Wednesday Morning: Water, Water, Everywhere [UPDATE]

/24 Comments/in , , /by

Day after day, day after day,
We stuck, nor breath nor motion;
As idle as a painted ship
Upon a painted ocean.

Water, water, every where,
And all the boards did shrink;
Water, water, every where,
Nor any drop to drink.

— excerpt, The Rime of the Ancient Mariner by Samuel Taylor Coleridge

Felony and misdemeanor charges are expected today in the Flint water crisis. State Attorney General Bill Schuette will put on a media dog-and-pony show, when it is expected that three persons — two engineers with the Michigan Department of Environmental quality and a Flint water department employee — will be charged for Flint’s lead water levels after the cut-over to Flint River water.

Mind you, the descriptions of these persons do not match that of higher level persons who were responsible for

1) making the final decision to cut Flint off from Detroit’s water system and switching to the Flint river;
2) evaluating work performed by consulting firms about the viability of Flint River as a water source, or about reporting on lead levels after the cut-over;
3) ensuring the public knew on a timely basis the water was contaminated once it was already known to government officials;
4) lack of urgency in responding to a dramatic uptick in Legionnaire’s disease, or the blood lead levels in children.

Just for starters. Reading the Flint water crisis timeline (and yes, it needs updating), it’s obvious negligence goes all the way to the top of state government, and into the halls of Congress.

Michigan’s Governor Snyder has elected to perform some weird self-flagellating mea culpa or performance art, by insisting he and his wife will drink filtered Flint city water for a month. It’s a pointless gesture since the toxic lead levels, experienced during the two years immediately after the city’s cut-over to the Flint River, have already fallen after doing permanent damage to roughly eight thousand children in and around Flint.

Flint’s Mayor Karen Weaver said about the governor’s stunt, “[H]e needs to come and stay here for 30 days and live with us and see what it’s like to use bottled or filtered water when you want to cook and when you want to brush your teeth.”

Or get a new mortgage, I would add. The gesture also does nothing for Flint’s property values. Imagine living in Flint, trying to refinance your home to a lower interest rate, telling the bank, “Oh, but the water’s safe enough for the governor!” and the bank telling you, “Nah. Too risky.”

UPDATE — 10:45 AM EDT —
Charges have been filed against City of Flint’s Laboratory & Water Quality Supervisor Mike Glasgow and Michigan Department of Environmental Quality Office of Drinking Water and Management Assistance district director Steven Busch and MI-ODWMA District Engineer Michael Prysby. Mlive.com-Flint reports,

Glasgow is accused of tampering with evidence when he allegedly changed testing results to show there was less lead in city water than there actually was. He is also charged with willful neglect of office.

Prysby and Busch are charged with misconduct in office, conspiracy to tamper with evidence, tampering with evidence, a treatment violation of the Michigan Safe Drinking Water Act and a monitoring violation of the Safe Drinking Water.

None of the individuals charged in the case have been arraigned.

Sure would like to see the evidence on Glasgow, given the email he wrote 14-APR-2014 (see the timeline).

House hearing on encryption yesterday

  • Worth the time if you have it to listen to the House Energy and Commerce Oversight and Investigations Subcommittee’s hearing, ‘Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives‘ to catch Apple’s general counsel Bruce Sewell and UPenn’s CIS asst. prof. Matt Blaze. Not so much for Indiana State Police Captain Charles Cohen, who was caught up in misinfo/disinfo about Apple’s alleged non-cooperation with the U.S. government. Wish there was a transcript, especially for the part where Sewell was quizzed as to whether Apple would encrypt their cloud.
  • Speaking of Cohen and misinfo/disinfo, Apple said it hasn’t released source code to Chinese (Reuters) — This is the spin IN’s Cohen got caught up in. Nope.

Another Congressional hearing of interest: Fed Cybersecurity
In case you missed it, catch the video of today’s House Oversight Subcommittee on Information Technology hearing on Federal Cybersecurity Detecion, Response, and Mitigation. You may have seen Marcy’s tweets on this hearing, at which Juniper Networks was a no-show, and Rep. Ted Lieu (D-CA) was kind of pissed off. Catch Bruce Schneier’s post about Juniper’s vulnerability.

Volkswagen has company: Mitsubishi’s mileage data tweaked to cheat
The Japanese automaker may have to pay back tax rebates offered on vehicles meeting certain fuel efficiency standards. Data from mileage tests on hundreds of thousands of cars was fudged to make the cars look 5-10 percent more efficient.

Speaking of cheating: Volkswagen’s use of code words masked references to emissions controls cheats
The amount of data under review along with the use of code words and phrases like “acoustic software” may delay the completion of the probe’s report. Don’t forget: tomorrow is the second 30-day deadline set for VW to provide a technical solution for owners of its passenger diesel vehicles.

That’s enough. Michigan state AG newser underway now as I update this again at 1:15 p.m. EDT; I may not update here since I addressed known charges above. Catch you on the other side of the hump.

