Skip to main content

Home/ Socialism and the End of the American Dream/ Group items tagged security-breach

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
Paul Merrell

Hackers Stole Secrets of U.S. Government Workers' Sex Lives - The Daily Beast - 0 views

www.thedailybeast.com/...ernment-workers-sex-lives.html

surveillance state OPM-computer-breach Snowden China

shared by Paul Merrell on 26 Jun 15 - No Cached
  • It was already being described as the worst hack of the U.S. government in history. And it just got much worse.A senior U.S. official has confirmed that foreign hackers compromised the intimate personal details of an untold number of government workers. Likely included in the hackers’ haul: information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity.Those details, which are now presumed to be in the hands of Chinese spies, are found in the so-called “adjudication information” that U.S. investigators compile on government employees and contractors who are applying for security clearances. The exposure suggests that the massive computer breach at the Office of Personnel Management is more significant and potentially damaging to national security than officials have previously said.
  • Three former U.S. intelligence officials told The Daily Beast that the adjudication information would effectively provide dossiers on current and former government employees, as well as contractors. It gives foreign intelligence agencies a roadmap for finding people with access to the government’s most highly classified secrets.Obama administration officials had previously acknowledged the breach of information that applicants voluntarily disclose on a routine questionnaire, called Standard Form 86, but the theft of the more detailed and wide-ranging adjudication information appears to have gone overlooked.
  • “Whoever compromised the adjudication information is going to have clear knowledge, beyond what’s in the SF86, about who the best targets for espionage are in the United States,” Michael Adams, a computer security expert who served more than two decades in the U.S. Special Operations Command, told The Daily Beast. “This is the most successful cyber attack in the history of the United States,” owing to the amount and quality of the information that was stolen, Adams said. U.S. intelligence officers spend years trying to recruit foreign spies to gather the kinds of details and insights that are contained in adjudication information, one former senior U.S. official said. This official, who requested anonymity, added that adjudication information would give foreign intelligence services “enormous leverage” over U.S. personnel whom they might forcibly interrogate for information or try to recruit.
  • ...4 more annotations...
  • The adjudication process had a broad scope, taking into account the SF86 questionnaire, reports from background investigations, interviews with the applicant's family members and associates, his or her employment history, and for people seeking high-level clearances, the results of polygraph investigations.Seymour said such records “span an employee’s career” and could stretch back as far as 30 years. Officials have said that as many as 18 million people may have been affected by the breach. Asked specifically what information the hackers had obtained, Seymour told lawmakers that she preferred to answer later in a “classified session.” Seymour didn’t specify how many people’s information was stolen. But the OPM oversees background investigations, which comprise a key part of the adjudication process, for more than 90 percent of security clearance applicants, according to the Congressional Research Service. An OPM spokesman didn’t respond to a request for comment in time for publication.
  • A former senior U.S. intelligence official, who asked to remain anonymous, said the OPM breach would cause more damage to national security operations and personnel than the leaks by Edward Snowden about classified surveillance by the National Security Agency.“This is worse than Snowden, because at least programs that were running before the leaks could be replaced or rebuilt,” the former official said. “But OPM, that’s the gift that keeps on giving. You can’t rebuild people.”Adjudicators are in a powerful position because in deciding whether to recommend granting a security clearance, they have access to the entire scope of an applicant’s file and are told to make a subjective analysis.“The adjudication process is the careful weighing of a number of variables known as the whole-person concept,” according to official guidelines. “Available, reliable information about the person, past and present, favorable and unfavorable, should be considered in reaching a determination.”
  • By design, adjudication is an invasive process, meant to unearth risk factors including drug and alcohol abuse, extramarital affairs, a history of violence, and other events that speak to a person’s “trustworthiness” and their susceptibility to blackmail or being recruited to spy for a foreign government.For instance, “compulsive gambling is a concern, as it may lead to financial crimes including espionage,” the guidelines say. Adjudicators are told to note “a pattern of compulsive, self-destructive, or high risk sexual behavior,” “relapse after diagnosis of alcohol abuse,” and “emotionally unstable, irresponsible, dysfunctional, violent, paranoid, or bizarre behavior,” among other warning signs in 13 categories. Some of the embarrassing personal details found in some adjudications have been made public. That’s what happens after an applicant who was denied a security clearance launched an appeal.
  • Armed with such intimate details of a person’s worst moments, foreign spies would have unprecedented advantage against their U.S. adversaries. And the news is especially bad for people who hold the highest levels of clearance, which require more rigorous background checks, noted Adams, the computer security expert. “The higher up you go in your sensitivity levels, the more data that’s in your adjudication file,” he said.
Gary Edwards

Obama gives himself control of all communication systems in America - RT - 0 views

rt.com/...ident-order-communications-770

Obammunism executive-orders

shared by Gary Edwards on 10 Jul 12 - No Cached
  • Gary Edwards on 10 Jul 12
     
    Awful stuff.  Another Obama executive order suspending the Constitution and terminating the Bill of Rights. Revoking the right of habeas corpus is unconstitutional. So is declaring a national emergency without congressional approval. The Constitution declares, "The Privilege of the Writ of Habeas Corpus shall not be suspended, unless when in cases of rebellion or invasion the public safety may require it." While Congress has passed many an unConstitutional Law regarding "National Emergency Powers", there is nothing in the Constitution granting any branch of the Federal government to tear up the Constitution and Bill of Rights.  Atrocities like FiSA, The Military Commissions Act, NSP51, HSPD20, the John Warner Defense Authorization Act, the National Emergencies Act, and the Patriot Act are un Constitutional to the core.   Only the American people, through their representatives in Congress, can declare a national emergency.  With the exception of the habeas corpus clause, the Constitution makes no allowance for the suspension of any of its provisions during a national emergency.  Many statist seeking to breach the Constitution and Bill of Rights argue that the granting of emergency powers by Congress is implicit in its Article I, section 8 authority to "provide for the common Defense and general Welfare," the commerce clause, its war, armed forces, and militia powers, and the "necessary and proper" clause empowering it to make such laws as are required to fulfill the executions of "the foregoing Powers, and all other Powers vested by this Constitution in the Government of the United States, or in any Department or Officer thereof." But this issue of "implied" powers defies an actual reading of the Constitution, and seeks to breach the meaning of that most basic of all Madisonian  Constitutional concepts embedded into the framework of limited government: "enumerated powers".  The United States is a government of enumerated powers.  N
Paul Merrell

European Lawmakers Demand Answers on Phone Key Theft - The Intercept - 0 views

firstlook.org/...gemalto-heist-shocks-europe

surveillance state Gemalto SIM-card-keys

shared by Paul Merrell on 24 Feb 15 - No Cached
  • European officials are demanding answers and investigations into a joint U.S. and U.K. hack of the world’s largest manufacturer of mobile SIM cards, following a report published by The Intercept Thursday. The report, based on leaked documents provided by NSA whistleblower Edward Snowden, revealed the U.S. spy agency and its British counterpart Government Communications Headquarters, GCHQ, hacked the Franco-Dutch digital security giant Gemalto in a sophisticated heist of encrypted cell-phone keys. The European Parliament’s chief negotiator on the European Union’s data protection law, Jan Philipp Albrecht, said the hack was “obviously based on some illegal activities.” “Member states like the U.K. are frankly not respecting the [law of the] Netherlands and partner states,” Albrecht told the Wall Street Journal. Sophie in ’t Veld, an EU parliamentarian with D66, the Netherlands’ largest opposition party, added, “Year after year we have heard about cowboy practices of secret services, but governments did nothing and kept quiet […] In fact, those very same governments push for ever-more surveillance capabilities, while it remains unclear how effective these practices are.”
  • “If the average IT whizzkid breaks into a company system, he’ll end up behind bars,” In ’t Veld added in a tweet Friday. The EU itself is barred from undertaking such investigations, leaving individual countries responsible for looking into cases that impact their national security matters. “We even get letters from the U.K. government saying we shouldn’t deal with these issues because it’s their own issue of national security,” Albrecht said. Still, lawmakers in the Netherlands are seeking investigations. Gerard Schouw, a Dutch member of parliament, also with the D66 party, has called on Ronald Plasterk, the Dutch minister of the interior, to answer questions before parliament. On Tuesday, the Dutch parliament will debate Schouw’s request. Additionally, European legal experts tell The Intercept, public prosecutors in EU member states that are both party to the Cybercrime Convention, which prohibits computer hacking, and home to Gemalto subsidiaries could pursue investigations into the breach of the company’s systems.
  • According to secret documents from 2010 and 2011, a joint NSA-GCHQ unit penetrated Gemalto’s internal networks and infiltrated the private communications of its employees in order to steal encryption keys, embedded on tiny SIM cards, which are used to protect the privacy of cellphone communications across the world. Gemalto produces some 2 billion SIM cards a year. The company’s clients include AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers. “[We] believe we have their entire network,” GCHQ boasted in a leaked slide, referring to the Gemalto heist.
  • ...4 more annotations...
  • While Gemalto was indeed another casualty in Western governments’ sweeping effort to gather as much global intelligence advantage as possible, the leaked documents make clear that the company was specifically targeted. According to the materials published Thursday, GCHQ used a specific codename — DAPINO GAMMA — to refer to the operations against Gemalto. The spies also actively penetrated the email and social media accounts of Gemalto employees across the world in an effort to steal the company’s encryption keys. Evidence of the Gemalto breach rattled the digital security community. “Almost everyone in the world carries cell phones and this is an unprecedented mass attack on the privacy of citizens worldwide,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology, a non-profit that advocates for digital privacy and free online expression. “While there is certainly value in targeted surveillance of cell phone communications, this coordinated subversion of the trusted technical security infrastructure of cell phones means the US and British governments now have easy access to our mobile communications.”
  • For Gemalto, evidence that their vaunted security systems and the privacy of customers had been compromised by the world’s top spy agencies made an immediate financial impact. The company’s shares took a dive on the Paris bourse Friday, falling $500 million. In the U.S., Gemalto’s shares fell as much 10 percent Friday morning. They had recovered somewhat — down 4 percent — by the close of trading on the Euronext stock exchange. Analysts at Dutch financial services company Rabobank speculated in a research note that Gemalto could be forced to recall “a large number” of SIM cards. The French daily L’Express noted today that Gemalto board member Alex Mandl was a founding trustee of the CIA-funded venture capital firm In-Q-Tel. Mandl resigned from In-Q-Tel’s board in 2002, when he was appointed CEO of Gemplus, which later merged with another company to become Gemalto. But the CIA connection still dogged Mandl, with the French press regularly insinuating that American spies could infiltrate the company. In 2003, a group of French lawmakers tried unsuccessfully to create a commission to investigate Gemplus’s ties to the CIA and its implications for the security of SIM cards. Mandl, an Austrian-American businessman who was once a top executive at AT&T, has denied that he had any relationship with the CIA beyond In-Q-Tel. In 2002, he said he did not even have a security clearance.
  • AT&T, T-Mobile and Verizon could not be reached for comment Friday. Sprint declined to comment. Vodafone, the world’s second largest telecom provider by subscribers and a customer of Gemalto, said in a statement, “[W]e have no further details of these allegations which are industrywide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations.” Deutsche Telekom AG, a German company, said it has changed encryption algorithms in its Gemalto SIM cards. “We currently have no knowledge that this additional protection mechanism has been compromised,” the company said in a statement. “However, we cannot rule out this completely.”
  • Update: Asked about the SIM card heist, White House press secretary Josh Earnest said he did not expect the news would hurt relations with the tech industry: “It’s hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so. So, I do think in fact that there are opportunities for the private sector and the federal government to coordinate and to cooperate on these efforts, both to keep the country safe, but also to protect our civil liberties.”
  • Paul Merrell on 24 Feb 15
     
