Posts

Tuesday Morning: Some Kind of Freak

Today’s the intersection of my Gwen Stefani jag and International Women’s Day 2016. Need some more estrogen-powered music to celebrate IWD? Try this list — note and compare Lesley Gore’s You Don’t Own Me and Nancy Sinatra’s These Boots Are Made for Walking against more recent tunes like No Doubt’s Just A Girl.

Let’s roll…

Volkswagen shocked, SHOCKED! the EPA went public on the diesel emissions standards cheat
But by the time the EPA made public statements regarding VW, the German automaker had already known about the International Council on Clean Transportation’s research results for a year and had yet to reveal to shareholders the risk of prosecution and penalties. VW’s leadership hoped for a mild and quiet slap on the hands and enough time for a technical solution before the EPA’s disclosure:

“In the past, even in the case of so-called ‘defeat device’ infringements, a settlement was reached with other carmakers involving a manageable fine without the breach being made public,” VW argued. “And in this case, the employees of Volkswagen of America had the impression on the basis of constructive talks with the EPA that the diesel issue would not be made public unilaterally but that negotiations would continue.”

Hope somebody is looking at insider trading for any sign that VW executives were unloading stock in the period between September 2014 when ICCT’s results were published, and when the EPA went public in 2015. Wonder what penalties there are under German/EU laws for this?

USDOJ appealed last week’s ruling in Brooklyn iPhone 5S case
At the heart of this appeal is Apple’s past cooperative actions when federal law enforcement asked for assistance in unlocking iPhones. Apple, however, said past acquiescence is not consent. USDOJ has now asked for review of Judge Orenstein’s ruling.

Apple co-founder Steve Wozniak appeared on Conan, sided unsurprisingly with Apple
Woz admitted to having tried his hand at writing viruses for Mac, but the entire premise terrified him, compelling him to destroy his efforts. Video of his appearance is included at this link.

France to punish phonemakers for encryption, while UK’s GCHQ says it should get around encryption
A narrow body of water, a different language, and a recent terrorist attack make for very different reactions to encrypted communications. France’s Parliament voted yesterday to punish phonemakers which do not cooperate with law enforcement on unencrypting data; the bill is not yet law, subject to further parliamentary process. Meanwhile, Britain’s spy chief said he hopes methods can be developed to get around encryption without building backdoors.

Drive-by quickies

And it’s Presidential Primary Day in Michigan, Mississippi, Idaho, Hawaii. I may avoid social media for most of the day for this reason. Hasta pasta!

Info Security Firms and Their Antivirus Software Monitored (Hacked?) by NSA, GCHQ

[NSA slide indicated info sec AV firms targeted for surveillance]

Let’s call this post a work in progress. I’m still reading through a pile of reporting from different outlets to see if it’s all the same information but rebranded, or if there’s a particular insight one outlet picked up, missed by the rest. Here are a few I’ve been working on today:

7:03 am – Popular Security Software Came Under Relentless NSA and GCHQ Attacks (The Intercept)

7:12 am – US and British Spies Targeted Antivirus Companies (WIRED)

9:48 am – Spies are cracking into antivirus software, Snowden files reveal (The Hill)

12:18 pm – GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto (Ars Technica-UK)

12:57 pm* – US, UK Intel agencies worked to subvert antivirus tools to aid hacking [Updated] (Ars Technica) (*unclear if this is the original post time or the time the update was posted)

~3:00 pm – NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users (TechCrunch)
(post time is approximate as site only indicates rounded time since posting)

The question I don’t think anyone can answer yet is whether the hack of Kaspersky Lab using Duqu 2.0 was part of the effort by NSA or GCHQ, versus another nation-state. I would not be surprised if the cover over this operation was as thin as letting the blame fall on another entity. We’ve seen this tissue paper-thin cover before with Stuxnet.

For the general public, it’s important to note two things:

— Which firms were not targeted (that we know of);

— Understand that the use of viruses and other malware that already threaten and damage civilian computing systems only creates a bigger future threat to civilian systems.

Once a repurposed and re-engineered exploit has been discovered, the changes to it are quickly shared, whether to those with good intentions or criminal intent. Simply put, criminals are benefiting from our tax dollars used to help develop their future attacks against us.

There’s a gross insufficiency of words to describe the level of shallow thinking and foresight employed in protecting our interests.