Share this entry

Tuesday Morning: Trash Day

/7 Comments/in , , /by

It’s trash day in my neighborhood. Time to take the garbage to the curb. I aim for as little trash as possible, which means buying and consuming less processed/more fresh foods. I use paper/glass/ceramic/stainless steel for storage, avoiding plastics as much as possible. Every lick of plastic means oil — either the plastic has been created wholly from oil, or fossil fuels have been used in its manufacture. Can say the same about the manufacturing of paper/glass/ceramic/stainless steel, but paper can be composted/recycled/renewed, and the rest can be used for lifetimes if cared for. I use ceramic bowls that belonged to my great-grandmother, and stainless pots and bowls once belonging to my mother, and I expect to hand them down some day.

Which makes me all judgy when I’m walking through the neighborhood, side-eyeing the garbage cans at the curb. Can’t believe how much waste is created every week, and how willing we are to pay tax dollars to stick it in the ground as landfill. How can Family X not bother to recycle at all? How can Family Y live on so much processed, chemical-laden garbage? It’s all right there at the end of their driveway, their addiction to fossil fuel consumption spelled out in trash.

What small change can you make in your lifestyle so Judgy McJudgyPants here doesn’t side-eye your trash cans?

Speaking of trash…

Piling on the wonks, Part 3: United Healthcare exiting Obamacare in Michigan
Disclosure: UHC is my health insurer, which I am fortunate enough to afford. But I couldn’t stay with them if I had to go on Obamacare. UHC says it’s losing too much money in Michigan to remain in the program — not certain how given the double-digit underwriting increase it posted for this past year. UHC will leave other states which may not fare as well as Michigan, and even Michigan will suffer from decreasing competition. Do tell us, though, wonks, how great Obamacare is. I’m sure I will feel better should I ever have to shop Obamacare plans for pricey coverage with a dwindling number of providers. And if you missed the previous discussions on inept Obamacare wonkery, see Part 1 by Marcy and Part 2 by Ed Walker.

Tech Tiews

  • Don’t let anybody say Apple isn’t cooperating with law enforcement (Phys.org) — Apple has, to the tune of 30,000 times from Jul-Dec 2015 alone, according to a report released late Monday.
  • BlackBerry CEO says telecom companies should ‘comply with reasonable lawful access requests‘ to assist law enforcement (Reuters) — Nice bit of footwork from a company which passed their encryption key to Canadian law enforcement as far back as 2010.
  • If you missed the 60 Minutes segment about the security threat posted by Signalling System Number 7 protocol (SS7), you should read up. (The Guardian) — Also wouldn’t hurt to look into end-to-end encryption for your communications. Wonder what role SS7 played in NSA’s and GHCQ’s ‘treasure mapping’ Germany’s Telekom and other global networks, and if this explains why SS7 is still not secure?
  • [Presence of drugs in car] plus [pics of cash on phone] = suspicious (Ars Technica) — Wait, isn’t the presence of illegal drugs in one’s car enough to make one a suspect?
  • New technology for chip-embedded smart cards will speed checkout times, says VISA (Phys.org) — What the hell are we being forced to switch to so-called smart cards for if they don’t actually improve checkout process already? We’ll piss away any savings from increased security standing in line waiting.

Time to fetch the emptied trash can. See you tomorrow!

Share this entry

Monday Morning: Calm, You Need It

/5 Comments/in , /by

Another manic Monday? Then you need some of Morcheeba’s Big Calm combining Skye Edward’s mellow voice with the Godfrey brothers’ mellifluous artistry.

Apple’s Friday-filed response to USDOJ: Nah, son
You can read here Apple’s response to the government’s brief filed after Judge James Orenstein’s order regarding drug dealer Jun Feng’s iPhone. In a nutshell, Apple tells the government they failed to exhaust all their available resources, good luck, have a nice life. A particularly choice excerpt from the preliminary statement:

As a preliminary matter, the government has utterly failed to satisfy its burden to demonstrate that Apple’s assistance in this case is necessary—a prerequisite to compelling third party assistance under the All Writs Act. See United States v. N.Y. Tel. Co. (“New York Telephone”), 434 U.S. 159, 175 (1977). The government has made no showing that it has exhausted alternative means for extracting data from the iPhone at issue here, either by making a serious attempt to obtain the passcode from the individual defendant who set it in the first place—nor to obtain passcode hints or other helpful information from the defendant—or by consulting other government agencies and third parties known to the government. Indeed, the government has gone so far as to claim that it has no obligation to do so, see DE 21 at 8, notwithstanding media reports that suggest that companies already offer commercial solutions capable of accessing data from phones running iOS 7, which is nearly three years old. See Ex. B [Kim Zetter, How the Feds Could Get into iPhones Without Apple’s Help, Wired (Mar. 2, 2016) (discussing technology that might be used to break into phones running iOS 7)]. Further undermining the government’s argument that Apple’s assistance is necessary in these proceedings is the fact that only two and a half weeks ago, in a case in which the government first insisted that it needed Apple to write new software to enable the government to bypass security features on an iPhone running iOS 9, the government ultimately abandoned its request after claiming that a third party could bypass those features without Apple’s assistance. See Ex. C [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, Cal. License Plate #5KGD203 (“In the Matter of the Search of an Apple iPhone” or the “San Bernardino Matter”), No. 16-cm-10, DE 209 (C.D. Cal. Mar. 28, 2016)]. In response to those developments, the government filed a perfunctory letter in this case stating only that it would not modify its application. DE 39. The letter does not state that the government attempted the method that worked on the iPhone running iOS 9, consulted the third party that assisted with that phone, or consulted other third parties before baldly asserting that Apple’s assistance remains necessary in these proceedings. See id. The government’s failure to substantiate the need for Apple’s assistance, alone, provides more than sufficient grounds to deny the government’s application.