    Watch for massive class action product defect litigation to be filed against the phone companies.and mobile device manufacturers.  In most U.S. jurisdictions, proof that the vendors/manufacturers  knew of the product defect is not required, only proof of the defect. Also, this is a golden opportunity for anyone who wants to get out of a pricey cellphone contract, since providing a compromised cellphone is a material breach of warranty, whether explicit or implied..   
Paul Merrell

Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise - The Intercept - 0 views

firstlook.org/...-nsa-gchq-rely-intel-expertise

surveillance state NSA-targets hackers

shared by Paul Merrell on 05 Feb 15 - No Cached
  • The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents. In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . .  get access to the emails themselves,” reads one top secret 2010 National Security Agency document. These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents—which come from the U.K. Government Communications Headquarters agency and NSA—shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.
  • By looking out for hacking conducted “both by state-sponsored and freelance hackers” and riding on the coattails of hackers, Western intelligence agencies have gathered what they regard as valuable content: Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect. The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists: INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting: A = Indian Diplomatic & Indian Navy B = Central Asian diplomatic C = Chinese Human Rights Defenders D = Tibetan Pro-Democracy Personalities E = Uighur Activists F = European Special Rep to Afghanistan and Indian photo-journalism G = Tibetan Government in Exile
  • In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.” In instances where hacking may compromise data from the U.S. and U.K. governments, or their allies, notification was given to the “relevant parties.” In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” according to one document. GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. The Twitter accounts designated for collection in the 2012 document:
  • ...3 more annotations...
  • Documents published with this article: LOVELY HORSE – GCHQ Wiki Overview INTOLERANT – Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers – SIDtoday  HAPPY TRIGGER/LOVELY HORSE/Zool/TWO FACE – Open Source for Cyber Defence/Progress NATO Civilian Intelligence Council – Cyber Panel – US Talking Points
  • These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses. The U.S. Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker. Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq.” GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).
  • The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents. In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . .  get access to the emails themselves,” reads one top secret 2010 National Security Agency document. These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents—which come from the U.K. Government Communications Headquarters agency and NSA—shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.
Paul Merrell

CSIS asked foreign agencies to spy on Canadians, kept court in dark, judge says - 0 views

www.ottawacitizen.com/...story.html

surveillance state Canada CSIS courts blowback

shared by Paul Merrell on 27 Dec 13 - No Cached
  • OTTAWA — Canada’s foremost jurist on national security law has slammed CSIS for deliberately keeping the Federal Court of Canada “in the dark” about outsourcing its spying on Canadians abroad to foreign agencies, according to a redacted version of a classified court decision made public Friday.In a thundering rebuke, Federal Court Judge Richard Mosley said the Canadian Security Intelligence Service (CSIS) purposely misled him when he granted it numerous warrants beginning in 2009 to intercept the electronic communications of unidentified Canadians abroad suspected as domestic security threats.“This was a breach of the duty of candour owed by the service and their legal advisers to the court,” Mosley said in his Further Reasons for Order.CSIS also mistakenly assigned powers to the warrants that the court never authorized and which do not exist in law, he said.“It is clear that the exercise of the court’s warrant issuing authority has been used as protective cover for activities that it has not authorized,” Mosley wrote.Furthermore, tasking foreign security intelligence services to spy on Canadians overseas “carries the risk of the detention of or other harm to a Canadian person based on that information.“Given the unfortunate history of information sharing with foreign agencies over the past decade and the reviews conducted by several royal commissions, there can be no question that the Canadian agencies are aware of those hazards. It appears to me that they are using the warrants as authorization to assume those risks.”
  • Legal observers say this case and Mosley’s scolding will harm CSIS’s credibility and raise questions about whether the service has broken Criminal Code provisions dealing with the invasion of privacy.“When a judge says the government breached its duty of candour that is a very big ‘ouch’ moment,” Craig Forcese, a national security law scholar at the University of Ottawa, wrote in a recent blog posting.At the time the first warrants were issued, CSIS told the court “on clearly stated grounds” that the electronic intercepts would be carried out from within Canada by the Communications Security Establishment Canada (CSEC), the country’s foreign signals intelligence spy service.CSIS is largely restricted to domestic spying operations. If an investigation involves the use of intrusive techniques, such as electronic intercepts, Section 21 of the CSIS Act requires it to obtain a warrant approved by a Federal Court judge to guard the Charter right to a reasonable expectation of privacy.CSEC, meanwhile, is not allowed to spy on Canadians anywhere unless it is to provide technical and operational assistance to federal law enforcement and security agencies such as CSIS.And the federal court only has jurisdiction to authorize warrants under the CSIS Act as long as the communications in question are intercepted within Canada.
  • Yet once the so-called 30-08 warrants were approved by the court, CSEC, on behalf of CSIS, turned around and handed the jobs to one or more of its partners in the “Five Eyes” intelligence-gathering alliance between Canada, the United States, Great Britain, Australia and New Zealand.Mosley found out about the situation late this summer and summoned CSIS, CSEC and government officials and lawyers to court to explain themselves. The public version of his reasons for order was released Friday.
  • ...2 more annotations...
  • Some excerpts:• “I am satisfied that a decision was made by CSIS officials in consultation with their legal advisers to strategically omit information in applications for 30-08 warrants about their intention to seek the assistance of the foreign partners. As a result, the court was led to believe that all of the interception activity would take place in or under the control of Canada.”• “The principle of comity between nations that implies the acceptance of foreign laws and procedures when Canadian officials are operating abroad ends where clear violations of international law and human rights begin. In tasking the other members of the Five Eyes to intercept the communications of the Canadian targets, CSIS and CSEC officials knew ... this would involve the breach of international law by the requested second parties.”• “There is nothing in any of the material that I have read ... that persuades me that it was the intent of Parliament to give the service authority to engage the collection resources of the second party allies to intercept the private communications of Canadians.”• “It must be made clear, in any grant of a 30-08 warrant, that the warrant does not authorize the interception of the communications of a Canadian person by any foreign service on behalf of the service either directly or through the assistance of CSEC.”• “There must be no further suggestion in any reference to the use of second party assets by CSIS and CSEC, or their legal advisers, that it is being done under the authority of a (section) 21 warrant issued by this court.”
  • Forcese, meanwhile, raises some intriguing questions:• If Five Eyes assistance was not authorized, and CSEC and CSIS nevertheless sought it, are they still protected from Criminal Code, Part VI (invasion of privacy) culpability? Culpability, he writes, is only avoided where the intercept is lawfully authorized. If the parameters of the warrant were disregarded, does that vitiate the lawful access?• If CSEC and CSIS called on Five Eyes agencies to intercept communications, was the intercept still territorial, thus satisfying the international law concerns raised in the two warrant applications?“Outsourcing an international violation does not diminish state responsibility for that international violation. In a different context, that would be like asking bounty hunters to do your kidnapping of fugitives on the territory of a foreign state. Still a violation of international law.”CSIS has a choice, Forcese concludes: “Conduct extraterritorial spying without recourse to the courts, at risk of ultimately being called to account under domestic law, or honour the federal court’s construal of international law — and CSIS’s jurisdiction — and pull in its truly international surveillance operations, potentially blinding the country’s chief security intelligence agency.
  • Paul Merrell on 27 Dec 13
     
    Canadian Security Intelligence Service is in politically explosive deep doo-doo. 
Paul Merrell

Hacker claims to have breached CIA director's personal email - 0 views

bigstory.ap.org/...d-cia-directors-personal-email

surveillance state CIA DHS email-hacks spying-on-spies

shared by Paul Merrell on 20 Oct 15 - No Cached
  • An anonymous hacker claims to have breached CIA Director John Brennan's personal email account and has posted documents online, including a list of email addresses purportedly from Brennan's contact file. The CIA said it referred the matter to the proper authorities, but would not comment further. The hacker spoke to the New York Post, which described him in an article published Sunday as "a stoner high school student," motivated by his opposition to U.S. foreign policy and support for Palestinians. His Twitter account, @phphax, includes links to files that he says are Brennan's contact list, a log of phone calls by then-CIA deputy director Avril Haines, and other documents.
  • The hacker also claimed to have breached a Comcast account belonging to Homeland Security Secretary Jeh Johnson, and released what appeared to be personal information. One document purporting to come from Brennan's AOL email account contains a spreadsheet of people, including senior intelligence officials, along with their Social Security numbers, although the hacker redacted the numbers in the version he posted on Twitter. It's unclear why Brennan would have stored such a document in his private email account. Based on the titles, the document appears to date from 2009 or before. When people visit the White House and other secure facilities, they are required to supply their Social Security numbers. Brennan could have been forwarding a list of invitees to the White House when he was President Barack Obama's counter terrorism adviser, the job he held before he became CIA director in 2013.
  • The hacker told the Post he had obtained a 47-page version of Brennan's application for a security clearance, known as an SF86. That document — millions of which were stolen from the federal personnel office last year by hackers linked to China — contains detailed information about past jobs, foreign contacts, finances and other sensitive personal details. No such document appears to be posted on the hacker's Twitter account, but it's not clear whether the hacker posted it elsewhere.
  • Paul Merrell on 20 Oct 15
     
    Got to love it. I can think of few people more deserving of getting their email accounts cracked.
Paul Merrell

