Remotely Yours: Internet of Things Meets Father’s Day

/21 Comments/in /by

[Graphic: Google Glass by Wilbert Baan via Flickr]

[Graphic: Google Glass by Wilbert Baan via Flickr]

After all you father-types have finished opening your gift-wrapped nifty new cellphones and car stereo systems, wireless remote thermostats, fitness tracking watches, and Google Glasses received from your adoring spawn, you might want set aside a little downtime for reading — perhaps on that tablet or e-reader you received for Father’s Day.

Predicting the future on the Web’s 25th anniversary*, a Pew Internet study published in March this year, reveals the depth of naivete bordering on gross ignorance on the part of so-called experts surveyed for this report.

The subhead alone should concern you:

Experts say the Internet will become ‘like electricity’ over the next decade–less visible, yet more deeply embedded in people’s lives, with many good and potentially bad results

Emphasis mine — because really, how much more deeply embedded does the internet need to become in our lives before we begin to rethink its widening application?

At the risk of sounding Ted Kaczynski-ish, we have allowed the development, implementation and integration of technology to run amok. We’ve only paid attention to the narrowest benefits we might receive from explicit application of any new technology, failing to look at the systemic repercussions of all our technology on all our society and on the planet we share.

It’s not your remote controlled light switch in itself that is a problem. Go ahead, turn on your lights at home while you’re on your summer vacation across country.

It’s the lack of thought about the entirety of the internet itself and its embedment that is a major problem. We’ve already become utterly dependent upon it. The additional little tools and toys we inanely call the “internet of things” will only make the situation more complex.

Ask yourself this: If the internet suddenly crashed this week, completely collapsed for an unspecified length of time, what would happen to the global economy?

What would happen to the health of patients in hospitals and care facilities — are there monitoring and medication-dispensing applications that are both life saving and internet mediated?

How would we conduct and record any kind of transaction, between individuals, between businesses, between governments?

Would our power grid continue to run smoothly without the use of the internet?

At a minimum we should be asking ourselves at what point our government will limit its tracking and compilation of meta data, let alone whether it can use data from one’s wireless slowcooker as a criteria to dispatch a deadly drone. Imagine the mind-boggling size of the data farm required to house all the meta data alone from the internet of things.

We should be asking what happens if foreign governments conduct cyber war through this internet of things what our response should be — conduct cyber-retaliation with equal and measured response, taking out wireless ricecookers and teapots on the other side of the globe?

What happens if our cyberweapons are deployed against us, like a customized Stuxnet invisibly tweaking all the settings on all our internet of things? Would we know we’d been targeted until far too late?

Anyhow, just some food for thought, something to mull over as you flip your remotely monitored ribs on the smoker while sipping on your icy cold brew produced from your wirelessly controlled refrigerator — which may tell you soon you’re low on beer.

Happy Father’s Day!

* h/t @sarahkendzior

Share this entry

Mike Rogers Says Google Must Lose Its Quarter to Save a Rickety Bank

/13 Comments/in , /by

Screen shot 2014-06-12 at 10.03.25 PMJosh Gerstein already wrote about some of this Mike Rogers blather. But I wanted to transcribe the whole thing to display how utterly full of shit he is.

At a conference at Georgetown the other day, (see video 3), Rogers laid into the tech companies for opposing USA Freedumber, which he badly misrepresented just before this. The context of European opportunism beings at 1:06, the quote begins after 1:08.

We should be very mad at Google, and Microsoft, and Facebook, because they’re doing a very interesting, and I think, very dangerous thing. They’ve come out and said, “well, we oppose this new FISA bill because it doesn’t go far enough.” When you peel that onion back a little bit, and why are you doing this, this is a good bill, it’s safe, bipartisan, it’s rational, it meets all the requirements for Fourth Amendment protection, privacy protection, and allowing the system to work,

Rogers claims they’re doing so solely because they’re afraid to lose European business. And Rogers — a Republican! — is furious that corporations prioritize their profits (note, Rogers has never complained that some of these same companies use European tax shelters to cheat the tax man).

