Showing posts with label NSA. Show all posts

Tuesday, November 24, 2009

Wikileaks to release over 500K text pager intercepts from 9/11

Wikileaks is releasing over 500,000 U.S. national text pager intercepts from September 11, 2001, over the next two days:
From 3AM on Wednesday November 25, 2009, until 3AM the following day (New York Time), WikiLeaks will release over half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 terrorist attacks in New York and Washington.

The first message, corresponding to 3AM September 11, 2001, five hours before the first attack, will be released at 3AM November 25, 2009 and the last, corresponding to 3AM September 12, 2001 at 3AM November 26, 2009.

Text pagers are mostly carried by persons operating in an official capacity. Messages in the collection range from Pentagon and New York Police Department exchanges, to computers reporting faults to their operators as the World Trade Center collapsed.
This is a significant and completely objective record of the defining moment of our time. We hope that its entry into the historical record will lead to a deeper and more nuanced understanding of how this tragedy and its aftermath may have been prevented.

While we are obligated to protect our sources, it is clear that the information comes from an organization which has been intercepting and archiving national US telecommunications since prior to 9/11.
The Transparent Society getting closer, it appears...

Saturday, September 20, 2008

EFF sues the NSA, Bush, Cheney, Addington, etc.

The Electronic Frontier Foundation has filed Jewel v. NSA to try another tactic in stopping unconstitutional warrantless wiretapping of U.S. residents. Their previous lawsuit against AT&T, Hepting v. AT&T, is still in federal court as the EFF argues with the government over whether the telecom immunity law passed by our spineless Congress is itself constitutional or applicable to the case.

Jewel v. NSA names as defendants the National Security Agency, President George W. Bush, Vice President Dick Cheney, Cheney's chief of staff David Addington, former Attorney General Alberto Gonzales, and "other individuals who ordered or participated in warrantless domestic surveillance."

Friday, August 01, 2008

Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure

I saw two articles this morning which I think invite comparison. First, Phil Dunkelberger, CEO of PGP Corporation, says people visiting China should take laptops with no data, or encrypt what data they have:

Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said.

He said that without data encryption, executives could have business plans or designs pilfered, while journalists' lists of contacts could be exposed, putting sources at risk.

Dunkelberger said that during unrest in Tibet in March, overseas Tibetan activists found their computer systems under heavy pressure from Chinese security agencies trying to trace digital communications.

"What the Chinese tried to do was infiltrate their security to see who in China the Tibet movement was talking to," he said.

...

Dunkelberger, whose firm serves many multinational corporations operating in China, said, "A lot of places in the world, including China, don't have the same view of personal space and privacy that we do in the United States."

"You've got to suspect that every place you're doing work is being monitored and being watched," he said.

Dunkelberger's advice is good as far as it goes. Of course, PGP Whole Disk Encryption won't help protect data in transit, and while PGP Email will protect the content of email messages, it won't conceal the source and destination. The threat described is one where traffic analysis alone can reveal a lot, and so you'd want to make use of a corporate VPN, some kind of proxy, or a system like Tor if you want to protect information about where your Internet traffic is ultimately going. PGP is a good company that makes great products; my employer uses PGP Whole Disk Encryption and Email products.
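To make the source-and-destination point concrete, here is an added example (not from the original post or from PGP Corporation) showing what anyone on the mail path can still read from PGP-encrypted email, and how a contact graph falls out of headers alone. The addresses and messages are constructed, and the bodies are placeholders standing in for ciphertext.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def _msg(sender, to, subject, date, cc=None):
    """Build a constructed RFC 5322 message whose body stands in for PGP ciphertext."""
    headers = [f"From: {sender}", f"To: {to}"]
    if cc:
        headers.append(f"Cc: {cc}")
    headers += [f"Subject: {subject}", f"Date: {date}"]
    body = (
        f"{ARMOR_HEADER}\n\n"
        "(constructed placeholder, not real ciphertext)\n"
        "-----END PGP MESSAGE-----\n"
    )
    return "\n".join(headers) + "\n\n" + body


# Constructed sample traffic: every body is "encrypted", every header is not.
SAMPLES = [
    _msg("alice@example.org", "bob@example.net", "Re: schedule",
         "Fri, 01 Aug 2008 09:00:00 +0000"),
    _msg("alice@example.org", "bob@example.net, carol@example.net", "Re: schedule",
         "Fri, 01 Aug 2008 09:30:00 +0000"),
    _msg("dave@example.com", "alice@example.org", "contacts",
         "Fri, 01 Aug 2008 10:00:00 +0000", cc="bob@example.net"),
]


def observable_metadata(raw):
    """Return the fields an on-path observer can read without any key.

    Classic PGP mail encrypts only the body; From, To, Cc, Date and
    Subject travel as ordinary cleartext headers.
    """
    msg = message_from_string(raw)
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(rcpt_headers) if addr]
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipients": recipients,
        "subject": msg.get("Subject", ""),
        "date": msg.get("Date", ""),
        "body_encrypted": body.lstrip().startswith(ARMOR_HEADER),
    }


def contact_graph(raw_messages):
    """Count (sender, recipient) pairs using header data only."""
    edges = Counter()
    for raw in raw_messages:
        meta = observable_metadata(raw)
        for rcpt in meta["recipients"]:
            edges[(meta["sender"], rcpt)] += 1
    return edges


def contacts_of(edges, address):
    """Everyone seen exchanging mail with `address`, in either direction."""
    peers = set()
    for src, dst in edges:
        if src == address:
            peers.add(dst)
        elif dst == address:
            peers.add(src)
    return peers


if __name__ == "__main__":
    graph = contact_graph(SAMPLES)
    for (src, dst), n in sorted(graph.items()):
        print(f"{src} -> {dst}: {n} message(s)")
    print("alice's contacts:", sorted(contacts_of(graph, "alice@example.org")))
```

Routing the mail session itself through a VPN or Tor hides these headers from the local network, though the mail providers at each end still see them.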

The second article, however, casts some doubt on the last part of what Dunkelberger says. It looks like the U.S., where the NSA engages in warrantless wiretapping with the assistance of the large incumbent telecoms (and a spineless Congress gives them immunity for violations of the law), the CIA spies on foreign visitors within the borders of the U.S. in conjunction with the FBI's counterintelligence division, isn't so different from other countries. It's now publicly admitted by DHS that Immigration and Customs Enforcement officers have the right to seize laptops and other electronic devices from people entering the U.S. and hang on to them indefinitely in order to search them. Therefore Dunkelberger's advice should be taken by anyone coming into the U.S., as well--use blank laptops or laptops with encryption only. Some companies have begun to only allow employees to have a web browser and a VPN client on their laptops, and keep all data in the corporation, which can completely eliminate this particular governmental risk.

Saturday, July 19, 2008

Netroots and telecom

There's a telecom panel at the Netroots Nation conference today on the subject of "Big Telecom: An Emerging Threat to Our Democracy?" The implied answer is yes, and it appears that every participant on the panel will be making that case. Here's the description of the panel:
Massive telecom companies control virtually all of our voice and internet communications these days—and new evidence shows a near-total lack of commitment to our democracy. AT&T has proposed filtering all content traveling on its network. Verizon tried initially to block NARAL's pro-choice text messages. Most telecom companies are fighting net neutrality. Can democracy survive an assault by those who control the tubes?
The panel members don't include anyone with any experience managing or operating an actual telecom network, but instead include two people who have repeatedly demonstrated not only an ignorance of telecom law, technology, and policy, but who have misrepresented facts and failed to engage with the arguments of their critics, Matt Stoller and Timothy Karr (see posts on this blog in the "net neutrality" category). The closest person to a representative of a telecom is Michael Kieschnick of Working Assets, a company that is a reseller of long distance and wireless service on Sprint's network.

I agree with many of their positions--I don't think ISPs should be allowed to block websites on the basis of disagreement with content. I think ISPs should be transparent about their network management processes and filtering. Where I disagree with them is that they advocate that the FCC step in to regulate the Internet in a way that it has never had authority to do before, and demand that network operators not be allowed to implement classes of service with different rates of charges, or even usage caps. Art Brodsky expresses the point which has also been made by Robb Topolski of Public Knowledge, Timothy Karr of Free Press, and Matt Stoller:
In the name of "network management," some companies want to throttle down the use of legal applications, like BitTorrent which may, coincidentally, provide competition in entertainment programming. They want to impose usage caps across the board on all customers which would stifle innovation and curb the use of video (there's that anti-competitive meme again) without actually solving the problem of the so-called "bandwidth hogs." The way caps are being discussed now, they would only lead to higher prices and less usage for an industry that already charges more for less than most broadband providers around the world. Parts of our broadband industry may be the only sector in the world that wants to cut down the amount of its product it wants customers to use.
Brodsky's last sentence is clearly false--broadband is like a fixed-price all-you-can-eat buffet. All businesses want to maximize their profits by maximizing revenue and minimizing costs. When bandwidth is sold at a fixed cost in unlimited amounts, where a small number of users are consuming the majority of the service, it's in the business's interest to restrict those users or charge them more for what they consume in order to satisfy the rest in a cost-effective manner. The options are few--you can either restrict the "bandwidth hogs" in some way, charge them more so that they pay for what they use, or raise the price for everyone. These guys seem to advocate the latter approach, while I'm in favor of allowing all the options to be used in a competitive market. Where I disagree with Comcast's approach in issuing RST packets to block BitTorrent traffic is not that they did it, but that they were not transparent about what they were doing (and apparently didn't get it quite right--it should not have completely broken BitTorrent, but only slowed it down).

Brodsky's suggestion that Comcast has an interest in blocking BitTorrent because it provides competition in the entertainment space is absurd--they have an interest in blocking it because it's a very popular application which itself exploits Internet protocols in a way not anticipated by the designers in order to consume more bandwidth, getting around the congestion controls in TCP/IP by using multiple TCP streams. If BitTorrent traffic wasn't filling up the majority of Comcast's bandwidth, they'd have no interest in it, except when the MPAA and RIAA issue them subpoenas about their users infringing copyrights.

If the government prohibits the use of differential classes of service (which is already heavily used by private companies to give priority to applications within their enterprise which have requirements for low latency and jitter, such as real-time streaming audio and video, including Voice over IP) and requires that congestion be dealt with by building out infrastructure sufficiently that there will never be congestion no matter how many users max out their connectivity with BitTorrent, that will reduce competition by culling smaller companies out of the picture and making market entry more difficult. In any environment where a provider's upstream capacity is less than the sum of the capacity to every customer (and that's everywhere, today, and always has been), all-you-can-eat bandwidth is like a commons. The more that is available, the more the heavy users will consume, to the detriment of each other and the light users. Without setting caps and having tiered pricing or implementing technology that prioritizes packets and drops from the heavy users and from less-realtime-sensitive applications first (like BitTorrent), there are no incentives against consuming everything that is available.

I also think it's a huge mistake to have the FCC start regulating the Internet. FCC chairman Kevin Martin would no doubt love to place indecency standards and filtering requirements on Internet content. Once you open the door to FCC regulation of the Internet, that becomes more likely. And the FCC has been completely ineffectual at dealing with existing abuses like fraudulent telemarketing, illegal prerecorded calls to residences and cell phones, caller ID spoofing, etc., already covered by statute and regulation. I'd rather see clear statutes that include private rights of action than entrust control of the Internet to the FCC. The FCC is a slow-moving bureaucracy, and AT&T and Verizon have the deepest pockets, the most lawyers, and the most personnel who have shuffled back and forth between government (including the NSA) and industry. That gives AT&T and Verizon the tactical advantage, and leads to less competition rather than more.

Which brings me to the warrantless wiretapping and telecom immunity issues, which Cindy Cohn of the EFF no doubt addressed on the Netroots Nation panel. I suspect I have little if any disagreement with her. I've long been a supporter of the EFF, as are many people involved in the management of ISPs. I strongly oppose telecom immunity for warrantless wiretapping, a complete abdication of Congress' responsibility to support the U.S. Constitution. But this shows the power of AT&T and Verizon. Not only did they get what they wanted, but the very infrastructure which was built to do this massive interception of traffic for the NSA and for law enforcement interception under the CALEA laws was built for them with assistance from government funds. All telecoms have to be compliant with CALEA (now including VoIP and broadband Internet providers), but the big incumbents who were most capable of affording it on their own got it at the lowest costs, while their competition was required to build it out at their own expense even if it never gets used.

But there are legitimate uses for deep packet inspection, for understanding the nature of the traffic on a network for management purposes, including tracking down security and abuse issues. Since it is in the hands of the end user to use encryption to protect sensitive content, I think use of DPI by network providers is reasonable for the purposes of providing better service in the same way that it's reasonable for a voice provider to intercept traffic for quality measurement purposes. It's also reasonable for interception to occur for "lawful intercept," but it should always require a court order (i.e., both executive and judicial branch approval) on reasonable grounds. The difficulty of obtaining wiretaps depicted in the television program "The Wire" is how it should be.

I've written a lot on these issues, much of which can be found in this blog's Network Neutrality Index.

If any reader of this blog happens to have attended the Netroots Nation telecom panel or comes across a description of its content, please point me to it, as I'd like to see what was said. I don't have high hopes for the accuracy or reasonability of statements from Stoller and Karr, but I could be surprised, and the other panelists probably had interesting and important things to say.

(See my Blogger profile for the disclosure of my employment by Global Crossing, which is currently listed by Renesys as the #3 network provider on the Internet in terms of number of customers, ahead of AT&T and Verizon, behind Sprint and Level 3.)

UPDATE: The "Big Telecom" panel was live-blogged (dead, unarchived link: http://openleft.com/showDiary.do;jsessionid=C865142FFB85E14AAD27045B9A342B15?diaryId=7032). Stoller's anecdote about the Bill of Rights on metal is referring to Dean Cameron's "security edition" of the Bill of Rights, which was also promoted by Penn Jillette.

Wednesday, March 12, 2008

NSA's data mining and eavesdropping described

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.)

Saturday, February 23, 2008

More InfraGard FUD and misinformation

Gary D. Barnett, president of a financial services firm in Montana, has written an article about InfraGard for The Future of Freedom Foundation, apparently inspired by the Progressive article. Thankfully, he avoids the bogus "shoot to kill" claims, but he introduces some erroneous statements of his own. It's apparent that he didn't bother speaking to anyone in InfraGard or doing much research before writing his article, which is another attempt to spread fear, uncertainty, and doubt about the program.

Barnett first goes wrong when he writes:

InfraGard’s stated goal “is to promote ongoing dialogue and timely communications between members and the FBI.” Pay attention to this next part:

Infragard members gain access to information that enables them to protect their assets and in turn give information to government that facilitates its responsibilities to prevent and address terrorism and other crimes.
I take from this statement that there is a distinct tradeoff, a tradeoff not available to the rest of us, whereby InfraGard members are privy to inside information from government to protect themselves and their assets; in return they give the government information it desires. This is done under the auspices of preventing terrorism and other crimes. Of course, as usual, “other crimes” is not defined, leaving us to guess just what information is being transferred.
First, there isn't a "distinct tradeoff." There is no "quid pro quo" required of InfraGard members. All InfraGard members get the same access to bulletins as the others, regardless of whether they share information back. There are some specific sector-oriented subgroups that share information only with each other (and such private groups also exist independently of InfraGard, such as the sector Information Sharing and Analysis Centers, or ISACs). The FBI may come to a company from time to time with specific threat information relevant to them (I've seen this happen once with respect to my own company), but that happens whether a company is a member of InfraGard or not. (Where InfraGard membership might give added benefit is that the FBI knows that the InfraGard member has undergone some rudimentary screening. There are companies that are set up and run by con artists, as well as by foreign intelligence agents, believe it or not, and where there is apparent risk of such a setup, the FBI is obviously going to be less forthcoming than with somebody they already know.)

Second, "not available to the rest of us" suggests that InfraGard membership is difficult to come by. It's not. I suspect Mr. Barnett himself could be approved, as could whoever does IT security for his company.

Third, there's no need to guess about the "other crimes." The FBI's own priority list tells you:

1. Protect the United States from terrorist attack. (Counterterrorism)
2. Protect the United States against foreign intelligence operations and espionage. (Counterintelligence)
3. Protect the United States against cyber-based attacks and high-technology crimes. (Cyber crime)
4. Combat public corruption at all levels.
5. Protect civil rights.
6. Combat transnational/national criminal enterprises.
7. Combat major white collar crime.
8. Combat significant violent crime.
9. Support federal, state, local, and international partners.
10. Upgrade technology to successfully perform the FBI's mission.

Some might question this list, in particular #5, on the basis of the FBI's past record, but my interactions with law enforcement lead me to believe that there are many who do take #5 quite seriously and would challenge and speak out against actions contrary to it. I was at an InfraGard conference in New Mexico yesterday at which an exchange occurred that went something like this:

Me: I work for a global telecommunications company.
He: You're not one of those companies that's been eavesdropping on us, are you?
Me: No.
He: Good.

"He" was a member of New Mexico's InfraGard--and a member of law enforcement. I'll have more to say about warrantless wiretapping in a moment.

The real issue with this list is that the top two are probably misplaced, and 6-8 (and #10!) have been suffering, as I've previously written about.

Barnett goes on:
Since these members of InfraGard are people in positions of power in the “private” sector, people who have access to a massive amount of private information about the rest of us, just what information are they divulging to government? Remember, they are getting valuable consideration in the form of advance warnings and protection for their lives and assets from government. This does not an honest partnership make; quite the contrary.
There are several key ways in which private industry helps the FBI through InfraGard. One is securing their own infrastructure against attacks so that it doesn't create a problem that the FBI needs to devote resources to. Two is by bringing criminal issues that are identified by private companies to the attention of the FBI so that it can investigate and bring prosecutions. Three is by assisting the FBI in its investigations by explaining the meaning of evidence that requires technical skills to understand, and giving them guidance in how to successfully track down criminals.

Barnett goes on to talk about Rep. Jane Harman's bill in Congress, HR1955/S.1959, which I've also briefly commented on at this blog, and makes some significant errors of fact. He writes that this bill "if passed, will literally criminalize thought against government." That's false--the bill doesn't criminalize anything, it just creates a commission that will write a report and make recommendations. That commission has no law enforcement powers of any kind, not even the power of subpoena. Barnett also mistakenly thinks that this bill contains a reference to InfraGard. He writes:
S.1959, if passed, will be attached to the Homeland Security Act and InfraGard is already a part of the Department of Homeland Security. This is not a coincidence. Under section 899b of S.1959 it is stated:
Preventing the potential rise of self radicalized, unaffiliated terrorists domestically cannot be easily accomplished solely through traditional Federal intelligence or law enforcement efforts, and can benefit from the incorporation of State and local efforts.

This appears to be a direct reference to the InfraGard program.

The reference to "the incorporation of State and local efforts" into "traditional Federal intelligence or law enforcement efforts" in counterterrorism contains no reference to private partnerships, only to combining law enforcement efforts at federal, state, and local levels. This is a reference to what are called "fusion centers," like the Arizona Counter-Terrorism Information Center (ACTIC). The people who work in those centers are people from government agencies (at the federal, state, and local levels) with government security clearances. InfraGard in Phoenix does partner with ACTIC, which in practice means that ACTIC representatives give presentations to InfraGard (all of which I believe have also been open to the general public), ACTIC shares threat information with InfraGard much like the FBI does, and that InfraGard members are encouraged to report potential terrorist tip information to ACTIC. (ACTIC also encourages the general public to do this, which I think is far more likely to waste resources than identify any actual terrorists.)

Note that Barnett is mistaken when he writes that InfraGard is part of the Department of Homeland Security. InfraGard is not a government agency or part of a government agency--it is a non-governmental organization, or actually a collection of non-governmental organizations, which are 501(c)(3) nonprofits, with leadership provided by board members who are InfraGard members. Each chapter has a coordinator from the FBI who is not on the board. The FBI provides guidance and suggestions, but the organizations are run by the boards.

Now Barnett goes into Matt Rothschild territory when he writes: "I’m just speculating, of course, but is it possible that InfraGard will be a domestic police and spying arm for the government concerning “thought crime”?" It's not just speculation, it's uninformed speculation. InfraGard is not part of government and has no police powers of any kind. I've previously addressed the degree to which I think the "spying" is a risk--I think it's relatively low, but worth talking about.

Barnett continues in a Rothschild vein when he says "InfraGard, on the other hand, is an organization cloaked in secrecy. It holds secret meetings with the FBI." This talk of InfraGard being "cloaked in secrecy" is grossly exaggerated. The group has fairly open membership and most meetings are open to the public. When there are meetings restricted to membership, those typically wouldn't be accurately described as "secret meetings with the FBI." I and other members of InfraGard have had private meetings with FBI agents with respect to particular investigations, but it would be inaccurate to describe those as "InfraGard meetings." Law enforcement by its very nature requires a high degree of confidentiality for ongoing investigations, but it is a mistake to infer that this means conspiratorial plotting or spying.

Towards the end of his article, Barnett talks about warrantless wiretapping, telecom immunity, and the secrecy of InfraGard membership:
Considering the recent attempts by President Bush and his administration to protect many telecommunications companies and executives from prosecution for releasing private information, how many of the top telecom executives are members of InfraGard? I, for one, would be very interested in this information, but alas, it is not public information; it is secret.
What's the sense in which InfraGard membership is secret? Only in that it's not made available to the general public. Barnett writes that "no one outside InfraGard is to know who is a member unless previous approval has been given," but this is his misinterpretation of a guideline he quotes, not what it says. There's nothing prohibiting an InfraGard member from identifying themselves as such, only from identifying others as such without their consent. And if you're going to speak on behalf of InfraGard, you need to get approval from the organization first. (And note that I'm not speaking on behalf of InfraGard here, and have had no approval from InfraGard for what I've written on my blog.) If you're an InfraGard member, you have access to the online directory of InfraGard members. If Barnett is really interested in knowing who is a member, all he has to do is join.

As for "how many of the top telecom executives are members of InfraGard," I haven't looked, but I would be willing to wager that the answer is none. I know that none of the members of the "Senior Leadership Team" of my company are members of InfraGard, though my boss, our VP of Global Security, heads the Rochester, NY chapter of InfraGard. Senior executives of large corporations don't have time or interest to belong to InfraGard, and it's not really geared to them, as opposed to members of their physical and IT security organizations.

And as for warrantless wiretapping (I said I'd get back to it), InfraGard has nothing to do with that and it's foolish to think that it would. That activity has involved direct relationships between incumbent telecom providers (AT&T certainly, and probably Verizon as well) and the National Security Agency, with information restricted to employees holding government security clearances on a "need to know" basis, as the ACLU and EFF lawsuits have revealed. These relationships also probably include commercial relationships, and have included movement of personnel from one to the other--for example, AT&T has a Director of Government Solutions who came from the NSA. InfraGard members, many if not most of whom hold no government security clearances, are not in the loop on that activity. (For that matter, I suspect few FBI personnel are in the loop on that, either.)

I find it discouraging that articles like Barnett's are written and published. Such inaccurate information serves to distract from real issues and real government abuses and to discredit those who repeat it, when they have other things to say that are worth hearing, paying attention to, and acting upon. I hope that Barnett and FFF will strive for greater accuracy in the future.

Friday, February 08, 2008

Tinfoil hat brigade generates fear about Infragard

An article in The Progressive by Matthew Rothschild worries that the FBI's InfraGard program is deputizing businesses, training them for martial law, and giving them a free pass to "shoot to kill." Rothschild writes:
The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does—and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to “shoot to kill” in the event of martial law.
Nonsense. I've been a member of the Phoenix InfraGard Members Alliance for years. It's a 501(c)(3) organization sponsored by the FBI whose members have been subjected to some rudimentary screening (comparable to what a non-cleared employee of the federal government would get). Most InfraGard meetings are open to the general public (contrary to Rothschild's statement that "InfraGard is not readily accessible to the general public"), but the organization facilitates communications between members about sensitive subjects like vulnerabilities in privately owned infrastructure and the changing landscape of threats. The FBI provides some reports of threat information to InfraGard members through a secure website, which is unclassified but potentially sensitive information. InfraGard members get no special "shoot to kill" or law enforcement powers of any kind--and membership in the organization is open to anyone who can pass the screening. As Rothschild notes in the first sentence of his article, there are over 23,000 members--that is a pretty large size for a conspiracy plot.

At one point in the article, Rothschild quotes InfraGard National Members Alliance chairman Phyllis Schneck referring to a "special telecommunications card that will enable your call to go through when others will not." This is referring to a GETS card, for the Government Emergency Telecommunications Service, which provides priority service for call completion in times of emergency or disaster to personnel who are working to support critical infrastructure. There is a similar service for wireless priority (Wireless Priority Service), and yet another for critical businesses and organizations (like hospitals) which need to have their telecommunications service re-established first after a loss of service due to disaster (Telecommunications Service Priority). These programs are government programs that are independent of InfraGard, though InfraGard has helped members who represent pieces of critical infrastructure obtain GETS cards.

The ACLU's concern about InfraGard being used as a tip line to turn businesses into spies is a more plausible but still, in my opinion, unfounded concern. Businesses are not under any pressure to provide information to InfraGard, other than normal reporting of criminal events to law enforcement. The only time I've been specifically asked to give information to InfraGard is when I've been asked to speak at a regular meeting, which I've done a few times in talks that have been open to the public about malware threats and botnets.

Check out the comments in The Progressive for some outright hysteria about fascism and martial law. I saw similar absurdity regarding the Department of Homeland Security's TOPOFF 4 exercise, which was a sensible emergency planning exercise. Some people apparently are unable to distinguish common-sense information sharing and planning in order to defend against genuine threats from the institution of a fascist dictatorship and martial law.

Now, I think there are plausible criticisms to be made of the federal government's use of non-governmental organizations--when they're used to sidestep laws and regulations like the Freedom of Information Act, to give lots of government grant money to organizations run by former government employees, to legally mandate funding of and reporting to private organizations and so forth. The FBI has created quite a few such organizations to do things like collect information about missing and exploited children, online crime, and so forth, typically staffed by former agents. But personally, I've not witnessed anything in InfraGard that has led me to have any concerns that it's being used to enlist private businesses into questionable activities--rather, it's been entirely devoted to sharing information that private businesses can use to shore up their own security and for law enforcement to prosecute criminals.

UPDATE (February 9, 2008): The irony is that Matthew Rothschild previously wrote, regarding 9/11 truthers:
We have enough proof that the Bush administration is a bunch of lying evildoers. We don't need to make it up.
He's right about that, but he's now helped spread nonsense about InfraGard and seriously damaged his own credibility. I find it interesting that people are so willing to conclude that InfraGard is a paramilitary organization, when it's actually an educational and information sharing organization that has no enforcement or even emergency, disaster, or incident response function (though certainly some of its members have emergency, disaster, and incident response functions for the organizations they work for).

UPDATE (February 10, 2008): I suspect tomorrow Christine Moerke of Alliant Energy will be getting calls from reporters asking what specifically she confirmed. I hope they ask for details about the conference in question, whether it was run by InfraGard or DHS, what the subject matter was, and who said what. If there's actually an InfraGard chapter endorsing the idea that InfraGard members form armed citizen patrols authorized to use deadly force in time of martial law, that's a chapter that needs to have its leadership removed. My suspicion, though, is that some statements about protection of infrastructure by their own security forces in times of disaster or emergency have been misconstrued. Alliant Energy operates nuclear plants, nuclear plants do have armed guards, and in Arizona, ARS 13-4903 describes the circumstances under which nuclear plant security officers are authorized to use deadly force. Those people, however, are thoroughly trained and regularly tested regarding the use of force and the use of deadly force in particular, which is not the case for InfraGard members.

UPDATE (February 11, 2008): Somehow, above, I neglected to make the most obvious point--that the FBI doesn't have the authority to grant immunity to prosecution for killing. If anyone from the FBI made that statement to InfraGard members, they were saying something that they have no authority to deliver on.

UPDATE (February 12, 2008): I've struck out part of the above about the ACLU's concern about spying being unfounded, as I think that's too strong of a denial. There is a potential slippery slope here. The 9/11 Commission Report pointed to various communication problems that led to the failure to prevent the 9/11 attacks. These problems included failure to share information (mainly from the CIA to the FBI and INS), failure to communicate information within the FBI (like Phoenix Special Agent Ken Williams' memo about suspicious Middle Easterners in flight schools), and failure to have enough resources to translate NSA intercepts (some specific chatter about the attacks was translated after the attacks had already occurred). As a result, the CIA has been working closely with the FBI on counterterrorism and counterintelligence at least since 2001. (Also see Dana Priest, "CIA Is Expanding Domestic Operations," The Washington Post, October 23, 2002, p. A02, which is no longer available on the Post's site but can be found elsewhere on the web, on sites whose other content is so nutty I refuse to link, as well as this January 2006 statement from FBI Director Robert Mueller on the InfraGard website, which includes the statement that "Today, the FBI and CIA are not only sharing information on a regular basis, we are exchanging employees and working together on cases every day.")

The slippery slope is this--the CIA is an organization which recruits and develops in its officers a sense of flexible ethics which has frequently resulted in incredible abuses, and which arguably has done more harm than good to U.S. interests. (My opinion on the CIA may be found in my posts on this blog labeled "CIA"; I highly recommend Tim Weiner's Legacy of Ashes: The History of the CIA.) Some of that ethical flexibility may well rub off on FBI agents who work closely with CIA case officers. (The FBI itself has also had a history of serious abuses, an objective account of which may be found in Ronald Kessler's book The Bureau: The Secret History of the FBI.) And then, that same ethical flexibility may rub off on InfraGard members as a result of their relationships with the FBI (and potentially relationships with the CIA, as well). The intelligence community seems to have a hunger for more and more information from more and more sources, but it is already awash in a sea of information that it has trouble processing today. (It doesn't help that the Army fires direly needed Arabic translators because they are gay.) The need is to accurately assess the information that it has, and ensure that bits and pieces aren't cherry-picked to produce desired conclusions, as well as ensure that information isn't sought or assembled to serve personal and political ends of particular interests rather than combatting genuine threats to the country and its citizens.

My recommendation is that all InfraGard members read Kessler's The Bureau, Weiner's Legacy of Ashes, and view the film that won the 2007 Academy Award for best foreign film, "The Lives of Others," to help inoculate them against such a slippery slope.

UPDATE: Amy Goodman interviewed Matt Rothschild for "Democracy Now!" on Wisconsin Public Television, in which it is pretty clear to me that Rothschild is exaggerating something he doesn't understand--what he cites as evidence doesn't support what he claims. Here's a key excerpt, see the link for the full transcript:
MR: [...] And one other member of InfraGard [Christine Moerke of Alliant Energy] confirmed to me that she had actually been at meetings and participated in meetings where the discussion of lethal force came up, as far as what businesspeople are entitled to do in times of an emergency to protect their little aspect of the infrastructure.
AG: But just to clarify, Matt Rothschild, who exactly is empowered to shoot to kill if martial law were declared? The business leaders themselves?
MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told.
[...]
You know, this is a secretive organization. They’re not supposed to talk to the press. You need to get vetted by the FBI before you can join it. They get almost daily information that the public doesn’t get. And then they have these extraordinary, really astonishing powers being vested in them by FBI and Homeland Security, shoot-to-kill powers. I mean, this is scary stuff.
It looks to me like the following transformation has occurred:

1. At a DHS conference on emergency response, somebody asks if owners of critical pieces of infrastructure should be expected to use deadly force if necessary to protect it (e.g., a nuclear power plant).
2. Somebody at DHS answers yes. They may even add that in some cases the law provides specific justification for use of deadly force (as in the Arizona statute I cite above).
3. Matt turns that into a general right to "shoot-to-kill" in times of martial law by any InfraGard member.
4. The blogosphere turns that into roving citizen patrols unleashed on the nation as the Bush hit squad after declaration of martial law.

I don't see his key source--Christine Moerke--confirming anything beyond #1 and #2.

Note other exaggerations and contradictions--Rothschild claims that InfraGard is highly secretive and selective, yet has quickly grown to over 23,000 members and has multiple public websites. He fails to note that most InfraGard meetings are open to the general public, or that it has been discussed in many articles in the national press over the last decade. Rothschild speaks of "business leaders," which the blogosphere has turned into "CEOs," yet I suspect the most common "business leader" represented in InfraGard is an IT or physical security manager.

UPDATE (February 15, 2008): The FBI has issued an official response to Rothschild's Progressive article (PDF), which says, in part:
In short, the article's claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to "shoot to kill" than other civilians. The FBI encourages InfraGard members -- and all Americans -- to report crime and suspected terrorist activity to the appropriate authorities.
The FBI response also states that Rothschild has "refused even to identify when or where the claimed 'small meeting' occurred in which issues of martial law were discussed," and promises to follow up with further clarifying details if they get that information.

UPDATE (February 25, 2008): Here's another blogger with a rational response to The Progressive article.

UPDATE (March 2, 2008): Matthew Rothschild has responded to the FBI's response on Alex Jones' Info Wars blog, and he stands behind every word of his original article. He doesn't display any knowledge of or response to any of the criticisms I've offered.

Wednesday, December 26, 2007

Chinese intelligence was translating for the NSA

The Washington Times reported on December 21 that several years ago, Chinese intelligence successfully subverted the National Security Agency in Hawaii. It did so by creating a company based in Hawaii to do Chinese translations, which successfully obtained government contracts with the NSA to translate intercepted Chinese communications. The intercepted communications included sufficient information to identify the sources, giving the Chinese the ability to control what information the NSA obtained, either by keeping significant information off the compromised channel or by introducing disinformation.

This shows one of the problems that faces a world superpower whose own language is commonly used and which does little or nothing to encourage its citizens to learn other languages. Understanding communications in other languages requires the assistance of translators who may be working for the enemy, and the enemy can almost get away with speaking freely anywhere while being overheard, since the likelihood of comprehension is so small. The more communications you need translated, the more translators you need, and the greater the likelihood of compromise.

UPDATE (January 2, 2008): Noah Shachtman at Wired and Jeffrey Carr at IntelFusion cast some doubt on this story.

Saturday, October 13, 2007

Nacchio says government punished Qwest for noncooperation on eavesdropping

Former Qwest CEO Joseph Nacchio, found guilty of insider trading in April, is claiming in his appeal that part of the reason Qwest stock dropped in value is that the NSA cancelled some lucrative contracts with the company as punishment for its failure to cooperate in illegal warrantless wiretapping (unlike AT&T and Verizon).

The Bush administration is pushing for retroactive immunity to be granted to AT&T and Verizon for their participation in these unconstitutional programs by threatening to veto any surveillance bill that doesn't include such immunity. If the Democrats were smart, they'd go ahead and send him a surveillance bill without the immunity, and then criticize him when he vetoes it for taking action that is going to kill Americans.

CIA head investigates CIA Inspector General

CIA Director (and former head of the NSA) Gen. Michael Hayden is unhappy with CIA Inspector General John Helgerson's work uncovering abuses at the CIA, so he's ordered his own investigation of the IG, including an examination of the office's confidential files. That's sure to put a chill on employee cooperation with or reporting of abuses to the IG's office.

Wednesday, August 15, 2007

Wikiscanner

Virgil Griffith has put together a fascinating data-mining tool that compares anonymous Wikipedia edits to WHOIS records for IP addresses, to allow users to examine edits made by people at particular organizations. The tool can be used to examine edits by people at the NSA (Ft. Meade), the CIA, the Church of Scientology, Bob Jones University, the Environmental Protection Agency, Diebold, the Electronic Frontier Foundation, Wal-Mart, Pfizer, Raytheon, The New York Times, Al-Jazeera, WorldNetDaily, Fox News, the Republican and Democratic Parties, and the Vatican, among many others. The organizations named here all appear on the side of the tool's main search page, but there are many more in the drop-down list of user-submitted organizations, and you can specify organization names and locations.

Wired magazine has assembled a list of some of the more interesting edits, such as someone at Diebold deleting references to security flaws in electronic voting machines and someone at the CIA editing song lyrics from an episode of Buffy the Vampire Slayer.

Griffith, who built Wikiscanner while working at the Santa Fe Institute, begins graduate work in September at Caltech on theoretical neurobiology and artificial life under Christoph Koch and Chris Adami.

It's wonderful when data mining can be used for good purposes.

(Hat tip to Scott Peterson on the SKEPTIC list.)
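The matching step described in this post, sketched as an added example (this is not Griffith's code): anonymous edits are logged under an IP address, which is looked up against WHOIS-style netblock allocations, with the most specific block winning. The netblocks use RFC 5737 documentation addresses, and the organization names, edits and function names are all constructed for illustration.

```python
"""Attribute anonymous wiki edits to organizations via netblock ownership.

All data below is constructed: addresses come from the RFC 5737
documentation ranges and the organization names are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Constructed WHOIS-style allocations: (CIDR netblock, registered organization).
# A customer sub-allocation sits inside its provider's larger block.
WHOIS_NETBLOCKS = [
    ("198.51.100.0/24", "Example Transit ISP"),
    ("198.51.100.64/26", "Example Corp"),
    ("203.0.113.0/24", "Example Agency"),
]

# Constructed edit log: (editor field as logged, article, edit summary).
# Anonymous edits are logged under the editor's IP address; logged-in edits
# carry a username instead and cannot be matched this way.
EDITS = [
    ("198.51.100.70", "Article A", "removed criticism section"),
    ("198.51.100.10", "Article B", "fixed typo"),
    ("203.0.113.5", "Article C", "corrected a date"),
    ("192.0.2.44", "Article D", "added citation"),
    ("SomeUser", "Article D", "reverted vandalism"),
    ("203.0.113.200", "Article A", "restored criticism section"),
]


def build_index(netblocks):
    """Parse the CIDR strings and sort most-specific (longest prefix) first."""
    parsed = [(ipaddress.ip_network(cidr), org) for cidr, org in netblocks]
    return sorted(parsed, key=lambda item: item[0].prefixlen, reverse=True)


def lookup_org(index, editor):
    """Return the owning organization for an editor field, or None.

    None means either the edit was not anonymous (the field is not an IP
    address) or no known netblock covers the address.
    """
    try:
        addr = ipaddress.ip_address(editor)
    except ValueError:
        return None
    for network, org in index:
        if addr.version == network.version and addr in network:
            return org  # first hit is the most specific block
    return None


def edits_by_org(edits, netblocks):
    """Group (article, summary) pairs by the organization owning the source IP."""
    index = build_index(netblocks)
    grouped = defaultdict(list)
    unattributed = []
    for editor, article, summary in edits:
        org = lookup_org(index, editor)
        if org is None:
            unattributed.append((editor, article))
        else:
            grouped[org].append((article, summary))
    return dict(grouped), unattributed


if __name__ == "__main__":
    grouped, unattributed = edits_by_org(EDITS, WHOIS_NETBLOCKS)
    for org, items in sorted(grouped.items()):
        print(org)
        for article, summary in items:
            print(f"  {article}: {summary}")
    print("unattributed:", unattributed)
```

A match only shows that an edit came from an address registered to that organization; shared proxies, guest networks and reassigned blocks mean it does not identify the person who made it.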

Monday, July 09, 2007

DoJ attorney criticizes Bush administration

Department of Justice civil appellate attorney John S. Koppel has written a scathing editorial in The Denver Post:

As a longtime attorney at the U.S. Department of Justice, I can honestly say that I have never been as ashamed of the department and government that I serve as I am at this time.

The public record now plainly demonstrates that both the DOJ and the government as a whole have been thoroughly politicized in a manner that is inappropriate, unethical and indeed unlawful. The unconscionable commutation of I. Lewis "Scooter" Libby's sentence, the misuse of warrantless investigative powers under the Patriot Act and the deplorable treatment of U.S. attorneys all point to an unmistakable pattern of abuse.

In the course of its tenure since the Sept. 11 attacks, the Bush administration has turned the entire government (and the DOJ in particular) into a veritable Augean stable on issues such as civil rights, civil liberties, international law and basic human rights, as well as criminal prosecution and federal employment and contracting practices. It has systematically undermined the rule of law in the name of fighting terrorism, and it has sought to insulate its actions from legislative or judicial scrutiny and accountability by invoking national security at every turn, engaging in persistent fearmongering, routinely impugning the integrity and/or patriotism of its critics, and protecting its own lawbreakers. This is neither normal government conduct nor "politics as usual," but a national disgrace of a magnitude unseen since the days of Watergate - which, in fact, I believe it eclipses.

In more than a quarter of a century at the DOJ, I have never before seen such consistent and marked disrespect on the part of the highest ranking government policymakers for both law and ethics. It is especially unheard of for U.S. attorneys to be targeted and removed on the basis of pressure and complaints from political figures dissatisfied with their handling of politically sensitive investigations and their unwillingness to "play ball." Enough information has already been disclosed to support the conclusion that this is exactly what happened here, at least in the case of former U.S. Attorney David C. Iglesias of New Mexico (and quite possibly in several others as well). Law enforcement is not supposed to be a political team sport, and prosecutorial independence and integrity are not "performance problems."

...

As usual, the administration has attempted to minimize the significance of its malfeasance and misfeasance, reciting its now-customary "mistakes were made" mantra, accepting purely abstract responsibility without consequences for its actions, and making hollow vows to do better. However, the DOJ Inspector General's Patriot Act report (which would not even have existed if the administration had not been forced to grudgingly accept a very modest legislative reporting requirement, instead of being allowed to operate in its preferred secrecy), the White House-DOJ e-mails, and now the Libby commutation merely highlight yet again the lawlessness, incompetence and dishonesty of the present executive branch leadership.

They also underscore Congress' lack of wisdom in blindly trusting the administration, largely rubber-stamping its legislative proposals, and essentially abandoning the congressional oversight function for most of the last six years. These are, after all, the same leaders who brought us the WMD fiasco, the unnecessary and disastrous Iraq war, Guantanamo, Abu Ghraib, warrantless domestic NSA surveillance, the Valerie Wilson leak, the arrest of Brandon Mayfield, and the Katrina response failure. The last thing they deserve is trust.

...

I realize that this constitutionally protected statement subjects me to a substantial risk of unlawful reprisal from extremely ruthless people who have repeatedly taken such action in the past. But I am confident that I am speaking on behalf of countless thousands of honorable public servants, at Justice and elsewhere, who take their responsibilities seriously and share these views. And some things must be said, whatever the risk.

How long will Mr. Koppel remain at the DoJ before he receives retribution for expressing these opinions?

Friday, September 01, 2006

The hypocrisy of the FreeRepublic.com crowd

In 2000, an article about "The Secret FISA Court: Rubber Stamping Our Rights" created outrage and prompted comments like this:

This is beyond frightening. Thank you for this find.

This does not bode well for continued freedom. Franz Kafka would have judged this too wild to fictionalize. But for us - it’s real.

and this:
Any chance of Bush rolling some of this back? It sounds amazing on its face.
But today, when there's warrantless NSA surveillance that makes the FISA Court look like significant judicial oversight, the comments are like this:
Privacy is a false argument and has been for some time. Your insurance company and the credit bureaus have more on you than the feds do and you can do nothing about it. I would rather be secure knowing that the feds were looking over my shoulder and keeping me safe. I have nothing to hide, and in times of war, these steps are necessary.
So when Clinton engages in eavesdropping (rubber stamped by the FISA Court), it's a threat to the republic, but when Bush does it (without any judicial oversight), it's no problem.

Hat tip to Gene Healy at Cato, by way of The Agitator.

Thursday, August 17, 2006

Judge grants injunction against warrantless wiretapping

Although the ACLU's lawsuit against AT&T in Illinois was thrown out, a separate case in Michigan filed on January 17 of this year against the NSA for warrantless wiretapping without approval of the FISA Court has resulted in a ruling by U.S. District Judge Anna Diggs Taylor that the practice is unconstitutional and must stop immediately. This is not the final decision in the case, but the granting of an injunction for the plaintiff.

The Electronic Frontier Foundation's lawsuit against AT&T also continues.

Sunday, August 06, 2006

Republican playbook for 2006 elections leaked

A 91-page document describing the Republican strategy for the 2006 elections has been leaked and is available online (PDF). The document was obtained by The Raw Story website, which has published a summary:

The document, signed by Senators Rick Santorum (R-PA) and Kay Bailey Hutchison (R-TX), reveals plans to focus Republican Senatorial campaigns on three themes.

Next week, Republicans will tout efforts to "secure America's prosperity" through a variety of programs. Plans for small business health insurance pooling, spending reductions, increased domestic oil drilling, and "permanent death tax reform" are all to be pushed at the state level.

Mid-month, Republicans are expected to shift gears, focusing voters' attention instead on a variety of values-based initiatives. "Democrats oppose preserving a clear definition of marriage, are blocking child custody protections, and have obstructed the confirmation of fair judges," the document reads. "Republicans are committed to protecting these traditional values by fostering a culture of life, protecting children, banning internet gambling and upholding the rule of law."

Stem cell bills, though vetoed by President Bush, are also to be championed by Republicans, even as they promote a law preventing "fetus farming," a practice lawmakers believe could one day result from stem cell research. Strangely, a section touting various types of stem cell funding set to be promoted by Republicans is followed by another section, headlined, "Setting The Record Straight: President Bush's Stem Cell Policy Is Working."

Also included in the Republican values push will be the Child Custody Protection Act, which would make "it a federal crime to circumvent state parental involvement laws by taking a minor across state lines for an abortion."

Republicans then plan to spend the month's remaining two weeks promoting the party's efforts in regard to homeland security.

Approval of Attorney General Alberto Gonzales' plan for new, court-martial-like trials for terror detainees seems to be a priority, as are funding for the US-Mexico border fence, employee background checks for port security workers and improvement of the national emergency alert system.

The section seems more concerned, however, with defending the Republican record on security, promoting positive statements by the Iraqi Prime Minister, and combating Democratic criticism. For instance, terror suspect surveillance is listed as a priority, and "liberal newspaper" reports about NSA wiretap programs are criticised, but future programs are not listed among other proposed laws.

Hat tip to Jack Kolb on the SKEPTIC mailing list.

Tuesday, July 25, 2006

Judge throws out ACLU lawsuit against NSA

While the Electronic Frontier Foundation's lawsuit against AT&T continues, U.S. District Judge Matthew F. Kennelly today threw out the ACLU's lawsuit against the National Security Agency for collecting call detail records from AT&T, MCI, and other providers (though not, apparently, from Verizon or BellSouth).

Tuesday, June 20, 2006

More details on apparent NSA interception at AT&T

Salon.com has a new article on a room in an AT&T facility in Bridgeton, MO (a St. Louis suburb) that may be an NSA interception facility. The room is protected by a man trap and biometric security, and the AT&T employees who are permitted to enter it had to get Top Secret security clearances. The work orders for setting up a similar room in a San Francisco AT&T office, reported by former AT&T worker Mark Klein, came from Bridgeton.

The Electronic Frontier Foundation has an ongoing class-action lawsuit against AT&T over its involvement in illegal NSA wiretapping.

Friday, June 09, 2006

Information Security Index

This post is an index to posts at The Lippard Blog on the subject of information security. This is probably not a complete list; I've tended to exclude posts labeled "security" that don't specifically touch on information security and may have over-excluded.

"Richard Bejtlich reviews Extreme Exploits" (August 16, 2005) Link to Richard Bejtlich review of Extreme Exploits, a book I was the technical editor on.

"Sony's DRM--not much different from criminal hacking" (November 2, 2005) Summary and link to Mark Russinovich's exposure of the Sony rootkit DRM.

"Defending Against Botnets" (November 3, 2005) Link to my presentation on this subject at Arizona State University.

"Sony DRM class action lawsuits" (November 10, 2005) Comment on the Sony rootkit class action lawsuits.

"Another Botnet Talk" (December 11, 2005) Comment on my December botnet talk for Phoenix InfraGard, with links to past botnet presentations.

"Major flaw in Diebold voting machines" (December 23, 2005) A flaw that allows preloading votes on a memory card for Diebold voting machines in an undetectable way.

"The Windows Meta File (WMF) exploit" (January 3, 2006) Description of an at-the-time unresolved Windows vulnerability.

"New Internet consumer protection tool--SiteAdvisor.com" (January 25, 2006) Report on SiteAdvisor.com tool (now a McAfee product).

"Pushing Spyware through Search" (January 28, 2006) Ben Edelman's work on how Google is connected to spyware by accepting paid advertising from companies that distribute it.

"Database error causes unbalanced budget" (February 17, 2006) How a house in Indiana was incorrectly valued at $400 million due to a single-keystroke error, leading to wrongly increased budgets and distribution of funds on the expectation of property tax revenue.

"The Security Catalyst podcast" (February 18, 2006) Announcement of Michael Santarcangelo's security podcast.

"Controversial hacker publishes cover story in Skeptical Inquirer" (February 19, 2006) Critique of Carolyn Meinel's article about information warfare.

"Even more serious Diebold voting machine flaws" (May 14, 2006) Hurst report on new major flaws found in Diebold voting machines.

"Botnet interview on the Security Catalyst podcast" (May 23, 2006) Link to part I of my interview on botnets with Michael Santarcangelo.

"Part II of Botnets Interview" (June 4, 2006) Link to part II of my botnets interview.

"'Banner farms' and spyware" (June 12, 2006) Ben Edelman's exposure of Hula Direct's "banner farms" used to deliver ads via spyware.

"When private property becomes the commons" (June 12, 2006) Consumer PCs as Internet "commons," economics and information security.

"Network security panel in Boston area" (June 12, 2006) Announcement of a public speaking gig.

"Identity Crisis: How Identification is Overused and Misunderstood" (July 6, 2006) Quotation from Tim Lee review of book by Jim Harper with this title.

"9th Circuit approves random warrantless searches and seizures of laptops" (July 28, 2006) Bad decision granting border police the right to perform full forensic examination of the hard drives of laptops carried by people wanting to cross the U.S. border.

"Is it worth shutting down botnet controllers?" (August 18, 2006) A response to remarks by Gadi Evron and Paul Vixie that it is no longer worth shutting down botnet controllers.

"The ineffectiveness of TRUSTe" (September 29, 2006) A larger proportion of sites with TRUSTe certification are marked as untrustworthy in SiteAdvisor's database than of those that don't have TRUSTe certification.

"The U.S. no-fly list is a joke" (October 5, 2006) The no-fly list has major flaws, listing people who aren't a threat and not listing people who are--and presuming that terrorists will be identifiable by their names.

"How planespotting uncovered CIA torture flights" (October 20, 2006) How an unusual hobby allowed for traffic analysis to uncover CIA torture flights.

"Point out the obvious, get raided by the FBI" (October 29, 2006) Chris Soghoian gets raided by the FBI after putting up a web page that allows generation of Northwest Airlines boarding passes.

"Electronic voting machines in Florida having problems in early voting" (October 31, 2006) A report on voting machines registering votes for the wrong candidate due to touch screen calibration issues.

"The Two Faces of Diebold" (November 5, 2006) The difference between the public and private versions of SAIC's report on Diebold voting machine vulnerabilities.

"FBI eavesdropping via cell phones and OnStar" (December 4, 2006) Reports of vulnerabilities in newer cell phones that allow them to be used as listening devices even when powered off.

"Time to Stop Using Microsoft Word" (December 7, 2006) New unpatched malicious code execution vulnerability in most versions of Word.

"Staffer for Congressman tries to hire hacker to change grades" (December 22, 2006) Todd Shriber's failed attempt to retroactively improve his college career.

"My bank is on the ball" (January 6, 2007) My bank prevents theft of my money.

"Skeptical information and security information links" (January 23, 2007) Promotion of my security links and skeptical links sites.

"Schoolteacher convicted on bogus charges due to malware" (February 4, 2007) Connecticut teacher Julie Amero successfully prosecuted for showing porn to kids, when in fact it was the result of malware on a machine the school district refused to pay for antivirus software on.

"McCain proposes an unfunded mandate for ISPs" (February 7, 2007) McCain sponsors a bill to force ISPs to scan all traffic for and report child porn images they find.

"Warner Music: We'd rather go out of business than give customers what they want" (February 9, 2007) Warner Music says no way to DRM-free music.

"The economics of information security" (February 13, 2007) Ross Anderson and Tyler Moore paper on the economics of infosec.

"How IPv6 is already creating security problems" (February 19, 2007) Apple AirPort allows bypass of firewall rules via IPv6.

"Windows, Mac, and BSD Security" (March 8, 2007) Amusing video parody comparing the OSes.

"Bob Hagen on botnet evolution" (March 9, 2007) My former colleague on trends in botnets.

"The rsync.net warrant canary" (March 25, 2007) How rsync.net will communicate whether it receives a National Security Letter without breaking the law.

"FBI focus on counterterrorism leads to increase in unprosecuted fraud and identity theft" (April 11, 2007) The law of unintended consequences strikes again.

"Banning the distribution of AACS keys is futile" (May 3, 2007) You can't stop the communication of a 128-bit number as though it's proprietary.

"CALEA compliance day" (May 14, 2007) Commemoration of the day that VoIP providers have to be CALEA-compliant.

"Spying on the homefront" (May 14, 2007) PBS Frontline on FBI misuse of National Security Letters and NSA eavesdropping.

"The bots of summer" (June 6, 2007) Report on some media coverage of my botnet interview with the Security Catalyst from 2006.

"Microsoft's new Turing Test" (June 12, 2007) It's not often I get to combine animal rescue and information security topics, but this is one--using animal pictures to authenticate.

"Operation Bot Roast" (June 14, 2007) FBI prosecution of some botnet people.

"Google thinks I'm malware"
(July 13, 2007) Google stops returning results to me in some cases because my behavior looks like malware activity.

"Asking printer manufacturers to stop spying results in Secret Service visit?"
(July 14, 2007) MIT Media Lab project to get people to complain to printer manufacturers about their secret coding of serial numbers, which got one person a visit from the USSS.

"A marketplace for software vulnerabilities" (July 29, 2007) WabiSabiLabi's abortive attempt to create a market for the sale and purchase of vulnerability information.

"Another Sony rootkit"
(September 5, 2007) F-Secure finds another Sony product that installs a rootkit--the Sony MicroVault USM-F memory stick (now off the market).

"Anti-P2P company suffers major security breach"
(September 16, 2007) Media Defender gets hacked.

"Microsoft updates Windows XP and Vista without user permission or notification" (September 17, 2007) Nine executables get pushed to everybody even if Windows update is turned off--except for corporate SMS users.

"Lessons for information security from Multics"
(September 19, 2007) Paul Karger and Roger Schell's paper on Multics gets attention from Bruce Schneier.

"Hacker finds vulnerability in Adobe Reader"
(September 24, 2007) The era of attacks on applications rather than OS's gets a boost.

"Break-in at CI Host colo facility" (November 4, 2007) The role of physical security for websites.

"Spammers and criminals for Ron Paul" (November 6, 2007) Botnets used to send spam promoting Ron Paul.

"Macintosh security lags behind Windows and BSD" (November 8, 2007) Rundown on new Mac security features, some of which are negative in effect.

"Multics source code released" (November 13, 2007) Multics becomes open source.

"Untraceable looks unwatchable"
(December 18, 2007) A post that generated a huge amount of response, about the Diane Lane movie that flopped at the box office, before it came out.

"Notorious major spammer indicted"
(January 3, 2008) Alan Ralsky may actually get what he deserves.

"Boeing 787 potentially vulnerable to passenger software-based hijacking" (January 8, 2008) Passenger Internet access for the Boeing 787 is physically connected to the network for communication and navigation.

"'Anonymous' launches 'war' against Scientology"
(January 22, 2008) Denial of service attacks and other pranks against Scientology.

"Tinfoil hat brigade generates fear about Infragard"
(February 8, 2008) Response to Matt Rothschild's article in The Progressive claiming that InfraGard members have the right to "shoot to kill" when martial law is declared.

"FBI responds to 'shoot to kill' claims about InfraGard" (February 15, 2008) Commentary and link to the FBI's response to Rothschild.

"Malware in digital photo frames" (February 17, 2008) Viruses in unusual digital storage locations.

"Canada busts 17 in botnet ring" (February 21, 2008) News about law enforcement action against criminals in Canada.

"More InfraGard FUD and misinformation" (February 23, 2008) Response to Gary Barnett's InfraGard article at the Future of Freedom Foundation website.

"New Mexico InfraGard conference" (February 24, 2008) Summary of the New Mexico InfraGard's "Dollar-Gard 2008" conference.

"Pakistan takes out YouTube, gets taken out in return" (February 25, 2008) Yesterday's events of political and/or religious censorship gone awry in Pakistan.

"Jeremy Jaynes loses appeal on spamming case"
(March 1, 2008) The Virginia Supreme Court upholds Virginia's anti-spam law.

"Software awards scam" (March 25, 2008) Many software download sites give out bogus awards.

"Scammers scamming scammers" (April 7, 2008) Marco Cova looks at what some phishing kits really do.

"Bad military botnet proposal" (May 13, 2008) A response to Col. Charles Williamson's proposal to build a military botnet.

"MediaDefender launches denial of service attack against Revision3" (May 29, 2008) Anti-P2P piracy firm crosses the line and attacks a legitimate company.

"San Francisco's city network held hostage" (July 19, 2008) Some actual facts behind the hyped charges against the city's network administrator.

"Did Diebold tamper with Georgia's 2002 elections?" (July 20, 2008) Some troubling information about Diebold's last-minute patching on Georgia election machines.

"Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure" (August 1, 2008) Concerns about privacy in both China and the U.S.

"Military botnets article" (August 28, 2008) Peter Buxbaum's article on "Battling Botnets" in Military Information Technology magazine.

"Virginia Supreme Court strikes down anti-spam law" (September 12, 2008) Julian Jaynes goes free as Virginia's anti-spam law goes away.

"Sarah Palin's Yahoo account hacked" (September 17, 2008) Palin's Yahoo account is hacked, and the contents published.

"TSA airport security is a waste of time and money"
(October 18, 2008) Link to Jeffrey Goldberg's article in The Atlantic.

"Behind the scenes during the election process" (November 6, 2008) Both major party presidential nominees suffered computer compromises.

"White House may be forced to recover 'lost' emails"
(November 14, 2008) Lawsuit may require recovery from backups.

"Criminal activity by air marshals"
(November 14, 2008) Multiple cases.

"PATRIOT Act NSL gag order unconstitutional" (December 19, 2008) Recipients of National Security Letters now can't be gagged without court order.

"The U.S. Nazi dirty bomb plot" (March 15, 2009) A little-covered story about a real terrorist plot.

"The Cybersecurity Act of 2009" (April 4, 2009) It's not as bad as it appears.

"Tracking cyberspies through the web wilderness" (May 12, 2009) How University of Toronto researchers have tracked online spying activity.

"Bad military botnet proposal still being pushed" (June 26, 2009) Col. Williamson's proposal to build an offensive U.S. military botnet is still being promoted by him.

"DHS still a mess, five years on" (July 16, 2009) Center for Public Integrity review of DHS.

"How Twitter got compromised"
(July 23, 2009) TechCrunch gives the anatomy of the attack on Twitter.

Tuesday, May 23, 2006

Bush administration on NSA suit: Courts have no right to address the issue

Ed Brayton points out a paragraph from an AP story that says:
The Bush administration has urged a judge to dismiss a similar case, saying it threatens to divulge state secrets and jeopardize national security. The government argued in briefs that the courts cannot decide the constitutionality of the president's asserted wartime powers to eavesdrop on Americans without warrants.
As Ed observes,
If the courts cannot decide the constitutionality of such programs, then we might as well not have a constitution or courts at all.

Thursday, May 18, 2006

Late 1990s NSA program

The Baltimore Sun has reported on a shelved 1990s NSA program to collect and analyze phone records which had the following features:
* Used more sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

* Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

* Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

* Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

Perhaps this program was brought back after 9/11? If such records were maintained with phone number and caller information encrypted until needed, and decrypted only with appropriate legal authorization, would that enable Verizon and BellSouth to truthfully deny having supplied the records to the NSA? I don't think so, unless the system was in the possession of the phone companies and didn't release data to the NSA until legal authorization was obtained. But would such a system be objectionable? So long as the controls genuinely prevented abuse and legal authorizations were really obtained for each use, I don't think it would be. (Via Talking Points Memo.)
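The controls discussed above (identifiers hidden from analysts, relationship analysis on the hidden data, audited and authorization-gated re-identification, custody with the record holder) can be sketched in code. This is an added example, not code from the Baltimore Sun report or the NSA program; it substitutes keyed HMAC pseudonyms plus an escrow table for the reversible encryption the report mentions. All class, function and authorization names are hypothetical, and the call records are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

class Custodian:
    """Record holder (assumed here to be the carrier): keeps key, escrow table, audit log."""

    def __init__(self, key: bytes):
        self._key = key
        self._escrow = {}       # pseudonym -> real number; never exported
        self._authorized = {}   # authorization id -> pseudonyms it covers
        self.audit_log = []     # every re-identification attempt, granted or not

    def pseudonymize(self, number: str) -> str:
        # Keyed and deterministic: the same number always yields the same
        # pseudonym, so contact analysis still works on the exported data.
        # Digest truncated to 16 hex characters for readability.
        tag = hmac.new(self._key, number.encode(), hashlib.sha256).hexdigest()[:16]
        self._escrow[tag] = number
        return tag

    def export(self, calls):
        return [(self.pseudonymize(a), self.pseudonymize(b)) for a, b in calls]

    def register_authorization(self, auth_id: str, pseudonyms):
        self._authorized[auth_id] = set(pseudonyms)

    def reidentify(self, analyst: str, pseudonym: str, auth_id: str) -> str:
        granted = pseudonym in self._authorized.get(auth_id, set())
        self.audit_log.append((analyst, pseudonym, auth_id, granted))
        if not granted:
            raise PermissionError("no authorization covers this pseudonym")
        return self._escrow[pseudonym]

def contact_graph(pseudonymized_calls):
    """Analyst side: who contacted whom, computed without any real numbers."""
    graph = defaultdict(set)
    for a, b in pseudonymized_calls:
        graph[a].add(b)
        graph[b].add(a)
    return graph

# Constructed sample call records (fictional 555 numbers).
CALLS = [("202-555-0101", "212-555-0142"), ("202-555-0101", "305-555-0177"),
         ("202-555-0101", "415-555-0190"), ("212-555-0142", "305-555-0177")]

custodian = Custodian(key=b"constructed-demo-key")
released = custodian.export(CALLS)
graph = contact_graph(released)
hub = max(graph, key=lambda p: len(graph[p]))  # most-connected pseudonym
```

The analyst can find the most-connected pseudonym from `released` alone, but learning whose number it is requires a `reidentify` call, which is logged whether or not it is granted.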

BTW, in a New York Times story in which Verizon denied turning over records to the NSA (which BellSouth has also denied), Tony Rutkowski of Verisign is quoted suggesting that the NSA may have collected long-distance phone records rather than local calls. The article notes that Verizon's denial seems to leave the door open to the possibility that MCI, which Verizon recently acquired, had turned over data. Verisign, it should be noted, has been attempting to develop a business where it acts as a third-party manager for subpoenas and wiretapping for phone companies. While the telcos have strongly attempted to block attempts by the government to expand its wiretapping capabilities into the VOIP and Internet arenas (in part on the grounds that the CALEA statutes do not cover them, and also because the infrastructure expense is placed entirely on the telcos), Verisign has supported the government's efforts, as these filed comments with the FCC make clear (red means support for expanded government wiretapping capability, blue means opposition).

You'll note that Verisign is uniformly supportive of the government, and of the three telcos that have come under fire for giving data to the NSA, two are uniformly opposed (BellSouth and SBC (now AT&T)) and one is partly opposed and partly supportive (Verizon). I'm happy to note that my employer, Global Crossing, is not only on record as opposed, but filed comments which addressed more of the issues than most of the other filers.

(UPDATE May 19, 2006: Apparently the 1990s program was called ThinThread.)