
Tuesday, February 26, 2008

Of course I'm right

I do try to be accurate and correct my mistakes. I was happy to read on the Village Voice's blog that I'm "right." But I think they mean politically right. In some cases, I'm sure I'm to the right of the Village Voice. In others, I'm sure I'm right there with them on the left.

I suppose it could be argued that defending InfraGard from falsehoods is "right" in both senses.

Here's the comment I posted at the Village Voice blog:
I'll happily have my blog characterized as "right" meaning "correct," but I don't think it's terribly accurate to refer to much of its content as politically right wing. I would be happy to hear that ending the war in Iraq, ending the war on drugs, legalizing gay marriage, impeaching George W. Bush, abolishing the CIA, strict separation of church and state, and free speech absolutism (all positions defended at my blog) are now endorsed by the political right--it's about time.

Thanks for the link.
(Obligatory xkcd cartoon about being right. Kat can vouch for its accuracy.)

Sunday, February 24, 2008

New Mexico InfraGard conference

On Friday, I attended the New Mexico InfraGard Member Alliance's "$-Gard 2008" conference in Albuquerque. It was an excellent one-day conference that should be used as a model by other chapters. The conference was open to the public, and featured an informative and entertaining two-hour seminar on fraud and white collar crimes by Frank Abagnale, author of the autobiographical Catch Me If You Can and anti-fraud books The Art of the Steal and Stealing Your Identity. (Another version of Abagnale's talk can be viewed as an online webinar courtesy of City National Bank.) Abagnale argued that fraud has become much easier today than it was when he was a criminal forger, with numerous examples, and also offered some simple and relatively inexpensive ways for businesses and individuals to protect themselves. For example, he recommended the use of microcut shredders, and observed that his own business keeps shredders near every printer, and no documents get thrown away, everything gets shredded. He recommended the use of a credit monitoring service like Privacy Guard, and that if you write checks, you use a black uniball 207 gel pen, which is resistant to check-washing chemicals. For businesses that accept cash, he recommended training employees in some of the security features of U.S. currency rather than relying on pH testing pens, which are essentially worthless at detecting counterfeit money. By recognizing where bills use optical variable ink, for example, you can easily test for its presence in the time it takes you to accept bills from a customer and transfer them into a cash register. He also recommended that businesses use bank Positive Pay services to avoid having business checks altered.

Other speakers included Anthony Clark and Danny Quist of Offensive Computing, who gave a talk on "Malware Secrets," based on their research and collection of 275,000 malware samples. Their talk included an overview of the economics of malware, which I believe is essential for understanding how best to combat it. They looked at the underground economy fairly narrowly focused on malware itself, and the cycle of its production, use, reverse engineering by whitehats, the development of antivirus patterns, and then demand for new undetectable malware, and observed that in that particular cycle it's probably the legitimate security companies such as antivirus and IDS vendors who make the most money. They didn't really look at the broader features of the underground economy, such as how botnets are used as infrastructure for criminal enterprises, or the division of criminal labor into different roles to disperse risk, though they certainly mentioned the use of compromised machines for spamming and phishing attacks. They skipped over some of the technical details of their work on automating the unpacking and decryption of malware, which was probably appropriate given the mixed levels of technical background in this audience. A particularly noteworthy feature of their research was their list of features of antivirus software that should be examined when making a purchase decision--performance, detection rates, miss rates, false positive rates, system intrusiveness, a product's own security, ease of mass deployment, speed, update frequency, use of signatures vs. other detection methods, ability to clean, capabilities with various categories of malware (rootkits, trojans, worms, backdoors, spyware), and ability to detect in real time vs. during a scan.

Alex Quintana of Sandia National Labs also spoke about current trends in malware, in the most frightening talk of the conference. He talked about how malware has gone from something that attacks exposed servers on the Internet to something that individual clients pull to their machines from the Internet, usually via drive-by downloads. He demonstrated real examples of malware attacks via web pages and via Shockwave Flash, PowerPoint, and Word documents, and explained how one of his colleagues has coined the word "snares" for emails or web pages that lure individuals into targeted drive-by malware downloads. There was a wealth of interesting detail in his presentation, about trojans that use covert tunnels and hiding techniques, injecting themselves into other running processes, using alternate data streams, and obfuscated information in HTTP headers and on web pages. One trojan he described rides on removable media such as USB thumbdrives and runs when inserted into a PC thanks to Windows Autorun; it drops one component that phones home to accept instructions from a command and control server, and another that causes the malware to be written out on any other removable device inserted into the machine. It's a return of the old-fashioned virus vector of moving from machine to machine via removable media rather than over the network.

From law enforcement, there were presentations from Melissa McBee-Anderson of the Internet Crime Complaint Center (IC3, another public-private partnership, which acts as a clearinghouse for Internet crime complaints and makes referrals of complaints to appropriate federal, state, local, and international law enforcement agencies) and from various agents of the Cyber Squad of the Albuquerque FBI office. These presentations were somewhat disappointing in that they demonstrated how huge the problem is, yet how few prosecutions occur. For example, after the 2004 tsunami disasters, there were over 700 fake online charities set up to prey on people's generosity after a disaster, yet only a single prosecution came of it. In 2005, the number of fake online charities for hurricanes Katrina and Rita was over 7,000, yet only five prosecutions came of those, including one in Albuquerque. Yet even that "successful" prosecution led to no jail time, only community service and probation. Frank Abagnale's presentation also included some woeful statistics about prosecutions for white collar crime and check fraud that explicitly made the same point that was implicit in several of the law enforcement presentations. To IC3's credit, however, they showed an example of a link chart generated from their crime complaint data, a very tiny portion of which was brought to them by a law enforcement agency seeking more information, the rest of which came from multiple received complaints. That link chart showed many interconnected events by five organized fraud gangs. Ms. McBee-Anderson also reported on successful international prosecutions against individuals at Lagos, Nigeria's "walking Wal-Mart," where people were selling goods purchased with stolen credit card information and using forged cashier's checks. (I'm still amazed that anyone actually falls for the Nigerian online fraud schemes, but they do.)

The conference did a good job of making clear some specific threats and offering recommendations on necessary (yet unfortunately individually insufficient) defenses. It's quite clear that relying solely on law enforcement to provide you with a remedy after the fact is a bad idea. It's essential that private enterprises take preventative measures to protect themselves, and use a layered, defense-in-depth approach to do so.
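The removable-media trojan described in the Sandia talk depends on Windows Autorun honoring an autorun.inf on the inserted drive. As an added example (not code from the conference or from this blog), here is a defender-side check that parses an autorun.inf and reports any directive that would launch a program from the volume; the two sample files are constructed, and the directive names are the standard Windows ones.

```python
# Added example (not from the original post): a defender-side check for the
# removable-media propagation pattern described above. It parses the contents
# of an autorun.inf file and reports directives that would make Windows Autorun
# launch a program from the drive. Sample inputs below are constructed.
import os
import re
import sys
from dataclasses import dataclass

# Extensions Windows will execute directly when named in a launch directive.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                         ".vbs", ".js", ".wsf", ".hta"}
# Keys in [autorun] that name a program to run rather than a label or icon.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... binds a program to an Explorer context-menu verb.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


@dataclass
class Finding:
    key: str        # the autorun.inf directive, lowercased
    program: str    # the program path extracted from the directive's value
    severity: str   # "high" if the target is an executable, else "medium"


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: [(key, value), ...]}.
    Section and key names are lowercased because Windows ignores case."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line[0] in ";#":
            continue                       # blank line or comment
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                       # stray text outside any section
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def program_from_value(value):
    """Return the program path from a directive value such as 'setup.exe /s'
    or '"my app.exe" -quiet', dropping quotes and command-line arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value.split() else ""


def assess_autorun(text):
    """Return a Finding for each directive in [autorun] that launches a program."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key not in LAUNCH_KEYS and not SHELL_COMMAND.match(key):
            continue                       # icon=, label=, shell= (default verb) etc.
        program = program_from_value(value)
        ext = os.path.splitext(program.replace("\\", "/"))[1].lower()
        # No extension is also "high": Windows will try the .exe form.
        severity = "high" if ext in EXECUTABLE_EXTENSIONS or ext == "" else "medium"
        findings.append(Finding(key, program, severity))
    return findings


def is_suspicious(text):
    """True if the autorun.inf would cause a program to be launched."""
    return any(f.severity == "high" for f in assess_autorun(text))


def scan_volume_root(root):
    """Read <root>/autorun.inf if present (e.g. a mounted removable drive) and
    report its launch directives plus whether each target exists on the volume."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        findings = assess_autorun(fh.read())
    return [(f, os.path.exists(os.path.join(root, f.program.replace("\\", os.sep))))
            for f in findings]


# Constructed samples: a harmless vendor file versus one that launches a binary
# from a subfolder on insertion and also binds the Explorer "Open" verb to it.
BENIGN_INF = "[autorun]\r\nicon=vendor.ico\r\nlabel=Holiday photos\r\n"
DROPPER_INF = ("[autorun]\r\n"
               "open=drivers\\setup.exe\r\n"
               "shellexecute=drivers\\setup.exe\r\n"
               "shell\\open\\command=drivers\\setup.exe\r\n"
               "shell=open\r\n"
               "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("dropper", DROPPER_INF)):
        print(name, "suspicious" if is_suspicious(inf) else "clean", assess_autorun(inf))
    for root in sys.argv[1:]:           # optionally scan mounted volume roots
        print(root, scan_volume_root(root))
```

Windows's own INI parsing is more lenient than this parser, so treat a clean result as best-effort; the durable mitigation is to disable Autorun for removable drives by policy (the NoDriveTypeAutoRun policy value) rather than to inspect each file.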

UPDATE (23 October 2022): Note that Frank Abagnale's life story of con artistry turned out itself to be a con, as documented in Alan C. Logan's book, The Greatest Hoax on Earth: Catching Truth, While We Can (2020).

Saturday, February 23, 2008

More InfraGard FUD and misinformation

Gary D. Barnett, president of a financial services firm in Montana, has written an article about InfraGard for The Future of Freedom Foundation, apparently inspired by the Progressive article. Thankfully, he avoids the bogus "shoot to kill" claims, but he introduces some erroneous statements of his own. It's apparent that he didn't bother speaking to anyone in InfraGard or doing much research before writing his article, which is another attempt to spread fear, uncertainty, and doubt about the program.

Barnett first goes wrong when he writes:

InfraGard’s stated goal “is to promote ongoing dialogue and timely communications between members and the FBI.” Pay attention to this next part:

Infragard members gain access to information that enables them to protect their assets and in turn give information to government that facilitates its responsibilities to prevent and address terrorism and other crimes.
I take from this statement that there is a distinct tradeoff, a tradeoff not available to the rest of us, whereby InfraGard members are privy to inside information from government to protect themselves and their assets; in return they give the government information it desires. This is done under the auspices of preventing terrorism and other crimes. Of course, as usual, “other crimes” is not defined, leaving us to guess just what information is being transferred.
First, there isn't a "distinct tradeoff." There is no "quid pro quo" required of InfraGard members. All InfraGard members get the same access to bulletins as the others, regardless of whether they share information back. There are some specific sector-oriented subgroups that share information only with each other (and such private groups also exist independently of InfraGard, such as the sector Information Sharing and Analysis Centers, or ISACs). The FBI may come to a company from time to time with specific threat information relevant to them (I've seen this happen once with respect to my own company), but that happens whether a company is a member of InfraGard or not. (Where InfraGard membership might give added benefit is that the FBI knows that the InfraGard member has undergone some rudimentary screening. There are companies that are set up and run by con artists, as well as by foreign intelligence agents, believe it or not, and where there is apparent risk of such a setup, the FBI is obviously going to be less forthcoming than with somebody they already know.)

Second, "not available to the rest of us" suggests that InfraGard membership is difficult to come by. It's not. I suspect Mr. Barnett himself could be approved, as could whoever does IT security for his company.

Third, there's no need to guess about the "other crimes." The FBI's own priority list tells you:

1. Protect the United States from terrorist attack. (Counterterrorism)
2. Protect the United States against foreign intelligence operations and espionage. (Counterintelligence)
3. Protect the United States against cyber-based attacks and high-technology crimes. (Cyber crime)
4. Combat public corruption at all levels.
5. Protect civil rights.
6. Combat transnational/national criminal enterprises.
7. Combat major white collar crime.
8. Combat significant violent crime.
9. Support federal, state, local, and international partners.
10. Upgrade technology to successfully perform the FBI's mission.

Some might question this list, in particular #5, on the basis of the FBI's past record, but my interactions with law enforcement lead me to believe that there are many who do take #5 quite seriously and would challenge and speak out against actions contrary to it. I was at an InfraGard conference in New Mexico yesterday at which an exchange occurred that went something like this:

Me: I work for a global telecommunications company.
He: You're not one of those companies that's been eavesdropping on us, are you?
Me: No.
He: Good.

"He" was a member of New Mexico's InfraGard--and a member of law enforcement. I'll have more to say about warrantless wiretapping in a moment.

The real issue with this list is that the top two are probably misplaced, and 6-8 (and #10!) have been suffering, as I've previously written about.

Barnett goes on:
Since these members of InfraGard are people in positions of power in the “private” sector, people who have access to a massive amount of private information about the rest of us, just what information are they divulging to government? Remember, they are getting valuable consideration in the form of advance warnings and protection for their lives and assets from government. This does not an honest partnership make; quite the contrary.
There are several key ways in which private industry helps the FBI through InfraGard. One is securing their own infrastructure against attacks so that it doesn't create a problem that the FBI needs to devote resources to. Two is bringing criminal issues that are identified by private companies to the attention of the FBI so that it can investigate and bring prosecutions. Three is assisting the FBI in its investigations by explaining the meaning of evidence that requires technical skills to understand, and giving agents guidance in how to successfully track down criminals.

Barnett goes on to talk about Rep. Jane Harman's bill in Congress, HR1955/S.1959, which I've also briefly commented on at this blog, and makes some significant errors of fact. He writes that this bill "if passed, will literally criminalize thought against government." That's false--the bill doesn't criminalize anything, it just creates a commission that will write a report and make recommendations. That commission has no law enforcement powers of any kind, not even the power of subpoena. Barnett also mistakenly thinks that this bill contains a reference to InfraGard. He writes:
S.1959, if passed, will be attached to the Homeland Security Act and InfraGard is already a part of the Department of Homeland Security. This is not a coincidence. Under section 899b of S.1959 it is stated:
Preventing the potential rise of self radicalized, unaffiliated terrorists domestically cannot be easily accomplished solely through traditional Federal intelligence or law enforcement efforts, and can benefit from the incorporation of State and local efforts.

This appears to be a direct reference to the InfraGard program.

The reference to "the incorporation of State and local efforts" into "traditional Federal intelligence or law enforcement efforts" in counterterrorism contains no reference to private partnerships, only to combining law enforcement efforts at federal, state, and local levels. This is a reference to what are called "fusion centers," like the Arizona Counter-Terrorism Information Center (ACTIC). The people who work in those centers are people from government agencies (at the federal, state, and local levels) with government security clearances. InfraGard in Phoenix does partner with ACTIC, which in practice means that ACTIC representatives give presentations to InfraGard (all of which I believe have also been open to the general public), ACTIC shares threat information with InfraGard much like the FBI does, and that InfraGard members are encouraged to report potential terrorist tip information to ACTIC. (ACTIC also encourages the general public to do this, which I think is far more likely to waste resources than identify any actual terrorists.)

Note that Barnett is mistaken when he writes that InfraGard is part of the Department of Homeland Security. InfraGard is not a government agency or part of a government agency--it is a non-governmental organization, or actually a collection of non-governmental organizations, which are 501(c)(3) nonprofits, with leadership provided by board members who are InfraGard members. Each chapter has a coordinator from the FBI who is not on the board. The FBI provides guidance and suggestions, but the organizations are run by the boards.

Now Barnett goes into Matt Rothschild territory when he writes: "I’m just speculating, of course, but is it possible that InfraGard will be a domestic police and spying arm for the government concerning “thought crime”?" It's not just speculation, it's uninformed speculation. InfraGard is not part of government and has no police powers of any kind. I've previously addressed the degree to which I think the "spying" is a risk--I think it's relatively low, but worth talking about.

Barnett continues in a Rothschild vein when he says "InfraGard, on the other hand, is an organization cloaked in secrecy. It holds secret meetings with the FBI." This talk of InfraGard being "cloaked in secrecy" is grossly exaggerated. The group has fairly open membership and most meetings are open to the public. When there are meetings restricted to membership, those typically wouldn't be accurately described as "secret meetings with the FBI." I and other members of InfraGard have had private meetings with FBI agents with respect to particular investigations, but it would be inaccurate to describe those as "InfraGard meetings." Law enforcement by its very nature requires a high degree of confidentiality for ongoing investigations, but it is a mistake to infer that this means conspiratorial plotting or spying.

Towards the end of his article, Barnett talks about warrantless wiretapping, telecom immunity, and the secrecy of InfraGard membership:
Considering the recent attempts by President Bush and his administration to protect many telecommunications companies and executives from prosecution for releasing private information, how many of the top telecom executives are members of InfraGard? I, for one, would be very interested in this information, but alas, it is not public information; it is secret.
What's the sense in which InfraGard membership is secret? Only in that it's not made available to the general public. Barnett writes that "no one outside InfraGard is to know who is a member unless previous approval has been given," but this is his misinterpretation of a guideline he quotes, not what it says. There's nothing prohibiting an InfraGard member from identifying themselves as such, only from identifying others as such without their consent. And if you're going to speak on behalf of InfraGard, you need to get approval from the organization first. (And note that I'm not speaking on behalf of InfraGard here, and have had no approval from InfraGard for what I've written on my blog.) If you're an InfraGard member, you have access to the online directory of InfraGard members. If Barnett is really interested in knowing who is a member, all he has to do is join.

As for "how many of the top telecom executives are members of InfraGard," I haven't looked, but I would be willing to wager that the answer is none. I know that none of the members of the "Senior Leadership Team" of my company are members of InfraGard, though my boss, our VP of Global Security, heads the Rochester, NY chapter of InfraGard. Senior executives of large corporations don't have time or interest to belong to InfraGard, and it's not really geared to them, as opposed to members of their physical and IT security organizations.

And as for warrantless wiretapping (I said I'd get back to it), InfraGard has nothing to do with that and it's foolish to think that it would. That activity has involved direct relationships between incumbent telecom providers (AT&T certainly, and probably Verizon as well) and the National Security Agency, with information restricted to employees holding government security clearances on a "need to know" basis, as the ACLU and EFF lawsuits have revealed. These relationships also probably include commercial relationships, and have included movement of personnel from one to the other--for example, AT&T has a Director of Government Solutions who came from the NSA. InfraGard members, many if not most of which hold no government security clearances, are not in the loop on that activity. (For that matter, I suspect few FBI personnel are in the loop on that, either.)

I find it discouraging that articles like Barnett's are written and published. Such inaccurate information serves to distract from real issues and real government abuses and to discredit those who repeat it, when they have other things to say that are worth hearing, paying attention to, and acting upon. I hope that Barnett and FFF will strive for greater accuracy in the future.

Thursday, February 21, 2008

Canada busts 17 in botnet ring

This morning Canada arrested 17 people aged 17 to 26 for running botnets containing "up to one million computers" in 100 countries. They face charges that could result in up to 10 years in prison.

This barely scratches the surface of online criminal activity. Niels Provos of Google did a study (PDF) that found that of 4.5 million websites scanned between March of 2006 and February of 2007, 450,000 of them attempt to load malware on visiting machines. Sophos' similar survey in July of last year found that 29% of websites host malware, 28% host porn or gambling content, and 19% are spam-related. Drive-by malware installations (where merely visiting a website causes malware to be loaded onto your machine) are definitely the method of choice for creating botnets today. I recommend using Firefox with the NoScript plugin and the MyWOT plugin to help prevent getting infected by such sites.

Tomorrow, I'll be attending a New Mexico InfraGard conference at which I hope to learn more about recent malware trends (and get my copy of Catch Me If You Can and/or The Art of the Steal autographed by their author). This is another one open to the general public, so I expect no talk about "shoot to kill" powers except in jest.

UPDATE (February 22, 2008): I'm quoted in Brian Jackson's article on the Quebec botnet hacker bust on itbusiness.ca. I'm not entirely happy with the quotes attributed to me--I didn't say "tens of millions," though I said there have been botnets with more than a million hosts, and there are multiple millions of compromised hosts out there. If tens of millions is not accurate today, it will be in the future. The other quotation about IRC got a little bit garbled, but is not far off--I made the point that the bots of today have evolved from a combination of IRC bots of the past combined with denial of service attack tools, remote access trojans, and other malware, and many of them still use IRC as their mode of communication.

Friday, February 15, 2008

FBI responds to "shoot to kill" claims about InfraGard

The FBI has issued an official response to Rothschild's Progressive article (PDF), which says, in part:
In short, the article's claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to "shoot to kill" than other civilians. The FBI encourages InfraGard members -- and all Americans -- to report crime and suspected terrorist activity to the appropriate authorities.
The FBI response also states that Rothschild has "refused even to identify when or where the claimed 'small meeting' occurred in which issues of martial law were discussed," and promises to follow up with further clarifying details if they get that information.

I've updated my own response to Rothschild to include the above information.

Wednesday, February 13, 2008

Pentagon-commissioned Rand report on Iraqi occupation

A Pentagon-commissioned study from the Rand Corporation on U.S. military occupation in the Middle East, titled "War by Other Means: Building Complete and Balanced Capabilities for Counterinsurgency," argues that the U.S. military efforts are "at best inadequate, at worst counter-productive, and, on the whole, infeasible":

The United States should instead focus its priorities on improving "civil governance" and building "local security forces," according to the report, referring to those steps as "capabilities that have been lacking in Iraq and Afghanistan."

"Violent extremism in the Muslim world is the gravest national security threat the United States faces," said David C. Gompert, the report's lead author and a senior fellow at Rand. "Because this threat is likely to persist and could grow, it is important to understand the United States is currently not capable of adequately addressing the challenge."

The report argues for some of the things that have been done as part of the "surge," such as training and equipping local security forces, but maintains that this needs to be done by professional police trainers, not by the military. Building local governments, an efficient and fair justice system, and accessible mass education are also recommendations. A bullet list of recommendations:

  • American military forces can't keep up with training local militaries to match the growth of Muslim insurgent groups and that must improve. Police should be trained by professional police trainers.
  • American military prowess should focus "on border and coastal surveillance, technical intelligence collection, air mobility, large-scale logistics, and special operations against high-value targets."
  • A new information-sharing architecture should be created. This "Integrated Counterinsurgency Operating Network" would promote "universal cell phone use, 'wikis' and video monitoring." [They could call it InfraGard Iraq.]
  • "Pro-America" themes should be dropped "in favor of strengthening local government" and emphasizing the failure of jihadists to meet people's needs.
  • U.S. allies and international organizations, such as NATO, the European Union, and the United Nations could help the United States in areas such as "building education, health and justice systems, and training police and" military forces that perform civilian police duties.
Friday, February 08, 2008

Tinfoil hat brigade generates fear about Infragard

An article in The Progressive by Matthew Rothschild worries that the FBI's InfraGard program is deputizing businesses, training them for martial law, and giving them a free pass to "shoot to kill." Rothschild writes:
The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does—and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to “shoot to kill” in the event of martial law.
Nonsense. I've been a member of the Phoenix InfraGard Members Alliance for years. It's a 501(c)(3) organization sponsored by the FBI whose members have been subjected to some rudimentary screening (comparable to what a non-cleared employee of the federal government would get). Most InfraGard meetings are open to the general public (contrary to Rothschild's statement that "InfraGard is not readily accessible to the general public"), but the organization facilitates communications between members about sensitive subjects like vulnerabilities in privately owned infrastructure and the changing landscape of threats. The FBI provides some reports of threat information to InfraGard members through a secure website, which is unclassified but potentially sensitive information. InfraGard members get no special "shoot to kill" or law enforcement powers of any kind--and membership in the organization is open to anyone who can pass the screening. As Rothschild notes in the first sentence of his article, there are over 23,000 members--that is a pretty large size for a conspiracy plot.

At one point in the article, Rothschild quotes InfraGard National Members Alliance chairman Phyllis Schneck referring to a "special telecommunications card that will enable your call to go through when others will not." This is referring to a GETS card, for the Government Emergency Telecommunications Service, which provides priority service for call completion in times of emergency or disaster to personnel who are working to support critical infrastructure. There is a similar service for wireless priority (Wireless Priority Service), and yet another for critical businesses and organizations (like hospitals) which need to have their telecommunications service re-established first after a loss of service due to disaster (Telecommunications Service Priority). These programs are government programs that are independent of InfraGard, though InfraGard has helped members who represent pieces of critical infrastructure obtain GETS cards.

The ACLU's concern about InfraGard being used as a tip line to turn businesses into spies is a more plausible but still, in my opinion, unfounded concern. Businesses are not under any pressure to provide information to InfraGard, other than normal reporting of criminal events to law enforcement. The only time I've been specifically asked to give information to InfraGard is when I've been asked to speak at a regular meeting, which I've done a few times in talks that have been open to the public about malware threats and botnets.

Check out the comments in The Progressive for some outright hysteria about fascism and martial law. I saw similar absurdity regarding the Department of Homeland Security's TOPOFF 4 exercise, which was a sensible emergency planning exercise. Some people apparently are unable to distinguish common-sense information sharing and planning in order to defend against genuine threats from the institution of a fascist dictatorship and martial law.

Now, I think there are plausible criticisms to be made of the federal government's use of non-governmental organizations--when they're used to sidestep laws and regulations like the Freedom of Information Act, to give lots of government grant money to organizations run by former government employees, to legally mandate funding of and reporting to private organizations and so forth. The FBI has created quite a few such organizations to do things like collect information about missing and exploited children, online crime, and so forth, typically staffed by former agents. But personally, I've not witnessed anything in InfraGard that has led me to have any concerns that it's being used to enlist private businesses into questionable activities--rather, it's been entirely devoted to sharing information that private businesses can use to shore up their own security and for law enforcement to prosecute criminals.

UPDATE (February 9, 2008): The irony is that Matthew Rothschild previously wrote, regarding 9/11 truthers:
We have enough proof that the Bush administration is a bunch of lying evildoers. We don't need to make it up.
He's right about that, but he's now helped spread nonsense about InfraGard and seriously damaged his own credibility. I find it interesting that people are so willing to conclude that InfraGard is a paramilitary organization, when it's actually an educational and information sharing organization that has no enforcement or even emergency, disaster, or incident response function (though certainly some of its members have emergency, disaster, and incident response functions for the organizations they work for).

UPDATE (February 10, 2008): I suspect tomorrow Christine Moerke of Alliant Energy will be getting calls from reporters asking what specifically she confirmed. I hope they ask for details about the conference in question, whether it was run by InfraGard or DHS, what the subject matter was, and who said what. If there's actually an InfraGard chapter endorsing the idea that InfraGard members form armed citizen patrols authorized to use deadly force in time of martial law, that's a chapter that needs to have its leadership removed. My suspicion, though, is that some statements about protection of infrastructure by their own security forces in times of disaster or emergency have been misconstrued. Alliant Energy operates nuclear plants, nuclear plants do have armed guards, and in Arizona, ARS 13-4903 describes the circumstances under which nuclear plant security officers are authorized to use deadly force. Those people, however, are thoroughly trained and regularly tested regarding the use of force and the use of deadly force in particular, which is not the case for InfraGard members.

UPDATE (February 11, 2008): Somehow, above, I neglected to make the most obvious point--that the FBI doesn't have the authority to grant immunity to prosecution for killing. If anyone from the FBI made that statement to InfraGard members, they were saying something that they have no authority to deliver on.

UPDATE (February 12, 2008): I've struck out part of the above about the ACLU's concern about spying being unfounded, as I think that's too strong of a denial. There is a potential slippery slope here. The 9/11 Commission Report pointed to various communication problems that led to the failure to prevent the 9/11 attacks. These problems included failure to share information (mainly from the CIA to the FBI and INS), failure to communicate information within the FBI (like Phoenix Special Agent Ken Williams' memo about suspicious Middle Easterners in flight schools), and failure to have enough resources to translate NSA intercepts (some specific chatter about the attacks was translated after the attacks had already occurred). As a result, the CIA has been working closely with the FBI on counterterrorism and counterintelligence at least since 2001. (Also see Dana Priest, "CIA Is Expanding Domestic Operations," The Washington Post, October 23, 2002, p. A02, which is no longer available on the Post's site but can be found elsewhere on the web, on sites whose other content is so nutty I refuse to link, as well as this January 2006 statement from FBI Director Robert Mueller on the InfraGard website, which includes the statement that "Today, the FBI and CIA are not only sharing information on a regular basis, we are exchanging employees and working together on cases every day.")

    The slippery slope is this--the CIA is an organization which recruits and develops in its officers a sense of flexible ethics which has frequently resulted in incredible abuses, and which arguably has done more harm than good to U.S. interests. (My opinion on the CIA may be found in my posts on this blog labeled "CIA"; I highly recommend Tim Weiner's Legacy of Ashes: The History of the CIA.) Some of that ethical flexibility may well rub off on FBI agents who work closely with CIA case officers. (The FBI itself has also had a history of serious abuses, an objective account of which may be found in Ronald Kessler's book The Bureau: The Secret History of the FBI.) And then, that same ethical flexibility may rub off on InfraGard members as a result of their relationships with the FBI (and potentially relationships with the CIA, as well). The intelligence community seems to have a hunger for more and more information from more and more sources, but it is already awash in a sea of information that it has trouble processing today. (It doesn't help that the Army fires direly needed Arabic translators because they are gay.) The need is to accurately assess the information that it has, and ensure that bits and pieces aren't cherry-picked to produce desired conclusions, as well as ensure that information isn't sought or assembled to serve personal and political ends of particular interests rather than combatting genuine threats to the country and its citizens.

    My recommendation is that all InfraGard members read Kessler's The Bureau, Weiner's Legacy of Ashes, and view the film that won the 2007 Academy Award for best foreign film, "The Lives of Others," to help inoculate them against such a slippery slope.

    UPDATE: Amy Goodman interviewed Matt Rothschild for "Democracy Now!" on Wisconsin Public Television, in which it is pretty clear to me that Rothschild is exaggerating something he doesn't understand--what he cites as evidence doesn't support what he claims. Here's a key excerpt, see the link for the full transcript:
    MR: [...] And one other member of InfraGard [Christine Moerke of Alliant Energy] confirmed to me that she had actually been at meetings and participated in meetings where the discussion of lethal force came up, as far as what businesspeople are entitled to do in times of an emergency to protect their little aspect of the infrastructure.
    AG: But just to clarify, Matt Rothschild, who exactly is empowered to shoot to kill if martial law were declared? The business leaders themselves?
    MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told.
    [...]
    You know, this is a secretive organization. They’re not supposed to talk to the press. You need to get vetted by the FBI before you can join it. They get almost daily information that the public doesn’t get. And then they have these extraordinary, really astonishing powers being vested in them by FBI and Homeland Security, shoot-to-kill powers. I mean, this is scary stuff.
    It looks to me like the following transformation has occurred:

    1. At a DHS conference on emergency response, somebody asks if owners of critical pieces of infrastructure should be expected to use deadly force if necessary to protect it (e.g., a nuclear power plant).
    2. Somebody at DHS answers yes. They may even add that in some cases the law provides specific justification for use of deadly force (as in the Arizona statute I cite above).
    3. Matt turns that into a general right to "shoot-to-kill" in times of martial law by any InfraGard member.
    4. The blogosphere turns that into roving citizen patrols unleashed on the nation as the Bush hit squad after declaration of martial law.

    I don't see his key source--Christine Moerke--confirming anything beyond #1 and #2.

    Note other exaggerations and contradictions--Rothschild claims that InfraGard is highly secretive and selective, yet has quickly grown to over 23,000 members and has multiple public websites. He fails to note that most InfraGard meetings are open to the general public, or that it has been discussed in many articles in the national press over the last decade. Rothschild speaks of "business leaders," which the blogosphere has turned into "CEOs," yet I suspect the most common "business leader" represented in InfraGard is an IT or physical security manager.

    UPDATE (February 15, 2008): The FBI has issued an official response to Rothschild's Progressive article (PDF), which says, in part:
    In short, the article's claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to "shoot to kill" than other civilians. The FBI encourages InfraGard members -- and all Americans -- to report crime and suspected terrorist activity to the appropriate authorities.
    The FBI response also states that Rothschild has "refused even to identify when or where the claimed 'small meeting' occurred in which issues of martial law were discussed," and promises to follow up with further clarifying details if they get that information.

    UPDATE (February 25, 2008): Here's another blogger with a rational response to The Progressive article.

    UPDATE (March 2, 2008): Matthew Rothschild has responded to the FBI's response on Alex Jones' Info Wars blog, and he stands behind every word of his original article. He doesn't display any knowledge of or response to any of the criticisms I've offered.

    Friday, June 09, 2006

    Information Security Index

    This post is an index to posts at The Lippard Blog on the subject of information security. This is probably not a complete list; I've tended to exclude posts labeled "security" that don't specifically touch on information security and may have over-excluded.

    "Richard Bejtlich reviews Extreme Exploits" (August 16, 2005) Link to Richard Bejtlich review of Extreme Exploits, a book I was the technical editor on.

    "Sony's DRM--not much different from criminal hacking" (November 2, 2005) Summary and link to Mark Russinovich's exposure of the Sony rootkit DRM.

    "Defending Against Botnets" (November 3, 2005) Link to my presentation on this subject at Arizona State University.

    "Sony DRM class action lawsuits" (November 10, 2005) Comment on the Sony rootkit class action lawsuits.

    "Another Botnet Talk" (December 11, 2005) Comment on my December botnet talk for Phoenix InfraGard, with links to past botnet presentations.

    "Major flaw in Diebold voting machines" (December 23, 2005) A flaw that allows preloading votes on a memory card for Diebold voting machines in an undetectable way.

    "The Windows Meta File (WMF) exploit" (January 3, 2006) Description of an at-the-time unresolved Windows vulnerability.

    "New Internet consumer protection tool--SiteAdvisor.com" (January 25, 2006) Report on SiteAdvisor.com tool (now a McAfee product).

    "Pushing Spyware through Search" (January 28, 2006) Ben Edelman's work on how Google is connected to spyware by accepting paid advertising from companies that distribute it.

    "Database error causes unbalanced budget" (February 17, 2006) How a house in Indiana was incorrectly valued at $400 million due to a single-keystroke error, leading to wrongly increased budgets and distribution of funds on the expectation of property tax revenue.

    "The Security Catalyst podcast" (February 18, 2006) Announcement of Michael Santarcangelo's security podcast.

    "Controversial hacker publishes cover story in Skeptical Inquirer" (February 19, 2006) Critique of Carolyn Meinel's article about information warfare.

    "Even more serious Diebold voting machine flaws" (May 14, 2006) Hurst report on new major flaws found in Diebold voting machines.

    "Botnet interview on the Security Catalyst podcast" (May 23, 2006) Link to part I of my interview on botnets with Michael Santarcangelo.

    "Part II of Botnets Interview" (June 4, 2006) Link to part II of my botnets interview.

    "'Banner farms' and spyware" (June 12, 2006) Ben Edelman's exposure of Hula Direct's "banner farms" used to deliver ads via spyware.

    "When private property becomes the commons" (June 12, 2006) Consumer PCs as Internet "commons," economics and information security.

    "Network security panel in Boston area" (June 12, 2006) Announcement of a public speaking gig.

    "Identity Crisis: How Identification is Overused and Misunderstood" (July 6, 2006) Quotation from Tim Lee review of book by Jim Harper with this title.

    "9th Circuit approves random warrantless searches and seizures of laptops" (July 28, 2006) Bad decision granting border police the right to perform full forensic examination of the hard drives of laptops carried by people wanting to cross the U.S. border.

    "Is it worth shutting down botnet controllers?" (August 18, 2006) A response to remarks by Gadi Evron and Paul Vixie that it is no longer worth shutting down botnet controllers.

    "The ineffectiveness of TRUSTe" (September 29, 2006) A larger proportion of sites with TRUSTe certification are marked as untrustworthy in SiteAdvisor's database than of those that don't have TRUSTe certification.

    "The U.S. no-fly list is a joke" (October 5, 2006) The no-fly list has major flaws, listing people who aren't a threat and not listing people who are--and presuming that terrorists will be identifiable by their names.

    "How planespotting uncovered CIA torture flights" (October 20, 2006) How an unusual hobby allowed for traffic analysis to uncover CIA torture flights.

    "Point out the obvious, get raided by the FBI" (October 29, 2006) Chris Soghoian gets raided by the FBI after putting up a web page that allows generation of Northwest Airlines boarding passes.

    "Electronic voting machines in Florida having problems in early voting" (October 31, 2006) A report on voting machines registering votes for the wrong candidate due to touch screen calibration issues.

    "The Two Faces of Diebold" (November 5, 2006) The difference between the public and private versions of SAIC's report on Diebold voting machine vulnerabilities.

    "FBI eavesdropping via cell phones and OnStar" (December 4, 2006) Reports of vulnerabilities in newer cell phones that allow them to be used as listening devices even when powered off.

    "Time to Stop Using Microsoft Word" (December 7, 2006) New unpatched malicious code execution vulnerability in most versions of Word.

    "Staffer for Congressman tries to hire hacker to change grades" (December 22, 2006) Todd Shriber's failed attempt to retroactively improve his college career.

    "My bank is on the ball" (January 6, 2007) My bank prevents theft of my money.

    "Skeptical information and security information links" (January 23, 2007) Promotion of my security links and skeptical links sites.

    "Schoolteacher convicted on bogus charges due to malware" (February 4, 2007) Connecticut teacher Julie Amero successfully prosecuted for showing porn to kids, when in fact it was the result of malware on a machine the school district refused to pay for antivirus software on.

    "McCain proposes an unfunded mandate for ISPs" (February 7, 2007) McCain sponsors a bill to force ISPs to scan all traffic for and report child porn images they find.

    "Warner Music: We'd rather go out of business than give customers what they want" (February 9, 2007) Warner Music says no way to DRM-free music.

    "The economics of information security" (February 13, 2007) Ross Anderson and Tyler Moore paper on the economics of infosec.

    "How IPv6 is already creating security problems" (February 19, 2007) Apple AirPort allows bypass of firewall rules via IPv6.

    "Windows, Mac, and BSD Security" (March 8, 2007) Amusing video parody comparing the OSes.

    "Bob Hagen on botnet evolution" (March 9, 2007) My former colleague on trends in botnets.

    "The rsync.net warrant canary" (March 25, 2007) How rsync.net will communicate whether it receives a National Security Letter without breaking the law.

    "FBI focus on counterterrorism leads to increase in unprosecuted fraud and identity theft" (April 11, 2007) The law of unintended consequences strikes again.

    "Banning the distribution of AACS keys is futile" (May 3, 2007) You can't stop the communication of a 128-bit number as though it's proprietary.

    "CALEA compliance day" (May 14, 2007) Commemoration of the day that VoIP providers have to be CALEA-compliant.

    "Spying on the homefront" (May 14, 2007) PBS Frontline on FBI misuse of National Security Letters and NSA eavesdropping.

    "The bots of summer" (June 6, 2007) Report on some media coverage of my botnet interview with the Security Catalyst from 2006.

    "Microsoft's new Turing Test" (June 12, 2007) It's not often I get to combine animal rescue and information security topics, but this is one--using animal pictures to authenticate.

    "Operation Bot Roast" (June 14, 2007) FBI prosecution of some botnet people.

    "Google thinks I'm malware" (July 13, 2007) Google stops returning results to me in some cases because my behavior looks like malware activity.

    "Asking printer manufacturers to stop spying results in Secret Service visit?" (July 14, 2007) MIT Media Lab project to get people to complain to printer manufacturers about their secret coding of serial numbers, which got one person a visit from the USSS.

    "A marketplace for software vulnerabilities" (July 29, 2007) WabiSabiLabi's abortive attempt to create a market for the sale and purchase of vulnerability information.

    "Another Sony rootkit" (September 5, 2007) F-Secure finds another Sony product that installs a rootkit--the Sony MicroVault USM-F memory stick (now off the market).

    "Anti-P2P company suffers major security breach" (September 16, 2007) Media Defender gets hacked.

    "Microsoft updates Windows XP and Vista without user permission or notification" (September 17, 2007) Nine executables get pushed to everybody even if Windows update is turned off--except for corporate SMS users.

    "Lessons for information security from Multics" (September 19, 2007) Paul Karger and Roger Schell's paper on Multics gets attention from Bruce Schneier.

    "Hacker finds vulnerability in Adobe Reader" (September 24, 2007) The era of attacks on applications rather than OSes gets a boost.

    "Break-in at CI Host colo facility" (November 4, 2007) The role of physical security for websites.

    "Spammers and criminals for Ron Paul" (November 6, 2007) Botnets used to send spam promoting Ron Paul.

    "Macintosh security lags behind Windows and BSD" (November 8, 2007) Rundown on new Mac security features, some of which are negative in effect.

    "Multics source code released" (November 13, 2007) Multics becomes open source.

    "Untraceable looks unwatchable" (December 18, 2007) A post that generated a huge amount of response, about the Diane Lane movie that flopped at the box office, before it came out.

    "Notorious major spammer indicted" (January 3, 2008) Alan Ralsky may actually get what he deserves.

    "Boeing 787 potentially vulnerable to passenger software-based hijacking" (January 8, 2008) Passenger Internet access for the Boeing 787 is physically connected to the network for communication and navigation.

    "'Anonymous' launches 'war' against Scientology" (January 22, 2008) Denial of service attacks and other pranks against Scientology.

    "Tinfoil hat brigade generates fear about Infragard" (February 8, 2008) Response to Matt Rothschild's article in The Progressive claiming that InfraGard members have the right to "shoot to kill" when martial law is declared.

    "FBI responds to 'shoot to kill' claims about InfraGard" (February 15, 2008) Commentary and link to the FBI's response to Rothschild.

    "Malware in digital photo frames" (February 17, 2008) Viruses in unusual digital storage locations.

    "Canada busts 17 in botnet ring" (February 21, 2008) News about law enforcement action against criminals in Canada.

    "More InfraGard FUD and misinformation" (February 23, 2008) Response to Gary Barnett's InfraGard article at the Future of Freedom Foundation website.

    "New Mexico InfraGard conference" (February 24, 2008) Summary of the New Mexico InfraGard's "Dollar-Gard 2008" conference.

    "Pakistan takes out YouTube, gets taken out in return" (February 25, 2008) Yesterday's events of political and/or religious censorship gone awry in Pakistan.

    "Jeremy Jaynes loses appeal on spamming case" (March 1, 2008) The Virginia Supreme Court upholds Virginia's anti-spam law.

    "Software awards scam" (March 25, 2008) Many software download sites give out bogus awards.

    "Scammers scamming scammers" (April 7, 2008) Marco Cova looks at what some phishing kits really do.

    "Bad military botnet proposal" (May 13, 2008) A response to Col. Charles Williamson's proposal to build a military botnet.

    "MediaDefender launches denial of service attack against Revision3" (May 29, 2008) Anti-P2P piracy firm crosses the line and attacks a legitimate company.

    "San Francisco's city network held hostage" (July 19, 2008) Some actual facts behind the hyped charges against the city's network administrator.

    "Did Diebold tamper with Georgia's 2002 elections?" (July 20, 2008) Some troubling information about Diebold's last-minute patching on Georgia election machines.

    "Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure" (August 1, 2008) Concerns about privacy in both China and the U.S.

    "Military botnets article" (August 28, 2008) Peter Buxbaum's article on "Battling Botnets" in Military Information Technology magazine.

    "Virginia Supreme Court strikes down anti-spam law" (September 12, 2008) Julian Jaynes goes free as Virginia's anti-spam law goes away.

    "Sarah Palin's Yahoo account hacked" (September 17, 2008) Palin's Yahoo account is hacked, and the contents published.

    "TSA airport security is a waste of time and money" (October 18, 2008) Link to Jeffrey Goldberg's article in The Atlantic.

    "Behind the scenes during the election process" (November 6, 2008) Both major party presidential nominees suffered computer compromises.

    "White House may be forced to recover 'lost' emails" (November 14, 2008) Lawsuit may require recovery from backups.

    "Criminal activity by air marshals" (November 14, 2008) Multiple cases.

    "PATRIOT Act NSL gag order unconstitutional" (December 19, 2008) Recipients of National Security Letters now can't be gagged without court order.

    "The U.S. Nazi dirty bomb plot" (March 15, 2009) A little-covered story about a real terrorist plot.

    "The Cybersecurity Act of 2009" (April 4, 2009) It's not as bad as it appears.

    "Tracking cyberspies through the web wilderness" (May 12, 2009) How University of Toronto researchers have tracked online spying activity.

    "Bad military botnet proposal still being pushed" (June 26, 2009) Col. Williamson's proposal to build an offensive U.S. military botnet is still being promoted by him.

    "DHS still a mess, five years on" (July 16, 2009) Center for Public Integrity review of DHS.

    "How Twitter got compromised" (July 23, 2009) TechCrunch gives the anatomy of the attack on Twitter.

    Sunday, December 11, 2005

    Another Botnet Talk

    I'm giving another talk tomorrow on botnets, this time for the Phoenix chapter of Infragard, the FBI-sponsored 501(c)(3) that is devoted to public sector/private sector partnerships to protect national infrastructures. While Infragard has primarily focused on information technology, they are broadening their focus to include things like agriculture and food distribution, energy production and transmission, chemical plants, etc. This is an update for those who attended my April 2004 Infragard talk, and includes new material that hasn't been in any of my past botnet talks (for ASU, HTCIA, ATIC, FRnOG, and the Phoenix and Rochester, NY chapters of Infragard).