pop-up warning to Chalupa “appears to be one of our notifications” and said it was consistent with a new policy announced by Yahoo on its Tumblr page last December to notify customers when it has strong evidence of “state sponsored” cyberattacks.

Significantly, this story, at least, claims this (and not cyber consultant CrowdStrike) is where DNC certainty that the hack was perpetrated by Russians came from.

Note that Chalupa’s Yahoo address was also affected in the LinkedIn hack, which exposed a simple password.

For now, I’m just presenting these three separate hacks as data points of interest.

Wednesday: Big Wheels Turning

Hard to believe this was made in 1982. Yeah, the production quality doesn’t match today’s digital capabilities, but the story itself seems really prescient. How can an ethically-compromised bloviating bigot manage to fumble his way into office?

Now you know. Bet you can even offer constructive feedback on how director Danny DeVito could update this script for today’s social media-enhanced election cycle.

Self-Driving Vehicles

  • NHTSA issues guidelines for self-driving cars (Detroit Free Press) — FINALLY. But is it a bit too late now that Uber already has a fleet on the streets of Pittsburgh and Tesla has been running beta cars? Let’s face it: the federal government has been very slow to acknowledge the rise of artificial intelligence in any field, let alone the risks inherent in computer programming used in vehicles. We’re literally at the end of a two-term presidency, on the cusp of entirely new policies toward transportation, and NOW the NHTSA steps in? We need to demand better and faster rather than this future-shocked laggy response from government — and that goes for Congress as well as the White House. Congress fails to see the importance of early regulation in spite of adequate warning:

    Legislators warned automakers at the 15 March Senate hearing that the governing body took a dim view of the industry’s ability to self-regulate. “Someone is going to die in this technology,” Duke University roboticist Missy Cummings told the US Senate during a tense hearing where she testified alongside representatives from General Motors and Delphi Automotive, among others.

    Senators Ed Markey and Richard Blumenthal, who questioned car executives at the hearing, had cosponsored a 2015 bill to regulate self-driving automobiles. The bill was referred to committee and never returned to the floor. [source: Guardian]

    In the meantime, we have an initial 15-point guideline the NHTSA wants to address; are they enough? Is a guideline enough? Witness Volkswagen’s years-long fraud, flouting laws; without more serious consequences, would a company with Volkswagen’s ethics pay any heed at all to mere guidelines? Are you ready to drive on the road with nothing but non-binding guidelines to hold makers of autonomous cars accountable?

  • Multiple Tesla car models hackable (Keen Security Lab) — Check this video on YouTube. At first this seems like an innocuous problem, just lights, mirrors, door locks…and then * boom * the brakes while driving. These same functions would also be controlled by AI in a self-driving car, by the way, and they’re already on the road. This is exactly what I mean by the feds being slow to acknowledge AI’s rise.
  • ‘OMG COOL’-like impressions from early self-driving Uber passengers (Pittsburgh Post-Gazette) — Criminy. The naïveté is astonishing. Of course this technology seems so safe and techno-cool when you have an Uber engineer and programmer along for the ride, offering the illusion of safety. Like having a seasoned, licensed taxi driver. Why not just pay for an actual human to drive?
  • Tesla caught in back-and-forth with Mobileye (multiple sources) — After analyzing the May 2016 fatal accident in Florida involving Tesla’s semi-autonomous driving system, Tesla tweaked the system. The gist of the fatal accident appears to have been a false-positive misinterpretation of the semi-trailer as an overhead road sign, for which a vehicle would not slow down. But this particular accident alone didn’t set off a dispute between Tesla and the vendor for its Autopilot system, Mobileye. Another fatal accident in China which occurred in January was blamed on Tesla’s Autopilot — but that, too, was not the point of conflict between Tesla and its vendor. Mobileye apparently took issue with Tesla over “hands on” versus “hands-free” operation; the computer vision manufacturer’s 16-SEP press release claims Tesla said the Autopilot system would be hands on but was rolled out in 2015 as hands-free. Mobileye may also have taken issue with how aggressively Tesla was pursuing its own computer vision technology even before the two companies agreed to end their relationship this past July. A volley of news stories over the last two weeks suggests there’s more going on than the hands on versus hands-free issue. Interestingly enough, the burst of stories began just after a hacker discovered there’s a previously undisclosed dash cam capturing shots of Tesla vehicle operations — and yet only a very small number of the flurry of stories mentioned this development. Hmm. Unfortunately, the dash cam feature would not have captured snaps for the two known fatal accidents because the nature of the accidents prevented the camera from sending images to Tesla servers.

