Socialism and the End of the American Dream / Group items tagged zero-day-exploits

Paul Merrell

Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say - NYTimes.com - 0 views

  • Stepping into a heated debate within the nation’s intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday. But Mr. Obama carved a broad exception for “a clear national security or law enforcement need,” the officials said, a loophole that is likely to allow the N.S.A. to continue to exploit security flaws both to crack encryption on the Internet and to design cyberweapons.
  • elements of the decision became evident on Friday, when the White House denied that it had any prior knowledge of the Heartbleed bug, a newly known hole in Internet security that sent Americans scrambling last week to change their online passwords. The White House statement said that when such flaws are discovered, there is now a “bias” in the government to share that knowledge with computer and software manufacturers so a remedy can be created and distributed to industry and consumers. Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community. “This process is biased toward responsibly disclosing such vulnerabilities,” she said.
  • The N.S.A. made use of four “zero day” vulnerabilities in its attack on Iran’s nuclear enrichment sites. That operation, code-named “Olympic Games,” managed to damage roughly 1,000 Iranian centrifuges, and by some accounts helped drive the country to the negotiating table. Not surprisingly, officials at the N.S.A. and at its military partner, the United States Cyber Command, warned that giving up the capability to exploit undisclosed vulnerabilities would amount to “unilateral disarmament” — a phrase taken from the battles over whether and how far to cut America’s nuclear arsenal. “We don’t eliminate nuclear weapons until the Russians do,” one senior intelligence official said recently. “You are not going to see the Chinese give up on ‘zero days’ just because we do.” Even a senior White House official who was sympathetic to broad reforms after the N.S.A. disclosures said last month, “I can’t imagine the president — any president — entirely giving up a technology that might enable him some day to take a covert action that could avoid a shooting war.”
  • One recommendation urged the N.S.A. to get out of the business of weakening commercial encryption systems or trying to build in “back doors” that would make it far easier for the agency to crack the communications of America’s adversaries. Tempting as it was to create easy ways to break codes — the reason the N.S.A. was established by Harry S. Truman 62 years ago — the committee concluded that the practice would undercut trust in American software and hardware products. In recent months, Silicon Valley companies have urged the United States to abandon such practices, while Germany and Brazil, among other nations, have said they were considering shunning American-made equipment and software. Their motives were hardly pure: Foreign companies see the N.S.A. disclosures as a way to bar American competitors. Another recommendation urged the government to make only the most limited, temporary use of what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give an attacker access to a computer — and to any business, government agency or network connected to it. The flaws get their name from the fact that, when identified, the computer user has “zero days” to fix them before hackers can exploit the accidental vulnerability.
  • But documents released by Edward J. Snowden, the former N.S.A. contractor, make it clear that two years before Heartbleed became known, the N.S.A. was looking at ways to accomplish exactly what the flaw did by accident. A program code-named Bullrun, apparently named for the site of two Civil War battles just outside Washington, was part of a decade-long effort to crack or circumvent encryption on the web. The documents do not make clear how well it succeeded, but it may well have been more effective than exploiting Heartbleed would be at enabling access to secret data. The government has become one of the biggest developers and purchasers of information identifying “zero days,” officials acknowledge. Those flaws are big business — Microsoft pays up to $150,000 to those who find them and bring them to the company to fix — and other countries are gathering them so avidly that something of a modern-day arms race has broken out. Chief among the nations seeking them are China and Russia, though Iran and North Korea are in the market as well.
  •  
    Note that this is only an elastic policy, not law. Also notice that NYT is now reporting as *fact* that the NSA did the cyber attack on the Iranian enrichment centrifuges. By any legal measure, if true that was an act of war, a war of aggression.  So why wasn't the American public informed that we were at war with Iran? 
Paul Merrell

EFF Pries More Information on Zero Days from the Government's Grasp | Electronic Fronti... - 0 views

  • Until just last week, the U.S. government kept up the charade that its use of a stockpile of security vulnerabilities for hacking was a closely held secret. In fact, in response to EFF’s FOIA suit to get access to the official U.S. policy on zero days, the government redacted every single reference to “offensive” use of vulnerabilities. To add insult to injury, the government’s claim was that even admitting to offensive use would cause damage to national security. Now, in the face of EFF’s brief marshaling overwhelming evidence to the contrary, the charade is over. In response to EFF’s motion for summary judgment, the government has disclosed a new version of the Vulnerabilities Equities Process, minus many of the worst redactions. First and foremost, it now admits that the “discovery of vulnerabilities in commercial information technology may present competing ‘equities’ for the [government’s] offensive and defensive mission.” That might seem painfully obvious—a flaw or backdoor in a Juniper router is dangerous for anyone running a network, whether that network is in the U.S. or Iran. But the government’s failure to adequately weigh these “competing equities” was so severe that in 2013 a group of experts appointed by President Obama recommended that the policy favor disclosure “in almost all instances for widely used code.” [.pdf].
  • The newly disclosed version of the Vulnerabilities Equities Process (VEP) also officially confirms what everyone already knew: the use of zero days isn’t confined to the spies. Rather, the policy states that the “law enforcement community may want to use information pertaining to a vulnerability for similar offensive or defensive purposes but for the ultimate end of law enforcement.” Similarly it explains that “counterintelligence equities can be defensive, offensive, and/or law enforcement-related” and may “also have prosecutorial responsibilities.” Given that the government is currently prosecuting users for committing crimes over Tor hidden services, and that it identified these individuals using vulnerabilities called a “Network Investigative Technique”, this too doesn’t exactly come as a shocker. Just a few weeks ago, the government swore that even acknowledging the mere fact that it uses vulnerabilities offensively “could be expected to cause serious damage to the national security.” That’s a standard move in FOIA cases involving classified information, even though the government unnecessarily classifies documents at an astounding rate. In this case, the government relented only after nearly a year and a half of litigation by EFF. The government would be well advised to stop relying on such weak secrecy claims—it only risks undermining its own credibility.
  • The new version of the VEP also reveals significantly more information about the general process the government follows when a vulnerability is identified. In a nutshell, an agency that discovers a zero day is responsible for invoking the VEP, which then provides for centralized coordination and weighing of equities among all affected agencies. Along with a declaration from an official at the Office of the Director of National Intelligence, this new information provides more background on the reasons why the government decided to develop an overarching zero day policy in the first place: it “recognized that not all organizations see the entire picture of vulnerabilities, and each organization may have its own equities and concerns regarding the prioritization of patches and fixes, as well as its own distinct mission obligations.” We now know the VEP was finalized in February 2010, but the government apparently failed to implement it in any substantial way, prompting the presidential review group’s recommendation to prioritize disclosure over offensive hacking. We’re glad to have forced a little more transparency on this important issue, but the government is still foolishly holding on to a few last redactions, including refusing to name which agencies participate in the VEP. That’s just not supportable, and we’ll be in court next month to argue that the names of these agencies must be disclosed. 
Paul Merrell

NSA contracted French cyber-firm for hacking help - RT USA - 0 views

  • The latest revelation regarding the National Security Agency doesn't come courtesy of Edward Snowden. A Freedom of Information Act request has confirmed the NSA contracted a French company that makes its money by hacking into computers. It's no secret that the United States government relies on an arsenal of tactics to gather intelligence and wage operations against its adversaries, but a FOIA request filed by Muckrock's Heather Akers-Healy has confirmed that the list of Uncle Sam's business partners include Vupen, a French-based security company that specializes in selling secret codes used to crack into computers. Documents responsive to my request to #NSA for contracts with VUPEN, include 12/month exploit subscription https://t.co/x3qJbqSUpa — Heather Akers-Healy (@abbynormative) September 16, 2013 Muckrock published on Monday a copy of a contract between the NSA and Vupen in which the US government is shown to have ordered a one-year subscription to the firm's “binary analysis and exploits service” last September.
  • That service, according to the Vupen website, is sold only to government entities, law enforcement agencies and computer response teams in select countries, and provides clients with access to so-called zero-day exploits: newly-discovered security vulnerabilities that the products' manufacturers have yet to discover and, therefore, have had zero days to patch-up. “Major software vendors such as Microsoft and Adobe usually take 6 to 9 months to release a security patch for a critical vulnerability affecting their products, and this long delay between the discovery of a vulnerability and the release of a patch creates a window of exposure during which criminals can rediscover a previously reported but unpatched vulnerability, and target any organization running the vulnerable software,” Vupen says elsewhere on their website. Last year, Vupen researchers successfully cracked Google's Chrome browser, but declined to show developers how they did so — even for an impressive cash bounty. “We wouldn’t share this with Google for even $1 million,” Vupen CEO Chaouki Bekrar told Forbes' Andy Greenberg of the Chrome hack in 2012. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
  • And why the NSA and other clients may benefit from being privy to these vulnerabilities, knowing how to exploit security holes in adversarial systems is a crucial component to any government's offensive cyber-operations. Last month, the Washington Post published excerpts from the previously secretive “black budget,” a closely guarded ledger listing the funding requests made by America's intelligence community provided by NSA leaker Edward Snowden. According to that document, a substantial goal of the US in fiscal year 2013 was to use a portion of $52.6 billion in secretive funding towards improving offensive cyber-operations.
  • The portion of the contract obtained by Muckrock where the cost of the subscription is listed has been redacted, but a Vupen hacker who spoke to Greenberg last year said deals in the five-figures weren't uncommon. "People seem surprised to discover that major government agencies are acquiring Vupen's vulnerability intelligence," Bekrar wrote in an email to Information Week's Matthew Schwartz after the NSA contract with his signature was published. "There is no news here, governments need to leverage the most detailed and advanced vulnerability research to protect their infrastructures and citizens against adversaries." Critics of Vupen and its competitors see government-waged cyber-operations in a different light, however. Christopher Soghoian of the American Civil Liberties Union's Speech, Privacy and Technology Project has spoken outright against companies that sell exploits and has equated the computer codes being sold for big money as a new sort of underground arms trade fueling an international, online battle. To Greenberg last year, Soghoian described Vupen as a “modern-day merchant of death” selling “the bullets for cyberwar," and upon publishing of the NSA contract called the company a “cyber weapon merchant.” The NSA is a customer of French 0-day cyber weapon merchant VUPEN, FOIA docs reveal: (via @ramdac & @MuckRockNews) https://t.co/OPJ82miK3c — Christopher Soghoian (@csoghoian) September 16, 2013
Paul Merrell

Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise - The Intercept - 0 views

  • The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents. In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . .  get access to the emails themselves,” reads one top secret 2010 National Security Agency document. These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents—which come from the U.K. Government Communications Headquarters agency and NSA—shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.
  • By looking out for hacking conducted “both by state-sponsored and freelance hackers” and riding on the coattails of hackers, Western intelligence agencies have gathered what they regard as valuable content: Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect. The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists: INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:
    A = Indian Diplomatic & Indian Navy
    B = Central Asian diplomatic
    C = Chinese Human Rights Defenders
    D = Tibetan Pro-Democracy Personalities
    E = Uighur Activists
    F = European Special Rep to Afghanistan and Indian photo-journalism
    G = Tibetan Government in Exile
  • In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.” In instances where hacking may compromise data from the U.S. and U.K. governments, or their allies, notification was given to the “relevant parties.” In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” according to one document. GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. The Twitter accounts designated for collection in the 2012 document:
  • These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses. The U.S. Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker. Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq.” GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).
  • Documents published with this article: LOVELY HORSE – GCHQ Wiki Overview INTOLERANT – Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers – SIDtoday  HAPPY TRIGGER/LOVELY HORSE/Zool/TWO FACE – Open Source for Cyber Defence/Progress NATO Civilian Intelligence Council – Cyber Panel – US Talking Points
Paul Merrell

DOJ Seeks Removal Of Restrictions On Computer Search Warrants - 0 views

  • The Justice Department recently submitted proposed new rules on the procedures and practices of the department’s agencies and bureaus. Among the suggested changes is a modification of the Federal Rules of Criminal Procedure Rule 41(b), which empowers a federal court to issue a warrant allowing the federal government to conduct a search of a computer or computer network involved in a criminal investigation. Under current regulations, a warrant issued by a federal court is only valid in that court’s district. As there are 94 federal judicial districts, investigating a widespread attack may require either petitioning dozens of district courts or acting extrajudicially by not seeking a warrant. An extrajudicial investigation, however, cannot be used if criminal convictions are sought, as evidence gathered in this manner is not typically admissible in court. The Justice Department is seeking to make remote access warrants to search, seize and copy electronic information valid for all federal districts.
  • The Justice Department argues that due to the sophistication of cyber-criminals, an offending computer or computer cluster can sit in a district separate from the district where the hackers that infected the target computer anonymously are and separate from the investigators’ district. “Criminals are using multiple computers in many districts simultaneously as part of complex criminal schemes, and effectively investigating and disrupting these schemes often requires remote access to Internet-connected computers in many different districts,” wrote then-acting Assistant Attorney General Mythili Raman in a September letter to the Advisory Committee on the Criminal Rules. “Botnets are a significant threat to the public: they are used to conduct large-scale denial of service attacks, steal personal and financial data, and distribute malware designed to invade the privacy of users of the host computers,” Raman continued. In the letter, Raman cited an investigation of a child porn site that uses The Onion Router Network, or Tor, to anonymize its traffic. The Justice Department argues that it knows the site’s hosting server location, but without a warrant local to the server, the department is prevented from retrieving the server’s user records — including IP and MAC addresses. In most cases, however, law enforcement do not know the physical location of the site’s server, making it impossible to request a specific warrant.
  • In these cases, the Justice Department could request a blanket warrant. This would allow the department to set up a “zero-day” attack on the server — an attack exploiting a manufacturer-unknown or -permitted security flaw, allowing access to the system’s operating software. However, a Texas judge denied the FBI access to such a warrant, saying the Justice Department’s use of “zero-day” attacks in its investigation exposes the public and the target to unknown risks. One typical type of a “zero-day” attack is an infected email that could affect a large number of innocent people if the target used a public computer to access his email. The FBI planned to install a Remote Administration Tool, or RAT, which would distribute such emails in a partially-targeted spam mail distribution. Last year, Federal Magistrate Judge Stephen Smith of the Houston Division of the Southern District of Texas ruled that this was a gross overreach of investigatory intrusion, blocking the plan temporarily. A “zero-day” attack has the potential to activate and control the targeted computer’s peripherals, such as webcams and microphones.
  • Following this ruling, based on the assumptions that federal law enforcement fundamentally act in good faith and that there may be a legitimate need for remote exploitation of computer data, the Justice Department sought to introduce changes to the rules that would overcome Smith’s objections. The proposed change to Rule 41(b) would allow magistrate judges “… to issue a warrant to use remote access to search electronic storage media and to seize electronically stored information located within or outside that district.” The Justice Department has indicated that it wants warrants permitting multiple computers to be searched at the same time, as well as permission to search all of the email and social media accounts accessible from a single computer. Such access would constitute a violation of the Electronic Communications Privacy Act, as the government, under the act, must demonstrate probable cause to each targeted service provider and obtain and serve a warrant for each service provider. A warrant to search every account active on a computer would be actively bypassing the act’s numerous safeguards.
  • Privacy advocates fear that this rule change would allow prosecutors and the Justice Department to seek out magistrates likely to give them their requested warrants, creating a situation in which the federal government could have a “warrant shop” with just one judge for the whole of the nation. In light of allegations of federal government over-policing — including revelations of aggressive domestic and international electronic spying by the FBI and the National Security Agency — many advocates argue that an examination of the federal government’s commitment to the Fourth Amendment is needed. “The proposed amendment would significantly expand the government’s authority to conduct remote searches of electronic storage media,” the American Civil Liberties Union wrote in a memorandum early last month. “It would also expand the government’s power to engage in computer hacking in the course of criminal investigations, including through the use of malware and other techniques that pose a risk to internet security and that raise Fourth Amendment and policy concerns. “In light of these concerns, the ACLU recommends that the Advisory Committee exercise extreme caution before granting the government new authority to remotely search individuals’ electronic data.” The rules are scheduled to be discussed at the meeting of the Judiciary’s Committee on Rules of Practice and Procedure later this month.
  •  
    The proposed rule change is at pp. 499-501 here. http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/Agenda%20Books/Standing/ST2014-05.pdf#page499 (very large PDF). This is not just about the government being granted permission to exploit vulnerabilities unknown to the computer owner; the issue arose in a case where the government sought judicial permission to implant a Trojan Horse in a suspect's computer. Moreover, the proposed rule goes far beyond the confines of that case, purporting to authorize the government to skip merrily along searching computers not specified in the warrant, along the purported botnet. To put the icing on the cake, the government wants to be relieved from the requirement that they apply for a warrant in the district in which the computer to be searched is located. ("Oh, Goody! Let's start shopping around for the judges we like instead of the ones we are now required to persuade. What? The Mississippi judge refused to sign the warrant? Oh well, let's try it with that other judge we like, the one in Gnome, Alaska.") In other words, what the government seeks is authority for "general warrants," the very evil that the 4th Amendment was designed to outlaw. Even more outrageously, the proposed rule provides in part: "For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant on the person whose property *was* searched or whose information *was* seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person." Note the use of the past tense "was." So after they have drained your computer of all its data, they may permissibly install a batch file that will display a copy of the warrant on your monitor the next time you boot your computer. With a big red lipstick imprint of a kiss imprinted in the warrant's bottom margin, no doubt
  •  
    The proposed rule change is at pp. 499-501 here. http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/Agenda%20Books/Standing/ST2014-05.pdf#page499 (very large PDF). This is not just about the government being granted permission to exploit vulnerabilities unknown to the computer owner; the issue arose in a case where the government sought judicial permission to implant a Trojan Horse in a suspect's computer. Moreover, the proposed rule goes far beyond the confines of that case, purporting to authorize the government to skip merrily along searching computers not specified in the warrant, along the purported botnet. To put the icing on the cake, the government wants to be relieved from the requirement that they apply for a warrant in the district in which the computer to be searched is located. In other words, what the government seeks is authority for "general warrants," the very evil that the 4th Amendment was designed to outlaw. Even more outrageously, the proposed rule provides in part: "For a warrant to use remote access to search electronic storage media and seize or copy electronically stored information, the officer must make reasonable efforts to serve a copy of the warrant on the person whose property *was* searched or whose information *was* seized or copied. Service may be accomplished by any means, including electronic means, reasonably calculated to reach that person." Note the use of the past tense "was." So after they have drained your computer of all its data, they may permissibly install a batch file that will display a copy of the warrant on your monitor the next time you boot your computer. With a big red lipstick imprint of a kiss imprinted at the bottom. To be continued after this is initially posted to Diigo so the content isn't cut off.
Paul Merrell