And they say, “well, we have to do this because we have to make sure we don’t lose our European business.” I don’t know about the rest of you, that offends me from the word, “European business.” Think about what they’re doing. They’re willing, in their minds, to justify the importance of their next quarter’s earnings in Europe, versus the National Security of the United States. Everybody on those boards should be embarrassed, and their CEOs should be embarrassed, and their stockholders should be embarrassed.That one quarter cannot be worth the National Security of the United States for the next 10 generations. And if we don’t get this part turned around very quickly, it will likely get a little ugly, and that emotional piece that we got by is going to be right back in the center of the room to no good advantage to our ability to protect the United States.

Mostly, he seems pissed because he knows the collective weight of the tech companies may give those of us trying to defeat USA Freedumber a fighting chance, which is what Rogers considers an emotional place because Democracy.

But Rogers’ rant gets truly bizarre later in the same video (after 1:23) where he explains what the security interest is:

We have one particular financial institution that clears, somewhere about $7 trillion dollars in global financial transactions every single day. Imagine if tomorrow that place gets in there and through an attack of which we know does exist, the potential does exist where the information is destroyed and manipulated, now you don’t know who owes what money, some of that may have lost transactions completely forever, imagine what that does to the economy, $7 trillion. Gone — right? Gone. It’s that serious.

Mind you, Rogers appears unaware that a banks shuffling of money — while an incredibly ripe target for hackers — does not really contribute to the American economy. This kind of daily volume is churn that only the very very rich benefit from. And one big reason it’s a target is because it is an inherently fragile thing.

To make all this even more hysterical, Rogers talks about risk driving insurance driving proper defensive measures from the target companies … yet he seems not to apply those rules to banks.

Mike Rogers, it seems, would rather kill Google’s business than permit this rickety vitality killing bank to feel the full brunt of the risk of its own business model.

Share this entry

Trent Franks and the EMP Threat to the Electrical Grid

/18 Comments/in , /by

At a House Judiciary Committee oversight hearing for Department of Homeland Security today, Trent Franks implored DHS Secretary Jeh Johnson to consider the threat of electromagnetic pulse or geomagnetic disturbance to the electrical grid because “we have additional information that seems to indicate the threat is more significant than we have been aware of.”

Franks also submitted an amendment to the Intelligence Authorization requiring the Director of National Intelligence to report on the threat EMPs pose to the US through 2025.

I have no idea whether this is credible or not. Franks is not one of the Members of Congress I consider to be the most reliable (and our resident desert rat has even less complimentary things to say).

But golly. Franks sure seems worried about the EMP threat of late.

 

Share this entry

What If the Democratic Response to Snowden Is to Expand Surveillance?

/30 Comments/in , , /by

I got distracted reading two pieces this morning. This great Andrew O’Hehir piece, on how those attacking Edward Snowden and Glenn Greenwald ought to consider the lesson of Justice Louis Brandeis’ dissent in Olmstead.

In the famous wiretapping case Olmstead v. United States, argued before the Supreme Court in 1928, Justice Louis Brandeis wrote one of the most influential dissenting opinionsin the history of American jurisprudence. Those who are currently engaged in what might be called the Establishment counterattack against Glenn Greenwald and Edward Snowden,including the eminent liberal journalists Michael Kinsley and George Packer, might benefit from giving it a close reading and a good, long think.

Brandeis’ understanding of the problems posed by a government that could spy on its own citizens without any practical limits was so far-sighted as to seem uncanny. (We’ll get to that.) But it was his conclusion that produced a flight of memorable rhetoric from one of the most eloquent stylists ever to sit on the federal bench. Government and its officers, Brandeis argued, must be held to the same rules and laws that command individual citizens. Once you start making special rules for the rulers and their police – for instance, the near-total impunity and thick scrim of secrecy behind which government espionage has operated for more than 60 years – you undermine the rule of law and the principles of democracy.

“Our Government is the potent, the omnipresent teacher,” Brandeis concluded. “For good or for ill, it teaches the whole people by its example. Crime is contagious. If the Government becomes a lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy. To declare that in the administration of the criminal law the end justifies the means — to declare that the Government may commit crimes in order to secure the conviction of a private criminal — would bring terrible retribution.”

And this more problematic Eben Moglen piece talking about how Snowden revealed a threat to democracy we must now respond to.