Artificial Intelligence

  • The fall of humans is upon us with our help (Forbes) — This article asks what happens when white collar jobs are replaced by artificial intelligence. Oh, how nice, Forbes, that you worry about the white collar dudes like yourselves but not the blue collar workers already being replaced.
    How about discussing alternative employment for 3.5 million truck drivers?
    Or the approximately 230,000 taxi drivers?
    How about subway, streetcar, and tram operators (for which I don’t currently have a number)?
    How about the administrative jobs supporting these workers?
    This is just a portion of transportation alone which will be affected by the introduction of AI in self-driving/autonomous vehicles. What about other blue collar jobs at risk — like fast food workers, of which there are 3.5 million? And we wonder why Trump appeals to a certain portion of the working class. He won’t be informed at all about this, will not have a solution except to remove persons of color as competition for employment. But the left must develop a cogent response to this risk immediately. It’s already here, the rise of machines as AI and algorithmic replacements for humans. Let’s not wait for the next Luddite rebellion V.2.0 — or is Trump’s current support the rebellion’s inception?
  • But every business needs AI! (Forbes) — Uh…no conflict here at all with the previous article. Nope. Just playing the refs. Save America, people, just keep buying! (By the way, note how this contributor touts Hello Barbie chatbot as a positive sign, though Mattel’s internet-enabled Barbie products have had some serious problems with security.)
  • The meta-threat of artificial intelligence (MIT Technology Review) — Doubt my opinion? Don’t take it from me, then, take it from experts including one who plans to make a fortune from AI — like Elon Musk.

Longread: Academia becomes the new white collar underclass
You may have noted Long Island University-Brooklyn’s 12-day lockout which was not really resolved last week but deferred by a contract extension. The dispute originated over a pay gap between Brooklyn and two other better paid LIU campuses. Ridiculous sticking point, given the small distance between these campuses. LIU barred instructors from campus and halted their benefits during the lockout. Students walked out, infuriated by the temps who subbed in for the locked-out instructors — a cafeteria worker in one case filled in for an English instructor. LIU’s walkout won’t be the only such conflict over academic wages. To understand the scale of the problem, you’ll want to read this piece at Guernica, which explains how academia is being shaken down across the U.S., not just in Brooklyn. I remember asking an academic administrator back in 2006 what would happen when secondary education was commodified; they couldn’t imagine it ever happening. And now the future has arrived. What are we going to do about this while retaining U.S. standards in education?

Hope you’re liking the site revamp! Do leave a comment if you find anything isn’t working up to snuff.

A Cosmopolitan Defense of Snowden

A bunch of human rights groups have started a campaign calling on President Obama to pardon Edward Snowden, to coincide with the release of the Snowden movie today.

With regard to Snowden’s fate, I believe — as I have from the start — that US interest would have been and would be best served if a safe asylum for Snowden were arranged in a friendly country. I had said France at the time, but now Germany would be the obvious location. Obama is not going to pardon Snowden, and Presidents Hillary or Trump are far less likely to do so, not least because if a president pardoned Snowden it would be an invitation for a metaphorical or literal assassination attempt. But I also think it would have always served US interests to keep Snowden out of a place like Russia. That ship has already sailed, but I still think we insist on making it impossible for him to leave Russia (by pressuring allies like Germany that might otherwise have considered asylum) largely out of self-destructive motives, an urge to prove our power that often overrides our interests.

That’s all background to recommending you read this post from Jack Goldsmith arguing against pardon for Snowden. While I disagree with big parts of it, it is the most interesting piece I’ve seen on the Snowden pardon question, for or against.