Leaked docs show spyware used to snoop on US computers | Ars Technica - 0 views

  • Software created by the controversial UK-based Gamma Group International was used to spy on computers that appear to be located in the United States, the UK, Germany, Russia, Iran, and Bahrain, according to a leaked trove of documents analyzed by ProPublica. It's not clear whether the surveillance was conducted by governments or private entities. Customer e-mail addresses in the collection appeared to belong to a German surveillance company, an independent consultant in Dubai, the Bosnian and Hungarian Intelligence services, a Dutch law enforcement officer, and the Qatari government.
  • The leaked files—which were posted online by hackers—are the latest in a series of revelations about how state actors including repressive regimes have used Gamma's software to spy on dissidents, journalists, and activist groups. The documents, leaked last Saturday, could not be readily verified, but experts told ProPublica they believed them to be genuine. "I think it's highly unlikely that it's a fake," said Morgan Marquis-Boire, a security researcher who while at The Citizen Lab at the University of Toronto had analyzed Gamma Group's software and who authored an article about the leak on Thursday. The documents confirm many details that have already been reported about Gamma, such as that its tools were used to spy on Bahraini activists. Some documents in the trove contain metadata tied to e-mail addresses of several Gamma employees. Bill Marczak, another Gamma Group expert at the Citizen Lab, said that several dates in the documents correspond to publicly known events—such as the day that a particular Bahraini activist was hacked.
  • The leaked files contain more than 40 gigabytes of confidential technical material, including software code, internal memos, strategy reports, and user guides on how to use Gamma Group software suite called FinFisher. FinFisher enables customers to monitor secure Web traffic, Skype calls, webcams, and personal files. It is installed as malware on targets' computers and cell phones. A price list included in the trove lists a license of the software at almost $4 million. The documents reveal that Gamma uses technology from a French company called Vupen Security that sells so-called computer "exploits." Exploits include techniques called "zero days" for "popular software like Microsoft Office, Internet Explorer, Adobe Acrobat Reader, and many more." Zero days are exploits that have not yet been detected by the software maker and therefore are not blocked.
  • Many of Gamma's product brochures have previously been published by the Wall Street Journal and Wikileaks, but the latest trove shows how the products are getting more sophisticated. In one document, engineers at Gamma tested a product called FinSpy, which inserts malware onto a user's machine, and found that it could not be blocked by most antivirus software. Documents also reveal that Gamma had been working to bypass encryption tools including a mobile phone encryption app, Silent Circle, and were able to bypass the protection given by hard-drive encryption products TrueCrypt and Microsoft's Bitlocker.
  • The documents also describe a "country-wide" surveillance product called FinFly ISP which promises customers the ability to intercept Internet traffic and masquerade as ordinary websites in order to install malware on a target's computer. The most recent date-stamp found in the documents is August 2, coinciding with the first tweet by a parody Twitter account, @GammaGroupPR, which first announced the hack and may be run by the hacker or hackers responsible for the leak. On Reddit, a user called PhineasFisher claimed responsibility for the leak. "Two years ago their software was found being widely used by governments in the middle east, especially Bahrain, to hack and spy on the computers and phones of journalists and dissidents," the user wrote. The name on the @GammaGroupPR Twitter account is also "Phineas Fisher." GammaGroup, the surveillance company whose documents were released, is no stranger to the spotlight. The security firm F-Secure first reported the purchase of FinFisher software by the Egyptian State Security agency in 2011. In 2012, Bloomberg News and The Citizen Lab showed how the company's malware was used to target activists in Bahrain. In 2013, the software company Mozilla sent a cease-and-desist letter to the company after a report by The Citizen Lab showed that a spyware-infected version of the Firefox browser manufactured by Gamma was being used to spy on Malaysian activists.
Paul Merrell

If GCHQ wants to improve national security it must fix our technology | Technology | th... - 0 views

  • In a recent column, security expert Bruce Schneier proposed breaking up the NSA – handing its offensive capabilities work to US Cyber Command and its law enforcement work to the FBI, and terminating its programme of attacking internet security. In place of this, Schneier proposed that “instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.” This is a profoundly good idea for reasons that may not be obvious at first blush. People who worry about security and freedom on the internet have long struggled with the problem of communicating the urgent stakes to the wider public. We speak in jargon that’s a jumble of mixed metaphors – viruses, malware, trojans, zero days, exploits, vulnerabilities, RATs – that are the striated fossil remains of successive efforts to come to grips with the issue. When we do manage to make people alarmed about the stakes, we have very little comfort to offer them, because Internet security isn’t something individuals can solve.
  • I remember well the day this all hit home for me. It was nearly exactly a year ago, and I was out on tour with my novel Homeland, which tells the story of a group of young people who come into possession of a large trove of government leaks that detail a series of illegal programmes through which supposedly democratic governments spy on people by compromising their computers.
  • I explained the book’s premise, and then talked about how this stuff works in the real world. I laid out a parade of awfuls, including a demonstrated attack that hijacked implanted defibrillators from 10 metres’ distance and caused them to compromise other defibrillators that came into range, implanting an instruction to deliver lethal shocks at a certain time in the future. I talked about Cassidy Wolf, the reigning Miss Teen USA, whose computer had been taken over by a “sextortionist” who captured nude photos of her and then threatened to release them if she didn’t perform live sex shows for him. I talked about the future of self-driving cars, smart buildings, implanted hearing aids and robotic limbs, and explained that the world is made out of computers that we put our bodies into, and that we put inside our bodies. These computers are badly secured. What’s more, governments and their intelligence agencies are actively working to undermine the security of our computers and networks. This was before the Snowden revelations, but we already knew that governments were buying “zero-day vulnerabilities” from security researchers. These are critical bugs that can be leveraged to compromise entire systems. Until recently, the normal response to the discovery of one of these “vulns” was to report them to the vendor so they could be repaired.
  • But spy-agencies and law-enforcement have created a bustling marketplace for “zero-days,” which are weaponised for the purpose of attacking the computers and networks of “bad guys”. The incentives have shifted, and now a newly discovered bug had a good chance of remaining unpatched and live in the field because governments wanted to be able to use it to hack their enemies.
  • Last year, when I finished that talk in Seattle, a talk about all the ways that insecure computers put us all at risk, a woman in the audience put up her hand and said, “Well, you’ve scared the hell out of me. Now what do I do? How do I make my computers secure?” And I had to answer: “You can’t. No one of us can. I was a systems administrator 15 years ago. That means that I’m barely qualified to plug in a WiFi router today. I can’t make my devices secure and neither can you. Not when our governments are buying up information about flaws in our computers and weaponising them as part of their crime-fighting and anti-terrorism strategies. Not when it is illegal to tell people if there are flaws in their computers, where such a disclosure might compromise someone’s anti-copying strategy. But: If I had just stood here and spent an hour telling you about water-borne parasites; if I had told you about how inadequate water-treatment would put you and everyone you love at risk of horrifying illness and terrible, painful death; if I had explained that our very civilisation was at risk because the intelligence services were pursuing a strategy of keeping information about pathogens secret so they can weaponise them, knowing that no one is working on a cure; you would not ask me ‘How can I purify the water coming out of my tap?’”
  • Because when it comes to public health, individual action only gets you so far. It doesn’t matter how good your water is, if your neighbour’s water gives him cholera, there’s a good chance you’ll get cholera, too. And even if you stay healthy, you’re not going to have a very good time of it when everyone else in your country is stricken and has taken to their beds. If you discovered that your government was hoarding information about water-borne parasites instead of trying to eradicate them; if you discovered that they were more interested in weaponising typhus than they were in curing it, you would demand that your government treat your water-supply with the gravitas and seriousness that it is due. The public health analogy is surprisingly apt here. The public health threat-model is in a state of continuous flux, because our well-being is under continuous, deliberate attack from pathogens for whom we are, at best, host organisms, and at worst, dinner. Evolution drives these organisms to a continuously shifting array of tactics to slide past our defenses. Public health isn’t just about pathogens, either – its thorniest problems are about human behaviour and social policy. HIV is a blood-borne disease, but disrupting its spread requires changes to our attitudes about sex, pharmaceutical patents, drugs policy and harm minimisation. Almost everything interesting about HIV is too big to fit on a microscope slide.
  • And so it is for security: crypto is awesome maths, but it’s just maths. Security requires good password choice, good password management, good laws about compelled crypto disclosure, transparency into corporate security practices, and, of course, an end to the governmental practice of spending $250M/year on anti-security sabotage through the NSA/GCHQ programmes Bullrun and Edgehill.
  • But for me, the most important parallel between public health and internet security is their significance to our societal wellbeing. Everything we do today involves the internet. Everything we do tomorrow will require the internet. If you live near a nuclear power plant, fly in airplanes, ride in cars or trains, have an implanted pacemaker, keep money in the bank, or carry a phone, your safety and well-being depend on a robust, evolving, practice of network security. This is the most alarming part of the Snowden revelations: not just that spies are spying on all of us – that they are actively sabotaging all of our technical infrastructure to ensure that they can continue to spy on us. There is no way to weaken security in a way that makes it possible to spy on “bad guys” without making all of us vulnerable to bad guys, too. The goal of national security is totally incompatible with the tactic of weakening the nation’s information security.
  • “Virus” has been a term of art in the security world for decades, and with good reason. It’s a term that resonates with people, even people with only a cursory grasp of technology. As we strive to make the public and our elected representatives understand what’s at stake, let’s expand that pathogen/epidemiology metaphor. We’d never allow MI5 to suppress information on curing typhus so they could attack terrorists by infecting them with it. We need to stop allowing the NSA and GCHQ to suppress information on fixing bugs in our computers, phones, cars, houses, planes, and bodies. If GCHQ wants to improve the national security of the United Kingdom – if the NSA want to improve the American national security – they should be fixing our technology, not breaking it. The technology of Britons and Americans is under continuous, deadly attack from criminals, from foreign spies, and from creeps. Our security is better served by armouring us against these threats than it is by undermining security so that cops and spies have an easier time attacking “bad guys.”
Paul Merrell

In Keeping Grip on Data Pipeline, Obama Does Little to Reassure Industry - NYTimes.com - 0 views