And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.

EDIT — 5:55 pm EDT —

And yes, I heard about the Polish airline LOT getting hit with a DDoS, grounding their flights. If the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.

But if I were to hear about electrical problems on airlines over the next 24-48 hours, I wouldn’t automatically attribute it to hacking. We’re experiencing effects of a large solar storm which may have caused/will cause problems over the last few hours for GPS, communications, and electrical systems, especially in North America.

EDIT — 1:15 am EDT 23JUN2015 —

At 2:48 pm local time Christchurch, New Zealand’s radar system experienced a “fault” — whatever that means. The entire radar system for the country was down, grounding all commercial flights. The system was back up at 4:10 pm local time, but no explanation has yet been offered as to the cause of the outage. There were remarks in both social media and in news reports indicating this is not the first such outage; however, it’s not clear when the last fault was, or what the cause may have been at that time.

It’s worth pointing out the solar storm strengthened over the course of the last seven hours since the last edit to this post. Aurora had been seen before dawn in the southern hemisphere, and from northern Europe to the U.S. Tuesday evening into Wednesday morning. It’s possible the storm affected the radar system — but other causes like malware, hacking, equipment and human failure are also possibilities.

Verizon VP: Company-Based Transparency Reports Don’t Help Consumers

There was a fascinating panel of Telecom execs and bloggers discussing human rights at RightsCon yesterday. Among others, Verizon Executive Vice President and General Counsel Randal Milch spoke.

As I noted in passing, Verizon published an update to their Transparency Report the other day. Particularly as compared to AT&T’s bogus report, the Verizon report was laudable for its explanation of what it couldn’t show, such as when it acknowledged that its report did not include the hundreds of millions of customers whose records got turned over under Section 215.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

It also acknowledged something obvious but which should be made explicit: when the government obtains content from Verizon, it sometimes gets metadata as well.

Some FISA orders that seek content also seek non-content; we counted those as FISA orders for content and to avoid double counting have not also counted them as FISA orders for non-content.

All this is useful information that lends the report itself credibility.

So when I first approached Milch, I thanked him for the quality of his report.

Which is why I was so surprised when he said the government should be in the business of transparency reports, not the providers. I challenged that, noting that an easy comparison of AT&T and Verizon’s reports strongly suggests that Verizon demands more legal process for requests than AT&T. He dismissed that, suggesting any differences arise from the different kind of client base the providers have.

Granted, Milch was talking about your average consumer, not … me.

But it seemed bizarre. Or perhaps it was a testament that Milch and Verizon generally don’t want to have to compete on this front.

Milch answered one other question of mine: I asked whether the Verizon/Vodaphone split affected Verizon’s obligations to the UK (that is, to GCHQ). He claims it didn’t affect it at all, that it was more an investment stake and that none of Verizon’s cell call records were in the UK. (No, I didn’t point out that the records are right where GCHQ wants them, in places accessible under Tempora).

So at least according to Milch’s claims, my theory laid out here is wrong.

NSA May Not Voyeuristically Pore Through Email But GCHQ Voyeuristically Pores Through WebCam Pictures

Back in James Clapper’s very first attempt to dismiss his lies to Ron Wyden, he said,

“What I said was, the NSA does not voyeuristically pore through U.S. citizens’ e-mails. I stand by that,” Clapper told National Journal in a telephone interview.

Apparently, however, NSA’s partner goes one step beyond that, with NSA’s assistance: GCHQ pores through bulk-collected webcam photos of Yahoo’s users, including those of US persons.

Britain’s surveillance agency GCHQ, with aid from the National Security Agency, intercepted and stored the webcam images of millions of internet users not suspected of wrongdoing, secret documents reveal.

GCHQ files dating between 2008 and 2010 explicitly state that a surveillance program codenamed Optic Nerve collected still images of Yahoo webcam chats in bulk and saved them to agency databases, regardless of whether individual users were an intelligence target or not.

This includes the 3 to 11% of images that show nudity.

Sexually explicit webcam material proved to be a particular problem for GCHQ, as one document delicately put it: “Unfortunately … it would appear that a surprising number of people use webcam conversations to show intimate parts of their body to the other person. Also, the fact that the Yahoo software allows more than one person to view a webcam stream without necessarily sending a reciprocal stream means that it appears sometimes to be used for broadcasting pornography.”