Mm-hmm. That.

Dieselgate: Volkswagen racing toward deadline

  • Thursday, April 21 is the extended deadline for VW to propose a technical solution for ~500,000 passenger diesel cars in the U.S. (Intl Business Times) — The initial deadline was 24-MAR, establishing a 30-day window of opportunity for VW to create a skunkworks team to develop a fix. But if a team couldn’t this inside 5-7 years since the cars were first sold in the U.S., another 30 days wouldn’t be enough. Will 60 days prove the magical number? Let’s see.
  • VW may have used copyrighted hybrid technology without paying licensing (Detroit News) — What the heck was going on in VW’s culture that this suit might be legitimate?
  • After last month’s drop-off in sales, VW steps up discounting (Reuters) — Trust in VW is blamed for lackluster sales; discounts aren’t likely to fix that.

Once around the kitchen

  • California’s winter rains not enough to offset long-term continued drought (Los Angeles Times) — Op-ed by Jay Famiglietti, senior water scientist at the NASA Jet Propulsion Laboratory–Pasadena and UC-Irvine’s professor of Earth system science. Famiglietti also wrote last year’s gangbuster warning about California’s drought and incompatible water usage.
  • Western scientists meet with North Korean scientists on joint study of Korean-Chinese volcano (Christian Science Monitor) — This seems quite odd, that NK would work in any way with the west on science. But there you have it, they are meeting over a once-dormant nearly-supervolcano at the Korea-china border.
  • BTW: Deadline today for bids on Yahoo.

There you are, your week off to a solid start. Catch you tomorrow morning!

Share this entry

The FBI’s Asinine Attempt to Retroactively Justify Cracking Farook’s Phone

/7 Comments/in , /by

“Hold on honey,” said Syed Rizwan Farook, who had just murdered 14 of his co-workers, “let me go get my work phone in case they call me during our getaway”

That’s the logic the FBI is now peddling to reporters who are copping onto what was clear from the start: that there was never going to be anything of interest on Farook’s phone. After all, they’re suggesting geolocation data on the phone (some of which would be available from Verizon) might explain the 18 minutes of the day of the attack the FBI has yet to piece together.

For instance, geolocation data found on the phone might yet yield clues into the movements of the shooters in the days and weeks before the attack, officials said. The bureau is also trying to figure out what the shooters did in an 18-minute period following the shooting.

Farook drove a SUV to the attack and was killed in the same SUV. To suggest his work phone, which was found in a Lexus at his house, might have useful geolocation data about the day of the attack would suggest he made a special trip to the car to leave his phone in it and turned it off afterwards (if we really believe it was off and not just drained when the FBI found it the day after the attack).

Hold on honey, let me go place my work phone in the Lexus.

Similarly, it is nonsensical to suggest the phone would yield evidence of ties with foreign terrorists.

The FBI has found no links to foreign terrorists on the iPhone of a San Bernardino, Calif., terrorist but is still hoping that an ongoing analysis could advance its investigation into the mass shooting in December, U.S. law enforcement officials said.

They’ve had the metadata from the phone since December 6, at the latest. That’s what would show ties with foreign terrorists, if Farook had been so stupid as to plot a terrorist attack against his colleagues on his work phone, to which his employer had significant access.

Finally, reporters should stop repeating the FBI’s claim that Farook turned off his backups.

In particular, the bureau wanted to know if there was data on the phone that was not backed up in Apple’s servers. Farook had stopped backing up the phone to those servers in October, six weeks before the attack.

The government has actually never said that in sworn declarations. Rather, their forensics guy, Christopher Pluhar, asserted only that Farook may have turned them off.

Importantly, the most recent backup is dated October 19, 2015, which indicates to me that Farook may have disabled the automatic iCloud backup feature associated with the SUBJECT DEVICE. I believe this because I have been told by SBCDPH that it was turned on when it was given to him, and the backups prior to October 19, 2015 were with almost weekly regularity. [my emphasis]

But if he did, he was a damned incompetent terrorist, because — as Jonathan Zdziarski, who is quoted in this article, pointed out — at the same screen he would have used to turn off the iCloud backup, he could have also deleted all his prior backups, which we know he didn’t do.

  • Find my iPhone is still active on the phone (search by serial number), so why would a terrorist use a phone he knew was tracking him? Obviously he wouldn’t. The Find-my-iPhone feature is on the same settings screen as the iCloud backup feature, so if he had disabled backups, he would have definitely known the phone was being tracked. But the argument that Farook intentionally disabled iCloud backup does not hold water, since he would have turned off Find-my-iPhone as well.
  • In addition to leaving Find-my-iPhone on, the option to delete all prior backups (which include iMessage history and other content) is also on the same settings screen as the option to disable iCloud backups. If Farook was trying to cover up evidence of leads, he would have also deleted the existing backups that were there. By leaving the iCloud backup data, we know that Farook likely did not use the device to talk to any leads prior to October 19.