  • Google, which briefly considered moving all of its computer servers out of the United States last year after learning how they had been penetrated by the National Security Agency, was looking for a public assurance from President Obama that the government would no longer secretly suck data from the company’s corner of the Internet cloud. Microsoft was listening to see if Mr. Obama would adopt a recommendation from his advisers that the government stop routinely stockpiling flaws in its Windows operating system, then using them to penetrate some foreign computer systems and, in rare cases, launch cyberattacks.
  • Intel and computer security companies were eager to hear Mr. Obama embrace a commitment that the United States would never knowingly move to weaken encryption systems. They got none of that.
  • Perhaps the most striking element of Mr. Obama’s speech on Friday was what it omitted: While he bolstered some protections for citizens who fear the N.S.A. is downloading their every dial, tweet and text message, he did nothing, at least yet, to loosen the agency’s grip on the world’s digital pipelines. White House officials said that Mr. Obama was committed to studying the complaints by American industry that the revelations were costing them billions of dollars in business overseas, by giving everyone from the Germans to the Brazilians to the Chinese an excuse to avoid American hardware and cloud services. “The most interesting part of this speech was not how the president weighed individual privacy against the N.S.A.,” said Fred H. Cate, the director of the Center of Applied Cybersecurity Research at Indiana University, “but that he said little about what to do about the agency’s practice of vacuuming up everything it can get its hands on.”
  • In fact, behind the speech lies a struggle Mr. Obama nodded at but never addressed head on. It pits corporations that view themselves as the core of America’s soft power around the world — the country’s economic driver and the guardians of its innovative edge — against an intelligence community 100,000 strong that regards its ability to peer into any corner of the digital world, and manipulate it if necessary, as crucial to the country’s security. In public, the coalition was polite if unenthusiastic about the president’s speech. His proposals, the companies said in a statement, “represent positive progress on key issues,” even while “crucial details remain to be addressed on these issues, and additional steps are needed on other important issues.” But in the online chat rooms that users and employees of those services inhabit each day, the president’s words were mocked. “If they really cared about the security of US infrastructure, they’d divulge the vulnerabilities they found or bought from the black market that exploit the security of these systems, so those systems can be fixed, and no one else can exploit them with these exploits,” wrote a user called “higherpurpose” on Hacker News.
  • In an interview, a senior administration official acknowledged that the administration had weighed what the president could say in public about the delicate problems of encryption, or the N.S.A.’s use of “zero day” flaws in software, the name for security holes that have never been seen before. It is a subject the intelligence agencies have refused to discuss in public, and Mr. Obama determined that it was both too secret, and too fluid, to discuss in the speech, officials said. In response to questions, the White House said the president had asked his special assistant for cybersecurity, Michael Daniel, and the president’s office of science and technology policy to study a recent advisory panel’s recommendation that the government get out of the business of corrupting the encryption systems created by American companies.
  • It will not be an easy task. One of the recent disclosures, first reported by Reuters, indicated that the N.S.A. paid millions of dollars to RSA, a major encryption firm, to incorporate a deliberately weakened algorithm into some of its products, giving the government a “back door” to read whatever it wanted. But when the advisory panel concluded that the United States should not “in any way subvert, weaken or make vulnerable generally available commercial software,” the intelligence agencies protested. “Some in the intelligence community saw that as a call for the N.S.A. to get out of cryptography, which is the reason they were created,” the senior official said. He added: “We’ve said that we are very much supportive of U.S. industry and making sure that U.S. industry remains competitive, and able to produce really good products. And N.S.A. has been out there saying they have no interest in breaking encryption that guards global commerce.”
  • But as Mr. Obama himself acknowledged, the United States has a credibility problem that will take years to address. The discovery that it had monitored the cellphone of Chancellor Angela Merkel of Germany, or that it has now found a way to tap into computers around the world that are completely disconnected from the Internet — using covert radio waves — only fuels the argument that American products cannot be trusted. That argument, heard these days from Berlin to Mexico City, may only be an excuse for protectionism. But it is an excuse that often works.
Paul Merrell

Mozilla Wants Heads-Up From FBI on Tor Browser Hack - 0 views

  • The maker of the Firefox browser is wading into an increasingly contentious court battle over an undisclosed security vulnerability the FBI used to track down anonymous users of a child-porn site. The FBI took over a dark web child-pornography site called Playpen last year and, rather than shut it down, used a secret, still-undisclosed vulnerability in the Tor Browser to install malware on the computers of more than 1,000 users that allowed the FBI to determine their locations. But in Tacoma, Washington, lawyers for a school administrator caught in the dragnet have successfully demanded the right to review the malware in order to pursue their argument that it, rather than he, was responsible for the illicit material ending up on his computer. The Tor Browser is a free browser that shields a user’s identity. It is also based on code from the Firefox browser. Mozilla, the organization behind Firefox, has long worried that the Tor Browser vulnerability might still be out there, could be exploited by bad actors, and could exist in Firefox, which is much more widely used than the Tor Browser.
  • So while it seems likely that the FBI will go to great lengths not to turn over the code – possibly dropping the case altogether – Mozilla’s top lawyer, Denelle Dixon-Thayer, is now arguing “that the government must disclose the vulnerability to us before it is disclosed to any other party.” She explained: “Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community. In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly.” Dixon-Thayer noted that Mozilla isn’t taking sides, pro- or anti-disclosure. It just wants to make sure that if there is disclosure, Mozilla gets it first. Here is the legal brief Mozilla filed on Wednesday. The issue of when the government should disclose security vulnerabilities is a hotly contested issue outside the courtroom as well.
  • The Obama administration’s policy is that when the government learns of a new flaw, it has to submit the flaw to an interagency group. The White House says that group has a “strong bias” toward disclosure to vendors so that they can fix them, rather than just letting the agencies keep the flaws secret and continue to use them. But the evidence suggests that is not the case.
Paul Merrell

Canadian Government Says Free Speech is for Offending Muslims - Not Opposing Israel - T... - 0 views

  • Canadian Prime Minister Stephen Harper, January 8, 2015, on Charlie Hebdo shootings: “When a trio of hooded men struck at some of our most cherished democratic principles, freedom of expression, freedom of the press, they assaulted democracy everywhere . . . They have declared war on anybody who does not think and act exactly as they wish they would think and act . . . . they have declared war on any country, like ourselves, that values freedom, openness and tolerance.”
  • CBC, today: “Ottawa threatening hate charges against those who boycott Israel” The Harper government is signaling its intention to use hate crime laws against Canadian advocacy groups that encourage boycotts of Israel. Such a move could target a range of civil society organizations, from the United Church of Canada and the Canadian Quakers to campus protest groups and labour unions. If carried out, it would be a remarkably aggressive tactic, and another measure of the Conservative government’s lockstep support for Israeli Prime Minister Benjamin Netanyahu. . . . The government’s intention was made clear in a response to inquiries from CBC News about statements by federal ministers of a “zero tolerance” approach to groups participating in a loose coalition called Boycott, Divest and Sanction (BDS), which was begun in 2006 at the request of Palestinian non-governmental organizations.
  • Has a #JeSuisBDS hashtag started trending yet on Twitter? Under the new Charlie Hebdo standard — it’s not enough to defend free speech; one must praise and even express the speech targeted with suppression — have all of the newfound free speech crusaders begun organizing pro-Israel-boycott rallies in order to defy these suppression efforts? In a zillion years, could anyone imagine the popularity-craving officials who run PEN America bestowing one of their glamorous awards on advocates of the Israel-targeted Boycott/Divestment/Sanctions movement? The answer to all of those questions is and will remain “no,” because (as I discussed last week here with Bob Wright) the Charlie Hebdo ritual (for most, not all) was about many agendas having nothing to do with the free expression banner under which it paraded. In that regard, Stephen Harper is the perfect Poster Boy for how free expression is tribalistically manipulated and exploited in the West. When the views being suppressed are ones amenable to those in power (e.g., cartoons mocking Islam), free speech is venerated; attempts to suppress those kinds of ideas show that “they have declared war on any country, like ourselves, that values freedom, openness and tolerance.” We get to celebrate ourselves as superior and progressive and victimized, and how good that feels. But when ideas are advocated that upset those in power (e.g. speech by Muslims critical of Western nations and their allies), the very same people acquiesce to, or expressly endorse, full-scale suppression. Thus can the Canadian Prime Minister pompously parade around as some sort of Guardian of Enlightenment Ideals only, three months later, to act like the classic tyrant.
  • Asked to explain what zero tolerance means, and what is being done to enforce it, a spokesperson for Public Safety Minister Steven Blaney replied, four days later, with a detailed list of Canada’s updated hate laws, noting that Canada has one of the most comprehensive sets of such laws “anywhere in the world.”
  • As I’ve argued many times — most comprehensively here — all applications of hate speech laws are inherently tyrannical, dangerous and wrong, and it’s truly mystifying (and scary) that people convince themselves that their judgment is so unerring and their beliefs so sacrosanct that it should be illegal to question or dissent from them. But independent of that, what we see here again is the utter foolishness of endorsing such laws on pragmatic grounds: they will inevitably be used against not just the ideas you hate but the ones you like, and when that happens, if you cheered when such laws were used to suppress the ideas you hate, then you will have no valid ground to object.
  • UPDATE: Various Israel devotees such as David Frum spent the morning insisting the CBC story is false, and now the Canadian government has followed suit, issuing a statement denouncing it. Unfortunately for them, the full email exchange between the CBC reporter, Neil Macdonald, and a spokesman for the Public Safety Department can be read here, and it proves that the CBC story is 100% accurate.
Gary Edwards

Works and Days » Zero Jobs 101 - the Psychology of Alienating Employers - 0 views