The document estimates that between 3% and 11% of the Yahoo webcam imagery harvested by GCHQ contains “undesirable nudity”.

Given past discussions of circumcision in regards to terrorist suspects, it’s only a matter of time before GCHQ defends its nudity stash because such evidence can be proof of radicalization (heh). Plus, we already know that NSA and GCHQ like to use targets’ online porn habits to discredit them.

Coming soon to an “oversight” hearing near you: James Clapper refuses to talk about this invasion of an American company’s customers’ privacy because it occurs under EO 12333 and liaison partnerships, and therefore is not subject to Congressional oversight.

Did GCHQ and NSA Lose an Eye Today?

As the business press is crowing, Vodaphone and Verizon are officially divorced.

After pulling off the $130 billion sale, Vodafone will drop from the world’s second-biggest phone company to the fourth, measured by market value, behind China Mobile Ltd., AT&T Inc. and Verizon Communications Inc. (VZ), data compiled by Bloomberg showed. Vodafone’s weighting in share indexes such as the FTSE 100 in London will be cut approximately in half.

Shareholders will get a return of about 102 pence ($1.70) per share. That’s about $23.9 billion in cash and about $58.6 billion in Verizon Communications shares.

Vodafone’s shares rose 2.8 percent to 236.10 pence at 2:45 p.m. in London. Verizon slipped 0.3 percent to $47.97 in New York.

“This is a great day for Verizon,” Verizon CEO Lowell McAdam said in a statement. “The new Verizon now has full ownership of the U.S. wireless industry leader in network performance, profitability and cash flow.”

The deal will help Vodafone pay off debt and help fund 7 billion pounds of additional network investments by March 2016, adding high-speed broadband and wireless coverage across its largest markets.

And rejoicing was heard on both sides of the Atlantic!

Curiously, though, I seem to be the only one asking what seems to be an obvious question: how will this high level British-US breakup affect the Five Eyes dragnet?

Particularly given reports that Verizon is (was?) one of 7 Tempora providers, I wonder whether splitting with Vodaphone has permitted Verizon to withdraw from compliance with GCHQ data requests.

Back in 2006, USA Today’s report that the NSA had a database of all of AT&T, Verizon, and BellSouth’s phone records caused one of the telecoms to refuse to turn over data without being legally obligated (and for a number of reasons, it is unlikely AT&T was the provider that demanded an order).

The publication of the Verizon Secondary Order on June 5, 2013 exposed Verizon far more than that 2006 story. And it exposed Verizon uniquely, in a way AT&T and Sprint hadn’t been exposed. ODNI exacerbated that exposure further when it released another document with Verizon’s name unredacted.

If I were Verizon, I would be doing nothing more than the government(s) legally required me to do. And as of today, Verizon may have one less government with the ability to make such requirements.

Update: On March 4, Verizon’s General Counsel said the Vodaphone/Verizon split will have no effect on Verizon’s obligations to the US.

GCHQ DDoS Hackers Hang Out with NSA’s Audit-Free Techies

Yesterday, I noted NBC’s report that GCHQ conducted a DDoS attack against Anonymous IRC chat.

There’s a subtle point that deserves more attention: GCHQ presented the underlying Powerpoint to NSA’s SIGDEV conference.

The documents, from a PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, show that the unit known as the Joint Threat Research Intelligence Group, or JTRIG, boasted of using the DDOS attack – which it dubbed Rolling Thunder — and other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

[snip]

In the presentation on hacktivism that was prepared for the 2012 SIGDEV conference, one official working for JTRIG described the techniques the unit used to disrupt the communications of Anonymous and identify individual hacktivists, including some involved in Operation Payback. Called “Pushing the Boundaries and Action Against Hacktivism,” the presentation lists Anonymous, Lulzsec and the Syrian Cyber Army among “Hacktivist Groups,” says the hacktivists’ targets include corporations and governments, and says their techniques include DDOS and data theft.

SIGDEV is NSA’s term for the agency’s efforts to develop new signals intelligence techniques and sources. Thus, GCHQ presented the attack as the cutting edge of what NSA does.

Goodie.

But remember: NSA’s SIGDEV analysts have access to raw data outside of normal channels. This shows up repeatedly in the primary orders for the dragnet. And, as Bart Gellman noted (and I elaborated on here), Obama specifically exempted these folks from his Presidential Policy Directive limiting our spying (though his PPD did say foreigners could be spied on for cybersecurity reasons).

