Socialism and the End of the American Dream: group items tagged backdoors

Paul Merrell

Even the Former Director of the NSA Hates the FBI's New Surveillance Push - The Daily B...

  • The head of the FBI has spent the last several months in something of a panic, warning anyone who will listen that terrorists are “going dark”—using encrypted communications to hide from the FBI—and insisting that the bureau needs some kind of electronic back door to get access to those chats. It’s an argument that civil libertarians and technology industry executives have largely rejected. And now, members of the national security establishment—veterans of both the Obama and Bush administrations—are beginning to speak out publicly against FBI Director Jim Comey’s call to give the government a skeleton key to your private talks.
  • The encryption issue was also one of several small, but telling, ways in which Comey seemed out of sync with some of his fellow members of the national security establishment here at the Aspen Security Forum.
  • This isn’t the first intra-government fight over encryption, Chertoff noted. The last time an administration insisted on a technological back door—in the 1990s—Congress shot down the idea. And despite cries of “going dark” back then, the government found all kinds of new ways to spy. “We collected more than ever. We found ways to deal with that issue,” Chertoff told the forum.
Paul Merrell

High Court Rules UK's Surveillance Powers Violate Human Rights

  • UK's High Court found the rushed Data Retention and Investigatory Powers Act (DRIPA) to be illegal under the European Convention on Human Rights and EU Charter of Fundamental Rights, both of which require respect for private and family life, as well as protection of personal data in the case of the latter. DRIPA was challenged by two members of Parliament (MPs), Labor's Tom Watson and the Conservative David Davis, who argued that the surveillance of communications wasn't limited to serious crimes, that individual notices for data collection were kept secret, and that no provision existed to protect those who need professional confidentiality, such as lawyers and journalists. DRIPA was pushed through in three days last year after the European Court of Justice ruled that the EU data retention powers were disproportionate, which invalidated the previous data retention law in the UK. The UK High Court also ruled that sections 1 and 2 of DRIPA were unlawful based on the fact that they fail to provide precise policies to ensure that data is only accessed for the purpose of investigating serious crimes. Another major point against DRIPA was that it didn't require judicial approval, which could limit access to only the data that is strictly necessary for investigations.
  • DRIPA passed in only three days, but the Court allowed it to continue for another nine months, to give the UK government enough time to draft new legislation. Although this almost doubles the time in which this law will exist, it might be better in the long term, as it gives the members of Parliament enough time to debate its successor, without having to rush yet another law fearing that the government's surveillance powers will expire. This court ruling arrived at the right time, as the UK government is currently preparing the draft for the Investigative Powers Bill (also called Snooper's Charter by many), which further expands the government's surveillance powers and may even request encryption backdoors. It also joins other recent reviews of the government's surveillance laws that called for much stricter oversight done by judges rather than the government's own members. "Campaigners, MPs across the political spectrum, the Government's own reviewer of terrorism legislation are all calling for judicial oversight and clearer safeguards," said James Welch, Legal Director for Liberty, a human rights organization.
  • The Dark State takes another hit.
Paul Merrell

Hacking Team Asks Customers to Stop Using Its Software After Hack | Motherboard

  • But the hack hasn’t just ruined the day for Hacking Team’s employees. The company, which sells surveillance software to government customers all over the world, from Morocco and Ethiopia to the US Drug Enforcement Agency and the FBI, has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned. “They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.
  • Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said. On Sunday night, an unnamed hacker, who claimed to be the same person who breached Hacking Team’s competitor FinFisher last year, hijacked its Twitter account and posted links to 400GB of internal data. Hacking Team woke up to a massive breach of its systems.
  • A source told Motherboard that the hackers appear to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data. “The hacker seems to have downloaded everything that there was in the company’s servers,” the source, who could only speak on condition of anonymity, told Motherboard. “There’s pretty much everything here.” It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source. “I did not expect a breach to be this big, but I’m not surprised they got hacked because they don’t take security seriously,” the source told me. “You can see in the files how much they royally fucked up.”
  • For example, the source noted, none of the sensitive files in the data dump, from employees’ passports to lists of customers, appear to be encrypted. “How can you give all the keys to your infrastructure to a 20-something who just joined the company?” he added, referring to Pozzi, whose LinkedIn shows he’s been at Hacking Team for just over a year. “Nobody noticed that someone stole a terabyte of data? You gotta be a fuckwad,” the source said. “It means nobody was taking care of security.”
  • The future of the company, at this point, is uncertain. Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard. It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts. Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely. The company, in fact, has “a backdoor” into every customer’s software, giving it the ability to suspend it or shut it down—something that even customers aren’t told about. To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.
Paul Merrell

Exclusive: NSA infiltrated RSA security more deeply than thought - study | Reuters

  • Security industry pioneer RSA adopted not just one but two encryption tools developed by the U.S. National Security Agency, greatly increasing the spy agency's ability to eavesdrop on some Internet communications, according to a team of academic researchers. Reuters reported in December that the NSA had paid RSA $10 million to make a now-discredited cryptography system the default in software used by a wide range of Internet and computer security programs. The system, called Dual Elliptic Curve, was a random number generator, but it had a deliberate flaw - or "back door" - that allowed the NSA to crack the encryption. A group of professors from Johns Hopkins, the University of Wisconsin, the University of Illinois and elsewhere now say they have discovered that a second NSA tool exacerbated the RSA software's vulnerability. The professors found that the tool, known as the "Extended Random" extension for secure websites, could help crack a version of RSA's Dual Elliptic Curve software tens of thousands of times faster, according to an advance copy of their research shared with Reuters. While Extended Random was not widely adopted, the new research sheds light on how the NSA extended the reach of its surveillance under cover of advising companies on protection.
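What a "back door" in a random number generator actually means is easier to see in code than in a news summary. The block below is an added example written for this page; it is not code from RSA, NIST, or the researchers' paper. It is a scaled-down Dual_EC_DRBG over a constructed 17-point curve in which the second generator point Q is deliberately derived from a secret scalar D so that D*Q = P. Whoever holds D can turn a single observed output into the generator's next internal state and predict everything it emits afterwards; anyone without D faces an elliptic-curve discrete-log problem. The curve, the base point P, the seeds and D are all assumptions chosen here for illustration. The real generator also discards the top 16 bits of each output, so a real attacker must try on the order of 2^16 candidate points per output and check each against the next output; the toy emits the whole x-coordinate and skips that step, and it is roughly that search which gets cheaper when more raw generator output is exposed on the wire, as the Extended Random extension does.

```python
"""Toy Dual_EC_DRBG with a trapdoor in Q (added example, not RSA/NIST code).

Requires Python 3.8+ for pow(x, -1, m). A tiny curve stands in for
NIST P-256 so every step runs instantly and can be checked by hand.
"""

# Constructed toy curve y^2 = x^3 + x + 3 over F_17. It has 17 points
# (prime order, so every point generates) and no point with x == 0,
# so every generator state is a valid non-zero scalar.
P_MOD = 17
A, B = 1, 3
ORDER = 17
INF = None  # point at infinity


def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine point addition; doubles when p1 == p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    k %= ORDER
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


# Base point P (assumed) and the trapdoor: Q = D^-1 * P, hence D*Q == P.
# SP 800-90A published fixed P and Q without saying how Q was derived;
# this relationship is the one Shumow and Ferguson showed would let the
# party that chose Q recover the generator's state.
P_GEN = (2, 8)
D = 5  # secret trapdoor scalar (assumed for the example)
Q_GEN = ec_mul(pow(D, -1, ORDER), P_GEN)


def drbg_outputs(seed, n):
    """Dual_EC_DRBG core loop: s_i = x(s_{i-1}*P), r_i = x(s_i*Q)."""
    s = seed
    out = []
    for _ in range(n):
        s = ec_mul(s, P_GEN)[0]          # next internal state
        out.append(ec_mul(s, Q_GEN)[0])  # emitted output
    return out


def lift_x(r):
    """Find a curve point with x == r; either sign of y gives the same attack."""
    for y in range(P_MOD):
        if on_curve((r, y)):
            return (r, y)
    raise ValueError("no point with x == %d" % r)


def predict_next(r_observed):
    """Holder of D: one output r_i reveals s_{i+1} and therefore r_{i+1}.

    R = +-(s_i * Q), so D*R = +-(s_i * D*Q) = +-(s_i * P), whose
    x-coordinate is exactly the generator's next state.
    """
    R = lift_x(r_observed)
    s_next = ec_mul(D, R)[0]
    return ec_mul(s_next, Q_GEN)[0]


def trapdoor_predicts_all_seeds():
    """True if one output is enough to predict the next for every seed."""
    for seed in range(1, ORDER):
        r1, r2 = drbg_outputs(seed, 2)
        if predict_next(r1) != r2:
            return False
    return True


if __name__ == "__main__":
    r1, r2, r3 = drbg_outputs(seed=9, n=3)  # seed 9 is an arbitrary choice
    print("observed r1 =", r1, "; real r2 =", r2)
    print("attacker's prediction for r2 =", predict_next(r1))
    print("every seed predictable:", trapdoor_predicts_all_seeds())
```

The two halves of the attack are the two lines in predict_next: lifting the output back to a point, then multiplying by D. Nothing in the emitted stream looks wrong to a statistical test, which is why the flaw had to be argued from the provenance of Q rather than from the output.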
Paul Merrell

Tech giants oppose NSA reform bill for timid safeguards against spying - RT USA

  • Ahead of Thursday’s US House vote on a bill sold as reform of a major US government spying program, top technology firms like Google have joined civil liberties and privacy groups in calling the legislation inadequate in fighting mass surveillance. The Reform Government Surveillance coalition – AOL, Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo – offered a statement on Wednesday denouncing the USA Freedom Act as a weak attempt at ending the government’s bulk storage of domestic phone metadata.
  • The USA Freedom Act would take the mass storage of phone records away from the government. Instead, telecommunications companies would be required to store the data. The bill would require the National Security Agency to get approval to search the telecoms’ cache of records from the often-compliant Foreign Intelligence Surveillance Court. Last-minute changes to the bill rankled privacy groups on Tuesday, leading many of them to decry the backdoor dealings as responsible for a “weakened,” “watered down” bill compared to what had previously passed the House Judiciary and Intelligence Committees earlier this month. On Wednesday, the tech coalition echoed these concerns, calling the amended legislation a move “in the wrong direction” of needed reform regarding mass surveillance. "The latest draft opens up an unacceptable loophole that could enable the bulk collection of Internet users' data," the coalition said. "While it makes important progress, we cannot support this bill as currently drafted and urge Congress to close this loophole to ensure meaningful reform." The loophole referred to by the coalition pertains to the USA Freedom Act’s definition for how and when government officials can search collected phone metadata records.
  • The new language – approved by House leaders and the Obama administration in recent days – modifies the prohibitions on bulk collection of domestic data to allow government officials to search for Americans’ phone records using “a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought.” This revised standard for the USA Freedom Act’s reform of surveillance is too broad and leaves privacy protections at risk, civil liberties groups said on Tuesday. In addition, the legislation’s new language also weakens the bill’s transparency provisions which outlined how much technology companies can disclose to customers about the extent of government requests of user data.
  • In addition to the tech coalition’s protest, the Computer & Communications Industry Association – whose members include Pandora, Samsung, Sprint, and others – said Wednesday it would “not support consideration or passage of the USA Freedom Act in its current form." The Obama administration publicly threw its support behind the amended USA Freedom Act, saying the bill would “provide the public greater confidence in our programs and the checks and balances in the system.” “The bill ensures our intelligence and law enforcement professionals have the authorities they need to protect the nation, while further ensuring that individuals’ privacy is appropriately protected when these authorities are employed,” the White House included.
  • Lawmakers opposed to the secretive negotiations attempted on Tuesday to counter the weakened surveillance reform bill by offering an amendment to the National Defense Authorization Act (NDAA) that is “materially identical” to the version of the USA Freedom Act that was advanced by the House Judiciary and Intelligence Committees earlier this month. Yet the amendment was denied by the House Rules Committee late Tuesday. The House is now scheduled to vote on the USA Freedom Act on Thursday under closed rules, which forbids adding amendments before the final vote.
  • The Obama Administration and NSA supporters in the House of Representatives resort to a successful last-minute ambush attack to eviscerate the modest reforms proposed in the USA Freedom Act.
Paul Merrell

FBI demands new powers to hack into computers and carry out surveillance | US news | Th...

  • The FBI is attempting to persuade an obscure regulatory body in Washington to change its rules of engagement in order to seize significant new powers to hack into and carry out surveillance of computers throughout the US and around the world. Civil liberties groups warn that the proposed rule change amounts to a power grab by the agency that would ride roughshod over strict limits to searches and seizures laid out under the fourth amendment of the US constitution, as well as violate first amendment privacy rights. They have protested that the FBI is seeking to transform its cyber capabilities with minimal public debate and with no congressional oversight. The regulatory body to which the Department of Justice has applied to make the rule change, the advisory committee on criminal rules, will meet for the first time on November 5 to discuss the issue. The panel will be addressed by a slew of technology experts and privacy advocates concerned about the possible ramifications were the proposals allowed to go into effect next year.
  • “This is a giant step forward for the FBI’s operational capabilities, without any consideration of the policy implications. To be seeking these powers at a time of heightened international concern about US surveillance is an especially brazen and potentially dangerous move,” said Ahmed Ghappour, an expert in computer law at University of California, Hastings college of the law, who will be addressing next week’s hearing. The proposed operating changes relate to rule 41 of the federal rules of criminal procedure, the terms under which the FBI is allowed to conduct searches under court-approved warrants. Under existing wording, warrants have to be highly focused on specific locations where suspected criminal activity is occurring and approved by judges located in that same district. But under the proposed amendment, a judge can issue a warrant that would allow the FBI to hack into any computer, no matter where it is located. The change is designed specifically to help federal investigators carry out surveillance on computers that have been “anonymized” – that is, their location has been hidden using tools such as Tor.
  • Were the amendment to be granted by the regulatory committee, the FBI would have the green light to unleash its capabilities – known as “network investigative techniques” – on computers across America and beyond. The techniques involve clandestinely installing malicious software, or malware, onto a computer that in turn allows federal agents effectively to control the machine, downloading all its digital contents, switching its camera or microphone on or off, and even taking over other computers in its network.
  • Civil liberties and privacy groups are particularly alarmed that the FBI is seeking such a huge step up in its capabilities through such an apparently backdoor route. Soghoian said of next week’s meeting: “This should not be the first public forum for discussion of an issue of this magnitude.” Jennifer Granick, director of civil liberties at the Stanford center for internet and society, said that “this is an investigative technique that we haven’t seen before and we haven’t thrashed out the implications. It absolutely should not be done through a rule change – it has to be fully debated publicly, and Congress must be involved.” Ghappour has also highlighted the potential fall-out internationally were the amendment to be approved. Under current rules, there are no fourth amendment restrictions to US government surveillance activities in other countries as the US constitution only applies to domestic territory.
  • Another insight into the expansive thrust of US government thinking in terms of its cyber ambitions was gleaned recently in the prosecution of Ross Ulbricht, the alleged founder of the billion-dollar drug site the Silk Road. Experts suspect that the FBI hacked into the Silk Road server, that was located in Reykjavik, Iceland, though the agency denies that. In recent legal argument, US prosecutors claimed that even if they had hacked into the server without a warrant, it would have been justified as “a search of foreign property known to contain criminal evidence, for which a warrant was not necessary”.
  • This rule change has been in the works during the last year. "The change is designed specifically to help federal investigators carry out surveillance on computers that have been "anonymized" - that is, their location has been hidden using tools such as Tor." Are we dizzy yet? The State Department is pushing the use of TOR by dissidents in nations whose governments State and the CIA intend to overthrow. Meanwhile, Feed Bag, Inc. wants use of TOR to be sufficient grounds for installing malware on anyone using it, to make their systems, and all their systems can see or hear, an open book. Let's see. There's the First Amendment right to anonymous speech just to begin with. McIntyre v. Ohio Elections Comm'n, 514 US 334 (1995). ("Under our Constitution, anonymous pamphleteering is not a pernicious, fraudulent practice, but an honorable tradition of advocacy and of dissent. Anonymity is a shield from the tyranny of the majority. It thus exemplifies the purpose behind the Bill of Rights, and of the First Amendment in particular: to protect unpopular individuals from retaliation-and their ideas from suppression-at the hand of an intolerant society. The right to remain anonymous may be abused when it shields fraudulent conduct. But political speech by its nature will sometimes have unpalatable consequences, and, in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.") (Internal citation omitted.) And of course there's the Natural Law liberty to whisper, to utter words in a way that none but the intended recipient can hear. So throw on the violation of the Fifth Amendment's Liberty clause. Then there's the plain language of the Fourth Amendment warrant clause, "particularly describing the *place* to be searched." Not to mention the major reason for the Fourth Amendment, to abolish the "general warrant" that had enabled the Crown to search wherever the warrant's executor's little heart desired. And th
Paul Merrell

Verizon's New, Encrypted Calling App Plays Nice With the NSA - Businessweek

  • Verizon is the latest big company to enter the post-Snowden market for secure communication, and it's doing so with an encryption standard that comes with a way for law enforcement to access ostensibly secure phone conversations. Verizon Voice Cypher, the product introduced on Thursday with the encryption company Cellcrypt, offers business and government customers end-to-end encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app. The encryption software provides secure communications for people speaking on devices with the app, regardless of their wireless carrier, and it can also connect to an organization's secure phone system. Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they're able to prove that there's a legitimate law enforcement reason for doing so. Seth Polansky, Cellcrypt's vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. "It's only creating a weakness for government agencies," he says. "Just because a government access option exists, it doesn't mean other companies can access it."
  • Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.
  • There has been increased interest in encryption from individual consumers, too, largely thanks to the NSA revelations leaked by Edward Snowden. Yahoo and Google began offering end-to-end encrypted e-mail services this year. Silent Circle, a startup catering to consumer and enterprise clients, has been developing end-to-end voice encryption for phone calls. Verizon's service, with a monthly price of $45 per device, isn't targeting individual buyers and won't be offered to average consumers in the near future. But Verizon's partner, Cellcrypt, looks upon selling to large organizations as the first step toward bringing down the price before eventually offering a consumer-level encryption service. "At the end of the day, we'd love to have this be a line item on your Verizon bill," says Polansky.
  • Other companies have designed their encryption in this way, including AT&T, which offers encrypted phone service for business customers. Apple and Android recently began protecting content stored on users' phones in a way that would keep the tech companies from being able to comply with requests from law enforcement. The move drew public criticism from FBI Director James Comey, and some security experts expect that a renewed effort to stir passage of legislation banning such encryption will accompany Silicon Valley's increased interest in developing these services. Verizon believes major demand for its new encryption service will come from governmental agencies conveying sensitive but unclassified information over the phone, says Tim Petsky, a senior product manager for Verizon Wireless. Corporate customers who are concerned about corporate espionage are also itching for answers. "You read about breaches in security almost every week in the press," says Petsky. "Enterprise customers have been asking about ways to secure their communications and up until this point, we didn't have a solution."
  • Many people in the security industry believe that a designed access point creates a vulnerability for criminals or spies to exploit. Last year reports surfaced that the FBI was pushing legislation that would require many forms of Internet communication to be wiretap-ready. A group of prominent security experts responded strongly: "Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences (PDF) for the economic well-being and national security of the United States," they wrote in a report issued in May. 
Paul Merrell

Visit the Wrong Website, and the FBI Could End Up in Your Computer | Threat Level | WIRED

  • Security experts call it a “drive-by download”: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hacker’s clutches within minutes. Now the technique is being adopted by a different kind of a hacker—the kind with a badge. For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system. The approach has borne fruit—over a dozen alleged users of Tor-based child porn sites are now headed for trial as a result. But it’s also engendering controversy, with charges that the Justice Department has glossed over the bulk-hacking technique when describing it to judges, while concealing its use from defendants. Critics also worry about mission creep, the weakening of a technology relied on by human rights workers and activists, and the potential for innocent parties to wind up infected with government malware because they visited the wrong website. “This is such a big leap, there should have been congressional hearings about this,” says ACLU technologist Chris Soghoian, an expert on law enforcement’s use of hacking tools. “If Congress decides this is a technique that’s perfectly appropriate, maybe that’s OK. But let’s have an informed debate about it.”
  • The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates. What’s changed is the way the FBI uses its malware capability, deploying it as a driftnet instead of a fishing line. And the shift is a direct response to Tor, the powerful anonymity system endorsed by Edward Snowden and the State Department alike.
Paul Merrell

Syria in the Crosshairs - Obama Confirms Airstrikes Will Not Be Limited to Iraq | SCG News

  • One year ago the Obama administration was doing their very best to build up public support for U.S. military intervention in Syria. Even though that attempt failed, no one who has been following this crisis closely believed for a moment that this was the end. They would regroup and try again from another angle. The angle they chose was surprising. Iraq has been off the media radar for so long that almost no one was factoring it in as an important geopolitical variable. ISIS (or ISIL) changed that. In our video "The Fall of Iraq What You're Not Being Told" we covered the history of U.S. tinkering in Iraq dating back to 1963, and showed how the U.S. government's push to topple Assad by funding and arming extremists in Syria enabled ISIS to gain a foothold in the region. At the end of that video we pointed to how this latest crisis in Iraq was likely to be used as a pretext for U.S. strikes in Syria.
  • The Obama administration confirmed this when questioned yesterday on whether the U.S. military intervention in Iraq would be extended to Syria. Their response: “We don't restrict potential U.S. action to a specific geographic space,” "The president's made clear time and again that we will take action as necessary, including direct U.S. military action, if it's necessary to defend the United States against an imminent threat," the official said. "Clearly we're focused on Iraq. That's where our ISR [intelligence, surveillance and reconnaissance] resources have surged. That's where we're working to develop additional intelligence," the official added. "But the group [ISIS], again, operates broadly and we would not restrict our ability to take action that is necessary to protect the United States." Oh, and this time Obama is not going to ask for permission from Congress. No one is talking about how the Syrian government (and Washington's desire to topple it) fits into this, but once the U.S. is carrying out airstrikes in Syrian territory, it would be trivial to expand the scope of the mission to include Syrian military targets. That way there would be no need for debate on the topic. The public would just find out we were at war after the fact (and probably via YouTube). It's a backdoor approach.
  • Another variable that has changed in the equation since last year is Russia's involvement. Due to the crisis in Ukraine, Russia has been placed on the defensive diplomatically, and as of yet it seems to be too tied up with disputes with Kiev to take an active role in the deliberations over ISIS. In the first round of the Syrian crisis both China and Russia warned the U.S. several times against military intervention, and Russia threatened that it could lead to a nuclear conflict. At this point, it's not clear whether Russia and China see where Washington is planning to take this, or if they will back up their previous threats when the time comes. It is also yet to be seen whether the relentless anti-Russia propaganda campaign that western media outlets have been pushing since the Ukraine crisis will affect Putin's ability to influence the outcome diplomatically. The annexation of Crimea will definitely be used to discredit Putin if he attempts to block airstrikes in Syria.
  • Obama has Syria in his rocket-sights again, but no consultation with Congress this time.
Paul Merrell

EFF Pries More Information on Zero Days from the Government's Grasp | Electronic Fronti...

  • Until just last week, the U.S. government kept up the charade that its use of a stockpile of security vulnerabilities for hacking was a closely held secret. In fact, in response to EFF’s FOIA suit to get access to the official U.S. policy on zero days, the government redacted every single reference to “offensive” use of vulnerabilities. To add insult to injury, the government’s claim was that even admitting to offensive use would cause damage to national security. Now, in the face of EFF’s brief marshaling overwhelming evidence to the contrary, the charade is over. In response to EFF’s motion for summary judgment, the government has disclosed a new version of the Vulnerabilities Equities Process, minus many of the worst redactions. First and foremost, it now admits that the “discovery of vulnerabilities in commercial information technology may present competing ‘equities’ for the [government’s] offensive and defensive mission.” That might seem painfully obvious—a flaw or backdoor in a Juniper router is dangerous for anyone running a network, whether that network is in the U.S. or Iran. But the government’s failure to adequately weigh these “competing equities” was so severe that in 2013 a group of experts appointed by President Obama recommended that the policy favor disclosure “in almost all instances for widely used code.”
  • The newly disclosed version of the Vulnerabilities Equities Process (VEP) also officially confirms what everyone already knew: the use of zero days isn’t confined to the spies. Rather, the policy states that the “law enforcement community may want to use information pertaining to a vulnerability for similar offensive or defensive purposes but for the ultimate end of law enforcement.” Similarly it explains that “counterintelligence equities can be defensive, offensive, and/or law enforcement-related” and may “also have prosecutorial responsibilities.” Given that the government is currently prosecuting users for committing crimes over Tor hidden services, and that it identified these individuals using vulnerabilities called a “Network Investigative Technique”, this too doesn’t exactly come as a shocker. Just a few weeks ago, the government swore that even acknowledging the mere fact that it uses vulnerabilities offensively “could be expected to cause serious damage to the national security.” That’s a standard move in FOIA cases involving classified information, even though the government unnecessarily classifies documents at an astounding rate. In this case, the government relented only after nearly a year and a half of litigation by EFF. The government would be well advised to stop relying on such weak secrecy claims—it only risks undermining its own credibility.
  • The new version of the VEP also reveals significantly more information about the general process the government follows when a vulnerability is identified. In a nutshell, an agency that discovers a zero day is responsible for invoking the VEP, which then provides for centralized coordination and weighing of equities among all affected agencies. Along with a declaration from an official at the Office of the Director of National Intelligence, this new information provides more background on the reasons why the government decided to develop an overarching zero day policy in the first place: it “recognized that not all organizations see the entire picture of vulnerabilities, and each organization may have its own equities and concerns regarding the prioritization of patches and fixes, as well as its own distinct mission obligations.” We now know the VEP was finalized in February 2010, but the government apparently failed to implement it in any substantial way, prompting the presidential review group’s recommendation to prioritize disclosure over offensive hacking. We’re glad to have forced a little more transparency on this important issue, but the government is still foolishly holding on to a few last redactions, including refusing to name which agencies participate in the VEP. That’s just not supportable, and we’ll be in court next month to argue that the names of these agencies must be disclosed. 
Paul Merrell

The All Writs Act, Software Licenses, and Why Judges Should Ask More Questions | Just S... - 0 views

  • Pending before federal magistrate judge James Orenstein is the government’s request for an order obligating Apple, Inc. to unlock an iPhone and thereby assist prosecutors in decrypting data the government has seized and is authorized to search pursuant to a warrant. In an order questioning the government’s purported legal basis for this request, the All Writs Act of 1789 (AWA), Judge Orenstein asked Apple for a brief informing the court whether the request would be technically feasible and/or burdensome. After Apple filed, the court asked it to file a brief discussing whether the government had legal grounds under the AWA to compel Apple’s assistance. Apple filed that brief and the government filed a reply brief last week in the lead-up to a hearing this morning.
  • We’ve long been concerned about whether end users own software under the law. Software owners have rights of adaptation and first sale enshrined in copyright law. But software publishers have claimed that end users are merely licensees, and our rights under copyright law can be waived by mass-market end user license agreements, or EULAs. Over the years, Granick has argued that users should retain their rights even if mass-market licenses purport to take them away. The government’s brief takes advantage of Apple’s EULA for iOS to argue that Apple, the software publisher, is responsible for iPhones around the world. Apple’s EULA states that when you buy an iPhone, you’re not buying the iOS software it runs, you’re just licensing it from Apple. The government argues that having designed a passcode feature into a copy of software which it owns and licenses rather than sells, Apple can be compelled under the All Writs Act to bypass the passcode on a defendant’s iPhone pursuant to a search warrant and thereby access the software owned by Apple. Apple’s supplemental brief argues that in defining its users’ contractual rights vis-à-vis Apple with regard to Apple’s intellectual property, Apple in no way waived its own due process rights vis-à-vis the government with regard to users’ devices. Apple’s brief compares this argument to forcing a car manufacturer to “provide law enforcement with access to the vehicle or to alter its functionality at the government’s request” merely because the car contains licensed software. 
  • This is an interesting twist on the decades-long EULA versus users’ rights fight. As far as we know, this is the first time that the government has piggybacked on EULAs to try to compel software companies to provide assistance to law enforcement. Under the government’s interpretation of the All Writs Act, anyone who makes software could be dragooned into assisting the government in investigating users of the software. If the court adopts this view, it would give investigators immense power. The quotidian aspects of our lives increasingly involve software (from our cars to our TVs to our health to our home appliances), and most of that software is arguably licensed, not bought. Conscripting software makers to collect information on us would afford the government access to the most intimate information about us, on the strength of some words in some license agreements that people never read. (And no wonder: The iPhone’s EULA came to over 300 pages when the government filed it as an exhibit to its brief.)
  • The government’s brief does not acknowledge the sweeping implications of its arguments. It tries to portray its requested unlocking order as narrow and modest, because it “would not require Apple to make any changes to its software or hardware, … [or] to introduce any new ability to access data on its phones. It would simply require Apple to use its existing capability to bypass the passcode on a passcode-locked iOS 7 phone[.]” But that undersells the implications of the legal argument the government is making: that anything a company already can do, it could be compelled to do under the All Writs Act in order to assist law enforcement. Were that the law, the blow to users’ trust in their encrypted devices, services, and products would be little different than if Apple and other companies were legally required to design backdoors into their encryption mechanisms (an idea the government just can’t seem to drop, its assurances in this brief notwithstanding). Entities around the world won’t buy security software if its makers cannot be trusted not to hand over their users’ secrets to the US government. That’s what makes the encryption in iOS 8 and later versions, which Apple has told the court it “would not have the technical ability” to bypass, so powerful — and so despised by the government: Because no matter how broadly the All Writs Act extends, no court can compel Apple to do the impossible.
Paul Merrell

Breaking: Russian troops take control of key gas field from Kurdish forces in Deir Ezzor - 0 views

  • BEIRUT, LEBANON (3:42 P.M.) – Moments ago, reports came in that Russian Ground Forces troops entered the Koneko Gas Field and its attached company headquarters area in eastern Deir Ezzor province at the invitation of Kurdish-led forces. The information, disseminated by Syrian military reports, claims that an agreement has been brokered between Russia and the US-backed Syrian Democratic Forces whereby the Syrian government will be allowed to assume control over the gas field. If true, then the scope of any backdoor agreements reached between Moscow and Washington regarding the transfer of energy assets held by Kurdish-led militias back to the rightful ownership of the Damascus government may yet encompass wider dimensions (i.e. future transfers) – although there is absolutely no evidence to suggest this is in fact the case.
  • Nonetheless, the unexpected transfer of the Koneko Gas Field by the SDF to the Syrian government does now raise questions as to whether or not the hitherto competition between the Syrian Arab Army and Kurdish-led militias to seize control of the much larger Al-Omar Oil Field from ISIS further south is still on.
  • Most of the pundits I follow have been saying that the U.S. will soon withdraw in defeat from Syria. This could mark the beginning of that.