Like me, Goldsmith believes there’s no chance Snowden will get a pardon, even while admitting that Snowden’s disclosures brought worthwhile transparency to the Intelligence Community. Unlike me, he opposes a pardon, in part, because of the damage Snowden did, a point I’ll bracket for the moment.

More interestingly, Goldsmith argues that a pardon should be judged on whether Snowden’s claimed justification matches what he actually did.

Another difficulty in determining whether a pardon is warranted for Snowden’s crimes is that the proper criteria for a pardon are elusive.  Oliver Wendell Holmes once declared that a pardon “is the determination of the ultimate authority that the public welfare will be better served by inflicting less” than what the criminal law specified.  But how to measure or assess the elusive public welfare?  The Constitution delegates that task exclusively to the President, who can use whatever criteria he chooses.  Many disagreements about whether a pardon is appropriate are at bottom disagreements about what these criteria should be.  Some will question whether Snowden should be pardoned even if his harms were trivial and the benefits he achieved were great.  Indeed, presidents don’t usually grant pardons because a crime brought benefits.  My own view is that in this unusual context, it is best to examine the appropriateness of a pardon in the first instance through an instrumental lens, and also to ask how well Snowden’s stated justification for his crimes matches up with the crimes he actually committed.

Goldsmith goes on to engage in what I consider a narrowly bracketed discussion of Snowden’s leaks about violations of US law (for example, he, as everyone always does, ignores NSA double dipping on Google and Yahoo servers overseas), claiming to assess whether they were violations of the Constitution, but in fact explicitly weighing whether they were a violation of the law.

His exposure of the 702 programs (PRISM and upstream collection) is harder to justify on these grounds, because these programs were clearly authorized by public law and have not sparked nearly the same criticism, pushback, or reform.

After substituting law for Constitution, the former OLC head (the guy who approved of much of Stellar Wind by claiming FISA exclusivity didn’t really mean FISA exclusivity) makes what is effectively an Article II argument — one nowhere near as breathtaking as Goldsmith’s Stellar Wind one. Most of Snowden’s leaks can’t be unconstitutional, Goldsmith argues, because they took place overseas and were targeted at non-US persons.

What I do not get, and what I have never seen Snowden or anyone explain, is how his oath to the U.S. Constitution justified the theft and disclosure of the vast number of documents that had nothing to do with operations inside the United States or U.S. persons.  (Every one of the arguments I read for Snowden’s pardon yesterday focused on his domestic U.S. revelations and ignored or downplayed that the vast majority of revelations that did not involve U.S. territory or citizens.)  To take just a few of hundreds of examples, why did his oath to the Constitution justify disclosure that NSA had developed MonsterMind, a program to respond to cyberattacks automatically; or that it had set up data centers in China to insert malware into Chinese computers and had penetrated Huawei in China; or that it was spying (with details about how) in many other foreign nations, on Bin Laden associate Hassam Ghul’s wife, on the UN Secretary General,  and on the Islamic State; or that it cooperates with intelligence services in Sweden and Norway to spy on Russia?; and so on, and so on.  These and other similar disclosures (see here for many more) concern standard intelligence operations in support of national security or foreign policy missions that do not violate the U.S. Constitution or laws, and that did extraordinary harm to those missions.  The losses of intelligence that resulted are not small things, since intelligence information, and especially SIGINT, is a core element of American strength and success (and not just, as many seem to think, related to counterterrorism).  It doesn’t matter that leaks in this context sparked modest reforms (e.g., PPD 28).  The Constitution clearly permits foreign intelligence surveillance, and our elected representatives wanted these obviously lawful practices to remain secret.

Having laid out a (compared to his Stellar Wind defense) fairly uncontroversial argument about the current interpretation of the Constitution reserving wiretapping of non-Americans to the President (though my understanding of the actual wiretapping in the Keith decision, of Americans in Africa, would say Presidents can’t wiretap Americans overseas without more process than Americans’ communications collected under bulk collection overseas currently get), Goldsmith goes on to make his most important point.

The real defense of Snowden stems not from our own Constitution, but from a moral and ethical defense of American values.