We also know from a supplemental Pluhar declaration that Farook had not activated the remote-wipe function, which he also would have done if he were a smart terrorist trying to cover his tracks.

Finally, Apple’s Privacy Manager, as Erik Neuwenschander demonstrated, Pluhar didn’t know what the fuck he was talking about with regards to backups.

Agent Pluhar also makes incorrect claims in paragraph 10(b). Agent Pluhar claims that exemplar iPhones that were used as restore targets for the iCloud backups on the subject device “showed that … iCloud back-ups for ‘Mail,’ ‘Photos,’ and ‘Notes’ were all turned off on the subject device.” This is false because it is not possible. Agent Pluhar was likely looking at the wrong screen on the device. Specifically, he was not looking at the settings that govern the iCloud backups. It is the iCloud backup screen that governs what is backed up to iCloud. That screen has no “on” and “off” options for “Mail,” “Photos,” or “Notes.

Zdziarski offers another possible explanation for the lack of backups on Farook’s phone, so there are other possible explanations.

iCloud backups could have ceased for a number of reasons, including a software update that was released on October 21, just two days after the last backup, or due to iCloud storage filling up.

The point is, we don’t know, and it’s not even clear Pluhar would know how to check. So given all that other evidence suggesting Farook may not have turned off his backups, journalists probably should not claim, as fact, he did.

Of course, that claim is really just a subset of the larger set of the bullshit FBI has fed us about the phone. It’d really be nice if people stopped taking their bullshit claims seriously, as so few of the past ones have held up.

Share this entry

Friday Morning: Dark Water Jazz

/5 Comments/in , , /by

It’s Friday and that means jazz here at emptywheel. But no genre exploration today, just this lovely, evocative downtempo jazz/trip hop fusion work.

It’s dark water jazz indeed this week…

Congress oublies the Flint water crisis
I can’t find anything in C-SPAN about the House Energy and Commerce Committee hearing which was to address the crisis. Convenient for Republicans running for office right now to keep themselves at arm’s length from a Republican scandal. We’re lucky the hearing was captured at all; it can be found at the committee’s website. (Video 3:44:08)

It must be difficult to kowtow to traditional GOP underwriters while trying to appear like you’re doing a credible job of representing Americans most in need. But it’s a lot easier to bury and forget the inconvenient.

The latest scuttlebutt is that the bipartisan Energy Policy Modernization Act of 2015 (S.2012) will proceed without additional funding to remedy Flint’s damaged water system, still replete with lead piping. Senate Republicans led by Senator Mike Lee of Utah protested the inclusion of funding for Flint in this bill, threatening to reject it altogether.

Wait — you know who’s up for reelection this season? Senator Mike Lee! Amazing coincidence! Or not. You know, Senator Lee, when your fellow senators leak about your obstruction, you should catch a clue. Sometimes actually helping Americans is more important than sucking up to your anti-tax overlords.

You know who else is up for reelection this season? Senator Lisa Murkowski, the chair of the counterpart Senate Energy Committee and the sponsor of S.2012. You’d think she’d want to look effective as a leader and at governance.

Roughly 8,000 children will continue to live as if they are in a third world country, with a patchwork of assistance for their health and education, but no relief from the lead pipes which continue to run from the water department to their homes. Imagine them drinking water out bottles for the rest of their childhoods, their families having to take additional time and effort to lug bottles upon bottles for their daily essential needs.

Don’t even suggest these families leave. They are stuck, STUCK in Flint, because their property values have been gutted by the failure of a GOP-led state administration, and the continued avoidance by a GOP-led Congress. Who wants to buy a home with lead pipes in Flint now? Which banks want to finance new mortgages to those homes? Which insurers want to write coverage on them?

Some government aid has been offered to Flint — which the ever-ineffectual Rep. Fred Upton recited like a litany during the hearing (see 0:13:30 in the video) — but none of it addresses the lead piping.

Donald Trump won the Republican primary in Flint’s home county of Genessee, by the way. Can’t understand why…

Cleaning off the desk
Stuff worth perusing, but I’m not going to elaborate on before I chuck it in the bin for the week.

  • Microsoft suing U.S. government for gagging the software company about government requests for users’ information. (Microsoft) — MSFT president Brad Smith wrote in a blog post about the suit; note the complaint here (pdf) in which MSFT shared these details:

    Between September 2014 and March 2016, Microsoft received 5,624 federal demands for customer information or data. Of those, nearly half—2,576—were accompanied by secrecy orders, forbidding Microsoft from telling the affected customers that the government was looking at their information. The vast majority of these secrecy orders related to consumer accounts and prevent Microsoft from telling affected individuals about the government’s intrusion into their personal affairs; others prevent Microsoft from telling business customers that the government has searched and seized the emails of individual employees of the customer. Further, 1,752 of these secrecy orders contained no time limit, meaning that Microsoft could forever be barred from telling the affected customer about the government’s intrusion. The government has used this tactic in this District. Since September 2014, Microsoft received 25 secrecy orders issued in this District, none of which contained any time limit. These secrecy orders prohibit Microsoft from speaking about the government’s specific demands to anyone and forbid Microsoft from ever telling its customers whose documents and communications the government has obtained. The secrecy orders thus prevent Microsoft’s customers and the public at large from ever learning the full extent of government access to private, online information

    Emphasis Microsoft’s. Therein the one way to release a limited amount of information: file suit against the government.