In other words, the people GCHQ boasted of their attack on Anonymous to are the people who have some of the least oversight within NSA.

The Cayman Islands Agrees to Share Tax Data with the Five Eyes Countries

Apparently, the people at Treasury don’t need to take advantage of the Black Friday sales. Instead, they’re at work and announcing that the Cayman Islands (and Costa Rica) will share information on US taxpayers with the IRS. The move comes after the Brits rolled out a similar agreement earlier this month.

I assume we’ll see other advanced countries demand similar agreements. But for the moment, just the NSA and GCHQ’s home countries will be able to learn which of their citizens are stashing money in one of the world’s most important tax havens (and one that has been important to Anglo-American financial dominance).

There are two submarine cables serving the Cayman Islands. One — Maya 1 — carries telecom traffic to Hollywood, FL. It is owned, in part, by NSA spy partners AT&T and Verizon. The other carries traffic to Jamaica. Another of the cables that serves Jamaica lands in Boca Raton. A third carries traffic to British Virgin Islands. From BVI, cables carry traffic directly to several other landing spots in the US, as well as — by way of Bermuda — Canada.

Earlier this year, someone leaked massive amounts of data on BVI’s tax shelter clients and habits (though curiously, no US persons were identified among the most prominent culprits). As far as I know, no one has ever discovered how that data got leaked, and there seems little concern from the powers that be about this leaker who, after all, was as audacious as Chelsea Manning or Edward Snowden.

Now, I’m not saying that the US and UK were already stealing Cayman Islands’ data. I’m only saying that doing so would be perfectly within the known practices of America and Britain’s spy agencies.

How Does NSA (and Its Partners) Catch More Terrorists in Europe with Less Metadata?

In follow-up to yesterday’s I Con, Le Monde reports that France’s spy agency, DGSE, and the US established a data sharing arrangement in 2011-2012 via which France provides call data to the US. It notes that part of the data the US gets comes from the French (apparently, Le Monde has better mastery of the conjunction than American National Security journalists) and that French citizens, as well as other targets, are included.

I suspect this is where the global dragnet may proceed: where we learn, country by country, that the US has side deals with partners, in addition to massive collections done largely (in Europe, anyway) by GCHQ, that allows it access to a lot of metadata.

But there’s something missing.

The US can, so long as it gets away with it, collect as much metadata as it can from France and other foreign countries. In the US, it has to work through the courts (well, that’s the law, one the Bush Administration flouted for 5 years).

And yet, the US collects far more metadata in the US than it does in France. In the last month of 2012, the US (and its partners, including GCHQ and DGSE) collected 70.3 million pieces of metadata in France, or roughly 1.07 pieces of metadata on every French person. According to the Guardian, Boundless Informant shows the NSA (and its partners) collected 2.89 billion pieces of data in the month ending March 2013, or roughly 9.32 pieces of metadata on every American. And all that’s apparently before you consider the billions or trillions of pieces of metadata collected in the phone dragnet (which of course collects on “substantially all” the 310 million Americans) (though in France, investigators can access phone metadata more readily).

That is, legally, the NSA (and its partners, including GCHQ) are not bound by legal limits on what they collect. But it collects more on Americans than it does on the French.

And yet … NSA finds more terrorists in Europe than in America.

More terrorists, less metadata.

I am sure this is a matter of comparing oranges to orange bouncey balls. Different times of the year, different numbers of terrorists in the country, different complementary tools and investigative skills. That is, there are nuances in all this data that neither the Snowden document recipients nor the NSA are going to be able to explain anytime soon. But they both seem to agree Boundless Informant does provide some picture of how much data the NSA (and its partners) collect where. And that does seem to show that NSA collects relatively more in the US than it does in Europe.

If that’s the case, then why is having a complete haystack of metadata here in the US pursuant to the Section 215 dragnet necessary? Doesn’t the European case show you can find even more terrorists without it?

The Short-Comings of Pre-Crime Intelligence

The Sunday Express has a report that I consider one of the strongest pieces of evidence to date that Assad’s military was definitely behind the CW strike last week. (John Kerry is on TV citing forensic evidence, but he also said the evidence comes from someone besides the UN, which gives me pause, particularly given the way the Administration has clearly played with casualty numbers.)