  • Here is the lament I heard: the near $5 trillion in borrowing in just three years, the radical growth in the size of the federal government and its regulatory zeal, ObamaCare, the Boeing plant closure threat, the green jobs sweet-heart deals and Van Jones-like “Millions of Green Jobs” nonsense, the vast expansion in food stamps and unemployment pay-outs, the reversal of the Chrysler creditors, politically driven interference in the car industry, the failed efforts to get card check and cap and trade, the moratoria on new drilling in the Gulf, the general antipathy to new fossil fuel exploitation coupled with new finds of vast new reserves, the new financial regulations, an aggressive EPA oblivious to the effects of its advocacy on jobs, the threatened close-down of energy plants, the support for idling thousands of acres of irrigated farmland due to environmental regulations, the constant talk of higher taxes, the needlessly provocative rhetoric of “fat cat”, “millionaires and billionaires,” “corporate jet owners,” etc. juxtaposed, in hypocritical fashion, to Martha’s Vineyard, Costa del Sol, and Vail First Family getaways — all of these isolated strains finally are becoming a harrowing opera to business people.
  • “This bunch doesn’t like me much and I’m going to hunker down, hoard my cash, and sit out the next year and a half until they are gone.”
  • And the administration’s efforts to counteract these symbols and impressions by courting a high-profile, hyper-capitalist Warren Buffett, or a GE CEO Jeffrey Immelt have proven even more ironic:
  • the former calls for higher taxes that his firms seek to avoid, or targets his post-mortem wealth to (more efficient?) private foundations that rob the Treasury of billions in lost inheritance taxes, or knows higher taxes won’t much matter to his tens of billions in net worth;
  • the latter’s firm paid no 2010 U.S. income taxes on many of its profits and outsourced jobs overseas.
  • Borrow another $5 trillion?
    Nobody lays it out so quickly and to the point as VDH..... awesome summary of sweeping reach. I've been hesitant to apply the term "crony capitalism" to Obama even though his Bankster relationships and continuing bailouts scream loudly. It seems to me that the term "crony socialism" better fits the full range of fascist power brokering Obama engages in. Big Government, Big Banksters, Big Unions, Big Media, Big Education. If anything, Obammunism is BIG! VDH excerpt: Here is the lament I heard: the near $5 trillion in borrowing in just three years, the radical growth in the size of the federal government and its regulatory zeal, ObamaCare, the Boeing plant closure threat, the green jobs sweet-heart deals and Van Jones-like "Millions of Green Jobs" nonsense, the vast expansion in food stamps and unemployment pay-outs, the reversal of the Chrysler creditors, politically driven interference in the car industry, the failed efforts to get card check and cap and trade, the moratoria on new drilling in the Gulf, the general antipathy to new fossil fuel exploitation coupled with new finds of vast new reserves, the new financial regulations, an aggressive EPA oblivious to the effects of its advocacy on jobs, the threatened close-down of energy plants, the support for idling thousands of acres of irrigated farmland due to environmental regulations, the constant talk of higher taxes, the needlessly provocative rhetoric of "fat cat", "millionaires and billionaires," "corporate jet owners," etc. juxtaposed, in hypocritical fashion, to Martha's Vineyard, Costa del Sol, and Vail First Family getaways - all of these isolated strains finally are becoming a harrowing opera to business people.
Paul Merrell

U.S. Military and Intelligence Officials to Obama: "Assad NOT Responsible for Chemical ... - 1 views

  • MEMORANDUM FOR: The President FROM: Veteran Intelligence Professionals for Sanity (VIPS) SUBJECT: Is Syria a Trap? Precedence: IMMEDIATE We regret to inform you that some of our former co-workers are telling us, categorically, that contrary to the claims of your administration, the most reliable intelligence shows that Bashar al-Assad was NOT responsible for the chemical incident that killed and injured Syrian civilians on August 21, and that British intelligence officials also know this. In writing this brief report, we choose to assume that you have not been fully informed because your advisers decided to afford you the opportunity for what is commonly known as “plausible denial.” We have been down this road before – with President George W. Bush, to whom we addressed our first VIPS memorandum immediately after Colin Powell’s Feb. 5, 2003 U.N. speech, in which he peddled fraudulent “intelligence” to support attacking Iraq. Then, also, we chose to give President Bush the benefit of the doubt, thinking he was being misled – or, at the least, very poorly advised.
  • The fraudulent nature of Powell’s speech was a no-brainer. And so, that very afternoon we strongly urged your predecessor to “widen the discussion beyond …  the circle of those advisers clearly bent on a war for which we see no compelling reason and from which we believe the unintended consequences are likely to be catastrophic.” We offer you the same advice today. Our sources confirm that a chemical incident of some sort did cause fatalities and injuries on August 21 in a suburb of Damascus. They insist, however, that the incident was not the result of an attack by the Syrian Army using military-grade chemical weapons from its arsenal. That is the most salient fact, according to CIA officers working on the Syria issue. They tell us that CIA Director John Brennan is perpetrating a pre-Iraq-War-type fraud on members of Congress, the media, the public – and perhaps even you. We have observed John Brennan closely over recent years and, sadly, we find what our former colleagues are now telling us easy to believe. Sadder still, this goes in spades for those of us who have worked with him personally; we give him zero credence. And that goes, as well, for his titular boss, Director of National Intelligence James Clapper, who has admitted he gave “clearly erroneous” sworn testimony to Congress denying NSA eavesdropping on Americans.
  • That Secretary of State John Kerry would invoke Clapper’s name this week in Congressional testimony, in an apparent attempt to enhance the credibility of the four-page “Government Assessment” strikes us as odd. The more so, since it was, for some unexplained reason, not Clapper but the White House that released the “assessment.” This is not a fine point. We know how these things are done. Although the “Government Assessment” is being sold to the media as an “intelligence summary,” it is a political, not an intelligence document. The drafters, massagers, and fixers avoided presenting essential detail. Moreover, they conceded upfront that, though they pinned “high confidence” on the assessment, it still fell “short of confirmation.”
  • There is a growing body of evidence from numerous sources in the Middle East — mostly affiliated with the Syrian opposition and its supporters — providing a strong circumstantial case that the August 21 chemical incident was a pre-planned provocation by the Syrian opposition and its Saudi and Turkish supporters. The aim is reported to have been to create the kind of incident that would bring the United States into the war. According to some reports, canisters containing chemical agent were brought into a suburb of Damascus, where they were then opened. Some people in the immediate vicinity died; others were injured. We are unaware of any reliable evidence that a Syrian military rocket capable of carrying a chemical agent was fired into the area. In fact, we are aware of no reliable physical evidence to support the claim that this was a result of a strike by a Syrian military unit with expertise in chemical weapons. In addition, we have learned that on August 13-14, 2013, Western-sponsored opposition forces in Turkey started advance preparations for a major, irregular military surge. Initial meetings between senior opposition military commanders and Qatari, Turkish and U.S. intelligence officials took place at the converted Turkish military garrison in Antakya, Hatay Province, now used as the command center and headquarters of the Free Syrian Army (FSA) and their foreign sponsors.
  • Senior opposition commanders who came from Istanbul pre-briefed the regional commanders on an imminent escalation in the fighting due to “a war-changing development,” which, in turn, would lead to a U.S.-led bombing of Syria. At operations coordinating meetings at Antakya, attended by senior Turkish, Qatari and U.S. intelligence officials as well as senior commanders of the Syrian opposition, the Syrians were told that the bombing would start in a few days. Opposition leaders were ordered to prepare their forces quickly to exploit the U.S. bombing, march into Damascus, and remove the Bashar al-Assad government. The Qatari and Turkish intelligence officials assured the Syrian regional commanders that they would be provided with plenty of weapons for the coming offensive. And they were. A weapons distribution operation unprecedented in scope began in all opposition camps on August 21-23. The weapons were distributed from storehouses controlled by Qatari and Turkish intelligence under the tight supervision of U.S. intelligence officers.
  • We hope your advisers have warned you that retaliation for attacks on Syrian are not a matter of IF, but rather WHERE and WHEN. Retaliation is inevitable. For example, terrorist strikes on U.S. embassies and other installations are likely to make what happened to the U.S. “Mission” in Benghazi on Sept. 11, 2012, look like a minor dust-up by comparison. One of us addressed this key consideration directly a week ago in an article titled “Possible Consequences of a U.S. Military Attack on Syria – Remembering the U.S. Marine Barracks Destruction in Beirut, 1983.”
  •  
    This report by Veteran Intelligence Professionals for Sanity is almost certainly the most credible report contradicting the White House's "intelligence summary" that included zero evidence supporting the claim that Syrian government forces had unleashed the August 21, 2013 chemical attack in Ghouta, near Damascus and less than five miles away from the just-arrived UN investigative team. Spread it far and wide.
  •  
    Wow!! The cover-up of this false flag operation designed to get us into another civil war is incredible. Yet the truth continues to leak out. The ruling elites must be so pissed right now. The Internet is changing the world balance of power - in real time no less. And we are witness. Awesome stuff Paul.
Paul Merrell

F.B.I. Informant Is Tied to Cyberattacks Abroad - NYTimes.com - 0 views

  • An informant working for the F.B.I. coordinated a 2012 campaign of hundreds of cyberattacks on foreign websites, including some operated by the governments of Iran, Syria, Brazil and Pakistan, according to documents and interviews with people involved in the attacks. Exploiting a vulnerability in a popular web hosting software, the informant directed at least one hacker to extract vast amounts of data — from bank records to login information — from the government servers of a number of countries and upload it to a server monitored by the F.B.I., according to court statements.
  • The attacks were coordinated by Hector Xavier Monsegur, who used the Internet alias Sabu and became a prominent hacker within Anonymous for a string of attacks on high-profile targets, including PayPal and MasterCard. By early 2012, Mr. Monsegur of New York had been arrested by the F.B.I. and had already spent months working to help the bureau identify other members of Anonymous, according to previously disclosed court papers. One of them was Jeremy Hammond, then 27, who, like Mr. Monsegur, had joined a splinter hacking group from Anonymous called Antisec. The two men had worked together in December 2011 to sabotage the computer servers of Stratfor Global Intelligence, a private intelligence firm based in Austin, Tex.
  • Shortly after the Stratfor incident, Mr. Monsegur, 30, began supplying Mr. Hammond with lists of foreign websites that might be vulnerable to sabotage, according to Mr. Hammond, in an interview, and chat logs between the two men. The New York Times petitioned the court last year to have those documents unredacted, and they were submitted to the court last week with some of the redactions removed. “After Stratfor, it was pretty much out of control in terms of targets we had access to,” Mr. Hammond said during an interview this month at a federal prison in Kentucky, where he is serving a 10-year sentence after pleading guilty to the Stratfor operation and other computer attacks inside the United States. He has not been charged with any crimes in connection with the hacks against foreign countries.
  • according to an uncensored version of a court statement by Mr. Hammond, leaked online the day of his sentencing in November, the target list was extensive and included more than 2,000 Internet domains. The document said Mr. Monsegur had directed Mr. Hammond to hack government websites in Iran, Nigeria, Pakistan, Turkey and Brazil and other government sites, like those of the Polish Embassy in Britain and the Ministry of Electricity in Iraq.
  • The hacking campaign appears to offer further evidence that the American government has exploited major flaws in Internet security — so-called zero-day vulnerabilities like the recent Heartbleed bug — for intelligence purposes. Recently, the Obama administration decided it would be more forthcoming in revealing the flaws to industry, rather than stockpiling them until the day they are useful for surveillance or cyberattacks. But it carved a broad exception for national security and law enforcement operations.
  •  
    Has no one in government ever heard of the concept of leadership by example? Or the Golden Rule?
Paul Merrell