So [Snowden] did what it takes great courage to do in the presence of what you believe to be radical injustice. He wasn’t first, he won’t be last, but he sacrificed his life as he knew it to tell us things we needed to know. Snowden committed espionage on behalf of the human race. He knew the price, he knew the reason. But as he said, only the American people could decide, by their response, whether sacrificing his life was worth it.

So our most important effort is to understand the message: to understand its context, purpose, and meaning, and to experience the consequences of having received the communication.

Even once we have understood, it will be difficult to judge Snowden, because there is always much to say on both sides when someone is greatly right too soon.

I raise them in tandem here because both address the threat of spying to something called democracy. And the second piece raises it amid the context of American Empire (he compares the US to the Roman decline into slavery).

I raise them here for two reasons.

First, because neither directly notes that Snowden claimed he leaked the documents to give us a choice, the “chance to determine if it should change itself.”

“For me, in terms of personal satisfaction, the mission’s already accomplished,” he said. “I already won. As soon as the journalists were able to work, everything that I had been trying to do was validated. Because, remember, I didn’t want to change society. I wanted to give society a chance to determine if it should change itself.”

“All I wanted was for the public to be able to have a say in how they are governed,” he said. “That is a milestone we left a long time ago. Right now, all we are looking at are stretch goals.”

Snowden, at least, claims to have contemplated the possibility that, given a choice, we won’t change how we’re governed.

And neither O’Hehir nor Moglen contemplates the state we’re currently in, in which what we call democracy is choosing to expand surveillance in response to Snowden’s disclosures.

Admittedly, the response to Snowden is not limited to HR 3361. I have long thought a more effective response might (or might not!) be found in courts — that if, if the legal process does not get pre-empted by legislation. I have long thought the pressure on Internet companies would be one of the most powerful engines of change, not our failed democratic process.

But as far as Congress is concerned, our stunted legislative process has started down the road of expanding surveillance in response to Edward Snowden.

And that’s where I find Moglen useful but also problematic.

He notes that the surveillance before us is not just part of domestic control (indeed, he actually pays less attention to the victims of domestic surveillance than I might have, but his is ultimately a technical argument), but also of Empire.

While I don’t think it’s the primary reason driving the democratic response to Snowden to increase surveillance (I think that also stems from the Deep State’s power and the influence of money on Congress, though many of the surveillance supporters in Congress are also supporting a certain model of US power), I think far too many people act on surveillance out of either explicit or implicit beliefs about the role of US hegemony.

There are some very rational self-interested reasons for Americans to embrace surveillance.

For the average American, there’s the pride that comes from living in the most powerful country in history, all the more so now that that power is under attack, and perhaps the belief that “Us” have a duty to take it to “Them” who currently threaten our power. And while most won’t acknowledge it, even the declining American standard of living still relies on our position atop the world power structure. We get cheap goods because America is the hegemonic power.

To the extent that spying on the rest of the world serves to shore up our hegemonic position then, the average American might well have reason to embrace the spying, because it keeps them in flat screen TVs.

But that privilege is just enjoyed by some in America. Moglen, tellingly, talks a lot about slavery but says nothing about Jim Crow or the other instruments of domestic oppression that have long used authoritarian measures against targeted populations to protect white male power. American history looked at not against the history of a slavery that is past, but rather against the continuity of history in which some people — usually poor and brown and/or female — don’t participate in the American “liberty” and “privacy” Moglen celebrates, our spying on the rest of the world is more of the same, a difference in reach but not in kind. Our war on drugs and war on terror spying domestically is of a piece with our dragnet internationally, if thus far more circumscribed by law (but that law is expanding and that will serve existing structures of power!).

But there’s another reason Americans — those of the Michael Kinsley and George Packer class — might embrace surveillance. That’s the notion that American hegemony is, for all its warts, the least bad power out there. I suspect Kinsley and (to a lesser extent) Packer would go further, saying that American power is affirmatively good for the rest of the world. And so we must use whatever it takes to sustain that power.

It sounds stupid when I say it that way. I’m definitely oversimplifying the thought process involved. Still, it is a good faith claim: that if the US curtails its omnipresent dragnet and China instead becomes the dominant world power (or, just as likely, global order will dissolve into chaos), we’ll all be worse off.