Resurrecting the Dubious State Secrets Privilege | John Dean | Verdict | Legal Analysis... - 0 views

verdict.justia.com/...ubious-state-secrets-privilege

Dark-State state-secrets government secrecy Restis DoJ Holder

shared by Paul Merrell on 19 Sep 14 - No Cached
  • In an unusual move, the U.S. Department of Justice has filed a motion to make a private lawsuit simply disappear. While the U.S. Government is not a party to this defamation lawsuit—Victor Restis et al. v. American Coalition Against Nuclear Iran, Inc.—filed July 19, 2013, in the U.S. District Court for the Southern District of New York, Attorney General Eric Holder is concerned that the discovery being undertaken might jeopardize our national security.
  • The government’s argument for intervening in this lawsuit is technical and thin.
  • The strongest precedent in the government’s brief in the current case is the 1985 case of Fitzgerald v. Penthouse Intern., Ltd. Fitzgerald had sued Penthouse Magazine for an allegedly libelous article, but the U.S. Navy moved to intervene on the ground that the government had a national security interest which would not be adequately protected by the parties, so the government requested the action be dismissed, after invoking the state secrets privilege. The federal district court granted the motions and dismissed the case, which the U.S. Court of Appeals for Fourth Circuit affirmed. So there is precedent for this unusual action by the government in a private lawsuit, but the legitimacy of the state secrets privilege remains subject to question.
  • ...9 more annotations...
  • In February 2000, Judith Loether, a daughter of one of the three civilians killed in the 1948 B-29 explosion, discovered the government’s once-secret accident report for the incident on the Internet. Loether had been seven weeks old when her father died but been told by her mother what was known of her father’s death and the unsuccessful efforts to find out what had truly happened. When Loether read the accident report she was stunned. There were no national security secrets whatsoever, rather there was glaringly clear evidence of the government’s negligence resulting in her father’s death. Loether shared this information with the families of the other civilian engineers who had been killed in the incident and they joined together in a legal action to overturn Reynolds, raising the fact that the executive branch of the government had misled the Supreme Court, not to mention the parties to the earlier lawsuit.
  • Lou Fisher looked closely at the state secrets privilege in his book In The Name of National Security, as well as in follow-up articles when the Reynolds case was litigated after it was discovered, decades after the fact, that the government had literally defrauded the Supreme Court in Reynolds, e.g., “The State Secrets Privilege: Relying on Reynolds.” The Reynolds ruling emerged from litigation initiated by the widows of three civilian engineers who died in a midair explosion of a B-29 bomber on October 6, 1948. The government refused to provide the widows with the government’s accident report. On March 9, 1953, the Supreme Court created the state secrets privilege when agreeing the accident report did not have to be produced since the government claimed it contained national security secrets. In fact, none of the federal judges in the lower courts, nor the justices on the Supreme Court, were allowed to read the report.
  • Lowell states in his letter: “By relying solely upon ex parte submissions to justify its invocation of the state secrets privilege, especially in the unprecedented circumstance of private party litigation without an obvious government interest, the Government has improperly invoked the state secrets privilege, deprived Plaintiffs of the opportunity to test the Government’s claims through the adversarial process, and limited the Court’s opportunity to make an informed judgment. “ Lowell further claims that in “the typical state secrets case, the Government will simultaneously file both a sealed declaration and a detailed public declaration.” (Emphasis in Lowell’s letter.) To bolster this contention, he provided the court with an example, and offered to provide additional examples if so requested.
  • The Justice Department’s memorandum of law accompanying its motion to intervene states that once the state secrets privilege has been asserted “by the head of the department with control over the matter in question . . . the scope of judicial review is quite narrow.” Quoting from the U.S. Supreme Court ruling establishing this privilege in 1953, U.S. v. Reynolds, the brief adds: “the sole determination for the court is whether, ‘from all the circumstances of the case . . . there is a reasonable danger that compulsion of the evidence will expose military [or other] matters which, in the interest of national security, should not be divulged.’”In short, all the Justice Department need claim is the magic phrase—”state secrets”—after assuring the court that the head of department or agency involved has personally decided it is information that cannot be released. That ends the matter. This is what has made this privilege so controversial, not to mention dubious. Indeed, invocation by the executive branch effectively removes the question from judicial determination, and the information underlying the decision is not even provided to the court.
  • As Fisher and other scholars note, there is much more room under the Reynolds ruling for the court to take a hard look at the evidence when the government claims state secrets than has been common practice. Fisher reminds: “The state secrets privilege is qualified, not absolute. Otherwise there is no adversary process in court, no exercise of judicial independence over what evidence is needed, and no fairness accorded to private litigants who challenge the government . . . . There is no justification in law or history for a court to acquiesce to the accuracy of affidavits, statements, and declarations submitted by the executive branch.” Indeed, he noted to do so is contrary to our constitutional system of checks and balances.
  • Time to Reexamine Blind Adherence to the State Secrets PrivilegeIn responding to the government’s move to intervene, invoke state secrets, and dismiss the Restis lawsuit, plaintiffs’ attorney Abbe Lowell sent a letter to Judge Edgardo Ramos, the presiding judge on the case on September 17, 2014, contesting the Department of Justice’s ex parte filings, and requesting that Judge Ramos “order the Government to file a public declaration in support of its filing that will enable Plaintiffs to meaningfully respond.” Lowell also suggested as an alternative that he “presently holds more than sufficient security clearances to be given access to the ex parte submission,” and the court could do here as in other national security cases, and issue a protective order that the information not be shared with anyone. While Lowell does not so state, he is in effect taking on the existing state secrets privilege procedure where only the government knows what is being withheld and why, and he is taking on Reynolds.
  • To make a long story short, the Supreme Court was more interested in the finality of their decisions than the fraud that had been perpetrated upon them. They rejected the direct appeal, and efforts to relegate the case through the lower courts failed. As Fisher notes, the Court ruled in Reynolds based on “vapors and allusions,” rather than facts and evidence, and today it is clear that when it uncritically accepted the government’s word, the Court abdicated its duty to protect the ability of each party to present its case fairly, not to mention it left the matter under the control of a “self-interested executive” branch.
  • Lowell explains it is not clear—and suggests the government is similarly unclear in having earlier suggested a “law enforcement privilege”—as to why the state secrets privilege is being invoked, and argues this case can be tried without exposing government secrets. Citing the Fitzgerald ruling, Lowell points out dismissal is appropriate “[o]nly when no amount of effort and care on the part of the court and the parties will safeguard privileged material is dismissal warranted.”
  • No telling how Judge Ramos will rule, and the government has a remarkable record of prevailing with the deeply flawed state secrets privilege. But Lowell’s letter appears to say, between the lines, that he has a client who is prepared to test this dubious privilege and the government’s use of it in this case if Judge Ramos dismisses this lawsuit. The U.S. Court of Appeals for the Second Circuit, where that ruling would be reviewed, sees itself every bit the intellectual equal of the U.S. Supreme Court and it is uniquely qualified to give this dubious privilege and the Reynolds holding a reexamination. It is long past time this be done.
  • Paul Merrell on 19 Sep 14
     
    Interesting take on the Restis case by former Nixon White House Counsel John Dean. Where the State Secrets Privilege is at its very nastiest, in my opinion, is in criminal prosecutions where the government withholds potentially exculpatory evidence on grounds of state secrecy. I think the courts have been far too lenient in allowing people to be tried without production of such evidence. The work-around in the Guantanamo Bay inmate cases has been to appoint counsel who have security clearances, but in those cases the lawyer is forbidden from discussing the classified information with the client, who could have valuable input if advised what the evidence is. It's also incredibly unfair in the extraordinary rendition cases, where the courts have let the government get away with having the cases dismissed on state secrecy grounds, even though the tortures have been the victim of criminal official misconduct.  It forces the victims to appeal clear to the Supreme Court before they can start over in an international court with jurisdiction over human rights violations, where the government loses because of its refusal to produce the evidence.  (Under the relevant treaties that the U.S. is a party to, the U.S. is required to provide a judicial remedy without resort to claims of national security secrecy.) Then the U.S. refuses to pay the judgments of the International courts, placing the U.S. in double breach of its treaty obligations. We see the same kinds of outrageous secrecy playing out in the Senate Intellience Committee's report on CIA torture, where the Obama Administration is using state secrecy claims to delay release of the report summary and minimize what is in it. It's highly unlikely that I will live long enough to read the full report. And that just is not democracy in action. Down with the Dark State!   
Paul Merrell

What GOP Senators Don't Understand About Iran | Al Jazeera America - 0 views

america.aljazeera.com/...not-understand-about-iran.html

war & peace U.S.-foreign-policy Iranian-nukes-myth Security Council Obama negotiations

shared by Paul Merrell on 13 Mar 15 - No Cached
  • There’s a charming naiveté to the open letter [PDF] by 47 Republican senators that condescendingly seeks to explain features of the U.S. constitutional system to Iran’s leaders that they otherwise “may not fully understand.” The missive warns that, with respect to “your nuclear negotiations with our government ... any agreement regarding your nuclear-weapons program that is not approved by the Congress” could be revoked by the next president “with the stroke of a pen and future Congresses could modify the terms of the agreement at any time.”
  • Beyond the amusing inaccuracies about U.S. parliamentary order, it seems there are some features of the nuclear negotiations that the signatory senators don’t fully understand — not only on the terms of the deal, but also on who would be party to an agreement. There are no negotiations on Iran’s “nuclear-weapons program” because the world’s intelligence agencies (including those of the U.S. and Israel) do not believe Iran is currently building nuclear weapons, nor has it made a strategic decision to use its civilian nuclear infrastructure to produce a bomb. An active Iranian nuclear-weapons program would render moot the current negotiations, because Iran would be in fundamental violation of the Nuclear Non-Proliferation Treaty (NPT). As things stand, Tehran remains within the terms of the NPT, which allows nuclear technology for peaceful purposes, but monitors member states to prevent weaponization. Tehran and the IAEA remain in dispute over full compliance with all transparency requirements of the NPT, particularly over alleged previous research into weapons design. But Iran’s nuclear facilities remain under constant monitoring by international inspectors who certify that no nuclear material is being diverted.
  • The current negotiations are focused on strengthening verifiable safeguards against weaponization over-and-above those required by the NPT, yet the Republican-led Congress, egged on by Israeli Prime Minister Benjamin Netanyahu, is warning that those goals are insufficient, and the terms and time-frame of the deal are unacceptable. The key element missing from the GOP Senators’ letter, however, is that the deal is not being negotiated between Iran and the United States; it is being negotiated between Iran and the P5+1 group, in which the U.S. is joined by Britain, France, Germany, Russia and China. Even if the U.S. is the key player in that group, the deal being pursued reflects an international consensus — the same consensus that has made sanctions against Iran so effective. This was likely in the mind of Iran’s foreign minister, Javad Zarif, who dismissed the letter as “of no legal value” and a “propaganda ploy.” Zarif noted that the deal would indeed be an international agreement adopted by the U.N. Security Council, which a new administration would be obliged to uphold — and that any attempt by the White House or Congress to abrogate, unilaterally modify or impede such an agreement would be a breach of U.S. obligations. 
  • Paul Merrell on 13 Mar 15
     