  • Claims after March attack that Brussels airport security was lax impels Belgium’s transport minister to quit (euronews) — Bombs were detonated before security clearance area; not certain how minister could have prevented bombing except to move clearance all the way to the edge of the airport’s perimeter instead of after check-in.
  • UC-Davis sanitized the internet to prop its image (SacBee) — School paid $175K to excise references to a 2011 attack on student protesters by police using teargas. Should keep in mind UC-Davis is part of the University of California, of which former Homeland Secretary Janet Napolitano is president, who authorized spying-by-malware on UC-Berkeley.
  • Hey, did you know there’s a tiny sovereign country inside U.S. borders? (Atlas Obscura) — Welcome to Molossia, have a nice day! Surprised no uber-wealthy hit on this as a potential money-laundering. tax-avoidance strategy: make your own country inside the U.S.

And with that we’re off, headed for a nice spring weekend ahead. Have a good one!

Share this entry

FBI Has Been Not Counting Encryption’s Impact on Investigations for Over a Decade

/4 Comments/in /by

During the first of a series of hearings in the last year in which Jim Comey (at this particular hearing, backed by Deputy Attorney General Sally Yates) pushed for back doors, they were forced to admit they didn’t actually have numbers proving encryption was a big problem for their investigations because they simply weren’t tracking that number.

On the issue on which Comey — and his co-witness at the SJC hearing, Deputy Attorney General Sally Yates — should have been experts, they were not. Over an hour and a quarter into the SJC hearing, Al Franken asked for actual data demonstrating how big of a problem encryption really is. Yates replied that the government doesn’t track this data because once an agency discovers they’re targeting a device with unbreakable encryption, they use other means of targeting. (Which seems to suggest the agencies have other means to pursue the targets, but Yates didn’t acknowledge that.) So the agencies simply don’t count how many times they run into encryption problems. “I don’t have good enough numbers yet,” Comey admitted when asked again at the later hearing about why FBI can’t demonstrate this need with real data.

In point of fact, a recent wiretap report shows that in the criminal context, at least, federal agencies do count such incidences, sometimes. But they don’t report the numbers in a timely fashion (5 of the 8 encrypted federal wiretaps reported in 2014 were from earlier years that were only then being reported), and agencies were eventually able to break most of the encrypted lines (also 5 of 8). Moreover, those 8 encrypted lines represented only 0.6 percent of all their wiretaps (8 of 1279). Reporting for encrypted state wiretaps were similarly tiny. Those numbers don’t reflect FISA wiretaps. But there, FBI often partners with NSA, which has even greater ability to crack encryption.

In any case, rather than documenting the instances where encryption thwarted the FBI, Comey instead asks us to just trust him.

Which is important background to an ancillary detail in this NYT story on how FBI tried a work-around for PGP in 2003 — its first attempt to do so — to go after some animal rights activists (AKA “eco-terrorists).

In early 2003, F.B.I. agents hit a roadblock in a secret investigation, called Operation Trail Mix. For months, agents had been intercepting phone calls and emails belonging to members of an animal welfare group that was believed to be sabotaging operations of a company that was using animals to test drugs. But encryption software had made the emails unreadable.

So investigators tried something new. They persuaded a judge to let them remotely, and secretly, install software on the group’s computers to help get around the encryption.

[snip]

“This was the first time that the Department of Justice had ever approved such an intercept of this type,” an F.B.I. agent wrote in a 2005 document summing up the case.

DOJ didn’t include this encounter with encryption in the wiretap reports that mandate such reporting.

It is also unclear why the Justice Department, which is required to report every time it comes across encryption in a criminal wiretap case, did not do so in 2002 or 2003. The Justice Department and F.B.I. did not comment Wednesday.

It didn’t count that encounter with crypto even though FBI was discussing — as Bob Litt would 13 years later — exploiting fears of “terrorism” to get Congress to pass a law requiring back doors.

“The current terrorism prevention context may present the best opportunity to bring up the encryption issue,” an F.B.I. official said in a December 2002 email. A month later, a draft bill, called Patriot Act 2, revealed that the Justice Department was considering outlawing the use of encryption to conceal criminal activity. The bill did not pass.

Now, it may be that, as remained the case until last year, FBI simply doesn’t record that they encountered encryption and instead tries to get the information some other way. But by all appearances, encryption was tied to that wiretap.

Which suggests another option: that FBI isn’t tracking how often it encounters encryption because it doesn’t want to disclose that it is actually finding a way around it.

That’d be consistent with what they’ve permitted providers to report in their transparency reports. Right now, providers are not permitted to report on new collection (say, collection reflecting the compromise of Skype) for two years after it starts. The logic is that the government is effectively giving itself a two year window of exclusive exploitation before it will permit reporting that might lead people to figure out something new has been subjected to PRISM or other collection.