I do think there’s something to this belief, though it suppresses the other alternative — that the US could use this moment to improve the basis from which US exercises its hegemony rather than accept the increasingly coercive exercise of our power — or better yet use the twilight of our hegemony to embrace something more fair (and also something more likely to adequately respond to the global threat of climate change). But I do believe those who claim US hegemony serves the rest of the world believe it fairly uncritically.

One more thing. Those who believe that American power is affirmatively benign power may be inclined to think the old ways of ensuring that power — which includes a docile press — are justified. As much as journalism embraced an adversarial self-image after Watergate, the fundamentally complicit role of journalism really didn’t change for most. Thus, there remains a culture of journalism in which it was justified to tell stories to the American people — and the rest of the world — to sustain American power.

One of those stories, for example, is the narrative of freedom that Moglen embraces.

That is, for those who believe it is worth doing whatever it takes to sustain the purportedly benign American hegemon, it would be consistent to also believe that journalists must also do whatever it takes to sustain purportedly benign system of (white male) power domestically, which we call democracy but which doesn’t actually serve the needs of average Americans.

And for better or worse, those who embrace that power structure, either domestically and/or internationally, expanding surveillance is rational, so long as you ignore the collateral damage.

Update: Tempered critique of Packer because I agree he’s not embracing this journalist as narrative teller as much.

Share this entry

US Indicts Chinese Hackers for Stealing Information on Trade Negotiations

/9 Comments/in , /by

Screen Shot 2014-05-19 at 11.44.15 AMDOJ just announced the indictment of 5 Chinese People’s Liberation Army hackers (complete with Most Wanted posters) for breaking into a bunch of companies — and the United Steel Workers — in Pittsburgh.

I’ll have more to say about the indictment later, but for now there are two parts of it I find to be particularly interesting.

The indictment was brought by the US Attorney for Western PA, David Hickton, not EDVA (the Defense Industry) or SDNY (Wall Street) where the US complains more loudly about hacking. The victims include Pittsburgh’s most important companies — US Steel, Westinghouse, and Alcoa. After watching the presser, I would be shocked if Hickton is not planning on running for higher office in Western PA.

But there’s another detail about Western PA that may be of interest. In addition to these blue chip industrial companies, Pittsburgh is also home to Carnegie Mellon’s CERT, a public-private venture on fighting cyberthreats. That is, I suspect this indictment came out of Pittsburgh because it has the facilities to investigate such crimes.

But the other interesting aspect of this indictment coming out of Pittsburgh is that — at least judging from the charged crimes — there is far less of the straight out IP theft we always complain about with China.

In fact, much of the charged activity involves stealing information about trade disputes — the same thing NSA engages in all the time. Here are the charged crimes committed against US Steel and the United Steelworkers, for example.

In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2).  Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation.  Some of these e-mails resulted in the installation of malware on U.S. Steel computers.  Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks).  Wang thereafter took steps to identify and exploit vulnerable servers on that list.

[snip]

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries.  At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes.  USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013. 

This is solidly within the ambit of what NSA does in other countries. (Recall, for example, how we partnered with the Australians to obtain information to help us in a clove cigarette trade dispute.)

I in no way mean to minimize the impact of this spying on USS and USW. I also suspect they were targeted because the two organizations partner together on an increasingly successful manufacturing organization. Which would still constitute a fair spying target, but also one against which China has acute interests.

But that still doesn’t make it different from what the US does when it engages in spearphishing — or worse — to steal information to help us in trade negotiations or disputes.

We’ve just criminalized something the NSA does all the time.

Update: Adding, one other reason they’re probably bringing this indictment with industrials as victims is because their information is not as sensitive as Defense Contractor or Wall Street victims is.

Update: These guys are named in Mandiant’s most recent report on China’s hacking. So that’s a lot of what they used for the indictment, presumably. But they indicted with companies that aren’t as sensitive as some of Mandiant’s other clients.

Update: Correction: only Wang Dong was on Mandiant’s list, meaning 2 of their ID’ed people were not indicted.

Share this entry

Keith Alexander Declares Failure in War on Terror, as He Earlier Declared Failure in Cyberdefense

/12 Comments/in , , /by

The New Yorker has a weird interview with Keith Alexander. The weirdness stems from Alexander’s wandering answers, which may, in turn, stem from the fact that the interview was not done by an NSA beat reporter. Such interviews seem to flummox NSA insiders.