What might be the moral and ethical case for disclosing U.S. intelligence techniques against other countries and institutions?  (I will ignore possible cosmopolitan impulses for Snowden’s theft and leaks, which I think damage the case for a pardon for violations of U.S. law.)  I think the most charitable moral/ethical case for leaking details of electronic intelligence operations abroad, including against our adversaries, is that these operations were harming the Internet, were hypocritical, were contrary to American values, and the like, and Snowden’s disclosures were designed to save the Internet and restore American values.  This is not a crazy view; I know many smart and admirable people who hold it, and I believe it is ethically and morally coherent.

This is a remarkable paragraph. First, it defines what is, I think, the best defense of Snowden. American values and public claims badly conflict with what we were and still are doing on the Internet. I’d add that this argument also works to defend Chelsea Manning’s leaks: she decided to leak when she was asked to assist Iraqi torture in the name of Iraqi liberation, a dramatic conflict of US stated values with our ugly reality.

But the paragraph is also interesting for the way Goldsmith, almost as an aside, “ignore[s] possible cosmopolitan impulses for Snowden’s theft and leaks, which I think damage the case for a pardon for violations of U.S. law.” I take this to argue that if you’re leaking to serve some universal notion of greater good — some sense of world citizenship — then you can’t very well ask to be pardoned by US law. Perhaps, in that case, you can only ask to be pardoned by universal or at least international law. I’ll come back to this.

Goldsmith contrasts the moral and ethical case based on American values with his own, a moral and ethical one that justifies US spying to serve US interests in a complex and dangerous world.

But it is also not a crazy view, and it is also ethically and morally coherent, to think that U.S. electronic intelligence operations abroad were entirely lawful and legitimate efforts to serve U.S. interests in a complex and dangerous world, and that Snowden’s revelations violated his secrecy pledges and U.S. criminal law and did enormous harm to important American interests and values.

For the record, I think Snowden has said some of US spying does serve US interests in a complex and dangerous world. But from that view, the old defender of Article II argues that a President — the guy or gal who by definition is the only one who can decide to pardon Snowden — must always adhere to the latter (Goldsmith’s) moral and ethical stance.

Unfortunately for Snowden’s pardon gambit,  President Obama, and any one who sits in the Oval Office charged with responsibility for American success around the globe, will (and should) embrace the second moral/ethical perspective, and will not (and should not) countenance the first moral/ethical perspective, which I take to be Snowden’s.

Goldsmith then ends where I began, with a more polite explanation that any president that pardoned Snowden would be inviting metaphorical or literal assassination. He also suggests the precedent would lead to more leaks. But that seems to ignore 1) that Snowden leaked even after seeing what they did to Manning (that is, deterrence doesn’t necessarily work) 2) the Petraeus precedent has already exposed the classification system as one giant load of poo.

Anyway, by my reading, Goldsmith argues that this debate pits those motivated out of American values versus those motivated out of perceived American interests, and that any President must necessarily operate from the latter.

I’m interested in that because I think the former motivation really does explain a goodly number of the leakers and whistleblowers I know. People a generation older than me, I think, may have been true believers in the fight against the Evil Empire during the Cold War, only to realize we risk becoming the Evil Empire they spent their life fighting. Every time I see Bill Binney, he makes morbid cracks about how he was the guy who invented “Collect it all,” back when he was fighting Russia. People a generation younger than me — Snowden, Manning, and likely a lot more — more often responded out of defense of all that is great in America after 9/11, only to find that we have not adhered to that greatness in prosecuting the war on terror. These are gross generalizations. But I think the conflict is real among a lot of people, and it’s one that will always fight increasingly diligent efforts to tamp down dissent.

That said, I want to note something else Goldsmith did, while making his aside that anyone making a cosmopolitan defense of Snowden cannot ask for a pardon under US law (a view I find fairly persuasive, which may be why I think a reasonable outcome is for Snowden to live out his life in Germany). In making that aside, Goldsmith effectively dismissed the possibility that living US values rather than interests might be both cosmopolitan and in our national interest.