Why would we expect FBI to treat its own transparency any differently?

Update: This post has been updated to include more of the NYT article and a discussion of how encryption transparency may match provider transparency.

Share this entry

FBI’s Latest Story about the Hack of Farook’s Phone

/3 Comments/in /by

There’s a lot that doesn’t quite make sense in Ellen Nakashima’s explanation for how FBI broke into Syed Rizwan Farook’s iPhone.

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said.

The researchers, who typically keep a low profile, specialize in hunting for vulnerabilities in software and then in some cases selling them to the U.S. government. They were paid a one-time flat fee for the solution.

[snip]

At least one of the people who helped the FBI in the San Bernardino case falls into a third category, often considered ethically murky: researchers who sell flaws — for instance, to governments or to companies that make surveillance tools.

This last group, dubbed “gray hats,” can be controversial. Critics say they might be helping governments spy on their own citizens. Their tools, however, might also be used to track terrorists or hack an adversary spying on the United States. These researchers do not disclose the flaws to the companies responsible for the software, as the exploits’ value depends on the software remaining vulnerable.

Don’t get me wrong. I don’t doubt Nakashima is reporting what she learned; I know other reporters were working on a similar direction.

It’s just that the FBI’s currently operative story still makes no sense. For starters, why would the FBI pay someone selling zero days but not be willing to consider the solutions offered by (just as an example of one forensics person I know who offered to help) Jonathan Zdziarski?

And I still wonder why the government apparently unsealed the warrant in Farook’s case once before it unsealed it to compel Apple. Indeed, while Nakashima (and other reporters) says FBI “did not need the services of the Israeli firm Cellebrite,” I still think using them (or someone similar) as a middle-man might offer the best of all worlds: no official possession of this exploit, easy contracting, the ability to give (as FBI has been) conflicting stories without any of them being fully false. Just as an example, if Cellebrite told FBI it currently couldn’t crack the phone before FBI got an All Writs Act order obligating Apple, then FBI could fairly claim, as they did, that only Apple or FBI could open the phone (even if they hadn’t actually asked many other people who might be able to hack the phone). But if someone went to Cellebrite or even FBI with the exploit after that, then FBI would have a way of using the exploit without having it and therefore having to submit it to the Vulnerabilities Equities Process (though technically they should still have to). FBI would have a way of promising to keep the exploit hidden, which the vendor would require, because it would technically never be in possession of it.

There’s one more thing that is getting lost in this debate. Comey and others keep talking about the use of this for an intelligence function, as if to justify keeping this exploit secret. I know that’s the convenient part of using a terrorism case to raise the stakes of back dooring phones. But this is ultimately a law enforcement issue, not an intelligence one, no matter how much FBI wants to pretend we’re going to find out something going forward. And as such it should be subject to greater standards of disclosure than a pure use of an exploit for intelligence purposes would.

In other words, FBI is still playing word games.

Share this entry

Wednesday Morning: A Whiter Shade

/5 Comments/in , /by

She said, ‘There is no reason
and the truth is plain to see.’
But I wandered through my playing cards
and would not let her be

— excerpt, Whiter Shade of Pale by Procol Harum
cover here by Annie Lennox

I’ve been on an Annie Lennox jag, sorry. I’m indulging myself here at the intersection of a favorite song which fit today’s theme and a favorite performer. Some of you will take me to task for not using the original version by Procol Harum, or another cover like Eric Clapton’s. Knock yourselves out; it’s Lennox for me.

Speaking of a whiter shade and truth…

FBI used a ‘gray hat’ to crack the San Bernardino shooter’s phone
Last evening after regular business hours WaPo published a story which made damned sure we knew:

1) The FBI waded into a fuzzy zone to hack the phone — oh, not hiring a ‘black hat’, mind you, but a whiter-shade ‘gray hat’ hacker;
2) Cellebrite wasn’t that ‘gray hat’;
3) The third-party resource was referred to as ‘professional hackers’ or ‘researchers who sell flaws’;
4) FBI paid a ‘one-time fee’ for this hack — which sounds like, “Honest, we only did it once! How could we be pregnant?!
5) A ‘previously unknown software flaw’ was employed after the third-party pointed to it.

This reporting only generated more questions:

• Why the careful wording, ‘previously unknown software flaw’ as opposed to zero-day vulnerability, which has become a term of art?
• How was the determination made that the party was not black or white but gray, and not just a ‘professional hacker who sold knowledges about a flaw they used’? Or was the explanation provided just stenography?
• However did Cellebrite end up named in the media anyhow if they weren’t the source of the resolution?
• What assurances were received in addition to the assist for that ‘one-time fee’?
• Why weren’t known security experts consulted?
• Why did the FBI say it had exhausted all resources to crack the San Bernardino shooter’s phone?
• Why did FBI director Jim Comey say “we just haven’t decided yet” to tell Apple about this unlocking method at all if ‘persons familiar with the matter’ were going to blab to WaPo about their sketchy not-black-or-white-hat approach instead?

That’s just for starters. Marcy’s gone over this latest story, too, be sure to read.