You Should Really Consider Installing Signal, an Encrypted Messaging App for iPhone - T... - 0 views

  • In the age of ubiquitous government surveillance, the only way citizens can protect their privacy online is through encryption. Historically, this has been extremely difficult for mere mortals; just watch the video Edward Snowden made to teach Glenn Greenwald how to encrypt his emails to see how confusing it gets. But all of this is quickly changing as high-quality, user-friendly encryption software becomes available. App maker Open Whisper Systems took an important step in this direction today with the release of a major new version of its Signal encrypted calling app for iPhones and iPads. The new version, Signal 2.0, folds in support for encrypted text messages using a protocol called TextSecure, meaning users can communicate using voice and text while remaining confident nothing can be intercepted in transit over the internet. That may not sound like a particularly big deal, given that other encrypted communication apps are available for iOS, but Signal 2.0 offers something tremendously useful: peace of mind. Unlike other text messaging products, Signal’s code is open source, meaning it can be inspected by experts, and the app also supports forward secrecy, so if an attacker steals your encryption key, they cannot go back and decrypt messages they may have collected in the past.
  • Signal is also one special place on the iPhone where users can be confident all their communications are always fully scrambled. Other apps with encryption tend to enter insecure modes at unpredictable times — unpredictable for many users, at least. Apple’s iMessage, for example, employs strong encryption, but only when communicating between two Apple devices and only when there is a proper data connection. Otherwise, iMessage falls back on insecure SMS messaging. iMessage also lacks forward secrecy and inspectable source code. Signal also offers the ability for power users to verify the identity of the people they’re talking to, confirming that the encryption isn’t under attack. With iMessage, you just have to take Apple’s word for it. Strong, reliable, predictably-applied encryption is especially important at a time when the world just found out, via a report by The Intercept, that American and British spies hacked into the world’s largest SIM card manufacturer and stole the encryption keys that are used to protect communication between handsets and cell phone towers. With these keys, spies can eavesdrop on phone calls and texts just by passively listening to the airwaves.
  • iPhone users can find Signal here. For Android users, the product is, at the moment, split into two apps: TextSecure for private texting and RedPhone for private voice calls. “We’re working towards a single unified Signal app for Android, iPhone and the desktop,” says Marlinspike. It’s important to keep in mind that no technology is 100 percent secure, and an encrypted messaging app can only be as secure as the device you install it on. Intelligence agencies and other hackers can still exploit security bugs that have not been fixed, known as zero day exploits, to take over smartphones and bypass the encryption that privacy apps employ. But apps like Signal go a long way to making mass surveillance of billions of innocent people infeasible.
Gary Edwards

The Daily Bell - Richard Ebeling on Higher Interest Rates, Collectivism and the Coming ... - 0 views