I’ve talked about this repeatedly — the degree to which Snowden’s disclosures (and, to a lesser extent, Manning’s) served to expose some lies that are critical to American hegemony. Our hegemonic position relies — according to people like Goldsmith and, perhaps in reality, though the evidence is mixed — on our global dragnet, which in turn serves our global military presence. But it has also relied on an ideology, every bit as important as ideology was during the Cold War, that espoused democracy and market capitalism and, underscoring both of those, a belief in the worth of every individual (and by extension, individual nation) to compete on equal terms. Without that ideology, we’re just a garden variety empire, which is a lot harder to sustain because it requires more costly (in terms of dollars and bodies) coercion rather than persuasion.

And Snowden’s leaks showed we used our preferential position astride the world’s telecommunications network and our claim to serve freedom of expression to serve as the hegemon. Hell, the aftermath of that shows it even more! Country after country has backed off giving Snowden asylum — the proper cosmopolitan resolution — because the US retains enough raw power and/or access to the fruits of the dragnet to persuade countries that’s not in their “interest.”

This is an issue that has gotten far too little attention in the wake of the Snowden leaks: to what degree is the cost of the Snowden leaks measured in terms of exposing to the subjects of our hegemon facts that their leaders already knew (either because they were and are willing co-participants in the spying or knowledgeable adversaries engaged in equally ambitious but less effective surveillance)? I don’t doubt there are individual programs that have been compromised, though thus far the IC has badly hurt its case by making claims (such as that Al Qaeda only adopted encryption in response to Snowden, or that Snowden taught terrorists how to use burner phones) that are easily falsifiable. But a big part of the leaks are about the degree to which the US can (and does passively in many cases via bulk collection) spy on everyone.

But to me, the big cost has been in terms of exposing America’s hegemonic ideology as the fiction that ideologies always become if they aren’t from the start.

Note, I fully accept that that may be an unacceptable cost. America’s hegemony was already weakening; I believe Snowden’s disclosures simply accelerated that. It is absolutely possible that the weakening of US hegemony will create a vacuum of power that will leave chaos. That chaos may lead, or may have already led, to a desire for strongmen in response. There were outside factors playing into all of this. The Iraq War did far more to rot America’s hegemonic virtue than Edward Snowden’s leaks ever could have. And it’s not clear that an empire based on oil can provide the leadership we need to fight climate change, which will increasingly be the source of chaos. But I accept that it is possible Snowden accelerated a process that may lead to horrible outcomes.

Here’s the thing, though: this younger generation of leakers — of dissident servants of the hegemon — don’t need to be cured of a lifetime of ideology. It may take, as it did with Manning, no more than critical assessment of some flyers confiscated by our so-called partners in liberation for the ideology cementing our hegemonic authority to crumble.

Our hegemony depends on the ideology of our values. That seems to both have been the trigger for and may justify the cosmopolitan interest in exposing our hypocrisy. And whether or not Americans should give a shit about the freedom of non-American subjects of the hegemon, to the extent that servants of that ideology here find the hypocrisy unsustainable, we’re likely to have more Mannings and more Snowdens.

Our global dragnet may very well serve the ethics of those who serve presidentially-defined American interests. As such, Snowden’s leaks are surely seen as unforgivable damage.

But it is also possible that American hegemony is only — was only — sustainable to the degree that we made sure that global dragnet was limited by the values that have always been critical to the ideology underlying our hegemony.

FBI can’t pretend to be the AP without special approval. They can pretend to be Apple.

As a number of outlets have reported, the DOJ IG just released a report on FBI’s impersonation of a journalist in 2007. The FBI pretended to be the AP to catch a high school student making bomb threats.

As I will explain in more detail in a follow-up post, the IG report somewhat exonerated the Agents who engaged in that effort. It also gives reserved approval of an interim policy FBI adopted this June (that is, well after the press complained, and just as the IG was finishing this report) that would prevent the FBI from pulling a similar stunt without higher level approval.

But some of the details in the report — as well as one of its recommendations — suggest that the FBI would still be able to pretend to be a software company making a software update. Here’s the recommendation.

Recommendation 2: The FBI should consider the appropriate level of review required before FBI employees in a criminal investigation use the name of third party organizations or businesses without their knowledge or consent.

As the report explains, this concern arises because FBI policies on undercover activities distinguish between impersonating a biological person and a corporate one.