    "Zarif noted that the deal would indeed be an international agreement adopted by the U.N. Security Council, which a new administration would be obliged to uphold - and that any attempt by the White House or Congress to abrogate, unilaterally modify or impede such an agreement would be a breach of U.S. obligations." Apparently, I was wrong. I thought Obama would work around the demand for Congressional input by letting the other P5+1 members ink the deal but the U.S. not signing. But a U.N. Security Council Resolution is even stronger medicine for the War Party, since the SC has the power to forbid economic sanctions as well. Take that, Mr. Netanyahu and Mr. Boehner!
  • Paul Merrell on 13 Mar 15
     
    Could anything make it more clear that Netanyahu's speech to Congress was only to aid in his reelection in Israel? Israel has been briefed on the negotiations all along, so Netanyahu surely knew that the goal was a Security Council resolution that Congress could not affect. And while admittedly, the fact that it was a Security Council Resolution in the making was not widely known, are we to believe that the Speaker of the House of Representatives did not know that too? So are now not down to the entire spectacle of Netanyahu's speech being political, Netanyahu electioneering and Boehner mud-slinging the President?
Paul Merrell

Security Experts Oppose Government Access to Encrypted Communication - The New York Times - 0 views

www.nytimes.com/...o-encrypted-communication.html

encryption government-backdoors expert-report

shared by Paul Merrell on 08 Jul 15 - No Cached
  • An elite group of security technologists has concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.A new paper from the group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, is a formidable salvo in a skirmish between intelligence and law enforcement leaders, and technologists and privacy advocates. After Edward J. Snowden’s revelations — with security breaches and awareness of nation-state surveillance at a record high and data moving online at breakneck speeds — encryption has emerged as a major issue in the debate over privacy rights.
  • That has put Silicon Valley at the center of a tug of war. Technology companies including Apple, Microsoft and Google have been moving to encrypt more of their corporate and customer data after learning that the National Security Agency and its counterparts were siphoning off digital communications and hacking into corporate data centers.
  • Yet law enforcement and intelligence agency leaders argue that such efforts thwart their ability to monitor kidnappers, terrorists and other adversaries. In Britain, Prime Minister David Cameron threatened to ban encrypted messages altogether. In the United States, Michael S. Rogers, the director of the N.S.A., proposed that technology companies be required to create a digital key to unlock encrypted data, but to divide the key into pieces and secure it so that no one person or government agency could use it alone.The encryption debate has left both sides bitterly divided and in fighting mode. The group of cryptographers deliberately issued its report a day before James B. Comey Jr., the director of the Federal Bureau of Investigation, and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to testify before the Senate Judiciary Committee on the concerns that they and other government agencies have that encryption technologies will prevent them from effectively doing their jobs.
  • ...2 more annotations...
  • The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the “R” in the widely used RSA public cryptography algorithm. In the report, the group said any effort to give the government “exceptional access” to encrypted communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power grid at risk. Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities could not be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, China and other governments in foreign markets would be spurred to do the same.
  • “Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” the report said. “The costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”
  • Paul Merrell on 08 Jul 15
     
    Our system of government does not expect that every criminal will be apprehended and convicted. There are numerous values our society believes are more important. Some examples: [i] a presumption of innocence unless guilt is established beyond any reasonable doubt; [ii] the requirement that government officials convince a neutral magistrate that they have probable cause to believe that a search or seizure will produce evidence of a crime; [iii] many communications cannot be compelled to be disclosed and used in evidence, such as attorney-client communications, spousal communications, and priest-penitent communications; and [iv] etc. Moral of my story: the government needs a much stronger reason to justify interception of communications than saying, "some crooks will escape prosecution if we can't do that." We have a right to whisper to each other, concealing our communicatons from all others. Why does the right to whisper privately disappear if our whisperings are done electronically? The Supreme Court took its first step on a very slippery slope when it permitted wiretapping in Olmstead v. United States, 277 U.S. 438, 48 S. Ct. 564, 72 L. Ed. 944 (1928). https://goo.gl/LaZGHt It's been a long slide ever since. It's past time to revisit Olmstead and recognize that American citizens have the absolute right to communicate privately. "The President … recognizes that U.S. citizens and institutions should have a reasonable expectation of privacy from foreign or domestic intercept when using the public telephone system." - Brent Scowcroft, U.S. National Security Advisor, National Security Decision Memorandum 338 (1 September 1976) (Nixon administration), http://www.fas.org/irp/offdocs/nsdm-ford/nsdm-338.pdf   
Gary Edwards

Arnold Ahlert: Russia Would Love a Third Obama Term - The Patriot Post - 0 views

patriotpost.us/43984

Hillary

shared by Gary Edwards on 09 Aug 16 - No Cached
  • New York Post columnist John Crudele obliterates the despicable word-parsing. “Clinton was so careless when using her BlackBerry that the Russians stole her password,” he writes. “All Russian President Vladimir Putin’s gang had to do was log into Clinton’s account and read whatever they wanted.” When it comes to the DNC hack, “The Russians did it” is the theme-du-jour. Clinton campaign manager, Robby Mook stated Sunday that “experts are telling us that Russian state actors broke into the DNC, stole these emails, [and are] releasing these emails for the purpose of helping Donald Trump.” The campaign itself echoed that assertion. “This is further evidence the Russian government is trying to influence the outcome of the election.”
  • The reliably leftist Politico — so far left that reporter Ken Vogel remains employed there despite sending a story to the DNC before he sent it to his own editor — is quite comfortable advancing that agenda, using it as a vehicle to buff up Clinton’s tenure as secretary of state. “Former U.S. officials who worked on Russia policy with Clinton say that Putin was personally stung by Clinton’s December 2011 condemnation of Russia’s parliamentary elections, and had his anger communicated directly to President Barack Obama,” Politico reports. “They say Putin and his advisers are also keenly aware that, even as she executed Obama’s ‘reset’ policy with Russia, Clinton took a harder line toward Moscow than others in the administration. And they say Putin sees Clinton as a forceful proponent of ‘regime change’ policies that the Russian leader considers a grave threat to his own survival.” Yet even Politico is forced to admit the payback angle is “speculation,” and that some experts remain “unconvinced that Putin’s government engineered the DNC email hack or that it was meant to influence the election in Trump’s favor as opposed to embarrassing DNC officials for any number of reasons.”
  • Americans would also be wise to remain highly skeptical of this claim for any number of reasons. WikiLeaks founder Julian Assange asserts there is “there is no proof whatsoever” Russia is behind the hack and that “this is a diversion that’s being pushed by the Hillary Clinton campaign.” To be fair, Assange is a Russian sympathizer, and leftists aren’t the only ones attributing the hack to the Russians. The same FBI that gave Clinton a pass will be investigating the DNC hack, and at some point the bureau will reach a conclusion. In the meantime, it might be worth considering that this smacks of a carefully orchestrated disinformation campaign similar to the one Clinton and several other Obama administration officials engineered with regard to Benghazi. While Clinton was never held personally or legally accountable for the deaths of four Americans, it is beyond dispute that she lied unabashedly about a video causing the attack, while sending her daughter a damning email at 11:12 p.m. on Sept. 11, 2012, admitting the administration knew “the attack had nothing to do with the film. It was a planned attack, not a protest.” The theme of this coordinated narrative? Clinton campaign chair John Podesta referred Monday night to “a kind of bromance going on” between Putin and Trump. Clinton campaign manager Robby Mook echoed that assertion, insisting the email dump comes on the heels of “changes to the Republican platform to make it more pro-Russian.”
  • ...3 more annotations...
  • The Leftmedia were equally obliging. “The theory that Moscow orchestrated the leaks to help Trump … is fast gaining currency within the Obama administration because of the timing of the leaks and Trump’s own connections to the Russian government,” reports the Daily Beast. Other Leftmedia examples abound. “Until Friday, that charge, with its eerie suggestion of a Kremlin conspiracy to aid Donald J. Trump, has been only whispered,” shouted the New York Times. “Because the leaks are widely suspected of being the result of a Russian hacking operation, they can be used to reinforce the narrative that Russian President Vladimir Putin is rooting for Trump and that Trump, in turn, would be too accommodating to Moscow,” adds the Los Angeles Times. “Why would Russian President Vladimir Putin want to help Donald Trump win the White House?” asks NPR. “If you want to indulge in a bit of conspiracy theory, remember that Russian President Vladimir Putin has praised candidate Trump as recently as June,” states the Burlington Free Press.
  • Ultimately, here’s the question: If the Russians could access the DNC server, they could certainly access Clinton’s unsecure server. And if they could access Clinton’s server, including the 33,000 emails she deleted (maybe some were about how the Clintons profited from selling American uranium to Russia), ask yourself who they’d rather have in the Oval Office: Donald Trump, who professed admiration for Putin but remains a highly unpredictable individual — or Hillary Clinton, who could be subjected to blackmail for as long as eight years? Russia’s clear objective would be to have the weakest American leadership they can get. Blackmail aside, what would be weaker than an extension of Obama’s presidency?
  • Moreover, it is just as likely a number of the so-called “experts” as well as Clinton’s useful idiot media apparatchiks have considered the blackmail possibility and are trying to divert attention from it with a phony Trump connection story. Democrats can theorize, complain and blame to their hearts' content, but none of it obscures the reality that the DNC — and by extension Hillary Clinton and the entire Democrat Party — are a conglomeration of morally bereft, utterly incompetent individuals wholly ill-equipped to handle internal security, much less national security. And they are aided and abetted by an equally corrupt media, more than willing to abide that potentially catastrophic reality as long as it gets a Democrat in the Oval Office. WikiLeaks has promised additional dumps with be forthcoming. How much deeper Democrats sink is anyone’s guess.
  • Gary Edwards on 09 Aug 16
     
    "If one lives by the vulnerable server, one dies by the vulnerable server. As the week unfolds, America is witnessing the ultimate unmasking of the Democrat Party, an entity whose self-aggrandizing claims of unity, fairness and intellectual honesty have been revealed as utterly fraudulent by a flood of DNC emails released by WikiLeaks. Moreover, a stunning level of hypocrisy attends the entire exposure, as DNC Chairwoman Debbie Wasserman Schultz is sent packing for this breach of confidential party information, while Hillary Clinton, whose equally accessible private server contained far more critical top-secret information, officially became the party's standard-bearer. But not to worry, assured FBI Director James Comey, who insisted there was no direct evidence that Clinton's server had been hacked by hostile actors - before adding it was possible that hostile actors "gained access" to Clinton's accounts. Clinton was equally adept at making semantical distinctions. "If you go by the evidence, there is no evidence that the system was breached or hacked successfully," Clinton said. "And I think that what's important here is follow the evidence. And there is no evidence. And that can't be said about a lot of other systems, including government systems.""
Paul Merrell