  • The "larger dysfunction," as you express it, arises out of a number of factors. The primary one, in my view, is a philosophical and psychological schizophrenia among the American people.
  • While many on "the left" ridicule the idea, there is a strong case for the idea of "American exceptionalism," meaning that the United States stands out as something unique, different and special among the nations of the world.
  • the American Founding Fathers constructed a political system in the United States based on a concept on which no other country was consciously founded:
  • But the American Revolution and the US Constitution hailed a different conception of man, society and government.
  • In the rest of the world, and for all of human history, the presumption has been that the individual was a slave or a subject to a higher authority. It might be the tribal chief; or the "divinely ordained" monarch who presumed to rule over and control people in the name of God; or, especially after the French Revolution and the rise of modern socialism, "the nation" or "the people" who laid claim to the life and work of the individual.
  • the idea of individual rights.
  • That is, as long as the individual did not violate the equal rights of others to their life, liberty and property, each person was free to shape and guide his own future, and give meaning and value to his own life as he considered best in the pursuit of that happiness that was considered the purpose and goal of each man during his sojourn on this Earth.
  • Governments did not exist to give or bestow "rights" or "privileges" at its own discretion.
  • Governments were to secure and protect each individual's rights, which he possessed by "the nature of things."
  • The individual was presumed to own himself. He was "sovereign."
  • The real and fundamental notion of "self-government" referred to the right of each individual to rule over himself.
  • Each individual, by his nature and his reason, had a right to his life, his liberty and his honestly acquired property.
  • during the first 150 years of America's history there was virtually no Welfare State and relatively few government regulations, controls and restrictions on the choices and actions of the free citizen.
  • But for more than a century, now, an opposing conception of man, society and government has increasingly gained a hold over the ideas and attitudes of people in the US.
  • It was "imported" from Europe in the form of modern collectivism.
  • The individual was expected to see himself as belonging to something "greater" than himself. He was to sacrifice for "great national causes."
  • He was told that if life had not provided all that he desired or hoped for, it was because others had "exploited" him in some economic or social manner, and that government would redress the "injustice" through redistribution of wealth or regulation of the marketplace.
  • If he had had financial and material success, the individual should feel guilty and embarrassed by it, because, surely, if some had noticeably more, it could only be because others had been forced to live with noticeably less.
  • left on its own, free competition tends to evolve into harmful monopolies and oligopolies, with the wealthy "few" benefiting at the expense of the "many."
  • They are the crises of the Interventionist-Welfare State: the attempt to impose reactionary collectivist policies of political paternalism and redistributive plunder on a society still possessing parts of its original individualist and rights-based roots.
  • it is in the form of communism's and socialism's critique of capitalism.
  • Unregulated capitalism leads to "unearned" and "excessive" profits; unbridled markets generate the business cycle and the hardships of recessions and depressions;
  • These two conflicting conceptions of man, society and government have been and are at war here in the United States.
  • And if it cannot be gotten and guaranteed through the redistributive mechanisms of the European Union and the euro, well, maybe we should return power to our own nation-states to provide the jobs, the social "safety nets" and the financial means to pay for it through, once again, printing our own national paper currencies.
  • This is the political-philosophical bankruptcy of the West and the dead ends of the collectivist promises of the last 100 years.
  • Ludwig von Mises's book, Socialism: An Economic and Sociological Analysis, originally published in 1922, demonstrated how and why a socialist, centrally planned system was inherently unworkable.
  • The nationalization of productive property, the abolition of markets and the prohibition of all competitive exchange among the members of society would prevent the emergence and operation of a price system, without which it is impossible to know people's demands for desired goods and the relative value they place on them.
  • It also prevents the emergence of prices for the factors of production (land, labor, capital) and makes it impossible to know their opportunity costs – the value of those factors of production in alternative competing uses among entrepreneurs desiring to employ them.
  • Without such a price system the central planners are flying blind, unable to rationally know or decide how best to utilize labor, capital and resources in productively efficient ways to make the goods and services most highly valued by the consuming public.
  • Thus, Mises concluded, comprehensive socialist central planning would lead to "planned chaos."
  • And, therefore, there is no guarantee that the amount of investments undertaken and their time horizons are compatible with the available resources not also being demanded and used for more immediate consumer goods production in the society.
  • As a consequence, financial markets do not work like real markets.
  • Thus, the interventionist state leads to waste, inefficiency and misuses of resources that lower the standards of living that we all, otherwise, could have enjoyed.
  • We cannot be sure what the amount of real savings may be in the society to support real and sustainable investment and capital formation.
  • Government intervention prevents prices from "telling the truth" about the real supply and demand conditions thus leading to imbalances and distortions in the market.
  • We cannot know what the "real cost" of borrowing should be, since interest rates are not determined by actual, private sector savings and investment decisions.
  • Government production regulations, controls, restrictions and prohibitions prevent entrepreneurs from using their knowledge, ability and capital in ways that most effectively produce the goods consumers actually want and at the most cost-competitive prices possible.
  • This is why countries around the world periodically experience booms and busts, inflations and recessions − not because of some inherent instabilities or "irrationalities" in financial markets, but because of monetary central planning through central banking that does not allow market-based financial intermediation to develop and work as it could and would in a real free-market setting.
  • But in the United States and especially in Europe, government "austerity" means merely temporarily reducing the rate of increase in government spending, slowing down the rate at which new debt is accumulating and significantly raising taxes in an attempt to close the deficit gap.
  • The fundamental problem is that over the decades, the size and scope of governments in the Western world have been growing far more than the rates at which their economies have been expanding, so that the "slice" of the national economic "pie" eaten by government has been growing larger and larger, even when the "pie" in absolute terms is bigger than it was, say, 30 or 40 years ago.
  • European governments, in general, take the view that "austerity" means squeezing the private sector more through taxes and other revenue sources to avoid any noticeable and significant cuts in what government does and spends.
  • So there is "austerity" for the private sector and a mad rush for financial "safety nets" for the government and those who live off the State.
  • In reality, of course, it is the burdens of government regulation, taxation and impediments to more flexible labor and related markets that have generated the high unemployment rates and the retarded recovery from the recession.
  • Instead, the "common market" ideal has been transformed into the goal of a European Union "Super-State" to which the individual countries and their citizens would be subservient and obedient.
  • Keynesian policies offer people and politicians what they want to hear. Claiming that any sluggish business or lost jobs are due to a lack of "aggregate demand," Keynes argued that full employment and profitable business could only be reestablished and maintained through "activist" government monetary and fiscal policy – print money and run budget deficits.
  • What Britain and Europe should have as its goal is the ideal of the classical liberal free traders of the 19th century – non-intervention by governments in people's lives, at home and abroad. That is, a de-politicization of society, so people may freely work, trade and travel as they peacefully wish, with government merely the protector of people's individual rights.
  • Take the benefits away and tell people they are free to come and work to support themselves and their families. Restore more flexibility and competitiveness to labor markets and reduce taxes and business regulations.
  • Then those who come to Britain's shores will be those wanting freedom and opportunity without being a burden upon others.
  • What was needed was a change in ideas from the statist mentality to one of individual freedom and unhampered free markets.
  • In an epoch of collectivist ideas, don't be surprised if governments regulate, control, intervene and redistribute wealth.
  • The tentacles of regulations, restrictions and politically-correct social controls are spreading out in every direction from Brussels and its European-wide manipulating and mismanaging bureaucracy.
  • In the name of assuring "national prosperity," politicians could spend money to buy the votes that get them elected and reelected to government offices.
  • And every special interest group could make the case that government-spending programs that benefitted them were all reasonable and necessary to assure a fully employed and growing economy.
  • Furthermore, the Keynesian rationale for government deficit spending enabled politicians to seem to be able to offer something for nothing. They could offer, say, $100 of government spending to voters and special interest groups but the tax burden imposed in the present might only be $75, since the remainder of the money to pay for that government spending was borrowed. And that borrowed money would not have to be repaid until some indefinite time in the future by unspecific taxpayers when that "tomorrow" finally arrived.
  • Keynes argued that the market economy's inherent instability arose from the "animal spirits" of businessmen who were subject to irrational and unpredictable waves of "optimism" and "pessimism."
  • Mises argued that there was nothing inherent in the market economy to bring about these swings of economic booms followed by periods of depression and unemployment.
  • If markets got out of balance with the necessity of an eventual correction in the economy to, once again, set things right, the source of this instability was government monetary policy.
  • Central banks too often followed a policy of trying to create "good times" in the economy by expanding the money supply through the banking system.
  • With new, excess funds created by the central bank available for lending, banks lower rates of interest to attract borrowers.
  • But this throws savings and investment out of balance, since the rate of interest no longer serves as a reliable indicator and signal concerning the availability of real savings in the economy in relation to those wanting to borrow funds for various investment purposes.
  • The economic crisis comes when it is discovered that all the claims on resources, capital and labor for all the attempted consumption and investment activities in the economy are greater than the actual and available amounts of such scarce resources.
  • The recession period, in Mises's view, is the necessary "correction" period when in the post-boom era, people must adapt and adjust to the newly discovered "real" supply and demand conditions in the market.
  • Any interference with the "rebalancing" of the economy by government raising taxes, imposing more regulations, or new artificial government "stimulus" activities merely makes it more difficult and time-consuming for people in the private sector to get the economy back on an even keel.
  • Friedrich A. Hayek, once observed, unemployment is not "caused" by stopping an inflation, but rather inflation induces the artificial employments that cannot be sustained and which inevitably disappear once the inflation is reined in.
  • The recession of 2008-2009 was the result of several years of central bank stimulus.
  • From 2003 to 2008, the Federal Reserve increased the money supply by about 50 percent.
  • Interest rates for much of this time, when adjusted for inflation, were either zero or negative.
  • Awash in cash, banks extended loans to virtually anyone, with no serious and usual concern about the borrower's credit-worthiness.
  • This was most notably true in the housing market, where government agencies like Fannie Mae and Freddie Mac were pressuring banks to make mortgage loans by promising a guarantee that they would make good on any bad home loans.
  • Since 2008-2009, the Federal Reserve has, again, turned on the monetary spigot, increasing its own portfolio by almost $3 trillion, by buying US Treasuries, US mortgages and other assets.
  • So why has there not been a complementary explosion of price inflation?
  • In some areas there has been, most clearly in the stock market and the bond market. But the reason why all that newly created money has not brought about a higher price inflation is due to the fact that a large part of all newly created money is sitting as unlent reserves in banks.
  • This is because the Federal Reserve has been paying banks a rate of interest slightly above the market interest rates to induce banks not to lend.
  • Among the reasons for the sluggish jobs growth in the US are:
  • (a) general "regime uncertainty," that is, no one knows what government policy will be tomorrow; will ObamaCare be fully implemented after January 2014?;
  • (b) what will taxes be for the rest of the current president's term in the White House
  • (c) what will the regulatory environment be like for the next three years – in 2012, the government implemented around 80,000 pages of regulations as printed in the Federal Registry;
  • (d) how will the deficit and debt problems play out between Congress and the White House and will it threaten the general financial situation in the country; and
  • (e) what wars, if any, will the government find itself involved in, in places like the Middle East?
  • China is still a controlled and commanded society, with a government that works hard to try to determine what people read, see and think.
  • All these building projects have been brought into existence by a government that not only controls the money supply and manipulates interest rates but also heavy-handedly tells banks whom to specifically loan to and for what investment activities.
  • Central planning is alive and well in China, with the motives being both power and profits for those inside and outside the Communist Party having the most influence and connections in "high" places.
  • In my opinion, China is heading for a great economic crisis, resulting from a highly imbalanced and distorted economic system still guided far more by politics than sound market decision-making.
  • global financial markets in any foreseeable future. It is a money that still primarily exists to serve the political purposes of those who sit in the "inner circles" of power in Beijing.
  • One hundred years ago, in 1913, how many could have predicted that a year later a European-wide war would break out that would lead to the destruction of great European empires and set the stage for the rise of totalitarian collectivism that resulted in an even worse global war two decades later?
  • Thus, whether, at the end of the day, freedom triumphs and the future is one of liberty and prosperity is partly on each one of us.
  • Near the end of his great book, Socialism, Ludwig von Mises said:
  • "Everyone carries a part of society on his shoulders; no one is relieved of his share of responsibility by others. And no one can find a safe way out for himself if society is sweeping towards destruction. Therefore, everyone, in his own interest, must thrust himself vigorously into the intellectual battle. None can stand aside with unconcern; the interests of everyone hang on the result. Whether he chooses or not, every man is drawn into the great historical struggle, the decisive battle into which our epoch has plunged us . . . Whether society shall continue to evolve or where it shall decay lies . . . in the hands of man."
  • In my view, the idea of a "soft landing" is an illusion based on the idea held by central bankers, themselves, that they have the wisdom and ability to know how to "micro-manage" all the changes and adjustments resulting from their own manipulations of the monetary aggregates. They do not have this wisdom and ability. So hold on for what is most likely to be another rocky road.
  • It was Mises's clear vision that once society has broken the relationship between value and payment, sooner or later people would not know the price of anything.
  • At this point, investment ceases and business becomes furtive and transactional.
  • People cannot plan for the future because they do not understand the reality of the present.
  • Society begins to sink.
  •  
    Incredible. A simple explanation that explains everything. Richard Ebeling's "Unified Theory of Everything" is something every American can understand. If only they would take a break from "Dancing with the Stars" and pay attention to the future of their country and the world. It's a future where either "individual freedom", as defined by our Constitution and Declaration of Independence, will win out; or, the forces of fascist socialism / marxism will continue to roll and rule. Incredible read!!!!
Paul Merrell

Legislative Cyber Threats: CISA's Not The Only One | Just Security - 0 views

  • If anyone in the United States Senate had any doubts that the proposed Cyber Information Sharing Act (CISA) was universally hated by a range of civil society groups, a literal blizzard of faxes should’ve cleared up the issue by now. What’s not getting attention is a CISA “alternative” introduced last week by Sens. Mark Warner (D-Va) and Susan Collins (R-Me). Dubbed the “FISMA Reform Act,” the authors make the following claims about the bill:  This legislation would allow the Secretary of Homeland Security to operate intrusion detection and prevention capabilities on all federal agencies on the .gov domain. The bipartisan bill would also direct the Secretary of Homeland Security to conduct risk assessments of any network within the government domain. The bill would allow the Secretary of Homeland Security to operate defensive countermeasures on these networks once a cyber threat has been detected. The legislation would strengthen and streamline the authority Congress gave to DHS last year to issue binding operational directives to federal agencies, especially to respond to substantial cyber security threats in emergency circumstances.
  • The bill would require the Office of Management and Budget to report to Congress annually on the extent to which OMB has exercised its existing authority to enforce government wide cyber security standards. On the surface, it actually sounds like a rational response to the disastrous OPM hack. Unfortunately, the Warner-Collins bill has some vague or problematic language and non-existent definitions that make it potentially just as dangerous for data security and privacy as CISA. The bill would allow the Secretary of Homeland Security to carry out cyber security activities “in conjunction with other agencies and the private sector” [for] “assessing and fostering the development of information security technologies and capabilities for use across multiple agencies.” While the phrase “information sharing” is not present in this subsection, “security technologies and capabilities” is more than broad — and vague — enough to allow it.
  • The bill would also allow the secretary to “acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic.”
  • The bill also allows the head of a federal agency or department “to disclose to the Secretary or a private entity providing assistance to the Secretary…information traveling to or from or stored on an agency information system, notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.” (Emphasis added.) So confidential, proprietary or other information otherwise precluded from disclosure under laws like HIPAA or the Privacy Act get waived if the Secretary of DHS or an agency head feel that your email needs to be shared with a government contracted outfit like the Hacking Team for analysis. And the bill explicitly provides for just this kind of cyber threat analysis outsourcing:
  • (3) PRIVATE ENTITIES. — The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic in accordance with this subsection. The bill further states that the content of your communications, will be retained only if the communication is associated with a known or reasonably suspected information security threat, and communications and system traffic will not be subject to the operation of a countermeasure unless associated with the threats. (Emphasis added.) “Reasonably suspected” is about as squishy a definition as one can find.
  •  
    "The bill also allows the head of a federal agency or department 'to disclose to the Secretary or a private entity providing assistance to the Secretary…information traveling to or from or stored on an agency information system, notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.'" Let's see: if your information is intercepted by the NSA and stored on its "information system" in Bluffdale, Utah, then it can be disclosed to the Secretary of DHS or any private entity providing him/her with assistance, "notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary." And if NSA just happens to be intercepting every digital bit of data generated or received in the entire world, including the U.S., then it's all in play, "notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary." Sheesh! Our government voyeurs never stop trying to get more nude pix and videos to view.
Paul Merrell