Finally, as we described in Section III of this report, we learned during the course of this review that while FBIHQ approval is required to use a third person’s “online identity” in undercover online communications or to make “untrue representations . . . concerning the activities or involvement of any third person” without that person’s knowledge or consent, special approval was not required to use the identity of an organization or business in undercover online communications or in other undercover activities. The new interim policy changes that policy as it relates to news organizations, but does not address this issue with regard to non-news organizations or businesses. We think the Department should consider the appropriate level of review necessary before agents in a criminal investigation are allowed to use the name of a third-party organization or business without its knowledge or consent, in light of the potential impact that use might have on the third party’s reputation.30

30 After reviewing a draft of this report, the FBI provided comments explaining that the heightened level of review and approval required for FBI employees to pose as members of the news media was introduced because such activity potentially could “impair news-gathering activities” under the First Amendment, but that such constitutional considerations do not apply to businesses and other third parties. Our recommendation, however, does not rely on equating the reputational interests of some third party organizations and businesses with the constitutional interests of others. We believe that reputational interests, and the potential impact FBI investigations can have on those interests, are themselves sufficiently important to merit some level of review before FBI employees use the names of third party organizations or businesses without their knowledge or consent. [my emphasis]

The new policy requires additional approvals before the FBI can pretend to be a news-gathering organization, but only requires that higher approval for news-gathering organizations, not other corporate entities.

In other words, FBI is only imposing these new restrictions because by pretending to be a journalist, it might impair the news-gathering activities under the First Amendment. But the FBI doesn’t care about the reputational harm that its undercover activities might do to non news media corporations.

And there’s nothing here that would prohibit the FBI from engaging in the most obvious undercover activity to accomplish the same objective they had in the bomb threat case: to get someone to click a link that would, unbeknownst to the target, infect their computer with malware.

In other words, by all appearances, the FBI can’t infect you with malware by pretending they want to interview you, but they could infect you with malware by pretending they want to update your software.

A Busy Day for the Bears

Yesterday, there were three arguably big events associated with stolen records alleged to have ties to Russia’s GRU.

Simone Biles treats her ADHD

The first is the leak, by a group explicitly calling itself Fancy Bear (though the hack was once tied to Polish Anonymous), of anti-doping agency records showing the Williams sisters and Simone Biles all got approval for and took drugs on a list of otherwise banned substances. While there are no allegations of impropriety — indeed, Biles explained that in her case the exception involved treating ADHD — the story got covered by the major international press, including the Beeb, NBC, and NYT.

Colin Powell rants

The second alleged-Bear event is the release of Colin Powell emails, obtained by DC Leaks, to The Intercept, BuzzFeed, and Politico. The emails include quite recent ones, including one from August 26. Powell now uses GMail, suggesting his emails should be harder to hack than (for example) his State emails on AOL or emails run on a private server. Whether you worry about Russian influence or not, this hack is quite newsworthy.

There are embarrassing emails with Powell asserting that “Everything HRC touches she kind of screws up with hubris,” as well as emails with Powell complaining about Trump’s racism and the press’ stoking of it.

The emails are not limited to election-related ones, either. They also include correspondence between Powell and Jack Straw and how the Chilcot report got buried in all the Brexit news.

Guccifer 2 goes mainstream

[Image: dncarchitecture_mc]

Finally, there was the “appearance” at a security conference by Guccifer 2.0, the guy who has released the DNC emails that gave the Democrats an excuse to force Debbie Wasserman Schultz to resign, though they had been looking for an excuse for some time.

In point of fact, Guccifer 2.0 didn’t appear in person at the conference. Rather, he sent a speech which got read at the conference, with the transcript released to journalists. The speech focused on the negligence of software companies in security. Guccifer went on for several paragraphs about the power and sloppiness of tech companies, arguing they were to blame for hacks.

The next reason, and the crucial one, is software vulnerability. Tech companies hurry to finish the work and earn money. So they break development cycle very often omitting the stage of testing. As a result, clients have raw products installed on their systems and networks with a great number of bugs and holes.

Fourth. It’s well known that all large companies look forward to receiving governmental contracts. They develop governmental websites, communication systems, electronic voting systems, and so on and have their products installed to critical infrastructure objects on the national level.