According to intercepts collected at Troodos, UK’s listening post on Cyprus, the commander of the artillery unit that launched the attack balked at an order to release the CW at first, but then complied under threat of death.

Last night the senior RAF officer said: “The commander of the artillery battery told the regional commander that he would not comply and there was a heated exchange. He was told in direct language that unless the order was carried out, he would be shot. A total of 27 chemical artillery shells were then fired at the suburb in a 14-minute period.”

The conversation was monitored and recorded by British officers based at the remote mountain-top RAF Troodos Signals Intelligence listening post in Cyprus and within minutes details of the conversation had been relayed to GCHQ, Whitehall and the Pentagon.

But I’m interested in the timing of this leak.

Details of this intelligence don’t show up explicitly in the British case for war, though there are claims in it that might reflect it.

There is some intelligence to suggest regime culpability in this attack.

[snip]

There is no obvious political or military trigger for regime use of CW on an apparently larger scale now, particularly given the current presence in Syria of the UN investigation team. Permission to authorise CW has probably been delegated by President Asad to senior regime commanders, such as [*], but any deliberate change in the scale and nature of use would require his authorisation.

However, the uncertainty as to whom Assad had delegated CW launch authority seems wholly incompatible with Whitehall having this intelligence. If they had this intercept, they would seemingly know fairly precisely the chain-of-command in question.

Nor does the intercept appear explicitly in the US case. Though again, there are claims that might reflect the intelligence.

We have intelligence that leads us to assess that Syrian chemical weapons personnel – including personnel assessed to be associated with the SSRC – were preparing chemical munitions prior to the attack. In the three days prior to the attack, we collected streams of human, signals and geospatial intelligence that reveal regime activities that we assess were associated with preparations for a chemical weapons attack.

Syrian chemical weapons personnel were operating in the Damascus suburb of ‘Adra from Sunday, August 18 until early in the morning on Wednesday, August 21 near an area that the regime uses to mix chemical weapons, including sarin.

Big Brother Works Both Sides of the Atlantic

I was rather surprised that there seemed to be more outrage Sunday about the UK’s announced plan to roll out the same ability to monitor everyone’s online activity that the US set up after 9/11 than over Eric Lichtblau’s report–based on the ACLU’s FOIA efforts–revealing that cops all over the country are using our smart phones to spy on us.

At least from the published reports, it sounds like the Brits want to be able to do through GCHQ what NSA and FBI have been doing with hoovered telecom records for years.

A new law – which may be announced in the forthcoming Queen’s Speech in May – would not allow GCHQ to access the content of emails, calls or messages without a warrant.

But it would enable intelligence officers to identify who an individual or group is in contact with, how often and for how long. They would also be able to see which websites someone had visited.

[snip]

“What this is talking about doing is not focusing on terrorists or criminals, it’s absolutely everybody’s emails, phone calls, web access…” he told the BBC.

“All that’s got to be recorded for two years and the government will be able to get at it with no by your leave from anybody.”

He said that until now anyone wishing to monitor communications had been required to gain permission from a magistrate.

Plus, such plans will likely face more of a hurdle in Parliament than such schemes to expand surveillance face in Congress.

Meanwhile, the materials collected from all over the country via ACLU’s state affiliates show that local police are using some of the same approaches–things like communities of interest–that our massive data collection supports.

And as ACLU’s summary makes clear, not just the Feds using Secret PATRIOT but local cops are using cell phones to track people with no warrants.

Most law enforcement agencies do not obtain a warrant to track cell phones, but some do, and the legal standards used vary widely. Some police departments protect privacy by obtaining a warrant based upon probable cause when tracking cell phones. For example, police in the County of Hawaii, Wichita, and Lexington, Ky. demonstrate probable cause and obtain a warrant when tracking cell phones. If these police departments can protect both public safety and privacy by meeting the warrant and probable cause requirements, then surely other agencies can as well.

Unfortunately, other departments do not always demonstrate probable cause and obtain a warrant when tracking cell phones. For example, police in Lincoln, Neb. obtain even GPS location data, which is more precise than cell tower location information, on telephones without demonstrating probable cause. Police in Wilson County, N.C. obtain historical cell tracking data where it is “relevant and material” to an ongoing investigation, a standard lower than probable cause.