But beyond all the rambling about Jeopardy and “free vowels” and disingenuous claims (and silences) about past terrorist events, ultimately Keith Alexander wants us to know that we are at greater risk as he steps down after more than 8 years of protecting us.

His logic for that is not that terrorists struck the Boston Marathon last year, in spite of NSA apparently collecting on them but not reviewing the collection — he doesn’t even mention that.

Rather, it’s that the number of terrorist attacks are going up globally. The US has thus far avoided such attacks (ignoring hate crimes and the Marathon attack), which he points to as proof our spying is working. But he also points to it as proof that we’re due.

There are people on one side saying that these N.S.A. programs could have stopped these plots. And then there are people who dispute that.

We know we didn’t stop 9/11. People were trying, but they didn’t have the tools. This tool, we believed, would help them. Let’s look at what’s happening right now. You ought to get this from the START Program at the University of Maryland. They have the statistics on terrorist attacks. 2012 and 2013. The number of terrorist attacks in 2012—do you know how many there were globally?

How many?

Six thousand seven hundred and seventy-one. Over ten thousand people killed. In 2013, it would grow to over ten thousand terrorist attacks and over twenty thousand people killed. Now, how did we do in the United States and Europe? How do you feel here? Safe, right? I feel pretty safe.

[snip]

So think about how secure our nation has been since 9/11. We take great pride in it. It’s not because of me. It’s because of those people who are working, not just at N.S.A. but in the rest of the intelligence community, the military, and law enforcement, all to keep this country safe. But they have to have tools. With the number of attacks that are coming, the probability, it’s growing—

I’m sorry, could you say that once more?

The probability of an attack getting through to the United States, just based on the sheer numbers, from 2012 to 2013, that I gave you—look at the statistics. If you go from just eleven thousand to twenty thousand, what does that tell you? That’s more. That’s fair, right?

I don’t know. I think it depends what the twenty thousand—

—deaths. People killed. From terrorist attacks. These aren’t my stats. The University of Maryland does it for the State Department.

I’ll look at them. I will. So you’re saying that the probability of an attack is growing.

The probability is growing. What I saw at N.S.A. is that there is a lot more coming our way. Just as someone is revealing all the tools and the capabilities we have. What that tells me is we’re at greater risk. I can’t measure it. You can’t say, Well, is that enough to get through? I don’t know. It means that the intel community, the military community, and law enforcement are going to work harder.

Since Alexander invited us, let’s see what the START data say, shall we? Here’s what they tell us:

According to the annex, the 10 countries that experienced the most terrorist attacks in 2013 are the same as those that experience the most terrorist attacks in 2012.

Although terrorist attacks occurred in 93 different countries, they were heavily concentrated geographically. More than half of all attacks (57%), fatalities (66%), and injuries (73%) occurred in Iraq, Pakistan and Afghanistan. By wide margin, the highest number of fatalities (6,378), attacks (2,495) and injuries (14,956) took place in Iraq. The average lethality of attacks in Iraq was 40 percent higher than the global average and 33 percent higher than the 2012 average in Iraq.

The US hasn’t been attacked. But attacks are mushrooming in Iraq, Pakistan, and Afghanistan. These not only happen to be places where we’ve been fighting the war on terror the longest and most directly, places where Alexander has been at the forefront of the fight, even before he took over at NSA. But they also happen to be those places overseas that the NSA uses to legitimize their global reach.

Yet 13 or 11 years of concentrated spying — of collect it all — in those places has not eliminated terrorism. On the contrary, terrorism is now getting worse.

And now they serve as both the proof that spying is working and that spying is more necessary than ever.

Rather than evidence that the War on Terror is failing.

We shouldn’t be surprised that we’re losing a war fighting which Alexander was one of the longest tenured generals (though I don’t think he bears primary responsibility for the policy decisions that have led to this state). After all, last year, Alexander said that also under his watch, we had been plundered like a colony via cyberattacks. He seems to think he lost both the war on terror and on cyberattacks.

Which, if you’re invested in Wall Street, ought to alarm you. Because that’s where Keith Alexander is headed to wage war next.

Share this entry

Lying Keith Alexander to Shack up with Promontory and Profit Off His Fearmongering

/5 Comments/in /by

Man, I knew Keith Alexander was going to cash in after he retired. And I probably would have placed all my chips on him profiting off his cyber fearmongering.