Volkswagen execs get a haircut
Panic among employees and state of Lower Saxony over VW’s losses and anticipated payouts as a result of Dieselgate impelled executives to share the pain and cut their bonuses. Germany’s Lower Saxony is the largest state/municipal shareholder in VW, but it’s doubly exposed to VW financial risks as nearly one in ten Germans are employed in the automotive industry, and VW is the largest single German automotive company. The cuts to bonuses will be retroactive, affecting payouts based on last year’s business performance.

Fuzzy dust bunnies

  • Verizon workers on strike (Boston Globe) — Until minimum wage is raised across the country and offshoring jobs stops, we’ll probably see more labor actions like this. Should be a warning to corporations with quarter-after-quarter profits and offshore tax shelters to watch themselves — they can afford to pay their workers.
  • Facebook deploys bots across its services (Computerworld) — But, but AI is years away, said Microsoft research…meanwhile, you just know Amazon’s Alexa is already looking to hookup with Facebook’s chatbot.
  • Google’s charitable arm ponied up $20M cash for disabled users’ technology improvements (Google.org) — IMO, this was a great move for an underserved population.
  • Judge’s rejects Obama administration blow-off of apex predator wolverines (HGN) — Wolverines, a necessary part of health northern and mountain ecosystems, need cold weather to survive. Montana’s U.S. District Court ruled the administration had not done enough to protect biodiversity including the wolverine. Crazy part of this entire situation is that the feds don’t believe the wolverine warrants Endangered Species Act (ESA) protection and that they can’t tell what effects climate change has on this species, but the species is seen rarely to know. Hello? A rarely-seen species means the numbers are so low they are at risk of extinction — isn’t that what the ESA is supposed to define and prevent?

UPDATE — 12:10 PM EDT —
From @cintagliata via Twitter:

Back in 1971, researchers observed Zika virus replicating in neurons and glia. (in mice) http://bit.ly/1XvsD4d

I’m done with the pesticides-as-causal theory. It may be a secondary exacerbating factor, but not likely primary. In short, we’ve had information about Zika’s destructive effects on the brain and nervous system for 45 years. It’s past time for adequate funding to address prevention, treatments, control of its spread.

It’s all down the hump from here, kids. See you tomorrow morning!

Share this entry

Tuesday Morning: Toivo’s Tango

/9 Comments/in , /by

Did you know the tango evolved into a Finnish subgenre? Me neither, and I’m part Finn on my mother’s side of the family. Both my grandmother and great-grandmother spoke Finn at home after their immigration to the U.S., but apparently never passed the language or Finnish music on to my mother and her siblings. The Finnish tango became so popular a festival — the Tangomarkkinat — was established to celebrate it.

The tango makes its way back again, nearly 9000 miles from its origin to Finland, in this music video. The performer featured here is a very popular Argentine tango singer, Martin Alvarado, singing in Spanish a popular Finnish tango, Liljankukka, written by Toivo Kärki. If you search for the same song and songwriter in YouTube, you’ll trip across even more Finnish tango.

Let’s dance…

Police raid in Belgium today
There were more arrests in Belgium today in connection to Paris attack in November. Not many details yet in the outlets I follow, suggesting information is close to the vest; there was more information very early, which has now moved off feeds, also suggesting tight control of related news. A raid in the southern Brussels suburb of Uccle resulted in the arrest of three persons now being questioned. This raid follows the arrest last Friday of Mohamed Abrini, who has now admitted he is the man seen in security camera video as the ‘man in the hat’ observed just before the bombing of the Brussels’ airport. Thus far, intelligence gathered from suspects and locations indicates a second attack had been planned, attacking the Euro 2016 football championship. Worth noting the media has now been reporting only the given name and a family name first initial for some of those arrested recently.

Up All Night growing, annoying some Parisians
This Occupy movement subset called ‘Up All Night’ or ‘Night Rising’ (Nuit debout) has been rallying during evening hours, protesting austerity-driven labor reforms, France’s continued state of emergency after November’s terrorist attacks, and more. The number of protesters has grown over the last 12 days they have taken to the streets, driven in part by the Panama Papers leak. The crowd has annoyed those navigating the area around the Place de la Republique where the Nuit debout gather. (More here on video.)

Upset over Burr-Feinstein draft bill on encryption continues
The Consumer Technology Association (CTA) issued a statement last night conveying their displeasure with this proposed bill which would mandate compliance with law enforcement access to encrypted digital content. The CTA’s 2200 members include Apple, Google, Microsoft, and any consumer electronic technology manufacturer featured at the annual Consumer Electronics Show each year. This formal statement follows a wave of negative feedback from technology and privacy experts since the draft bill was revealed late last week.