What's Scarier: Terrorism, or Governments Blocking Websites in its Name? - The Intercept - 0 views

  • Forcibly taking down websites deemed to be supportive of terrorism, or criminalizing speech deemed to “advocate” terrorism, is a major trend in both Europe and the West generally. Last month in Brussels, the European Union’s counter-terrorism coordinator issued a memo proclaiming that “Europe is facing an unprecedented, diverse and serious terrorist threat,” and argued that increased state control over the Internet is crucial to combating it. The memo noted that “the EU and its Member States have developed several initiatives related to countering radicalisation and terrorism on the Internet,” yet argued that more must be done. It argued that the focus should be on “working with the main players in the Internet industry [a]s the best way to limit the circulation of terrorist material online.” It specifically hailed the tactics of the U.K. Counter-Terrorism Internet Referral Unit (CTIRU), which has succeeded in causing the removal of large amounts of material it deems “extremist”:
  • In addition to recommending the dissemination of “counter-narratives” by governments, the memo also urged EU member states to “examine the legal and technical possibilities to remove illegal content.” Exploiting terrorism fears to control speech has been a common practice in the West since 9/11, but it is becoming increasingly popular even in countries that have experienced exceedingly few attacks. A new extremist bill advocated by the right-wing Harper government in Canada (also supported by Liberal Party leader Justin Trudeau even as he recognizes its dangers) would create new crimes for “advocating terrorism”; specifically: “every person who, by communicating statements, knowingly advocates or promotes the commission of terrorism offences in general” would be guilty and can be sent to prison for five years for each offense. In justifying the new proposal, the Canadian government admits that “under the current criminal law, it is [already] a crime to counsel or actively encourage others to commit a specific terrorism offence.” This new proposal is about criminalizing ideas and opinions. In the government’s words, it “prohibits the intentional advocacy or promotion of terrorism, knowing or reckless as to whether it would result in terrorism.”
  • If someone argues that continuous Western violence and interference in the Muslim world for decades justifies violence being returned to the West, or even advocates that governments arm various insurgents considered by some to be “terrorists,” such speech could easily be viewed as constituting a crime. To calm concerns, Canadian authorities point out that “the proposed new offence is similar to one recently enacted by Australia, that prohibits advocating a terrorist act or the commission of a terrorism offence-all while being reckless as to whether another person will engage in this kind of activity.” Indeed, Australia enacted a new law late last year that indisputably targets political speech and ideas, as well as criminalizing journalism considered threatening by the government. Punishing people for their speech deemed extremist or dangerous has been a vibrant practice in both the U.K. and U.S. for some time now, as I detailed (coincidentally) just a couple days before free speech marches broke out in the West after the Charlie Hebdo attacks. Those criminalization-of-speech attacks overwhelmingly target Muslims, and have resulted in the punishment of such classic free speech activities as posting anti-war commentary on Facebook, tweeting links to “extremist” videos, translating and posting “radicalizing” videos to the Internet, writing scholarly articles in defense of Palestinian groups and expressing harsh criticism of Israel, and even including a Hezbollah channel in a cable package.
  • Beyond the technical issues, trying to legislate ideas out of existence is a fool’s game: those sufficiently determined will always find ways to make themselves heard. Indeed, as U.S. pop star Barbra Streisand famously learned, attempts to suppress ideas usually result in the greatest publicity possible for their advocates and/or elevate them by turning fringe ideas into martyrs for free speech (I have zero doubt that all five of the targeted sites enjoyed among their highest traffic dates ever today as a result of the French targeting). But the comical futility of these efforts is exceeded by their profound dangers. Who wants governments to be able to unilaterally block websites? Isn’t the exercise of this website-blocking power what has long been cited as reasons we should regard the Bad Countries — such as China and Iran — as tyrannies (which also usually cite “counterterrorism” to justify their censorship efforts)?
  • As those and countless other examples prove, the concepts of “extremism” and “radicalizing” (like “terrorism” itself) are incredibly vague and elastic, and in the hands of those who wield power, almost always expand far beyond what you think it should mean (plotting to blow up innocent people) to mean: anyone who disseminates ideas that are threatening to the exercise of our power. That’s why powers justified in the name of combating “radicalism” or “extremism” are invariably — not often or usually, but invariably — applied to activists, dissidents, protesters and those who challenge prevailing orthodoxies and power centers. My arguments for distrusting governments to exercise powers of censorship are set forth here (in the context of a prior attempt by a different French minister to control the content of Twitter). In sum, far more damage has been inflicted historically by efforts to censor and criminalize political ideas than by the kind of “terrorism” these governments are invoking to justify these censorship powers. And whatever else may be true, few things are more inimical to, or threatening of, Internet freedom than allowing functionaries inside governments to unilaterally block websites from functioning on the ground that the ideas those sites advocate are objectionable or “dangerous.” That’s every bit as true when the censors are in Paris, London, and Ottawa, and Washington as when they are in Tehran, Moscow or Beijing.
Paul Merrell

A Zombie Bill Comes Back to Life: A Look at The Senate's Cybersecurity Information Shar... - 0 views

  • The Senate Intelligence Committee recently introduced the Cybersecurity Information Sharing Act of 2014. It’s the fourth time in four years that Congress has tried to pass "cybersecurity" legislation. Unfortunately, the newest Senate bill is one of the worst yet. Cybersecurity bills aim to facilitate information sharing between companies and the government, but they always seem to come with broad immunity clauses for companies, vague definitions, and aggressive spying powers. Given such calculated violence to users' privacy rights, it’s no surprise that these bills fail every year. What is a surprise is that the bills keep coming back from the dead. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs that are far more privacy protective than anything seen in recent cybersecurity bills. Despite this, members of Congress like Rep. Mike Rogers and Senator Dianne Feinstein keep on introducing bills that would destroy these privacy protections and grant new spying powers to companies.
  • Aside from its redundancy, the Senate's bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Combined, the two definitions could be read by companies to permit attacks on machines that unwittingly contribute to network congestion. The countermeasures clause will increasingly militarize the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user. Second, the bill adds a new authority for companies to monitor information systems to protect an entity's rights or property. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.
  • Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies like the NSA—"in real-time and simultaneous[ly]." DHS is even barred from "delay[ing]" or "interfer[ing]" with the information, which ensures that DHS's current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing. This leads to a question: What stops your sensitive personal information from being shared by companies to the government? Almost nothing. Companies must only remove personally identifiable information if the information is known to be US person information and not directly related to the threat. Such a willful blindness approach is inappropriate. Further, the bill does not even impose this weak minimization requirement on information shared by, and within, the government (including federal, state, local, and tribal governments) thereby allowing the government to share information containing personally identifiable information. The bill should require deletion of all information not directly related to a threat.
  • Once the information is sent to a government agency, it can use the information for reasons other than for cybersecurity purposes. One clause even allows the information to be used to prosecute violations of the Espionage Act—a World War I era law that was meant to prosecute spies but has been used in recent years primarily to go after journalists’ sources. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes. The public won’t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act.
  • The bill also retains near-blanket immunity for companies to monitor information systems, to share information, and to use countermeasures. The high bar immunizes an incredible amount of activity, including negligent damage to property and may deprive private entities of legal recourse if a computer security contractor is at fault for destruction of property. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It's also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports and privately.
Paul Merrell

The New Snowden? NSA Contractor Arrested Over Alleged Theft Of Classified Data - 0 views

  • A contractor working for the National Security Agency (NSA) was arrested by the FBI following his alleged theft of “state secrets.” More specifically, the contractor, Harold Thomas Martin, is charged with stealing highly classified source codes developed to covertly hack the networks of foreign governments, according to several senior law enforcement and intelligence officials. The Justice Department has said that these stolen materials were “critical to national security.” Martin was employed by Booz Allen Hamilton, the company responsible for most of the NSA’s most sensitive cyber-operations. Edward Snowden, the most well-known NSA whistleblower, also worked for Booz Allen Hamilton until he fled to Hong Kong in 2013 where he revealed a trove of documents exposing the massive scope of the NSA dragnet surveillance. That surveillance system was shown to have targeted untold numbers of innocent Americans. According to the New York Times, the theft “raises the embarrassing prospect” that an NSA insider managed to steal highly damaging secret information from the NSA for the second time in three years, not to mention the “Shadow Broker” hack this past August, which made classified NSA hacking tools available to the public.
  • Snowden himself took to Twitter to comment on the arrest. In a tweet, he said the news of Martin’s arrest “is huge” and asked, “Did the FBI secretly arrest the person behind the reports [that the] NSA sat on huge flaws in US products?” It is currently unknown if Martin was connected to those reports as well.
  • It also remains to be seen what Martin’s motivations were in removing classified data from the NSA. Though many suspect that he planned to follow in Snowden’s footsteps, the government will more likely argue that he had planned to commit espionage by selling state secrets to “adversaries.” According to the New York Times article on the arrest, Russia, China, Iran, and North Korea are named as examples of the “adversaries” who would have been targeted by the NSA codes that Martin is accused of stealing. However, Snowden revealed widespread US spying on foreign governments including several US allies such as France and Germany. This suggests that the stolen “source codes” were likely utilized on a much broader scale.