Former National Security Agency chief Gen. Keith Alexander is launching a consulting firm for financial institutions looking to address cybersecurity threats, POLITICO has learned.

Less than two months since his retirement from the embattled agency at the center of the Edward Snowden leak storm, the retired four-star general is setting up a Washington-based operation that will try to attract clients based on his four decades of experience in the military and intelligence — and the continued levels of access to senior decision-makers that affords.

But the part of this story that even I couldn’t have predicted — but makes so much sense it brings tears to my eyes — is that he’s shacking up with Promontory Financial Group, the revolving door regulator to hire that has been caught underestimating its clients’ crimes for big money.

Alexander will lease office space from the global consulting firm Promontory Financial Group, which confirmed in a statement on Thursday that it plans to partner with him on cybersecurity matters.

“He and a firm he’s forming will work on the technical aspects of these issues, and we on the risk-management compliance and governance elements,” said Promontory spokesman Chris Winans.

I’m impressed, Lying Keith: You’ve done my very low expectations even one better!

Share this entry

The IP Police Armed with Internet Vulnerabilities

/15 Comments/in /by

The White House Cybersecurity Coordinator, Michael Daniel, has a post purporting to lay out “established principles” on when the Administration would and would not disclose software and hardware vulnerabilities.

I’ve got a more thorough read below the rule, but I want to focus on one particular line. Daniel describes the downside of disclosing vulnerabilities as losing intelligence.

Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack [sic] stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.

That is, Daniel lays out three threats — terrorism, “hackers or other adversaries,” and IP thieves — that require we use vulnerabilities to combat.

The inclusion of terrorism is not a surprise. That’s the excuse NSA has been using since last June to justify its work.

Cybersecurity (“hackers or other [presumably far more threatening] adversaries”) is the threat that NSA was focused on until such time as it needed to chant terror terror terror to get people to buy into the dragnet. Not only is it not a surprise, but it’s probably the most urgent reason to use vulnerabilities (even if the threat in question is really far more serious than hackers).

But IP thieves?

To be fair, by this Daniel may be meaning Lockheed-Martin’s intellectual property, by which he really means that intellectual property that we fetishize as private property but is really national security. (I’ve got a question in with the White House on this point.) But stated as he does, it could as easily mean Monsanto and Pfizer and even Disney.

In fact, he may well mean that. As I noted, in its original statement, the Administration made quite clear they would use Zero Days for law enforcement as well as national security purposes. Moreover, as I have also noted, NSA rewrote the legally mandated minimization standards in its secret procedures to equate threats to property with threats to life and body, thereby permitting itself to keep data that reveals threats to property that are not otherwise evidence of crime indefinitely (with DIRNSA approval).

And all that’s assuming only NSA will exploit Zero Days. There’s no reason to assume that the FBI (and other law enforcement agencies, including DEA) aren’t using them.

I’m not sure that’s a bad thing either. Several great security experts recently endorsed using hacks for law enforcement, though insisted that overall security must not be compromised.

That’s the point though: how low is the bar for exploiting vulnerabilities? And if they are going to be used for law enforcement purposes — to chase IP thieves rather than threats to our nation — why isn’t it more public? Read more

Share this entry

Obama’s Legal Hacks

/12 Comments/in /by

I have a piece over at The Week on the unusually credible denial the government issued on Friday, claiming they did not know of the Heartbleed vulnerability until earlier this month. In it, I note that Obama adopted a much lower bar for using software vulnerability than his hand-picked Review Group recommended in December. Most troubling, Obama admits he will use exploits for law enforcement, in addition to national security.

But the announcement’s discussion of the interagency review also made clear that the process will, sometimes, approve such a use — which means that the next Heartbleed could be exploited by the NSA. Furthermore, the standard the administration claims to have adopted — “a clear national security or law enforcement need” (italics mine) — is lower than the “urgent and significant national security priority” recommended by the Review Group.

In other words, in very clear language, the government has confessed that it does and will continue to keep secret Heartbleed-style vulnerabilities not just for national security purposes, but also for mere law enforcement.

The idea that the government might hack in the name of law enforcement is not new.