Odds and ends

  • Cellebrite makes the news again, this time for a ‘textalyzer’ (Ars Technica) — Huh. What a coincidence that an Israeli company attributed with the cracking of the San Bernardino shooter’s iPhone 5c is now commercializing a device for law enforcement to use on drivers’ cellphones. Do read this piece.
  • DARPA still fighting for relevance with its Squad X initiative (Reuters) — Not a single mention of exoskeletons, but enough digital technology to make soldiers glow in the dark on the battlefield.
  • Microsoft’s director of research calls some of us chickenshit because AI is peachy, really (The Guardian) — Uh-huh. This, from the same company that released that racist, sexist POS AI bot Tay not once but twice. And we should all just trust this stuff in our automobiles and in the military. Ri-ight.
  • Farmers watching more than commodities market and the weather (Fortune) — Chinese IP rustlers are sneaking commercially-developed plant materials back to PRC. Hope the Chinese realize just how likely American farmers are to use firearms against trespassers.
  • CDC’s deputy director on Zika: “Everything we look at with this virus seems to be a bit scarier than we initially thought” (Reuters) — I swear multiple news outlets including WaPo have changed the heds on stories which originally quoted this statement. Zika’s observed destruction of brain cells during research is really distressing; so is Zika’s link to Guillain-Barre syndrome in addition to birth defects including microcephaly. In spite of the genuine and deep concern at CDC over this virus’ potential impact on the U.S., the CDC is forced to dig in sofa cushions for loose change to research and fight this infectious agent. Absolutely ridiculous, like we learned nothing from our experience here with West Nile Virus.

That’s it, off to mix up my tango with a whiskey foxtrot. See you tomorrow morning!

Share this entry

Monday Morning: The Urge to Merge

/6 Comments/in , /by

In my eyes, indisposed
In disguises no one knows
Hides the face, lies the snake
The sun in my disgrace

— excerpt, Black Hole Sun by Soundgarden

Looks like this week is all about mergers. Enjoy this simulation on replay several times while listening to Soundgarden’s Black Hole Sun while we dig in.

Roll Call

  • Yahoo’s vulnerability brings all the nasty suitors to the yard (MarketWatch) — If Daily Mail wins, Yahoo will be one massive tabloid, and Tumblr will become a cesspool. Bidding’s open until next Monday; what other potential buyers may emerge this week?
  • Big names in hotels to join after shareholders approve Marriott offer for Starwood Hotels (UPI) — The vote came last Friday after Chinese insurance holding group Anbang withdrew from bidding.
  • Merger of beer producers SABMiller and A-B InBev still in holding pattern (Milwaukee Business Journal) — The deal is languishing for approval by South Africa’s Competition Commission. Part of SABMiller was once South African Brewing.
  • UK balks at Hutchins and Telefonica tie up (Reuters) — Cousins across the pond better watch out; this proposed merger, even if shot down by regulators, portends another telecom marriage ahead. With UK’s Competition and Markets Authority recommending a spin-off of either Three Mobile or O2 mobile network business in order to approve the deal, a divestment of one of these may happen anyhow.

The Yahoo and Hutchins-Telefonica deals bear scrutiny for their potential for mass surveillance depending on how the proposals play out. Yahoo could end up operating under UK laws, and some part(s) of either Hutchins or Telefonica could end up with a non-UK or non-EU partner.

All of these proposed mergers were in the works before the Panama Papers were released; none them appear to be motivated solely by tax reduction, but instead by economies of scale and weak market conditions. It’d be nice if executives of all companies raking in profits realized that failing to pay their hourly workers well has a direct impact on overall market demand. Their businesses could retain autonomy instead of spending time and money on M&A they could spend on employees’ wages.

Speaking of Panama Papers: revelations still shaping policy and politics

  • U.S. Treasury still working on tax rules to reduce tax avoidance and evasion by offshoring (Bloomberg) — Many large holding company structures use intra-group loans to move money out of the U.S. The new rules which may limit these moves may affect not only U.S. corporations but foreign corporations with subsidiaries in the U.S.
  • UK’s PM David Cameron facing heat about tax avoidance strategies used by his family (Scotsman) — Strategies included a tax-free gift of 200,000 pounds to Cameron from his mother. He is supposed to appear before Parliament for questioning.
  • Mossack Fonseca still getting hacked due to poor security response (The Register) — At what point do we ask if MossFon is really just a honeypot, given continued insufficient security?

Just for fun: Rockets!
If you didn’t watch SpaceX’s Falcon 9 launch on Friday, you really ought to make some time to do so for entertainment purposes. The first stage of the rocket returned successfully for reused, nailing a landing on a drone ship — a DRONE SHIP AT SEA. I missed the fact the landing pad was a drone vessel when I watched the first attempts. It’s a really narrow thing, landing on a speck of a pad in the ocean which is pushed around a bit by ocean currents in spite of the drone ship’s programming and/or remote control. (I would love to know who named the drone ship, ‘Of Course I Still Love You’ and why…)

What’s similarly remarkable is the SpaceX team — their excitement is off the map, rather like watching a K-12 FIRST LEGO robotics competition than an aeronautics business at work. Note in the video the team’s reaction just seconds (about 27:30) to the first stage return landing; it’s as if they KNEW they had it nailed before it happened. Wouldn’t you love to know just how they knew?

Also for grins: compare SpaceX’s landing on Friday (start at 23:48 into video) to competitor Blue Origin’s recent rocket return. Blue Origin is owned by Amazon’s Jeff Bezos; the return is so smooth and slick, but it’s in the west Texas desert where potential disruption of the landing has been minimized. Important to keep in mind that SpaceX actually delivered a payload after reaching orbit, where Blue Origin is still limited to sub-orbit elevation.

With that our week’s been launched — let’s go!

Share this entry