Obama to propose legislation to protect firms that share cyberthreat data - The Washing... - 0 views

www.washingtonpost.com/...4-bcfb-059ec7a93ddc_story.html

surveillance state U.S. digital-privacy legislation

shared by Paul Merrell on 19 Jan 15 - No Cached
  • President Obama plans to announce legislation Tuesday that would shield companies from lawsuits for sharing computer threat data with the government in an effort to prevent cyber­attacks. On the heels of a destructive attack at Sony Pictures Entertainment and major breaches at JPMorgan Chase and retail chains, Obama is intent on capitalizing on the heightened sense of urgency to improve the security of the nation’s networks, officials said. “He’s been doing everything he can within his executive authority to move the ball on this,” said a senior administration official who spoke on the condition of anonymity to discuss legislation that has not yet been released. “We’ve got to get something in place that allows both industry and government to work more closely together.”
  • The legislation is part of a broader package, to be sent to Capitol Hill on Tuesday, that includes measures to help protect consumers and students against ­cyberattacks and to give law enforcement greater authority to combat cybercrime. The provision’s goal is to “enshrine in law liability protection for the private sector for them to share specific information — cyberthreat indicators — with the government,” the official said. Some analysts questioned the need for such legislation, saying there are adequate measures in place to enable sharing between companies and the government and among companies.
  • “We think the current information-sharing regime is adequate,” said Mark Jaycox, legislative analyst at the Electronic Frontier Foundation, a privacy group. “More companies need to use it, but the idea of broad legal immunity isn’t needed right now.” The administration official disagreed. The lack of such immunity is what prevents many companies from greater sharing of data with the government, the official said. “We have heard that time and time again,” the official said. The proposal, which builds on a 2011 administration bill, grants liability protection to companies that provide indicators of cyberattacks and threats to the Department of Homeland Security.
  • ...5 more annotations...
  • But in a provision likely to raise concerns from privacy advocates, the administration wants to require DHS to share that information “in as near real time as possible” with other government agencies that have a cybersecurity mission, the official said. Those include the National Security Agency, the Pentagon’s ­Cyber Command, the FBI and the Secret Service. “DHS needs to take an active lead role in ensuring that unnecessary personal information is not shared with intelligence authorities,” Jaycox said. The debates over government surveillance prompted by disclosures from former NSA contractor Edward Snowden have shown that “the agencies already have a tremendous amount of unnecessary information,” he said.
  • The administration official stressed that the legislation will require companies to remove unnecessary personal information before furnishing it to the government in order to qualify for liability protection. It also will impose limits on the use of the data for cybersecurity crimes and instances in which there is a threat of death or bodily harm, such as kidnapping, the official said. And it will require DHS and the attorney general to develop guidelines for the federal government’s use and retention of the data. It will not authorize a company to take offensive cyber-measures to defend itself, such as “hacking back” into a server or computer outside its own network to track a breach. The bill also will provide liability protection to companies that share data with private-sector-developed organizations set up specifically for that purpose. Called information sharing and analysis organizations, these groups often are set up by particular industries, such as banking, to facilitate the exchange of data and best practices.
  • Efforts to pass information-sharing legislation have stalled in the past five years, blocked primarily by privacy concerns. The package also contains provisions that would allow prosecution for the sale of botnets or access to armies of compromised computers that can be used to spread malware, would criminalize the overseas sale of stolen U.S. credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk people or commit identity theft, and would give courts the authority to shut down botnets being used for criminal activity, such as denial-of-service attacks.
  • It would reaffirm that federal racketeering law applies to cybercrimes and amends the Computer Fraud and Abuse Act by ensuring that “insignificant conduct” does not fall within the scope of the statute. A third element of the package is legislation Obama proposed Monday to help protect consumers and students against cyberattacks. The theft of personal financial information “is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said. The plan, unveiled in a speech at the Federal Trade Commission, would require companies to notify customers within 30 days after the theft of personal information is discovered. Right now, data breaches are handled under a patchwork of state laws that the president said are confusing and costly to enforce. Obama’s plan would streamline those into one clear federal standard and bolster requirements for companies to notify customers. Obama is proposing closing loopholes to make it easier to track down cybercriminals overseas who steal and sell identities. “The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy,” he said.
  • In October, Obama signed an order to protect consumers from identity theft by strengthening security features in credit cards and the terminals that process them. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said there is concern that a federal standard would “preempt stronger state laws” about how and when companies have to notify consumers. The Student Digital Privacy Act would ensure that data entered would be used only for educational purposes. It would prohibit companies from selling student data to third-party companies for purposes other than education. Obama also plans to introduce a Consumer Privacy Bill of Rights. And the White House will host a summit on cybersecurity and consumer protection on Feb. 13 at Stanford University.
Paul Merrell

Cy Vance's Proposal to Backdoor Encrypted Devices Is Riddled With Vulnerabilities | Jus... - 0 views

www.justsecurity.org/...evices-riddled-vulnerabilities

surveillance state encryption-backdoors Vance tyranny right-to-whisper

shared by Paul Merrell on 11 Dec 15 - No Cached
  • Less than a week after the attacks in Paris — while the public and policymakers were still reeling, and the investigation had barely gotten off the ground — Cy Vance, Manhattan’s District Attorney, released a policy paper calling for legislation requiring companies to provide the government with backdoor access to their smartphones and other mobile devices. This is the first concrete proposal of this type since September 2014, when FBI Director James Comey reignited the “Crypto Wars” in response to Apple’s and Google’s decisions to use default encryption on their smartphones. Though Comey seized on Apple’s and Google’s decisions to encrypt their devices by default, his concerns are primarily related to end-to-end encryption, which protects communications that are in transit. Vance’s proposal, on the other hand, is only concerned with device encryption, which protects data stored on phones. It is still unclear whether encryption played any role in the Paris attacks, though we do know that the attackers were using unencrypted SMS text messages on the night of the attack, and that some of them were even known to intelligence agencies and had previously been under surveillance. But regardless of whether encryption was used at some point during the planning of the attacks, as I lay out below, prohibiting companies from selling encrypted devices would not prevent criminals or terrorists from being able to access unbreakable encryption. Vance’s primary complaint is that Apple’s and Google’s decisions to provide their customers with more secure devices through encryption interferes with criminal investigations. He claims encryption prevents law enforcement from accessing stored data like iMessages, photos and videos, Internet search histories, and third party app data. He makes several arguments to justify his proposal to build backdoors into encrypted smartphones, but none of them hold water.
  • Before addressing the major privacy, security, and implementation concerns that his proposal raises, it is worth noting that while an increase in use of fully encrypted devices could interfere with some law enforcement investigations, it will help prevent far more crimes — especially smartphone theft, and the consequent potential for identity theft. According to Consumer Reports, in 2014 there were more than two million victims of smartphone theft, and nearly two-thirds of all smartphone users either took no steps to secure their phones or their data or failed to implement passcode access for their phones. Default encryption could reduce instances of theft because perpetrators would no longer be able to break into the phone to steal the data.
  • Vance argues that creating a weakness in encryption to allow law enforcement to access data stored on devices does not raise serious concerns for security and privacy, since in order to exploit the vulnerability one would need access to the actual device. He considers this an acceptable risk, claiming it would not be the same as creating a widespread vulnerability in encryption protecting communications in transit (like emails), and that it would be cheap and easy for companies to implement. But Vance seems to be underestimating the risks involved with his plan. It is increasingly important that smartphones and other devices are protected by the strongest encryption possible. Our devices and the apps on them contain astonishing amounts of personal information, so much that an unprecedented level of harm could be caused if a smartphone or device with an exploitable vulnerability is stolen, not least in the forms of identity fraud and credit card theft. We bank on our phones, and have access to credit card payments with services like Apple Pay. Our contact lists are stored on our phones, including phone numbers, emails, social media accounts, and addresses. Passwords are often stored on people’s phones. And phones and apps are often full of personal details about their lives, from food diaries to logs of favorite places to personal photographs. Symantec conducted a study, where the company spread 50 “lost” phones in public to see what people who picked up the phones would do with them. The company found that 95 percent of those people tried to access the phone, and while nearly 90 percent tried to access private information stored on the phone or in other private accounts such as banking services and email, only 50 percent attempted contacting the owner.
  • ...8 more annotations...
  • In addition to his weak reasoning for why it would be feasible to create backdoors to encrypted devices without creating undue security risks or harming privacy, Vance makes several flawed policy-based arguments in favor of his proposal. He argues that criminals benefit from devices that are protected by strong encryption. That may be true, but strong encryption is also a critical tool used by billions of average people around the world every day to protect their transactions, communications, and private information. Lawyers, doctors, and journalists rely on encryption to protect their clients, patients, and sources. Government officials, from the President to the directors of the NSA and FBI, and members of Congress, depend on strong encryption for cybersecurity and data security. There are far more innocent Americans who benefit from strong encryption than there are criminals who exploit it. Encryption is also essential to our economy. Device manufacturers could suffer major economic losses if they are prohibited from competing with foreign manufacturers who offer more secure devices. Encryption also protects major companies from corporate and nation-state espionage. As more daily business activities are done on smartphones and other devices, they may now hold highly proprietary or sensitive information. Those devices could be targeted even more than they are now if all that has to be done to access that information is to steal an employee’s smartphone and exploit a vulnerability the manufacturer was required to create.
  • Privacy is another concern that Vance dismisses too easily. Despite Vance’s arguments otherwise, building backdoors into device encryption undermines privacy. Our government does not impose a similar requirement in any other context. Police can enter homes with warrants, but there is no requirement that people record their conversations and interactions just in case they someday become useful in an investigation. The conversations that we once had through disposable letters and in-person conversations now happen over the Internet and on phones. Just because the medium has changed does not mean our right to privacy has.
  • Vance attempts to downplay this serious risk by asserting that anyone can use the “Find My Phone” or Android Device Manager services that allow owners to delete the data on their phones if stolen. However, this does not stand up to scrutiny. These services are effective only when an owner realizes their phone is missing and can take swift action on another computer or device. This delay ensures some period of vulnerability. Encryption, on the other hand, protects everyone immediately and always. Additionally, Vance argues that it is safer to build backdoors into encrypted devices than it is to do so for encrypted communications in transit. It is true that there is a difference in the threats posed by the two types of encryption backdoors that are being debated. However, some manner of widespread vulnerability will inevitably result from a backdoor to encrypted devices. Indeed, the NSA and GCHQ reportedly hacked into a database to obtain cell phone SIM card encryption keys in order defeat the security protecting users’ communications and activities and to conduct surveillance. Clearly, the reality is that the threat of such a breach, whether from a hacker or a nation state actor, is very real. Even if companies go the extra mile and create a different means of access for every phone, such as a separate access key for each phone, significant vulnerabilities will be created. It would still be possible for a malicious actor to gain access to the database containing those keys, which would enable them to defeat the encryption on any smartphone they took possession of. Additionally, the cost of implementation and maintenance of such a complex system could be high.
  • Vance also suggests that the US would be justified in creating such a requirement since other Western nations are contemplating requiring encryption backdoors as well. Regardless of whether other countries are debating similar proposals, we cannot afford a race to the bottom on cybersecurity. Heads of the intelligence community regularly warn that cybersecurity is the top threat to our national security. Strong encryption is our best defense against cyber threats, and following in the footsteps of other countries by weakening that critical tool would do incalculable harm. Furthermore, even if the US or other countries did implement such a proposal, criminals could gain access to devices with strong encryption through the black market. Thus, only innocent people would be negatively affected, and some of those innocent people might even become criminals simply by trying to protect their privacy by securing their data and devices. Finally, Vance argues that David Kaye, UN Special Rapporteur for Freedom of Expression and Opinion, supported the idea that court-ordered decryption doesn’t violate human rights, provided certain criteria are met, in his report on the topic. However, in the context of Vance’s proposal, this seems to conflate the concepts of court-ordered decryption and of government-mandated encryption backdoors. The Kaye report was unequivocal about the importance of encryption for free speech and human rights. The report concluded that:
  • States should promote strong encryption and anonymity. National laws should recognize that individuals are free to protect the privacy of their digital communications by using encryption technology and tools that allow anonymity online. … States should not restrict encryption and anonymity, which facilitate and often enable the rights to freedom of opinion and expression. Blanket prohibitions fail to be necessary and proportionate. States should avoid all measures that weaken the security that individuals may enjoy online, such as backdoors, weak encryption standards and key escrows. Additionally, the group of intelligence experts that was hand-picked by the President to issue a report and recommendations on surveillance and technology, concluded that: [R]egarding encryption, the U.S. Government should: (1) fully support and not undermine efforts to create encryption standards; (2) not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software; and (3) increase the use of encryption and urge US companies to do so, in order to better protect data in transit, at rest, in the cloud, and in other storage.
  • The clear consensus among human rights experts and several high-ranking intelligence experts, including the former directors of the NSA, Office of the Director of National Intelligence, and DHS, is that mandating encryption backdoors is dangerous. Unaddressed Concerns: Preventing Encrypted Devices from Entering the US and the Slippery Slope In addition to the significant faults in Vance’s arguments in favor of his proposal, he fails to address the question of how such a restriction would be effectively implemented. There is no effective mechanism for preventing code from becoming available for download online, even if it is illegal. One critical issue the Vance proposal fails to address is how the government would prevent, or even identify, encrypted smartphones when individuals bring them into the United States. DHS would have to train customs agents to search the contents of every person’s phone in order to identify whether it is encrypted, and then confiscate the phones that are. Legal and policy considerations aside, this kind of policy is, at the very least, impractical. Preventing strong encryption from entering the US is not like preventing guns or drugs from entering the country — encrypted phones aren’t immediately obvious as is contraband. Millions of people use encrypted devices, and tens of millions more devices are shipped to and sold in the US each year.
  • Finally, there is a real concern that if Vance’s proposal were accepted, it would be the first step down a slippery slope. Right now, his proposal only calls for access to smartphones and devices running mobile operating systems. While this policy in and of itself would cover a number of commonplace devices, it may eventually be expanded to cover laptop and desktop computers, as well as communications in transit. The expansion of this kind of policy is even more worrisome when taking into account the speed at which technology evolves and becomes widely adopted. Ten years ago, the iPhone did not even exist. Who is to say what technology will be commonplace in 10 or 20 years that is not even around today. There is a very real question about how far law enforcement will go to gain access to information. Things that once seemed like merely science fiction, such as wearable technology and artificial intelligence that could be implanted in and work with the human nervous system, are now available. If and when there comes a time when our “smart phone” is not really a device at all, but is rather an implant, surely we would not grant law enforcement access to our minds.
  • Policymakers should dismiss Vance’s proposal to prohibit the use of strong encryption to protect our smartphones and devices in order to ensure law enforcement access. Undermining encryption, regardless of whether it is protecting data in transit or at rest, would take us down a dangerous and harmful path. Instead, law enforcement and the intelligence community should be working to alter their skills and tactics in a fast-evolving technological world so that they are not so dependent on information that will increasingly be protected by encryption.
Paul Merrell