As WSJ reported last month, DOJ is trying to get the Judicial Conference to approve language allowing it to get warrants to hack in multiple districts at once.

The government’s push for rule changes sheds light on law enforcement’s use of remote hacking techniques, which are being deployed more frequently but have been protected behind a veil of secrecy for years.

In documents submitted by the government to the judicial system’s rule-making body this year, the government discussed using software to find suspected child pornographers who visited a U.S. site and concealed their identity using a strong anonymization tool called Tor.

The government’s hacking tools—such as sending an email embedded with code that installs spying software — resemble those used by criminal hackers. The government doesn’t describe these methods as hacking, preferring instead to use terms like “remote access” and “network investigative techniques.”

Right now, investigators who want to search property, including computers, generally need to get a warrant from a judge in the district where the property is located, according to federal court rules.

In a computer investigation, that might not be possible, because criminals can hide behind anonymizing technologies. In cases involving botnets—groups of hijacked computers—investigators might also want to search many machines at once without getting that many warrants.

Some judges have already granted warrants in cases when authorities don’t know where the machine is. But at least one judge has denied an application in part because of the current rules. The department also wants warrants to be allowed for multiple computers at the same time, as well as for searches of many related storage, email and social media accounts at once, as long as those accounts are accessed by the computer being searched.

I especially applaud the way WSJ highlighted DOJ’s complaints about Orin Kerr calling what they do hacking.

Even more timely, a team of computer security experts — Steve Bellovin, Matt Blaze, Sandy Clark, and Susan Landau —  just published a paper arguing that legal hacking is a better means to conduct law enforcement collection than a CALEA-type solution. But they argue that the government can and must achieve this law enforcement objective without compromising the security of the network.

¶162 As we alluded to earlier, this is a clash of competing social goods between the security obtained by patching as quickly as possible and the security obtained by downloading the exploit to enable the wiretap to convict the criminal. Although there are no easy answers, we believe the answer is clear. In a world of great cybersecurity risk, where each day brings a new headline of the potential for attacks on critical infrastructure,239 where the Deputy Secretary of Defense says that thefts of intellectual property “may be the most significant cyberthreat that the United States will face over the long term,”240 public safety and national security are too critical to take risks and leave vulnerabilities unreported and unpatched. We believe that law enforcement should always err on the side of caution in deciding whether to refrain from informing a vendor of a vulnerability. Any policy short of full and immediate reporting is simply inadequate. “Report immediately” is the policy that any crime-prevention agency should have, even though such an approach will occasionally hamper an investigation.241

¶163 Note that a report immediately policy does not foreclose exploitation of the reported vulnerability by law enforcement. Vulnerabilities reported to vendors do not result in immediate patches; the time to patch varies with each vendor’s patch release schedule (once per month, or once every six weeks is common), but, since vendors often delay patches,242 the lifetime of a vulnerability is often much longer. Research shows that the average lifetime of a zero-day exploit is 312 days.243 Furthermore, users frequently do not patch their systems promptly, even when critical updates are available.24

¶164 Immediate reporting to the vendor of vulnerabilities considered critical will result in a shortened lifetime for particular operationalized exploits, but it will not prevent the use of operationalized exploits. Instead, it will create a situation in which law enforcement is both performing criminal investigations using the wiretaps enabled through the exploits, and crime prevention through reporting the exploits to the vendor. This is clearly a win/win situation.

[snip]

¶166 The tension between exploitation and reporting can be resolved if the government follows both paths, actively reporting and working to fix even those vulnerabilities that it uses to support wiretaps. As we noted, the reporting of vulnerabilities (to vendors and/or to the public) does not preclude exploiting them.247 Once a vulnerability is reported, there is always a lead time before a “patch” can be engineered, and a further lead time before this patch is deployed to and installed by future wiretap targets. Because there is an effectively infinite supply of vulnerabilities in software platforms,248 provided new vulnerabilities are found at a rate that exceeds the rate at which they are repaired, reporting vulnerabilities need not compromise the government’s ability to conduct exploits. By always reporting, the government investigative mission is not placed in conflict with its crime prevention mission. In fact, such a policy has the almost paradoxical affect that the more active the law enforcement exploitation activity becomes, the more zero-day vulnerabilities are reported to and repaired by vendors.