They are aggressively lobbying their interests. You can see it at the diagram that they spent millions of dollars for lobbying. That doesn’t mean they will produce better software. That means they will get even more money in return.

Then he returned to a claim he has made on two earlier occasions: that he hacked DNC via a vulnerability in VAN.

So, what’s the right question we should ask about cyber crime?

Who hacked a system?

Wrong. The right question is: who made it possible that a system was hacked? In this regard, what question should you ask me?

How I hacked the DNC???

Now you know this is a wrong question. Who made it possible, that I hacked into the DNC? This is the question. And I suppose, you already know the answer. This is NGP VAN Company that operates the DNC network. And this is its CEO Stu Trevelyan who is really responsible for the breach.

Their software is full of holes. And you knew about it even before I came on stage.

You may remember Josh Uretsky, the national data director for Sanders’ presidential campaign. He was fired in December, 2015 after improperly accessing proprietary data in the DNC system. As it was agreed, he was intentionally searching for voter information belonging to other campaigns.

However, he is not to blame. The real reason voter information became available for non-authorized users was NGP VAN’s raw software which had holes and errors in the code. And this is the same reason I managed to get access to the DNC network. Vulnerabilities in the NGP VAN software installed on its server which they have plenty of. Shit! Yeah?

This scheme shows how NGP VAN is incorporated in the DNC infrastructure.

One of two schemes released with the speech appears above.

Now, Guccifer’s allegation — tying vulnerabilities in the VAN software to his own hack — could be newsworthy. Recall, after all, that one excuse the Bernie staffer gave for nosing around Hillary’s side of VAN was that Sanders’ own data had been compromised earlier that year. Importantly, Guccifer’s persistent focus on VAN, which was a signature moment in Sanders voters’ disillusionment with the DNC conduct in the election, would provide an alternative motive for this hack rather than just a Putinesque plot to tamper with Hillary’s election.

Thing is, there’s nothing in the materials released on VAN that indicates any particular vulnerability (though the dump does include some dated information on DNC’s computer security): effectively Guccifer makes an allegation but — at least from what I’ve seen and heard from a few people who know security better — doesn’t deliver the goods.

Indeed, while there are documents acknowledging the kind of pay-to-play appointments for big donors that both parties practice, and some other financial data that I suspect may prove more interesting with further scrutiny, there’s nothing really newsworthy in this dump. It seems to be interesting primarily to Bernie diehards, not the press generally, which is rightly more interested by the Powell emails.

Which, again, emphasizes how much Guccifer has been feeding Bernie diehards, either out of his own motivation or his handler’s. It is worth noting that while Guccifer claims to oppose Trump’s policies, he did say this about Sanders: “I have nothing to say about Bernie Sanders. It seems he never had a chance to win the nomination as the Democratic Party itself stood against him!”

Why stomp on the Bears’ other big blasts?

Which has me wondering about yesterday generally. If someone is orchestrating all these leaks, why have Guccifer “give a speech” on the same day as two highly managed releases, especially given that Guccifer failed to deliver the goods? Indeed, why invite Guccifer to, or have him accept an invitation from, a pretty staid security conference at all?

And what is the role of Darren Martyn, a LulzSec Irish hacker who was indicted along with Jeremy Hammond but apparently never extradited? He’s apparently the one who read Guccifer’s speech. Which raises all sorts of questions about Guccifer’s ties to the Anon group of hackers, or maybe also to what Martyn has been doing since he was indicted in the US.

Let me just close with an observation.

The Democrats have, rightly, been worried about what Guccifer will release closer to the election; I’ve heard specific concerns from connected Dems that he will release far more damning financial documents. The FBI, too, appears uncertain whether the set of documents Guccifer has is the same that the GRU-related hackers are believed to have spied on at the DNC. Thus, both the DNC and FBI would love to do something to make Guccifer show more of his hand.

Before this hack, we were all just waiting to see what Julian Assange, who is clearly maximizing damage to Hillary, will drop next.

And instead, by inviting Guccifer to appear at a conference, someone got Guccifer to drop an additional 700 MB of files while everyone is busy looking at the Powell emails.

 