Verizon's New, Encrypted Calling App Plays Nice With the NSA - Businessweek - 0 views

www.businessweek.com/...pp-comes-prehacked-for-the-nsa

surveillance state Verizon backdoors pseudo-encryption

shared by Paul Merrell on 13 Dec 14 - No Cached
  • Verizon is the latest big company to enter the post-Snowden market for secure communication, and it's doing so with an encryption standard that comes with a way for law enforcement to access ostensibly secure phone conversations.Verizon Voice Cypher, the product introduced on Thursday with the encryption company Cellcrypt, offers business and government customers end-to-end encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app. The encryption software provides secure communications for people speaking on devices with the app, regardless of their wireless carrier, and it can also connect to an organization's secure phone system. Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they're able to prove that there's a legitimate law enforcement reason for doing so. Seth Polansky, Cellcrypt's vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. "It's only creating a weakness for government agencies," he says. "Just because a government access option exists, it doesn't mean other companies can access it." 
  • Phone carriers like Verizon are required by U.S. law to build networks that can be wiretapped. But the legislation known as the Communications Assistance for Law Enforcement Act requires phone carriers to decrypt communications for the government only if they have designed their technology to make it possible to do so. If Verizon and Cellcrypt had structured their encryption so that neither company had the information necessary to decrypt the calls, they would not have been breaking the law.
  • There has been increased interest in encryption from individual consumers, too, largely thanks to the NSA revelations leaked by Edward Snowden. Yahoo and Google began offering end-to-end encrypted e-mail services this year. Silent Circle, a startup catering to consumer and enterprise clients, has been developing end-to-end voice encryption for phones calls. Verizon's service, with a monthly price of $45 per device, isn't targeting individual buyers and won't be offered to average consumers in the near future.But Verizon's partner, Cellcrypt, looks upon selling to large organizations as the first step toward bringing down the price before eventually offering a consumer-level encryption service. "At the end of the day, we'd love to have this be a line item on your Verizon bill," says Polansky.
  • ...2 more annotations...
  • Other companies have designed their encryption in this way, including AT&T, which offers encrypted phone service for business customers. Apple and Android recently began protecting content stored on users's phones in a way that would keep the tech companies from being able to comply with requests from law enforcement. The move drew public criticism from FBI Director James Comey, and some security experts expect that a renewed effort to stir passage of legislation banning such encryption will accompany Silicon Valley's increased interest in developing these services. Verizon believes major demand for its new encryption service will come from governmental agencies conveying sensitive but unclassified information over the phone, says Tim Petsky, a senior product manager for Verizon Wireless. Corporate customers who are concerned about corporate espionage are also itching for answers. "You read about breaches in security almost every week in the press," says Petsky. "Enterprise customers have been asking about ways to secure their communications and up until this point, we didn't have a solution." 
  • Many people in the security industry believe that a designed access point creates a vulnerability for criminals or spies to exploit. Last year reports surfaced that the FBI was pushing legislation that would require many forms of Internet communication to be wiretap-ready. A group of prominent security experts responded strongly: "Requiring software vendors to build intercept functionality into their products is unwise and will be ineffective, with the result being serious consequences (PDF) for the economic well-being and national security of the United States," they wrote in a report issued in May. 
Paul Merrell