They go on to propose a legal regime that can provide clear guidance on which vulnerabilities should be reported, even analogizing the emergency period in which an agency can wiretap before getting a warrant.

But here’s the thing: NSA’s Bull Run program got reported in September, and since then the government has remained coy about whether it uses or even seeds vulnerabilities in software, even though anyone paying attention knew it does. It took claims that the government had been using the Heartbleed vulnerability for two years for the Administration to admit, tacitly, the earlier reports were correct.

The kind of legal regime Bellovin et al recommend requires that this law enforcement function operate within a legal — and therefore publicly acknowledged — framework, rather than piggy backing on the NSA’s executive authorities in secret.

While Friday’s admission is a start, and while it may be true that hacking presents a better solution to law enforcement needs than CALEA, these questions need to be openly discussed.

Otherwise, DOJ not only is hacking — in the dictionary definition Orin Kerr applied — but hacking in the reckless manner that DOJ prosecutes.

Share this entry

Fingerprints and the Phone Dragnet’s Secret “Correlations” Order

/22 Comments/in , , /by

Yesterday, I noted that ODNI is withholding a supplemental opinion approved on August 20, 2008 that almost certainly approved the tracking of “correlations” among the phone dragnet (though this surely extends to the Internet dragnet as well).

I pointed out that documents released by Edward Snowden suggest the use of correlations extends well beyond the search for “burner” phones.

At almost precisely the same time, Snowden was testifying to the EU. The first question he answered served to clarify what “fingerprints” are and how XKeyscore uses them to track a range of innocent activities. (This starts after 11:16, transcription mine.)

It has been reported that the NSA’s XKeyscore for interacting with the raw signals intercepted by mass surveillance programs allow for the creation of something that is called “fingerprints.”

I’d like to explain what that really means. The answer will be somewhat technical for a parliamentary setting, but these fingerprints can be used to construct a kind of unique signature for any individual or group’s communications which are often comprised of a collection of “selectors” such as email addresses, phone numbers, or user names.

This allows State Security Bureaus to instantly identify the movements and activities of you, your computers, or other devices, your personal Internet accounts, or even key words or other uncommon strings that indicate an individual or group, out of all the communications they intercept in the world are associated with that particular communication. Much like a fingerprint that you would leave on a handle of your door or your steering wheel for your car and so on.

However, though that has been reported, that is the smallest part of the NSA’s fingerprinting capability. You must first understand that any kind of Internet traffic that passes before these mass surveillance sensors can be analyzed in a protocol agnostic manner — metadata and content, both. And it can be today, right now, searched not only with very little effort, via a complex regular expression, which is a type of shorthand programming. But also via any algorithm an analyst can implement in popular high level programming languages. Now, this is very common for technicians. It not a significant work load, it’s quite easy.

This provides a capability for analysts to do things like associate unique identifiers assigned to untargeted individuals via unencrypted commercial advertising networks through cookies or other trackers — common tracking means used by businesses everyday on the Internet — with personal details, such as individuals’ precise identity, personal identity, their geographic location, their political affiliations, their place of work, their computer operating system and other technical details, their sexual orientation, their personal interests, and so on and so forth. There are very few practical limitations to the kind of analysis that can be technically performed in this manner, short of the actual imagination of the analysts themselves.

And this kind of complex analysis is in fact performed today using these systems. I can say, with authority, that the US government’s claim that “keyword filters,” searches, or “about” analysis, had not been performed by its intelligence agencies are, in fact, false. I know this because I have personally executed such searches with the explicit authorization of US government officials. And I can personally attest that these kind of searches may scrutinize communications of both American and European Union citizens without involvement of any judicial warrants or other prior legal review.

What this means in non-technical terms, more generally, is that I, an analyst working at NSA, or, more concerningly, an analyst working for a more authoritarian government elsewhere, can without the issue of any warrant, create an algorithm that for any given time period, with or without human involvement, sets aside the communications of not only targeted individuals, but even a class of individual, and that just indications of an activity — or even just indications of an activity that I as the analyst don’t approve of — something that I consider to be nefarious, or to indicate nefarious thoughts, or pre-criminal activity, even if there’s no evidence or indication that’s in fact what’s happening. that it’s not innocent behavior. Read more

Share this entry