
Rattled: China’s Hardware Hack – SMCI’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response Bloomberg Businessweek received from Super Micro Computer in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. Super Micro Computer’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses to Bloomberg’s story will be posted separately.
__________

Supermicro

While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.[1] We are not aware of any customer dropping Supermicro as a supplier for this type of issue.[2]

[1] (a) “we are not aware” “nor have we been contacted” — who is “we”?

(b) “nor have we been contacted by any government agency” — has Supermicro been contacted by customers or their auditors or their security teams, contract or not, about security problems?

[2] Were one or more of Supermicro’s customers dropped by their customers because of security concerns including problems with firmware? Are any of the customers or customers of customers U.S. government entities?

Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.[3]

[3] Has Supermicro been in contact with any government agency regarding any security issues including firmware updates?

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.[4]

[4] Interesting pointer about networking chips. What other motherboard content does Supermicro not design or manufacture, procuring from other companies? What procured motherboard components have firmware associated with them?

Rattled: China’s Hardware Hack – Amazon’s Response

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

The following analysis includes a copy of an initial response received from Amazon by Bloomberg Businessweek in response to its story, The Big Hack. In tandem with the Bloomberg story Amazon’s response was published on October 4 at this link. The text of Amazon’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses by Amazon to Bloomberg’s story will be assessed separately in a future post.

This analysis is a work in progress and subject to change.
__________

Amazon

It’s untrue that AWS[1] knew about a supply chain compromise, an issue with malicious chips, or hardware modifications[2] when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI[3] to investigate or provide data about malicious hardware.

[1] Identity – were there ever any third-party contractors or representatives involved in the relationship with Elemental? With Supermicro? Are there more than one Amazon subsidiary entity involved in the evaluation, purchasing, implementation of Elemental or Supermicro products into Amazon or its subsidiary enterprise? Which entity submitted this denial to Bloomberg Businessweek: Amazon, AWS, or some other subsidiary?

[2] What about evidence of bad or mismatched firmware and firmware updates?

[3] Did any law enforcement, military, or intelligence agency work with Amazon or any of its subsidiaries or contractors to investigate or provide data on hardware which failed to operate to specification or as expected?

We’ve re-reviewed our records[4] relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit[5] that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.[6]

[4] “our records” — whose records and what kind? Identity needs clarification as well as the type of records.

[5] Who is the third-party security auditor? How and why were they engaged?

[6] What about evidence of bad or mismatched firmware and firmware updates?

The pre-acquisition audit described four issues with a web application (not hardware or chips)[7] that SuperMicro provides for management of their motherboards. All these findings were fully addressed before we acquired Elemental. The first two issues, which the auditor[8] deemed as critical, related to a vulnerability in versions prior to 3.15 of this web application (our audit covered prior versions of Elemental appliances as well), and these vulnerabilities had been publicly disclosed by SuperMicro on 12/13/2013.[9]

[7] “web application” — but not firmware?

[8] Is this still the unnamed third-party security auditor or an internal auditor employed by Amazon or a subsidiary?

[9] How was this “publicly disclosed by SuperMicro”? SMCI’s website does not currently have either a press release or an SEC filing matching this date (see screenshots at bottom of this page).

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.[10] Nevertheless, the Elemental team had taken the extra action on or about 1/9/2014 to communicate with customers and provide instructions to download a new version of the web application from SuperMicro (and after 1/9/2014, all appliances shipped by Elemental had updated versions of the web application).[11] So, the two “critical” issues that the auditor found, were actually fixed long before we acquired Elemental. The remaining two non-critical issues with the web application were determined to be fully mitigated by the auditors if customers used the appliances as intended, without exposing them to the public internet.[12]

[10] “exposed to the public internet” — did customer data run through Elemental’s Supermicro devices between 2013 and 2015?

[11] What about firmware?

[12] Did customer data still run through devices with the two non-critical issues? Are any machines with these non-critical issues still in production?

Additionally, in June 2018, researchers made public reports of vulnerabilities in SuperMicro firmware.[13] As part of our standard operating procedure, we notified affected customers promptly, and recommended they upgrade the firmware in their appliances.[14]

[13] Researchers at Eclypsium are reported to have told Supermicro of vulnerabilities in January 2018. When was Amazon, AWS, or other Amazon subsidiary notified of these vulnerabilities?

[14] Given the six-month gap between Eclypsium’s notification to Supermicro and the public’s notification, when were Amazon’s, AWS’, or other Amazon subsidiary’s customers notified of these vulnerabilities?

__________

Screenshots

Supermicro’s SEC filings – last of year 2013:

Supermicro’s press releases – last of year 2013:

Rattled: China’s Hardware Hack – Apple’s Response

[NB: Note the byline. Portions of my content are speculative. / ~Rayne]

The following analysis includes a copy of an initial response received from Apple by Bloomberg Businessweek in response to its story, The Big Hack. In tandem with the Bloomberg story this was published on October 4 at this link. Apple’s response is offset in blockquote format. No signer was indicated in the published response. Additional responses from Apple to Bloomberg’s story will be assessed separately in a future post.

This analysis is a work in progress and subject to change.
__________

Apple

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple.[1] Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.[2] We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.[3]

[1] Phrasing avoids who made the allegation(s).

[2] “rigorous internal investigations” doesn’t describe what they actually investigated; “each time” refers to investigations AFTER Bloomberg contacted Apple, AFTER 2016 when Apple had broken off relations with Supermicro.

[3] “refuting virtually every aspect” does not mean “every and all.”

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server.[4] Apple never had any contact with the FBI or any other agency about such an incident.[5] We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.[6]

[4] (a) What about problems with firmware updates, including malicious firmware, firmware not issued by Supermicro, or hijacking to firmware upgrade sites not created by Supermicro?

(b) “purposely planted in any server” refers not to Supermicro’s motherboards but to Elemental or other server assemblies.

[5] What about contact with any government agency regarding firmware? What about contact with a third-party entity regarding firmware problems, including security researchers?

[6] This phrasing focuses on law enforcement but not on other possibilities like intelligence entities or non-law enforcement functions like Commerce or Treasury Departments.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers;[7] Siri has never been deployed on servers sold to us by Super Micro;[8] and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers has ever been found to hold malicious chips.[9]

[7] (a) What about earlier versions of Bloomberg’s narrative the public hasn’t seen?

(b) Did Siri and Topsy ever share a data farm facility?

[8] (a) Was Siri ever deployed on Elemental brand servers?

(b) Was Topsy ever deployed on Elemental brand servers?

[9] Did any of the servers on which Siri and Topsy were deployed experience firmware problems including malicious firmware, firmware not issued by Supermicro, or hijacking to firmware upgrade sites not created by Supermicro?

As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections. We did not uncover any unusual vulnerabilities in the servers we purchased from Super Micro when we updated the firmware and software according to our standard procedures.[10]

[10] Is this a statement of current practices or practices during the period of time about which Bloomberg reported? Why did Apple end its relationship with Supermicro?

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs.[11] That one-time event was determined to be accidental and not a targeted attack against Apple.[12]

[11] Gaslighting about the journalists’ credibility. Have there ever been any servers from Elemental or other server manufacturer with “infected drivers,” including the “single Super Micro server in one of our labs”? Were any servers of any make with “infected drivers” in production environments, whether they faced customers or not?

[12] How is an “infected driver” an accident?

While there has been no claim that customer data was involved, we take these allegations seriously and we want users to know that we do everything possible to safeguard the personal information they entrust to us.[13] We also want them to know that what Bloomberg is reporting about Apple is inaccurate.[14]

[13] This is not the same as saying “customer data was not exposed.”

[14] “inaccurate” but not “wrong,” “erroneous,” “false,” or “untrue”?

Apple has always believed in being transparent about the ways we handle and protect data.[15] If there were ever such an event as Bloomberg News has claimed, we would be forthcoming about it and we would work closely with law enforcement.[16] Apple engineers conduct regular and rigorous security screenings to ensure that our systems are safe. We know that security is an endless race and that’s why we constantly fortify our systems against increasingly sophisticated hackers and cybercriminals who want to steal our data.[17]

[15] Tell us about iPhone encryption.

[16] “an event” is not “events”. “Forthcoming” may not mean “public disclosure” or “reveal that we are under non-disclosure agreements.” “Would work closely with law enforcement” is not the same as “working with intelligence community,” or “working with Commerce/Treasury Departments.”

[17] No specific mention of nation-state actors.

Rattled: China’s Hardware Hack

[NB: Note the byline. Portions of my analysis may be speculative. / ~Rayne]

As I noted in my last Three Things post, information security folks are rattled by the October 4 Bloomberg Businessweek report that extremely tiny microchips may have been covertly embedded in motherboards used by U.S. businesses.

Their cognitive dissonance runs in two general directions — the feasibility of implanting a chip at scale, and the ability of such a chip to provide a viable backdoor to a device.

Hardware security researchers and professionals have been debating manufacturing feasibility and chip ability across Twitter. Joe Fitz’ recent tweet threads suggest implantation of a rogue chip is entirely doable on a mechanical basis though what happens once a chip has been embedded must be assessed from a software perspective. Fitz is not alone in his assessment; other professionals and academics believe it’s possible to insert a ‘malicious’ chip. Computer security academic Nicholas Weaver pointed to small devices which could do exactly what the Bloomberg report suggested if these tiny objects were embedded into motherboards during manufacturing.

The feasibility also requires the right opportunity — a confluence of personnel, manufacturing capability and capacity, timing and traceability. Let’s say a rogue or compromised employee manages to slip chips into a batch of motherboards; which ones? To whom will they ship? How could a rogue/compromised employee ensure the motherboards left the facility undetected?

The Bloomberg report paints the U.S.-based Supermicro plant as a perfect environment in which such hardware infiltration could happen easily. With employees divided by two very different languages — English-speakers far less likely to understand Mandarin-speakers — discussions between multiple rogue/compromised employees could be very easy as would be sharing of written instructions. Supermicro’s ISO certifications for standards 9001, 13485, 14001, and 27001 may shed some light on how the company expected to manage two different languages in the same workplace.

One could argue a bilingual workplace shouldn’t pose a challenge given how many companies already use English/Spanish, English/French, or English/German. Compare, however, these words:

English: hardware

German: either hardware or computerhardware

French: either hardware or le matériel

Spanish: either hardware or los equipos

Mandarin: 硬件 (yìng jiàn)

With enough exposure the average English-as-primary-language worker could readily understand the most common western language words for equipment they were manufacturing. It would take considerably more investment in education to recognize and understand a pictographic language, making casual quality control difficult.

The environment is even more challenging for mixed language staff in manufacturing plants located in China.

~ | ~ | ~

Let’s look at a timeline of events leading up to the Bloomberg report this week. Note how often the word ‘firmware’ is used in this timeline and in the responses from Apple and Amazon to the Bloomberg story:

1993 — Charles Liang launched Supermicro.

2005 — Defence Science Board warned “trojan horse” chips bought overseas could negatively affect military systems.

2007 — Social search analytics company Topsy founded.

2008 — BusinessWeek reported that fake Chinese-made microchips had entered the military’s supply chain causing system crashes.

2010 — Defence Department bought 59,000 chips, unaware they were counterfeit.

2Q2011 — China denied entry visas to the staff of senators Levin and McCain for a congressional probe in Guangdong province.

October 2011 — Apple releases Siri.

December 2013 — Apple acquired Topsy.

December 2013 — Supermicro publicly disclosed vulnerability/ies in a web application related to management of motherboards (Amazon response, email Oct 2018)

December 2013 — CBS’ 60 Minutes program aired a story about the NSA in which a plot involving a rogue BIOS had been identified.

First half 2014 (date TBD) — Intelligence officials told the White House that PRC’s military would infiltrate Supermicro’s motherboard production with microchips intended for the U.S. market.

January 2014 — Elemental communicated to existing customers that a new version of the web app was available for download; equipment shipped after this date had updated versions of the web app. (Amazon response, email Oct 2018)

Early 2015 — Amazon launched pre-acquisition evaluation of startup Elemental Technologies, which used Supermicro motherboards in servers it made.

Late spring 2015 — Elemental sent several servers to Ontario CAN for testing by third-party security firm. It found non-spec chips on server motherboards. (Bloomberg report)

May 2015 — Apple detected unusual network activity and experienced firmware problems.

Summer 2015 — Apple found non-spec chips on Supermicro motherboards Apple bought from Supermicro. (Bloomberg report)

September 2015 — Amazon announced its acquisition of Elemental.

December 2015 — Apple shut down Topsy.

Mid-2016 — Apple broke off its relationship with Supermicro.

June 2018 — Researchers publicized vulnerabilities found in Supermicro firmware. AWS notified customers and recommended a firmware upgrade. (Amazon response, email Oct 2018)

October 2018 — Amazon, Apple, Supermicro, and PRC submitted responses denying Bloomberg’s report. (Published by Bloomberg)

~ | ~ | ~

Follow-up reporting by other news outlets increases the layers of denial that cloud companies Amazon and Apple were affected by a possible breach of the hardware supply chain.

Some have asked if Bloomberg’s report is merely an attempt to undermine Amazon and Apple, which are the two most valuable companies in the U.S. and in Apple’s case, the world.

It is their value and their place in the stock market along with the customers they serve which may drive some of the denial.

Remember that Amazon’s AWS has provided hosting to U.S. government agencies. Government employees also use Apple iPhones and by extension, Apple’s cloud services. Is it at all possible that in providing services to government agencies these corporations and/or their subsidiaries have been read into programs obligating a degree of secrecy which includes denial of vulnerabilities and breaches which do not affect directly the average non-governmental user of Amazon and Apple products and services?

~ | ~ | ~

There are additional events which appear to have happened independently of the alleged hardware supply chain infiltration. They may be extremely important and highly relevant if looked at from an industry and intelligence perspective.

March 2014 — Freescale Semiconductor lost 20 employees in apparent crash of Malaysia Air flight MH370 en route to Beijing. The employees were supposed to begin work on a new chip manufacturing facility in China. While Freescale’s chips were not those one might ordinarily associate with server motherboards, it’s worth asking if Freescale at that time had any chips which might have served as server chips, or if they could work as illicit hardware hacks when embedded in a motherboard. Freescale has since been acquired by NXP.

Late 2010 — Beginning in late 2010, China identified and executed a network of U.S. agents within its borders over a two-year period, resulting in the deaths of at least 30 persons and the prosecution of former CIA agent Jerry Chung Shin Lee, who worked as an informant for PRC. The exposure of these spies was blamed in part on a compromised communications system which had been previously used in the Middle East. Due to compartmentalization of the project, it’s reported Lee could not have identified the agents, placing more emphasis on the communications system.

Mid-2011 — China refused visas to staff for senators Carl Levin and John McCain for the purposes of investigating electronic components manufacturing in the city of Shenzhen in Guangdong province. The congressional probe sought the source of counterfeit parts which had entered the U.S. military’s supply chain; the U.S. Commerce Department reported in January 2010 that 400 companies surveyed “overwhelmingly cited China” as the point of origin for counterfeit parts.

These events spawn more questions when looking at technology supply chain hacking and communications systems which rely on this supply chain.

Did Freescale’s plans to expand production in China pose a risk to the hardware supply chain hack? Or was it simply a fluke that a substantive portion of the company’s manufacturing engineers disappeared on that flight? Though Freescale originated in Austin, Texas, it had had a presence in China since 1992, with at least eight design labs and manufacturing facilities in China as of 2014.

Was the communications system used by doomed U.S. assets in China affected not by tradecraft or betrayal, or even by counterfeit parts, but by the hardware supply chain hack — and at an even earlier date than the timeline of events shown above related to Supermicro’s compromised motherboard production?

Did China refuse admittance to Guangdong province in 2011 related not to counterfeit parts but to the possibility that supply chain hacks beyond counterfeiting alone might be revealed?

Is the supply chain hack reported by Bloomberg part of a much larger security threat which has been slowly revealed but not widely acknowledged because the threat has been viewed through narrow military, or intelligence, or tech industry lenses?

The tech industry may be rattled by allegations that the computer hardware supply chain has been hacked. But the possibility this hack has gone on much longer and with massive potential collateral damage may truly shake them up.

~ | ~ | ~

There is a third train of cognitive dissonance, not limited to information security professionals. Persons outside the tech industry have indulged in denialism, taking comfort in the aggressive pushback by Apple and Amazon which each claim in their own way that the Bloomberg report is inaccurate. (I have an analysis of the early responses by Apple and Amazon; I will also examine later expanded responses as well as Supermicro’s and PRC’s responses as soon as time permits.)

But there have been reports for years about counterfeit electronic components, obstruction of investigations into these components, system failures which could be attributed to hardware or software which do not meet specifications. Cognitive dissonance also resists Bloomberg’s report that as many as 30 U.S. companies were affected, not just Apple and Amazon which have offered up high-profile rebuttals.

And there have been reports in industries outside of cloud services and the military where off specification or counterfeit electronic components have made it into production. One such anecdote appears in a thread at Hacker News YCombinator, discussing credit card payment systems and development of screening systems requiring application of tests using angular momentum to determine if a board has been altered without breaking the board’s tamper-proof seal.

In addition to his early tweets assessing feasibility of malicious or covert off-spec chips added to motherboards, Nicholas Weaver wrote a post for Lawfare about the Bloomberg report.

The Bloomberg story also explains a previous mystery: in 2016, Apple quietly removed all SuperMicro servers from their products due to an unspecified “Security Incident.” At the time the rumor was that SuperMicro provided a sabotaged BIOS—that is, the bootstrap program used to start the computer, another “god mode” target for compromise. Apple denied then that there was any security incident—just as they are denying one now.

This incident once again illustrates the “Coventry problem,” referring to Winston Churchill’s apocryphal decision not to prevent the bombing of Coventry in order to keep secret that British intelligence had decrypted the Enigma machine. Robertson and Riley describe a U.S. intelligence apparatus that knew of these ongoing attacks, but could not effectively notify the affected companies nor provide useful recommendations. If the intelligence community had warned these companies, it would probably have revealed to the Chinese that the U.S. was aware of these activities, as well as potentially compromise an ongoing FBI investigation described in the article.

Weaver called the suspect Supermicro firmware a ‘BIOS’ — the first use of this term across multiple reports covering the Bloomberg report and its aftermath. This change in nomenclature is critical, particularly so given the point he makes about the “Coventry problem.” The term ‘BIOS’ does not appear in the early responses from Apple, Amazon, or Supermicro.

In December 2013, CBS’ 60 Minutes aired a report about the NSA; it appeared at the time to puff up the agency after the publication of Edward Snowden’s leaked documents about the government’s domestic spying using PRISM. Within the story was a claim about a thwarted cyberattack:

Debora Plunkett: One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability— to destroy computers.

John Miller: To destroy computers.

Debora Plunkett: To destroy computers. So the BIOS is a basic input, output system. It’s, like, the foundational component firmware of a computer. You start your computer up. The BIOS kicks in. It activates hardware. It activates the operating system. It turns on the computer.

This is the BIOS system which starts most computers. The attack would have been disguised as a request for a software update. If the user agreed, the virus would’ve infected the computer.

John Miller: So, this basically would have gone into the system that starts up the computer, runs the systems, tells it what to do.

Debora Plunkett: That’s right.

John Miller: —and basically turned it into a cinderblock.

Debora Plunkett: A brick.

John Miller: And after that, there wouldn’t be much you could do with that computer.

The description sounds remarkably like the rogue firmware update in concert with a malicious/covert chip.

The manner in which this report was handled by the NSA, however, made it appear like disinformation. The assessment that such firmware would be used solely to brick a device heightened the FUD around this report, deterring questions about applications other than bricking a device — like taking control of the computer, or collecting all its transactions and data. Was the FUD-enhanced release via 60 Minutes the intelligence community’s approach to the “Coventry problem”?

~ | ~ | ~

The problem Bloomberg’s Jordan Robertson and Michael Riley reported is probably much bigger than they described. It is bigger than Supermicro motherboards and firmware, and it’s not a problem of the near-term future but ongoing over the last decade.

At what point will U.S. industries organize a collective response to both counterfeit and off-specification manufacturing of electronic components overseas? They can’t count on a calm and rational response from the Trump administration given the unnecessary trade war it launched against China.
_____

Disclosure: I have positions in AAPL and AMZN in my investment portfolio.

Photo: Pavan Trikutam via Unsplash

Three URGENT Things: POTUS’ Alert Text, Facebonked, Kavanuh-uh

Let’s get right to it, no time for preamble (and don’t forget to check the byline above).

~ 3 ~

There will be an unblockable nationwide test of the Presidential Alert system on all cell phones today at 2:18 p.m. ET.

This infuriates me to no end, especially after Trump’s insulting bullshit at his fan club rally last night in which he denigrated assault survivor Dr. Blasey Ford. It’s as if he’s going to grab us all by the privates at the same time today without our consent.

Think about it: so much of your private personal life goes through your phone and now Trump’s FEMA has decided it will inject itself into your phone?

Lifehacker has a decent article suggesting some methods for mitigating or avoiding the text if not blocking it — you can read about it at this link.

Make sure you tell friends and family ASAP about this alert so they don’t freak out and aren’t in the middle of something important when this alert shows up.

Pity the poor residents of Hawaii, having to face this crap first thing this morning.

Time zone conversion for the alert:

Eastern: 2:18 p.m. ET
Central: 1:18 p.m. CT
Mountain: 12:18 p.m. MT
Pacific: 11:18 a.m. PT
Alaska: 10:18 a.m.
Hawaii: 08:18 a.m.

Check time conversion at this link. I’m going to shut my phone off at 2:00 p.m. ET and take an hour-long break.

~ 2 ~

The half-assed FBI investigation will likely be finished today; don’t expect to see the Swiss cheese-y results riddled with holes where testimony wasn’t collected. It’s unlikely the public will see this report.

This means McConnell will likely pursue a vote on cloture today to end debate in order for the full Senate to vote on Kavanaugh before the end of the week.

Which in turn means CALL YOUR SENATORS. Yes, even the steadfast Democrats who are unlikely to sway because their offices are being flooded with right-wing calls demanding their poor rich white frat boy judge be seated for a lifetime on the Supreme Court.

Screw that. Just MAKE THE CALLS.

Congressional switchboard: (202) 224-3121

Need a script for your call? @Celeste_pewter has them broken into four categories:

– The Democrats who have already said yes, and won’t flip no matter what.
– The red state Democrats.
– The potential GOP flips.
– The GOP senators who will vote yes, no matter what.

And a universal, all-senators script.

Pick the appropriate script and have at it. (Thanks, Celeste!)

HOOSIERS: Make a special effort to thank Joe Donnelly who came out last night as a NO on Kavanaugh. He is surely being pummeled today by Indiana’s finest red staters.

NORTH DAKOTANS: Heitkamp is down but within margin of error of her Republican opponent. Make sure you call so that she doesn’t feel pressure to backslide.

Trouble getting through switchboard or full mailbox? Try contacting your senators’ local offices. Look them up at:

Contacting Congress: https://www.contactingcongress.org
Ballotpedia: https://ballotpedia.org/Who_represents_me%3F

~ 1 ~

Facebook’s massive breach exposes what a bad, BAD idea it was to allow a Facebook login to become a universal login for other applications. Let’s not forget Facebook has also appropriated users’ phone numbers for advertising without users’ consent. It’s a security cataclysm and Facebook is once again flat-footed.

NEVER LOG INTO SITES WITH FACEBOOK USERID.

Never use the same password for more than one site.

Use a password manager.
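To make the “universal login” point concrete, here is an added example (not code from the original post, and not Facebook’s login implementation). It models a toy identity provider (IdP) that mints HMAC-signed bearer tokens and three hypothetical relying parties that accept them; the site names, the `shop.example` “leak” and the signing key are all constructed for the demo. It shows three cases: an unrestricted token stolen from anywhere works everywhere; a token bound to one audience and leaked from that site is rejected elsewhere; and, the case the breach above is about, an attacker who holds the user’s session at the IdP itself can simply mint a fresh, correctly audienced token for every site, so audience binding does not save you when the provider is what got breached.

```python
"""Added example: blast radius of a compromised federated login.

Everything here is constructed for illustration: the signing key, the site
names and the 'stolen' tokens. A real IdP would use OIDC/JWT with asymmetric
keys, expiry, nonces and revocation; this toy keeps only the audience claim.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional

IDP_KEY = secrets.token_bytes(32)  # constructed: the IdP's token-signing secret
SITES = ["shop.example", "forum.example", "payroll.example"]  # hypothetical relying parties


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user: str, audience: Optional[str]) -> str:
    """The IdP mints a signed bearer token. audience=None models a token any site accepts."""
    claims: Dict[str, str] = {"sub": user}
    if audience is not None:
        claims["aud"] = audience
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return f"{_b64e(body)}.{_b64e(sig)}"


def forge_token(claims: Dict[str, str], signature: bytes) -> str:
    """What an attacker WITHOUT the IdP key can build: arbitrary claims, made-up signature."""
    body = json.dumps(claims, sort_keys=True).encode()
    return f"{_b64e(body)}.{_b64e(signature)}"


def rp_accept(site: str, token: str, enforce_audience: bool) -> bool:
    """A relying party decides whether to log the token bearer in.

    enforce_audience=False reproduces the 'any valid IdP token is good here' mistake.
    """
    try:
        body_s, sig_s = token.split(".")
        body, sig = _b64d(body_s), _b64d(sig_s)
    except ValueError:
        return False
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False
    claims = json.loads(body)
    if enforce_audience and claims.get("aud") != site:
        return False
    return "sub" in claims


def reachable_sites(scenario: str) -> List[str]:
    """Which relying parties an attacker can enter under each constructed scenario."""
    if scenario == "unrestricted_token_stolen":
        # One token valid everywhere: replaying it logs the attacker in to every site.
        stolen = idp_issue_token("alice", audience=None)
        return [s for s in SITES if rp_accept(s, stolen, enforce_audience=False)]
    if scenario == "audienced_token_stolen":
        # A token minted for shop.example leaks (say, from shop's logs); other sites reject it.
        stolen = idp_issue_token("alice", audience="shop.example")
        return [s for s in SITES if rp_accept(s, stolen, enforce_audience=True)]
    if scenario == "idp_session_stolen":
        # The attacker controls alice's session at the IdP itself, so they just ask the
        # IdP for a fresh token per site. Audience binding is no help at all here.
        return [s for s in SITES
                if rp_accept(s, idp_issue_token("alice", audience=s), enforce_audience=True)]
    raise ValueError(f"unknown scenario {scenario!r}")


if __name__ == "__main__":
    for name in ("unrestricted_token_stolen", "audienced_token_stolen", "idp_session_stolen"):
        print(f"{name:28s} -> {reachable_sites(name)}")
```

The design point is the third scenario: audience binding limits damage from a token leaked at one relying party, but once the identity provider’s own session is compromised, every site that outsources its login to that provider is open, which is exactly why spreading one login across many services concentrates risk.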

Read up here about the problem.

What did I do? I gave up Facebook years ago when it was clear to me they were a security cesspool.

~ 0 ~

Now get going. Run!

Treat this as an open thread.

The Crimes with which NSD Envisions Charging Those Attacking Elections

The Senate Judiciary Committee had a hearing on how to protect our elections today. Among others, Deputy Assistant Attorney General Adam Hickey from DOJ’s National Security Division testified. He gave a list of some of the crimes he thought might be used to charge people who tampered with elections.

Foreign influence operations, though not always illegal, can implicate several U.S. Federal criminal statutes, including (but not limited to) 18 U.S.C. § 371 (conspiracy to defraud the United States); 18 U.S.C. § 951 (acting in the United States as an agent of a foreign government without prior notification to the Attorney General); 18 U.S.C. § 1001 (false statements); 18 U.S.C. § 1028A (aggravated identity theft); 18 U.S.C. § 1030 (computer fraud and abuse); 18 U.S.C. §§ 1343, 1344 (wire fraud and bank fraud); 18 U.S.C. § 1519 (destruction of evidence); 18 U.S.C. § 1546 (visa fraud); 22 U.S.C. § 618 (Foreign Agents Registration Act); and 52 U.S.C. §§ 30109, 30121 (soliciting or making foreign contributions to influence Federal elections, or donations to influence State or local elections).

In their testimony, Ken Wainstein (someone with extensive experience of national security prosecutions, but less apparent focus on the available evidence in this investigation) and Ryan Goodman (who doesn’t have the prosecutorial experience of Wainstein, but who is familiar with the public facts about the investigation) also list what crimes they think will get charged.

I find a comparison of what each raised, along with what has already been charged, to be instructive. I believe that comparison looks like this:

I’m interested, in part, because Hickey, who likely has at least a sense of the Mueller investigation (if not personal involvement), sees the case somewhat differently than two differently expert lawyers. Two charges — agent of a foreign power (basically, being a foreign spy in the US not working under official cover) and CFAA (hacking) seem obvious to both National Security Division prosecutors, but have not yet been publicly charged. Illegal foreign contributions seems obvious to those paying close attention, but also has not been charged. We might expect to see all three charges before we’re done.

Neither Wainstein nor Goodman mentioned false statements, but of course that’s what we’ve seen charged most often so far.

Then there are the two crimes Hickey mentions that the others don’t, but that have not yet been charged (both have been alleged as overt acts in the Internet Research Agency indictment): Visa fraud (alleged against the trolls who came to the US to reconnoiter in 2014) and destruction of evidence (again, alleged against IRA employees destroying evidence after Facebook’s role was discovered). Mueller also described George Papadopoulos destroying evidence when he deleted his Facebook account, but like the Russian trolls, he didn’t get charged for it. Visa fraud, in particular, is something that multiple figures might be accused of — Alexander Torshin and others reaching out via NRA, Natalia Veselnitskaya, and even Brits who worked illegally during the election for Cambridge Analytica.

I confess I’m most interested in Hickey’s mention of destruction of evidence, though. That’s true, in part, because SDNY seems to think Michael Cohen might destroy evidence.

Hope Hicks, too, reportedly thought about hiding evidence from authorities. Then there’s the report that Mueller is checking encrypted messaging apps as people turn in phones when they arrive for interviews.

Hickey seems to think some of the people being investigated — beyond Papadopoulos and IRA troll Irina Viktorovna Kaverzina — may have been destroying evidence.

I wonder if he has reason to suspect that.

[Photo: Emily Morter via Unsplash]

Open Thread: Oddments Olio

A dog’s breakfast, hodgepodge, pastiche, olio — this is a catch-all post with an open thread. I have a bunch of tidbits and loose ends with no place to go, not enough on which to center posts. Make of them what you will and bring your own potpourri in comments.

Loews — No, not Lowe’s as in the big box hardware store chain. Loews Regency, as in pricey hotel in NYC where Trump’s personal attorney and likely cut-out has been staying, ostensibly because of construction at his home. Yeah, the same home which was searched this past week along with this hotel room and office.

One detail folks may have forgotten: Loews Regency is the same hotel where Felix Sater arranged a 27-JAN-2017 meeting between Michael Cohen and Ukrainian lawmaker Andrey Artemenko to discuss a plan to lift the sanctions on Russia. Totally legal one week after the inauguration, right? But why meet with the president’s personal lawyer instead of State Department employees, or wait until Rex Tillerson was confirmed on February 1?

And when was the meeting set up — did Sater take a phone call from Artemenko before the inauguration?

It wasn’t clear back in early 2017 when exactly this back-channel was first established and it’s still not clear now.

Searching Cohen’s room at the Loews seems more reasonable considering the Artemenko meeting. Has Cohen had a room or rooms in Loews Regency since inauguration day or earlier?

~ | ~

Hacka cracka lacka — Hey, remember how former CIA director John Brennan was hacked in 2015 and 2016 by a couple of “Cracka” hackers? Two dudes from North Carolina were arrested and prosecuted, sent to prison for two years for hacking senior U.S. officials.

One detail sticking in my craw has been the third party characterized as a group leader; only a teenager at the time, they were located in the U.K.

Why have so many issues related to politics and information security had links to the U.K. — like Cambridge Analytica/SCL and Brexit? Did somebody manipulate an autistic U.K. teenager into doing work that assisted larger aims?

~ | ~

Facebook’s Chancellor — Prof. David Carroll asked a very good question: why didn’t any member of Congress on either the Senate Judiciary Committee or the House Energy & Commerce Committee ask about Facebook employee Joseph Chancellor, a psychologist who had been hired away from Cambridge Analytica. Well?

Speaking of Facebook, there are several folks who’ve been all over this scandal, some of whom have been responsible for the public’s awareness that Facebook data had been acquired without users’ consent. Give them a follow:

Carole Cadwalladr — reporter-writer for Guardian-UK and Observer who has doggedly covered Cambridge Analytica/SCL links to Facebook user data and their impact on the Brexit referendum in June 2016. Her Guardian content is here (consider throwing them a few bucks for her great work).

Chris Wylie — Cambridge Analytica’s former director of research now whistleblower who revealed much of the workings between CA/SCL and Facebook’s ill-gotten data.

David Carroll — Associate professor of media design at the School of Art, Media, and Technology at The New School’s Parsons School of Design; he’s been chasing his personal data located in the U.K. and is now suing Cambridge Analytica’s parent, SCL, for U.S. data it obtained without consent. (Read about the case and chip into the legal fund at this link.)

Also note that Verge senior writer Sarah Jeong generously tweeted all the members of Congress who’d received donations from Facebook as they questioned CEO Mark Zuckerberg. Check it out.

~ | ~

Content bias — During this week’s committee hearings with Facebook CEO, GOP members of Congress tried repeatedly to make a case that Facebook was biased against conservative content. Too bad Facebook helped get a GOP POTUS elected, shooting that narrative in the ass.

But one related thing has stuck in my craw for quite some time, and I can’t help wonder if it was yet another way in which Facebook was manipulated by a disinformation operation.

Remember back in 2016 stories reporting Facebook’s contract content editors complained that Facebook was biased against conservatives? The story first appeared in Gizmodo on May 9, then got picked up by other outlets. A political story during the campaign season usually happens the other way around — covered first in a big national outlet then picked up in lesser outlets. Why did this story happen via Gizmodo first? This would be the perfect manner in which to launder information; the point of origin is obscured by the second and third outlets to pick it up as they typically go to the biggest source to confirm their story. In this case, an outlet like NYT or WaPo would go to Facebook and put them on the spot. They wouldn’t bug Gizmodo or the leakers who went to Gizmodo.

Another important factor: Gizmodo was part of beleaguered Gawker Media, which was about to implode and bought out months later by Univision. Anybody remaining at the time this story hit was uncertain about the security of their job. Journalists would have been ripe for manipulation because they needed an attention-getting story to improve their odds for a next gig.

In fact, Gawker Media filed for Chapter 11 bankruptcy one month after the Facebook bias story was published — on June 10, 2016. Think of this 30-day time frame as two very stressful paydays for beleaguered Gawker employees who were trying hard to keep on keeping on but probably frantically wallpapering prospective media employers with resumes.

One more important factor: the reporter who covered this story was a technology editor whose beat wasn’t politics or free speech issues. This changed the way the story was covered and rolled out; if a reporter with more savvy and experience covering politics had been approached with this particular tip, they might have known there was something more to this than poor-conservatives-being-suppressed-by-liberal-bias. A political contributor might have questioned the insistence that outlets like Breitbart and Newsmax weren’t being included alongside NYT and WaPo.

Watching GOP congresspersons repeatedly bash Zuckerberg about media bias, I could see the same deer-in-the-headlights reaction Facebook had back in 2016 when these contract editors complained about bias. There was no bias; the hearings this week and the story in 2016 were naked attempts to screw with Facebook’s algorithms so that POS outlets like Mercer-funded, Bannon-operated Breitbart and Alex Jones’ InfoWars could get the same attention as legitimate outlets like NYT and WaPo.

We’re still going to have to press Facebook and other social media outlets to address this problem. It’s not just a problem of bias but of identifying legitimately reported journalism. And we all have a problem with being easily played because of our lack of sufficient skepticism.

~ | ~

Go for it. What detritus have you been carrying around that doesn’t fit anywhere else? Share in comments.

Facebook, Hot Seat, Day Two — House Energy & Commerce Committee Hearing

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the House Energy & Commerce Committee today.

After these two hearings my head is swimming with Facebook content, so much so that I had a nightmare about it overnight. Today’s hearing combined with the plethora of reporting across the internet is only making things more difficult for me to pull together a coherent narrative.

Instead, I’m going to dump some things here as food for further consideration and maybe a possible future post. I’ll update periodically throughout the day. Do share your own feedback in comments.

Artificial Intelligence (AI) — every time Mark Zuckerberg brings up AI, he does so about a task he does not want to employ humans to do. Zuckerberg doesn’t want to hire humans even if it means doing the right thing. There are so many indirect references to creating automated tools that are all substitutions for labor that it’s obvious Facebook is in part what it is today because Facebook would rather make profits than hire humans until it is forced to do otherwise.

Users’ control of their data — this is bullshit whenever he says it. If any other entity can collect or copy or see users’ data without explicit and granular authorization, users do not have control of their data. Why simple controls like granular read/not-read settings on users’ data, operated by users, have yet to be developed and implemented is beyond me; it’s not as if Facebook doesn’t have the money and clout to make this happen.

Zuckerberg is also evasive about following Facebook users and nonusers across the internet. Does browsing a non-Facebook website that embeds a Facebook Like button or pixel allow Facebook to track the people who visit that site? Mechanically it can: the visitor’s browser fetches the embedded element from Facebook’s servers and sends along whatever Facebook cookies it holds. Whether and how Facebook uses that data is not clear from Zuckerberg’s statements.

Audio tracking — It’s a good thing that Congress has brought up the issue of “coincident” content appearing after users discuss topics within audible range of a mobile device. Rep. Larry Bucshon (R-Indiana) in particular offered pointed examples; we should remain skeptical of any explanation received so far because there are too many anecdotes of audio tracking in spite of Zuckerberg’s denials.

Opioid and other illegal ads — Zuckerberg insists that if users flag them, ads will be reviewed and then taken down. Congress is annoyed the ads still exist. But at the heart of this exchange is Facebook’s reliance on users to perform the labor Facebook refuses to hire for in order to achieve the expected removal of ads. Meanwhile, Congress refuses to do its own job to increase regulations on opioids, choosing instead to flog Facebook because it’s easier than going after donors like Big Pharma.

Verification of ad buyers — Ad buyers’ legitimacy based on verification of identity and physical location will be implemented for this midterm election cycle, Zuckerberg told Congress. Good luck with that when Facebook has yet to hire enough people to take down opioid ads or remove false accounts of public officials or celebrities.

First Amendment protections for content — Congressional GOP is beating on Facebook for what it perceives as consistent suppression of conservative content. This is a disinfo/misinfo operation happening right under our noses and Facebook will cave just like it did in 2016 while news media look the other way since the material in question isn’t theirs. Facebook, however, has suppressed neutral to liberal content frequently — like content about and images featuring women breastfeeding their infants — and Congress isn’t uttering a peep about this. Congress also isn’t asking any questions about Facebook’s assessments of content

Connecting the world — Zuckerberg’s personal desire to connect humans is supreme over the nature and intent of the connections. The ability to connect militant racists, for example, takes supremacy (literally) over protecting minority group members from persecution. And Congress doesn’t appear willing to see this as problematic unless it violates existing laws like the Fair Housing Act.

More to come as I think of it. Comment away.

UPDATE — 2:45 PM EDT — I’m gritting my teeth so hard as I listen to this hearing that I’ve given myself a headache.

Terrorist content — Rep. Susan Brooks (R-Indiana) asked about Facebook’s handling of ISIS content, to which Zuckerberg said a team of 200 employees focus on counterintelligence to remove ISIS and other terrorist content, capturing 99% of materials before they can be seen by the public. Brooks further asked what Facebook is doing about stopping recruitment.

What. The. Fuck? We’re expecting a publicly-held corporation to do counterintelligence work INCLUDING halting recruitment?

Hate speech — Zuckerberg used the word “nuanced” to describe the definition while under pressure by left and right. Oh, right, uh-huh, there’s never been a court case in which hate speech has been defined…*head desk*

Whataboutism — Again, from Michigan GOPr Tim Walberg, pointing to the 2012 Obama campaign…every time the 2012 campaign comes up, you know you are listening to 1) a member of Congress who doesn’t understand Facebook’s use and 2) is working on furthering the disinfo/misinfo campaign to ensure the public thinks Facebook is biased against the GOP.

It doesn’t help that Facebook’s AI has failed on screening GOP content; why candidates aren’t contacting a human-staffed department directly is beyond me. Or why AI doesn’t interact directly with campaign/candidate users at the point of data entry to let them know what content is problematic so it can be tweaked immediately.

Again, implication of discrimination against conservatives and Christians on Facebook — Thanks, Rep. Jeff Duncan, waving your copy of the Constitution insisting the First Amendment is applied equally and fairly. EXCEPT you’ve missed the part where it says CONGRESS SHALL MAKE NO LAW respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press…

The lack of complaints by Democratic and Independent representatives about suppression of content should NOT be taken to mean it hasn’t happened. That Facebook allowed identified GOP-voting employees to work with Brad Parscale means that suppression happens in subtle ways. There’s also a different understanding between right and left wings about Congress’ limitation under the First Amendment AND Democrats/Independents aren’t trying to use these hearings as agitprop.

Internet service — CONGRESS NEEDS TO STOP ASKING FACEBOOK TO HELP FILL IN THE GAPS BETWEEN NETWORKS AND INTERNET SERVICE PROVIDERS THEY HAVE FAILED TO REGULATE TO ENSURE BROADBAND EVERYWHERE. Jesus Christ this bugs the shit out of me. Just stop asking a corporation to do your goddamned jobs; telcos have near monopoly ensured by Congress and aren’t acting in the best interest of the public but their shareholders. Facebook will do the same thing — serve shareholders but not the public interest. REGULATE THE GAP, SLACKERS.

3:00 PM thank heavens this beating is over.

Three more thoughts:

1) Facial recognition technology — non-users should NEVER become subjected to this technology, EVER. Facebook users should have extremely simple and clear opt-in/opt-out on facial technology.

2) Medical technology — absolutely not ever in social media. No. If a company is not in the business of providing health care, they have no business collecting health care data. Period.

3) Application approval — Ask Apple how to do it. They do it, app by app. Facebook is what happens when apps aren’t approved first.

UPDATE — 9:00 PM EDT — Based on a question below from commenter Mary McCurnin about HIPAA, I am copying my reply here to flesh out my concerns about Facebook and medical data collection and sharing:

HIPAA regulates health data sharing between “covered entities,” meaning health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers. Facebook had secretly assigned a doctor to promote a proposal to some specific covered entities to work on a test or beta; the program has now been suspended. The fact this project was secret and intended to operate under a signed agreement rather than attempting to set up a walled-off Facebook subsidiary to work within the existing law tells me that Facebook didn’t have any intention of operating within HIPAA. The hashing concept proposed for the early work, while still relying on actual user data, is absurdly arrogant in its blow-off of HIPAA: hashing a patient’s phone number or email doesn’t anonymize anything when the party on the other side holds the same identifiers and hashes them the same way, because matching the two sets is the entire purpose of the exercise.
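An added example of why hashed identifiers are not de-identified data (this is illustrative code written for this post, not anything from Facebook or the reported proposal, and the patient records, phone numbers and platform user list are all constructed and fictitious). It walks through three parties: a hospital that replaces phone numbers with SHA-256 hashes and calls the result de-identified; a platform that holds the same phone numbers, hashes them identically and joins the records back to named profiles; and an outsider who has only the hash list plus a guess at the number block, and recovers every number by enumerating it. It closes with a keyed hash (HMAC under a key the platform does not hold), which defeats both attacks but also defeats the matching, which is the point: you cannot have the join and the anonymity at the same time.

```python
"""Added example: 'hashing' personal identifiers does not anonymize them.

All data below is constructed for the demo (fictitious 555 numbers, made-up
records and profile names). Nothing here is the reported proposal's code.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed: what a hospital might hold, keyed by patient phone number.
HOSPITAL_PATIENTS: Dict[str, str] = {
    "555-013-0042": "diagnosis: hypertension",
    "555-013-7781": "diagnosis: type 2 diabetes",
    "555-013-2210": "diagnosis: depression",
}

# Constructed: what a social platform holds, phone number -> profile name.
SOCIAL_USERS: Dict[str, str] = {
    "555-013-0042": "alice",
    "555-013-7781": "bob",
    "555-013-9999": "carol",
}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def hospital_export(patients: Dict[str, str]) -> Dict[str, str]:
    """Naive 'de-identification': swap each phone number for its unsalted SHA-256."""
    return {sha256_hex(phone): record for phone, record in patients.items()}


def platform_link(export: Dict[str, str], users: Dict[str, str]) -> List[Tuple[str, str]]:
    """The receiving platform hashes its own phone book the same way and joins.

    Matching is the purpose of the exchange, so for anyone who holds the
    identifiers the hashing provides no anonymity at all.
    """
    lookup = {sha256_hex(phone): name for phone, name in users.items()}
    return sorted((lookup[h], record) for h, record in export.items() if h in lookup)


def outsider_reverse(export: Dict[str, str], prefix: str = "555-013-") -> Dict[str, str]:
    """A third party with only the hash list and a guessed number block.

    Phone numbers are a tiny, structured input space; enumerating one exchange
    is 10,000 hashes. The whole North American numbering plan is within reach of
    a laptop, so unsalted hashes of phone numbers (or emails) fall immediately.
    """
    targets = set(export)
    recovered: Dict[str, str] = {}
    for n in range(10_000):
        phone = f"{prefix}{n:04d}"
        digest = sha256_hex(phone)
        if digest in targets:
            recovered[phone] = export[digest]
    return recovered


def keyed_export(patients: Dict[str, str], key: bytes) -> Dict[str, str]:
    """HMAC under a key only the hospital holds: unguessable without the key,
    but then the platform can no longer join either. Matching and anonymity
    are mutually exclusive here; a protocol would have to pick one."""
    return {
        hmac.new(key, phone.encode(), hashlib.sha256).hexdigest(): record
        for phone, record in patients.items()
    }


if __name__ == "__main__":
    export = hospital_export(HOSPITAL_PATIENTS)
    print("platform join:", platform_link(export, SOCIAL_USERS))
    print("outsider recovery:", outsider_reverse(export))
    keyed = keyed_export(HOSPITAL_PATIENTS, b"hospital-only-secret-key")
    print("keyed join:", platform_link(keyed, SOCIAL_USERS), "keyed recovery:", outsider_reverse(keyed))
```

The practical caveat: a salt shared with the other party is just a key the other party also holds, so it restores the join and with it the re-identification; only a secret that stays on one side prevents linkage, and then there is nothing left to match.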

Just as disturbing: virtually nothing in the way of questions from Congress about this once-secret program. The premise which is little more than a normalized form of surveillance using users’ health as a criteria is absolutely unacceptable.

I don’t believe ANY social media platform should be in the health care data business. The breach of the U.S. Office of Personnel Management should have given Congress enough to ponder about the intelligence risks from employment records exposed to foreign entities; imagine the risks if health care data had been included with OPM employment information. Now imagine that at scale across the U.S., how many people would be vulnerable in so many ways if their health care information became exposed along with their social records.

Don’t even start with how great it would be to dispatch health care to people in need; we can’t muster the political will to pay for health care for everybody. Why provide monitoring at scale through social media when covered entities can do it for their subscriber base separately, and apparently with fewer data breaches?

You want a place to start regulating social media platforms? Start there: no health care data to mingle with social media data. Absolutely not, hell to the no.

Facebook on the Hot Seat Before Senate Judiciary Committee

This is a dedicated post to capture your comments about Facebook CEO Mark Zuckerberg’s testimony before the Senate Judiciary Committee this afternoon. At the time of this post Zuckerberg has already been on the hot seat for more than two hours and another two hours is anticipated.

Before this hearing today I had already begun to think Facebook’s oligopolistic position and its decade-plus inability to effectively police its operation require a different approach than merely increasing regulation. While Facebook isn’t the only corporation monetizing users’ data as its core business model, its platform has become so ubiquitous that it is difficult to make use of a broad swath of online services without a Facebook login (or one of a very small number of competing platforms like Google or Twitter).

If Facebook’s core mission is connecting people with a positive experience, it should be regulated like a telecommunications provider — they, too, are connectors — or it should be taken public like the U.S. Postal Service. USPS, after all, is about connecting individual and corporate users by mediating exchange of analog data.

The EU’s General Data Protection Regulation (GDPR) offers a potential starting point as a model for the U.S. to regulate Facebook and other social media platforms. GDPR will shape both users’ expectations and Facebook’s service whether the U.S. is on board or not; we ought to look at GDPR as a baseline for this reason, while staying within the First Amendment and existing law like the Computer Fraud and Abuse Act (CFAA).

What aggravates me as I watch this hearing is Zuckerberg’s obvious inability to grasp nuance, whether divisions in political ideology or the fuzzy line between businesses’ interests and users’ rights. I don’t know if regulation will be enough if Facebook (manifest in Zuckerberg’s attitude) can’t fully and willingly comply with the Federal Trade Commission’s 2011 consent decree protecting users’ privacy. It’s possible fines for violations of this consent decree arising from the Cambridge Analytica/SCL abuse of users’ data might substantively damage Facebook; will we end up “owning” Facebook before we can even regulate it?

Have at it in comments.

UPDATE — 6:00 PM EDT — One of my senators, Gary Peters, just asked Zuck about audio capture, whether Facebook uses audio technology to listen to users in order to place ads relevant to users’ conversational topics. Zuck says no, which is really odd given the number of anecdotes floating around about ads popping up related to topics of conversation.

It strikes me this is one of the key problems with regulating social media: we are dealing with a technology which has outstripped its users AND its developers, evident in the inability to discuss Facebook’s operations with real fluency on either the part of government or its progenitor.

This is the real danger of artificial intelligence (AI) used to “fix” Facebook’s shortcomings; not only does Facebook not understand how its app is being abused, it can’t assure the public it can prevent AI from being flawed or itself being abused because Facebook is not in absolute control of its platform.

Zuckerberg called the Russian influence operation an ongoing “arms race.” Yeah — imagine arms made and sold by a weapons purveyor who has serious limitations understanding their own weapons. Gods help us.

EDIT — 7:32 PM EDT — Committee is trying to wrap up, Grassley is droning on in old-man-ese about defending free speech but implying at the same time Facebook needs to help salvage Congress’ public image. What a dumpster fire.

Future shock. Our entire society is suffering from future shock, unable to grasp the technology it relies on every day. Even the guy who launched Facebook can’t say with absolute certainty how his platform operates. He can point to the users’ Terms of Service but he can’t say how any user or the government can be absolutely certain users’ data is fully deleted if it goes overseas.

And conservatives aren’t going to like this one bit, but they are worst off as a whole. They are older on average, including in Congress, and they struggle with usage, let alone the implications and the fundamentals of social media technology itself. They haven’t moved fast enough from now-deceased Alaska Senator Ted Stevens’ understanding of the internet as a “series of tubes.”

Parkland and the Twittered Revolt

Marvel at the teen survivors of the mass shooting at Marjory Stoneman Douglas High School in Parkland, Florida. Their composed rage is terrifying to a generation or two which have not seen the like since the 1960s and early 1970s. They are leading a revolution — but note the platform they’re using to best effect.


I can’t tell you how much use they are making of Facebook as I haven’t used it in several years. What I find telling is the dearth of links to students’ and followers’ Facebook posts tweeted into my timeline. I also note at least one MSD student exited Facebook after receiving death threats.

Twitter’s platform allows the authenticity and immediacy of the students’ communications, as easy to use as texting. There’s no filter. For whatever reason, parents haven’t taken to Twitter as they did Facebook, leaving the micro-blogging platform a space without as much adult oversight.

These attributes terrify the right-wing. There’s nothing limiting the reach of students’ messages — no algorithms slow their tweets. The ability to communicate bluntly, efficiently, and yet with grace has further thrown the right. The right-wing’s inability to accept these students as legitimately speaking for themselves and for their fellow students across the country is an expression of the right’s cognitive dissonance.

The students’ use of Twitter redeems the platform, asserting its true value. It’s 180 degrees from the problems Twitter posed as a toxic cesspool filled with trolls and bots. Parkland’s tragedy exposes what Twitter should be, what Twitter must do to ensure it doesn’t backslide.

Minors shouldn’t have to put up with bullying — especially bullying by adults. Donnie Trump Jr. is one of the worst examples of this bullying and should be booted out of the platform. Other adult bullies have also emerged but Twitter’s user base is ruthless in its swiftness, dealing a coup de grâce to Laura Ingraham’s sponsorships.

If only Twitter itself was as swift in ejecting bullies and trolls. Troll bots continue to flourish even after a large number were removed recently. Victims of tragedies should expect an ethical social media platform to eliminate trolls and bots promptly along with bullies.

Ethical social media platforms also need to ask themselves whether they want to make profit off products intended to maim and kill. Should it allow certain businesses to use promoted tweets to promote deadly products, or allow accounts for lobbying organizations representing weapons manufacturers as well as owners? Should Twitter remove the NRA just as it doesn’t permit accounts representing tobacco products?

Not to mention avoiding Facebook’s ethical crisis — should Twitter be more proactive in protecting its users now that Parkland’s Marjory Stoneman Douglas High School students have revitalized its brand?