Spy Chief James Clapper Wins Rosemary Award - 0 views

www2.gwu.edu/...20140324

surveillance state NSA Rosemary-Award Obama Clapper Alexander

shared by Paul Merrell on 24 Mar 14 - No Cached
  • Director of National Intelligence James Clapper has won the infamous Rosemary Award for worst open government performance in 2013, according to the citation published today by the National Security Archive at www.nsarchive.org. Despite heavy competition, Clapper's "No, sir" lie to Senator Ron Wyden's question: "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" sealed his receipt of the dubious achievement award, which cites the vastly excessive secrecy of the entire U.S. surveillance establishment. The Rosemary Award citation leads with what Clapper later called the "least untruthful" answer possible to congressional questions about the secret bulk collection of Americans' phone call data. It further cites other Clapper claims later proved false, such as his 2012 statement that "we don't hold data on U.S. citizens." But the Award also recognizes Clapper's fellow secrecy fetishists and enablers, including:
  • Gen. Keith Alexander, director of the NSA, for multiple Rose Mary Woods-type stretches, such as (1) claiming that the secret bulk collection prevented 54 terrorist plots against the U.S. when the actual number, according to the congressionally-established Privacy and Civil Liberties Oversight Board (PCLOB) investigation (pp. 145-153), is zero; (2) his 2009 declaration to the wiretap court that multiple NSA violations of the court's orders arose from differences over "terminology," an explanation which the chief judge said "strains credulity;" and (3) public statements by the NSA about its programs that had to be taken down from its website for inaccuracies (see Documents 78, 85, 87 in The Snowden Affair), along with public statements by other top NSA officials now known to be untrue (see "Remarks of Rajesh De," NSA General Counsel, Document 53 in The Snowden Affair).
  • Robert Mueller, former FBI director, for suggesting (as have Gen. Alexander and many others) that the secret bulk collection program might have been able to prevent the 9/11 attacks, when the 9/11 Commission found explicitly the problem was not lack of data points, but failing to connect the many dots the intelligence community already had about the would-be hijackers living in San Diego. The National Security Division lawyers at the Justice Department, for misleading their own Solicitor General (Donald Verrilli) who then misled (inadvertently) the U.S. Supreme Court over whether Justice let defendants know that bulk collection had contributed to their prosecutions. The same National Security Division lawyers who swore under oath in the Electronic Frontier Foundation's Freedom of Information Act lawsuit for a key wiretap court opinion that the entire text of the opinion was appropriately classified Top Secret/Sensitive Compartmented Information (release of which would cause "exceptionally grave damage" to U.S. national security). Only after the Edward Snowden leaks and the embarrassed governmental declassification of the opinion did we find that one key part of the opinion's text simply reproduced the actual language of the 4th Amendment to the U.S. Constitution, and the only "grave damage" was to the government's false claims.
  • ...9 more annotations...
  • President Obama for his repeated misrepresentations about the bulk collection program (calling the wiretap court "transparent" and saying "all of Congress" knew "exactly how this program works") while in effect acknowledging the public value of the Edward Snowden leaks by ordering the long-overdue declassification of key documents about the NSA's activities, and investigations both by a special panel and by the Privacy and Civil Liberties Oversight Board. The PCLOB directly contradicted the President, pointing out that "when the only means through which legislators can try to understand a prior interpretation of the law is to read a short description of an operational program, prepared by executive branch officials, made available only at certain times and locations, which cannot be discussed with others except in classified briefings conducted by those same executive branch officials, legislators are denied a meaningful opportunity to gauge the legitimacy and implications of the legal interpretation in question. Under such circumstances, it is not a legitimate method of statutory construction to presume that these legislators, when reenacting the statute, intended to adopt a prior interpretation that they had no fair means of evaluating." (p. 101)
  • Even an author of the Patriot Act, Rep. Jim Sensenbrenner (R-WI), was broadsided by the revelation of the telephone metadata dragnet. After learning of the extent of spying on Americans that his Act unleashed, he wrote that the National Security Agency "ignored restrictions painstakingly crafted by lawmakers and assumed plenary authority never imagined by Congress" by cloaking its actions behind the "thick cloud of secrecy" that even our elected representatives could not breech. Clapper recently conceded to the Daily Beast, "I probably shouldn't say this, but I will. Had we been transparent about this [phone metadata collection] from the outset … we wouldn't have had the problem we had." The NSA's former deputy director, John "Chris" Inglis, said the same when NPR asked him if he thought the metadata dragnet should have been disclosed before Snowden. "In hindsight, yes. In hindsight, yes." Speaking about potential (relatively minimal) changes to the National Security Agency even the president acknowledged, "And all too often new authorities were instituted without adequate public debate," and "Given the unique power of the state, it is not enough for leaders to say: Trust us. We won't abuse the data we collect. For history has too many examples when that trust has been breached." (Exhibit A, of course, is the NSA "watchlist" in the 1960's and 1970's that targeted not only antiwar and civil rights activists, but also journalists and even members of Congress.)
  • The Archive established the not-so-coveted Rosemary Award in 2005, named after President Nixon's secretary, Rose Mary Woods, who testified she had erased 18-and-a-half minutes of a crucial Watergate tape — stretching, as she showed photographers, to answer the phone with her foot still on the transcription pedal. Bestowed annually to highlight the lowlights of government secrecy, the Rosemary Award has recognized a rogue's gallery of open government scofflaws, including the CIA, the Treasury Department, the Air Force, the FBI, the Federal Chief Information Officers' Council, and the career Rosemary leader — the Justice Department — for the last two years. Rosemary-winner James Clapper has offered several explanations for his untruthful disavowal of the National Security Agency's phone metadata dragnet. After his lie was exposed by the Edward Snowden revelations, Clapper first complained to NBC's Andrea Mitchell that the question about the NSA's surveillance of Americans was unfair, a — in his words — "When are you going to stop beating your wife kind of question." So, he responded "in what I thought was the most truthful, or least untruthful, manner by saying 'no.'"
  • After continuing criticism for his lie, Clapper wrote a letter to Chairman of the Senate Select Committee on Intelligence Dianne Feinstein, now explaining that he misunderstood Wyden's question and thought it was about the PRISM program (under Section 702 of the Foreign Intelligence Surveillance Act) rather than the telephone metadata collection program (under Section 215 of the Patriot Act). Clapper wrote that his staff "acknowledged the error" to Senator Wyden soon after — yet he chose to reject Wyden's offer to amend his answer. Former NSA senior counsel Joel Brenner blamed Congress for even asking the question, claiming that Wyden "sandbagged" Clapper by the "vicious tactic" of asking "Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?" Meanwhile, Steve Aftergood of the Federation of American Scientists countered that "it is of course wrong for officials to make false statements, as DNI Clapper did," and that in fact the Senate Intelligence Committee "became complicit in public deception" for failing to rebut or correct Clapper's statement, which they knew to be untruthful. Clapper described his unclassified testimony as a game of "stump the chump." But when it came to oversight of the National Security Agency, it appears that senators and representatives were the chumps being stumped. According to Representative Justin Amash (R-Mich), the House Intelligence Committee "decided it wasn't worthwhile to share this information" about telephone metadata surveillance with other members of Congress. Classified briefings open to the whole House were a "farce," Amash contended, often consisting of information found in newspapers and public statutes.
  • The Emmy and George Polk Award-winning National Security Archive, based at the George Washington University, has carried out thirteen government-wide audits of FOIA performance, filed more than 50,000 Freedom of Information Act requests over the past 28 years, opened historic government secrets ranging from the CIA's "Family Jewels" to documents about the testing of stealth aircraft at Area 51, and won a series of historic lawsuits that saved hundreds of millions of White House e-mails from the Reagan through Obama presidencies, among many other achievements.
  • Director Clapper joins an undistinguished list of previous Rosemary Award winners: 2012 - the Justice Department (in a repeat performance, for failure to update FOIA regulations for compliance with the law, undermining congressional intent, and hyping its open government statistics) 2011- the Justice Department (for doing more than any other agency to eviscerate President Obama's Day One transparency pledge, through pit-bull whistleblower prosecutions, recycled secrecy arguments in court cases, retrograde FOIA regulations, and mixed FOIA responsiveness) 2010 - the Federal Chief Information Officers' Council (for "lifetime failure" to address the crisis in government e-mail preservation) 2009 - the FBI (for having a record-setting rate of "no records" responses to FOIA requests) 2008 - the Treasury Department (for shredding FOIA requests and delaying responses for decades) 2007 - the Air Force (for disappearing its FOIA requests and having "failed miserably" to meet its FOIA obligations, according to a federal court ruling) 2006 - the Central Intelligence Agency (for the biggest one-year drop-off in responsiveness to FOIA requests yet recorded).   ALSO-RANS The Rosemary Award competition in 2013 was fierce, with a host of government contenders threatening to surpass the Clapper "least untruthful" standard. These secrecy over-achievers included the following FOI delinquents:
  • Admiral William McRaven, head of the Special Operations Command for the raid that killed Osama Bin Laden, who purged his command's computers and file cabinets of all records on the raid, sent any remaining copies over to CIA where they would be effectively immune from the FOIA, and then masterminded a "no records" response to the Associated Press when the AP reporters filed FOIA requests for raid-related materials and photos. If not for a one-sentence mention in a leaked draft inspector general report — which the IG deleted for the final version — no one would have been the wiser about McRaven's shell game. Subsequently, a FOIA lawsuit by Judicial Watch uncovered the sole remaining e-mail from McRaven ordering the evidence destruction, in apparent violation of federal records laws, a felony for which the Admiral seems to have paid no price. Department of Defense classification reviewers who censored from a 1962 document on the Cuban Missile Crisis direct quotes from public statements by Soviet Premier Nikita Khrushchev. The quotes referred to the U.S. Jupiter missiles in Turkey that would ultimately (and secretly) be pulled out in exchange for Soviet withdrawal of its missiles in Cuba. The denials even occurred after an appeal by the National Security Archive, which provided as supporting material the text of the Khrushchev statements and multiple other officially declassified documents (and photographs!) describing the Jupiters in Turkey. Such absurd classification decisions call into question all of the standards used by the Pentagon and the National Declassification Center to review historical documents.
  • Admiral William McRaven memo from May 13, 2011, ordering the destruction of evidence relating to the Osama bin Laden raid. (From Judicial Watch)
  • The Department of Justice Office of Information Policy, which continues to misrepresent to Congress the government's FOIA performance, while enabling dramatic increases in the number of times government agencies invoke the purely discretionary "deliberative process" exemption. Five years after President Obama declared a "presumption of openness" for FOIA requests, Justice lawyers still cannot show a single case of FOIA litigation in which the purported new standards (including orders from their own boss, Attorney General Eric Holder) have caused the Department to change its position in favor of disclosure.
Paul Merrell

Hacking Team Asks Customers to Stop Using Its Software After Hack | Motherboard - 0 views

motherboard.vice.com/...-using-its-software-after-hack

surveillance state Hacking-Team hacked

shared by Paul Merrell on 07 Jul 15 - No Cached
  • But the hack hasn’t just ruined the day for Hacking Team’s employees. The company, which sells surveillance software to government customers all over the world, from Morocco and Ethiopia to the US Drug Enforcement Agency and the FBI, has told all its customers to shut down all operations and suspend all use of the company’s spyware, Motherboard has learned. “They’re in full on emergency mode,” a source who has inside knowledge of Hacking Team’s operations told Motherboard.
  • Hacking Team notified all its customers on Monday morning with a “blast email,” requesting them to shut down all deployments of its Remote Control System software, also known as Galileo, according to multiple sources. The company also doesn’t have access to its email system as of Monday afternoon, a source said. On Sunday night, an unnamed hacker, who claimed to be the same person who breached Hacking Team’s competitor FinFisher last year, hijacked its Twitter account and posted links to 400GB of internal data. Hacking Team woke up to a massive breach of its systems.
  • A source told Motherboard that the hackers appears to have gotten “everything,” likely more than what the hacker has posted online, perhaps more than one terabyte of data. “The hacker seems to have downloaded everything that there was in the company’s servers,” the source, who could only speak on condition of anonymity, told Motherboard. “There’s pretty much everything here.” It’s unclear how the hackers got their hands on the stash, but judging from the leaked files, they broke into the computers of Hacking Team’s two systems administrators, Christian Pozzi and Mauro Romeo, who had access to all the company’s files, according to the source. “I did not expect a breach to be this big, but I’m not surprised they got hacked because they don’t take security seriously,” the source told me. “You can see in the files how much they royally fucked up.”
  • ...2 more annotations...
  • For example, the source noted, none of the sensitive files in the data dump, from employees passports to list of customers, appear to be encrypted. “How can you give all the keys to your infrastructure to a 20-something who just joined the company?” he added, referring to Pozzi, whose LinkedIn shows he’s been at Hacking Team for just over a year. “Nobody noticed that someone stole a terabyte of data? You gotta be a fuckwad,” the source said. “It means nobody was taking care of security.”
  • The future of the company, at this point, it’s uncertain. Employees fear this might be the beginning of the end, according to sources. One current employee, for example, started working on his resume, a source told Motherboard. It’s also unclear how customers will react to this, but a source said that it’s likely that customers from countries such as the US will pull the plug on their contracts. Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely. The company, in fact, has “a backdoor” into every customer’s software, giving it ability to suspend it or shut it down—something that even customers aren’t told about. To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.
Paul Merrell

Watchdog: OPM ignored warnings about online background check system | TheHill - 0 views

thehill.com/...-about-background-check-system

Dark-State security-breach OPM

shared by Paul Merrell on 10 Jul 15 - No Cached
  • The Office of Personnel Management (OPM) had known since 2012 about security flaws in its online submission system, roughly three years before the agency finally shut down the system to repair it.“OPM has known about vulnerabilities in the system for years, but has not corrected them,” Michael Esser, the assistant inspector general for audits at the OPM, told a House subcommittee on Wednesday.ADVERTISEMENTIn late June, the OPM said it was suspending the Web-based platform, known as e-QIP, after a security review conducted in the wake of massive hacks at the agency uncovered significant defects.The OPM data breach has likely exposed upwards of 18 million people’s sensitive information and is raising pointed questions about why the agency hasn't moved more expediently over the years to correct glaring problems with its networks.The agency’s inspector general has said OPM officials repeatedly failed to heed its warnings, even refusing to shut down several of its weakest computer systems as recommended.
  • On Wednesday, Esser accused the agency of also not responding to alerts about the e-QIP system, which is used to file the background checks for security clearances.  The agency’s oversight arm detailed 18 security vulnerabilities starting in 2012, he said.“I do not know if those vulnerabilities were related to the reason the system was shut down last week,” Esser added.OPM Director Katherine Archuleta has maintained she always takes into account the watchdog’s recommendations. The agency kept the deficient computer systems running, she said, in order to avoid gaps in delivering employee's paychecks and benefits.
Paul Merrell

N.S.A. Breached Chinese Servers Seen as Security Threat - NYTimes.com - 0 views

www.nytimes.com/...servers-seen-as-spy-peril.html

surveillance state NSA NSA-targets China Huawei

shared by Paul Merrell on 24 Mar 14 - No Cached
  • American officials have long considered Huawei, the Chinese telecommunications giant, a security threat, blocking it from business deals in the United States for fear that the company would create “back doors” in its equipment that could allow the Chinese military or Beijing-backed hackers to steal corporate and government secrets.But even as the United States made a public case about the dangers of buying from Huawei, classified documents show that the National Security Agency was creating its own back doors — directly into Huawei’s networks.
  • Paul Merrell on 24 Mar 14
     
    New York TImes version of same story published yesterday by Der Spiegel, with much more detail in this version. 
Paul Merrell

Obama's crackdown views leaks as aiding enemies of U.S. | McClatchy - 0 views

www.mcclatchydc.com/...-crackdown-views-leaks-as.html

government secrecy Obama

shared by Paul Merrell on 25 Jun 13 - No Cached
  • Even before a former U.S. intelligence contractor exposed the secret collection of Americans’ phone records, the Obama administration was pressing a government-wide crackdown on security threats that requires federal employees to keep closer tabs on their co-workers and exhorts managers to punish those who fail to report their suspicions. President Barack Obama’s unprecedented initiative, known as the Insider Threat Program, is sweeping in its reach. It has received scant public attention even though it extends beyond the U.S. national security bureaucracies to most federal departments and agencies nationwide, including the Peace Corps, the Social Security Administration and the Education and Agriculture departments. It emphasizes leaks of classified material, but catchall definitions of “insider threat” give agencies latitude to pursue and penalize a range of other conduct.
  • Government documents reviewed by McClatchy illustrate how some agencies are using that latitude to pursue unauthorized disclosures of any information, not just classified material. They also show how millions of federal employees and contractors must watch for “high-risk persons or behaviors” among co-workers and could face penalties, including criminal charges, for failing to report them. Leaks to the media are equated with espionage.
  • Employees must turn themselves and others in for failing to report breaches. “Penalize clearly identifiable failures to report security infractions and violations, including any lack of self-reporting,” the strategic plan says.The Obama administration already was pursuing an unprecedented number of leak prosecutions, and some in Congress – long one of the most prolific spillers of secrets – favor tightening restrictions on reporters’ access to federal agencies, making many U.S. officials reluctant to even disclose unclassified matters to the public. The policy, which partly relies on behavior profiles, also could discourage creative thinking and fuel conformist “group think” of the kind that was blamed for the CIA’s erroneous assessment that Iraq was hiding weapons of mass destruction, a judgment that underpinned the 2003 U.S. invasion. “The real danger is that you get a bland common denominator working in the government,” warned Ilana Greenstein, a former CIA case officer who says she quit the agency after being falsely accused of being a security risk. “You don’t get people speaking up when there’s wrongdoing. You don’t get people who look at things in a different way and who are willing to stand up for things. What you get are people who toe the party line, and that’s really dangerous for national security.”
  • ...3 more annotations...
  • The program could make it easier for the government to stifle the flow of unclassified and potentially vital information to the public, while creating toxic work environments poisoned by unfounded suspicions and spurious investigations of loyal Americans, according to these current and former officials and experts. Some non-intelligence agencies already are urging employees to watch their co-workers for “indicators” that include stress, divorce and financial problems.
  • The program, however, gives agencies such wide latitude in crafting their responses to insider threats that someone deemed a risk in one agency could be characterized as harmless in another. Even inside an agency, one manager’s disgruntled employee might become another’s threat to national security. Obama in November approved “minimum standards” giving departments and agencies considerable leeway in developing their insider threat programs, leading to a potential hodgepodge of interpretations. He instructed them to not only root out leakers but people who might be prone to “violent acts against the government or the nation” and “potential espionage.”
  • The Department of Education, meanwhile, informs employees that co-workers going through “certain life experiences . . . might turn a trusted user into an insider threat.” Those experiences, the department says in a computer training manual, include “stress, divorce, financial problems” or “frustrations with co-workers or the organization.”An online tutorial titled “Treason 101” teaches Department of Agriculture and National Oceanic and Atmospheric Administration employees to recognize the psychological profile of spies.
Paul Merrell

Operation Socialist: How GCHQ Spies Hacked Belgium's Largest Telco - 0 views

firstlook.org/...elgacom-hack-gchq-inside-story

surveillance state GCHQ NSA Regin-malware Belgacom

shared by Paul Merrell on 15 Dec 14 - No Cached
  • When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies. It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data. Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”
  • The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear. Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation. Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.
  • When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies. It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data. Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”
  • ...7 more annotations...
  • Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.” The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”
  • Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company. Belgacom invested several million dollars in its efforts to clean-up its systems and beef-up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.
  • The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally (see interactive map below), and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company. Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.
  • What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.
  • Between 2009 and 2011, GCHQ worked with its allies to develop sophisticated new tools and technologies it could use to scan global networks for weaknesses and then penetrate them. According to top-secret GCHQ documents, the agency wanted to adopt the aggressive new methods in part to counter the use of privacy-protecting encryption—what it described as the “encryption problem.” When communications are sent across networks in encrypted format, it makes it much harder for the spies to intercept and make sense of emails, phone calls, text messages, internet chats, and browsing sessions. For GCHQ, there was a simple solution. The agency decided that, where possible, it would find ways to hack into communication networks to grab traffic before it’s encrypted.
  • The Snowden documents show that GCHQ wanted to gain access to Belgacom so that it could spy on phones used by surveillance targets travelling in Europe. But the agency also had an ulterior motive. Once it had hacked into Belgacom’s systems, GCHQ planned to break into data links connecting Belgacom and its international partners, monitoring communications transmitted between Europe and the rest of the world. A map in the GCHQ documents, named “Belgacom_connections,” highlights the company’s reach across Europe, the Middle East, and North Africa, illustrating why British spies deemed it of such high value.
  • Documents published with this article: Automated NOC detection Mobile Networks in My NOC World Making network sense of the encryption problem Stargate CNE requirements NAC review – October to December 2011 GCHQ NAC review – January to March 2011 GCHQ NAC review – April to June 2011 GCHQ NAC review – July to September 2011 GCHQ NAC review – January to March 2012 GCHQ Hopscotch Belgacom connections
Paul Merrell

Why the Sony hack is unlikely to be the work of North Korea. | Marc's Security Ramblings - 0 views

marcrogers.org/...-to-be-the-work-of-north-korea

Sony-hack North-Korea false-flag FBI Obama

shared by Paul Merrell on 25 Dec 14 - No Cached
  • Everyone seems to be eager to pin the blame for the Sony hack on North Korea. However, I think it’s unlikely. Here’s why:1. The broken English looks deliberately bad and doesn’t exhibit any of the classic comprehension mistakes you actually expect to see in “Konglish”. i.e it reads to me like an English speaker pretending to be bad at writing English. 2. The fact that the code was written on a PC with Korean locale & language actually makes it less likely to be North Korea. Not least because they don’t speak traditional “Korean” in North Korea, they speak their own dialect and traditional Korean is forbidden. This is one of the key things that has made communication with North Korean refugees difficult. I would find the presence of Chinese far more plausible.
  • 3. It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as. 4. Whoever did this is in it for revenge. The info and access they had could have easily been used to cash out, yet, instead, they are making every effort to burn Sony down. Just think what they could have done with passwords to all of Sony’s financial accounts? With the competitive intelligence in their business documents? From simple theft, to the sale of intellectual property, or even extortion – the attackers had many ways to become rich. Yet, instead, they chose to dump the data, rendering it useless. Likewise, I find it hard to believe that a “Nation State” which lives by propaganda would be so willing to just throw away such an unprecedented level of access to the beating heart of Hollywood itself.
  • 5. The attackers only latched onto “The Interview” after the media did – the film was never mentioned by GOP right at the start of their campaign. It was only after a few people started speculating in the media that this and the communication from DPRK “might be linked” that suddenly it became linked. I think the attackers both saw this as an opportunity for “lulz” and as a way to misdirect everyone into thinking it was a nation state. After all, if everyone believes it’s a nation state, then the criminal investigation will likely die.
  • ...4 more annotations...
  • 6. Whoever is doing this is VERY net and social media savvy. That, and the sophistication of the operation, do not match with the profile of DPRK up until now. Grugq did an excellent analysis of this aspect his findings are here – http://0paste.com/6875#md 7. Finally, blaming North Korea is the easy way out for a number of folks, including the security vendors and Sony management who are under the microscope for this. Let’s face it – most of today’s so-called “cutting edge” security defenses are either so specific, or so brittle, that they really don’t offer much meaningful protection against a sophisticated attacker or group of attackers.
  • 8. It probably also suits a number of political agendas to have something that justifies sabre-rattling at North Korea, which is why I’m not that surprised to see politicians starting to point their fingers at the DPRK also. 9. It’s clear from the leaked data that Sony has a culture which doesn’t take security very seriously. From plaintext password files, to using “password” as the password in business critical certificates, through to just the shear volume of aging unclassified yet highly sensitive data left out in the open. This isn’t a simple slip-up or a “weak link in the chain” – this is a serious organization-wide failure to implement anything like a reasonable security architecture.
  • The reality is, as things stand, Sony has little choice but to burn everything down and start again. Every password, every key, every certificate is tainted now and that’s a terrifying place for an organization to find itself. This hack should be used as the definitive lesson in why security matters and just how bad things can get if you don’t take it seriously. 10. Who do I think is behind this? My money is on a disgruntled (possibly ex) employee of Sony.
  • EDIT: This appears (at least in part) to be substantiated by a conversation the Verge had with one of the alleged hackers – http://www.theverge.com/2014/11/25/7281097/sony-pictures-hackers-say-they-want-equality-worked-with-staff-to-break-in Finally for an EXCELLENT blow by blow analysis of the breach and the events that followed, read the following post by my friends from Risk Based Security – https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack EDIT: Also make sure you read my good friend Krypt3ia’s post on the hack – http://krypt3ia.wordpress.com/2014/12/18/sony-hack-winners-and-losers/
  • Paul Merrell on 25 Dec 14
     
    Seems that the FBI overlooked a few clues before it told Obama to go ahead and declare war against North Korea. 
1 - 20 of 72 Next › Last »
Showing 20 items per page