You have nothing to fear, if you have nothing to hide
I was always suspicious about the success of "cloud" Web mail services starting with Hotmail.
There was something fishy here including the purchase of Hotmail by Microsoft.
The problem is that if your emails are stored "in the cloud", every single email is exposed
as if it were permanently "in transit". Moreover, the collection of emails in your Inbox is a more valuable
set of information than any single email and tells much more about you than any intercepted email
can. Even the set of headers (and your address book) constitutes something
much more dangerous than a single email. Such a collection provides much more revealing information,
voluntarily stored by you (is this not stupid?) in a place over which you have absolutely no control (and as such
you should have no expectation of privacy). I can see why Brazil and Germany are now concerned
about the NSA. I can't understand why they are not concerned about the stupidity of their citizens opening accounts
and putting confidential information on Webmail systems such as Hotmail, Yahoo mail and Gmail
(all three are mentioned in Prism slide above ;-). Is this not a new mass form of masochism?
As we have all found out, that trust is misplaced, as "cloud" services were systematically abused.
In a way, after the Snowden revelations we all now need to learn Aesopian language (slang is actually almost impenetrable to computers
unless they are specifically programmed for a particular one) and be more careful. Many people understand why
"Fecebook" users should be very concerned. Facebook is nothing but a database about its users. That's its
primary business model. So users' data is what Facebook actually sells. But we now need
to understand that Yahoo, Microsoft and Google are no different.
But from the other point of view, Fecebook skillfully promoted this "exhibitionism orgy",
and they got what they deserve. See
Big Uncle is Watching You.
In the current NSA-inspired debate about the moral consequences of digital technologies, it is important
to realize the danger of seamless integration of services under Google (especially within
Android) as well as other Internet oligopolies (I doubt that Microsoft with its Windows 10 is much
better). Everyone using an Android smartphone is forced to wear Google's digital straitjacket.
This can be a very bad thing. It essentially invites snooping, especially government snooping,
as the fewer entities the government needs to deal with, the cheaper such mass collection of
information on each citizen is. Whether this is done in the name of fighting terrorism,
communist agents, or infiltration of Martians does not matter. As long as access to such data is
cheap, it will be abused by the government and accessed without any court orders. In other words, if technical means of snooping
exist, they will be used and abused. It is the duty of concerned citizens who object to this practice to make them less effective.
First of all we must fight against this strange "self-exposure" mania under which people
have become enslaved to and endangered by the "cloud" tools they use. Again, this is nothing more and nothing
less than digital masochism. But there is another important aspect of this problem, which is different
from the problem of the unhealthy
self-revelation zeal that a large part of the Facebook population demonstrates on the Net.
This second problem is often discussed under the meme Is Google evil?
and it is connected with the inevitable corruption of the Internet by large Internet oligopolies such
as Google, Yahoo, Facebook, etc. And they become oligopolies because we agree to use them as primary
sources, for example Google for search, regardless of whether it is good for all types of searches or
not. That means that diversification is now a duty of concerned Internet users. And if you have not put
several search providers, such as duckduckgo.com, in your browser and don't rotate them periodically,
you are making a mistake. First, you deprive yourself of the possibility to learn the strong and
weak points of different search engines. Second, Google stores all searches, possibly indefinitely,
so you potentially expose yourself to a larger extent by using a single provider. NSA is only one of
possibly several agencies that can access your data. See
Alternative Search Engines to Google
As Evgeny Morozov argued in
Net Delusion: The Dark Side of Internet Freedom, “Internet solutionism”, exemplified by Google,
is the dangerous romantic utopia of our age. He regards the Google-style "cloud uber alles" push
as counter-productive, even dangerous:
...Wouldn’t it be nice if one day, told that Google’s mission is to “organize the world’s information
and make it universally accessible and useful,” we would finally read between the lines and discover
its true meaning: “to monetize all of the world’s information and make it universally inaccessible
and profitable”? With this act of subversive interpretation, we might eventually hit upon the
greatest emancipatory insight of all: Letting Google organize all of the world’s information
makes as much sense as letting Halliburton organize all of the world’s oil.
The reason why the digital debate feels so empty and toothless is simple: framed as a debate over
“the digital” rather than “the political” and “the economic,” it’s conducted on terms that are already
beneficial to technology companies. Unbeknownst to most of us, the seemingly exceptional nature of
commodities in question – from “information” to “networks” to “the Internet” – is coded into our
language. It’s this hidden exceptionalism that allows Silicon Valley to dismiss its critics as Luddites
who, by opposing “technology,” “information” or “the Internet”-- they don’t do plurals in Silicon
Valley, for the nuance risks overwhelming their brains – must also be opposed to “progress.”
The Internet started as a network of decentralized servers, and it will probably eventually return
to that on a new level as the danger of cloud providers exceeds their usefulness. In any case, it now looks
like anybody who is greedy enough to use "free" (as in "The only free cheese is in the mousetrap")
Gmail instead of getting a webmail account
via an ISP with their own (call it vanity, but it's your own :-) website is playing with fire. Even
if they have nothing to hide, if they use Hotmail or Gmail for anything but spam (aka registrations,
newsletters, etc.) they are entering a dangerous virtual room with multiple hidden cameras that record
and store information, including all their emails and address book, forever. Important email should probably
now be limited to regular SMTP accounts with a client like Thunderbird (which actually is tremendously
better than the Gmail Web mail client with its Google+ perversions).
For personal, private information, you need to have your own servers and keep nothing in the "cloud".
The network was originally designed to be "peer-to-peer" and the only holdback has been the cost of
local infrastructure to do it and the availability of local technical talent to keep those services
running. Now the cost of hardware is trivial and the services are so well known that running them is not a big
problem even at home, especially as pre-configured virtual machines with a "business" cable ISP account
($29 per month from Cablevision).
Maybe the huge centralized services like Google and Yahoo have really been temporary anomalies of
the adolescence of the Internet, and given the breach of trust by governments and by these large corporations
the next step will be a return, on a new level, to the Internet's decentralized roots. Maybe local services can
still be no less viable than cloud services. Even email, one of the most popular "in the cloud" services,
can be split into a small part of pure SMTP delivery (important mails) and bulk mail which can stay
on Webmail (but preferably at your private ISP, not those monsters like Google, Yahoo or Microsoft). That
does not exclude using "free" emails of this troika for storing spam :-). In short, we actually don't
have to be on Gmail to send or read email. Google search is not the best search engine for everything.
Moreover, it is not wise to put all eggs in one basket. Microsoft might be as bad, but spreading your
searches makes perfect sense. A TCP connection to a small ISP is as good, and if you do not trust the ISP you
can use your home server with a cable provider ISP account.
Where I have a concern is that if the network itself gets partitioned along national borders as a result
of NSA snooping, large portions of the net can become unreachable. That would be a balkanization we
would end up regretting. It would be far better if we took preemptive action against this abuse and
limited the use of our Gmail, Hotmail and Yahoo accounts to "non essential" correspondence, spread
our search activities among multiple search engines, and kept our web pages, if any, on a personal ISP account.
We need to enforce some level of privacy ourselves and not behave like lemmings. Years ago there was
a similar situation with telephone wiretaps, and before laws preventing abuse of this capability were
eventually passed, people often used public phones for important calls they wanted to keep private.
In Australia any expectation of privacy isn't legally recognized by the Supreme Court once people
have voluntarily offered data to a third party. And I think Australians are right. Here is a relevant
General Counsel of the Office of the Director of National Intelligence Robert S. Litt explained
that our expectation of privacy isn't legally recognized by the Supreme Court once we've offered
it to a third party.
'Why is it that people are willing to expose large quantities of information to private parties
but don't want the Government to have the same information?,' he asked."
... ... ...
While Snowden's leaks have provoked Jimmy Carter into labeling this government a sham,
and void of a functioning democracy, Litt presented how these wide data collection programs are in
fact valued by our government, have legal justification, and all the necessary parameters.
echoing the president and his boss James Clapper, explained thusly:
"We do not use our foreign intelligence collection capabilities to steal the trade secrets
of foreign companies in order to give American companies a competitive advantage. We do not indiscriminately
sweep up and store the contents of the communications of Americans, or of the citizenry of any
country. We do not use our intelligence collection for the purpose of repressing the citizens
of any country because of their political, religious or other beliefs. We collect metadata—information
about communications—more broadly than we collect the actual content of communications, because
it is less intrusive than collecting content and in fact can provide us information that helps
us more narrowly focus our collection of content on appropriate targets. But it simply is not
true that the United States Government is listening to everything said by every citizen of any
It's great that the U.S. government behaves better than corporations on privacy—too bad it trusts/subcontracts
corporations to deal with that privacy—but it's an uncomfortable thing to even be in a position of
having to compare the two. This is the point Litt misses, and it's not a fine one.
Technology development creates new types of communications as well as new types of government surveillance
mechanisms (you can call them "externalities" of new methods of communication). Those externalities,
especially the low cost of mass
surveillance (Wikipedia), unfortunately bring us closer to the
Electronic police state
Security State whether we want it or not. A crucial element of such a state is that its data gathering,
sorting and correlation are continuous, cover a large number of citizens and all foreigners, and
are seldom exposed.
Cloud computing, as a technology that presupposes storing the data "offsite" on third party servers,
has several security problems, and one of them is that it is way too "surveillance friendly"
of issues of security and trust). With cloud computing the powers that be do not need to do the complex
job of recreating TCP/IP conversations at the router level to capture, say, all the emails or all your SMS.
One can access a Web-based mailbox directly, with all mails in the appropriate mailboxes and spam filtered.
Your address book is a bonus ;-). This is a huge saving of computational effort.
Modern data storage capacity makes it possible to store the following information
about you for several years (five years minimum), if not for a lifetime:
Your emails and, in case you are using Webmail providers, your address book. It is
reasonable to assume that all of them will be automatically analyzed using a keyword database and
flagged if some "suspicious" words are found. See
Total control: keywords in your posts that
might trigger surveillance. Your address book is also swiped, if you are using a "cloud" provider
like Gmail, Hotmail, etc. Now you know who is hiding in this cloud ;-)
Metadata for your phone calls. This metadata is extremely revealing; investigators
mining it might be able to infer whether we have an illness or an addiction, what our religious
affiliations and political activities are, and so on.
Actual content (mp3 file or similar format) of all your Skype phone calls (the saying
"there is no free lunch" now has a new meaning here). This is less important, as getting
those calls transcribed is a difficult undertaking.
Metadata of pages that you accessed (visited websites). Over a considerable period of
time (over a year) those data, in a standard HTTP log
format, are extremely revealing as to your political and social views, as well as your
general interests. Sophisticated log analysis programs are available (so called proxy log analyzers).
This reveals all your downloads, the software that you are using and many, many other things. Essentially
you are now like a bug under the microscope.
Your purchases on major Internet sites (Amazon, eBay) and all purchases using major credit
cards. This is even more revealing than your web activity, as you put money where your interests
are: you buy books that interest you, and so on. This is also extremely revealing as to your political and
social views, as well as your general interests.
All the content you put on social sites such as Facebook. Here people usually reveal quite
a bit about themselves. As many people have a presence simultaneously on Google, Facebook and
LinkedIn, the total information includes your education, current qualification and possibly resume.
Address book and calendar on sites such as Gmail, Hotmail or
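As an added illustration of the web-metadata item in the list above (this code is not part of the original article), here is a short Python audit of what your own forward-proxy log gives away. The log lines, the example.* hosts and the `DOWNLOAD_EXT` list are constructed for the example; the assumed format is Combined Log Format with the full URL in the request line.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Combined Log Format as written by a forward proxy: the request line carries
# the full URL (or host:port for CONNECT). The referer/agent pair is optional.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Assumption: file types counted as "downloads" for this audit.
DOWNLOAD_EXT = (".exe", ".zip", ".pdf", ".iso", ".tar.gz", ".mp3")

FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"

# Constructed sample log (reserved example.* hosts); the last line is damaged.
SAMPLE_LOG = [
    '192.168.1.20 - - [03/Mar/2014:07:58:12 -0500] '
    '"GET http://news.example.org/politics/election-poll HTTP/1.1" 200 18231 "-" "%s"' % FIREFOX,
    '192.168.1.20 - - [03/Mar/2014:08:02:40 -0500] '
    '"GET http://clinic.example.net/conditions/diabetes HTTP/1.1" 200 9120 "-" "%s"' % FIREFOX,
    '192.168.1.20 - - [03/Mar/2014:08:05:03 -0500] '
    '"CONNECT webmail.example.com:443 HTTP/1.1" 200 5120 "-" "%s"' % FIREFOX,
    '192.168.1.20 - - [03/Mar/2014:23:41:55 -0500] '
    '"GET http://downloads.example.org/tools/vpn-client-2.1.zip HTTP/1.1" 200 4819200 '
    '"-" "Wget/1.14 (linux-gnu)"',
    '192.168.1.20 - - [03/Mar/2014:23:44:10 -0500] '
    '"GET http://news.example.org/politics/protest-schedule HTTP/1.1" 200 15002 "-" "%s"' % FIREFOX,
    '192.168.1.20 - - [03/Mar/2014:23:50',
]


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    if rec["method"] == "CONNECT":
        # HTTPS through a proxy: the content is encrypted, the host name is not.
        rec["host"], rec["path"] = rec["url"].rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(rec["url"])
        rec["host"], rec["path"] = (parts.hostname or ""), parts.path
    return rec


def profile(lines):
    """Summarise what a set of proxy log lines reveals about one user."""
    hosts, hours, agents, downloads = Counter(), Counter(), set(), []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count damaged lines instead of crashing
            continue
        hosts[rec["host"]] += 1   # interests: which sites, how often
        hours[rec["time"].hour] += 1  # daily rhythm: when the user is online
        if rec["agent"] not in (None, "", "-"):
            agents.add(rec["agent"])  # software in use (browser, OS, tools)
        if rec["path"].lower().endswith(DOWNLOAD_EXT):
            downloads.append(rec["url"])
    return {
        "hosts": hosts,
        "active_hours": sorted(hours),
        "agents": sorted(agents),
        "downloads": downloads,
        "skipped": skipped,
    }


if __name__ == "__main__":
    report = profile(SAMPLE_LOG)
    for host, count in report["hosts"].most_common():
        print(f"{count:3d}  {host}")
    print("active hours:", report["active_hours"])
    print("software:", report["agents"])
    print("downloads:", report["downloads"])
    print("unparsed lines:", report["skipped"])
```

Even the HTTPS request in the sample leaves its host name in the log, which is why the address of a webmail provider is visible although the mail itself is not.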
Not only the USA government with its
is involved in this activity. British security services are probably even more intrusive. Most governments
probably try to do some subset of the above. Two important conclusions we can get are:
Due to the development of technologies and the availability of low cost, high power computers and
storage, profiling is now easy and automatic.
If something is available at low cost, most probably it will be abused.
It puts you essentially in the situation of a bug under the microscope of Big Brother. And please understand
that modern storage capabilities are such that it is easy to store several years of at least some of
your communications, especially emails.
The same is true of your
phone call metadata,
credit card transactions and your activities on major shopping sites such as Amazon and eBay. But here
you can do almost nothing. Still, I think our support of "brick" merchants is long overdue. Phones have been a
traditional target of government three letter agencies (WSJ)
since WWII. Smartphones with GPS, in addition to land line metadata, also provide your current
geolocation. I do not think you can do much here.
I think our support of "brick" merchants is long overdue. And paying cash in the store
is not something that you should try to avoid because a credit card returns you 1% of the cost of
the purchase. This 1% is actually a privacy tax ;-)
The centralization of searches on Google (and to a lesser extent on Bing) is also a serious threat
to your privacy. Here diversification between three or more search engines might help a bit. Other than
that, and generally limiting your time behind the computer, I do not think much can be done. The growth in
popularity of Duckduckgo suggests that people are
wary of Google monopolizing search, but it is unclear how big the advantages are. You can also save
searches, as many searches are recurrent, and generally you can benefit from using your personal Web proxy
with a private caching DNS server. This way you can "shrink" your radar picture, but that's about it. Search
engines are now an integral part of our civilization whether we want it or not.
A collection of your searches for the last several years can pretty precisely outline the sphere of your
interests. And again, technical constraints on storage of data no longer exist: how can we talk about
privacy in the age of 3 TB hard drives for $99? There are approximately
of the US citizens and residents, so storing one gigabyte of information for each citizen requires just
400 petabytes. For comparison
In July 2012 it was revealed that
CERN amassed about 200 petabytes
of data from the more than 800 trillion collisions looking for the
In August 2012, Facebook's
Hadoop clusters include the largest single
HDFS cluster known, with more than
100 PB physical disk space in a single HDFS filesystem
By some estimates the information storage capabilities of the US government are around 5 zettabytes (5*10^21)
Facebook has nothing without people
silly enough to exchange privacy for photosharing
The key problem with social sites is that many people voluntarily post excessive amounts of personal
data about themselves, including keeping their photo archives online, etc. So while the East German analog
of the Department of Homeland Security, called the Ministry for State Security (Stasi),
needed to recruit people to spy on you, now you yourself serve as an informer, voluntarily providing
all the tracking information about your activities ;-).
Scientella, palo alto
...Facebook always had a very low opinion of people's intelligence - and rightly so!
I can tell you Silicon Valley is scared. Facebook's very existence depends upon trusting young
persons, their celebrity wannabee parents and other inconsequential people being prepared to give
up their private information to Facebook.
Google, now that SOCIAL IS DEAD, at least has their day job also, of paid referral advertising
where someone can without divulging their "social" identity, and not linking their accounts, can
look for a product on line and see next to it some useful ads.
But Facebook has nothing without people silly enough to exchange privacy for photosharing.
... ... ...
Steve Fankuchen, Oakland CA
Cook, Brin, Gates, Zuckerberg, et al most certainly have lawyers and public relations hacks
that have taught them the role of "plausible deniability."
Just as in the government, eventually some low or mid-level flunkie will likely be hung out
to dry, when it becomes evident that the institution knew exactly what was going on and did nothing
to oppose it. To believe any of these companies care about their users as anything other than
cash cows is to believe in the tooth fairy.
The amount of personal data which users of sites like Facebook voluntarily put on the Web is truly
astonishing. Now anybody using just Google search can get quite substantial information about anybody
who actively uses social sites and posts messages in discussions he/she participates in under his/her own
name instead of a nickname. Just try to see what is available about you and most probably your jaw would
Google Toolbar in advanced mode is another common tool for snooping on your activities. It sends each
URL you visit to Google, and you can be sure that from Google several three letter agencies get this
information as well. After all, Google has had links to them from the very beginning:
This is probably the right time for the users of social sites like Facebook, Google search, and Amazon
(that means most of us ;-) to think a little bit more about the risks we are exposing ourselves to. We
all should become more aware of the risks involved as well as the real implications of the catchphrase
Privacy is Dead – Get Over It.
If there is one thing we can take away from the news of recent weeks it is this: the modern
American surveillance state is not really the stuff of paranoid fantasies; it has arrived.
Citizens of foreign countries who have accounts at Facebook and mail accounts in Gmail, Hotmail and Yahoo
mail are in an even less enviable position than US citizens. They are legitimate prey. No legal protection
for them exists if they use those services. That means that they voluntarily open all the information
they posted about themselves to the US government in addition to their own government. And the net is
probably wider than the information leaked by NSA contractor Edward Snowden suggests. For any large
company, especially a telecom corporation, operating in the USA it might be dangerous to refuse to cooperate
Former Qwest CEO Joseph
Nacchio, convicted of insider trading in April 2007, alleged in appeal documents that the NSA
requested that Qwest participate in its wiretapping program more than six months before September
11, 2001. Nacchio recalls the meeting as occurring on February 27, 2001. Nacchio further claims that
the NSA cancelled a lucrative contract with Qwest as a result of Qwest's refusal to participate in
the wiretapping program.
Nacchio surrendered April 14, 2009 to a federal prison camp in Schuylkill, Pennsylvania to begin
serving a six-year sentence for the insider trading conviction. The United States Supreme Court denied
bail pending appeal the same day.
It is not a case of some special evilness of the US government. It was simply more agile in understanding
and capitalizing on those new technical opportunities. It is also conveniently located at the center of the
Internet universe, with most traffic flowing via US owned or controlled routers (67% or more). But
it goes without saying that several other national governments and a bunch of large corporations also
try to mine this new gold trove of private information on citizens, probably with less sophistication
and fewer financial resources.
In many cases corporations themselves are interested in partnership with the government. Here is
one telling comment:
jrs says on June 8, 2013
Yea in my experience that’s how “public/private partnerships” really work:
Companies DO need protection FROM the government. An ill-conceived piece of legislation
can put a perfectly decent out of business. Building ties with the government is protection.
Government represents a huge market and eventually becomes one of the top customers
for I think most businesses (of course the very fact that a government agency is a main
customer is often kept hush hush even within the company and something you are not supposed
to speak of as an employee even though you are aware of it)
Of course not every company proceeds to step 3 -- being basically an arm of the government
That means that it is not only Chinese citizens who already operate on the Internet without any real sense
of privacy. Even if you live outside the USA, the chances are high that you are automatically profiled by
the USA instead of or in addition to your own government. Kind of
neoliberalism in overdrive
mode: it looks like we all are already citizens of a global empire (let's call it "Empire of Peace")
with the capital in Washington.
It is reasonable to assume that a massive eavesdropping apparatus now tracks at least an "envelope"
of every electronic communication you made during your lifetime. There is no need for somebody to report on
you as in an "old" totalitarian state like East Germany with its analog of the Department of Homeland
Security, called the Ministry for State Security (Stasi).
So in this new environment you are, as Russians used to say about dissidents who came under KGB surveillance,
always "under the dome". In this sense this is just old wine in new bottles. But the global
scope and lifetime storage of a huge amount of personal information for each and every citizen is something
new and was made possible for the first time in world history by new technologies.
It goes without saying that records of the time, sender and receiver of all your phone calls, emails,
Amazon purchases, credit card transactions, and Web activities for the last decade are stored somewhere
in a database, and not necessarily only on government computers. And that means that your social circle (the
set of people you associate with), books and films that you bought, your favorite websites, etc. can
be easily deduced from those records.
That brings us to an important question: whether we as consumers should support such ventures
as Facebook and Google++, which profile you and after several years have a huge amount of pretty private
and pretty damaging information about you, information which can get into the wrong hands.
The most constructive approach to NSA is to view it as a large government bureaucracy that expanded
to the extent that quantity turned into quality.
Any large bureaucracy
is a political coalition with the primary goal of preserving and enhancing its own power (and,
closely related to power, the level of financing), no matter what the official declarations are. And if breaching your
privacy helps with this noble goal, they will do it.
Which is what the Bush government did after 9/11. The
question of how much bureaucratic bloat, resulting in the classic dynamics of organizational self-aggrandizement
and expansionism, happened in NSA is open to review. We don't know how much we got in exchange for undermining internet
security and the US constitution. But we do know the intelligence establishment happily appropriated billions
of dollars, grew by thousands of employees and got a substantial "face lift" and additional power
within the executive branch of government. To the extent that sometimes it really looks like a shadow government
(with three branches: NSA, CIA and FBI).
And now they will fight tooth and nail to protect the fruits of a decade-long bureaucratic expansion.
It is an Intelligence Church of sorts, and like any religious organization they do not need facts to
support their doctrine and influence.
Typically there is a high level of infighting and many factions within any large hierarchical organization,
typically with cards held close to the vest and limited or no awareness of those turf battles among
outsiders. Basically any hierarchical institution, corporate, religious, or military, will abuse available
resources for internal political infighting. And with the NSA "big data" push this is either happening or
just waiting to happen. This is the danger of any warrantless wiretapping program: it naturally converts
itself into a saga of eroding checks and disappearing balances. And this already happened in the past,
so in a way it is just act two of the same drama (WhoWhatWhy):
media revelations of intelligence abuses by the Nixon administration began to mount in the wake
of Watergate, NSA became the subject of Congressional ire in the form of the United States Senate
Select Committee to Study Governmental Operations with Respect to Intelligence Activities—commonly
known as the “Church Committee” after its chair, Senator Frank Church (D-ID)—established on January
17, 1975. This ad-hoc investigative body found itself unearthing troves of classified records from
the FBI, NSA, CIA and Pentagon that detailed the murky pursuits of each during the first decades
of the Cold War. Under the mantle of defeating communism, internal documents confirmed the executive
branch’s use of said agencies
in some of the most fiendish acts
of human imagination (including refined psychological torture techniques),
particularly by the Central Intelligence Agency.
That capability at any time could be turned around on the American people and no American
would have any privacy left, such is the capability to monitor everything. Telephone conversations,
telegrams, it doesn’t matter. There would be no place to hide. If this government ever became
a tyranny, if a dictator ever took charge in this country, the technological capacity that the
intelligence community has given the government could enable it to impose total tyranny, and there
would be no way to fight back, because the most careful effort to combine together in resistance
to the government, no matter how privately it was done, is within the reach of the government
to know. Such is the capability of this technology. I don’t want to see this country ever go across
the bridge. I know the capability that is there to make tyranny total in America, and we must
see to it that this agency and all agencies that possess this technology operate within the law
and under proper supervision, so that we never cross over that abyss. That is the abyss from which
there is no return.
The reforms that followed, as enshrined in the
Foreign Intelligence Surveillance Act (FISA) of 1978, included the establishment of the
Intelligence Surveillance Court (FISC): a specially-designated panel of judges who are allowed
to review evidence before giving NSA a warrant to spy on Americans (only in the case of overseas
communication). Hardly a contentious check or balance, FISC
rejected zero warrant requests between its inception in 1979 and 2000, only asking that
two warrants be “modified” out of an estimated 13,000.
In spite of FISC’s rubberstamping, following 9/11 the Bush administration began deliberately bypassing
the court, because even its minimal evidentiary standard was too high a burden of proof for the blanket
surveillance they wanted. So began the dragnet monitoring of the American public by
tapping the country’s major electronic communication chokepoints in collusion with the nation’s
largest telecommunications companies.
Similarly, we should naturally expect that the notion of "terrorist" is very flexible and in certain cases
can be equal to "any opponent of the regime" (any "dissident" in Soviet terms). While I sympathize with NYT readers' reaction to this incident (see
below), I think it is somewhat naive. They forget that they are living
under a neoliberal regime which,
like any rule of the top 0.01%, is afraid of and does not trust its own citizens. So a massive surveillance
program is a self-preservation measure which allows the neoliberal elite to crush or subvert the opposition at early stages.
This is the same situation as existed with the Soviet nomenklatura, with the only difference that the Soviet
nomenklatura was more modest in pushing the USSR as a beacon of progress and bright hope for establishing
democratic governance for all mankind ;-). As
Ron Paul noted:
Many of us are not so surprised.
Some of us were arguing back in 2001 with the introduction of the so-called PATRIOT Act that it
would pave the way for massive US government surveillance—not targeting terrorists but rather
aimed against American citizens. We were told we must accept this temporary measure to provide
government the tools to catch those responsible for 9/11. That was nearly twelve years and at least
four wars ago.
We should know by now that when it comes to government power-grabs, we never go back to the
status quo even when the “crisis” has passed. That part of our freedom and civil liberties once
lost is never regained. How many times did the PATRIOT Act need renewed? How many times did FISA
authority need expanded? Why did we have to pass a law to grant immunity to companies who hand
over our personal information to the government?
And while revealed sources of NSA
include Apple, Google, Facebook, Microsoft, Yahoo and other major Internet players, that's probably
just the tip of the iceberg. Ask yourself a question: why are Amazon, VISA and MasterCard not on the
list? According to
The National Security Agency has obtained direct access to the systems of Google, Facebook,
Apple and other US internet giants, according to a top secret document obtained by the Guardian.
The NSA access is part of a previously undisclosed program called Prism, which allows
officials to collect material including search history, the content of emails, file transfers and
live chats, the document says.
... ... ...
Microsoft – which is currently running an advertising campaign with the slogan "Your privacy is
our priority" – was the first, with collection beginning in December 2007. It was followed by Yahoo
in 2008; Google, Facebook and PalTalk in 2009; YouTube in 2010; Skype and AOL in 2011; and finally
Apple, which joined the program in 2012. The program is continuing to expand, with other providers
due to come online.
Collectively, the companies cover the vast majority of online email, search, video and communications
... ... ...
A chart prepared by the NSA, contained within the top-secret document obtained by the Guardian,
underscores the breadth of the data it is able to obtain: email, video and voice chat, videos,
photos, voice-over-IP (Skype, for example) chats, file transfers, social networking details, and
So the document does not list Amazon, but I would keep my fingers crossed.
To be aware of a situation you need to be able to formulate and answer key questions about it.
The first and most important question is whether the government is engaged in
cyberstalking of law-abiding citizens. Unfortunately the answer is
a definite yes, as the oligarchy needs total control of the prols. As a result the National
Security State has risen to prominence as the dominant social organization of
neoliberal societies, societies
which are characterized by a very high level of inequality.
But there are some additional, albeit less important, questions. The answers to them determine the utility
or futility of small changes in our own behavior in view of the uncovered evidence. Among the possible set of
such questions I would list the following:
Is the only way to have reasonable privacy with a computer to be physically disconnected
from the network?
Does limiting the use of large providers like Google, Yahoo and Microsoft, and using a small
ISP for your email and personal Web pages, make you any more secure? After all, it is much easier
to collect data from large providers than from hundreds of smaller providers. At the same time your
data are flowing via big routers in major telecom companies no matter whether you are using a large
or small ISP.
Should you switch from Webmail back to a POP3 account and deliver at least the most important
mail to your PC instead of keeping it stored on the web servers? Please note that the FBI developed
the computer programs "Magic
Lantern" and CIPAV, which they
can remotely install on a computer system (for example, using Microsoft Windows updates program),
in order to monitor a person's computer activity. But here you probably need a court order to install
Do Facebook and similar social sites provide any real value to you and your family? Is
your visibility on the Web more important to you than your privacy, because the two are generally
incompatible? Is all this vanity fair activity worth the possible negative consequences (including stalking
of minors by criminals) that you and your family can face?
Should some groups of specialists, for example psychiatrists, resort back to handwriting on
paper and/or now write client notes in code as an attempt to reassert some level of confidentiality?
Note that PGP is not a panacea; it can be safely used only on non-network connected computers due
to existence of programs like
which can retrieve private keys directly from your computer. But transferring files via "air link"
is very inconvenient.
There are also some minor questions about the efficiency of the "total surveillance approach". Among them:
More people die from (1) car accidents and (2) gang violence in one day than people who
died due to 9-11. Should not the billions of dollars spent by NSA be utilized by different agencies
for preventing the death toll mentioned above?
Even if NSA algorithms are incredibly clever, they can't avoid producing a large number of false
positives. The question arises how many innocent people are monitored as the result of this externality.
The other part of understanding the threat is understanding what data are collected. The short answer
is all your phone records and Internet activity (RT
The National Security Agency is collecting information on the Internet habits of millions of innocent
Americans never suspected of criminal involvement, new NSA documents leaked by former intelligence
contractor Edward Snowden suggest.
Britain’s Guardian newspaper reported Monday that
included in the trove of files supplied by the NSA contractor-turned-leaker Edward Snowden reveal
that the US intelligence community obtains and keeps information on American citizens accumulated
off the Internet without ever issuing a search warrant or opening an investigation into that person.
The information is obtained using a program codenamed Marina, the documents suggest, and is kept
by the government for up to a full year without investigators ever having to explain why the subject
is being surveilled.
“Marina has the ability to look back on the last 365 days' worth of DNI metadata seen by the
Sigint collection system, regardless whether or not it was tasked for collection,” the Guardian’s
James Ball quotes from the documents.
According to a guide for intelligence analysts supplied by Mr. Snowden, “The Marina metadata
application tracks a user's browser experience, gathers contact information/content and develops
summaries of target.”
"This tool offers the ability to export the data in a variety of formats, as well as create
various charts to assist in pattern-of-life development,” it continues.
Ball writes that the program collects “almost anything” a Web user does online, “from
browsing history – such as map searches and websites visited – to account details, email activity,
and even some account passwords.”
Only days earlier,
attributed to Snowden revealed that the NSA was using a massive collection of metadata to create
complex graphs of social connections for foreign intelligence purposes, although that program
had pulled in intelligence about Americans as well.
After the New York Times broke news of that program, a NSA spokesperson said that “All data
queries must include a foreign intelligence justification, period.” As Snowden documents continue
to surface, however, it’s becoming clear that personal information pertaining to millions of US citizens
is routinely raked in by the NSA and other agencies as the intelligence community collects as much
data as possible.
In June, a top-secret document also attributed to Mr. Snowden revealed that the NSA was collecting
the telephony metadata for millions of Americans from their telecom providers. The government has
defended this practice by saying that the metadata — rough information that does not include the
content of communications — is not protected by the US Constitution’s prohibition against unlawful
search and seizure.
“Metadata can be very revealing,” George Washington University law professor Orin S. Kerr
told the Times this week. “Knowing things like the number someone just dialed or the location
of the person’s cellphone is going to allow them to assemble a picture of what someone is up to.
It’s the digital equivalent of tailing a suspect.”
According to the Guardian’s Ball, Internet metadata picked up by the NSA is routed to the Marina
database, which is kept separate from the servers where telephony metadata is stored.
Only moments after the Guardian wrote of its latest leak on Monday, Jesselyn Radack of the Government
Accountability Project read a statement before the European Parliament’s Committee on Civil Liberties,
Justice and Home Affairs penned by none other than Snowden himself.
“When I began my work, it was with the sole intention of making possible the debate we see
occurring here in this body,” Snowden said.
Snowden, who has been granted temporary asylum in Russia after being charged with espionage in
the US, said through Radack that “The cost for one in my position of returning public knowledge
to public hands has been persecution and exile.”
There are limits to the "powerful analytical software" used. First of all, the revelations constitute
a severe blow, if not a knockout, for all NSA activities against serious opponents. Now they are forewarned,
and that means forearmed. That simply means that they might start feeding NSA disinformation, and that's
a tremendous danger that far outweighs the value of any real information collected.
There is another side of this story. As we mentioned above, even if NSA algorithms are incredibly
clever, they can't avoid producing a large number of false positives, taking into account that they are
drinking from a fire hose. Especially now, when people will try to bury useful signal in noise. And it
is not that difficult to replay somebody else's Web logs on a periodic basis. That means that the task
of analyzing web logs became more complex: the assumption that the set of visited sites represents
the real activity of users no longer holds.
Inefficiency is another problem. After a two-year investigation into the post 9/11 intelligence agencies,
the Washington Post came to the conclusion that they were collecting far more information than anyone can
comprehend (aka "drowning in a sea of data"):
Every day, collection systems at the National Security Agency intercept and store 1.7 billion
e-mails, phone calls and other types of communications. The NSA sorts a fraction of those into
70 separate databases.
Such volume alone creates a classic problem of "signal vs. noise" (infoglut).
"...Infoglut raises disturbing questions regarding new operations of power and control
in a world of algorithms." —Jodi Dean, author of Democracy and Other Neoliberal Fantasies
...Andrejevic argues that people prioritize correlation over comprehension - "what" and
facts are more important than "why" and reasons.
The presence of noise in the channel makes the signal much more difficult to detect. As the Washington Post noted:
Analysts who make sense of document and conversations obtained by foreign and domestic spying
share their judgment by publishing 50,000 intelligence reports each year -- a volume so large
that many are routinely ignored
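The false-positive argument made above, worked through as an added example (not part of the original page): a naive trigger-word filter is run over constructed messages, and then the base-rate arithmetic is applied to the 1.7 billion daily communications quoted above. The trigger list, the labelled messages, the prevalence of one genuine item per million and the detector rates are all assumptions chosen for illustration.

```python
import re

# Hypothetical trigger words (assumption, not taken from any real list).
TRIGGERS = ("attack", "bomb", "virus", "target")
TRIGGER_RE = re.compile(r"\b(" + "|".join(TRIGGERS) + r")\b", re.IGNORECASE)

# Constructed, hand-labelled messages: (text, is_genuine_threat).
LABELLED = [
    ("The heart attack risk drops if you exercise", False),
    ("That movie was a bomb at the box office", False),
    ("My laptop caught a virus again", False),
    ("Sales target for Q3 attached", False),
    ("Lunch at noon?", False),
    ("Photos from the trip", False),
    ("Meeting moved to Friday", False),
    ("Invoice attached", False),
    ("Dinner plans", False),
    ("Placeholder for a genuine threat that mentions an attack", True),
]


def is_flagged(text):
    """Context-free keyword match: the word alone decides, not its meaning."""
    return TRIGGER_RE.search(text) is not None


def confusion(labelled):
    """Return (true_pos, false_pos, false_neg, true_neg) for the keyword filter."""
    tp = fp = fn = tn = 0
    for text, genuine in labelled:
        hit = is_flagged(text)
        if hit and genuine:
            tp += 1
        elif hit and not genuine:
            fp += 1
        elif genuine:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def expected_daily(volume, threats_per_million, tpr, fpr):
    """Base-rate arithmetic: expected true hits, false hits and precision per day.

    volume              -- items inspected per day
    threats_per_million -- assumed prevalence of genuine items
    tpr / fpr           -- detector's true-positive and false-positive rates
    """
    threats = volume * threats_per_million / 1_000_000
    benign = volume - threats
    true_hits = threats * tpr
    false_hits = benign * fpr
    precision = true_hits / (true_hits + false_hits)
    return true_hits, false_hits, precision


if __name__ == "__main__":
    tp, fp, fn, tn = confusion(LABELLED)
    print(f"keyword filter on sample: TP={tp} FP={fp} FN={fn} TN={tn}")
    # Even a detector far better than the keyword filter (99% TPR, 0.1% FPR)
    # is swamped at the volume quoted on the page.
    hits, false_hits, precision = expected_daily(1_700_000_000, 1, 0.99, 0.001)
    print(f"true hits/day={hits:.0f} false hits/day={false_hits:.0f} "
          f"precision={precision:.4%}")
```

Under these assumed rates roughly one flagged item in a thousand is genuine, which is the arithmetic behind reports that are "routinely ignored".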
The enormity of the database exacerbates the problems. That's why NSA is hunting for email on cloud
providers, where it is already filtered from spam, and where the processing required is so much less
than for the same information intercepted from the wire. Still, even with direct access to user accounts,
the volume of data, especially graphic info (pictures), sound and video data, is really huge, and that
stresses the limits of processing capabilities and storage.
The existence of the Snowden saga, in which a single analyst was able to penetrate the system and extract a considerable
amount of information with impunity, suggests that the whole Agency is a mess with a lot of incompetents
at the helm. Which is typical for government agencies and large corporations. Still, the level of log
collection and monitoring proved to be surprisingly weak, and those are indirect signs of other rot.
It looks like the agency does not even know what reports Snowden got into his hands. Unless this is
a very clever inside operation, we need to assume that Edward Snowden stole thousands of documents,
abused his sysadmin position in the NSA, and was never caught. Here is one relevant comment from
Oh NSA......that's fine that you cannot find something......what did you tell us, the World
and the US Congress about the "intelligence" of Edward Snowden and the low access he had?
SNOWDEN SUSPECTED OF BYPASSING ELECTRONIC LOGS
WASHINGTON (AP) -- The U.S. government's efforts to determine which highly classified materials
leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's
sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs,
government officials told The Associated Press. Such logs would have showed what information
Snowden viewed or downloaded.
The government's forensic investigation is wrestling with Snowden's apparent ability
to defeat safeguards established to monitor and deter people looking at information without
proper permission, said the officials, who spoke on condition of anonymity because they
weren't authorized to discuss the sensitive developments publicly.
On the other hand, government agencies were never good at making huge and complex software projects
work, and large software projects are a very difficult undertaking in any case. Even in industry 50%
of software projects fail, and anybody who works in the industry knows that the more complex the project
is, the higher the chances that it will be mismanaged and its functionality crippled due to architectural
defects ("a camel is a horse designed by a committee"). It is a given that such a project will be
over budget. Possibly several times over.
But if money is not a problem, such a system will eventually be completed ("with enough thrust pigs
can fly"). Still, there’s no particular reason to think that corruption (major work was probably
outsourced) and incompetence (on higher management levels and, especially, on the architectural level, as
in "a camel is a horse designed by a committee") don't affect the design and functionality of this government
project. Now that this activity has come under fire, some adjustments might be especially badly thought out
and potentially cripple the existing functionality.
As J. Kirk Wiebe, an NSA insider, noted:
"The way the government was going about those digital data flows was poorly formed, uninformed.
There seem to be more of a desire to contract out and capture money flow than there was a [desire]
to actually perform the mission".
See the interview of a trio of former National Security Agency whistle-blowers with USA TODAY (J.
Kirk Wiebe's remarks start at 2:06 and the second half continues from 6:10):
In military organizations the problem is seldom with the talent (or lack thereof) of individual
contributors. The problem is with the bureaucracy, which is very effective in preventing people from exercising
their talents in the service of their country. Such a system is deformed in such a way that it hamstrings
the men who are serving in it. As a result, more often than not the talents are squandered or misused
in patching holes created by the incompetence of higher-ups, or just pushed aside in the interdepartmental
In a way, incompetence can be defined as the inability to avoid mistakes which, in a "normal"
course of project development, could and should be avoided. And that's the nature of military bureaucracy
with its multiple layers of command and complete lack of accountability on higher levels.
In addition, despite the respectable name of the organization, many members of the technical staff are
amateurs. They never managed to sharpen their technical skills, while at the same time acquiring the
skills necessary to survive the bureaucracy. Many do not have basic academic education and are self-taught
hackers and/or "grow on the job". Typically people at higher levels of the hierarchy are simply not experts
in software engineering, but more like typical corporate "PowerPoint" warriors. They can be very shrewd
managers and accomplished political fighters, but that's it.
This is the same situation that exists in security departments of large multinationals, so we can
extrapolate from that. In the words of Admiral Nelson: "If the enemy would know what officer corps will confront
them, it will be trembling, like I am". Here is Bill Gross's apt recollection of his service as naval
Tipping Point) that illustrates the problems:
A few years ago I wrote about the time that our ship (on my watch) was almost cut in half by an
auto-piloted tanker at midnight, but never have I divulged the day that the USS Diachenko came within
one degree of heeling over during a typhoon in the South China Sea. “Engage emergency ballast,” the
Captain roared at yours truly – the one and only chief engineer. Little did he know that Ensign Gross
had slept through his classes at Philadelphia’s damage control school and had no idea what he was
talking about. I could hardly find the oil dipstick on my car back in San Diego, let alone conceive
of emergency ballast procedures in 50 foot seas. And so…the ship rolled to starboard, the ship rolled
to port, the ship heeled at the extreme to 36 degrees (within 1 degree, as I later read in
the ship’s manual, of the ultimate tipping point). One hundred sailors at risk, because of one twenty-three-year-old
mechanically challenged officer, and a Captain who should have known better than to trust him.
A huge part of this work is outsourced to various contractors, and this is where corruption really creeps
in. So the system might not be as powerful as many people automatically assume when they hear the abbreviation
NSA. So in a way, when news about such a system reaches the public it might serve not to weaken but to strengthen
the capabilities of the system. Moreover, nobody would question the ability of such a system to store
a huge amount of raw or semi-processed data, including all metadata for your transactions on the Internet.
Also, while it is a large agency with a lot of top mathematical talent, NSA is not NASA, and the motivation
of the people (and probably the quality of architectural thinking about the software projects involved) is different
despite much better financing. While they do have high quality people, large bureaucracies, like most US agencies
in general, are usually unable to utilize their talent. Mediocrities with sharp elbows and political
talent, as well as sociopaths, typically rule the show.
That means two things:
The easy part of this is the "total surveillance of electronic communications" project: to
store the "envelope" of each phone message, email, credit card transaction, etc., then analyze and correlate
the set of these envelopes to discover daily activity patterns, their change over time, social circle,
etc. That collection will contain some junk, but generally it completely gives up your social circle
and your interests. Such records are pretty compact, so the lifespan of your stored communications
is at least five and probably more than ten years. So the assumption of lifetime storage is the
most realistic one. You can introduce some noise into some of those collection channels (for example,
a robot visiting certain sites such as Sports Illustrated and the Washington Post will distort
the picture of your Internet activities), but it is much more difficult to introduce noise into phone
call records and emails.
Several other nations have access to the metadata for the USA originated phone calls (for
providers they serve) via outsourcers of phone billing, such as Israel's Amdocs, the largest phone-billing
services company in the world:
The difficult part is the analysis of the message bodies. For example:
Automatic transcribing of phone messages is a very difficult problem. Even the slightest
noise is deadly, as we can see from the experience with Dragon (let's say that NSA solved the problem
of adapting to a new voice, which Dragon can't solve). Dragon 12 running on a dual core 3.8GHz PC
demonstrates the difficulties very well. Even a small amount of noise kills the quality of automatic
Analysis of email bodies for certain keywords can easily be performed automatically, but
understanding the context of usage of "trigger" words is extremely difficult. This task is still
on the cutting edge of modern computer science. From the public document that exists (see
Total control: keywords in your posts that
might trigger surveillance) I have the impression that they try to overreach (which is a standard
bureaucratic tendency in such cases). That means that such an extraction might produce too many
false positives, and needs to be manually correlated with other data.
Recognition of faces from street and security cameras is an even more difficult problem.
Data mining of blogs is difficult for a different reason: not only does detecting who is
who require getting the IP from a particular provider (this is the easy part), the total volume
is enormous. Many people create dozens of messages a day. There is a special category of graphomaniacs
who specialize in participating in various forums, and those are people who have a high chance to
trigger a "blind" keyword search. The USA government can afford to have, say, several zettabytes
of storage capacity in NSA-controlled datacenters, but its capabilities are still limited. It
can't replicate all of the Internet over time. Videos are especially problematic and are more difficult
to analyze than text, HTML or XML documents.
Video streams are huge and probably impossible to store. In a way the fact that most
modern computers have a face camera is not only creating a problem for NSA, it actually creates a
problem for the Internet as a whole ;-). Indiscriminate interception and storage are out of the question:
lovers of "here is what my dog is doing" clips are able to saturate all available storage in no
So even with a huge number of subcontractors they can chase mostly "big fish". Although one nasty question
is why, with all this treasure trove of data, organized crime is so hard to defeat. Having a dataset like
this should generally expose all the members of any gang. Or, say, a network of blue collar insider traders.
So in an indirect way the fact that organized crime not only exists but in some cities even flourishes
can suggest one of two things:
NSA generally limits the availability of those "integrated" data sets to terrorism networks, political
protest, foreign organizations and "suspicious nationals" activities. It is difficult and inefficient
"to cover the whole field", although spying on the activities of a foreign corporation can be more
lucrative than spying on a member of a terrorist network ;-). Some sources mention the current
capabilities as around 100K-200K people who can be "electronically followed" simultaneously. It is
reasonable to expect a high level of secrecy, and that means that data are not shared unless absolutely
The presentation claims Prism was introduced to overcome what the NSA regarded as shortcomings
of Fisa warrants in tracking suspected foreign terrorists. It noted that the US has a "home-field
advantage" due to housing much of the internet's architecture. But the presentation claimed "Fisa
constraints restricted our home-field advantage" because Fisa required individual warrants and
confirmations that both the sender and receiver of a communication were outside the US. "Fisa
was broken because it provided privacy protections to people who were not entitled to them," the
presentation claimed. "
It took a Fisa court order to collect on foreigners overseas who were communicating with other
foreigners overseas simply because the government was collecting off a wire in the United States.
There were too many email accounts to be practical to seek Fisas for all."
... ... ...
A senior administration official said in a statement: "The Guardian and Washington Post articles
refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance
Act. This law does not allow the targeting of any US citizen or of any person located within the
"The program is subject to oversight by the Foreign Intelligence Surveillance Court, the Executive
Branch, and Congress. It involves extensive procedures, specifically approved by the court, to
ensure that only non-US persons outside the US are targeted, and that minimize the acquisition,
retention and dissemination of incidentally acquired information about US persons.
Methods based on "beyond the envelope" analysis are not efficient against reasonably sophisticated
opponents, who understand the fact that the communication will be intercepted and possibly
(superficially) analyzed. In a typical "bullet-armor" competition, that gives new impetus to
"bad guys" inventing new and improving old steganography methods. As the interception of talk between
Soviet fighter pilots and their command posts has shown, the use of slang makes voice data almost
impenetrable. Another example would be calling Goldman Sachs "a vampire squid", which implies that
your counterpart has read
Matt Taibbi's article or related financial blogs, or calling Facebook "lichiko", which implies knowing
Russian. A person without this context can't make the connection. With such substitutions you need a
huge amount of (rapidly shifting) cultural context to understand the meaning of even simple phrases.
This context is missing on the other side of the pond. Even specialist vocabularies can present certain
problems. For example, the Jargon
File (and more) is needed to understand the talk of hackers. Fenia,
the language of the thieves in Russia, was so distinct from ordinary Russian that it almost qualifies
as a separate language, which makes it foreign for outsiders. The same is true about criminal subcultures
in other countries (see
Police and criminal
Storage of actual data involves certain technical difficulties, first of all the physical limitations
of available storage. We can probably talk about several thousand petabytes that the government can
store. In comparison:
Google processed about 24 petabytes of data per day in 2009
AT&T transfers about 30 petabytes of data through its networks each day
The Internet Archive contains about 10 petabytes of cultural material as of October 2012
In August 2011, IBM was reported to have built the largest storage array ever, with a capacity
of 120 petabytes
In July 2012 it was revealed that CERN amassed about 200 petabytes
of data from the more than 800 trillion collisions looking for the
In August 2012, Facebook's Hadoop clusters include the largest single HDFS cluster known, with more
than 100 PB physical disk space in a single HDFS filesystem
In May 2013, Microsoft announced that as part of their migration of Hotmail accounts to the new
Outlook.com email system, they'd migrated over 150 petabytes of user data in six weeks.
There is also a question of the complexity of analysis:
We can assume that simple things are extracted correctly, but more complex things might
not be. There is no question that a map of your phone calls, your Amazon and eBay purchases, credit
card transactions and other straightforward things can be recreated "exactly". Data that can tell
approximately where you were and what you were doing on any particular day can also be recreated. The
map of your phone contacts (people who called you and people whom you call) and your emails gives
a pretty good estimate of your social circle. With multiple data sources any individual posting
in blogs can be identified with 90% or better accuracy, no matter what nicknames he/she uses
and whether he/she avoids registration and provides truthful information during it. So in a way there
is no need to do something complex, as simple methods provide a treasure trove of data.
There are also “junk in, junk out” issues, including spam in email and telemarketers calling
your land line, and there are always "strange" sites you accidentally visit during your browsing. While
they can be filtered, signal can be filtered with them (why can't bad guys disguise themselves
as telemarketers or porno site owners?) and then the system becomes useless against bad guys. If not,
that noise subtly corrupts the data; noise and data can be really indistinguishable. BTW closed source
security-related software will always be somewhat more problematic than open source, since the algorithms
used may be far from perfect and are the result more of "horse trading" between the power groups involved
in development than of honest scientific research. Open source software such as CPU emulators can be
used as a steganography engine that requires a particular processor on the other side for recreation
of the message. And you can choose some really exotic CPU like Knuth's MIX.
Mass collection of data represents dangers outside the activities of three-letter agencies. Data collected
about you by Google, Facebook, etc. are also very dangerous. And they are for sale. Errors in algorithms
and bugs in data mining programs can bite some people in a different way than branding them as "terrorists".
Such people have no way of knowing why all of a sudden, for example, they are paying more for
insurance, why their credit score is so low no matter what they do, etc.
In no way is the government the only one using the mass of data collected via Google / Facebook
/ Yahoo / Microsoft / Verizon / Optonline / AT&T / Comcast, etc. It also can lead to certain subtle
types of bias, if not error. And there are always problems of intentional misuse of data sets containing
extremely intimate knowledge about you, such as your medical history.
Corporate corruption can lead to the data that are shared with the government also being shared
for money with private actors. Inept use of this unconstitutionally obtained data is a threat to all
Then there can be cases when you can be targeted just because you are critical of a particular
area of government policy, for example US foreign policy. This is the "Back in the USSR" situation
in full swing, with its prosecution of dissidents. Labeling you as a "disloyal/suspicious element"
in one of the government "terrorism tracking" databases can have drastic results for your career, and you never
even realize what happened. Kind of Internet era
Obama claims that the government is aware of this danger and has tried not to overstep, but he is
an interested party in this discussion. In a way all governments around the world are pushed into this
shady area by the new technologies that open tremendous opportunities for collecting data and making
That's why even if you are doing nothing wrong, it is still important to know your enemy, as well
as to avoid getting into some traps. As we already mentioned several times before, one typical trap is
excessive centralization of your email on social sites, including using a single Webmail provider. It
is much safer to have mail delivered to your computer via POP3 and to use Thunderbird or another email
client. If your computer is a laptop, you achieve, say, 80% of the portability that Web-based email providers
like Google Gmail offer. That does not mean that you should close your Gmail or Yahoo account. More
important is separating email accounts into "important" and "everything else". "Junk mail" can be stored
on Web-based email providers without any problems. Personal email is completely another matter.
Email security is a large and complex subject. It is
a typical "bullet vs. armor" type of topic. In this respect the fact that the US government
was highly alarmed by the Snowden revelations is understandable, as this shifts the balance away from the dominance
of the "bullet" by stimulating the development of various "armor" style methods to enhance email privacy.
It also undermines/discredits cloud-based email services, especially large ones such as Hotmail, Gmail,
and Yahoo mail, which are the most important providers of email.
You can't hide your correspondents, so recreation of the network of your email correspondents is a fact
of life that you can do nothing about. But you can make searching emails for keywords and snooping on
the text of your email considerably more difficult. And those methods do not necessarily mean using PGP
(actually, from the NSA point of view using PGP is a warning sign that you have something to hide, and that increases
interest in your mailbox; and this is a pretty logical assumption).
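The point above, that correspondents stay visible even when the body is unreadable, shown as an added example (not part of the original page) that can be turned on your own mailbox as a self-audit. All addresses, dates and the placeholder "ciphertext" body are constructed; the code reads headers only.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample mail (addresses and dates are made up).
# Each tuple: (From, To, Cc, Date).
SAMPLES = [
    ("alice@example.org", "bob@example.net", "",
     "Mon, 03 Jun 2013 08:15:00 +0000"),
    ("alice@example.org", "bob@example.net", "carol@example.com",
     "Tue, 04 Jun 2013 08:40:00 +0000"),
    ("bob@example.net", "Alice <alice@example.org>", "",
     "Tue, 04 Jun 2013 09:05:00 +0000"),
    ("alice@example.org", "dave@clinic.example", "",
     "Wed, 05 Jun 2013 23:30:00 +0000"),
    ("alice@example.org", "dave@clinic.example", "",
     "Thu, 06 Jun 2013 23:45:00 +0000"),
]
# Stand-in for an encrypted body; nothing below ever parses it.
OPAQUE_BODY = ("-----BEGIN PGP MESSAGE-----\n(placeholder ciphertext)\n"
               "-----END PGP MESSAGE-----\n")


def build_raw(sender, to, cc, date):
    """Assemble a raw message from the constructed header fields."""
    headers = [f"From: {sender}", f"To: {to}", f"Date: {date}",
               "Subject: (none)"]
    if cc:
        headers.append(f"Cc: {cc}")
    return "\n".join(headers) + "\n\n" + OPAQUE_BODY


def envelope(raw):
    """Return (sender, recipients, sent_at) from headers only."""
    msg = message_from_string(raw)
    from_addrs = getaddresses([msg.get("From", "")])
    sender = from_addrs[0][1].lower() if from_addrs else ""
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower()
                  for _, addr in getaddresses(rcpt_headers) if addr}
    return sender, recipients, parsedate_to_datetime(msg["Date"])


def contact_graph(raw_messages, owner):
    """Count messages exchanged between owner and each correspondent."""
    contacts = Counter()
    for raw in raw_messages:
        sender, recipients, _ = envelope(raw)
        if sender == owner:
            contacts.update(recipients - {owner})
        elif owner in recipients:
            contacts[sender] += 1
    return contacts


def sending_hours(raw_messages, owner):
    """Histogram of the hour (per the Date header) at which owner sends."""
    hours = Counter()
    for raw in raw_messages:
        sender, _, sent_at = envelope(raw)
        if sender == owner:
            hours[sent_at.hour] += 1
    return hours


if __name__ == "__main__":
    raws = [build_raw(*fields) for fields in SAMPLES]
    owner = "alice@example.org"
    print("contacts:", contact_graph(raws, owner).most_common())
    print("sending hours:", sorted(sending_hours(raws, owner).items()))
```

With the bodies opaque, the output still ranks the owner's correspondents and shows a late-night pattern of mail to one address, which is exactly the "envelope" information that encryption of the text does not hide.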
First of all, using a traditional POP3 account now makes much more sense (although on most ISPs
undelivered mail is available via a Web interface). In the case of email security, those who know
Linux/Unix have a distinct advantage. Those OSes provide the ability to have a home server that performs
most functions of the cloud services at a very moderate cost (essentially the cost of a web connection,
or an ISP Web account; sometimes you need to convert your cable Internet account to "business" to open
ports). Open source software for running Webmail on your own server is readily available, and while it
has its security holes, at least they are not as evident as those in Gmail, Hotmail and Yahoo mail.
And, most important, you escape aggregation of your emails at a large provider.
IMHO putting content in an attachment, be it a gif of a handwritten letter in a DOC document or
an MP3 file, presents serious technical problems for snoopers. First of all, any multimedia attachment,
such as a gif of your handwriting (plus a jpeg of your favorite cat ;-), dramatically increases the
necessary storage and thus processing time.
Samsung Note 10.1 and
Microsoft Surface PRO tablets provide an opportunity
to add both audio and handwriting files to your letter with minimal effort. If you have one of those
devices, use it. Actually this is one of the few areas where tablets are really useful. Sending content
as a multimedia file makes snooping more difficult for several reasons:
While recognition of handwriting is a well-studied area of computer science, the number of mistakes
made is considerable, especially if you do not write in a straight line.
Captcha provides an infinite source
of inspiration here. There are programs that generate captcha graphics automatically, but
this is overkill outside small specialized areas such as sending new passwords, etc.
For an MP3 with your voice there are objective limits to the software technologies used in voice
recognition, no matter how powerful the computers used for decoding are. The human ability
to recognize speech despite some level of noise is simply amazing. Even with the slightest
background noise (your favorite song, etc.) the message becomes almost impenetrable for computers.
That actually is a pretty powerful protection from automatic snooping. Of course, if you are designated
an "object of interest" this does not help, but for commoners this is an almost perfect way to
keep sensitive information more or less private (and generally it is a bad idea to send sensitive
information via email).
Another important privacy-enhancing feature of email is related to the classic "noise vs. useful signal"
problem. In this respect the existence of spam looks like a blessing. In the case of mimicry, filtering
"signal from noise" becomes a complex problem. That's why the NSA prefers accessing mail at its final
destination, as we saw from the slides published in the Guardian. But using local delivery and
Thunderbird or any other mail client makes this avenue of snooping easily defeatable. Intercepted on the
router, spam can clog the arteries of automatic processing really fast. It also might slightly distort
your "network of contacts". So if you switch off the ISP-provided spam filter and filter spam locally on
your computer, the problem of "useful signal vs. noise" is offloaded to those who try to snoop on your
mail. And there are ways to ensure that they will filter out the wrong emails ;-). Here is a one-day
sample of spam:
Subject: Gold Watches
Subject: Join us and Lose 8-12 lbs. in Only 7-10 Days!
Subject: New private social network for Ukrainian available ladies and foreign men.
Subject: Fresh closed social network for Russian attractive girls and foreigners.
Subject: Daily Market Movers Digest
Subject: IMPORTANT - WellsFargo
Subject: New private social network for beautiful Ukrainian women and foreign men.
Subject: Fresh closed social network for Russian sexy women and foreign men.
Subject: (SECURE)Electronic Account Statement 0558932870_06112013
Subject: (SECURE)Electronic Account Statement 0690671601_06112013
Subject: Returned mail: see transcript for details
Subject: Bothered with censorship restrictions on Social networks?
Subject: Delivery Status Notification (Failure) - [AKO Content Violation - SPAM]Are
Subject: (SECURE)Electronic Account Statement 0355009837_06112013
Subject: You need Ukrainian with large breasts that Madame ready to correspond to intimate topics?
Subject: You need a Russian woman with beautiful eyes is ready to correspond to private theme?
Subject: Mail delivery failed: returning message to sender
Subject: Are you bored with censorship limits at Social networks?
Subject: Join us and Lose 8-12 lbs. in Only 7-10 Days!
Subject: Important Activation needed
Subject: WebSayt Sadece 35 Azn
Subject: Join us and Lose 8-12 lbs. in Only 7-10 Days!
Note the line "Subject: Mail delivery failed: returning message to sender". That means that
in the spam filter you need to fight impersonation (a fake sender) as well. While typically
this is easy based on the content of the "Received:" headers, there are some complex cases, especially
with bounced mails and "onetime" identities (when the sender assumes a different identity each time at
the same large provider). See also
Using “impersonalization” in your email campaigns.
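One way to apply the "Received:" check described above in a local filter, as an added Python example (not code from this page): only the hop stamped by your own server is trusted, and a bounce is accepted only if the returned message shows a hop through your own outbound server. The host names, the two sample messages and the two-label domain comparison are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed names (not from the page): what your own inbound and outbound
# servers write after "by" in the Received headers they add.
INBOUND_MX = "mx.home.example"
OUTBOUND_SMTP = "smtp.home.example"

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>[^\s;]+)", re.S)
BY_RE = re.compile(r"\bby\s+([^\s;]+)")

# Constructed sample: From: claims bank.example, but the host that connected
# to our server is a DSL line; the lower Received line is sender-supplied.
SPOOFED = """\
Received: from bank.example (dsl-7.isp.example [198.51.100.7])
 by mx.home.example with ESMTP id A2; Tue, 11 Jun 2013 10:05:00 -0400
Received: from secure.bank.example (secure.bank.example [192.0.2.1])
 by relay.bank.example; Tue, 11 Jun 2013 10:04:00 -0400
From: Bank <statements@bank.example>
Subject: (SECURE)Electronic Account Statement

See attachment.
"""

# Constructed bounce for a message we never sent (our address was forged).
BOUNCE = """\
Received: from mx.far.example (mx.far.example [203.0.113.9])
 by mx.home.example with ESMTP id A3; Tue, 11 Jun 2013 11:00:00 -0400
From: MAILER-DAEMON@far.example
Subject: Mail delivery failed: returning message to sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/rfc822-headers

Received: from unknown (unknown [198.51.100.7])
 by mx.far.example; Tue, 11 Jun 2013 10:59:00 -0400
From: me@home.example
Subject: Gold Watches
--b1--
"""


def org_domain(host):
    """Naive registrable domain (last two labels); real filters use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def handoff_hop(msg, inbound=INBOUND_MX):
    """First Received from the top stamped by our server; lower ones may be forged."""
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(raw)
        if m and m.group("by").lower() == inbound:
            return m.groupdict()
    return None


def check_sender(raw_message, inbound=INBOUND_MX):
    """Compare the From: domain with the host that actually connected to us."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hop = handoff_hop(msg, inbound)
    if hop is None:
        return "no-trusted-hop"
    rdns = hop["rdns"].lower()
    if rdns in ("", "unknown"):
        return "no-reverse-dns"
    if org_domain(rdns) != org_domain(from_domain):
        return "from-domain-mismatch"
    return "consistent"


def embedded_original(msg):
    """Headers of the returned message inside a bounce, if it carries them."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload())
    return None


def classify_bounce(raw_bounce, outbound=OUTBOUND_SMTP):
    """Heuristic: a real bounce returns a message that left via our own outbound server."""
    original = embedded_original(message_from_string(raw_bounce))
    if original is None:
        return "unverifiable"
    received = original.get_all("Received", [])
    hosts = [h.lower() for raw in received for h in BY_RE.findall(raw)]
    return "genuine" if outbound in hosts else "backscatter"
```

A mismatch is a scoring signal rather than a verdict: legitimate senders that relay through a third-party mail service will also show a From: domain different from the connecting host.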
BTW fake erotic spam provides tremendous steganography
opportunities. Here is a very simplistic example.
Subject: Do you want a Ukrainian girl with large breasts ready to chat with you on intimate
New closed social network with hot Ukrainian ladies is open. If you want to talk on erotic themes,
with sweet women then this is for you!
I dropped my previous girlfriend. Things deteriorates dramatically here and all my plans are
now on hold.
So I decided to find a lady friend for regular erotic conversations! And I am now completely satisfied
Does the second paragraph, starting with the phrase "I dropped my previous girlfriend...", in the email
above contain real information masked in erotic spam, or is the message regular junk?
A typical spam filter would filter this message out as spam, especially with such a subject line ;-).
You can also play a practical joke imitating spammer activity. Inform a couple of your friends about
it and then send a similar letter from one of your Gmail accounts to your friends. Enjoy change in advertisements
In many cases what you want to send via email can be communicated more securely by phone. Avoid
unnecessary emails like the plague. And not only because of the NSA's existence.
Snooping into your mailbox is not limited to three-letter
I always wondered why Facebook -- a cluelessly designed site which imitates AOL, a hack written
in PHP which provides no, or very little, value to users other than a poorly integrated environment for
a personal Web page (simple "vanity fair" pages), blog and email. It is definitely oriented toward the
most clueless or at least less sophisticated users, and that's probably why it has such a level of
popularity. They boast almost a billion customers, although I suspect that half of those customers check
their account only once a month or so. Kind of an electronic tombstone to people's vanity...
The interface is second rate and just attests to a very mediocre level of software engineering. It is
difficult to imagine that serious guys are using Facebook. And those who do use it usually are of no
interest to three-letter agencies. Due to this, the ability of the government to mine Facebook might be
less of a problem than people assume, much less of a problem than mining Hotmail or Gmail.
But that does not mean that Facebook does not have value. It is just that those entities for whom it
provides tremendous value are not users ;-) As WikiLeaks founder Julian Assange stated, Facebook, Google,
and Yahoo are actually extremely powerful tools for centralized information gathering that can be used
by advertisers, merchants, government, financial institutions and other powerful/wealthy players.
Such sites are also very valuable tools for advertisers who try to capitalize on the information
about your Facebook or Google profile, Gmail message content, network of friends and activities. And
this is a pretty deep pool of information.
"Facebook in particular is the most appalling spying machine that
has ever been invented," Assange said in the interview, which was videotaped and published
on the site. "Here we have the world's most comprehensive database about
people, their relationships, their names, their addresses, their locations and the communications
with each other, their relatives, all sitting within the United States, all accessible ..."
That's why Google, which also lives and dies by advertising revenue, put so much effort into Google+
and promotes the +1 button so heavily. They sense the opportunity for additional advertising revenue
due to more precise targeting and try to replicate Facebook's success on a better technological platform
(Facebook is a hack written in PHP -- and writing in PHP tells a lot about the real technological level
of Mark Zuckerberg and friends).
But government is one thing, advertisers are another. The magnitude of online information Facebook
has available about each of us for targeted marketing is stunning. In Europe, laws give people
the right to know what data companies have about them, but that is not the case in the United States.
Here is what
writes about Facebook data mining efforts:
There have been some concerns expressed regarding the use of Facebook as a means of surveillance
and data mining. The Facebook
"We may use information about you that we collect from other sources, including but not
limited to newspapers and Internet sources such as blogs, instant messaging services and other
users of Facebook, to supplement your profile."
However, the policy was later updated and now states: "We may use information about you that we
collect from other Facebook users to supplement your profile (such as when you are tagged in a photo
or mentioned in a status update). In such cases we generally give you the ability to remove the content
(such as allowing you to remove a photo tag of you) or limit its visibility on your profile."
The terminology regarding the use of collecting information from other sources, such as newspapers,
blogs, and instant messaging services, has been removed.
The possibility of data mining by private individuals unaffiliated with Facebook has been
a concern, as evidenced by the fact that two
Institute of Technology (MIT) students were able to download, using an automated script, over
70,000 Facebook profiles from four schools (MIT,
University of Oklahoma,
and Harvard University)
as part of a research project on Facebook privacy published on December 14, 2005.
Since then, Facebook has bolstered security protection for users, responding: "We’ve built numerous
defenses to combat phishing and malware, including complex automated systems that work behind the
scenes to detect and flag Facebook accounts that are likely to be compromised (based on anomalous
activity like lots of messages sent in a short period of time, or messages with links that are known
to be bad)."
A second clause that brought criticism from some users allowed Facebook the right to sell users'
data to private companies, stating "We may share your information with third parties, including responsible
companies with which we have a relationship." This concern was addressed by spokesman Chris Hughes,
who said "Simply put, we have never provided our users' information to third party companies, nor
do we intend to."
Previously, third party applications had access to almost all user information. Facebook's privacy
policy previously stated: "Facebook does not screen or approve Platform Developers and cannot control
how such Platform Developers use any personal information."
However, that language has since been removed. Regarding use of user data by third party applications,
In order to provide you with useful social experiences off of Facebook, we occasionally need to
provide General Information about you to pre-approved third party websites and applications that
use Platform at the time you visit them (if you are still logged in to Facebook). Similarly, when
one of your friends visits a pre-approved website or application, it will receive General Information
about you so you and your friend can be connected on that website as well (if you also have an
account with that website). In these cases we require these websites and applications to go through
an approval process, and to enter into separate agreements designed to protect your privacy…You
can disable instant personalization on all pre-approved websites and applications using your Applications
and Websites privacy setting. You can also block a particular pre-approved website or application
by clicking "No Thanks" in the blue bar when you visit that application or website. In addition,
if you log out of Facebook before visiting a pre-approved application or website, it will not
be able to access your information.
In the United Kingdom, the
Trades Union Congress
(TUC) has encouraged employers to allow their staff to access Facebook and other social-networking
sites from work, provided they proceed with caution.
In September 2007, Facebook drew a fresh round of criticism after it began allowing non-members
to search for users, with the intent of opening limited "public profiles" up to search engines such
as Google in the following months.
Facebook's privacy settings, however, allow users to block their profiles from search engines.
Concerns were also raised on the
programme in October 2007 when Facebook was shown to be an easy way in which to collect an individual's
personal information in order to facilitate identity theft.
However, there is barely any personal information presented to non-friends - if users leave the privacy
controls on their default settings, the only personal information visible to a non-friend is the
user's name, gender, profile picture, networks, and user name.
In addition, a New York
Times article in February 2008 pointed out that Facebook does not actually provide a mechanism
for users to close their accounts, and thus raised the concern that private user data would remain
indefinitely on Facebook's servers.
However, Facebook now gives users the options to deactivate or delete their accounts, according to
but it will not be deleted. We save your profile information (connections, photos, etc.) in case
you later decide to reactivate your account." The policy further states: "When you delete
an account, it is permanently deleted from Facebook."
A third party site,
USocial, was involved in a controversy surrounding the sale of fans and friends. USocial received
a cease-and-desist letter
from Facebook and has stopped selling friends.
Inability to voluntarily terminate accounts
Facebook had allowed users to deactivate their accounts but not actually remove account content
from its servers. A Facebook representative explained to a student from the
of British Columbia that users had to clear their own accounts by manually deleting all of the
content including wall posts, friends, and groups. A New York Times article noted the issue, and
also raised a concern that emails and other private user data remain indefinitely on Facebook's servers.
Facebook subsequently began allowing users to permanently delete their accounts in 2010. Facebook's
... ... ...
Quit Facebook Day
Quit Facebook Day was an online event which took place on May 31, 2010 (coinciding with Memorial
Day), in which Facebook users stated that they would quit the social network, due to privacy concerns.
It was estimated that 2% of Facebook users coming from the United States would delete their accounts.
However, only 33,000 users quit the site.
... ... ...
Facebook has been criticized heavily for 'tracking' users, even when logged out of the site.
Australian technologist Nik Cubrilovic discovered that when a user logs out of Facebook, the cookies
from that login are still kept in the browser, allowing Facebook to track users on websites that
include "social widgets" distributed by the social network. Facebook has denied the claims, saying
they have 'no interest' in tracking users or their activity. They also promised after the discovery
of the cookies that they would remove them, saying they will no longer have them on the site. A group
of users in the United States have sued Facebook for breaching privacy laws.
Google wants to be the sole intermediary between you and the Internet. As Rebecca Solnit pointed out (Google
eats the world):
Google, the company with the motto "Don't be evil", is rapidly becoming an empire. Not
an empire of territory, as was Rome or the Soviet Union, but an empire controlling our access to
data and our data itself. Antitrust lawsuits proliferating around the company demonstrate its quest
for monopoly control over information in the information age.
Its search engine has become indispensable for most of us, and as Google critic and media professor
Siva Vaidhyanathan puts it in his 2012 book The Googlization of Everything,
"[W]e now allow Google to determine what is important, relevant, and true on the Web and in
the world. We trust and believe that Google acts in our best interest. But we have surrendered
control over the values, methods, and processes that make sense of our information ecosystem."
And that's just the search engine. About three-quarters of a billion people use Gmail, which conveniently
gives Google access to the content of their communications (scanned in such a way that they can target
ads at you).
Now, with the Prism-related revelations, those guys are on the defensive as they sense a threat to their
franchise. And the threat is quite real: if Google, Microsoft and Yahoo all work for the NSA, why not
feed them only a proportionate amount of your searches? And why not feed them "search spam"?
One third to Google and one third to Bing with the rest to
https://duckduckgo.com/ (Yahoo uses Bing internally).
You can rotate days and hope that the level of integration of searches from multiple providers is a
weak point of the program ;-). After all, while Google is still better on some searches, Bing comes
close on typical searches and is superior in searches about Microsoft Windows and similar
Microsoft-related themes. It is only fair to diversify providers.
Google’s motto may be ‘don’t be evil’ but people are increasingly unconvinced that it is as good
as it says it is. The Guardian is currently running a poll asking users ‘Does Google ‘do evil’?’
and currently the Guardian reading public seems to think yes it does. This is partially about Google's
attempt to minimize taxes in the UK but there are other concerns that are much more integral to what
Google is about. At its core Google is an information business, so accusations that it is a threat
to privacy strike at what it does rather than just its profits.
Google recently got a slap on the wrist by Germany for its intrusion of privacy through its street
view and received a $189,225 fine. This was followed in April with several European privacy regulators
ones it had. Unfortunately it was not transparent in how it implemented the changes bringing the
ire of the European regulators. This was followed by not implementing their suggested changes leading
to the regulators considering more fines.
Facebook’s inventory of data and its revenue from advertising are small potatoes compared to Google.
Google took in more than 10 times as much, with an estimated $36.5 billion in advertising revenue in
2011, by analyzing what people sent over Gmail and what they searched on the Web, and then using that
data to sell ads. Hundreds of other companies (Yahoo, Microsoft, Amazon to name a few) have also staked
claims on people’s online data by depositing cookies or other tracking mechanisms on people’s browsers.
If you’ve mentioned anxiety in an e-mail, done a Google search for “stress” or started using an online
medical diary that lets you monitor your mood, expect ads for medications and services to treat your
In other words, stereotyping rules in data aggregation. Your application for credit could
be declined not on the basis of your own finances or credit history, but on the
basis of aggregate data — what other people whose likes and dislikes are similar to yours have done.
If guitar players or divorcing couples are more likely to renege on their credit-card bills, then the
fact that you’ve looked at guitar ads or sent an e-mail to a divorce lawyer might cause a data aggregator
to classify you as less credit-worthy. When an Atlanta man returned from his honeymoon, he found that
his credit limit had been lowered to $3,800 from $10,800. The switch was not based on anything he had
done but on aggregate data. A letter from the company told him, “Other customers who have used their
card at establishments where you recently shopped have a poor repayment history with American Express.”
Even though laws allow people to challenge false information in credit reports, there are no laws
that require data aggregators to reveal what they know about you. If I’ve Googled “diabetes” for
my mother or “date rape drugs” for a mystery I’m writing, data aggregators assume those searches reflect
my own health and proclivities. Because no laws regulate what types of data these aggregators can collect,
they make their own rules.
It’s amazing that there are naive people who worry about government intrusion into our privacy
when we already gave away our civil rights to the billionaires in Silicon Valley. The NSA is taking
note of our calls and emails, but anyone – me included! — who uses the internet and social media
already sold out our privacy rights to the trillion dollar multinational companies now dominating
our lives and – literally – buying and selling us.
The NSA isn’t our biggest worry when it comes to who is using our calls, emails and records for
purposes we didn’t intend. We are going to pay forever for trusting Google, Facebook, Microsoft,
AOL and all the rest. They and the companies that follow them are the
real threat to liberty and privacy.
The government may be wrong in how it is trying to protect us but at least it isn’t literally
selling us. Google’s and Facebook’s et al highest purpose is to control our lives, what we buy,
sell, like and do for money. Broken as our democracy is we citizens at least still have a voice and
ultimately decide on who runs Congress.
and company answer to no one. They see themselves as an elite and superior to everyone else.
In fact they are part of a business culture that sees itself not only above the law but believes
it’s run by
beings. Google even has its own bus line, closed to the public, so its “genius” employees don’t
have to be bothered mingling with us regular folk. A top internet exec
just ruined the America’s Cup race by making it so exclusive that so far only four groups have
been able to sign up for the next race to be held in San Francisco because all but billionaires are
now excluded because this internet genius changed the rules to favor his kind of elite.
Google and Facebook have done
little-to-nothing to curb human trafficking pleading free speech as the reason their search engines
and social networks have become the new slave ships “carrying” child rape victims to their new masters
internationally. That’s just who and what these internet profiteers are.
Face it: the big tech companies aren’t run by nice people even if they do make it pleasant for
their workers by letting them skateboard in the hallways and offering them free sushi. They aren’t
smarter than anyone else, just lucky to be riding a new tech wave. That wave is cresting.
Lots of us lesser mortals are wondering just what we get from people storing all our private data.
For a start we have a generation hooked on a mediated reality. They look at the world through
In other words these profiteers are selling reality back to us, packaged by them into entertainment.
And they want to put a computer on every desk to make sure that no child ever develops an attention
span long enough so that they might actually read a book or look up from whatever tech device they
are holding. These are the billionaires determined to make real life so boring that you won’t be
able to concentrate long enough to pee without using an app that makes bodily functions more entertaining.
These guys are also the world’s biggest hypocrites. The New York Times published a story
about how some of the top executives in Silicon Valley send their own children to a school that does
not allow computers. In “A
Silicon Valley School That Doesn’t Compute” (October 22, 2011) the Times revealed that
the leaders who run the computer business demand a computer-free, hands-on approach to education
for their own children.
This new situation makes the use of a Web proxy at home a must. Not to protect yourself (this is still
impossible), but to control what information you release and to whom. See
Squid. It provides powerful means to analyze your Web traffic
as well as
In my experience, Squid’s built-in blocking mechanism or access control is the easiest method
to use for implementing web site blocking policy. All you need to do is modify the Squid configuration
Before you can implement web site blocking policy, you have to make sure that you have already
installed Squid and that it works. You can consult the
Squid web site to get the latest version
of Squid and a guide for installing it.
To deploy the web-site blocking mechanism in Squid, add the following entries to your Squid configuration
file (in my system, it’s called squid.conf and it’s located in the /etc/squid
acl bad url_regex "/etc/squid/squid-block.acl"
http_access deny bad
The file /etc/squid/squid-block.acl contains web sites or words you want to block.
You can name the file whatever you like. If a site has the URL or word listed in squid-block.acl
file, it won’t be accessible to your users. The entries below are found in squid-block.acl
file used by my clients:
With the squid-block.acl file in action, internet users cannot access the following
Sites that have addresses ending with .oracle.com
Sites that have addresses ending with .playboy.com.br
Sites containing the word “sex” in its pages
You should beware that by blocking sites containing the word “sex”, you will also block sites
such as Middlesex University, Sussex University, etc. To resolve this problem, you can put those
sites in a special file called squid-noblock.acl:
You must also put the “no-block” rule before the “block” rule in the Squid configuration file:
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
http_access allow admin_ips special_urls
acl bad url_regex "/etc/squid/squid-block.acl"
http_access deny bad
Sometimes you also need to add a no-block file to allow access to useful sites
After editing the ACL files (squid-block.acl and squid-noblock.acl),
you need to restart Squid. If you install the RPM version, usually there is a script in the
/etc/rc.d/init.d directory to help you manage Squid:
# /etc/rc.d/init.d/squid reload
To test to see if your Squid blocking mechanism has worked, you can use your browser. Just enter
a site whose address is listed on the squid-block.acl file in the URL address.
In the example above, I block .oracle.com, and when I try to access oracle.com, the
browser returns an error page.
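The rule ordering the quoted article relies on, as an added Python model (not Squid code and not from the article): url_regex is treated as an unanchored, case-sensitive regular expression over the whole URL, and http_access as first-match-wins with all ACLs on a line ANDed. The ACL file contents, the admin_ips network and the .example hosts are constructed, since the page shows none of them; dstdomain is Squid's own suffix-matching ACL type, modelled here for comparison.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed ACL contents: the three block entries the article describes,
# plus two made-up no-block hosts (the page does not show the real files).
BLOCK_PATTERNS = [".oracle.com", ".playboy.com.br", "sex"]
NOBLOCK_PATTERNS = [r"middlesex\.example", r"sussex\.example"]
ADMIN_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed admin_ips value
ADMIN, USER = "192.0.2.10", "198.51.100.7"         # constructed clients


def url_regex(patterns):
    """Squid url_regex: unanchored, case-sensitive regex over the whole URL."""
    compiled = [re.compile(p) for p in patterns]
    return lambda req: any(c.search(req["url"]) for c in compiled)


def dstdomain(domains):
    """Squid dstdomain: '.example.com' matches that host and its subdomains."""
    def match(req):
        host = (urlsplit(req["url"]).hostname or "").lower()
        return any(host == d.lstrip(".") or
                   (d.startswith(".") and host.endswith(d)) for d in domains)
    return match


def src(network):
    """Squid src: match on the client address."""
    return lambda req: ipaddress.ip_address(req["client"]) in network


def http_access(rules, acls, url, client):
    """First matching line wins; every ACL named on a line must match.
    If no line matches, Squid applies the opposite of the last line."""
    req = {"url": url, "client": client}
    for action, names in rules:
        if all(acls[name](req) for name in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"


ACLS = {
    "admin_ips": src(ADMIN_NET),
    "special_urls": url_regex(NOBLOCK_PATTERNS),
    "bad": url_regex(BLOCK_PATTERNS),
    "bad_domains": dstdomain([".oracle.com", ".playboy.com.br"]),
    "bad_words": url_regex(["sex"]),
}

# The article's four lines, in the article's order.
ARTICLE_RULES = [("allow", ["admin_ips", "special_urls"]), ("deny", ["bad"])]

# Variant: exemption for every client, domains matched by suffix, not regex.
TIGHTER_RULES = [("allow", ["special_urls"]),
                 ("deny", ["bad_domains"]),
                 ("deny", ["bad_words"])]

if __name__ == "__main__":
    for url in ("http://www.oracle.com/", "http://www.sussex.example/",
                "http://myoracle-community.example/", "http://www.example.org/"):
        print(url, http_access(ARTICLE_RULES, ACLS, url, USER),
              http_access(TIGHTER_RULES, ACLS, url, USER))
```

Under the article's rules the no-block entry only helps clients in admin_ips, and `.oracle.com` read as a regular expression also matches the unrelated host myoracle-community.example.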
Vanity fair posting should probably now be severely limited. Self-exposure entails dangers that can
become evident only in retrospect. The key problem is that nothing that you post is ever erased. Ever.
Limiting your activity in social networks to the few things that are of real
value, or that are necessary for business or professional development, not just vanity
fair stuff or, God forbid, shady activities, is now a must.
And remember that these days information about your searches, the books that you bought on Amazon, your
friends on Facebook, your connections on LinkedIn, etc. is public. If you want to buy a used book without
it getting into your database, go to a major city and buy it with cash.
Also, getting your own email address and a simple web site at any hosting site is easy and does not
require extraordinary technical sophistication. Prices start from $3 per month. Storing your data on
Facebook servers might cost you more. See
Guide for selecting Web hosting provider
with SSH access for some ideas for programmers and system administrators.
In a way the situation with cloud sites providing feeds to spy on their users is a version of an
autoimmune disease: defense systems are attacking other critical systems instead of rogue agents.
As we mentioned before, technological development has its own set of externalities. One side effect
of internet technologies and, especially, cloud technologies, as well as the wide proliferation of
smartphones, is that they greatly simplify "total surveillance." Previously total surveillance was a very
expensive proposition; now it has become very cheap. In a way the technological genie is out of the
bottle, and it is impossible to put him back. Youtube (funny, it's another site targeted by NSA) contains
several informative talks about this issue. From the talk:
“This is the current state of affairs. There is no more sense of privacy. Not because
it’s been ripped away from you in some Orwellian way, but because you flushed it down the toilet”.
All in all, the Internet on one hand provides an excellent, unique capability for searching information
(and search sites are really amplifiers of human intelligence), but on the other it puts you like a bug
under a microscope. Of course, as so many Internet users exist, the time for which all the information
about you is stored is probably less than your lifespan, but a considerable part of it can be stored for
a long time (measured in years, not months or days) and some part is stored forever. In other words, both
the government and several large companies, first of all Facebook and Google, are constantly profiling
you. That's why we can talk about the death of privacy.
Add to this the real possibility that malware is installed on your PC (and Google Bar and similar
applications are as close to spyware as one can get) and the situation becomes really interesting.
Give me a break. Why wouldn’t the Feds use these tools? They’d be idiots if they didn’t. Repeat
Privacy is a bit of a joke online and you willingly give it up.
People share everything on social networks (lunch,
vacation plans, whereabouts, drivel no one cares about).
This information is increasingly public.
Let’s face it; folks are broadcasting everything from the breakfast they eat to their bowel movements
to when and where they are on vacation. They use services that track every movement they make
(willingly!) on Foursquare and Google Latitude. Why wouldn’t an FBI agent chasing a perp get into
some idiot’s network so he can track him everywhere? It’s called efficiency people.
Here are some simple measures that might help, although they can't change the situation:
If you are technically savvy think about replacing major cloud providers with small ISP accounts.
Webmail and personal Web site creation activities can be done equally well on that platform with
less risk of total surveillance.
Avoid "vanity fair" on social sites and "overexposure".
Don't put all eggs in one "cloud-based" basket. Use two or more email accounts with only
non-essential mails stored "in the cloud".
Use multimedia instead of plain text for your emails whenever possible. Make wider use of your
camera (with which you can take a picture of your handwritten letter) and of video. On Samsung
tablets with a stylus, use the stylus for writing emails.
Move your sensitive information to removable media and use retro-computing for its processing.
Create your own home DMZ with a caching DNS server.
Use IE "InPrivate" browsing mode as your primary browsing mode. Block cookies from Facebook
and, possibly, some other "over-snooping" sites of your choice.
Use "less-snooping" search engine.
Again, none of those measures change the situation dramatically, but each of them slightly increase
the level of your privacy.
The globalist mafia is trying to destroy Trump. There might be the same part of intelligence
community which is still loyal to Bill and Hillary Clinton.
Still Flynn discussing sanctions, which could have been a violation of an 18th century
law, the Logan Act, that bars unauthorized citizens from brokering deals with foreign governments
involved in disputes with the United States.
Keith Kellogg's links with Oracle may be an asset to the Trump team.
As far back as the passage of the Patriot Act after 9/11, civil libertarians worried about
the surveillance state, the Panopticon, the erosion of privacy rights and due process in the name
of national security.
Paranoid fantasies were floated that President George W. Bush was monitoring the library cards
of political dissidents. Civil libertarians hailed NSA contractor Edward Snowden as a hero, or at
least accepted him as a necessary evil, for exposing the extent of Internet surveillance under President
Will civil libertarians now speak up for former National Security Adviser Michael Flynn, whose
career has been destroyed with a barrage of leaked wiretaps? Does anyone care if those leaks were
accurate or legal?
Over the weekend, a few honest observers of the Flynn imbroglio
noted that none of the strategically leaked intercepts of his conversations with Russian Ambassador
Sergey Kislyak proved he actually did anything wrong.
The media fielded accusations that Flynn discussed lifting the Obama administration's sanctions
on Russia – a transgression that would have been a serious violation of pre-inauguration protocol
at best, and a prosecutable offense at worst. Flynn ostensibly sealed his fate by falsely assuring
Vice President Mike Pence he had no such discussions with Kislyak, prompting Pence to issue a robust
defense of Flynn that severely embarrassed Pence in retrospect.
On Tuesday, Eli Lake of
Bloomberg News joined the chorus of skeptics who said the hive of anonymous leakers infesting
the Trump administration never leaked anything that proved Flynn lied to Pence:
He says in his resignation letter that he did not deliberately leave out elements of his conversations
with Ambassador Sergey Kislyak when he recounted them to Vice President Mike Pence. The New York
Times and Washington Post reported that the transcript of the phone call reviewed over the weekend
by the White House could be read different ways. One White House official with knowledge of the
conversations told me that the Russian ambassador raised the sanctions to Flynn and that Flynn
responded that the Trump team would be taking office in a few weeks and would review Russia policy
and sanctions. That's neither illegal nor improper.
Lake also noted that leaks of sensitive national security information, such as the transcripts
of Flynn's phone calls to Kislyak, are extremely rare. In their rush to collect a scalp from
the Trump administration, the media forgot to tell its readers how unusual and alarming the Flynn-quisition
It's very rare that reporters are ever told about government-monitored communications of U.S.
citizens, let alone senior U.S. officials. The last story like this to hit Washington was in 2009
when Jeff Stein, then of CQ, reported on intercepted phone calls between a senior Aipac lobbyist
and Jane Harman, who at the time was a Democratic member of Congress.
Normally intercepts of U.S. officials and citizens are some of the most tightly held government
secrets. This is for good reason. Selectively disclosing details of private conversations monitored
by the FBI or NSA gives the permanent state the power to destroy reputations from the cloak of
anonymity. This is what police states do.
In the past it was considered scandalous for senior U.S. officials to even request the identities
of U.S. officials incidentally monitored by the government (normally they are redacted from intelligence
reports). John Bolton's nomination to be U.S. ambassador to the United Nations was derailed in
2006 after the NSA confirmed he had made 10 such requests when he was Undersecretary of State
for Arms Control in George W. Bush's first term. The fact that the intercepts of Flynn's conversations
with Kislyak appear to have been widely distributed inside the government is a red flag.
While President Trump contemplated Flynn's fate on Monday evening, the
Wall Street Journal suggested: "How about asking if the spooks listening to Mr. Flynn
obeyed the law?" Among the questions the WSJ posed was whether intelligence agents secured proper
FISA court orders for the surveillance of Flynn.
That's the sort of question that convulsed the entire political spectrum, from liberals to libertarians,
after the Snowden revelations. Not long ago, both Democrats and Republicans were deeply concerned
about accountability and procedural integrity for the sprawling surveillance apparatus developed
by our law enforcement and intelligence agencies. Those are among the most serious concerns of the
Information Age, and they should not be cast aside in a mad dash to draw some partisan blood.
There are several theories as to exactly who brought Flynn down and why. Was it an internal White
House power struggle, the work of Obama administration holdovers, or the alligators of the "Deep
State" lunging to take a bite from the president who promised to "drain the swamp?"
Washington Free Beacon has sources who say Flynn's resignation is "the culmination of
a secret, months-long campaign by former Obama administration confidantes to handicap President Donald
Trump's national security apparatus and preserve the nuclear deal with Iran."
Flynn has prominently opposed that deal. According to the Free Beacon, this "small task
force of Obama loyalists" are ready to waylay anyone in the Trump administration who threatens the
Iran deal, their efforts coordinated by the sleazy Obama adviser who boasted of his ability to manipulate
the press by feeding them lies, Ben Rhodes.
Some observers are chuckling at the folly of Michael Flynn daring to take on the intelligence community,
and paying the price for his reckless impudence. That is not funny – it is terrifying. In
fact, it is the nightmare of the rogue NSA come to life, the horror story that kept privacy advocates
tossing in their sheets for years.
Michael Flynn was appointed by the duly elected President of the United States. He certainly should
not have been insulated from criticism, but if he was brought down by entrenched, unelected agency
officials, it is nearly a coup – especially if, as Eli Lake worried on Twitter, Flynn's resignation
inspires further attacks with even higher-ranking targets:
Among the many things hideously wrong with this sentiment is that the American people know absolutely
nothing about the leakers who brought Flynn down, and might be lining up their next White House targets
at this very moment. We have no way to evaluate their motives or credibility. We didn't vote for
them, and we will have no opportunity to vote them out of office if we dissent from their agenda.
As mentioned above, we do not know if the material they are leaking is accurate.
Byron York of the Washington Examiner addressed the latter point by calling for full disclosure:
Important that entire transcript of Flynn-Kislyak conversation be released. Leakers have already
cherrypicked. Public needs to see it all.
That is no less important with Flynn's resignation in hand. We still need to know the full story
of his downfall. The American people deserve to know who is assaulting the government they voted
for in 2016. They deserve protection from the next attempt to manipulate our government with cherry
They also deserve some intellectual consistency from those who have long and loudly worried about
the emergence of a surveillance state, and from conservatives who claim to value the rule of law.
Unknown persons with a mysterious agenda just made strategic use of partial information from a surveillance
program of uncertain legality to take out a presidential adviser.
Whether it's an Obama shadow government staging a Beltway insurrection, or Deep State officials
protecting their turf, this is the nightmare scenario of the post-Snowden era or are we not having
that nightmare anymore, if we take partisan pleasure in the outcome?
Net neutrality has always been confined to the narrowest of meanings to a
point of being self-defeating by simply self-kettling ourselves into such
limited fights/expectations. I know you coastal and big city elites (that's
half snark) will never understand much more empathize or rally with us flyover
deplorables who are limited to 10 gigs a month no matter what provider we use,
no matter how much we pay. I recently read that most homes with fiber now
utilize over a thousand gigs a month that one HD movie can be much more
bandwidth than my entire monthly 70 bucks can buy.
Over twenty years ago the entire U.S. should have established high speed
affordable unlimited fiber to every home on the grid and that's where the
argument should be today. It covers the neutrality issue and so, so very much
more. And it is far more inclusive of many more people who would benefit in so
many ways. It's way past time to remove the internet highway system. Separate
the content providers, the monitors, data mining, from the public highway
system itself. That's where the beginning of neutrality should begin.
So yes, point out the most egregious hypocrites in the misleadership class,
but don't let them all win by keeping us divided and losing within the
extremely limited confines of their argument.
Among the many promises that Barry broke was the one to provide hi speed
internet. One grifter follows another!
We the people need to set some discrete goals and protest. Calling or
writing to the Congress critters will not work. We need to storm their
office on behalf each issue.
"Separate the content providers, the monitors, data mining, from the
public highway system itself. That's where the beginning of neutrality
That is the key point.
Trump would be an idiot if he allowed the likes of Google/UTube,
Facebook, big tech boys to be able to start rigging the content because his
campaign relied hugely on the Internet. A lot of his support by-passed the
traditional TV/Newspaper media. I heard that Twitter are apparently using
ways and means to make his Twitter account only see hostile responses for
the first 100 or so responses. Have no idea if that's true but some of these
firms are getting very close to utility status.
Anti trust laws should be wheeled out. They are already on the books.
Companies such as Netflix are essentially subsidized by telecom
providers. So this is a model that somewhat reminds me of Uber.
The same is true for Google (especially YouTube part of it) and
Facebook. When somebody tries to download 4.7Gb movie that affects
other people on the same subnet,
On the other hand if, for example, popular blogs are forced to pay
per gigabyte of consumed bandwidth, that is as close to censorship as
we can get. 1000 gigabytes per month that is consumed by a medium site
even at $1 per gigabyte is $1000 per month rent. And guess who will be
able to afford it.
There are a lot of complex nuances here. For example, everybody who
uses wireless at home is not in the same group as those who are using
landlines (fiber or cable) even if they live in metropolitan areas.
They are closer to flyover country residents.
Also as soon as something is not metered some sophisticated forms
of abuse emerge. For example, some corporations are abusing public
networks by switching to "home office" model which dramatically cuts
the required office and parking space. Several corporations built
their new headquarters with the assumption that only half of employees
are present at any given day (so called hotel model). When employees
view some clueless corporate video conference via VPN that affects
their neighborhood the same way as heavy Netflix users. Excessive
WebEx videoconferences have a similar effect.
Go back to Bill Clinton's administration when Verizon was a fledgling
company and the government gave massive subsidies to the Telecoms to do exactly
what Eureka Springs notes: bring fast, reliable internet service across the
country. Fast forward to today - those companies took all the subsidies, didn't
build out shit for network capacity, and now spend all their money lobbying to
give themselves more power and limit net neutrality.
If there were a microcosm for this whole problem, this is it. Dems give big
subsidies to corporate players, don't track the work/take for granted that they
"did something" and then get caught flat footed. Now we are all left to battle
it out for the scraps. Exactly where we were 20 years ago.
Watching the Oroville Dam, juxtaposing with all this "infrastructure
spending" talk - everyone should be weary b/c we've been here before with
Guess what happened to Southern Pacific Railroad Company, who benefited
greatly from this government intervention? Later, they turned into Sprint (
I really wish I could get more worked up about Net Neutrality, but I can't.
I'm deeply concerned about the high prices and lack of availability in much of
the country, but I find that much of the debate boils down to conflict between
Silicon Valley and the Telcos about who controls the internet. Content
providers (Facebook, Google, Netflix) want to use the network effects to
manipulate public opinion in their favored version of Net Neutrality, which
seems to involve universal unmetered broadband, which ISPs must build out to
meet demand, shifting costs from the providers to the ISPs, while profits go
the other way. Meanwhile the ISPs do the tricks described in the post and
overcharge customers for poor service. I have little sympathy for either group.
My general belief is that broadband should be cheap, universal, regulated,
and, yes, metered. The latter would encourage high volume users and content
providers to change their behavior and technology to use bandwidth more
efficiently, which would reduce the size of the infrastructure needed over the
long-term. I would also include search neutrality at the same time, but for
some reason that doesn't have the same level of support among the technology
"... Use a linux system Kirk, no need for firewalls, Firefox with duckduckgo search, set options to clear after every session, Adblocker, it's not Tor, but the best open option. ..."
"... I am using DuckDuckGo.Com for search (and looking at YaCy) ..."
"... I also use Firefox for my browser, with AdBlockplus, Flasblock, EFF's Privacy Badger, and a password management app called LastPass (which gives me unique, 16-character, random passwords for each of my sites). ..."
"... Another thing to suggest is to use a private e-mail. ..."
"... I long ago gave up yahoo and g-mail(never had one) ..."
Readers of the Washington Post received some alarming news yesterday when the paper published
a story alleging that those pesky "Russian hackers" were up to their no good tricks
again and had managed to "penetrate the U.S. electricity grid through a utility in Vermont."
Not surprised. I wonder if ZH users are also under cyber attack. Today I noticed that my desktop
browser (Firefox and Chrome) deny me access to any ZH link or pages. I get the "URL does not exist".
Have to use Tor browser to get to ZH.
Anyone know what's going on, and what the RX is? Thanks.
Good Rx, however I would use the firewall -- best to not tempt fate. There are rootkits
That said, it is stable and quite usable.
I am using DuckDuckGo.Com for search (and looking at YaCy), also using TutaNova.Com
encrypted email, looking at Frendica to replace Facebook, using
http://Gab.ai as a Twitter replacement, Thunderbird
(replace Outlook) with Enigmail for encryption and email signing.
I also use Firefox for my browser, with AdBlockplus, Flasblock, EFF's Privacy Badger, and
a password management app called LastPass (which gives me unique, 16-character, random passwords
for each of my sites).
The open, free, reliable solutions are out there.
Side note: Enable two-factor login for all your accounts, you won't regret it.
"... President Obama will go down in history as the man who helped entrench history's largest and most powerful surveillance state ..."
"... Obama didn't just fall short of progressive hopes - he went in the opposite direction ..."
"... he broke a campaign promise and voted for a bill expanding government surveillance and granting immunity to telecommunications companies who helped Bush spy on Americans. ..."
"... Upon becoming president, the already vast surveillance powers of the United States have expanded . By 2010, the NSA was collecting 1.7 billion emails, phone calls, and other types of communications. By 2012, XKeyscore - which sweeps up "everything a user typically does on the internet" - was storing as much as forty-one billion records in thirty days. This gargantuan volume of data has the ironic effect of making it harder to detect security threats. ..."
"... The use of secret laws - hidden from public eyes and often related to surveillance activities - shot up under Obama. The administration tried (and failed) to force Apple to insert security flaws in its phones, to give law enforcement a potential "back door" around encryption. ..."
"... But this would not have happened - and the scope of US surveillance would have stayed secret - had it not been for the disclosures by Edward Snowden, whom Obama criticized and refused to pardon in the waning days of his administration, even as he claimed to " welcome " a debate on surveillance. ..."
President Obama will go down in history as the man who helped entrench history's largest and most
powerful surveillance state, providing it with a liberal legitimacy that left it largely immune from
criticism during his two terms. As President Trump takes the reins of that surveillance state's power
in whatever terrifying ways he chooses, we should remember that it was Obama who paved the way for
Obama has often been painted as a disappointing president, one who reached for the stars but ultimately,
whether due to Republican obstructionism or the disappointing realities of governing, fell short.
In the area of state surveillance, however, Obama didn't just fall short of progressive hopes - he
went in the opposite direction.
Obama built his career opposing the Patriot Act and Bush-era secrecy. He made this opposition
a centerpiece of his presidential campaign,
promising "no more illegal wiretapping of American citizens. No more national security
letters to spy on citizens who are not suspected of a crime . . . No more ignoring the law when it
The first sign of his waning commitment came three months after a Times op-ed declared him
potentially the first civil libertarian president, when he broke a campaign promise and voted
for a bill expanding government surveillance and granting immunity to telecommunications
companies who helped Bush spy on Americans.
Upon becoming president, the already vast surveillance powers of the United States have
expanded. By 2010, the NSA was collecting 1.7 billion emails, phone calls, and other types of
communications. By 2012, XKeyscore - which sweeps up "everything a user typically does on the
internet" - was storing as much as forty-one billion records in thirty days. This gargantuan
volume of data has the ironic effect of making it harder to detect security threats.
The use of secret laws - hidden from public eyes and often related to surveillance activities -
shot up under Obama.
The administration tried (and failed) to force Apple to insert security flaws in its phones,
to give law enforcement a potential "back door" around encryption.
It extended controversial Patriot Act provisions year after year. Less than a week before Donald
Trump, a man he has called "unfit" for office, took power, Obama
expanded the NSA's power to share its data with other agencies. Meanwhile, the FBI is
paying Best Buy employees to snoop through your computer.
Where there have been privacy wins on Obama's watch, they have largely been inadvertent. The NSA
much smaller proportion of Americans' phone records today than it did eleven years ago
because cell phone use has exploded. Furthermore, the USA Freedom Act passed in 2015,
ending bulk collection of US phone records (only of phone records, it must
be said), something Obama tried to claim as part of his legacy in his farewell speech.
But this would not have happened - and the scope of US surveillance would have stayed secret -
had it not been for the disclosures by Edward Snowden, whom Obama
criticized and refused to pardon in the waning days of his administration, even as he claimed
to "welcome" a debate on surveillance.
All of this happened under a liberal former constitutional law professor. The question must be
asked: What will follow under Trump?
The mainstream hysteria over Russia has led to dubious or
downright false stories that have deepened the New Cold War
, January 16, 2017
In the middle of a major domestic crisis over the U.S. charge that Russia had
interfered with the US election, the Department of Homeland Security (DHS) triggered
a brief national media hysteria by creating and spreading a bogus story of Russian
hacking into US power infrastructure.
DHS had initiated the now-discredited tale of
a hacked computer at the Burlington, Vermont Electricity Department by sending the
utility's managers misleading and alarming information, then leaked a story they
certainly knew to be false and continued to put out a misleading line to the media.
Even more shocking, however, DHS had previously circulated a similar bogus story
of Russian hacking of a Springfield, Illinois water pump in November 2011.
The story of how DHS twice circulated false stories of Russian efforts to sabotage
US "critical infrastructure" is a cautionary tale of how senior leaders in a
bureaucracy-on-the-make take advantage of every major political development to
advance its own interests, with scant regard for the truth.
The DHS had carried out a major public campaign to focus on an alleged Russian
threat to US power infrastructure in early 2016. The campaign took advantage of a US
accusation of a Russian cyber-attack against the Ukrainian power infrastructure in
December 2015 to promote one of the agency's major functions - guarding against
cyber-attacks on America's infrastructure.
Beginning in late March 2016, DHS and FBI conducted a series of 12 unclassified
briefings for electric power infrastructure companies in eight cities titled,
"Ukraine Cyber Attack: implications for US stakeholders." The DHS declared publicly,
"These events represent one of the first known physical impacts to critical
infrastructure which resulted from cyber-attack."
That statement conveniently avoided mentioning that the first cases of such
destruction of national infrastructure from cyber-attacks were not against the United
States, but were inflicted on Iran by the Obama administration and Israel in 2009 and 2012.
Beginning in October 2016, the DHS emerged as one of the two most important
players – along with the CIA – in the political drama over the alleged Russian effort
to tilt the 2016 election toward Donald Trump. Then on Dec. 29, DHS and FBI
distributed a "Joint Analysis Report" to US power utilities across the country with
what it claimed were "indicators" of a Russian intelligence effort to penetrate and
compromise US computer networks, including networks related to the presidential
election, that it called "GRIZZLY STEPPE."
The report clearly conveyed to the utilities that the "tools and infrastructure"
it said had been used by Russian intelligence agencies to affect the election were a
direct threat to them as well. However, according to Robert M. Lee, the founder and
CEO of the cyber-security company Dragos, who had developed one of the earliest US
government programs for defense against cyber-attacks on US infrastructure systems,
the report was certain to mislead the recipients.
"Anyone who uses it would think they were being impacted by Russian operations,"
said Lee. "We ran through the indicators in the report and found that a high
percentage were false positives."
Lee and his staff found only two of a long list of malware files that could be
linked to Russian hackers without more specific data about timing. Similarly a large
proportion of IP addresses listed could be linked to "GRIZZLY STEPPE" only for
certain specific dates, which were not provided.
The Intercept discovered, in fact, that 42 percent of the 876 IP addresses listed
in the report as having been used by Russian hackers were exit nodes for the Tor
Project, a system that allows bloggers, journalists and others – including some
military entities – to keep their Internet communications private.
Lee said the DHS staff that worked on the technical information in the report is
highly competent, but the document was rendered useless when officials classified and
deleted some key parts of the report and added other material that shouldn't have
been in it. He believes the DHS issued the report "for a political purpose," which
was to "show that the DHS is protecting you."
Planting the Story, Keeping it Alive
Upon receiving the DHS-FBI report the Burlington Electric Company network security
team immediately ran searches of its computer logs using the lists of IP addresses it
had been provided. When one of the IP addresses cited in the report as an indicator of
Russian hacking was found on the logs, the utility immediately called DHS to inform
it as it had been instructed to do by DHS.
In fact, the IP address on the Burlington Electric Company's computer was simply
the Yahoo e-mail server, according to Lee, so it could not have been a legitimate
indicator of an attempted cyber-intrusion. That should have been the end of the
story. But the utility did not track down the IP address before reporting it to DHS.
It did, however, expect DHS to treat the matter confidentially until it had
thoroughly investigated and resolved the issue.
"DHS wasn't supposed to release the details," said Lee. "Everybody was supposed to
keep their mouth shut."
Instead, a DHS official called The Washington Post and passed on word that one of
the indicators of Russian hacking of the DNC had been found on the Burlington
utility's computer network. The Post failed to follow the most basic rule of
journalism, relying on its DHS source instead of checking with the Burlington
Electric Department first. The result was the Post's sensational Dec. 30 story under
the headline "Russian hackers penetrated US electricity grid through a utility in
Vermont, US officials say."
The DHS official evidently had allowed the Post to infer that the Russian hack had
penetrated the grid without actually saying so. The Post story said the Russians "had
not actively used the code to disrupt operations of the utility, according to
officials who spoke on condition of anonymity in order to discuss a security matter,"
but then added that "the penetration of the nation's electrical grid is
significant because it represents a potentially serious vulnerability."
The electric company quickly issued a firm denial that the computer in question
was connected to the power grid. The Post was forced to retract, in effect, its claim
that the electricity grid had been hacked by the Russians. But it stuck by its story
that the utility had been the victim of a Russian hack for another three days before
admitting that no such evidence of a hack existed.
The day after the story was published, the DHS leadership continued to imply,
without saying so explicitly, that the Burlington utility had been hacked by
Russians. Assistant Secretary for Public Affairs J. Todd Breasseale gave CNN a
statement that the "indicators" from the malicious software found on the computer at
Burlington Electric were a "match" for those on the DNC computers.
As soon as DHS checked the IP address, however, it knew that it was a Yahoo cloud
server and therefore not an indicator that the same team that allegedly hacked the
DNC had gotten into the Burlington utility's laptop. DHS also learned from the
utility that the laptop in question had been infected by malware called "neutrino,"
which had never been used in "GRIZZLY STEPPE."
Only days later did the DHS reveal those crucial facts to the Post. And the DHS
was still defending its joint report to the Post, according to Lee, who got part of
the story from Post sources. The DHS official was arguing that it had "led to a
discovery," he said. "The second is, 'See, this is encouraging people to run
Original DHS False Hacking Story
The false Burlington Electric hack scare is reminiscent of an earlier story of
Russian hacking of a utility for which the DHS was responsible as well. In November
2011, it reported an "intrusion" into a Springfield, Illinois water district computer
that similarly turned out to be a fabrication.
Like the Burlington fiasco, the false report was preceded by a DHS claim that US
infrastructure systems were already under attack. In October 2011, acting DHS deputy
undersecretary Greg Schaffer was quoted by The Washington Post as warning that "our
adversaries" are "knocking on the doors of these systems." And Schaffer added, "In
some cases, there have been intrusions." He did not specify when, where or by whom,
and no such prior intrusions have ever been documented.
On Nov. 8, 2011, a water pump belonging to the Curran-Gardner township water
district near Springfield, Illinois, burned out after sputtering several times in
previous months. The repair team brought in to fix it found a Russian IP address on
its log from five months earlier. That IP address was actually from a cell phone call
from the contractor who had set up the control system for the pump and who was
vacationing in Russia with his family, so his name was in the log by the address.
Without investigating the IP address itself, the utility reported the IP address
and the breakdown of the water pump to the Environmental Protection Agency, which in
turn passed it on to the Illinois Statewide Terrorism and Intelligence Center, also
called a fusion center composed of Illinois State Police and representatives from the
FBI, DHS and other government agencies.
On Nov. 10 – just two days after the initial report to EPA – the fusion center
produced a report titled "Public Water District Cyber Intrusion" suggesting a Russian
hacker had stolen the identity of someone authorized to use the computer and had
hacked into the control system causing the water pump to fail.
The contractor whose name was on the log next to the IP address later told Wired
magazine that one phone call to him would have laid the matter to rest. But the DHS,
which was the lead in putting the report out, had not bothered to make even that one
obvious phone call before opining that it must have been a Russian hack.
The fusion center "intelligence report," circulated by DHS Office of Intelligence
and Research, was picked up by a cyber-security blogger, who called The Washington
Post and read the item to a reporter. Thus the Post published the first sensational
story of a Russian hack into a US infrastructure on Nov. 18, 2011.
After the real story came out, DHS disclaimed responsibility for the report,
saying that it was the fusion center's responsibility. But a Senate subcommittee
in a report a year later that even after the initial report had been
discredited, DHS had not issued any retraction or correction to the report, nor had
it notified the recipients about the truth.
DHS officials responsible for the false report told Senate investigators such
reports weren't intended to be "finished intelligence," implying that the bar for
accuracy of the information didn't have to be very high. They even claimed that
report was a "success" because it had done "what it's supposed to do – generate
Both the Burlington and Curran-Gardner episodes underline a central reality of the
political game of national security in the New Cold War era: major bureaucratic
players like DHS have a huge political stake in public perceptions of a Russian
threat, and whenever the opportunity arises to do so, they will exploit it.
DHS security honchos want to justify their existence. There is no greater danger to national
security than careerists in the position of security professionals. Lying and exaggerating the
threats to get these dollars is what many security professionals do for a living. They are
"... In the middle of a major domestic crisis over the U.S. charge that Russia had interfered with the US election, the Department of Homeland Security (DHS) triggered a brief national media hysteria by creating and spreading a bogus story of Russian hacking into US power infrastructure. ..."
"... Even more shocking, however, DHS had previously circulated a similar bogus story of Russian hacking of a Springfield, Illinois water pump in November 2011. ..."
"... Beginning in late March 2016, DHS and FBI conducted a series of 12 unclassified briefings for electric power infrastructure companies in eight cities titled, "Ukraine Cyber Attack: implications for US stakeholders." The DHS declared publicly, "These events represent one of the first known physical impacts to critical infrastructure which resulted from cyber-attack." ..."
"... That statement conveniently avoided mentioning that the first cases of such destruction of national infrastructure from cyber-attacks were not against the United States, but were inflicted on Iran by the Obama administration and Israel in 2009 and 2012. ..."
"... Beginning in October 2016, the DHS emerged as one of the two most important players – along with the CIA – in the political drama over the alleged Russian effort to tilt the 2016 election toward Donald Trump. Then on Dec. 29, DHS and FBI distributed a "Joint Analysis Report" to US power utilities across the country with what it claimed were "indicators" of a Russian intelligence effort to penetrate and compromise US computer networks, including networks related to the presidential election, that it called "GRIZZLY STEPPE." ..."
"... according to Robert M. Lee, the founder and CEO of the cyber-security company Dragos, who had developed one of the earliest US government programs for defense against cyber-attacks on US infrastructure systems, the report was certain to mislead the recipients. ..."
"... "Anyone who uses it would think they were being impacted by Russian operations," said Lee. "We ran through the indicators in the report and found that a high percentage were false positives." ..."
"... The Intercept discovered, in fact, that 42 percent of the 876 IP addresses listed in the report as having been used by Russian hackers were exit nodes for the Tor Project, a system that allows bloggers, journalists and others – including some military entities – to keep their Internet communications private. ..."
"... Instead, a DHS official called The Washington Post and passed on word that one of the indicators of Russian hacking of the DNC had been found on the Burlington utility's computer network. The Post failed to follow the most basic rule of journalism, relying on its DHS source instead of checking with the Burlington Electric Department first. The result was the Post's sensational Dec. 30 story under the headline "Russian hackers penetrated US electricity grid through a utility in Vermont, US officials say." ..."
"... The DHS official evidently had allowed the Post to infer that the Russian hack had penetrated the grid without actually saying so. The Post story said the Russians "had not actively used the code to disrupt operations of the utility, according to officials who spoke on condition of anonymity in order to discuss a security matter," but then added that "the penetration of the nation's electrical grid is significant because it represents a potentially serious vulnerability." ..."
"... The electric company quickly issued a firm denial that the computer in question was connected to the power grid. The Post was forced to retract, in effect, its claim that the electricity grid had been hacked by the Russians. But it stuck by its story that the utility had been the victim of a Russian hack for another three days before admitting that no such evidence of a hack existed. ..."
"... Only days later did the DHS reveal those crucial facts to the Post. And the DHS was still defending its joint report to the Post, according to Lee, who got part of the story from Post sources. The DHS official was arguing that it had "led to a discovery," he said. "The second is, 'See, this is encouraging people to run indicators.'" ..."
"... The false Burlington Electric hack scare is reminiscent of an earlier story of Russian hacking of a utility for which the DHS was responsible as well. In November 2011, it reported an "intrusion" into a Springfield, Illinois water district computer that similarly turned out to be a fabrication. ..."
"... The contractor whose name was on the log next to the IP address later told Wired magazine that one phone call to him would have laid the matter to rest. But the DHS, which was the lead in putting the report out, had not bothered to make even that one obvious phone call before opining that it must have been a Russian hack. ..."
The mainstream hysteria over Russia has led to dubious or downright false stories that have
deepened the New Cold War
In the middle of a major domestic crisis over the U.S. charge that Russia had interfered with
the US election, the Department of Homeland Security (DHS) triggered a brief national media hysteria
by creating and spreading a bogus story of Russian hacking into US power infrastructure.
DHS had initiated the now-discredited tale of a hacked computer at the Burlington, Vermont Electricity
Department by sending the utility's managers misleading and alarming information, then leaked a story
they certainly knew to be false and continued to put out a misleading line to the media.
Even more shocking, however, DHS had previously circulated a similar bogus story of Russian hacking
of a Springfield, Illinois water pump in November 2011.
The story of how DHS twice circulated false stories of Russian efforts to sabotage US "critical
infrastructure" is a cautionary tale of how senior leaders in a bureaucracy-on-the-make take advantage
of every major political development to advance its own interests, with scant regard for the truth.
The DHS had carried out a major public campaign to focus on an alleged Russian threat to US power
infrastructure in early 2016. The campaign took advantage of a US accusation of a Russian cyber-attack
against the Ukrainian power infrastructure in December 2015 to promote one of the agency's major
functions - guarding against cyber-attacks on America's infrastructure.
Beginning in late March 2016, DHS and FBI conducted a series of 12 unclassified briefings for
electric power infrastructure companies in eight cities titled, "Ukraine Cyber Attack: implications
for US stakeholders." The DHS declared publicly, "These events represent one of the first known physical
impacts to critical infrastructure which resulted from cyber-attack."
That statement conveniently avoided mentioning that the first cases of such destruction of national
infrastructure from cyber-attacks were not against the United States, but were inflicted on Iran
by the Obama administration and Israel in 2009 and 2012.
Beginning in October 2016, the DHS emerged as one of the two most important players – along with
the CIA – in the political drama over the alleged Russian effort to tilt the 2016 election toward Donald
Trump. Then on Dec. 29, DHS and FBI distributed a "Joint Analysis Report" to US power utilities across
the country with what it claimed were "indicators" of a Russian intelligence effort to penetrate
and compromise US computer networks, including networks related to the presidential election, that
it called "GRIZZLY STEPPE."
The report clearly conveyed to the utilities that the "tools and infrastructure" it said had been
used by Russian intelligence agencies to affect the election were a direct threat to them as well.
However, according to Robert M. Lee, the founder and CEO of the cyber-security company Dragos, who
had developed one of the earliest US government programs for defense against cyber-attacks on US
infrastructure systems, the report was certain to mislead the recipients.
"Anyone who uses it would think they were being impacted by Russian operations," said Lee. "We
ran through the indicators in the report and found that a high percentage were false positives."
Lee and his staff found only two of a long list of malware files that could be linked to Russian
hackers without more specific data about timing. Similarly a large proportion of IP addresses listed
could be linked to "GRIZZLY STEPPE" only for certain specific dates, which were not provided.
The Intercept discovered, in fact, that 42 percent of the 876 IP addresses listed in the report
as having been used by Russian hackers were exit nodes for the Tor Project, a system that allows
bloggers, journalists and others – including some military entities – to keep their Internet communications private.
Lee said the DHS staff that worked on the technical information in the report is highly competent,
but the document was rendered useless when officials classified and deleted some key parts of the
report and added other material that shouldn't have been in it. He believes the DHS issued the report
"for a political purpose," which was to "show that the DHS is protecting you."
Planting the Story, Keeping it Alive
Upon receiving the DHS-FBI report the Burlington Electric Company network security team immediately
ran searches of its computer logs using the lists of IP addresses it had been provided. When one
of the IP addresses cited in the report as an indicator of Russian hacking was found on the logs, the
utility immediately called DHS to inform it as it had been instructed to do by DHS.
In fact, the IP address on the Burlington Electric Company's computer was simply the Yahoo e-mail
server, according to Lee, so it could not have been a legitimate indicator of an attempted cyber-intrusion.
That should have been the end of the story. But the utility did not track down the IP address before
reporting it to DHS. It did, however, expect DHS to treat the matter confidentially until it had
thoroughly investigated and resolved the issue.
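The log search described above, together with the false positives Lee and The Intercept report, as an added example (not code from the DHS-FBI report or from the article): a triage pass that annotates every indicator hit with Tor-exit, shared-service and validity-window context before anything is reported as a match. All addresses, hostnames, ranges and log lines are constructed, and the four-field log format is an assumption.

```python
"""Annotate IP-indicator hits with context before reporting a 'match'."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def utc(stamp: str) -> datetime:
    # Assumption: log and feed timestamps are already in UTC.
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Indicator:
    ip: str
    valid_from: Optional[datetime] = None  # None: the feed supplied no dates
    valid_to: Optional[datetime] = None


@dataclass
class Finding:
    when: datetime
    host: str
    ip: str
    verdict: str
    reasons: list = field(default_factory=list)


# Constructed sample data. Every address is from an RFC 5737 documentation range.
INDICATORS = [
    Indicator("192.0.2.10"),                      # listed with no dates
    Indicator("198.51.100.7"),                    # also a Tor exit (below)
    Indicator("203.0.113.25"),                    # sits in a shared mail range
    Indicator("192.0.2.99", utc("2016-03-01"), utc("2016-06-30")),
]
TOR_EXITS = {"198.51.100.7"}                      # hypothetical exit-node list
SHARED_SERVICES = {"webmail-provider": "203.0.113.0/24"}  # hypothetical range
LOG_LINES = [                                     # "<utc-time> <host> <dst-ip> <port>"
    "2016-12-30T09:14:02 laptop-17 203.0.113.25 443",
    "2016-12-30T09:15:40 laptop-17 198.51.100.7 443",
    "2016-04-12T22:03:11 hmi-02 192.0.2.99 4444",
    "2016-12-30T10:00:00 laptop-03 192.0.2.99 443",
    "2016-12-30T10:05:00 laptop-03 192.0.2.10 80",
    "2016-12-30T10:06:00 laptop-03 192.0.2.200 80",
]


def triage(log_lines, indicators, tor_exits, shared_services):
    """Return one Finding per log line whose destination is a listed indicator."""
    by_ip = {ipaddress.ip_address(i.ip): i for i in indicators}
    tor = {ipaddress.ip_address(a) for a in tor_exits}
    shared = {n: ipaddress.ip_network(c) for n, c in shared_services.items()}
    findings = []
    for line in log_lines:
        try:
            stamp, host, dst, _port = line.split()
            when, addr = utc(stamp), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed line: skip rather than guess at its fields
        ind = by_ip.get(addr)
        if ind is None:
            continue  # destination is not on the indicator list
        reasons = []
        if addr in tor:
            reasons.append("tor-exit")  # traffic of many unrelated users
        reasons += [f"shared-service:{n}" for n, net in shared.items() if addr in net]
        if ind.valid_from is None or ind.valid_to is None:
            reasons.append("no-validity-window")  # cannot tie the hit to a date
        elif not ind.valid_from <= when <= ind.valid_to:
            reasons.append("outside-validity-window")
        verdict = "low-confidence" if reasons else "investigate"
        findings.append(Finding(when, host, str(addr), verdict, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(LOG_LINES, INDICATORS, TOR_EXITS, SHARED_SERVICES):
        print(f.when.isoformat(), f.host, f.ip, f.verdict, ",".join(f.reasons))
```

A "low-confidence" verdict means the owner of the address still has to be identified before the hit is reported, not that the hit is benign.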
"DHS wasn't supposed to release the details," said Lee. "Everybody was supposed to keep their
Instead, a DHS official called The Washington Post and passed on word that one of the indicators
of Russian hacking of the DNC had been found on the Burlington utility's computer network. The Post
failed to follow the most basic rule of journalism, relying on its DHS source instead of checking
with the Burlington Electric Department first. The result was the Post's sensational Dec. 30 story
under the headline "Russian hackers penetrated US electricity grid through a utility in Vermont,
US officials say."
The DHS official evidently had allowed the Post to infer that the Russian hack had penetrated the
grid without actually saying so. The Post story said the Russians "had not actively used the code
to disrupt operations of the utility, according to officials who spoke on condition of anonymity
in order to discuss a security matter," but then added that "the penetration of the nation's
electrical grid is significant because it represents a potentially serious vulnerability."
The electric company quickly issued a firm denial that the computer in question was connected
to the power grid. The Post was forced to retract, in effect, its claim that the electricity grid
had been hacked by the Russians. But it stuck by its story that the utility had been the victim of
a Russian hack for another three days before admitting that no such evidence of a hack existed.
The day after the story was published, the DHS leadership continued to imply, without saying so
explicitly, that the Burlington utility had been hacked by Russians. Assistant Secretary for Public
Affairs J. Todd Breasseale gave CNN a statement that the "indicators" from the malicious software
found on the computer at Burlington Electric were a "match" for those on the DNC computers.
As soon as DHS checked the IP address, however, it knew that it was a Yahoo cloud server and therefore
not an indicator that the same team that allegedly hacked the DNC had gotten into the Burlington
utility's laptop. DHS also learned from the utility that the laptop in question had been infected
by malware called "neutrino," which had never been used in "GRIZZLY STEPPE."
Only days later did the DHS reveal those crucial facts to the Post. And the DHS was still defending
its joint report to the Post, according to Lee, who got part of the story from Post sources. The
DHS official was arguing that it had "led to a discovery," he said. "The second is, 'See, this is
encouraging people to run indicators.'"
Original DHS False Hacking Story
The false Burlington Electric hack scare is reminiscent of an earlier story of Russian hacking
of a utility for which the DHS was responsible as well. In November 2011, it reported an "intrusion"
into a Springfield, Illinois water district computer that similarly turned out to be a fabrication.
Like the Burlington fiasco, the false report was preceded by a DHS claim that US infrastructure
systems were already under attack. In October 2011, acting DHS deputy undersecretary Greg Schaffer
was quoted by The Washington Post as warning that "our adversaries" are "knocking on the doors of
these systems." And Schaffer added, "In some cases, there have been intrusions." He did not specify
when, where or by whom, and no such prior intrusions have ever been documented.
On Nov. 8, 2011, a water pump belonging to the Curran-Gardner township water district near Springfield,
Illinois, burned out after sputtering several times in previous months. The repair team brought in
to fix it found a Russian IP address on its log from five months earlier. That IP address was actually
from a cell phone call from the contractor who had set up the control system for the pump and who
was vacationing in Russia with his family, so his name was in the log by the address.
Without investigating the IP address itself, the utility reported the IP address and the breakdown
of the water pump to the Environmental Protection Agency, which in turn passed it on to the Illinois
Statewide Terrorism and Intelligence Center, also called a fusion center composed of Illinois State
Police and representatives from the FBI, DHS and other government agencies.
On Nov. 10 – just two days after the initial report to EPA – the fusion center produced a report
titled "Public Water District Cyber Intrusion" suggesting a Russian hacker had stolen the identity
of someone authorized to use the computer and had hacked into the control system causing the water
pump to fail.
The contractor whose name was on the log next to the IP address later told Wired magazine
that one phone call to him would have laid the matter to rest. But the DHS, which was the lead in
putting the report out, had not bothered to make even that one obvious phone call before opining
that it must have been a Russian hack.
The fusion center "intelligence report," circulated by DHS Office of Intelligence and Research,
was picked up by a cyber-security blogger, who called The Washington Post and read the item to a
reporter. Thus the Post published the first sensational story of a Russian hack into a US infrastructure
on Nov. 18, 2011.
After the real story came out, DHS disclaimed responsibility for the report, saying that it was
the fusion center's responsibility. But a Senate subcommittee investigation
a report a year later that even after the initial report had been discredited, DHS had not issued
any retraction or correction to the report, nor had it notified the recipients about the truth.
DHS officials responsible for the false report told Senate investigators such reports weren't
intended to be "finished intelligence," implying that the bar for accuracy of the information didn't
have to be very high. They even claimed that the report was a "success" because it had done "what
it's supposed to do – generate interest."
Both the Burlington and Curran-Gardner episodes underline a central reality of the political game
of national security in the New Cold War era: major bureaucratic players like DHS have a huge political
stake in public perceptions of a Russian threat, and whenever the opportunity arises to do so, they
will exploit it.
"... William Binney, another NSA whistleblower and hero, stated on his Truthdig interview with Scheer (who talked and repeated himself way too much, not leaving much time for Binney to talk) that Snowden knew from watching what happened to the five of them (among them, Thomas Drake/currently pensionless and an Apple store worker) and that Snowden did it the only way it could be done and did the leak well by gathering so much information up there was no chance of plausible deniability. ..."
"... First they gaslight you. "There is no surveillance. You have no evidence." ..."
"... As soon as there's evidence, they downplay it. "Everyone knew there was surveillance. This is nothing new!" ..."
"... Snowden's leaks were crucial and necessary. State surveillance had been normalized long before him. He only told us it had happened. What happens next is a battle that is still being fought, despite the best efforts of people who weasel about "ambivalence". ..."
"... Exposing the workings of the deep state is necessary if we are to ever reclaim democracy, if in fact we ever had it. ..."
"... Greenwald isn't defending the Russians– he is asking for evidence so we don't have to rely on the intelligence community. ..."
William Binney, another NSA whistleblower and hero, stated
on his Truthdig interview with Scheer (who talked and repeated
himself way too much, not leaving much time for Binney to talk)
that Snowden knew from watching what happened to the five of
them (among them, Thomas Drake/currently pensionless and an Apple
store worker) and that Snowden did it the only way it could
be done and did the leak well by gathering so much information
up there was no chance of plausible deniability.
Your "ambivalence" is one of the favorite tactics of people in
CTR, who start off all their comments with "I love Bernie, but ".
Here's how it works:
1. First they gaslight you. "There is no surveillance. You have
no evidence."
2. As soon as there's evidence, they downplay it. "Everyone knew
there was surveillance. This is nothing new!"
Snowden's leaks were crucial and necessary. State surveillance
had been normalized long before him. He only told us it had
happened. What happens next is a battle that is still being fought,
despite the best efforts of people who weasel about "ambivalence".
SantaFe you said "his career was literally made by a document dump from
guy who increasingly appears to be much more nefarious". Glenn Greenwald's
"career" was made long before Snowden appeared on the scene. That's why
Snowden chose him to release the documents to. He has long been known as a
journalist who speaks truth to power. And what do you mean by this: "He is
quickly losing credibility among many who admired him."? Yourself? I see no
reason why Greenwald should be losing credibility. Primarily what he is
doing in this particular instance is questioning the veracity of the
documents being used against Trump and the means by which they are being
"released". That is one of Greenwald's greatest strengths. He plays no
favorites. As far as the WSJ article on Snowden, I assume you are referring
to the now discredited op-ed (not an article) piece by Epstein? This self
serving op-ed was clearly written by Epstein to promote his recent book and
the "points" he made about Snowden have been discredited by many sources.
Speak for yourself. Greenwald isn't defending the Russians– he is asking
for evidence so we don't have to rely on the intelligence community. And
while Assange appears motivated by animus against Clinton, I have yet to see
anything about Snowden that would make me distrust him more than the press.
What I do see are a lot of centrist liberals acting like Joseph McCarthy.
And even with Assange, WikiLeaks has been invaluable. The mainstream
press largely ignored its most interesting revelations - for instance, the
Clinton camp privately acknowledged that the Saudi government supports ISIS.
We hear much more shooting the messenger stories about dissenters than we
hear stories about the message.
"Days before far-right President-elect Donald Trump is sworn in, President Barack Obama has expanded
all intelligence agencies' access to private communications obtained via warrantless spying.
An executive order allows the National Security Agency (NSA) to share data collected via its global
surveillance dragnet with all other U.S. intelligence agencies, without redacting untargeted American
citizens' private information.
"... The message was accompanied by a parting gift...an apparently complete NSA backdoor kit targeting the Windows operating system. The kit is comprised of 61 malicious Windows executables, only one of which was previously known to antivirus vendors... ..."
A mysterious hacking group has been bedeviling the U.S. intelligence community for months, releasing a
tranche of secret National Security Agency hacking tools to the public while offering to sell even more
for the right price. Now with barely a week to go before Donald Trump's inauguration, the self-styled
"Shadow Brokers" on Thursday announced that they were packing it in.
"So long, farewell peoples. TheShadowBrokers is going dark, making exit," the group wrote on its
The message was accompanied by a parting gift...an apparently complete NSA backdoor
kit targeting the Windows operating system. The kit is comprised of 61 malicious Windows executables,
only one of which was previously known to antivirus vendors...
... ... ...
The Shadow Brokers emerged in August with the announcement that they'd stolen the hacking tools used
by a sophisticated computer-intrusion operation known as the Equation Group, and were putting them up
for sale to the highest bidder. It was a remarkable claim, because the Equation Group is generally understood
to be part of the NSA's elite Tailored Access Operations program and is virtually never detected, much
... ... ...
Released along with the announcement was a huge cache of specialized malware, including dozens of
backdoor programs and 10 exploits, two of them targeting previously unknown security holes in Cisco
routers – a basic building block of the internet. While Cisco and other companies scrambled for a fix,
security experts pored over the Shadow Brokers tranche like it was the Rosetta Stone. "It was the first
time, as threat-intelligence professionals, that we've had access to what appears to be a relatively
complete toolkit of a nation-state attacker," says Jake Williams, founder of Rendition Infosec. "It
was excitement in some circles, dismay in other circles, and panic and a rush to patch if you're running
"... By Michael Arria, an associate editor at AlterNet and AlterNet's labor editor. Follow @MichaelArria on Twitter. Originally published at Alternet ..."
"... The lawsuit was filed by a former product manager who claims that the alleged program violates California labor law. The same person filed a National Labor Relations Board complaint against Google and its sister firm Nest this June. The NLRB complaint alleged that the employee was terminated after making a social media post that was critical of the company. The allegation also contends that the companies illegally monitored workers' electronic devices to prevent them from airing criticisms of Google. ..."
"... Google could be fined up to $100 for each of the 12 alleged violations in the suit, multiplied by 65,000 employees. If an allegedly unlawful policy lasted for more than one pay period, the fine doubles to $200 per pay period, per employee, for up to a year. If 'Doe' prevails on every allegation in the lawsuit, the maximum fine would be $3.8 billion, with about $14,600 going to each Google employee. ..."
"... Company with business model based entirely around mass surveillance enforces a "transparency" (just another word for it) culture among its employees? Who could've known? I'm really interested in how the lawsuit works out. ..."
From a legal standpoint, the arguments that Google is making in its defense in an employee lawsuit
are lame. Of course, it could be saving its real case for the court. Oddly, the summary below omits
a key issue as to why Google's surveillance and secrecy policies are problematic. From the underlying
story at Information:
The lawsuit alleges that Google warns employees to not put into writing concerns about potential
illegal activity within Google, even to the company's own attorneys, because the disclosures could
fall into the hands of regulators and law enforcement. It also alleges that confidentiality provisions
include a prohibition on employees writing "a novel about someone working at a tech company in
Silicon Valley," without Google signing off on the final draft.
Among other things, this makes it impossible for Google to have any sort of internal whistleblower
program, even when most are strictly cosmetic. Most corporate governance experts deem them to be
necessary as a liability shield for management. Moreover, these agreements also violate the SEC's
whistleblower rules, which bar companies from hindering employees contacting agency officials regarding
suspected abuses. Google's top brass appear convinced that their internal code of omerta plus their
connections means that they can dispense with that sort of thing.
Google's internal non-disclosure agreements apparently didn't contain standard "outs," the most
important being that the signer can disclose information when compelled to by judicial decree, as
long as they inform the company first and give them the opportunity to contest the order.
I hope California readers will tell me about the reputation of the firm suing Google.
The claim looks to be spare (a good sign) and well argued. Even though the usual rule of thumb
with employee suits is that the big companies have a huge advantage by being able to hire better
counsel, Google looks to have overreached to such a remarkable degree that the employee may well
prevail. It would also help if outside parties take interest and provide amicus briefs on behalf
of the plaintiff.
By Michael Arria, an associate editor at AlterNet and AlterNet's labor editor. Follow @MichaelArria
on Twitter. Originally published at Alternet
Tech news site the Information reports that a former Google employee is suing the company, claiming
it maintained an internal spying program that encouraged workers to rat each other out.
The lawsuit was filed by a former product manager who claims that the alleged program violates
California labor law. The same person filed a National Labor Relations Board complaint against Google
and its sister firm Nest this June. The NLRB complaint
alleged that the employee was terminated after making a social media post that was critical of
the company. The allegation also contends that the companies illegally monitored workers' electronic
devices to prevent them from airing criticisms of Google.
The lawsuit points out that employees should be able to discuss workplace conditions without fearing
Google has called the lawsuit "baseless." The Information piece quotes a statement from the company:
We're very committed to an open internal culture, which means we frequently share with employees
details of product launches and confidential business information. Transparency is a huge part
of our culture. Our employee confidentiality requirements are designed to protect proprietary
business information, while not preventing employees from disclosing information about terms and
conditions of employment, or workplace concerns.
If the lawsuit ends up being successful, it could be extremely expensive for Google. The Information
report breaks down the math:
Google could be fined up to $100 for each of the 12 alleged violations in the suit, multiplied
by 65,000 employees. If an allegedly unlawful policy lasted for more than one pay period, the
fine doubles to $200 per pay period, per employee, for up to a year. If 'Doe' prevails on every
allegation in the lawsuit, the maximum fine would be $3.8 billion, with about $14,600 going to
each Google employee.
Company with business model based entirely around mass surveillance enforces a "transparency"
(just another word for it) culture among its employees? Who could've known? I'm really interested
in how the lawsuit works out.
... About that press
conference. Here are some of the things we learned:
■ The reason he hasn't shown up to answer questions from
reporters since July is "inaccurate news."
■ The Russians don't have any secret tapes of him behaving
badly in a hotel room because every time he goes to hotels
abroad, he warns everybody: "Be very careful, because in your
hotel rooms and no matter where you go, you're gonna probably
have cameras." Of everything Trump said during the press
conference, this was perhaps the most convincing.
What is there to prevent a Geek Squad
employee from planting compromising material on one's computer out of pure greed, or
if the FBI is out to get someone? How do you prove that the image or file or
whatever wasn't planted?
January 10, 2017
Yves here. There is an additional layer to this ugly picture. I have
whistleblowers as contacts, and one is particularly technology savvy. He has
long been above-board in how he conducts his personal and business affairs. His
big worry has been that it is not hard to plant information on devices.
Did you know that Best Buy's central computer repair facility - their
so-called "Geek Squad" - contains at least three employees who are also regular
informers for the FBI? And that these employees routinely search through
computers and other devices that Best Buy customers send in for repair? And
when they find something they think the FBI would be interested in, they turn
over the information for rewards of up to $500?
That's a sideline business you probably didn't imagine existed - outside of
the old Soviet Union or communist East Germany.
I want to look briefly at two aspects of this - first, the story itself
(it's chilling) and second, its
The Story - Best Buy Repair Techs Routinely Inform on Their Computer
Repair Customers to the FBI
Let's look first at the story via the
in Orange County,
California. Note, as you read, the use of phrases like "FBI informant" and
"paid FBI informant." We'll also look at other versions of this story. In all
versions, Best Buy repair employees routinely search customers' computers for
information they can sell to the FBI, and get paid if the FBI wants the info.
In the FBI-centered versions, the Best Buy employees act on their own and
get paid as "honest citizens," as it were, merely offering tips, even though
this practice seems to be routine. For the FBI, the fact that the same
employees frequently offer tips for which they get paid doesn't make them "paid
informers" in the sense that a regular street snitch regularly sells tips to
For the Best Buy customer in question, that's a distinction without a
difference. But you'll see that distinction made in articles about this
incident, depending on whose side the writer seems to favor.
[Dr. Mark A.] Rettenmaier is a prominent Orange County physician and
surgeon who had no idea that a Nov. 1, 2011, trip to a Mission Viejo Best
Buy would jeopardize his freedom and eventually raise concerns about, at a
minimum, FBI competency or, at worst, corruption. Unable to boot his HP
Pavilion desktop computer, he sought the assistance of the store's Geek
Squad. At the time, nobody knew the company's repair technicians routinely
searched customers' devices for files that could earn them $500 windfalls as
FBI informants. This case produced that national
According to court records, Geek Squad technician John "Trey" Westphal, an FBI
informant, reported he accidentally [sic] located on Rettenmaier's
computer an image of "a fully nude, white prepubescent female on her hands
and knees on a bed, with a brown choker-type collar around her neck."
Westphal notified his boss, Justin Meade,
also an FBI informant
alerted colleague Randall Ratliff,
another FBI informant
at Best Buy,
as well as the FBI. Claiming the image met the definition of child
pornography and was tied to a series of illicit pictures known as the
"Jenny" shots, agent Tracey Riley seized the hard drive.
The story goes on to detail rights violations committed by the FBI on its
own, such as these:
Setting aside the issue of whether the search of Rettenmaier's computer
an illegal search by private individuals acting as government
, the FBI undertook a series of dishonest measures in hopes of
building a case, according to James D. Riddet, Rettenmaier's San
Clemente-based defense attorney. Riddet says
agents conducted two
additional searches of the computer without obtaining necessary warrants
trick a federal magistrate judge into authorizing a search
, then tried to
cover up their misdeeds by initially hiding
To convict someone of child-pornography charges, the government must
prove the suspect knowingly possessed the image. But in Rettenmaier's case,
the alleged "Jenny" image was found on unallocated "trash" space, meaning it
could only be retrieved by "carving" with costly, highly sophisticated
forensics tools. In other words, it's arguable a computer's owner wouldn't
know of its existence. (For example, malware can secretly implant files.)
Worse for the FBI, a federal appellate court unequivocally declared in
February 2011 (USA v. Andrew Flyer) that pictures found on unallocated space
did not constitute knowing possession because it is impossible to determine
when, why or who downloaded them.
The doctor's lawyer, of course, is contesting all of this, and the article's
main point is that these discoveries have the FBI on the defensive. From the
article's lead paragraph:
[A]n unusual child-pornography-possession case has placed officials on
the defensive for nearly 26 months. Questions linger about law-enforcement
honesty, unconstitutional searches, underhanded use of informants and
twisted logic. Given that a judge recently ruled against government demands
to derail a defense lawyer's dogged inquiry into the mess,
of America v. Mark A. Rettenmaier
is likely to produce additional
courthouse embarrassments in 2017.
I want to ignore the wrangling between the court, the FBI and the attorneys
for this piece and focus on the practices of Best Buy's employees and the
government's defense of those practices. After discussing attempts to
manipulate the court by withholding information in order to get authorization
for a raid, the author notes:
Assistant U.S. Attorney M. Anthony Brown believes the "Jenny" image
shouldn't be suppressed because it's only
"wild speculation" that the
Geek Squad performed searches at FBI instigation
. To him, the defense is
pushing a "flawed" theory
slyly shifting focus to innocent FBI agents
he maintains that Rettenmaier-who is smart enough to have taught medicine at
USC and UCLA-was dumb enough to seek Best Buy recovery of all of his
computer files after knowingly storing child porn there.
Reading this, it's easy to see that the issue of what constitutes a "paid
informant" is being obscured. After all, what counts as "FBI instigation"? If
someone pays you regularly for something that she never directly asks for, is
that "innocent" behavior or caused behavior ("instigation")?
Yes, Best Buy Did This Regularly
The article answers the questions above:
But the biggest issue remains whether Geek Squad technicians acted as
secret law-enforcement agents and, thus, violated Fourth Amendment
prohibitions against warrantless government searches. Riddet [the
defendant's lawyer] claims
records show "FBI and Best Buy made sure that
during the period from 2007 to the present, there was always at least one
supervisor who was an active informant."
He also said, "
appears to be able to access data at [Best Buy's main repair facility in
Brooks, Kentucky] whenever they want
." Calling the relationship between
the agency and the Geek Squad relevant to pretrial motions, [Judge] Carney
approved Riddet's request to question agents under oath.
The writer goes on to discuss the ins and outs of this particular case. But
consider just what's above:
- Best Buy routinely takes in customer computers for repair.
- Those computers are, at least frequently, sent to Best Buy's national
  repair facility in Kentucky.
- Multiple people at that facility appear to be regular FBI informants.
- From 2007 on, at least one supervisor on duty at any time was "an
  active informant" for the FBI.
And finally, from the article's lead:
- Informing like for the FBI pays at least $500 each incident.
The LA Times handles this question similarly in
when the case first broke (my emphasis):
An employee at Best Buy's nationwide computer repair center served as a
who for years tipped off agents to illicit material found on customers' hard
drives, according to the lawyer for a Newport Beach doctor facing child
pornography charges as a result of information from the employee.
Federal authorities deny they directed the man
to actively look
for illegal activity. But the attorney alleges the FBI essentially used the
employee to perform warrantless searches on electronics that passed through
the massive maintenance facility outside Louisville, Ky., where technicians
known as Geek Squad agents work on devices from across the country.
The Geek Squad had to use specialized technical tools to recover the photos
because they were either damaged or had been deleted, according to court
papers.
This contrasts with the Best Buy assertion that "Geek Squad technician John
"Trey" Westphal, an FBI informant, reported he
image] on Rettenmaier's computer".
The Times thinks this case could turn into a constitutional issue,
regardless of whether the doctor is guilty or innocent. (For the record, I'll
note that the later (perhaps illegal as well) search of the doctor's other
devices turned up what is asserted to be more incriminating pictures, mere
possession of which is a "sex crime" in the U.S.)
- This is an eager prosecutorial society; we really are a
punishing bunch, we Americans. We've never left the world of Hawthorne's
. So we give our police great latitude, allowing them to
shoot and kill almost anyone for almost any reason, so long as the stated
reason is in the form "I was afraid for my safety." Our prosecutors have great
latitude in putting as many of our fellows in prison as possible. Our judges
routinely clear their court calendars using plea-bargained guilty verdicts
This is the American judicial system, and it looks nothing like
, which is mainly propaganda.
And we, the spectators, are happy as clams to see the guilty (and the
innocent) tortured and punished - witness our entertainment and the many
popular programs that vilify the unworthy, from
and her ilk,
knockoffs, to all of those
(extremely popular, by the way) on MSNBC. We love to see the "wicked" get it,
in media and in life, much more so than people in many other first-world
countries do. Witness our incarceration rate, the
in the world
Thus we give our "law enforcement" personnel - cops of all stripes,
prosecutors, courts of all stripes (including the secret ones) - great latitude
in finding people to punish and then making them truly miserable for as long as
possible. We have been like this as a society for some time, all done with most
- With a Democrat in the White House, we're inclined to
think this setup is mainly well-managed (even when it obviously isn't). Thus it
has our blessing, more or less - or at least it has the blessing of middle
class and working class white people - the bulk of people who vote.
- We therefore fail to ask the most obvious questions.
For example, about this Best Buy case, we ought to be asking this:
- How common is the practice of paid FBI informants spying on fellow
  citizens in the ordinary performance of their jobs?
- Are other computer repair companies and facilities similarly infected
  (infiltrated) by government agents?
- Are other businesses also infiltrated to this degree?
- Are "sex crimes" the only activity paid FBI informers watch for?
- Is political activity subject to this kind of spying?
- How much will this practice widen under AG Beauregard Sessions and
Much to think about. I don't see the practice ending soon. I do see this as
the tip of what could be a very large iceberg.
January 10, 2017 at 5:44 am
Some professionals are required by law or professional ethics to report
wrongdoing by others. So this isn't new. You should expect, at least in some
cases, that anything you do online or offline is public knowledge and can be
used against you in a court of law (or by a blackmailer) by both good and bad
actors. You may or may not have a right to privacy, but in actual practice, it
is primarily the needle in the haystack that protects you - it isn't easy to
uncover bad behavior in the midst of countless pointless information.
I know a private businessman who repairs computers. Even he has formal
paperwork to cover both himself (while working on your computer) and to cover
his customer, in regards to what junk you have on your hard drive. He doesn't
want to be an accessory to a crime by a customer. And the customer needs
reassurance that he isn't trolling the customer's data (more profitable to
borrow financial info, not porn).
Sorry, but computer repair techs who are secretly on the payroll of the
FBI and this apparently being normal and routine (ensuring that at least one
supervisor was always an informant) is absolutely shocking and extreme. As
are routine computer searches by personnel acting on behalf of the FBI
without a warrant - searches that extend into unallocated areas of the hard
drive requiring special software - this was not an accidental or inadvertent
discovery, it was a purposeful fishing expedition.
To pooh pooh the severity of the surveillance does no one any favors. We
may not have privacy in practice but de jure we have something called the
Fourth Amendment. Behavior like this from our institutions does nothing but
confirm RT's line that the United States is a surveillance state of
historically unprecedented levels. Sadly the same people who pretend to
champion the Bill of Rights in other contexts (such as gun rights) don't
care a snapped twig about all our other rights that are routinely and with
malice dismantled by the government acting under the cover of private
While I sympathize with your quaint notion of civil rights that was
pretty much cancelled by the NDAA of 2012, and the carte blanche given by
the secret court of warrants. A legal fig leaf perhaps. If you want
better civil rights, you have to abolish the secret court of warrants,
and any other Star Chamber. Also get rid of the NDAA and the Patriot Act
The FBI and CIA are, and have always been, in competition and that
leads to an always expanding need to tabulate everything and examine
anything. Ultimately those who seek safety, lose liberty. RT is
completely correct (when they want to be) about the US. Of course, even
France 24 has its own agenda too.
"searches that extend into unallocated areas of the hard drive
requiring special software"
This is BS. Stop repeating it. It's a very weak case, and only serves
to make people feel secure in their insecurity.
When you are looking at a hard drive you look at the whole hard drive.
You have to. Just because windoze and apple don't let you see this,
doesn't mean it doesn't happen every second of everyday in the
If you are going to try to legislate that *anyone* can only look at
"allocated" data, then, well, you can't turn a computer on. The entire
boot sector isn't "allocated" (in the way that you are using the term),
and you'd need *special software* to read it (an OS, or a disk utility)
I'm not in favor of what BB is doing, but this is completely believable. He
sent the drive to be analyzed (recovery of lost files). They analyzed it and
found his deleted files.
This is pretty basic computer stuff.
The Geek Squad had to use specialized technical tools to recover the photos
because they were either damaged or had been deleted, according to court
This contrasts with the Best Buy assertion that "Geek Squad technician John
"Trey" Westphal, an FBI informant, reported he accidentally located [the image]
on Rettenmaier's computer"."
I've done it before with my own drives that have failed. You find all of the
files that were "deleted" but not overwritten.
This is why you NEVER, EVER get rid of a hard drive without physically
destroying it first. You might not be able to access the failed drive to write
over the old data anymore (drive failure). Lots of times, you can still access
the drive to READ it.
"Rettenmaier's hard drive was shipped to Geek Squad City in Brooks,
Ky., a suburb of Louisville.
"Prosecutors said that the Geek Squad technician who searched the
unallocated space was merely trying to recover all the data Rettenmaier
had asked to be restored. Riddet argued that the technician was going
beyond the regular search to deleted material to find evidence the FBI
It seems as if the people working for BB in Louisville were data
recovery people. You can't really be surprised that A) they recovered
data or B) that the FBI might be interested in knowing people who work
there - they were paying them.
Speaking of privacy, I believe that all those numbers appended to
the end of the WAPO link you posted lead straight back to your
computer and the chain of links you used to find it.
Sometimes you can strip them out and get to the link without them.
Other times you cannot. Anyone savvy enough to explain an easy formula
to anonymize the link by removing all or part of those numbers?
H.P.? Serves him right for buying Hewlett Packard shit and for
trusting Best Buy.
Thanks to Carly Fiorina, ALL H.P. products have become absolute
The way to get back at Best Buy is to use them as a free rental service;
i.e. Buy a product you want to use for a little while, keep the receipt
and then return it within the allowed period and get your money back.
Any corporation that allows the nonsense profiled in this article
deserves the corporate death penalty.
If you have an old hard drive you can do the following to disable it
Drill multiple holes, at least half an inch in diameter, all the way
through the casing and the disk of the hard drive so you can look through
the holes. You will need a vice and high quality drill bits. Don't do
this unless you are familiar with tools and take safety precautions. Your
hand is worth more than your privacy.
Make at least several holes, and make sure they are not opposite each
other on the disc. This will cause it to blow up when it's spinning at x
Pour glue into the holes and tip the casing on its edge so the glue flows
inside the hard drive casing.
Not only that there can be stuff hiding in un-allocated space – it can be
sucked into allocated space when new stuff is created when sloppy – or
performance fetishistic – programmers do not zero out memory on allocation.
So, you create a new file / document / image and now inside the binary
blob that contains your data, other stuff now lurks.
Tuff Titties if you send a picture of your dog in Christmas Dress to
Granny and the "padding" added to align the image data with physical sectors
on the hard disk suck in a "Jenny thumbnail" that Firefox cached for you
when some pr0n site did a popup.
Once on the net, STASI's robots will sniff that out because "padding
space" is EXACTLY one of the channels that "Evul Terrierists" would use to
hide nefarious plots – Prosecutions will follow, because they have blown
billions on this surveillance machine so they always need cases to prove the
worth of the "investment".
In the US, "Progress" is commonly measured in "Effort Spent" so it does
not matter that the charges will eventually be dismissed.
I often buy used business computers through vendors like Arrow Value
Recovery. I do this to save money, because nothing radically good has come
up for some years now making a 2 year old computer perfectly good especially
at 1/3 of the new-price and also for environmental reasons.
I never keep the original hard drive that comes with the computer, I
replace it with a new SSD and reinstall from original media. Why?
Because even though the drive has been initialized by the vendor of the
used PC, there may be stuff lurking in there that I don't want to maybe take
through customs or airport security! Or maybe known things I don't want
running on the inside of my firewall. Lenovo is kinda in-famous for that,
others haven't been outed yet, one must assume.
You seem to discount what the article says when you say:
> They analyzed it and found his deleted files.
It is quite a jump to identify this as his or even necessarily as a
deleted file given this:
But in Rettenmaier's case, the alleged "Jenny" image was found on
unallocated "trash" space, meaning it could only be retrieved by
"carving" with costly, highly sophisticated forensics tools. In other
words, it's arguable a computer's owner wouldn't know of its existence.
(For example, malware can secretly implant files.)
To the best of my limited understanding deleted files go to Windows
"Trash" in Windows space, not to unallocated space. If someone could explain
how lost files could move out of the Windows partition to unallocated space,
or clarify how else the term "unallocated" might be interpreted here I would
Files in "Trash" aren't really deleted until the trash (or Recycling
Bin, or whatever) is emptied. But even then the data isn't really gone.
The 1s and 0s that make up the "Jenny" image or your 1040 or the torrid
letter to your mistress are still there.
The operating system just erases the pointer or bookmark that tells it
"this is a file" and marks the space as unallocated, meaning it can now
store other stuff there. But until it does so any program that can read
the data directly – not through the operating system – can still find and
view the contents of those files.
At $500 a pop, an hourly Geek Squad worker has plenty of incentive to
make up whatever is needed to keep the FBI happy. Think they have too much
integrity or there's too much oversight of their actions? What about the
multiple incidents where these same technicians charge for services that
aren't warranted or weren't performed or save off copies of their customers'
nude photos and share them with the entire internet?
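The behaviour described in the comments above (deleting a file removes the index entry and marks its space unallocated, while the bytes stay readable until something overwrites them) can be reproduced on a toy in-memory disk. This is an added example, not part of the original thread; `ToyDisk`, `carve_unallocated` and the sample bytes are constructed for illustration and do not model any real filesystem.

```python
BLOCK = 512
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


class ToyDisk:
    """Constructed stand-in for a filesystem: raw blocks plus a file index."""

    def __init__(self, blocks=64):
        self.raw = bytearray(BLOCK * blocks)   # what is physically stored
        self.free = [True] * blocks            # allocation map
        self.index = {}                        # name -> (first_block, length)

    @staticmethod
    def _blocks_for(length):
        return max(1, -(-length // BLOCK))     # ceiling division

    def write_file(self, name, data):
        need = self._blocks_for(len(data))
        for start in range(len(self.free) - need + 1):
            if all(self.free[start:start + need]):       # first-fit
                self.raw[start * BLOCK:start * BLOCK + len(data)] = data
                for b in range(start, start + need):
                    self.free[b] = False
                self.index[name] = (start, len(data))
                return start
        raise OSError("disk full")

    def read_file(self, name):
        start, length = self.index[name]
        return bytes(self.raw[start * BLOCK:start * BLOCK + length])

    def listing(self):
        """What the operating system would show the user."""
        return sorted(self.index)

    def delete(self, name):
        """Ordinary delete: drop the index entry, free the blocks.
        Note that self.raw is never touched."""
        start, length = self.index.pop(name)
        for b in range(start, start + self._blocks_for(length)):
            self.free[b] = True

    def free_runs(self):
        """Yield (first_block, block_count) for each unallocated run."""
        run_start = None
        for i, is_free in enumerate(self.free + [False]):
            if is_free and run_start is None:
                run_start = i
            elif not is_free and run_start is not None:
                yield run_start, i - run_start
                run_start = None

    def wipe_free_space(self):
        """Overwrite every unallocated block with zeros."""
        for start, count in self.free_runs():
            self.raw[start * BLOCK:(start + count) * BLOCK] = bytes(count * BLOCK)


def carve_unallocated(disk):
    """Signature-based carving: scan unallocated blocks for SOI...EOI,
    ignoring the file index entirely."""
    found = []
    for start, count in disk.free_runs():
        region = bytes(disk.raw[start * BLOCK:(start + count) * BLOCK])
        pos = region.find(JPEG_SOI)
        while pos != -1:
            end = region.find(JPEG_EOI, pos + len(JPEG_SOI))
            if end == -1:
                break
            found.append(region[pos:end + len(JPEG_EOI)])
            pos = region.find(JPEG_SOI, end + len(JPEG_EOI))
    return found


def demo():
    disk = ToyDisk()
    notes = b"quarterly notes " * 50
    # Constructed bytes with JPEG markers; not a real image.
    photo = JPEG_SOI + b"\xe0" + b"constructed sample payload " * 40 + JPEG_EOI
    disk.write_file("notes.txt", notes)
    disk.write_file("photo.jpg", photo)

    disk.delete("photo.jpg")
    listing = disk.listing()                 # the user sees only notes.txt
    carved = carve_unallocated(disk)         # a raw reader still finds the photo

    disk.wipe_free_space()
    carved_after_wipe = carve_unallocated(disk)

    return {
        "photo": photo,
        "listing_after_delete": listing,
        "carved_after_delete": carved,
        "carved_after_wipe": carved_after_wipe,
        "notes_intact": disk.read_file("notes.txt") == notes,
    }


if __name__ == "__main__":
    result = demo()
    print("listing after delete:", result["listing_after_delete"])
    print("files carved after delete:", len(result["carved_after_delete"]))
    print("files carved after wipe:", len(result["carved_after_wipe"]))
```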
Great article. Thanks, Yves.
Perhaps it was a little too early in the morn for me to read it, however. I
remain stunned (which is rare following this past election season).
At $500 a pop, it seems the temptation would be huge for the Geeks to plant
things on your computer to get a 'reward' from the FBI.
This 'private spy' practice is wrong on so many levels.
I've never used the Geek Squad & now I certainly never would.
Apparently, they are just one more enemy to avoid. Wowsers. I'll be forwarding
this article to friends. Best Buy is now Big Brother.
You'd have more incentive since your hourly wage, from what is probably a
part time job or "part time" i.e. just few enough hours to deny you full
time is pretty meager. At $500 a tip, you can be sure that at least the
temptation is there to give the Feds what they want.
Great article. I would love to know whether or not the Apple Stores do this,
especially since Macs are largely not self repairable, even at the most basic
level. i.e. Went into get a cracked screen/battery fixed, ended up with a
I took a friend into an apple store a couple days ago because she was
having problems getting in/past her own password. Within minutes they
literally put her entire hd in the cloud and then told her after the fact. I
lost it when they asked if I wanted the same.
A family member of mine frequently has problems with a windows based
laptop and best buy geeks just accesses her entire computer remotely. I've
never understood why someone would allow such a thing. Can't wait to send
her this article/link.
I don't know but assume the worst considering the value to so many
and the difficulty of truly erasing files from one's own hd. The apple
store "cloud" was a room full of large servers just behind the
counter. They don't ask, or charge for that 'service' so once again,
we must be the product.
And as for the police state and the courts . could we find a mafia
more intrusive, less trustworthy? As I keep thinking, why oh why
aren't computers and phones the very expanded definition of papers and
I'm wondering just how big the data file capacity of the Utah
federal server farm really is. It is "common knowledge" that the,
say, military regularly hides the true capabilities of its
machinery on the basis of combat efficiency. "Keep 'em guessing" is
the idea. This gives one a potential edge if real conflict should
occur. Logically, the same should apply to federal cyber
capabilities. So, how much of the nation's cyber traffic can be
stored and analyzed? All of it? The mind boggles.
Here, the quality of algorithmic sorting functions is key. Sloppy
searches will yield excesses of false positive prosecutions. It
would be easy for "revenge" prosecutions and "silencing" actions to
be inserted and hidden this way. Thus, the "powers" actually have a
disincentive to perfect their sorting algorithms. Bad days ahead.
Once data is out of your hands you have to assume it's public.
For example: you tell Apple to delete your data. How do they do it?
The same way your computer does it, their system deletes the pointer
to that data (file) from an "index" of the data (files) disk. In other
words it does not delete the data from the disk, it only
tells itself to ignore it in the future. If someone comes along later,
and wants to scan the disk and recover deleted files they can do just
what the Geek guy did.
Quick answer: No, once files are in the iCloud they are effectively
It's "standard protocol" for any professional level computer tech
to image the drive before they do anything else. In case they do
something that wipes out the rest of the data while working on it.
What they do with that image, and how they store it, is the tricky
It's much easier and quicker to "image" a hard drive, than to
securely delete a hard drive.
How long does it take to fill up a 500 GB hard drive? It's going to
take at least that long, and probably several multiples of that time,
to securely delete that drive by OVERWRITING the drives.
I think DOD level "wiping" calls for 20 overwrites.
Drives do 2 things- Read or write. There is no "delete".
Even the spooks in the plane over China a few years ago were forced
to use axes to "delete" the data, before the Chinese got to it. It's
They also, on that level, weren't deleting the data. When trying to
defend against a state level attack, all you're doing is increasing
the time that it will take them to recover the data, or most of the
Old Jake, other NC readers may have similar concerns about data
security, and your other comments seem to indicate some familiarity
with computers. What would you advise people to do post-Apple or
Back things up on a dedicated, local drive. A true backup is not
kept in the same physical location as the computer is. Keep it in a
different building, in case of fire, or disaster.
If you're not backing your files up, don't have that drive
plugged in. Don't have it in the same place.
Don't ever "throw out" any computer, or anything with a hard
drive or storage. Don't assume that because you can't access it, no
Destroy it, or keep it forever. Those are the only two "safe"
"but i know someone who recycles computer equipment"
You mean they sell it? That's what "recycling" is in the tech
industry. I'd be very wary of anyone willing to "take a drive" off
my hands for me. They aren't going to securely delete it, they're
going to sell it for a few bucks to someone else. They certainly
aren't going to take the time to securely "wipe" the drive. That
takes hours, and lots of power. For a few dollars they are going to
get on the sale?
There are people who offer "shredding" (grinding the drive into
pieces with a big machine) or secure disk disposal. This costs
money. Yes, you will have to pay to get rid of it safely, and then
trust that whomever you pay actually does what they say they are
going to do.
"why do I have to pay to get rid of it? I have very good taste,
and spent a ton of money on that computer. It's worth something"
Never use "cloud based" backups, unless you are OK with the
files being up on the internet. YOU ARE PUTTING THEM ON THE
INTERNET. Cloud based backups are a great place for hackers to
target, lots of stuff there.
if you keep backups, you shouldn't have to ever bring your
computer in with anything on it. If you are in a situation where
you MUST leave the hard drive in the machine to get it serviced,
securely delete (overwrite the drive) and then restore the computer
to the zero day state of when you took it out of the box. This may
require another computer.
If you are in a situation where the drive is cooked(drive
failure), keep the drive, buy a new one, and restore from backups
to the new drive.
This is getting much harder. Getting install disks is very tough
these days. Disk imaging programs are better, but they are also
prone to hardware compatibility issues.
Before you use the computer, make sure you have a good backup
first. This means actually deleting and re-writing the disk from
backups. You don't know if it will work until you try. You don't
want to find out it doesn't work when you are scrambling to get
90% of "computer problems" are disk and/or OS related issues.
Done right, this can save a ton of time, and risk.
I'm 99% positive that apple is probably worse. Apple and time machine are
"cloud" based. No need for the FBI, or paid agents of the FBI, to look at
the physical drive to see your files. All they have to do is look at the
cloud, which may be done with or without apple's help or permission.
Not that apple has any problem cooperating with authoritarian govs-
All of us who work or have worked in consumer-oriented technical service are
well aware that it's an unscalable business. Unless something else is going on
that favors an organization. This doesn't surprise me one bit.
Computerologists and digitologists and coderologists assume that every
American is ( or should be) a computerologist or a digitologist or a
coderologist. Most of us are no such thing. Most of us are various levels
of analog holdovers, helpless and afraid . . . victims of a world we
So what looks like a tempest in a teapot to you might look like
botulism in the beans to many.
In the aughts, the Geek Squad in CA copied our credit card, which we had
used to charge a repair to a laptop, to purchase a trip for two to
Italy took months to get the charge reversed, as they also hacked all our
personal info as well, making it appear that we had indeed booked the trip ..
Well, I'll NEVER use those turds. I haven't actually bought a computer since
1998. Since that time I buy parts and construct my own PC, buy software and
install (or re-install) that, and if there's any problems I do the
fixing/replacing. Now I know to NEVER get lazy and let those asshats do the
work for me.
SSDs. They are harder to delete, in some respects. Some very knowledgeable
people have claimed that it's 1) impossible to wipe an SSD, and 2) it's
impossible to truly encrypt them because of the way that the flash
controllers interface with the computer. I'm not so sure that it's a flaw.
Yves, thanks for posting this – I thought I couldn't be shocked anymore, but
I had no idea this was happening. What's to prevent a Geek Squad employee from
planting compromising material on one's computer, if the FBI wants is out to
get someone? Nothing is ever really deleted, but how do you prove something
wasn't planted? I'm sending this around to my relatives, because they use GS
Actually, doesn't it make PERFECT SENSE that a large chain retail
appliance store with an in-house repair team branded as "geeks" would be
EXACTLY the new Stasi? It's sort of perfect.
It's literally the TV show
, only in the real world, the
CIA is bad, so Chuck is bad, and Buy More is bad. Which really shouldn't be
surprising, if you think about it for two seconds.
On a somewhat related note, the CIA really wants its Russian War, doesn't
it? I can't believe mainstream publications are publishing "golden showers"
allegations about the incoming President. This can't work, can it? And if it
doesn't, won't Trump shut them down the second his hand lifts off the Bible
on Inauguration Day? I'm starting to have a lot of respect for Donald Trump
on a personal level. I mean, I guess he never anticipated facing this degree
of meretricious, toxic nonsense when he got into the race, but he seems to
have been forewarned about today's attack.
"... I'd wager that most people know that cell phones can track their location, hoover up their personal info, record their conversations, etc, etc but that doesn't stop most people from owning one anyway. The populace has been convinced that owning the device that constantly spies on them is a necessity. ..."
"... I've often wondered whether the relatively high difficulty in buying a smartphone with less than two cameras has something to do with the SIGINT Enabling Project. ..."
I'd wager that most people know that cell phones can track their
location, hoover up their personal info, record their conversations, etc,
etc but that doesn't stop most people from owning one anyway. The
populace has been convinced that owning the device that constantly spies
on them is a necessity.
Don't think learning that Echo is doing the same thing would deter
most people from using it. 'Convenience' and all
Fortunately, I can barely hear the person I'm talking to through my
smartphone, so I am not optimistic that it can actually hear me from
someplace else in the house, especially compared to someone's Echo I
have experience with. But point taken.
The microphoneS (often there is an extra mic to cancel ambient
noise) in a phone are exquisitely sensitive. The losses you're
hearing are those from crushing that comparatively high-fidelity
signal into a few thousand bits per second for transmission to/from
the base station.
I've often wondered whether the relatively high difficulty
in buying a smartphone with less than two cameras has something to
do with the SIGINT Enabling Project.
Wonder if Mr. B gave Mr. T and all the other attendees an Echo at Mr.
T's tech summit. ATT and all the other big telcom players all said,
scout's honor, they don't listen in on their customer's phone calls, so
no worries because Fortune 500 companies are such ethical people. That
may even be technically true because the 3 letter agencies and their
minions (human or otherwise) are doing the actual listening. So if you
are too lazy to go to Amazon.com to delete your idle chit chat, I can
sell you a cloth to wipe it with (maybe I'll even list it on Amazon's
on Wednesday December 14, 2016 @05:00AM
Twitter CEO Jack Dorsey
Edward Snowden via Periscope
about the wide world of technology. The NSA
the data that many online companies continue to collect about their users
creating a 'quantified world' -- and more opportunities for government
surveillance," reports TechCrunch. Snowden said, "If you are being tracked,
this is something you should agree to, this is something you should understand,
this is something you should be aware of and can change at any time."
Snowden acknowledged that there's a distinction between
collecting the content of your communication (i.e., what you said during a
phone call) and the metadata (information like who you called and how long it
lasted). For some, surveillance that just collects metadata might seem less
alarming, but in Snowden's view, "That metadata is in many cases much more
dangerous and much more intrusive, because it can be understood at scale." He
added that we currently face unprecedented perils because of all the data
that's now available -- in the past, there was no way for the government to get
a list of all the magazines you'd read, or every book you'd checked out from
the library. "[In the past,] your beliefs, your future, your hopes, your dreams
belonged to you," Snowden said. "Increasingly, these things belong to
companies, and these companies can share them however they want, without a lot
of oversight." He wasn't arguing that companies shouldn't collect user data at
all, but rather that "the people who need to be in control of that are the
users." "This is the central problem of the future, is how do we return control
of our identities to the people themselves?" Snowden said.
Posted by EditorDavid
on Sunday December 11, 2016 @11:34AM
morale at the National Security Agency is causing some of the agency's most
to leave in favor of private sector jobs, former NSA Director Keith
Alexander told a room full of journalism students, professors and cybersecurity
executives Tuesday. The retired general and other insiders say a combination of
economic and social factors -- including negative press coverage -- have played a
part... "I am honestly surprised that some of these people in cyber companies
make up to seven figures. That's five times what the chairman of the Joint
Chiefs of Staff makes. Right? And these are people that are 32 years old. Do
the math. [The NSA] has great competition," he said.
The rate at which these cyber-tacticians are exiting public service has
increased over the last several years and has gotten considerably worse over
the last 12 months, multiple former NSA officials and D.C. area-based
cybersecurity employers have told CyberScoop in recent weeks... In large part,
Alexander blamed the press for propagating an image of the NSA that causes
people to believe they are being spied on at all times by the U.S. government
regardless of their independent actions.
"What really bothers me is that the people of NSA, these folks who take paltry
government salaries to protect this nation, are made to look like they are
doing something wrong," the former NSA Director added. "They are doing exactly
what our nation has asked them to do to protect us. They are the heroes."
Posted by msmash
on Tuesday December 06, 2016 @11:00AM
Security experts consider the aging FTP and Telnet protocols unsafe, and HP has
decided to clamp down on access to networked printers through the remote-access
. From a report on PCWorld:
Some of HP's new business printers
will, by default, be closed to remote access via protocols like FTP and Telnet.
However, customers can activate remote printing access through those protocols
if needed. "HP has started the process of closing older, less-maintained
interfaces including ports, protocols and cipher suites" identified by the U.S.
National Institute of Standards and Technology as less than secure, the company
said in a statement. In addition, HP also announced firmware updates to
existing business printers with improved password and encryption settings, so
hackers can't easily break into the devices.
on Tuesday December 06, 2016 @08:25PM
An anonymous reader quotes a report from BleepingComputer:
For the past two
months, a new exploit kit has been
serving malicious code hidden in the pixels of banner ads via a malvertising
that has been active on several high profile websites.
Discovered by security researchers from ESET, this new exploit kit is named
Stegano, from the word
, which is a technique of hiding content inside other files.
In this particular scenario, malvertising campaign operators hid malicious code
inside PNG images used for banner ads. The crooks took a PNG image and altered
the transparency value of several pixels. They then packed the modified image
as an ad, for which they bought ad displays on several high-profile websites.
Since a large number of advertising networks allow advertisers to deliver
parse the image, extract the pixel transparency values, and using a
mathematical formula, convert those values into a character. Since images have
millions of pixels, crooks had all the space they needed to pack malicious code
inside a PNG photo. When extracted, this malicious code would redirect the user
to an intermediary URL, called gate, where the host server would filter users.
This server would only accept connections from Internet Explorer users. The
reason is that the gate would exploit the CVE-2016-0162 vulnerability that
allowed the crooks to determine if the connection came from a real user or a
reverse analysis system employed by security researchers. Additionally, this IE
exploit also allowed the gate server to detect the presence of antivirus
software. In this case, the server would drop the connection just to avoid
exposing its infrastructure and trigger a warning that would alert both the
user and the security firm. If the gate server deemed the target valuable, then
it would redirect the user to the final stage, which was the exploit kit
itself, hosted on another URL. The Stegano exploit kit would use three Adobe
Flash vulnerabilities (CVE-2015-8651, CVE-2016-1019 or CVE-2016-4117) to attack
the user's PC, and forcibly download and launch into execution various strains
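A defender-side screen for the technique described in this report, as an added example that is not code from ESET, BleepingComputer or the original post: it decodes an 8-bit RGBA PNG and flags banners that look opaque yet carry many distinct alpha values just below 255. The heuristic, its thresholds, all function names and both sample images are assumptions constructed for the illustration.

```python
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def paeth(a, b, c):
    """Paeth predictor, as defined in the PNG specification."""
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c


def read_alpha(png):
    """Return the alpha byte of every pixel of an 8-bit RGBA, non-interlaced PNG."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, header, idat = 8, None, b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IHDR":
            header = struct.unpack(">IIBBBBB", data)
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
    if header is None or header[2:4] != (8, 6) or header[6] != 0:
        raise ValueError("expected an 8-bit RGBA, non-interlaced PNG")
    width, height = header[:2]
    raw, stride = zlib.decompress(idat), width * 4
    if len(raw) != height * (stride + 1):
        raise ValueError("pixel data does not match the declared size")
    prev, alphas = bytearray(stride), []
    for y in range(height):
        start = y * (stride + 1)
        ftype, line = raw[start], bytearray(raw[start + 1:start + 1 + stride])
        if ftype > 4:
            raise ValueError("unknown filter type")
        for i in range(stride):  # undo the per-scanline filter
            a = line[i - 4] if i >= 4 else 0
            b, c = prev[i], (prev[i - 4] if i >= 4 else 0)
            pred = (0, a, b, (a + b) // 2, paeth(a, b, c))[ftype]
            line[i] = (line[i] + pred) & 0xFF
        alphas.extend(line[3::4])
        prev = line
    return alphas


def alpha_report(png, band_floor=240, min_share=0.05, min_entropy=2.0):
    """Score the near-opaque alpha band; thresholds are illustrative assumptions."""
    alphas = read_alpha(png)
    band = [a for a in alphas if band_floor <= a < 255]
    share = len(band) / len(alphas) if alphas else 0.0
    entropy = 0.0
    for n in Counter(band).values():
        entropy -= n / len(band) * math.log2(n / len(band))
    return {"share": share, "entropy": entropy,
            "suspicious": share >= min_share and entropy >= min_entropy}


def png_chunk(ctype, data):
    """Serialise one PNG chunk (used only to build the sample images)."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height, alpha_of):
    """Build a constructed RGBA banner; alpha_of(x, y) gives each pixel's alpha."""
    rows = b"".join(
        b"\x00" + b"".join(bytes((30, 90, 200, alpha_of(x, y))) for x in range(width))
        for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b""))


def clean_banner(size=64):
    """Constructed sample: opaque image with a half-transparent one-pixel border."""
    edge = size - 1
    return make_png(size, size, lambda x, y: 128 if x in (0, edge) or y in (0, edge) else 255)


def noisy_banner(size=64):
    """Constructed sample: random near-opaque alpha values (248..255), no payload."""
    rng = random.Random(2016)
    return make_png(size, size, lambda x, y: 255 - rng.randrange(8))


if __name__ == "__main__":
    print(alpha_report(clean_banner()), alpha_report(noisy_banner()), sep="\n")
```

A flag from this screen is a reason to inspect the creative and any script shipped alongside it, not proof of a hidden payload.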
Posted by msmash
on Wednesday December 07, 2016 @12:20PM
Many network security cameras made by Sony could be taken over by hackers and
infected with botnet malware if their firmware is not updated to the latest
version. Researchers from SEC Consult have
found two backdoor accounts that exist in 80 models of professional Sony
, mainly used by companies and government agencies given
their high price, PCWorld reports. From the article:
One set of hard-coded
credentials is in the Web interface and allows a remote attacker to send
requests that would enable the Telnet service on the camera, the SEC Consult
researchers said in an advisory Tuesday. The second hard-coded password is for
the root account that could be used to take full control of the camera over
Telnet. The researchers established that the password is static based on its
cryptographic hash and, while they haven't actually cracked it, they believe
it's only a matter of time until someone does. Sony released a patch to the
affected camera models last week.
Posted by msmash
on Thursday December 08, 2016 @11:45AM
Yahoo says it has fixed a severe security vulnerability in its email service
that allowed an attacker to read a victim's email inbox. From a report on ZDNet:
The cross-site scripting (XSS) attack only required a victim to view an email
in Yahoo Mail. The internet giant paid out $10,000 to security researcher Jouko
Pynnonen for privately disclosing the flaw through the HackerOne bug bounty. In
a write-up, Pynnonen said that the flaw was similar to last year's Yahoo Mail
bug, which similarly let an attacker compromise a user's account. Yahoo filters
HTML messages to ensure that malicious code won't make it through into the
user's browser, but the researcher found that the filters didn't catch all of
the malicious data attributes.
on Friday December 09, 2016 @05:00AM
quotes a report
from On the Wire:
Malware gangs, like sad wedding bands, love to play
the hits. And one of the hits they keep running back over and over is the Zeus
banking Trojan, which has been in use for many years in a number of different
forms. Researchers have
unearthed a new piece of malware called Floki Bot that is based on the
venerable Zeus source code
and is being used to infect point-of-sale
systems, among other targets. Flashpoint
conducted the analysis
of Floki Bot with Cisco's Talos research team, and
the two organizations said that the author behind the bot maintains a presence
on a number of different underground forums, some of which are in Russian or
other non-native languages for him. Kremez said that attackers sometimes will
participate in foreign language forums as a way to expand their knowledge.
Along with its PoS infection capability, Floki Bot also has a feature that
allows it to use the Tor network to communicate.
"During our analysis of
Floki Bot, Talos identified modifications that had been made to the dropper
mechanism present in the leaked Zeus source code in an attempt to make Floki
Bot more difficult to detect. Talos also observed the introduction of new code
that allows Floki Bot to make use of the Tor network. However, this
functionality does not appear to be active for the time being," Cisco's Talos
said in its analysis
A patch was pushed to the mainline Linux kernel December 2, four days after it
was privately disclosed. Pettersson has developed a proof-of-concept exploit
specifically for Ubuntu distributions, but told Threatpost his attack could be
ported to other distros with some changes. The vulnerability is a race
condition that was discovered in the
implementation in the
Linux kernel, and Pettersson said that a local attacker could exploit the bug
to gain kernel code execution from unprivileged processes. He said the bug
cannot be exploited remotely.
"Basically it's a bait-and-switch," the researcher told Threatpost. "The bug
allows you to trick the kernel into thinking it is working with one kind of
object, while you actually switched it to another kind of object before it
Posted by EditorDavid
on Sunday December 11, 2016 @01:34PM
"By convincing a user to visit a specially crafted web site, a remote attacker
may execute arbitrary commands with root privileges on affected routers," warns
a new vulnerability notice
from Carnegie Mellon University's CERT. Slashdot reader
Ledger's story about certain models of Netgear's routers:
22.214.171.124_1.1.93 (and possibly earlier) for the R7000 and version 126.96.36.199_1.0.4
(and possibly earlier) for the R6400 are known to contain the arbitrary
command injection vulnerability. CERT cited
"community reports" that indicate the R8000, firmware version 188.8.131.52_1.1.2, is
also vulnerable... The flaw was found in new firmware that runs the Netgear
R7000 and R6400 routers. Other models and firmware versions may also be
affected, including the R8000 router, CMU CERT warned.
With no workaround to the flaw, CERT recommended that Netgear customers
disable their wifi router until a software patch from the company that
addressed the hole was available... A search of the public internet using the
Shodan search engine finds around 8,000 R6450 and R7000 devices that can be
reached directly from the Internet and that would be vulnerable to takeover
attacks. The vast majority of those are located in the United States.
Proof-of-concept exploit code was released by a Twitter user who, according to
the article, said "he informed Netgear of the flaw more than four months ago,
but did not hear back from the company since then."
on Wednesday December 14, 2016 @07:45PM
An anonymous reader quotes a report from BleepingComputer:
Malicious ads are serving exploit code to infect routers, instead of
browsers, in order to
insert ads in every site users are visiting. Unlike previous malvertising
campaigns that targeted users of old Flash or Internet Explorer versions, this
campaign focused on Chrome users, on both desktop and mobile devices. The
malicious ads included in this malvertising campaign contain exploit code for
166 router models, which allow attackers to take over the device and insert ads
on websites that didn't feature ads, or replace original ads with the
attackers' own. Researchers
haven't yet managed to determine an exact list of affected router models
but some of the brands targeted by the attackers include Linksys, Netgear,
D-Link, Comtrend, Pirelli, and Zyxel. Because the attack is carried out via the
user's browser, using strong router passwords or disabling the administration
interface is not enough. The only way users can stay safe is if they update
their router's firmware to the most recent versions, which most likely includes
protection against the vulnerabilities used by this campaign.
"campaign" is called DNSChanger EK and works when attackers buy ads on
WebRTC request to a Mozilla STUN server to determine the user's local IP
address," according to BleepingComputer. "Based on this local IP address, the
malicious code can determine if the user is on a local network managed by a
small home router, and continue the attack. If this check fails, the attackers
just show a random legitimate ad and move on. For the victims the crooks deem
valuable, the attack chain continues. These users receive a tainted ad which
redirects them to the DNSChanger EK home, where the actual exploitation begins.
The next step is for the attackers to send an image file to the user's browser,
which contains an AES (encryption algorithm) key embedded inside the photo
using the technique of steganography. The malicious ad uses this AES key to
decrypt further traffic it receives from the DNSChanger exploit kit. Crooks
encrypt their operations to avoid the prying eyes of security researchers."
on Wednesday December 14, 2016 @08:25PM
An anonymous reader quotes a report from Motherboard:
The Shadow Brokers --
a hacker or group of hackers that stole computer exploits from the National
Security Agency -- has been quiet for some time. After their auction and
crowd-funded approach for selling the exploits met a lukewarm reception, the
group seemingly stopped posting new messages in October. But a newly uncovered
website, which includes a file apparently signed with The Shadow Brokers'
cryptographic key, suggests the group is trying to sell hacking tools
directly to buyers one by one, and a cache of
files appears to include more information on specific exploits. On Wednesday,
someone calling themselves Boceffus Cleetus
published a Medium post
called "Are the Shadow Brokers selling NSA tools on
ZeroNet?" Cleetus, who has
an American flag with
as their profile picture, also tweeted the post from a Twitter
account created this month. The site includes a long list of supposed items for
sale, with names like ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. Each is sorted
into a type, such as "implant," "trojan," and "exploit," and comes with a price
tag between 1 and 100 bitcoins ($780 -- $78,000). Customers can purchase the
whole lot for 1000 bitcoins ($780,000). The site also lets visitors download a
selection of screenshots and files related to each item. Along with those is a
file signed with a PGP key with an identical fingerprint to that linked to the
original Shadow Brokers dump of exploits from August. This newly uncovered file
was apparently signed on 1 September; a different date to any of The Shadow
previously signed messages
Posted by EditorDavid
on Saturday December 17, 2016 @10:34AM
The Department of Homeland Security's CERT issued a warning last week that
not using some models of NetGear routers, and the list expanded
this week to include 11 different models. Netgear's now updated their web page,
announcing eight "beta" fixes, along with three more "production" fixes.
company said the new [beta] firmware has not been fully tested and "
not work for all users
." The company offered it as a "temporary solution"
to address the security hole. "Netgear is working on a production firmware
version that fixes this command injection vulnerability and will release it as
quickly as possible," the company said in a post to its online knowledgebase.
The move follows publication of a warning from experts at Carnegie Mellon on
December 9 detailing a serious "arbitrary command injection" vulnerability in
the latest version of firmware used by a number of Netgear wireless routers.
The security hole could allow a remote attacker to take control of the router
by convincing a user to visit a malicious web site... The vulnerability was
discovered by an individual...who says he contacted Netgear about the flaw
four months ago, and went public with
information on it after the company failed to address the issue on its own.
Posted by EditorDavid
on Saturday December 17, 2016 @06:34PM
"Following a failed takedown attempt, changes made to the Mirai malware variant
responsible for building one of today's biggest botnets of IoT devices will
make it incredibly harder for authorities and security firms to shut it down,"
reports Bleeping Computer. An anonymous reader writes:
Level3 and others"
have been very close to taking down one of the biggest Mirai botnets around,
the same one that attempted to
knock the Internet offline in Liberia
, and also hijacked 900,000 routers
German ISP Deutsche Telekom. The botnet narrowly escaped due to the fact
that its maintainer, a hacker known as BestBuy, had implemented a
domain-generation algorithm to generate random domain names where he hosted his
Currently, to avoid further takedown attempts from similar security firms,
started moving the botnet's command and control servers to Tor. "It's all
good now. We don't need to pay thousands to ISPs and hosting. All we need is
one strong server," the hacker said. "Try to shut down .onion 'domains' over
Tor," he boasted, knowing that nobody can.
Posted by EditorDavid
on Sunday December 18, 2016 @02:34PM
Less than four weeks after Microsoft formally acquired LinkedIn for
$26 billion, there's been a database breach. An
anonymous reader writes:
LinkedIn is sending emails to 9.5 million users of
Lynda.com, its online learning subsidiary,
warning the users of a database breach by "an unauthorized third party".
The affected database included contact information for at least some of the
users. An email to customers says "while we have no evidence that your specific
account was accessed or that any data has been made publicly available, we
wanted to notify you as a precautionary measure." Ironically, the breach comes
less than a month after Russia blocked access to LinkedIn over privacy concerns.
LinkedIn has also reset the passwords for 55,000 Lynda.com accounts (though
apparently many of its users don't have accounts with passwords).
Posted by EditorDavid
on Sunday December 18, 2016 @04:44PM
This week the FBI arrested a 26-year-old southern California man for launching
a DDoS attack against online chat service Chatango at the end of 2014 and in
early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire"
services. An anonymous reader writes:
Sean Krishanmakoto Sharma, a computer
science graduate student at USC, is now
facing up to 10 years in prison
and/or a fine of up to $250,000.
describe a service called Xtreme Stresser as "basically a
Linux botnet DDoS tool," and allege that Sharma rented it for an attack on
Chatango, an online chat service. "Sharma is now free on a $100,000 bail,"
reports Bleeping Computer, adding "As part of his bail release agreement,
Sharma is banned from accessing certain sites such as HackForums and tools such
"Sharma's arrest is part of
a bigger operation against DDoS-for-Hire services, called Operation Tarpit,"
the article points out. "Coordinated by Europol, Operation Tarpit took place
between December 5 and December 9, and concluded with the arrest of 34 users of
DDoS-for-hire services across the globe, in countries such as Australia,
Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal,
Romania, Spain, Sweden, the United Kingdom and the United States." It grew out
of an earlier investigation into a U.K.-based DDoS-for-hire service which had
400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.
Most of the other suspects arrested were under the age of 20.
on Thursday December 22, 2016 @06:25PM
quotes a report from
A hacking group linked to the Russian government and high-profile
cyber attacks against Democrats during the U.S. presidential election likely
malware implant on Android devices to track and target Ukrainian artillery
from late 2014 through 2016, according to a
released Thursday. The malware was able to retrieve
communications and some locational data from infected devices, intelligence
that would have likely been used to strike against the artillery in support of
pro-Russian separatists fighting in eastern Ukraine, the report from cyber
security firm CrowdStrike found. The hacking group, known commonly as Fancy
Bear or APT 28, is believed by U.S. intelligence officials to work primarily on
behalf of the GRU, Russia's military intelligence agency. The implant leveraged
a legitimate Android application developed by a Ukrainian artillery officer to
process targeting data more quickly, CrowdStrike said. Its deployment "extends
Russian cyber capabilities to the front lines of the battlefield," the report
said, and "could have facilitated anticipatory awareness of Ukrainian artillery
force troop movement, thus providing Russian forces with useful strategic
on Thursday November 24, 2016 @08:00AM
As if we don't already have enough devices that can listen in on our
conversations, security researchers at Israel's Ben Gurion University have
created malware that will turn your headphones into microphones
slyly record your conversations. TechCrunch reports:
turned headphones connected to a PC into microphones and then tested the
quality of sound recorded by a microphone vs. headphones on a target PC. In
short, the headphones were nearly as good as an unpowered microphone at picking
up audio in a room. It essentially "retasks" the RealTek audio codec chip
output found in many desktop computers into an input channel. This means you
can plug your headphones into a seemingly output-only jack and hackers can
still listen in. This isn't a driver fix, either. The embedded chip does not
allow users to properly prevent this hack which means your earbuds or nice cans
could start picking up conversations instantly. In fact, even if you disable
your microphone, a computer with a RealTek chip could still be hacked and
exploited without your knowledge. The sound quality, as shown by this chart, is
pretty much the same for a dedicated microphone and headphones.
published a video
on YouTube demonstrating how this malware works.
Posted by msmash
on Thursday November 24, 2016 @10:04AM
Hackers gained access to sensitive information, including Social Security
134,386 current and former U.S. sailors, the U.S. Navy has said
It said a laptop used by a Hewlett Packard Enterprise Services
employee working on a U.S. Navy contract was hacked. Hewlett Packard informed
the Navy of the breach on Oct. 27 and the affected sailors will be notified in
the coming weeks, the Navy said. "The Navy takes this incident extremely
seriously - this is a matter of trust for our sailors," Chief of Naval
Personnel Vice Admiral Robert Burke said in a statement.
on Tuesday November 29, 2016 @09:05PM
An anonymous reader quotes a report from Ars Technica:
The attacker who
infected servers and desktop computers
at the San Francisco Metropolitan
Transit Agency (SFMTA) with ransomware on November 25 apparently
gained access to the agency's network by way of a known vulnerability in an
Oracle WebLogic server. That vulnerability is similar to the one used to
hack a Maryland hospital network's systems in April and infect multiple
hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't
specifically targeted by the attackers; the agency just came up as a target of
opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA
spokesperson Paul Rose said that on November 25, "we became aware of a
potential security issue with our computer systems, including e-mail." The
ransomware "encrypted some systems mainly affecting computer workstations," he
said, "as well as access to various systems. However, the SFMTA network was not
breached from the outside, nor did hackers gain entry through our firewalls.
Muni operations and safety were not affected. Our customer payment systems were
not hacked. Also, despite media reports, no data was accessed from any of our
servers." That description of the ransomware attack is not consistent with some
of the evidence of previous ransomware attacks by those behind the SFMTA
incident -- which Rose said primarily affected about 900 desktop computers
throughout the agency. Based on communications uncovered from the ransomware
operator behind the Muni attack published by security reporter Brian Krebs,
an SFMTA Web-facing server was likely
compromised by what is referred to as a "deserialization" attack after it was
identified by a vulnerability scan. A security researcher told Krebs that he
had been able to gain access to the mailbox used in the malware attack on the
Russian e-mail and search provider Yandex by guessing its owner's security
question, and he provided details from the mailbox and another linked mailbox
on Yandex. Based on details found in e-mails for the accounts, the attacker ran
a server loaded with open source vulnerability scanning tools to identify and
compromise servers to use in spreading the ransomware, known as HDDCryptor
and Mamba, within multiple organizations' networks.
Posted by msmash
on Friday December 02, 2016 @12:20PM
Russia said on Friday it had uncovered a plot by foreign spy agencies to sow
chaos in Russia's banking system via a coordinated wave of cyber attacks and
fake social media reports about banks. From a report on Reuters:
Russia's domestic intelligence
agency, the Federal Security Service (FSB), said that the servers to be used in
the alleged cyber attack were located in the Netherlands and registered to a
Ukrainian web hosting company called BlazingFast. The attack, which was to
target major national and provincial banks in several Russian cities, was meant
to start on Dec. 5, the FSB said in a statement. "It was planned that the cyber
attack would be accompanied by a mass send-out of SMS messages and publications
in social media of a provocative nature regarding a crisis in the Russian
banking system, bankruptcies and license withdrawals," it said. "The FSB is
carrying out the necessary measures to neutralize threats to Russia's economic
and information security."
Posted by EditorDavid
on Sunday December 04, 2016 @02:39PM
After being let go over a series of "personal issues" with his employer, things
got worse for 26-year-old network administrator Dariusz J. Prugar, who will now
have to spend two years in prison for hacking the ISP where he'd worked. An
anonymous reader writes:
used his old credentials to log into the ISP's network and "take back" some of
and software he wrote... "Seeking to hide his tracks, Prugar
used an automated script that deleted various logs," reports Bleeping Computer.
"As a side effect of removing some of these files, the ISP's systems crashed,
affecting over 500 businesses and over 5,000 residential customers."
When the former ISP couldn't fix the issue, they asked Prugar to help. "During
negotiations, instead of requesting money as payment, Prugar insisted that he'd
be paid using the rights to the software and scripts he wrote while at the
company, software which was now malfunctioning, a week after he left." This
tipped off the company, who detected foul play, contacted the FBI and rebuilt
its entire network.
Posted by EditorDavid
on Sunday December 04, 2016 @07:39AM
quotes The Independent:
Criminals can work out the card number, expiration date, and security code for
a Visa debit or credit card in as little as six seconds using guesswork,
researchers have found...
Fraudsters use a so-called Distributed Guessing Attack to get around security
features put in place to stop online fraud, and this may have been the method
the recent Tesco Bank hack
According to a study published in the academic journal IEEE Security & Privacy,
fraudsters could use computers to systematically
variations of security data at hundreds of websites simultaneously
seconds, by a process of elimination, the criminals could verify the correct
card number, expiration date and the three-digit security number on the back of
One of the researchers explained this attack combines two weaknesses into one
powerful attack. "Firstly, current online payment systems do not detect
multiple invalid payment requests from different websites... Secondly,
different websites ask for different variations in the card data fields to
validate an online purchase. This means it's quite easy to build up the
information and piece it together like a jigsaw puzzle."
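The first weakness the researcher names, invalid attempts going unnoticed when they are spread over many websites, is a correlation gap that only the issuer or payment network can close. The sketch below is an added example, not code from the study or the article: it groups declined authorisations per card across merchants in a sliding window and contrasts that with what any single merchant sees. The log format, field names, thresholds and every log line are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed issuer-side authorisation log, one attempt per line:
    timestamp, merchant, card token, rejected field ('-' if none), result."""
    base = datetime(2016, 12, 4, 7, 0, 0)
    rows = []
    # tok_A: a different merchant every second, varying expiry first, then CVV.
    for i in range(12):
        field = "expiry" if i < 8 else "cvv"
        rows.append((base + timedelta(seconds=i), f"shop-{i:02d}", "tok_A", field, "DECLINED"))
    # tok_B: a customer mistyping the CVV twice at one shop, then succeeding.
    rows.append((base + timedelta(seconds=2), "shop-03", "tok_B", "cvv", "DECLINED"))
    rows.append((base + timedelta(seconds=5), "shop-03", "tok_B", "cvv", "DECLINED"))
    rows.append((base + timedelta(seconds=9), "shop-03", "tok_B", "-", "APPROVED"))
    # tok_C: two declines at different shops, an hour apart.
    rows.append((base, "shop-20", "tok_C", "expiry", "DECLINED"))
    rows.append((base + timedelta(hours=1), "shop-21", "tok_C", "expiry", "DECLINED"))
    rows.sort(key=lambda r: r[0])
    return [f"{ts.isoformat()} {m} {card} {field} {result}"
            for ts, m, card, field, result in rows]


def detect_distributed_guessing(lines, window=timedelta(seconds=30),
                                min_declines=10, min_merchants=5):
    """Return {card_token: evidence} for cards whose declines, inside one
    sliding window, are both numerous and spread over many merchants.

    Assumes the lines arrive in time order. Thresholds are illustrative.
    """
    recent = defaultdict(deque)  # card token -> declines still inside the window
    alerts = {}
    for line in lines:
        ts_text, merchant, card, field, result = line.split()
        if result != "DECLINED":
            continue
        ts = datetime.fromisoformat(ts_text)
        queue = recent[card]
        queue.append((ts, merchant, field))
        while ts - queue[0][0] > window:  # drop declines that aged out
            queue.popleft()
        merchants = {m for _, m, _ in queue}
        if len(queue) >= min_declines and len(merchants) >= min_merchants:
            alerts[card] = {
                "window_start": queue[0][0].isoformat(),
                "declines": len(queue),
                "merchants": len(merchants),
                "fields_probed": sorted({f for _, _, f in queue}),
            }
    return alerts


def worst_single_merchant_view(lines, card):
    """Largest number of declines any one merchant sees for this card."""
    per_merchant = defaultdict(int)
    for line in lines:
        _, merchant, token, _, result = line.split()
        if token == card and result == "DECLINED":
            per_merchant[merchant] += 1
    return max(per_merchant.values(), default=0)


if __name__ == "__main__":
    log = build_sample_log()
    for card, evidence in detect_distributed_guessing(log).items():
        print("ALERT", card, evidence)
    for card in ("tok_A", "tok_B"):
        print(card, "max declines at one merchant:", worst_single_merchant_view(log, card))
```

In the constructed data the guessed card never exceeds one decline at any single merchant, fewer than the customer who mistyped a CVV, which is why per-site attempt limits alone do not surface this pattern.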
"... this will probably be in tomorrow's washington post. "how putin sabotaged the election by hacking yahoo mail". and "proton" and "putin" are 2 syllable words beginning with "p", which is dispositive according to experts who don't want to be indentified. ..."
"... [Neo]Liberals have gone truly insane, I made the mistake of trying to slog through the comments the main "putin did it" piece on huffpo out of curiosity. Big mistake, liberals come across as right wing nutters in the comments, I never knew they were so very patriotic, they never really expressed it before. ..."
"... Be sure and delete everything from your Yahoo account BEFORE you push the big red button. They intentionally wait 90 days to delete the account in order that ECPA protections expire and content can just be handed over to the fuzz. ..."
"... It's a good thing for Obama that torturing logic and evasive droning are not criminal acts. ..."
"... "Relations with Russia have declined over the past several years" I reflexively did a Google search. Yep, Victoria Nuland is still employed. ..."
"... With all the concern expressed about Russian meddling in our election process why are we forgetting the direct quid pro quo foreign meddling evidenced in the Hillary emails related to the seldom mentioned Clinton Foundation or the more likely meddling by local election officials? Why have the claims of Russian hacking received such widespread coverage in the Press? ..."
"... I watched it too and agree with your take on it. For all the build up about this press conference and how I thought we were going to engage in direct combat with Russia for these hacks (or so they say it is Russia, I still wonder about that), he did not add any fuel to this fire. ..."
"... The whole thing was silly – the buildup to this press conference and then how Obama handled the hacking. A waste of time really. I don't sense something is going on behind the scenes but it is weird that the news has been all about this Russian hacking. He did not get into the questions about the Electoral College either and he made it seem like Trump indeed is the next President. I mean it seems like the MSM was making too much about this issue but then nothing happened. ..."
this will probably be in tomorrow's washington post. "how putin sabotaged the election
by hacking yahoo mail". and "proton" and "putin" are 2 syllable words beginning with "p",
which is dispositive according to experts who don't want to be identified.
[Neo]Liberals have gone truly insane, I made the mistake of trying to slog through the
comments the main "putin did it" piece on huffpo out of curiosity. Big mistake, liberals come
across as right wing nutters in the comments, I never knew they were so very patriotic, they never
really expressed it before.
Be sure and delete everything from your Yahoo account BEFORE you push the big red button. They
intentionally wait 90 days to delete the account in order that ECPA protections expire and content
can just be handed over to the fuzz.
I don't think I've looked at my yahoo account in 8-10 years and I didn't use their email; just
had an address. I don't remember my user name or password. I did get an email from them (to my
not-yahoo address) advising of the breach.
I was amazed as I watched a local am news show in Pittsburgh recommend adding your cell phone
number in addition to changing your password. Yeah, that's a great idea, maybe my ss# would provide
even more security.
I use yahoo email. Why should I move? As I understood the breach it was primarily a breach
of the personal information used to establish the account. I've already changed my password -
did it a couple of days after the breach was reported. I had a security clearance with DoD which
requires disclosure of a lot more personal information than yahoo had. The DoD data has been breached
twice from two separate servers.
As far as reading my emails - they may prove useful for phishing but that's about all. I'm
not sure what might be needed for phishing beyond a name and email address - easily obtained from
many sources I have no control over.
So - what am I vulnerable to by remaining at yahoo that I'm not already exposed to on a more
Are you referring to Obama's press conference? If so, I am glad he didn't make a big deal out
of the Russian hacking allegations - as in it didn't sound like he planned a retaliation for the
fictional event and its fictional consequences. He rose slightly in stature in my eyes - he's
almost as tall as a short flea.
With all the concern expressed about Russian meddling in our election process why are we forgetting
the direct quid pro quo foreign meddling evidenced in the Hillary emails related to the seldom
mentioned Clinton Foundation or the more likely meddling by local election officials? Why have
the claims of Russian hacking received such widespread coverage in the Press?
Why is a lameduck
messing with the Chinese in the South China sea? What is the point of all the "fake" news hogwash?
Is it related to Obama's expression of concern about the safety of the Internet? I can't shake
the feeling that something is going on below the surface of these murky waters.
I watched it too and agree with your take on it. For all the build up about this press conference
and how I thought we were going to engage in direct combat with Russia for these hacks (or so
they say it is Russia, I still wonder about that), he did not add any fuel to this fire.
respond at one point to a reporter that the hacks from Russia were to the DNC and Podesta but
funny how he didn't say HRC emails. Be it as it may, I think what was behind it was HRC really
trying to impress all her contributors that Russia really did do her in, see Obama said so, since
she must be in hot water over all the money she has collected from foreign governments for pay
to play and her donors.
The whole thing was silly – the buildup to this press conference and then
how Obama handled the hacking. A waste of time really. I don't sense something is going on behind
the scenes but it is weird that the news has been all about this Russian hacking. He did not get
into the questions about the Electoral College either and he made it seem like Trump indeed is
the next President. I mean it seems like the MSM was making too much about this issue but then
nothing happened.
Unfortunately the nightly news is focusing on Obama says Russia hacked the DNC and had it in
for Clinton!!! He warned them to stay out of the vote! There will be consequences! Russia demands
the evidence and then a story about the evidence. (This one might have a few smarter people going
"huh, that's it?!?!")
I do like the some private some public on that consequences and retaliation thing. You either
have to laugh or throw up about the faux I've got this and the real self-righteousness. Especially
since it is supposedly to remind people we can do it to you. Is there anyone left outside of America
who doesn't think they already do do it to anyone Uncle Sam doesn't want in office and even some
they do? Mind you I'm not sure how many harried people watching the news are actually going to
laugh at that one because they don't know how much we meddle.
Given that the Donald Trump victory already made Yahoo less attractive for
Verizon, the latest billion-account-hack at Yahoo could let Verizon dump their
buy-out and still collect a
$145 million break-up fee.
Yahoo's stock plunged
over 6 percent after the company
admitted its customer data had been hacked again, with at least 1 billion
accounts exposed in 2014. The horribly bad news for Yahoo followed an equally bad
news report in September that
500 million e-mail accounts were hacked in 2013. Yahoo unfortunately now has
the distinction of suffering both of history's largest client hacks.
Verizon's top lawyer told reporters after the first Yahoo hack that the
disclosure constituted a "potential material adverse event" that would
allow for the mobile powerhouse to pull out of the $4.83 billion deal they
announced on July 25, 2016.
Less than 24 hours after Yahoo
even larger hack of client accounts by a "state-sponsored actor," Bloomberg
that Verizon is "exploring a price cut or possible exit" from its
proposed Yahoo acquisition.
reported that Google and other Silicon Valley companies were huge corporate
winners when Chairman Tom Wheeler and the other two Democrat political appointees
on the FCC voted on a party-line vote in mid-February 2015 for a new regulatory
structure called '
' Although Wheeler claimed, "bright-line rules will ban paid prioritization, and the blocking and
throttling of lawful content and services," they were a huge economic disaster for
Verizon's high-speed broadband business model.
Verizon responded last year by paying
$4.4 billion to buy AOL in order to pick up popular news sites, large
advertising business, and more than 2 million Internet dial-up subscribers. Buying
Yahoo was expected to give the former telephone company to achieve "scale" by
controlling a second web content pioneer.
After President and CEO Marissa Mayer began organizing an auction in March,
Yahoo stock doubled from $26 a share to $51 by September. But she announced on
Wednesday the new hack, Yahoo's stock has been plunging to $38.40 in after-market
The buyer normally has to pay a break-up fee if an acquisition fails. But Yahoo
chose to run its own
auction that "communicated with a total of 51 parties to evaluate their
interest in a potential transaction." Then between February and April 2016, a
"short list" of "32 parties signed confidentiality agreements with Yahoo
including 10 strategic parties and 22 financial sponsors."
13D proxy statement filed with the SEC was mostly boilerplate disclosure, but
it seemed that something must have been a potential problem at Yahoo for the
company to offer a $145 million termination fee to Verizon if the deal did not
Yahoo on Wednesday issued a statement saying personal information from more
than a billion user accounts was stolen in 2014. The news followed the company's
announcement in September that hackers had stolen personal data from at least half
a billion accounts in 2013. Yahoo said it believes the two thefts were by
Yahoo admitted that both hacks were so extensive that they included users'
names, email addresses, phone numbers, dates of birth, scrambled passwords and
security questions and answers. But Yahoo stated, "Payment card data and bank
account information are not stored in the system the company believes was affected
Yahoo said they have invalidated unencrypted security questions and answers in
user accounts. They are in the process of notifying potentially affected users and
are requiring them to change their passwords.
Yahoo was already facing nearly two dozen class-action lawsuits over the first
breach and the company's failure to report it on a timely basis. A federal 3 judge
panel last week consolidated 5 of the suits into a mass tort in the San Jose U.S.
Undoubtedly, there will be a huge number of user lawsuits filed against Yahoo
in the next few weeks.
Yahoo has discovered a 3-year-old security breach that enabled a hacker to compromise more than 1
billion user accounts, breaking the company's own humiliating record for the biggest security breach
The digital heist disclosed Wednesday occurred in August 2013, more than a year before a separate
hack that Yahoo announced nearly three months ago. That breach affected at least 500 million users,
which had been the most far-reaching hack until the latest revelation.
Yahoo has more than a billion monthly active users, although some have multiple accounts and others
have none at all. An unknown number of accounts were affected by both hacks.
In both attacks, the stolen information included names, email addresses, phone numbers, birthdates
and security questions and answers. The company says it believes bank-account information and payment-card
data were not affected.
"... the world's largest private surveillance operation ..."
"... Ha! I wish I'd thought of that line! I just laughed out loud on the train and my fellow commuter drones are shuffling and wondering to themselves if I'm on day release from an institution. ..."
"... Of course, the joke's on us, because that's exactly what they (Google) are with all the right friends in high places to boot ..."
"... Something that has been occurring lately with Chrome makes me think that Google is truly watching. A lot of sites (RT et al) are having the https// crossed out in red implying that the connection is no longer secure. ..."
Something that has been occurring lately with Chrome makes me think that Google is truly
watching. A lot of sites (RT et al) are having the https// crossed out in red implying that the
connection is no longer secure.
Probably TOR but I would caution
this is far from foolproof and may even incur The Panopticon's more intrusive surveillance attention.
I value my privacy as much as anyone but I don't use TOR or similar simply because if they
are not a guaranteed solution, what's the point? And besides, why should I have to? It's just
another tax on my time and resources.
"... A loss of the expectation of privacy in communications is a loss of something personal and intimate, and it will have broader implications. ..."
"... Mr. Hentoff sees the surveillance state as a threat to free speech, too ..."
"... An entrenched surveillance state will change and distort the balance that allows free government to function successfully. ..."
"... "When you have this amount of privacy invasion put into these huge data banks, who knows what will come out?" ..."
"... Asked about those attempts, he mentions the Alien and Sedition Acts of 1798, the Red Scare of the 1920s and the McCarthy era. Those times and incidents, he says, were more than specific scandals or news stories, they were attempts to change our nature as a people. ..."
"... What of those who say they don't care what the federal government does as long as it keeps us safe? The threat of terrorism is real, Mr. Hentoff acknowledges. Al Qaeda is still here, its networks are growing. But you have to be careful about who's running U.S. intelligence and U.S. security, and they have to be fully versed in and obey constitutional guarantees. ..."
"... Mr. Hentoff notes that J. Edgar Hoover didn't have all this technology. "He would be so envious of what NSA can do." ..."
...Among the pertinent definitions of privacy from the Oxford English Dictionary: "freedom from
disturbance or intrusion," "intended only for the use of a particular person or persons," belonging
to "the property of a particular person." Also: "confidential, not to be disclosed to others." Among
others, the OED quotes the playwright Arthur Miller, describing the McCarthy era: "Conscience was
no longer a private matter but one of state administration."
Privacy is connected to personhood. It has to do with intimate things – the innards of your head
and heart, the workings of your mind – and the boundary between those things and the world outside.
A loss of the expectation of privacy in communications is a loss of something personal and
intimate, and it will have broader implications. That is the view of Nat Hentoff, the great
journalist and civil libertarian. He is 88 now and on fire on the issue of privacy. "The media has
awakened," he told me. "Congress has awakened, to some extent." Both are beginning to realize "that
there are particular constitutional liberty rights that [Americans] have that distinguish them from
all other people, and one of them is privacy."
Mr. Hentoff sees excessive government surveillance as violative of the Fourth Amendment, which
protects "the right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures" and requires that warrants be issued only "upon probable cause
. . . particularly describing the place to be searched, and the persons or things to be seized."
But Mr. Hentoff sees the surveillance state as a threat to free speech, too. About a
year ago he went up to Harvard to speak to a class. He asked, he recalled: "How many of you realize
the connection between what's happening with the Fourth Amendment with the First Amendment?" He told
the students that if citizens don't have basic privacies – firm protections against the search and
seizure of your private communications, for instance – they will be left feeling "threatened." This
will make citizens increasingly concerned "about what they say, and they do, and they think." It
will have the effect of constricting freedom of expression. Americans will become careful about what
they say that can be misunderstood or misinterpreted, and then too careful about what they say that
can be understood. The inevitable end of surveillance is self-censorship.
All of a sudden, the room became quiet. "These were bright kids, interested, concerned, but they
hadn't made an obvious connection about who we are as a people." We are "free citizens in a self-governing
Mr. Hentoff once asked Justice William Brennan "a schoolboy's question": What is the most important
amendment to the Constitution? "Brennan said the First Amendment, because all the other ones come
from that. If you don't have free speech you have to be afraid, you lack a vital part of what it
is to be a human being who is free to be who you want to be." Your own growth as a person will in
time be constricted, because we come to know ourselves by our thoughts.
He wonders if Americans know who they are compared to what the Constitution says they are.
Mr. Hentoff's second point: An entrenched surveillance state will change and distort the balance
that allows free government to function successfully. Broad and intrusive surveillance will,
definitively, put government in charge. But a republic only works, Mr. Hentoff notes, if public officials
know that they – and the government itself – answer to the citizens. It doesn't work, and is distorted,
if the citizens must answer to the government. And that will happen more and more if the government
knows – and you know – that the government has something, or some things, on you. "The bad thing is you
no longer have the one thing we're supposed to have as Americans living in a self-governing republic,"
Mr. Hentoff said. "The people we elect are not your bosses, they are responsible to us." They must
answer to us. But if they increasingly control our privacy, "suddenly they're in charge if they know
what you're thinking."
This is a shift in the democratic dynamic. "If we don't have free speech then what can we do if
the people who govern us have no respect for us, may indeed make life difficult for us, and in fact
If massive surveillance continues and grows, could it change the national character? "Yes, because
it will change free speech."
What of those who say, "I have nothing to fear, I don't do anything wrong"? Mr. Hentoff suggests
that's a false sense of security.
"When you have this amount of privacy invasion put into these huge data banks, who knows
what will come out?"
Or can be made to come out through misunderstanding the data, or finagling, or mischief of one
sort or another.
"People say, 'Well I've done nothing wrong so why should I worry?' But that's too easy a way
to get out of what is in our history – constant attempts to try to change who we are as Americans."
Asked about those attempts, he mentions the Alien and Sedition Acts of 1798, the Red Scare
of the 1920s and the McCarthy era. Those times and incidents, he says, were more than specific scandals
or news stories, they were attempts to change our nature as a people.
What of those who say they don't care what the federal government does as long as it keeps
us safe? The threat of terrorism is real, Mr. Hentoff acknowledges. Al Qaeda is still here, its networks
are growing. But you have to be careful about who's running U.S. intelligence and U.S. security,
and they have to be fully versed in and obey constitutional guarantees.
"There has to be somebody supervising them who knows what's right. . . . Terrorism is not going
to go away. But we need someone in charge of the whole apparatus who has read the Constitution."
Advances in technology constantly up the ability of what government can do. Its technological
expertise will only become deeper and broader.
"They think they're getting to how you think. The technology is such that with the masses of
databases, then privacy will get even weaker."
Mr. Hentoff notes that J. Edgar Hoover didn't have all this technology. "He would be so envious
of what NSA can do."
"... Far from being seen as the guardian of a free and open online medium, the US has been painted as an oppressor, cynically using its privileged position to spy on foreign nationals. The result, warn analysts, could well be an acceleration of a process that has been under way for some time as other countries ringfence their networks to protect their citizens' data and limit the flow of information. ..."
"... At the most obvious level, the secret data-collection efforts being conducted by the US National Security Agency threaten to give would-be censors of the internet in authoritarian countries rhetorical cover as they put their own stamp on their local networks. ..."
"... But the distrust of the US that the disclosures are generating in the democratic world, including in Europe, are also likely to have an impact. From the operation of a nation's telecoms infrastructure to the regulation of the emerging cloud computing industry, changes in the architecture of networks as countries seek more control look set to cause a sea change in the broader internet. ..."
Far from being seen as the guardian of a free and open online medium, the US has been painted as
an oppressor, cynically using its privileged position to spy on foreign nationals. The result, warn
analysts, could well be an acceleration of a process that has been under way for some time as other
countries ringfence their networks to protect their citizens' data and limit the flow of information.
"It is difficult to imagine the internet not becoming more compartmentalised and Balkanised," says
Rebecca MacKinnon, an expert on online censorship. "Ten years from now, we will look back on the
free and open internet" with nostalgia, she adds.
At the most obvious level, the secret data-collection efforts being conducted by the US National
Security Agency threaten to give would-be censors of the
internet in authoritarian countries rhetorical cover as they put their own stamp on their local
networks.
But the distrust of the US that the disclosures are generating in the democratic world, including
in Europe, are also likely to have an impact. From the operation of a nation's telecoms infrastructure
to the regulation of the emerging cloud computing industry, changes in the architecture of networks
as countries seek more control look set to cause a sea change in the broader internet.
Two weeks ago, the Guardian began publishing a series of eye-opening revelations about the National
Security Agency and its surveillance
efforts both in the United States
and overseas. These stories raised long-moribund and often-ignored questions about the pervasiveness
of government surveillance and the extent to which privacy rights are being violated by this secret
and seemingly unaccountable security apparatus.
However, over the past two weeks, we've begun to get a clearer understanding of the story and
the implications of what has been published – informed in part by a new-found (if forced upon them)
transparency from the intelligence community. So here's one columnist's effort to sort the wheat
from the chaff and offer a few answers to the big questions that have been raised.
These revelations are a big deal, right?
To fully answer this question, it's important to clarify the revelations that have sparked such
controversy. The Guardian (along with the Washington Post) has broken a number of stories, each of
which tells us very different things about what is happening inside the US government around matters
of surveillance and cyber operations. Some are relatively mundane, others more controversial.
The story that has shaped press coverage and received the most attention was the first one – namely,
the publication of a judicial order from the
Fisa court to Verizon that
indicated the US is "hoovering" up millions of phone records (so-called "metadata") into a giant
NSA database. When it broke, the
story was quickly portrayed as a frightening tale of government overreach and violation of privacy
rights. After all, such metadata – though it contains no actual content – can be used rather easily
as a stepping-stone to more intrusive forms of surveillance.
But what is the true extent of the story here: is this picture of government Big Brotherism correct
or is this massive government surveillance actually quite benign?
First of all, such a collection of data is not, in and of itself, illegal. The
was clearly acting within the constraints of federal law and received judicial approval for this
broad request for data. That doesn't necessarily mean that the law is good or that the
government's interpretation of that law is not too broad, but unlike the Bush "warrantless wiretapping"
stories of several years ago, the US government is here acting within the law.
The real question that should concern us is one raised by the
TV writer David Simon in a widely cited blogpost looking at the issues raised by the Guardian's
"Is government accessing the data for the legitimate public safety needs of the society, or
are they accessing it in ways that abuse individual liberties and violate personal privacy – and
in a manner that is unsupervised."
We know, for example, that the NSA is required to abide by laws that prevent the international
targeting of American citizens (you can
read more about that
here). So, while metadata about phone calls made can be used to discover information about the
individuals making the calls, there are "minimization" rules, procedures and laws that guide the
use of such data and prevent possible abuse and misuse of protected data.
Sure, the potential for abuse exists – but so, too, does the potential for the lawful use of metadata
in a way that protects the privacy of individual Americans – and also assists the US government in
pursuit of potential terrorist suspects. Of course, without information on the specific procedures
used by the NSA to minimize the collection of protected data, it is impossible to know that no laws
are being broken or no abuse is occurring.
In that sense, we have to take the government's word for it. And that is especially problematic
when you consider the Fisa court decisions authorizing this snooping are secret and the congressional
intelligence committees tasked with conducting oversight tend to be toothless.
But assumptions of bad faith and violations of privacy by the US government are just that – assumptions.
When President Obama says that the NSA is not violating privacy rights because it would be against
the law, we can't simply disregard such statements as self-serving. Moreover, when one considers
the privacy violations that Americans willingly submit to at airports, what personal data they give
to the government in their tax returns, and what is regularly posted voluntarily on Facebook, sent
via email and searched for online, highly-regulated data-mining by the NSA seems relatively tame.
One of the key questions that have emerged over this story is the motivation of the leaker in
question, Edward Snowden. In
his initial public interview, with Glenn Greenwald on 9 June, Snowden explained his actions,
in part, thus:
"I'm willing to sacrifice because I can't in good conscience allow the US government to destroy
privacy, internet freedom and basic liberties for people around the world with this massive surveillance
machine they're secretly building."
Now, while one can argue that Snowden's actions do not involve personal sacrifice, whether they
are heroic is a much higher bar to cross. First of all, it's far from clear that the US government
is destroying privacy, internet freedom and basic liberties for people around the world.
Snowden may be sincere about being "valiant for truth", but he wouldn't be the first person to believe
himself such and yet be wrong.
Second, one can make the case that there is a public interest in knowing that the US is collecting
reams of phone records, but where is the public interest – and indeed, to Snowden's own justification,
the violation of privacy – in leaking a presidential directive on cyber operations or leaking that
the US is spying on the Russian president?
The latter is not a crime; it's actually what the NSA was established to do! In his
recent online chat hosted by the Guardian, Snowden suggested that the US should not be spying
on any country with whom it's not formally at war. That is, at best, a dubious assertion, and one
that is at odds with years of spycraft.
On the presidential directive on cyber operations, the damning evidence that Snowden revealed
was that President Obama has asked his advisers to create a list of potential targets for cyber operations
– but such planning efforts are rather routine contingency operations. For example, if the
US military drew up war
plans in case conflict ever occurred between the US and North Korea – and that included offensive
operations – would that be considered untoward or perhaps illegitimate military planning?
This does not mean, however, that Snowden is a traitor. Leaking classified data is a serious offense,
but treason is something else altogether.
The problem for Snowden is that he has now also
leaked classified information about ongoing US intelligence-gathering efforts to foreign governments,
including China and Russia. That may be crossing a line, which means that the jury is still out on
what label we should use to describe Snowden.
Shouldn't Snowden be protected as a whistleblower?
This question of leakers v whistleblowers has frequently been conflated in the public reporting
about the NSA leak (and many others). But this is a crucial error. As Tara Lee, a lawyer at the law
firm DLA Piper, with expertise in defense industry and national security litigation said to me there
is an important distinction between leakers and whistleblowers, "One reports a crime; and one
commits a crime."
Traditionally (and often technically), whistleblowing refers to specific actions that are taken
to bring to attention illegal behavior, fraud, waste, abuse etc. Moreover, the US government provides
federal employees and contractors with the protection to blow the whistle on wrongdoing. In the case
of Snowden, he could have gone to the inspector general at the Department of Justice or relevant
From all accounts, it appears that he did not go down this path. Of course, since the material
he was releasing was approved by the Fisa court and had the sign-off of the intelligence committee,
he had good reason to believe that he would have not received the most receptive hearing for his
Nevertheless, that does not give him carte blanche to leak to the press – and certainly doesn't
give him carte blanche to leak information on activities that he personally finds objectionable but
are clearly legal. Indeed, according to the
Whistleblower Protection Act (ICWPA), whistleblowers can make complaints over matters of what
the law calls "urgent concern", which includes "a serious or flagrant problem, abuse, violation of
law or executive order, or deficiency relating to the funding, administration, or operations of an
intelligence activity involving classified information, but does not include differences of opinion
concerning public policy matters [my italics]."
In other words, simply believing that a law or government action is wrong does not give one the
right to leak information; and in the eyes of the law, it is not considered whistleblowing. Even
if one accepts the view that the leaked Verizon order fell within the bounds of being in the "public
interest", it's a harder case to make for the presidential directive on cyber operations or the eavesdropping
on foreign leaders.
The same problem is evident in the incorrect description of
Bradley Manning as
a whistleblower. When you leak hundreds of thousands of documents – not all of which you reviewed
and most of which contain the mundane and not illegal diplomatic behavior of the US government –
you're leaking. Both Manning and now Snowden have taken it upon themselves to decide what
should be in the public domain; quite simply, they don't have the right to do that. If every government
employee decided actions that offended their sense of morality should be leaked, the government would
never be able to keep any secrets at all and, frankly, would be unable to operate effectively.
So, like Manning, Snowden is almost certainly not a whistleblower, but rather a leaker. And that
would mean that he, like Manning, is liable to prosecution for leaking classified material.
Are Democrats hypocrites over the NSA's activities?
A couple of days ago, my Guardian colleague, Glenn Greenwald made the following assertion:
"The most vehement defenders of NSA surveillance
have been, by far, Democratic (especially Obama-loyal) pundits. One of the most significant
aspects of the Obama legacy has been the transformation of Democrats from pretend-opponents of
the Bush "war on terror" and national security state into their biggest proponents."
This is a regular line of argument from Glenn, but it's one that, for a variety of reasons, I believe
is not fair. (I don't say this because I'm an Obama partisan – though I may be called one for writing
First, the lion's share of criticism of these recent revelations has come, overwhelmingly, from
Democrats and, indeed, from many of the same people, including Greenwald, who were up in arms when
the so-called warrantless wiretapping program was revealed in 2006. The reality is that outside a
minority of activists, it's not clear that many Americans – Democrats or Republicans –
get all that excited about these types of stories. (Not that this is necessarily a good thing.)
Second, opposition to the Bush program was two-fold: first, it was illegal and was conducted with
no judicial or congressional oversight; second, Bush's surveillance policies did not occur in a vacuum
– they were part of a pattern of law-breaking, disastrous policy decisions and Manichean rhetoric
over the "war on terror". So, if you opposed the manner in which Bush waged war on the "axis of evil",
it's not surprising that you would oppose its specific elements. In the same way, if you now support
how President Obama conducts counter-terrorism efforts, it's not surprising that you'd be more inclined
to view specific anti-terror policies as more benign.
Critics will, of course, argue – and rightly so – that we are a country of laws first. In which
case it shouldn't matter who is the president, but rather what the laws are that govern his or her
conduct. Back in the world of political reality, though, that's not how most Americans think of their
government. Their perceptions are defined in large measure by how the current president conducts
himself, so there is nothing at all surprising about Republicans having greater confidence in a Republican
president and Democrats having greater confidence in a Democratic one, when asked about specific
Beyond that, simply having greater confidence in President Obama than President Bush to wield
the awesome powers granted the commander-in-chief to conduct foreign policy is not partisanship.
It's common sense.
George Bush was, undoubtedly,
one of the two or three worst foreign policy presidents in American history (and arguably, our worst
president, period). He and Dick Cheney habitually broke the law, including but not limited to the
abuse of NSA surveillance. President Obama is far from perfect: he made the terrible decision to
surge in Afghanistan, and
he's fought two wars of dubious legality in Libya and Pakistan, but he's very far from the sheer
awfulness of the Bush/Cheney years.
Unless you believe the US should have no NSA, and conduct no intelligence-gathering in the fight
against terrorism, you have to choose a president to manage that agency. And there is nothing hypocritical
or partisan about believing that one president is better than another to handle those responsibilities.
Has NSA surveillance prevented terrorist attacks, as claimed?
In congressional testimony this week, officials from the Department of Justice and the
NSA argued that surveillance efforts stopped "potential terrorist events over 50 times since
9/11". Having spent far too many years listening to public officials describe terrifying terror plots
that fell apart under greater scrutiny, this assertion sets off for me a set of red flags (even though
it may be true).
I have no doubt that NSA surveillance has contributed to national security investigations, but
whether it's as extensive or as vital as the claims of government officials is more doubtful. To
be honest, I'm not sure it matters. Part of the reason the US government conducts NSA surveillance
in the first place is not necessarily to stop every potential attack (though that would be nice),
but to deter potential terrorists from acting in the first place.
Critics of the program like to argue that "of course, terrorists know their phones are being tapped
and emails are being read", but that's kind of the point. If they know this, it forces them to choose
more inefficient means of communicating, and perhaps to put aside potential attacks for fear of being
We also know that not every terrorist has the skills of a Jason Bourne. In fact, many appear to
be not terribly bright, which means that even if they know about the NSA's enormous dragnet, it doesn't
mean they won't occasionally screw up and get caught.
Yet, this gets to a larger issue that is raised by the NSA revelations.
When is enough counter-terrorism enough?
Over the past 12 years, the US has developed what can best be described as a dysfunctional relationship
with terrorism. We've become obsessed with it and with a zero-tolerance approach to stopping it.
While the former is obviously an important goal, it has led the US to take steps that not only undermine
our values (such as torture), but also make us weaker (the invasion of
Iraq, the surge in Afghanistan,
To be sure, this is not true of every anti-terror program of the past dozen years. For example,
the US does a better job of sharing intelligence among government agencies, and of screening those
who are entering the country. And military efforts in the early days of the "war on terror" clearly
did enormous damage to al-Qaida's capabilities.
In general, though, when one considers the relatively low risk of terrorist attacks – and the
formidable defenses of the United States – the US response to terrorism has been one of hysterical
over-reaction. Indeed, the balance we so often hear about when it comes to protecting privacy while
also ensuring security is only one part of the equation. The other is how do we balance the need
to stop terrorists (who certainly aspire to attack the United States) and the need to prevent anti-terrorism
from driving our foreign policy to a disproportionate degree. While the NSA revelations might not
be proof that we've gone too far in one direction, there's no doubt that, for much of the past 12
years, terrorism has distorted and marred our foreign policy.
Last month, President Obama gave a seminal speech at the National Defense University, in which
he essentially declared the "war on terror" over. With troops coming home from Afghanistan, and drone
strikes on the decline, that certainly seems to be the case. But as the national freakout over the
Boston Marathon bombing – and the extraordinary over-reaction of a city-wide lockdown for one wounded
terrorist on the loose – remind us, we still have a ways to go.
Moreover, since no politician wants to find him- or herself in a situation after a terrorist attack
when the criticism "why didn't you do more?" can be aired, that political imperative of zero tolerance
will drive our counterterrorism policies. At some point, that needs to end.
In fact, nine years ago, our current secretary of state, John Kerry, made this exact point; it's
worth reviewing his words:
"We have to get back to the place we were, where terrorists are not the focus of our lives,
but they're a nuisance I know we're never going to end prostitution. We're never going to end
illegal gambling. But we're going to reduce it, organized crime, to a level where it isn't on
the rise. It isn't threatening people's lives every day, and fundamentally, it's something that
you continue to fight, but it's not threatening the fabric of your life."
What the NSA revelations should spark is not just a debate on surveillance, but on the way we
think about terrorism and the steps that we should be willing to take both to stop it and ensure
that it does not control us. We're not there yet.
Re: How many Billions / Trillions are spent on these services?
The wonderful thing about living in a "Keynesian" perpetually increasing debt paradise is you
NEVER have to say you can't afford anything. (Well, unless you want to say it, but if you do it's
just political bullshit).
So, to answer your question... A "Keynesian" never asks how much, just how much do you want.
"When one considers the privacy violations that Americans willingly submit to at airports,
what personal data they give to the government in their tax returns, and what is regularly posted
voluntarily on Facebook, sent via email and searched for online, highly-regulated data-mining
by the NSA seems relatively tame."
Dear Sir: Please post your email addresses, bank accounts, and passwords. We'd like to look
"When one considers the privacy violations that Americans willingly submit to at airports,
what personal data they give to the government in their tax returns, and what is regularly
posted voluntarily on Facebook, sent via email and searched for online [...]"
Wow! I don't really care about my personal email. I do care about all political activists,
journalists, lawyers etc. That a journalist would support Stasi style surveillance state is astonishing.
I wish I had the time to go through this article and demolish it sentence by sentence as it
so richly deserves, but at the moment I don't. Instead, might I suggest to the author that he
go to the guardian archive, read every single story about this in chronological order and then
read every damn link posted in the comment threads on the three most recent stories.
Most especially the links in the comment threads. If after that, he cannot see why we "civil
libertarian freaks" are not just outraged, but frightened, he frankly lacks both historical knowledge
and any ability to analyze the facts that are staring him in the face. I can't believe I am going
to have to say this again but here goes: YOU do not get to give away my constitutional rights,
I don't give a shit how much you trust Obama compared to dubya. The Bill of Rights states in
clear, unambiguous language what the Federal government may NOT do to its citizens no matter WHO
"Russian security firm says iPhone secretly logs all your phone calls"
By Mike Wehner...Nov 17, 2016...10:36 AM
"A Russian security firm is casting doubt on just how big of an ally Apple is when it comes to
consumer privacy. In a new report, the company alleges that Apple's iCloud retains the entire call
history of every iPhone for as long as four months, making it an easy target for law enforcement
The firm, Elcomsoft, discovered that as long as a user has iCloud enabled, their call history
is synced and stored. The log includes phone numbers, dates and durations of the calls, and even
missed calls, but the log doesn't stop there; FaceTime call logs, as well as calls from apps that
utilize the "Call History" feature, such as Facebook and WhatsApp, are also stored.
There is also apparently no way to actually disable the feature without disabling iCloud entirely,
as there is no toggle for call syncing.
"We offer call history syncing as a convenience to our customers so that they can return calls
from any of their devices," an Apple spokesperson told The Intercept via email. "Device data is encrypted
with a user's passcode, and access to iCloud data including backups requires the user's Apple ID
and password. Apple recommends all customers select strong passwords and use two-factor authentication."
But security from unauthorized eyes isn't what users should be worrying about, according to former
FBI agent and computer forensics expert Robert Osgood. "Absolutely this is an advantage [for law
enforcement]," Osgood told The Intercept. "Four months is a long time [to retain call logs]. It's
generally 30 or 60 days for telecom providers, because they don't want to keep more [records] than
they absolutely have to."
If the name Elcomsoft sounds familiar, it's because the company's phone-cracking software was
used by many of the hackers involved in 2014's massive celebrity nudes leak. Elcomsoft's "Phone Breaker"
software claims the ability to crack iCloud backups, as well as backup files from Microsoft OneDrive
"... "Top US intelligence official: I submitted my resignation" As of January 20th or so. When he was going to be gone anyway. Just had to get his name in the news one more time. ..."
"... Clapper has been like a difficult to eradicate sexually transmitted disease in the intelligence community. Unfortunately, I suspect he may have already infected others who will remain and pass it around. ..."
Clapper has been like a difficult to eradicate sexually transmitted disease in the intelligence
community. Unfortunately, I suspect he may have already infected others who will remain and pass
The "Poison Tap" is not really that big of a deal. It's usually trivially easy
to break into any computer that you can physically access. You can boot from a
CD or USB drive, for instance, or even just steal the hard drive. Security on USB
needs to be improved, but this is not even close to being the end of the world.
If you have the time with the physical machine anyway.
I could see kids having fun with this though. Going into a box store that has computers on display,
getting access (even better if they have a web cam on it). Upload porn or shocking material and showing
the customers and watching/recording the reactions and putting it on youtube.
Or more nefarious, the same thing but for casing a store (limited vantage from the web cam, but
may be better than nothing).
Etc. lots you could do and more importantly not a lot of skill required. Lower bar for entry for
hacking mischief and a low cost.
LarryB, and how long will that take you? And will you have the computer back
together by the time they see you? And will logs suggest anything funny happened
around that time? What if the disk is passworded? What about that not all systems
are exclusively for business/corporate use (see also BYOD) and therefore may
be tuned to varying security postures owing to other factors?
Physical access ≠ game over. Physical access + unguarded time + experience + tooling = game over.
One used to could safely leave someone alone with their computer while one went to the kitchen for
a glass of water. Now this tooling has made the time and experience components a bit less relevant
to successful, quick pwnage with few or no tracks. Neato!
A widespread problem
In the last few years, the Federal Trade Commission has sued more than a dozen
debt relief companies. "They simply lie to consumers," says the FTC's Alice Hrdy.
FTC and IRS investigators have also found some counseling services that claim to be
non-profit when they are actually a for-profit company. The non-profit pitch can make
a potential client feel confident about signing up for the service. "They're preying
on the consumer's trust," Hrdy says.
Some of the bad apples in this industry mislead people about their charges. "They
either say there are no fees involved or just a small fee," Hrdy explains. Sometimes,
they don't mention fees at all.
Bruce, who lives near Seattle, signed up with a company that promised to lower his
interest rates. He was told to send them a check for $265.
"It was my clear understanding that money was going to pay off my credit card
bills," Bruce told me. It turned out to be a "referral fee" to find him a company
that would supposedly help him.
"It was a nasty experience," Bruce says. "They basically stole my money."
Warning: Debt settlement programs
Some companies now claim they can negotiate a one-time settlement with all
of your creditors that will reduce your principal by as much as 50 to 70 percent. By
doing this, they say, your monthly payments will drop dramatically.
"That is virtually impossible under any circumstances," says Travis Plunkett,
Legislative Director of the Consumer Federation of America. That's why CFA warns
consumers not to use debt settlement programs. "They are promising something they
can't deliver," Plunkett says.
Credit counselors - a better option
Charles Helms, president of Consumer Counseling Northwest, sees a lot of
people who have been burned by these phony debt relief programs. "It's horrible," he
says. Because most of them have a large up-front fee, they'll take anyone who can
"Their goal is to get you to sign up, not to successfully complete the program,"
Helms says. "So here's someone who is financially damaged to begin with and then
these companies just go out and take the last of their resources and kill any hope
they have of getting out of that situation."
With a legitimate credit counselor, there is no right answer for everyone. They
sit down with you and give you a free and objective assessment of your financial
situation. At Credit Counseling Northwest, they saw 6,000 people last year and found
that debt management was the right option for only 19 percent of them. The rest were
given a plan to work things out on their own.
With a customized consolidated payment plan you should be able to pay off your
credit card debt in 3 to 5 years. You write the counseling agency one check each
month and they pay all your creditors.
Do your homework
Facing mounting bills can be frightening, but getting debt relief is not a
decision that should be based on hearing a radio commercial or getting a sales call.
You want to find an organization that will design a debt relief plan specifically for
Shop around. Compare a couple of services and get a feel for how they operate. The
credit counselor should spend at least 20 to 30 minutes with you in order to get a
complete picture of your finances. If they don't do that, you're not really getting
Ask a lot of questions and get those answers in writing. Find out about the fees.
The Consumer Federation of America says you shouldn't pay more than $50 for the
set-up fee and no more than a $25 monthly maintenance fee. If the agency is vague or
reluctant to talk about fees, go someplace else.
Don't rely on names or the claim of a non-profit status. Check them out with the
Better Business Bureau or your local consumer protection office.
By doing your homework you should be able to find a service that doesn't
over-charge or over-promise. Here's a good place to start:
Foundation for Credit Counseling. They'll help you find a certified counselor
This neocon propagandist (or, more correctly, neocon provocateur) got all the major facts wrong. And
who unleashed Flame and Stuxnet, I would like to ask him.
Was it the Russians? And who invented the concept of the "color revolution", in which influencing elections
was the major part of the strategy? And which nation instituted the program of covert access to the email boxes
of all major webmail providers? He should study the history of malware and of USA covert operations
before writing this propagandist/provocateur opus, to look a little bit more credible...
The 2016 presidential race will be remembered for many ugly moments, but the most lasting historical
marker may be one that neither voters nor American intelligence agencies saw coming: It is the first
time that a foreign power has unleashed cyberweapons to disrupt, or perhaps influence, a United States
And there is a foreboding sense that, in elections to come, there is no turning back.
The steady drumbeat of allegations of Russian troublemaking - leaks from stolen emails and probes
of election-system defenses - has continued through the campaign's last days. These intrusions, current
and former administration officials agree, will embolden other American adversaries, which have been
given a vivid demonstration that, when used with some subtlety, their growing digital arsenals can
be particularly damaging in the frenzy of a democratic election.
"Most of the biggest stories of this election cycle have had a cybercomponent to them - or the
use of information warfare techniques that the Russians, in particular, honed over decades," said
David Rothkopf, the chief executive and editor of Foreign Policy, who has written two histories of
the National Security Council. "From stolen emails, to WikiLeaks, to the hacking of the N.S.A.'s
tools, and even the debate about how much of this the Russians are responsible for, it's dominated
in a way that we haven't seen in any prior election."
The magnitude of this shift has gone largely unrecognized in the cacophony of a campaign dominated
by charges of groping and pay-for-play access. Yet the lessons have ranged from the intensely personal
to the geostrategic.
Email, a main conduit of communication for two decades, now appears so vulnerable that the
nation seems to be wondering whether its bursting inboxes can ever be safe. Election systems,
the underpinning of democracy, seem to be at such risk that it is unimaginable that the United States
will go into another national election without treating them as "critical infrastructure."
But President Obama has been oddly quiet on these issues. He delivered a private warning to President
Vladimir V. Putin of Russia during their final face-to-face encounter two months ago, aides say.
Still, Mr. Obama has barely spoken publicly about the implications of foreign meddling in the election.
His instincts, those who have worked with him on cyberissues say, are to deal with the problem by
developing new norms of international behavior or authorizing covert action rather than direct confrontation.
After a series of debates in the Situation Room, Mr. Obama and his aides concluded that any public
retaliation should be postponed until after the election - to avoid the appearance that politics
influenced his decision and to avoid provoking Russian counterstrikes while voting is underway. It
remains unclear whether Mr. Obama will act after Tuesday, as his aides hint, or leave the decision
about a "proportional response" to his successor.
Cybersleuths, historians and strategists will debate for years whether Russia's actions reflected
a grand campaign of interference or mere opportunism on the part of Mr. Putin. While the administration
has warned for years about the possibility of catastrophic attacks, what has happened in the past
six months has been far more subtle.
Russia has used the techniques - what they call "hybrid war," mixing new technologies with old-fashioned
propaganda, misinformation and disruption - for years in former Soviet states and elsewhere in Europe.
The only surprise was that Mr. Putin, as he intensified confrontations with Washington as part of
a nationalist campaign to solidify his own power amid a deteriorating economy, was willing to take
them to American shores.
The most common theory is that while the Russian leader would prefer the election of Donald J.
Trump - in part because Mr. Trump has suggested that NATO is irrelevant and that the United States
should pull its troops back to American shores - his primary motive is to undercut what he views
as a smug American sense of superiority about its democratic processes.
Madeleine K. Albright, a former secretary of state who is vigorously supporting Hillary Clinton,
wrote recently that Mr. Putin's goal was "to create doubt about the validity of the U.S. election
results, and to make us seem hypocritical when we question the conduct of elections in other countries."
If so, this is a very different use of power than what the Obama administration has long prepared
the nation for.
Four years ago, Leon E. Panetta, the defense secretary at the time, warned of an impending "cyber
Pearl Harbor" in which enemies could "contaminate the water supply in major cities or shut down the
power grid across large parts of the country," perhaps in conjunction with a conventional attack.
"Russia expects Washington to provide an explanation after a report claimed that Pentagon cyber-offensive
specialists have hacked into Russia's power grids, telecommunications networks, and the Kremlin's
command systems for a possible sabotage."
Presenting...the Clinton IT Department!
This has not been an especially ennobling election. Or a rewarding one. Or even entertaining.
Pretty much everything about 2016 has been boorish and grotesque. But finally it is time to laugh.
Ladies and gentlemen, I present the Clinton IT department.
Over the weekend we finally found out how Clinton campaign honcho John Podesta's emails were hacked.
But first a couple disclaimers:
1) Yes, it's unpleasant to munch on the fruit of the poisoned tree. But this isn't a court of
law and you can't just ignore information that's dragged into the public domain.
2) We're all vulnerable to hackers. Even if you're a security nut who uses VPNs and special email
encryption protocols, you can be hacked. The only real security is the anonymity of the herd. Once
a hacker targets you, specifically, you're toast.
I'm a pretty tech-savvy guy and if the Chinese decided to hack my emails tonight, you'd have everything
I've ever written posted to Wikileaks before the sun was up tomorrow.
But that is … not John Podesta's situation.
What happened was this: On March 19, Podesta got what looked--kind of, sort of--like an email
from Google's Gmail team. The email claimed that someone from the Ukraine had tried to hack into
Podesta's Gmail account and that he needed to change his password immediately.
This is what's called a "phishing" scam, where hackers send legitimate-looking emails that, when
you click on the links inside them, actually take you someplace dangerous. In Podesta's case, there
was a link that the email told him to click in order to change his password.
This was not an especially good bit of phishing.
Go have a look yourself. The email calls Podesta by his first name. It uses bit.ly as a link
shortener. Heck, the subject line is the preposterous "*someone has your password*". Why would Google
say "someone has your password?" They wouldn't. They'd say that there had been log-in attempts that
failed two-step authentication, maybe. Or that the account had been compromised, perhaps. If you've
spent any time using email over the last decade, you know exactly how these account security emails
And what's more, you know that you never click on the link in the email. If you get a notice from
your email provider or your bank or anyone who holds sensitive information of yours saying that your
account has been compromised, you leave the email, open your web browser, type in the URL of the
website, and then manually open your account information. Again, let me emphasize: You never click
on the link in the email!
But what makes this story so priceless isn't that John Podesta got fooled by a fourth-rate phishing
scam. After all, he's just the guy who's going to be running Hillary Clinton's administration. What
does he know about tech? And Podesta, to his credit, knew what he didn't know: He emailed the Clinton
IT help desk and said, Hey, is this email legit?
And the Clinton tech team's response was: Hell yes!
No, really. Here's what they said: One member of the team responded to Podesta by saying "The
gmail one is REAL." Another answered by saying "This is a legitimate email. John needs to change
his password immediately."
It's like the Clinton IT department is run by 90-year-old grandmothers. I half-expect the next
Wikileaks dump to have an email from one Clinton techie to another asking for help setting their
As the other guy likes to say, "only the best people."
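The tell-tale signs the article lists above (a bit.ly-shortened link, a subject line Google would not use, a link that does not lead to the claimed sender) can be checked mechanically before anyone answers "is this email legit?". The following is an added example, not code from the article or from this page; the host lists, the word list, the function names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for illustration only: extend these lists for real use.
SHORTENERS = ("bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly")
BRAND_HOSTS = {"google": ("google.com",)}
URGENT_WORDS = ("immediately", "has your password")


class LinkParser(HTMLParser):
    """Collect the href of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def under(host, domains):
    """True if host equals one of the domains or is a subdomain of one.

    The match is on a dot boundary, so 'google.com.login.example'
    does not count as google.com.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def html_bodies(msg):
    """Yield the decoded text of every text/html part of the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw_message, brand="google"):
    """Return the sorted list of indicators found in one raw e-mail."""
    msg = message_from_string(raw_message)
    allowed = BRAND_HOSTS[brand]
    findings = set()

    # The From header is trivially forged, so a matching domain proves
    # nothing; a non-matching one under the brand's name is still a finding.
    display, addr = parseaddr(msg.get("From", ""))
    if brand in display.lower() and not under(addr.rpartition("@")[2], allowed):
        findings.add("sender-not-brand")

    text = msg.get("Subject", "").lower()
    for html in html_bodies(msg):
        parser = LinkParser()
        parser.feed(html)
        text += " " + html.lower()
        for href in parser.hrefs:
            host = urlsplit(href).hostname
            if under(host, SHORTENERS):
                findings.add("shortened-link")
            if not under(host, allowed):
                findings.add("link-not-brand")

    if any(word in text for word in URGENT_WORDS):
        findings.add("urgent-wording")
    return sorted(findings)


# Constructed sample: mimics only the traits named in the article.
PHISH = "\n".join([
    'From: "Google" <no-reply@accounts.example.net>',
    "To: alex@example.org",
    "Subject: Someone has your password",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>Hi Alex,</p><p>You should change your password immediately.</p>",
    '<a href="http://bit.ly/EXAMPLE">CHANGE PASSWORD</a>',
])

# Constructed sample: a notice whose sender and link stay on the brand's hosts.
BENIGN = "\n".join([
    "From: Google <no-reply@accounts.google.com>",
    "To: alex@example.org",
    "Subject: Security alert",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<p>New sign-in to your account.</p>",
    '<a href="https://myaccount.google.com/notifications">Check activity</a>',
])

if __name__ == "__main__":
    print("phish :", analyze(PHISH))
    print("benign:", analyze(BENIGN))
```

An empty result only means that none of these particular indicators fired; the article's advice to open the site by typing its address rather than following the link still applies.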
Briefly, it seems Podesta received an email "You need to change your password", asked for professional
advice from his staff if it was legit, was told "Yes, you DO need to change your password", but
then clicked on the link in the original email, which was sent him with malicious intent, as he
suspected at first and then was inappropriately reassured about - rather than on the link sent
him by the IT staffer.
Result - the "phishing" email got his password info, and the world now
gets to see all his emails.
Personally, my hope is that Huma and HRC will be pardoned for all their crimes, by Obama, before
he leaves office.
Then I hope that Huma's divorce will go through, and that once Hillary is sworn
in she will at last be courageous enough to divorce Bill (who actually performed the Huma-Anthony
Weiner nuptials - you don't have to make these things up).
Then it could happen that the first
same-sex marriage will be performed in the White House, probably by the minister of DC's Foundry
United Methodist Church, which has a policy of LBGQT equality. Or maybe Hillary, cautious and
middle-of-the-road as usual, will go to Foundry UMC sanctuary for the ceremony, recognizing that
some Americans' sensibilities would be offended by having the rite in the White House.
As Nobel Laureate Bob Dylan wrote, "Love is all there is, it makes the world go round, love
and only love, it can't be denied. No matter what you think about it, you just can't live without
it, take a tip from one who's tried."
"... An important thing about that Time article regarding the Sony Hack is that it is almost two years old. Important because I'm still having to tell people that despite what the President and the government said North Korea didn't hack Sony because of a really bad movie, but that insiders did it for reasons that were never part of the media blitz about it. And believe me, considering that Clinton is lying through her teeth beyond even the government about this, I point this out a lot. ..."
"... Never let an opportunity for a bit of Russian bashing go to waste it seems. Is there anything at all in the history of the entire world that the Russians aren't responsible for? ..."
An important thing about that Time article regarding the Sony Hack is that it is almost two
years old. Important because I'm still having to tell people that despite what the President and
the government said North Korea didn't hack Sony because of a really bad movie, but that insiders
did it for reasons that were never part of the media blitz about it. And believe me, considering
that Clinton is lying through her teeth beyond even the government about this, I point this out
Something that jumped out at me in December 2014 was a blog post by David E Martin. His
blog post more or less laid out the whole game plan–and in so doing, I suspect he thwarted
the planned story line. It was amazing to read that the whole plot had actually been presented
to Congress years before.
I'm inferring his intention in writing the post was to spill enough beans to prevent a catastrophic
false flag event, as that is why he wrote his book
"Coup d'Twelve". (He spoke about this on numerous radio interviews at the time, and as also
discussed it in person.)
New evidence appears to show how hackers earlier this year stole more than 50,000 emails
of Hillary Clinton's campaign chairman, an audacious electronic attack blamed on Russia's government
and one that has resulted in embarrassing political disclosures about Democrats in the final
weeks before the U.S. presidential election.
The hackers sent John Podesta an official-looking email on Saturday, March 19, that appeared
to come from Google. It warned that someone in Ukraine had obtained Podesta's personal Gmail
password and tried unsuccessfully to log in, and it directed him to a website where he should
"change your password immediately."
Podesta's chief of staff, Sara Latham, forwarded the email to the operations help desk of
Clinton's campaign, where staffer Charles Delavan in Brooklyn, New York, wrote back 25 minutes
later, "This is a legitimate email. John needs to change his password immediately."
And if the ploy was that low-grade, that means that the Russki superbrains in the KGB didn't
have to be behind it. Dear Lord.
This really is a hubris followed by nemesis thing, isn't it? And how sad it is, how tragic,
that it was Brooklyn that brought Podesta down. Somehow I think Delavan is going to have
a hard time getting a job in politics again, but he did the country a great service.
Social engineering wins again. This was something I learned about long ago when Black Box Voting.org
started (approx. 2004). It was one of the many vulnerabilities in various points of election systems,
both with paper and paperless. Very easy to get officials to reveal passwords that allowed access–that's
in addition to the corruption situations. (Or rather, the social engineering angle would be just
one of the tools used by insiders.)
All their arguments do not stand up to even entry-level programmer scrutiny. Especially silly is the "Russian
keyboard and timestamps" argument. As if, say, Israelis or, say, Estonians, or any other country with a
sizable Russian-speaking population can't use those to direct the investigation onto the wrong track ;-).
If I were a Russian hacker trying to penetrate DNC servers I would use only NSA toolkits and
libraries that I can find on the black market. First of all, they are reasonably good. Second, they help
to direct people in the wrong direction. And if I knew Spanish or English or French reasonably well I
would use them exclusively. If not, I would pay for translation of the set of variables into those languages
and "forget" to delete the symbol table in one of the modules, giving raw meat to idiots like those.
Actually you can find a lot of such people even in London, Paris, Madrid and NYC, and some of them
really do not like the US neoliberal administration with its unending wars of expansion of the neoliberal
empire :-) But still they are considered to be "security experts". When you now hear the words "security
expert", please substitute "security charlatan" for better comprehension -- that's almost always
the case with people posing as security experts for the MSM. The only reliable exception is whistleblowers
-- those people sacrifice their lucrative careers for telling the truth, so they can usually be trusted.
They might exaggerate things on the negative side, though. I personally highly respect William Binney.
The "regular" security experts, especially from tiny, struggling security companies, are in reality
low-paid propagandists amplifying a set of prepared talking points. The arguments are usually pretty
childish. BTW, after the USA/Israeli operation against Iran using Stuxnet and Flame in the Middle East,
complex Trojans are just commonplace and are actually available to a more or less qualified hacker, or
even an unqualified person with some money and a desire to take risks.
I especially like the phrase "beyond a reasonable doubt that the hack was in fact an operation of
the Russian state." Is this not slander, or what? Only two categories of people, imbeciles and paid
presstitutes, think about the origin of a complex hacking operation "beyond reasonable doubt".
How do we really know that the breaches of the Democratic National Committee were conducted
by organizations working on behalf of the Russian state? With the CIA considering a major
counterstrike against the superpower, as NBC has reported, it's worthwhile for the public to
measure how confident we can be that Putin's government actually deserves retribution.
"When you're investigating a cybersecurity breach, no one knows whether you're a Russian hacker
or a Chinese hacker pretending to be a Russian hacker or even a U.S. hacker pretending to be a Chinese
hacker pretending to be a Russian hacker," reporter Jordan Robertson says during the third episode
of a solid new podcast from Bloomberg, called "Decrypted." In the new episode, he and fellow reporter
break down the facts that put security experts beyond a reasonable doubt that the hack was
in fact an operation of the Russian state.
Here are the key points:
Familiar techniques. Crowdstrike came in first, once DNC IT teams suspected breaches and
recognized the techniques of the two groups it calls Cozy Bear and Fancy Bear. Others refer to
them as APT 28 and 29, where APT stands for "Advanced Persistent Threat." Crowdstrike's co-founder
Dmitri Alperovitch broke down his reasoning on its blog, writing, "We've had lots of experience
with both of these actors attempting to target our customers in the past and know them well. In
fact, our team considers them some of the best adversaries out of all the numerous nation-state,
criminal and hacktivist/terrorist groups we encounter on a daily basis."
Redundancy is Russian. The Crowdstrike post explains that the fact that two organizations
were inside and apparently not working together is consistent with Russian operations. "While
you would virtually never see Western intelligence agencies going after the same target without
de-confliction for fear of compromising each other's operations, in Russia this is not an uncommon
scenario," Alperovitch writes.
Such nice code. Bloomberg turns to an ex-cop at one of the companies that Crowdstrike recruited
to check its work, Mike Buratowski at Fidelis. His company put the code
discovered on DNC servers into a virtual environment to test it. "You look at the complexity of
what the malware was able to do. The fact that it had the ability to, basically, terminate itself
and wipe its tracks, hide its tracks. You know, that's not stuff you see in commoditized malware,
really," Buratowski said. In other words, this wasn't the kind of malware a cybercriminal could
buy on the black market. It was bespoke stuff made by teams of pros. Buratowski later calls the
code "elegant." Motherboard gives examples of emails used, which showed careful attention to
detail. Too good, he contends, for one person or a small team to build.
Russian keyboards and timestamps. Investigators found evidence in the code that it had been
written on a Russian style keyboard and
found timestamps across multiple pieces of code consistent with the Russian workday.
Motive. This was an extremely complex hack that took a lot of time and effort. Again, the
Crowdstrike post helps here. It discusses evidence that the spies returned to the scene of the
crime repeatedly to change out code to avoid detection. Buratowski refers to it as an entity with
more operational discipline than an individual or a loose group could sustain. Which begs the
question: who but a nation-state would have sufficient motive to work that hard? Further, the
same groups were linked both to the hacks on John Podesta and Colin Powell, which suggests
a multi-front initiative. That goes beyond what a hacker collective
might do for bragging rights or lulz.
Information war. The DNC emails dropped the day before the party's national convention. "Releasing
the emails the evening before the convention started? Now you're looking at it like: that really
smacks of an information operation," Buratowski says.
Official attribution from the US government. Washington sees evidence of breaches all the
time. It seldom points the finger at specific states, the Decrypted team argues. The fact that
it has is powerful. "There are ways the government can really know what's going on," Robertson
said, "in a way that no private cybersecurity could ever match."
From there, the podcast asks: what does this hack mean for the U.S. election? They come to basically
the same conclusions that the Observer did in September: voting systems are very safe, voter rolls
are less so, but nation-states probably want to discredit our system more than they want to change
outcomes.
How sure can we be? Buratowski says, "Barring seeing someone at a keyboard or a confession, you're
relying on that circumstantial evidence." So, we can never really know for sure. In fact, even Crowdstrike's
attribution is based on prior experience, which assumes that they have attributed other hacks correctly
in the past. Former congressional staffer Richard Diamond
in USA Today argues that the hacks can be explained by bad passwords, but he also neglects
to counter Crowdstrike's descriptions of the sophisticated code placed inside the servers. From Bloomberg's
version of events, how the hackers got in was really the least interesting part of their investigation.
So what does it all mean? It's natural for political junkies to wonder if there might be further
disclosures coming before Election Day, but - if this is an information operation - it might be even
more disruptive to hold documents until after the election in order to throw doubt on our final choice.
Either way, further disclosures will probably come.
I find the whole hysteria over Russian hacking very one-sided. If the US takes it upon itself,
out of sincere concern, to help out "moderates" in overthrowing a repressive, evil government
in Syria, Libya and Iraq, maybe the same thing happening to the US itself is not that weird?
Here is a tyrannical government with little regard for its demotivated and demoralized citizens
who can not on their own displace it. This government threatens nuclear war and kills an unjustified
number of its own citizens. Its public infrastructure is in ruins and oligarchy is everywhere.
In the past the US has set the example for dealing with such troubled states; its time the
doctor took his own medicine.
The "evidence" for Russian hacking is so suspect that anyone who repeats the story instantly
stamps themselves as either a con or a mark. It's depressing to see media corruption so blatantly
displayed. Now I know what 2003 must have felt like (I was too young to have much of an opinion
The "17 intelligence agencies" claim is complete Clinton bullshit. I'm kind of amazed that
journalists are now stating this as fact. I could say I'm shocked but nothing the presstitutes
do surprises me anymore. They are busy preening for their future White House access. It kind
of makes me want to get drunk and vote for the orange haired guy.
Just finished trying to "re-educate" my husband after he listened to [and apparently believed]
a report in the CBS Evening News on the "Russian hacking of Clinton's e-mails." They reported
it as complete "fact," without even a perfunctory "alleged."
Too difficult to do this correction one person at a time, while the networks have such massive
It *is* highly asymmetric warfare. And as is normal when working the insurgent side, the
trick isn't to try to win by a large number of winning individual engagements, but rather of
delegitimatizing the side with the resource advantage in a broader, cultural way. Delegitimize
the mainstream media actively. If you win the culture war, you win the political war too just
as a bonus. Tell the truth, unapologetically. That's as bad-ass as it gets.
This is sound advice. Problem is, how to delegitimate media generally? Actual insurgents
avoid direct confrontations with superior occupying power and opt for a variety of other strategies
of attack, including: IED's, flash attacks, suicide bombings, disruption of civilian life,
etc. What are some equivalent, concrete (and legal) strategies for disrupting the order of
imposed media? The use of social media seems to be one option, and maybe the most successful.
Yet this tends to reach only certain segments of population who are unlikely to watch CNN or
read the Post in any case. How can one harm the media powers where it hurts them most, by reaching
and disrupting their actual consumers, who tend to be older, establishment-minded, white, etc…?
How to delegitimize the media? They are doing that themselves. In spades. Listen to the
people around you, they are getting wise to it. Just point it out to anyone who'll listen.
It isn't the bombs and attacks that win an insurgency, none of that stuff works if the cause
isn't widely understood and shared. The victory is won–to recycle a cliché–in the hearts and
minds of the ordinary people. Naked Capitalism is a big ammo depot and we are the grunts and
the munitions are ideas. And as I alluded to above, the power of truth. Truth will kick ass
and take names if you let it.
"Truth will kick ass and take names if you let it."
Thanks for the spirit-raising exhortation Kurt!! Many Americans are walking around with
heads like over-inflated cognitive dissonance balloons. If you listen closely, you can hear
these balloons popping off all the time, resulting in yet another person able to confront reality.
Ahhhh, but that exactly where the "exceptional" clause kicks in. You see, America is justified
in intervening in other countries' business because we see further, with a clearer gaze and
a purer heart, than any other country in the world. Mired as they are in ignorance or inertia,
no other country is qualified to judge us, and any mistakes that we make only occur because
of the depths of our love for others and our passion for freedom.
America has entered one of its periods of historical madness, but this is the worst I can remember:
worse than McCarthyism, worse than the Bay of Pigs and in the long term potentially more disastrous
than the Vietnam War. ~John le Carre
historical madness/hysterical madness … take your pick.
It is terrifying to watch Clinton rave about adopting a more "muscular, aggressive" approach
to foreign affairs - with little or no push back from the national media, either party or even
many citizens. Hell, they are applause lines at her rallies.
If 15 years of endless wars, trillions of dollars of wasted money, hundreds of thousands
of casualties on all sides and metastasizing terrorist threat with no end in sight doesn't
give one a little pause before advocating more of the same, then we might have a problem.
Hillary said twice during the debates that "America is great because America is good." Translation:
We can do whatever we damn well please because we can. Lord, help us all. I'm so sick of hearing
this and our endless criminal wars.
Not mentioned in the News of the Wired snips: the Dyn DDOS was the latest using a megascale IOT
botnet. Coming soon to a Smart Toaster|Thermostat|Fridge|WasherDryer|EggTimer|PencilSharpener|Dishwasher|GarbageCompacter|BabyMonitor
I suspect various enforcement agencies are using those cameras for something else, like mass
video surveillance, and having just lost a lot of TLS vulnerabilities, are motivated to keep their
sources' name out of the news (as befits TS/SI NOFORN projects), though steering the industry's
and the commercial market economy's Confidence Fairy out of an imminent uncontrolled landing would
suffice to explain the quiet.
For people who understand what that means it is mind-blowing, the processors in your parking
garage gate or your nursery's NannyCam being used in a giant global concerto of digital disruption.
Smells like the NSA in a desperate attempt to disrupt the flows from Wiki, they already gave the
Clinton camp their best spyware (FoxAcid) and this would be par for the course given the level
of lawbreaking and dirty tricks.
Here are some easy ways the Clinton team could have avoided getting hacked and might
prevent it in the future.
There is probably no one more acutely aware of the importance of good cybersecurity right now
than Hillary Clinton's campaign chairman John Podesta, whose emails have been laid bare by
WikiLeaks, are being mined for news by journalists (including at The Intercept), and are
available for anyone with internet access to read.
So as a public service to Podesta and everyone else on Clinton's staff, here are some email
security tips that could have saved you from getting hacked, and might help you in the future.
Use a strong password
There's a method for coming up with passwords that are mathematically unfeasible for anyone
to ever guess by brute force, but that are still possible for you to memorize. I've written
about it before, in detail, including an explanation of the math behind it.
But in short: You start with a long list of words and then randomly select one (by rolling
dice), then another, and so on, until you end up with something like: "slinging gusty bunny
chill gift." Using this method, called Diceware, there is a one in 28 quintillion (that is, 28
with 18 zeros at the end) chance of guessing this exact password.
For online services that prevent attackers from making very many guesses - including Gmail - a
five-word Diceware password is much stronger than you'll ever need. To make it super easy, use
this wordlist from the Electronic Frontier Foundation.
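The selection step and the arithmetic described above, as an added example that is not part of the original article. The 36-word list is constructed for the demo (a real Diceware list has 7776 entries keyed by five dice), and the function names and guess rates are assumptions.

```python
import math
import secrets
from itertools import product

# Constructed 36-word sample in a "dice<TAB>word" layout so the block runs
# offline. A real Diceware list has 6**5 = 7776 words keyed by five dice.
_WORDS = ("acorn amber badge basil bunny cabin cedar chill delta ember fable "
          "flint gift gusty harbor ivory jelly kettle lemon maple nectar olive "
          "pebble quilt raven saddle slinging tulip umber velvet walnut yarrow "
          "zebra anchor breeze copper").split()
SAMPLE_WORDLIST = "\n".join(
    "".join(key) + "\t" + word
    for key, word in zip(product("123456", repeat=2), _WORDS))


def parse_wordlist(text):
    """Parse 'dice word' lines and reject lists that would weaken the result."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if set(key) - set("123456"):
            raise ValueError(f"key {key!r} is not made of dice faces 1-6")
        if key in table:
            raise ValueError(f"duplicate key {key!r}")
        table[key] = word.strip()
    key_lengths = {len(k) for k in table}
    if len(key_lengths) != 1:
        raise ValueError("empty list or keys of mixed length")
    n_dice = key_lengths.pop()
    if len(table) != 6 ** n_dice:
        raise ValueError("some dice rolls have no word")
    if len(set(table.values())) != len(table):
        raise ValueError("repeated words shrink the guess space")
    return table


def roll_key(n_dice):
    """Simulate fair dice with the OS CSPRNG (never random.random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def passphrase(table, n_words=5):
    """Pick each word independently; repeats are allowed and expected."""
    n_dice = len(next(iter(table)))
    return " ".join(table[roll_key(n_dice)] for _ in range(n_words))


def guess_space(list_size, n_words):
    """Number of equally likely passphrases."""
    return list_size ** n_words


def entropy_bits(list_size, n_words):
    return n_words * math.log2(list_size)


def years_to_exhaust(space, guesses_per_second):
    """Time to try every candidate; the average hit comes at half of this."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    print("demo passphrase (36-word list, do not use):", passphrase(table))
    space = guess_space(7776, 5)
    print(f"7776-word list, 5 words: {space:,} combinations,"
          f" {entropy_bits(7776, 5):.1f} bits")
    # Assumed rates: a throttled online login form vs. an offline cracking rig.
    for label, rate in (("online, 100 guesses/s", 1e2),
                        ("offline, 1e12 guesses/s", 1e12)):
        print(f"{label}: {years_to_exhaust(space, rate):.3g} years to exhaust")
```

The two rates show why the article's qualifier about services that limit guesses matters: the same five words that are out of reach online can be exhausted in about a year against a fast offline hash, which is where a sixth or seventh word earns its keep.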
.... ... ...
Use a unique password for each application
The same day that WikiLeaks published Podesta's email, his Twitter account got hacked as
well. How do you think that happened? I have a guess: He reused a password that was exposed in
his email, and someone tried it on his Twitter account.
... ... ...
Turn on two-factor authentication
Last year, when I asked National Security Agency whistleblower Edward Snowden what ordinary
people could do to improve their computer security, one of the first pieces of advice he gave
was to use two-factor authentication. If Podesta had enabled it on his Gmail account, you
probably wouldn't be reading his email today.
Google calls it "2-Step Verification" and has an excellent website explaining why you need it,
how it works, and how it protects you. In short: When you log in to your account, after you
type in your password you'll need one more piece of information before Google will allow you
to proceed. Depending on how you set it up you might receive this uniquely generated
information in a text message, a voice call, or a mobile app, or you could plug in a special
security key into your USB port.
Once you start using it, hackers who manage to trick you into giving up your password still
won't be able to log in to your account - at least not without successfully executing a
separate attack against your phone or physically stealing your security key.
Watch out for phishers
... ... ...
Well-crafted spear-phishing emails can be incredibly hard to spot, but if you ever end
up on a website asking you for a password, you should be skeptical. Check the URL and make
sure you're at a legitimate login page before typing in your password, or navigate to the
login page directly.
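What "check the URL" means in practice, as an added example that is not part of the original article: a strict host comparison instead of looking for a familiar name somewhere in the link. The allowlist entry, the function name and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one host where a Google password is typed.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

# Constructed sample links (reserved .example names), one per common trick.
SAMPLES = [
    "https://accounts.google.com/signin",                         # genuine
    "http://accounts.google.com/signin",                          # no TLS
    "https://accounts.google.com.password-reset.example/signin",  # subdomain trick
    "https://accounts.google.com@login.example/",                 # userinfo trick
    "https://short.example/1a2b3c",                               # opaque short link
    "https://accounts.xn--gogle-abc.example/",                    # punycode label
]


def check_login_url(url):
    """Return (ok, reasons); ok is True only when nothing looks wrong."""
    reasons = []
    try:
        parts = urlsplit(url.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        return False, [f"unparseable URL: {exc}"]
    # hostname is lower-cased and excludes userinfo and port.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if port not in (None, 443):
        reasons.append(f"unusual port {port}")
    if parts.username is not None:
        reasons.append("text before '@' is not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host")
    if host not in TRUSTED_LOGIN_HOSTS:
        reasons.append(f"host {host!r} is not an expected login host")
        if any(name in url.lower() for name in TRUSTED_LOGIN_HOSTS):
            reasons.append("trusted name appears in the URL but is not the host")
    return not reasons, reasons


if __name__ == "__main__":
    for sample in SAMPLES:
        ok, why = check_login_url(sample)
        print("OK  " if ok else "STOP", sample)
        for reason in why:
            print("      -", reason)
```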
Encrypt your email
.... ... ...
To get started, check out the Electronic Frontier Foundation's Surveillance Self-Defense guide
for using email encryption for Windows, Mac OS X, and Linux. If enough people in your
organization use encrypted email, consider using our newly released tool GPG Sync to make it
You cats haven't had end to end encryption for more than 5 years and while not at all
difficult to accomplish, the resistance to using such code has amazed all in the ITSEC
community not feeding at the .gov trough. All your ISP's have been carrying NSA gear within
their infrastructure for how long now? Juniper's back door in their gear wasn't to push
firmware updates. The whole system has been left open for a number of reasons, none of which
would be capitalism, free markets or satisfied consumers.
Kirk2NCC1701 -> junction
•Oct 8, 2016 2:59 PM
Well, if you use Yahoo, Outlook or Google mail, then you're the Village Idiot, if you use
those free services for anything other than harmless, boring stuff. You know, Yoga and Cooking
recipes -- like Hillary.
IF you're serious about email privacy, use an email service that is OUTSIDE the US.
As you know, I use Hushmail.me for my Kirk2NCC1701 handle and ZH friends. Hushmail is in
Canada and after speaking with them in person, I am confident that they take their customer's
Privacy seriously, especially for their paying customers. Now, I may have used a Yahoo
alt-persona account, but only for "Trumping". I also may have used Google and Outlook for
"vanilla" stuff, and I may have used other offshore emails for "secure" purposes where lawful
business and personal privacy matters were involved (but No illegal activities, as I'm not an
"illegal" type. Devious, curious, inquiring, opinionated? Hell yes. Illegal? No.)
Been using Pidgeon and Forked stick for years for private stuff.....
as for my Gmail account, I don't give a shit.....
Parrotile -> Kirk2NCC1701
•Oct 8, 2016 8:46 PM
I very rarely need to send anything particularly confidential. My employers expect me to
use the systems they provide for all "Medical in Confidence" stuff, and so since that
requirement is part of my Contract, they are entirely liable for any failures, not me.
EMail - Outlook. It works and again nothing of "interest" is ever sent. If I DO need to
send information that's "Sensitive", I have one of these: -
Word that Yahoo! last year, at the urging of the National Security Agency, secretly developed
a program that monitored the mail of all 280 million of its customers and turned over to the NSA
all mail from those who used any of the agency's thousands of keywords, shows that the US has become
a total police state in terms of trying to monitor every person in the country (and outside too).
With the courts, especially at the appellate and Supreme Court level, rolling over and supporting
this massive evisceration of basic freedoms, including the First Amendment guarantee of freedom of
speech and the Fourth Amendment protection against illegal search and seizure and invasion of privacy,
perhaps the best way for us to fight back is to overload the spy system. How to do this? Just copy
and paste random fragments of the following list (a bit dated, but useable), provided courtesy of
the publication Business Insider, and include them in every communication - email, social media,
etc. - that you send out.
The secret Yahoo! assault (reported on here by Alfredo Lopez in yesterday's article),
works by searching users' emails for keywords on an NSA list of suspected words that might be used
by alleged terrorists or anti-government activists, and then those suspect communications are forwarded
to the NSA, where humans eventually have to separate the wheat from the chaff. Too much chaff (and
they surely have too much chaff anyhow!) and they will be buried with work and unable to read anything.
In fact, critics of the government's metastasizing universal surveillance program, including former
FBI agents and other experts, have long criticized the effort to turn the US into a replica of East
Germany with its Stasi secret police, saying it cannot work and is actually counter-productive, because with
spy agencies' limited manpower looking at all the false leads provided by keyword monitoring, they
are bound to miss the real dangerous messages. In fact, this was also the argument used against the
FBI's program of monitoring mosques and suspecting every Muslim American who expressed criticism
of the US. Most are just people saying what a lot of us say: that the US wars in the Middle East
are wrong or even criminal, but they are just citizens or immigrants exercising their free speech
when they do this, not terrorists, and spying on them is and has been a huge waste of time and resources.
Software Could've Given NSA Much More Access Than Just Emails
Former employees of Yahoo have corroborated this week's stories about the company scanning all
emails coming into their servers on behalf of the NSA, saying that the "email scanner" software was
actually made and installed by the US government.
The employees, including at least one on Yahoo's own internal security team, reported finding
the software on the server and believing they were being hacked, before executives informed them
the government had done it. They described the software as a broader "rootkit" that could give the
NSA access to much more than just emails.
Yahoo itself has been mostly mum on the matter, issuing a statement claiming the initial reports
were "misleading" but not elaborating at all. The NSA denied the claim outright, though they have
been repeatedly caught lying about similar programs in the past.
Izabella Kaminska joined FT Alphaville in October
2008. Before that she worked as a producer at CNBC, a natural gas reporter at Platts and an associate
editor of BP's internal magazine.
If your email provider suffered a security breach would you:
a) prefer to be informed about it as soon as possible so as to take evasive action?
b) prefer not to be informed until years later, by which time any evasive actions may have
On the basis you chose the first option and a security breach happened, would you:
a) appreciate the warning and the password reset nudge, dismiss the incident to a Smeg happens
scenario and continue using the service provider because at least they're vigilant about security?
b) Recoil in disgust at the very idea your email provider's security systems were lax enough
to allow this to happen and immediately defect to a rival provider?
On the basis you would have chosen the first option and then the first option again (and then
a security breach happened), how would you then react if your email provider determined that a) it
was better to keep you in the dark about it and b) this was because they anticipated you would defect?
To wit, here's a nice insight from Nicole Perlroth and Vindu Goel
at the New York Times for the legacy loyal yahoo email users still out there (h/t @melaniehannah):
Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his
tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of
all user passwords, a step security experts consider standard after a breach. Employees say the
move was rejected by Ms. Mayer's team for fear that even something as simple as a password change
would drive Yahoo's shrinking email users to other services.
Two points on the back of that.
As a yahoo email user, I can testify to the fact that being continuously told by friends and family
that: "Hey there, I think your email may have been hacked" is incentive enough to defect to an alternative
Second, when I tried to download our complete email history so as to shutter the account formally,
we found that this was in fact impossible unless we had the time and temperament to forward up to
20 years worth of email individually to a new account.
To date I am yet to get a reply from the Yahoo service team with respect to how I might get my
hands on my own data in a more practical manner.
Speaking of frictions, here's another relevant snippet from the article:
The "Paranoids," the internal name for Yahoo's security team, often clashed with other parts
of the business over security costs. And their requests were often overridden because
of concerns that the inconvenience of added protection would make people stop using the company's
All of which suggests the crux of Mayer's Yahoo strategy was focused on maximising the security/access
paradox to her own benefit. Namely, maximising access to the detriment of user security if it helped
to bolster Yahoo's user numbers, but minimising user access to their own data if it helped to maximise
the security of yahoo's own stock valuation.
The choice between security and ease of access is a difficult one, and shouldn't be trivialized.
Password policies are a good example - overly loose, and hackers will be able to guess users'
passwords; overly strict (e.g., requiring a password change every month), and users will resort
to passwords on sticky notes stuck to their monitors. If you make things too difficult for users,
they will find ways to ease the burden, and some of those ways will actually make security significantly
That's not to say that Yahoo made the right decision, but it is to say that it isn't as easy as
assuming that more security is always better.
Oooh, you had a Yahoo email account? You've just lost a big chunk of credibility.
I mean I have a Yahoo account (as well as a Netscape account and a Hotmail, sorry, whatever they
call it) plus one or two others. Every time a new email provider has popped up I check their tech
credentials and migrate to the provider that seems to hire the best techies. They get the sensitive
mail. I keep the old accounts and use them for spam-associated registrations and whatnot.
Presently Google and Proton are my principal providers. Anyone who carried on with Yahoo for sensitive
mail has nobody to blame other than him/herself.
@izabellakaminska - set up your Yahoo account
and your new email account on an email client like Mac Mail or Microsoft Outlook - make sure they
are both set up as IMAP accounts. Wait for all the Yahoo email to download and then simply select
all messages and drag them across to your new account.
Thank you, this is a great suggestion. I've been trying to figure out how to backup my
Yahoo! account - I only use it for signing up for things where I might get spam, but still wanted
an easy way to back it up. I already used an e-mail client to get e-mails for one of my other accounts,
I don't know why it never occurred to me to do the same for Yahoo!.
Swapping standing in line at the check-out for the line at the exit. And when there is an issue
then the greeter calls in the check-out police thereby pissing off the customer. Brilliant.
While Apple fanboys are willing to work for their iPhone's company for free by doing their
own check-out I doubt that is likely for people going to Sam's Club. As well many customers, even
if they have a smartphone, will not enjoy using up their data plan as they try to check and process
the details online.
All these smartphone apps have one major goal, besides collecting credit fees. Reduce store
overhead by getting customers to do more of the work while eliminating employees. The winners
are not the customers or people looking for a way to make ends meet.
Another goal of course is to track even further every single purchase - what, and where,
and when. And then sell the consumption data to the insurers perhaps… a packet of cigs per day?
Or too many bottles of booze?
Of course they are already doing that with the store "fidelity cards", but the mobile apps
will be more precise and less optional.
"... A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing on a theory that one of its operatives carelessly left them available on a remote computer ..."
"... The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers. ..."
"... But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews. NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said. ..."
"... That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them. ..."
"... Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and one other person familiar with the matter said. ..."
A U.S. investigation into a leak of hacking tools used by the National Security Agency is focusing
on a theory that one of its operatives carelessly left them available on a remote computer and
Russian hackers found them, four people with direct knowledge of the probe told Reuters.
The tools, which enable hackers to exploit software flaws in computer and communications systems from
vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a
group calling itself Shadow Brokers.
The public release of the tools coincided with U.S. officials saying they had concluded that Russia
or its proxies were responsible for hacking political party organizations in the run-up to the Nov.
8 presidential election. On Thursday, lawmakers accused Russia of being responsible
... ... ...
But officials heading the FBI-led investigation now discount both of those scenarios, the
people said in separate interviews. NSA officials have told investigators that an employee or contractor
made the mistake about three years ago during an operation that used the tools, the people said.
That person acknowledged the error shortly afterward, they said. But the NSA did not inform the
companies of the danger when it first discovered the exposure of the tools, the sources said. Since
the public release of the tools, the companies involved have issued patches in the systems to protect them.
Investigators have not ruled out the possibility that the former NSA person, who has since departed
the agency for other reasons, left the tools exposed deliberately. Another possibility, two of the
sources said, is that more than one person at the headquarters or a remote location made similar
mistakes or compounded each other's missteps.
Representatives of the NSA, the Federal Bureau of Investigation and the office of the Director of
National Intelligence all declined to comment.
After the discovery, the NSA tuned its sensors to detect use of any of the tools by other parties,
especially foreign adversaries with strong cyber espionage operations, such as China and Russia.
That could have helped identify rival powers' hacking targets, potentially leading them to be defended
better. It might also have allowed U.S officials to see deeper into rival hacking operations while
enabling the NSA itself to continue using the tools for its own operations.
Because the sensors did not detect foreign spies or criminals using the tools on U.S. or allied
targets, the NSA did not feel obligated to immediately warn the U.S. manufacturers, an official and
one other person familiar with the matter said.
In this case, as in more commonplace discoveries of security flaws, U.S. officials weigh what intelligence
they could gather by keeping the flaws secret against the risk to U.S. companies and individuals
if adversaries find the same flaws.
Richard Tynan, a technologist with Privacy International, told The Intercept
that the "manuals released today offer the most up-to-date view on the
operation of" Stingrays and similar cellular surveillance devices, with
powerful capabilities that threaten civil liberties, communications infrastructure,
and potentially national security. He noted that the documents show the
"Stingray II" device can impersonate four cellular communications towers
at once, monitoring up to four cellular provider networks simultaneously,
and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously.
"... Submitted by Sophie McAdam via TrueActivist.com, ..."
"... He disclosed that government spies can legally hack into any citizen's phone to listen in to what's happening in the room, view files, messages and photos, pinpoint exactly where a person is (to a much more sophisticated level than a normal GPS system), and monitor a person's every move and every conversation, even when the phone is turned off. ..."
"... "Nosey Smurf": lets spies turn the microphone on and listen in on users, even if the phone itself is turned off ..."
"... Snowden says: "They want to own your phone instead of you." It sounds very much like he means we are being purposefully encouraged to buy our own tracking devices. That kinda saved the government some money, didn't it? ..."
"... It's one more reason to conclude that smartphones suck. And as much as we convince ourselves how cool they are, it's hard to deny their invention has resulted in a tendency for humans to behave like zombies, encouraged child labor, made us more lonely than ever, turned some of us into narcissistic selfie-addicts, and prevented us from communicating with those who really matter (the ones in the same room at the same time). Now, Snowden has given us yet another reason to believe that smartphones might be the dumbest thing we could have ever inflicted on ourselves. ..."
In an interview with the BBC's 'Panorama' which aired in Britain last week,
Edward Snowden spoke in detail about the spying capabilities of the UK intelligence
agency GCHQ. He disclosed that government spies can legally hack
into any citizen's phone to listen in to what's happening in the room, view
files, messages and photos, pinpoint exactly where a person is (to a much more
sophisticated level than a normal GPS system), and monitor a person's every
move and every conversation, even when the phone is turned off. These technologies are named after Smurfs, those little
blue cartoon characters who had a recent Hollywood makeover. But despite the
cute name, these technologies are very disturbing; each one is built to spy
on you in a different way:
"Dreamy Smurf": lets the phone be powered on and off
"Nosey Smurf": lets spies turn the microphone on and listen in on
users, even if the phone itself is turned off
"Tracker Smurf": a geo-location tool which allows [GCHQ]
to follow you with a greater precision than you would get from the typical
triangulation of cellphone towers.
"Paranoid Smurf": hides the fact that it has taken
control of the phone. The tool will stop people from recognizing that the
phone has been tampered with if it is taken in for a service, for instance.
Snowden says: "They want to own your phone instead of you." It sounds
very much like he means we are being purposefully encouraged to buy our own
tracking devices. That kinda saved the government some money, didn't it?
His revelations should worry anyone who cares about human rights, especially
in an era where the threat of terrorism is used to justify all sorts of governmental
crimes against civil liberties. We have willingly given up our freedoms in the
name of security; as a result we have
neither. We seem to have forgotten that to live as a free person is a basic
human right: we are essentially free beings. We are born naked and without certification;
we do not belong to any government nor monarchy nor individual, we don't even
belong to any nation or culture or religion- these are all social constructs.
We belong only to the universe that created us, or whatever your equivalent
belief. It is therefore a natural human right not to be under secret
surveillance by your own government, those corruptible liars who are supposedly
elected by and therefore accountable to the people.
The danger for law-abiding citizens who say they have nothing to fear because
they are not terrorists, beware: many peaceful British protesters have been
arrested under the Prevention Of Terrorism Act since its introduction in
Snowden's disclosure confirms just how far the attack on civil liberties
has gone since 9/11 and the London bombings. Both events have allowed governments the legal
right to essentially wage war on their own people, through the Patriot Act in
the USA and the Prevention Of Terrorism Act in the UK. In Britain, as in the USA,
activism seem to have morphed into one entity, while nobody really knows
who the real terrorists are any more. A sad but absolutely realistic fact of life in
2015: if you went to a peaceful protest at weekend and got detained, you're
hacked right now.
It's one more reason to conclude that smartphones suck. And as much as
we convince ourselves how cool they are, it's hard to deny their invention has
resulted in a tendency for humans to behave like zombies, encouraged child labor,
made us more lonely than ever, turned some of us into narcissistic selfie-addicts,
and prevented us from communicating with those who really
matter (the ones in the same room at the same time). Now, Snowden has given
us yet another reason to believe that smartphones might be the dumbest thing
we could have ever inflicted on ourselves.
on Tuesday September 06, 2016 @02:00PM
Sean Gallagher, writing for ArsTechnica:
major site breach from four years ago has resurfaced. Today, LeakedSource revealed that it had
received a copy of a February 2012 dump of the user database of Rambler.ru, a Russian search, news,
and e-mail portal site that closely mirrors the functionality of Yahoo. The dump included usernames,
passwords, and ICQ instant messaging accounts for over 98 million users. And while previous breaches
uncovered by LeakedSource this year had at least some encryption of passwords, the Rambler.ru
database stored user passwords in plain text -- meaning that whoever breached the database instantly
had access to the e-mail accounts of all of Rambler.ru's users. The breach is the latest in a
series of "mega-breaches" that LeakedSource says it is processing for release. Rambler isn't the only
Russian site that has been caught storing unencrypted passwords by hackers. In June, a hacker
offered for sale the entire user database of the Russian-language social networking site VK.com
(formerly VKontakte) from a breach that took place in late 2012 or early 2013; that database also
included unencrypted user passwords, as ZDNet's Zach
on Monday September 12, 2016 @04:00PM
The Intercept has today published 200-page documents revealing details about Harris
Corp's Stingray surveillance device, which has been one of the closely guarded secrets in law
enforcement for more than 15 years. The firm, in collaboration with police clients across the U.S.
have "fought" to keep information about the mobile phone-monitoring boxes from the public against which
they are used. The publication reports that the surveillance equipment carries a price tag in the
"low six figures." From the report:
Bernardino Sheriff's Department alone has snooped via Stingray, sans warrant, over 300 times. Richard
Tynan, a technologist with Privacy International, told The Intercept that the "manuals released today
offer the most up-to-date view on the operation of" Stingrays and similar cellular surveillance devices,
with powerful capabilities that threaten civil liberties, communications infrastructure, and
potentially national security. He noted that the documents show the "Stingray II" device can
impersonate four cellular communications towers at once, monitoring up to four cellular provider
networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks
simultaneously.
I just found this via Hacker News… perhaps it was in yesterday's links and I missed it. Truly
scary in the Orwellian sense and yet another reason not to use a smartphone. Chilling read.
SAN FRANCISCO - Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their
every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup
fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like
- just check out the company's price list.
The NSO Group is one of a number of companies that sell surveillance tools that can capture
all the activity on a smartphone, like a user's location and personal contacts. These tools can
even turn the phone into a secret recording device.
Since its founding six years ago, the NSO Group has kept a low profile. But last month, security
researchers caught its spyware trying to gain access to the iPhone of a human rights activist
in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote
about corruption in the Mexican government.
Now, internal NSO Group emails, contracts and commercial proposals obtained by The New York
Times offer insight into how companies in this secretive digital surveillance industry operate.
The emails and documents were provided by two people who have had dealings with the NSO Group
but would not be named for fear of reprisals.
I could be wrong, but the promos for Sixty Minutes on the local news make it seem they might
be about this subject. Either way it is another scare you about what your cell phone can do story,
possibly justified this time.
An anecdote which I cannot support with links or other evidence:
A friend of mine used to work for a (non USA) security intelligence service. I was bouncing
ideas off him for a book I'm working on, specifically ideas about how monitoring/electronics/spying
can be used to measure and manipulate societies. He was useful for telling if my ideas (for a
Science Fiction novel) were plausible without ever getting into details. Always very careful to
keep his replies in the "white" world of what any computer security person would know, without
delving into anything classified.
One day we were way out in the back blocks, and I laid out one scenario for him to see if it
would be plausible. All he did was smile cryptically, and point at a cell phone lying on a table
10 meters away. He wouldn't say a word on the subject.
It wasn't his cellphone, and we were in a relatively remote region with no cell phone coverage.
It told me that my book idea was far too plausible. It also told me that every cellphone is
likely recording everything all the time, for later upload when back in signal range. (Or at least
there was the inescapable possibility that the cell phones were doing so, and that he had to assume
foreign (or domestic?) agencies could be following him through monitoring of cell phones of friends
It was a clarifying moment for me.
Every cellphone has a monumental amount of storage space (especially for audio files). Almost
every cellphone only has a software "switch" for turning it off, not a hardware interlock where
you can be sure off is off. So how can you ever really be sure it is "off"? Answer- you can't
Sobering thought. Especially when you consider the Bluffdale facility in the USA.
SAN FRANCISCO - Want to invisibly spy on 10 iPhone
owners without their knowledge? Gather their every keystroke, sound,
message and location? That will cost you $650,000, plus a $500,000 setup fee with an
Israeli outfit called the NSO Group. You can spy on more people if you would like -
just check out the company's price list.
The NSO Group is one of a number of companies that sell surveillance tools
that can capture all the activity on a smartphone, like a
user's location and personal contacts. These tools can even turn the phone into a
secret recording device.
Since its founding six years ago, the NSO Group has kept a low profile. But last
month, security researchers caught its spyware trying to gain access
to the iPhone of a human rights activist
in the United Arab Emirates. They also discovered a second target, a Mexican
journalist who wrote about corruption in the Mexican government.
Now, internal NSO Group emails, contracts and commercial proposals obtained by The
New York Times offer insight into how companies in this secretive digital
surveillance industry operate. The emails and documents were provided by two people
who have had dealings with the NSO Group but would not be named for fear of
reprisals.
The company is one of dozens of digital spying outfits that track everything a target
does on a smartphone. They aggressively market their services to governments and law
enforcement agencies around the world. The industry argues that this spying is
necessary to track terrorists, kidnappers and drug lords. The NSO Group's corporate
mission statement is "Make the world a safe place."
Ten people familiar with the company's sales, who refused to be identified, said that
the NSO Group has a strict internal vetting process to determine who it will sell to.
An ethics committee made up of employees and external counsel vets potential
customers based on human rights rankings set by the World Bank and other global
bodies. And to date, these people all said, NSO has yet to be denied an export
But critics note that the company's spyware has also been used to track journalists
and human rights activists.
"There's no check on this," said Bill Marczak, a senior fellow at the Citizen Lab at
the University of Toronto's Munk School of Global Affairs. "Once NSO's systems are
sold, governments can essentially use them however they want. NSO can say they're
trying to make the world a safer place, but they are also making the world a more
The NSO Group's capabilities are in higher demand now that companies like Apple,
Facebook and Google are using stronger encryption to protect data in their systems,
in the process making it harder for government agencies to track suspects.
The NSO Group's spyware finds ways around encryption by baiting targets to click
unwittingly on texts containing malicious links or by exploiting previously
undiscovered software flaws. It was taking advantage of three such flaws in Apple software
- since fixed - when it was discovered by researchers last month.
The cyberarms industry typified by the NSO Group operates in a legal gray area, and
it is often left to the companies to decide how far they are willing to dig into a
target's personal life and what governments they will do business with. Israel has
strict export controls for digital weaponry, but the country has never barred the
sale of NSO Group technology.
Since it is privately held, not much is known about the NSO Group's finances, but its
business is clearly growing. Two years ago, the NSO Group sold a controlling stake in
its business to Francisco Partners, a
firm based in San Francisco, for $120 million. Nearly a year
later, Francisco Partners was exploring a sale of the company for 10 times that
amount, according to two people approached by the firm but forbidden to speak about
The company's internal documents detail pitches to countries throughout Europe and
multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15
million for three projects over three years, according to internal NSO Group emails
dated in 2013.
"Our intelligence systems are subject to Mexico's relevant legislation and have legal
authorization," Ricardo Alday, a spokesman for the Mexican embassy in Washington,
said in an emailed statement. "They are not used against journalists or activists.
All contracts with the federal government are done in accordance with the law."
Zamir Dahbash, an NSO Group spokesman, said that the sale of its spyware was
restricted to authorized governments and that it was used solely for criminal and
terrorist investigations. He declined to comment on whether the company would cease
selling to the U.A.E. and Mexico after last week's disclosures.
For the last six years, the NSO Group's main product, a tracking system called
Pegasus, has been used by a growing number of government agencies to target a range
of smartphones - including iPhones, Androids, and BlackBerry and Symbian systems -
without leaving a trace.
Among the Pegasus system's capabilities, NSO Group contracts assert, are the
abilities to extract text messages, contact lists, calendar records, emails, instant
messages and GPS locations. One capability that the NSO Group calls "room tap" can
gather sounds in and around the room, using the phone's own microphone.
Pegasus can use the camera to take snapshots or screen grabs. It can deny the phone
access to certain websites and applications, and it can grab search histories or
anything viewed with the phone's web browser. And all of the data can be sent back to
the agency's server in real time.
In its commercial proposals, the NSO Group asserts that its tracking software and
hardware can install itself in any number of ways, including "over the air stealth
installation," tailored text messages and emails, through public Wi-Fi hot spots
rigged to secretly install NSO Group software, or the old-fashioned way, by spies in
Much like a traditional software company, the NSO Group prices its surveillance tools
by the number of targets, starting with a flat $500,000 installation fee. To spy on
10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android
users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users - on
top of the setup fee, according to one commercial proposal.
You can pay for more targets. One hundred additional targets will cost $800,000, 50
extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000,
according to an NSO Group commercial proposal. There is an annual system maintenance
fee of 17 percent of the total price every year thereafter.
What that gets you, NSO Group documents say, is "unlimited access to a target's
mobile devices." In short, the company says: You can "remotely and covertly collect
information about your target's relationships, location, phone calls, plans and
activities - whenever and wherever they are."
And, its proposal adds, "It leaves no traces whatsoever."
"... Some "American" companies and public research institutions are surely victims of espionage, but for the most part private industry has brought this on itself by building offshore offices and *actively* directing their workers to transfer the knowledge and "train their replacements", so that they can do the work instead of US workers who are let go (or not again hired) because their skills are now "irrelevant". ..."
"... In "defense" or "national interest" related work, for the most part citizens of or even people originating from countries that are considered military or geopolitical adversaries are excluded from participation. This makes it much harder to infiltrate people in the US, as long as it is not offshored. But then the US govt and its contractors will pay higher rates for the product/service than US consumers who will have to do "more with less" (money). ..."
"... Oh, China (public and private entities) surely engages in those things it is accused of, but this is by far outweighed by US business captains shoving the "free" know-how and innovation down their throats to enable the short term "cost savings" (which will in short order be compensated for by declining aggregate demand when the formerly well paid local staff can only buy the cheapest stuff, and retail adjusts and mostly orders the cheapest). ..."
"... Likewise most "everybody else" also. I have a good number of colleagues from China and other Asian countries. Many of them take pride in coming up with their own solutions instead of copying stuff, like people everywhere. ..."
"... A German language article where this and other cases are mentioned: http://www.zeit.de/1998/28/199828.spionage.neu_.xml Nobody is squeaky clean in this game. ..."
"... At the time I was working in a tech company there, and new security protocols were instituted, like not sending certain confidential information by email or fax. There was even an anecdote (unverified) of how a foreign service (not US in that case) was allegedly intercepting business documents/negotiations that were conducted by fax, and making the information available to "their" own companies bidding for the same project. Whether true or not, that's what the management was concerned about. ..."
" If spying is the world's second oldest profession, the government of China has given it a
new, modern-day twist, enlisting an army of spies not to steal military secrets but the trade
secrets and intellectual property of American companies. It's being called "the great brain robbery
The Justice Department says that the scale of China's corporate espionage is so vast it constitutes
a national security emergency, with China targeting virtually every sector of the U.S. economy,
and costing American companies hundreds of billions of dollars in losses -- and more than two
John Carlin: They're targeting our private companies. And it's not a fair fight. A private
company can't compete against the resources of the second largest economy in the world."
John Carlin: This is a serious threat to our national security. I mean, our economy depends on
the ability to innovate. And if there's a dedicated nation state who's using its intelligence
apparatus to steal day in and day out what we're trying to develop, that poses a serious threat
to our country.
Lesley Stahl: What is their ultimate goal, the Chinese government's ultimate goal?
John Carlin: They want to develop certain segments of industry and instead of trying to out-innovate,
out-research, out-develop, they're choosing to do it through theft.
All you have to do, he says, is look at the economic plans published periodically by the Chinese
Politburo. They are, according to this recent report by the technology research firm INVNT/IP,
in effect, blueprints of what industries and what companies will be targeted for theft."
Some "American" companies and public research institutions are surely victims of espionage,
but for the most part private industry has brought this on itself by building offshore offices
and *actively* directing their workers to transfer the knowledge and "train their replacements",
so that they can do the work instead of US workers who are let go (or not again hired) because
their skills are now "irrelevant".
Likewise if a manufacturer outsources to an offshore supplier, they have to divulge some of
their secret sauce and technical skill to their "partner" if they want the product to meet specs
and quality metrics.
In "defense" or "national interest" related work, for the most part citizens of or even
people originating from countries that are considered military or geopolitical adversaries are
excluded from participation. This makes it much harder to infiltrate people in the US, as long
as it is not offshored. But then the US govt and its contractors will pay higher rates for the
product/service than US consumers who will have to do "more with less" (money).
Oh, China (public and private entities) surely engages in those things it is accused of, but
this is by far outweighed by US business captains shoving the "free" know-how and innovation down
their throats to enable the short term "cost savings" (which will in short order be compensated
for by declining aggregate demand when the formerly well paid local staff can only buy the cheapest
stuff, and retail adjusts and mostly orders the cheapest).
Likewise most "everybody else" also. I have a good number of colleagues from China and other
Asian countries. Many of them take pride in coming up with their own solutions instead of copying
stuff, like people everywhere.
"Stealing" of ideas is practiced everywhere. I know an anecdote from a "Western" company where
a high level engineering manager suggested inviting another academic/research group on the pretext
of exploring a collaboration, only to get enough of an idea of their approach, and then dump them.
Several of the present staff balked at this and it didn't go anywhere. But it was instructive.
(1) How is it done (because we don't know)
(2) Which approach has been proven to work (out of many that we would have to try)
The focus in discussing the topic is often on (1), and it is certainly an important aspect,
perhaps the most important one if the adversary is in bootstrapping mode.
However once you are at a certain level, (2) becomes more important - the solution space is
simply too large, and knowing what has already worked elsewhere can cut through a lot of failed
experiments (including finding a better solution of course).
(2) also relates somewhat to "best practices" - don't try to innovate and create yet another
proprietary thing that only the people who created it understand, do what everybody else is doing,
then you can hire more people who "already know it", or if "others" improve or build on the existing
solution, that immediately applies to your version as well.
The downside is that your solution is not "differentiated". But if it is cheaper it doesn't
where US electronic surveillance was allegedly involved in a business dispute. In this case
there is no explicit claim about technology theft, but two companies were accusing each other
of patent violations, and espionage techniques were used to "obtain evidence".
BTW note the date - this kind of stuff was going on in the 90's. It is not a recent invention.
BTW this here was mentioned, you may have heard of it, in any case it was a big deal in Germany
where the US had several operational bases:
At the time I was working in a tech company there, and new security protocols were instituted,
like not sending certain confidential information by email or fax. There was even an anecdote
(unverified) of how a foreign service (not US in that case) was allegedly intercepting business
documents/negotiations that were conducted by fax, and making the information available to "their"
own companies bidding for the same project. Whether true or not, that's what the management was
concerned about.
"... The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, "ace02468bdf13579." That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE. ..."
On Monday, a hacking group calling itself the "ShadowBrokers" announced an auction
for what it claimed were "cyber weapons" made by the NSA. Based on never-before-published
documents provided by the whistleblower Edward Snowden, The Intercept
can confirm that the arsenal contains authentic NSA software, part of a powerful
constellation of tools used to covertly infect computers worldwide.
of the code has been a matter of heated debate this week among cybersecurity
experts, and while it remains unclear how the software leaked, one thing is
now beyond speculation: The malware is covered with the NSA's virtual fingerprints
and clearly originates from the agency.
The evidence that ties the ShadowBrokers dump to the NSA comes in an
agency manual for implanting malware, classified top secret, provided by Snowden,
and not previously available to the public. The draft manual instructs NSA operators
to track their use of one malware program using a specific 16-character string,
"ace02468bdf13579." That exact same string appears throughout the ShadowBrokers
leak in code associated with the same program, SECONDDATE.
SECONDDATE plays a specialized role inside a complex global system built
by the U.S. government to infect and monitor what one document
estimated to be millions of computers around the world. Its release by ShadowBrokers,
alongside dozens of other malicious tools, marks the first time any full copies
of the NSA's offensive software have been available to the public, providing
a glimpse at how an elaborate system outlined in the Snowden documents looks
when deployed in the real world, as well as concrete evidence that NSA hackers
don't always have the last word when it comes to computer exploitation.
But malicious software of this sophistication doesn't just pose a threat
to foreign governments, Johns Hopkins University cryptographer Matthew Green
told The Intercept:
The danger of these exploits is that they can be used to target anyone
who is using a vulnerable router. This is the equivalent of leaving lockpicking
tools lying around a high school cafeteria. It's worse, in fact, because
many of these exploits are not available through any other means, so they're
just now coming to the attention of the firewall and router manufacturers
that need to fix them, as well as the customers that are vulnerable.
So the risk is twofold: first, that the person or persons who stole this
information might have used them against us. If this is indeed Russia, then
one assumes that they probably have their own exploits, but there's no need
to give them any more. And now that the exploits have been released, we
run the risk that ordinary criminals will use them against corporate targets.
The NSA did not respond to questions concerning ShadowBrokers, the Snowden
documents, or its malware.
A Memorable SECONDDATE
The offensive tools released by ShadowBrokers are organized under a litany
of code names such as POLARSNEEZE and ELIGIBLE BOMBSHELL, and their exact purpose
is still being assessed. But we do know more about one of the weapons: SECONDDATE.
SECONDDATE is a tool designed to intercept web requests and redirect browsers
on target computers to an NSA web server. That server, in turn, is designed
to infect them with malware. SECONDDATE's existence was
first reported by The Intercept in 2014, as part of a look at a
global computer exploitation effort code-named TURBINE. The malware server,
known as FOXACID, has also been
described in previously released Snowden documents.
Other documents released by The Intercept today not only tie SECONDDATE
to the ShadowBrokers leak but also provide new detail on how it fits into the
NSA's broader surveillance and infection network. They also show how SECONDDATE
has been used, including to spy on Pakistan and a computer system in Lebanon.
The top-secret manual that authenticates the SECONDDATE found in the wild
as the same one used within the NSA is a 31-page document titled "FOXACID
SOP for Operational Management" and marked as a draft. It dates to no earlier
than 2010. A section within the manual describes administrative tools for tracking
how victims are funneled into FOXACID, including a set of tags used to catalogue
servers. When such a tag is created in relation to a SECONDDATE-related infection,
the document says, a certain distinctive identifier must be used:
The same SECONDDATE MSGID string appears in 14 different files throughout
the ShadowBrokers leak, including in a file titled SecondDate-3021.exe. Viewed
through a code-editing program (screenshot below), the NSA's secret number can
be found hiding in plain sight:
All told, throughout many of the folders contained in the ShadowBrokers'
package (screenshot below), there are 47 files with SECONDDATE-related names,
including different versions of the raw code required to execute a SECONDDATE
attack, instructions for how to use it, and other related files.
After viewing the code, Green told The Intercept the MSGID string's
occurrence in both an NSA training document and this week's leak is "unlikely
to be a coincidence." Computer security researcher Matt Suiche, founder of UAE-based
cybersecurity startup Comae Technologies, who has been particularly vocal in
his analysis of the ShadowBrokers this week, told The Intercept "there
is no way" the MSGID string's appearance in both places is a coincidence.
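The check described above, sweeping a collection of files for the tracking string, can be sketched as follows. This is an added example, not code from The Intercept or from the leak: the sample files are constructed, and the function names and the choice to look for both ASCII and UTF-16LE encodings are assumptions.

```python
import os
import tempfile

# Tracking string quoted on this page (FOXACID manual and ShadowBrokers files).
MSGID = "ace02468bdf13579"


def build_patterns(indicator):
    """Byte encodings under which the same text can sit inside a binary."""
    return {
        "ascii": indicator.encode("ascii"),
        "utf-16le": indicator.encode("utf-16-le"),
    }


def scan_file(path, patterns, chunk_size=64 * 1024):
    """Stream a file and return sorted (offset, encoding) hits.

    A tail of len(longest pattern) - 1 bytes is carried into the next chunk,
    so a match that straddles a chunk boundary is still found exactly once.
    """
    keep = max(len(p) for p in patterns.values()) - 1
    hits = set()  # a set, because a short match inside the tail is seen twice
    tail = b""
    base = 0  # file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = tail + chunk
            for name, pat in patterns.items():
                pos = buf.find(pat)
                while pos != -1:
                    hits.add((base + pos, name))
                    pos = buf.find(pat, pos + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return sorted(hits)


def scan_tree(root, indicator=MSGID, chunk_size=64 * 1024):
    """Walk a directory and map relative path -> hits for files that match."""
    patterns = build_patterns(indicator)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                hits = scan_file(path, patterns, chunk_size)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def make_sample_tree(root):
    """Constructed test data, not files from the leak."""
    os.makedirs(os.path.join(root, "bin"))
    # ASCII copy at offset 56, so it straddles the 64-byte chunks used in demo().
    with open(os.path.join(root, "bin", "sample_a.bin"), "wb") as fh:
        fh.write(b"\x00" * 56 + MSGID.encode("ascii") + b"\xff" * 40)
    # UTF-16LE copy, the way a wide-character string is stored in a binary.
    with open(os.path.join(root, "bin", "sample_b.bin"), "wb") as fh:
        fh.write(b"\x90" * 10 + MSGID.encode("utf-16-le") + b"\x00\x00")
    # Near miss: the last character differs, so it must not be reported.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"id=ace02468bdf1357a\n")


def demo():
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan_tree(root, chunk_size=64)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

A plain text search would miss the UTF-16LE copy, and a chunked reader without the carried tail would miss the copy that crosses a read boundary.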
Where SECONDDATE Fits In
This overview jibes with previously unpublished classified files provided
by Snowden that illustrate how SECONDDATE is a component of BADDECISION, a broader
NSA infiltration tool. SECONDDATE helps the NSA pull off a "man in the middle"
attack against users on a wireless network, tricking them into thinking they're
talking to a safe website when in reality they've been sent a malicious payload
from an NSA server.
According to one December 2010 PowerPoint presentation titled "Introduction
to BADDECISION," that tool is also designed to send users of a wireless
network, sometimes referred to as an 802.11 network, to FOXACID malware servers.
Or, as the presentation puts it, BADDECISION is an "802.11 CNE [computer network
exploitation] tool that uses a true man-in-the-middle attack and a frame injection
technique to redirect a target client to a FOXACID server." As another
top-secret slide puts it, the attack homes in on "the greatest vulnerability
to your computer: your web browser."
One slide points out that the attack works on users with an encrypted wireless
connection to the internet.
That trick, it seems, often involves BADDECISION and SECONDDATE, with the
latter described as a "component" for the former. A series of diagrams in the
"Introduction to BADDECISION" presentation show how an NSA operator "uses SECONDDATE
to inject a redirection payload at [a] Target Client," invisibly hijacking a
user's web browser as the user attempts to visit a benign website (in the example
given, it's CNN.com). Executed correctly, the file explains, a "Target Client
continues normal webpage browsing, completely unaware," lands on a malware-filled
NSA server, and becomes infected with as much of that malware as possible -
or as the presentation puts it, the user will be left "WHACKED!" In the other
top-secret presentations, it's put plainly: "How
do we redirect the target to the FOXACID server without being noticed"?
Simple: "Use NIGHTSTAND or BADDECISION."
The sheer number of interlocking tools available to crack a computer is dizzying.
FOXACID manual, government hackers are told an NSA hacker ought to be familiar
with using SECONDDATE along with similar man-in-the-middle wi-fi attacks code-named
MAGIC SQUIRREL and MAGICBEAN. A top-secret
presentation on FOXACID lists further ways to redirect targets to the malware
To position themselves within range of a vulnerable wireless network, NSA
operators can use a mobile antenna system running software code-named BLINDDATE,
depicted in the field in what appears to be Kabul. The software can even be
attached to a drone. BLINDDATE in turn can run BADDECISION, which allows for
a SECONDDATE attack:
Elsewhere in these files, there are at least two documented cases of SECONDDATE
being used to successfully infect computers overseas: An April 2013
presentation boasts of successful attacks against computer systems in both
Pakistan and Lebanon. In the first, NSA hackers used SECONDDATE to breach "targets
in Pakistan's National Telecommunications Corporation's (NTC) VIP Division,"
which contained documents pertaining to "the backbone of Pakistan's Green Line
communications network" used by "civilian and military leadership."
SECONDDATE is just one method that the NSA uses to get its target's browser
pointed at a FOXACID server. Other methods include sending spam that attempts
to exploit bugs in popular web-based email providers or entices targets to click
on malicious links that lead to a FOXACID server. One
document, a newsletter for the NSA's Special Source Operations division,
describes how NSA software other than SECONDDATE was used to repeatedly direct
targets in Pakistan to FOXACID malware web servers, eventually infecting the
A Potentially Mundane Hack
Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has
offered some context and a relatively mundane possible explanation for the leak:
that the NSA headquarters was not hacked, but rather one of the computers the
agency uses to plan and execute attacks was compromised. In a
series of tweets, he pointed out that the NSA often lurks on systems that
are supposed to be controlled by others, and it's possible someone at the agency
took control of a server and failed to clean up after themselves. A regime,
hacker group, or intelligence agency could have seized the files and the opportunity
to embarrass the agency.
"... The NSA identified Peña's cellphone and those of his associates using advanced software that can filter out specific phones from the swarm around the candidate. These lines were then targeted. The technology, one NSA analyst noted, "might find a needle in a haystack." The analyst described it as "a repeatable and efficient" process. ..."
"... Another NSA operation, begun in May 2010 and codenamed FLATLIQUID, targeted Pena's predecessor, President Felipe Calderon. The NSA, the documents revealed, was able "to gain first-ever access to President Felipe Calderon's public email account." ..."
"... At the same time, members of a highly secret joint NSA/CIA organization, called the Special Collection Service, are based in the U.S. embassy in Mexico City and other U.S. embassies around the world. It targets local government communications, as well as foreign embassies nearby. For Mexico, additional eavesdropping, and much of the analysis, is conducted by NSA Texas, a large listening post in San Antonio that focuses on the Caribbean, Central America and South America. ..."
"... Unlike the Defense Department's Pentagon, the headquarters of the cyberspies fills an entire secret city. Located in Fort Meade, Maryland, halfway between Washington and Baltimore, Maryland, NSA's headquarters consists of scores of heavily guarded buildings. The site even boasts its own police force and post office. ..."
"... One top-secret operation, code-named TreasureMap, is designed to have a "capability for building a near real-time interactive map of the global Internet. … Any device, anywhere, all the time." Another operation, codenamed Turbine, involves secretly placing "millions of implants" - malware - in computer systems worldwide for either spying or cyberattacks. ..."
"... Yet there can never be a useful discussion on the topic if the Obama administration continues to point fingers at other countries without admitting that Washington is engaged heavily in cyberspying and cyberwarfare. ..."
"... The Shadow Factory: The Ultra-Secret NSA From 9/11 to the Eavesdropping on America ..."
National attention is focused on Russian eavesdroppers' possible targeting of U.S. presidential candidates
and the Democratic Congressional Campaign Committee. Yet, leaked top-secret National Security Agency
documents show that the Obama administration has long been involved in major bugging operations against
the election campaigns -- and the presidents -- of even its closest allies.
The United States is,
by far, the world's
nation when it comes to cyberspying and cyberwarfare. The National Security Agency has been eavesdropping
on foreign cities, politicians, elections and entire countries since it first turned on its receivers
in 1952. Just as other countries, including Russia, attempt to do to the United States. What is new
is a country leaking the intercepts back to the public of the target nation through a middleperson.
There is a strange irony in this. Russia, if it is actually involved in the hacking of the computers
of the Democratic National Committee, could be attempting to influence a U.S. election by leaking
to the American public the falsehoods of its leaders. This is a tactic Washington used against the
Soviet Union and other countries during the Cold War.
In the 1950s, for example, President Harry S Truman created the Campaign of Truth to reveal to
the Russian people the "Big Lies" of their government. Washington had often discovered these lies
through eavesdropping and other espionage.
Today, the United States has morphed from a Cold War, and in some cases a hot war, into a cyberwar,
with computer coding replacing bullets and bombs. Yet the American public manages to be "shocked,
shocked" that a foreign country would attempt to conduct cyberespionage on the United States.
NSA operations have, for example, recently delved into elections in Mexico, targeting its
last presidential campaign. According to a top-secret PowerPoint presentation leaked by former NSA
contract employee Edward Snowden, the operation involved a "surge effort against one of Mexico's
leading presidential candidates, Enrique Peña Nieto, and nine of his close associates." Peña won
that election and is now Mexico's president.
The NSA identified Peña's cellphone and those of his associates using advanced software that can
filter out specific phones from the swarm around the candidate. These lines were then targeted. The
technology, one NSA analyst noted, "might find a needle in a haystack." The analyst described it
as "a repeatable and efficient" process.
Another NSA operation, begun in May 2010 and codenamed FLATLIQUID, targeted Peña's predecessor,
President Felipe Calderon. The NSA, the documents revealed, was able "to gain first-ever access to
President Felipe Calderon's public email account."
At the same time, members of a highly secret joint NSA/CIA organization, called the Special Collection
Service, are based in the U.S. embassy in Mexico City and other U.S. embassies around the world.
It targets local government communications, as well as foreign embassies nearby. For Mexico, additional
eavesdropping, and much of the analysis, is conducted by NSA Texas, a large listening post in San
Antonio that focuses on the Caribbean, Central America and South America.
Unlike the Defense Department's Pentagon, the headquarters of the cyberspies fills an entire secret
city. Located in Fort Meade, Maryland, halfway between Washington and Baltimore, Maryland, NSA's
headquarters consists of scores of heavily guarded buildings. The site even boasts its own police
force and post office.
And it is about to grow considerably bigger, now that the NSA cyberspies have merged with the
cyberwarriors of U.S. Cyber Command, which controls its own Cyber Army, Cyber Navy, Cyber Air Force
and Cyber Marine Corps, all armed with state-of-the-art cyberweapons. In charge of it all is a four-star
admiral, Michael S. Rogers.
Now under construction inside NSA's secret city, Cyber Command's new $3.2-billion headquarters
is to include 14 buildings, 11 parking garages and an enormous cyberbrain - a 600,000-square-foot,
$896.5-million supercomputer facility that will eat up an enormous amount of power, about 60 megawatts.
This is enough electricity to power a city of more than 40,000 homes.
In 2014, for a cover story in Wired and a PBS documentary, I spent three days in Moscow
with Snowden, whose last NSA job was as a contract cyberwarrior. I was also granted rare access to
his archive of documents. "Cyber Command itself has always been branded in a sort of misleading way
from its very inception," Snowden told me. "It's an attack agency. … It's all about computer-network
attack and computer-network exploitation at Cyber Command."
The idea is to turn the Internet from a worldwide web of information into a global battlefield
for war. "The next major conflict will start in cyberspace," says one of the secret NSA documents.
One key phrase within Cyber Command documents is "Information Dominance."
The Cyber Navy, for example, calls itself the Information Dominance Corps. The Cyber Army is providing
frontline troops with the option of requesting "cyberfire support" from Cyber Command, in much the
same way it requests air and artillery support. And the Cyber Air Force is pledged to "dominate cyberspace"
just as "today we dominate air and space."
Among the tools at their disposal is one called Passionatepolka, designed to "remotely brick network
cards." "Bricking" a computer means destroying it – turning it into a brick.
One such situation took place in war-torn Syria in 2012, according to Snowden, when the NSA attempted
to remotely and secretly install an "exploit," or bug, into the computer system of a major Internet
provider. This was expected to provide access to email and other Internet traffic across much of
Syria. But something went wrong. Instead, the computers were bricked. It
took down the Internet across the country for a period of time.
While Cyber Command executes attacks, the National Security Agency seems more interested in tracking
virtually everyone connected to the Internet, according to the documents.
One top-secret operation, code-named TreasureMap, is designed to have a "capability for building
a near real-time interactive map of the global Internet. … Any device, anywhere, all the time." Another
operation, codenamed Turbine, involves secretly placing "millions of implants" - malware - in computer
systems worldwide for either spying or cyberattacks.
Yet, even as the U.S. government continues building robust eavesdropping and attack systems, it
looks like there has been far less focus on security at home. One benefit of the cyber-theft of the
Democratic National Committee emails might be that it helps open a public dialogue about the dangerous
potential of cyberwarfare. This is long overdue. The
possible security problems for the U.S. presidential election in November are already being discussed.
Yet there can never be a useful discussion on the topic if the Obama administration continues
to point fingers at other countries without admitting that Washington is engaged heavily in cyberspying
In fact, the United States is the only country ever to launch an actual cyberwar -- when the Obama
administration used a cyberattack to destroy thousands of centrifuges, used for nuclear enrichment,
in Iran. This was an illegal act of war, according to the Defense Department's own definition.
Given the news reports that many more DNC emails are waiting to be leaked as the presidential
election draws closer, there will likely be many more reminders of the need for a public dialogue
on cybersecurity and cyberwarfare before November.
(James Bamford is the author of The Shadow Factory: The Ultra-Secret NSA From 9/11 to the
Eavesdropping on America. He is a columnist for Foreign Policy magazine.)
After posting a 64 character hex code
that is believed to be an encryption key, the internet worries that the famed
whistleblower may have been killed or captured resulting in the triggering of a dead
man's switch and potentially the release of many more US national secrets.
A dead man's switch is a message set up to be automatically sent if the holder
of an account does not perform a regular check-in. The whistleblower has acknowledged
that he has distributed encrypted files to journalists and associates that have not
yet been released so in Snowden's case, the dead man's switch could be an encryption
key for those files.
As of this time, Edward Snowden's Twitter account has gone silent for over 24
hours which is far from unprecedented for the whistleblower but is curious at a time
when public concern has been raised over his well-being. The 64 hex characters in the
code do appear to rule out the initial theory that Edward Snowden, like so many
of us, simply butt dialed his phone, but instead is clearly a secure hash algorithm
that can serve as a signature for a data file or as a password.
The timing shortly after the "It's Time" tweet has also caused concern for some
such as a user named stordoff who believes that the nascent
Twitter post "was intended to set something in motion." The user postulates that it
is an encrypted message, a signal, or a password.
Snowden's initial data release in 2013 exposed what many had feared about the NSA
for years, that the agency had gone rogue and undertaken a massive scheme of domestic
surveillance. However, it is also known that the information released was only part
of the document cache he had acquired from government servers.
It has been reported that additional government data was distributed in encrypted
files to trusted journalists who were told to not release the information unless they
received a signal urging them to – information that the whistleblower determined was
too sensitive for release at the time.
The possibility also exists that Snowden has decided, after three years
in hiding, that additional information needed to be released to the public independent
of some physical harm to himself, but the whistleblower's fans and privacy advocates
across the world will continue to sit on the edge of their seats in worry until and
unless he tweets to confirm that he is safe.
The location stamps on just a handful of Twitter posts can help even low-tech stalkers find you,
The notion of online privacy has been greatly diminished in recent years, and just this week two
new studies confirm what to many minds is already a dismal picture.
First, a study
reported on Monday by Stanford University found that smartphone metadata - information about calls
and text messages, such as time and length - can reveal a surprising amount of personal detail.
To investigate their topic, the researchers built an Android app and used it to retrieve the metadata
about previous calls and text messages - the numbers, times, and lengths of communications - from more
than 800 volunteers' smartphone logs. In total, participants provided records of more than 250,000
calls and 1.2 million texts.
The researchers then used a combination of automated and manual processes to understand just what's
being revealed. What they found was that it's possible to infer a lot more than you might think.
A person who places multiple calls to a cardiologist, a local drug store, and a cardiac arrhythmia
monitoring device hotline likely suffers from cardiac arrhythmia, for example. Based on frequent
calls to a local firearms dealer that prominently advertises AR semiautomatic rifles and to the customer
support hotline of a major manufacturer that produces them, it's logical to conclude that another
likely owns such a weapon.
The researchers set out to fill what they consider knowledge gaps within the National Security
Agency's current phone metadata program. Currently, U.S. law gives more privacy protections to call
content and makes it easier for government agencies to obtain metadata, in part because policymakers
assume that it shouldn't be possible to infer specific sensitive details about people based on metadata
This study, reported in the Proceedings
of the National Academy of Sciences, suggests otherwise. Preliminary versions of the work have already
played a role in federal surveillance policy debates and have been cited in litigation filings and
letters to legislators in both the U.S. and abroad.
It takes as few as eight tweets to locate someone
Researchers at MIT and Oxford University, meanwhile, have
shown that the
location stamps on just a handful of Twitter posts can be enough to let even a low-tech snooper find
out where you live and work.
Though Twitter's location-reporting service is off by default, many Twitter users choose
to activate it. Now, it looks like even as few as eight tweets over the course of a single
day can give stalkers what they need to track you down.
The researchers used real tweets from Twitter users in the Boston area; users consented to the
use of their data and also confirmed their home and work addresses, their commuting routes, and the
locations of various leisure destinations from which they had tweeted.
The time and location data associated with the tweets were then presented to a group of 45 study
participants, who were asked to try to deduce whether the tweets had originated at the Twitter users'
homes, workplaces, leisure destinations or commute locations.
Bottom line: They had little trouble figuring it out. Equipped with map-based representations,
participants correctly identified Twitter users' homes roughly 65 percent of the time and their workplaces
at closer to 70 percent.
Part of a more general project at MIT's Internet Policy Research Initiative, the
paper was presented last
week at the Association for Computing Machinery's Conference on Human Factors in Computing Systems.
"Many people have this idea that only machine-learning techniques can discover interesting patterns
in location data, and they feel secure that not everyone has the technical knowledge to do that,"
said Ilaria Liccardi, a research scientist at MIT's Internet Policy Research Initiative and first
author on the paper. "What we wanted to show is that when you send location data as a secondary piece
of information, it is extremely simple for people with very little technical knowledge to find out
where you work or live."
Twitter said it does not comment on third-party research, but directed users to
online information about its optional location
"... Actually, you can hide nothing, and anything you said, wrote, or plausibly thought can and will be held against you at a time convenient for the Security State to whip it out if they have their way. ..."
The right of the people to be secure in their persons, houses, papers, and effects,
against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue,
but upon probable cause, supported by Oath or affirmation, and particularly describing the place
to be searched, and the persons or things to be seized.
Obviously, this paints our (overblown) liberties with an over-wide brush, and the Wise Solons
of our Senate know just how to get around this superannuated and flawed conceptual framework.
Just ignore this amendment. You've got nothing to hide, right, so what are you worried
about? Actually, you can hide nothing, and anything you said, wrote, or plausibly thought
can and will be held against you at a time convenient for the Security State to whip it out if
they have their way.
C'mon, it's an Empire now, and it plays by its own rules, and is not to be chained to some
fossilized, starry-eyed claptrap from the Enlightenment. Sheesh.
Wait, military special forces from over a dozen countries are running an exercise in the supposedly
sovereign territory of the United States? What, is this the transnational elite's super-special
SWAT team taking off the wraps? And Idiot America loves it. The Founding Fathers weep, just as
they do concerning that first item.
Let those malcontents from Green Day whine about the Idiocracy…
For a while the information contained with the leaked documents took a backseat to the cultural
impulse to dissect Snowden as a celebrity - his Reddit posts about sex and Cosmo asking "What
the hell is Edward Snowden's girlfriend thinking right now?" Then Sunday talk shows debated whether
Snowden was a fink, traitor, whistleblower, or spy - as the elusive former contractor made an
escape to Russia worthy of a spy-thriller chase scene.
But the Snowden documents contained serious information. Since June, we have learned about a variety
of NSA programs, including PRISM, a multilayered, multiagency program that mines the data of suspected
terrorists, as well as that of anyone even marginally associated with them. And the information that
has been released is reportedly just a
fraction of what exists.
Still, we have about eight months' worth of data dumps, information that has prompted the
promise of action from the White House,
bills in the Congress, and today's "Day We Fight Back" protest, which is calling on people around
the globe to protest NSA surveillance on the Web and in person. Below, we look back at some of the
most alarming revelations from Edward Snowden thus far.
The NSA intercepts deliveries. According to documents published by German newspaper
Der Spiegel, the NSA
uses a tactic called "method interdiction,"
which intercepts packages that are en route to the recipient. Malware or backdoor-enabling hardware
is installed in workshops by agents and the item then continues on its way to the customer.
The NSA can spy on PCs not connected to the Internet. Der Spiegel also published a document from an NSA division called ANT, which
revealed technology the NSA uses to carry out operations, including a radio-frequency device
that can monitor and even change data on computers that are not online.
Phone companies must turn over bulk phone data. In April,
Verizon was ordered to hand
over telephony metadata from calls made from the United States to other countries over the course
of three months. The metadata included originating and terminating phone numbers, mobile subscriber
identity numbers, calling card numbers, and the time and duration of calls. The secretive nature
of the FISA court that made the request for data, however, meant that Verizon and other companies
could not discuss the data requests.
The NSA collects email and IM contact lists. Hundreds of thousands of
are collected by the NSA in a single day, The Washington Post also revealed. While the
targets are outside of the United States, the scope of the collection means that info from U.S. citizens
is inevitably included.
The NSA eavesdrops on the phone calls of world leaders. The U.S. government's friends and family calling plan reportedly extends to the content of calls,
including tapping into German Chancellor Angela Merkel's phone calls from the
roof of the U.S. embassy in Berlin. The news prompted German officials to consider
creating their own Internet.
The NSA engages in industrial espionage. The U.S. government has framed the NSA's activities as necessary to keeping citizens safe, but Snowden
said on German television, "If there's information at Siemens that's beneficial to U.S. national
interests - even if it doesn't have anything to do with national security - then they'll
take that information nevertheless."
Tech companies cooperated with the NSA and then were asked not to talk about it. Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL, and Apple were all
named in the PRISM documents and
struggled with how to talk to the public about it because of gag orders.
The revelation that an Israeli firm cracked the iPhone raises questions about state-corporate
The Federal Bureau of Investigation (FBI) court battle with Apple over the security system in
place on iPhones appears to be over. But some experts in the communications security community are
expressing concern because of the
According to government sources speaking both on and off the record, the FBI succeeded in breaking
through the Apple security measures
with the assistance of an unidentified third party. The technique used was apparently not a one-off
and is transferable as the Bureau
has now indicated that
it will be accessing data on a second phone involved in a murder investigation in Arkansas and is
even considering allowing local police forces to share the technology. That means that the FBI
and whatever other security and police agencies both in the U.S. and abroad it provides the information
to will have the same capability, potentially compromising the security of all iPhones worldwide.
The breakthrough in the case leads inevitably to questions about the identity of the company or
individual that assisted the Bureau. It means that someone outside government circles would also
have the ability to unlock the phones, information that could eventually wind up in the hands of
criminals or those seeking to disrupt or sabotage existing telecommunications systems.
No security system is unbreakable if a sophisticated hacker is willing to put enough time, money
and resources into the effort. If the hacker is a government with virtually unlimited resources the
task is somewhat simpler as vast computer power will permit millions of attempts to compromise a
phone's operating system.
In this case, the problem consisted of defeating an "Erase Data" feature linked to a passcode
that had been placed on the target phone by Syed Farook, one of the shooters in December's San Bernardino
terrorist attack. Apple had
designed the system so that 10 failures to enter the correct passcode would lock the phone and
erase all the data on it. This frustrated FBI efforts to come up with the passcode by what is referred
to as a "brute force" attack where every possible combination of numbers and letters is entered until
the right code is revealed. Apple's security software also was able to detect multiple attempts after
entry of an incorrect passcode and slow down the process, meaning that in theory it would take five
and a half years for a computer to try all possible combinations of a six-character alphanumeric
passcode using numbers and lowercase letters even if it could disable the "Erase Data" feature.
Speculation is that the FBI and its third party associate were able to break the security by
circumventing the measure that monitors the number of unsuccessful passcode entries, possibly to
include generating new copies of the phone's NAND storage chip to negate the 10-try limit. The computer
generated passcodes could then be entered again and again until the correct code was discovered.
And, of course, once the method of corrupting the Erase Data security feature is determined it can
be used on any iPhone by anyone with the necessary computer capability, precisely the danger that
Apple had warned about when it refused to cooperate with the FBI in the first place.
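The arithmetic behind the passcode figures above, as an added example that is not part of the quoted article: it derives the per-guess cost implied by the five-and-a-half-year estimate and applies it to three illustrative passcode policies, showing how much of a short PIN's protection rests on the 10-try limit. It assumes a uniformly random passcode and a constant cost per guess; the policy list and all function names are constructed for this example.

```python
# Added example (not from the article): passcode-policy arithmetic built on
# the figures the article quotes. The policies compared are illustrative.
from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Figures stated in the article.
ARTICLE_YEARS = 5.5          # "five and a half years"
ARTICLE_ALPHABET = 26 + 10   # lowercase letters plus digits
ARTICLE_LENGTH = 6           # six-character passcode
ERASE_LIMIT = 10             # failed entries before "Erase Data" triggers


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: int  # number of distinct symbols allowed
    length: int    # passcode length


def keyspace(alphabet: int, length: int) -> int:
    """Number of possible passcodes for a given alphabet size and length."""
    return alphabet ** length


def implied_seconds_per_attempt() -> float:
    """Per-guess cost implied by the article's 5.5-year estimate."""
    total = ARTICLE_YEARS * SECONDS_PER_YEAR
    return total / keyspace(ARTICLE_ALPHABET, ARTICLE_LENGTH)


def assess(policy: Policy, per_attempt: float) -> dict:
    n = keyspace(policy.alphabet, policy.length)
    return {
        "keyspace": n,
        # Time to try every passcode if nothing limits the number of attempts.
        "worst_case_seconds": n * per_attempt,
        # Chance that ERASE_LIMIT distinct guesses hit a uniformly random code.
        "p_guess_before_erase": min(1.0, ERASE_LIMIT / n),
    }


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


POLICIES = [
    Policy("4-digit PIN", 10, 4),
    Policy("6-digit PIN", 10, 6),
    Policy("6-char lowercase+digits", ARTICLE_ALPHABET, ARTICLE_LENGTH),
]


def report() -> list:
    cost = implied_seconds_per_attempt()
    return [(p.name, assess(p, cost)) for p in POLICIES]


if __name__ == "__main__":
    for name, r in report():
        print(f"{name:26} keyspace={r['keyspace']:>13,} "
              f"exhaustive={human(r['worst_case_seconds']):>12} "
              f"p(hit in {ERASE_LIMIT} tries)={r['p_guess_before_erase']:.2e}")
```

With the attempt limit in force, even the 4-digit PIN gives a guesser a one-in-a-thousand chance; without it, only the longer alphanumeric passcode still costs years.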
Most of the U.S. mainstream media has been reluctant to speculate on who the third party that
aided the FBI might be but the Israeli press has not been so reticent. They
identified a company called Cellebrite, a digital forensics company located in Israel. It is
reported that the company's executive vice president for mobile forensics Leeor Ben-Peretz was recently
in Washington consulting with clients. Ben-Peretz is Cellebrite's marketing chief, fully capable
of demonstrating the company's forensics capabilities. Cellebrite reportedly has worked with the
FBI before, having had a
contract arrangement entered into in 2013 to provide decryption services.
Cellebrite was purchased by Japanese cellular telephone giant Sun Corporation in 2007 but it is
still headquartered and managed from Petah Tikva, Israel with a North American office in Parsippany,
New Jersey and branches in Germany, Singapore and Brazil. It works closely with the Israeli police
and intelligence services and is reported to have ties to both Mossad and Shin Bet. Many of its employees
are former Israeli government employees who had worked in cybersecurity and telecommunications.
If Cellebrite is indeed the "third party" responsible for the breakthrough on the Apple problem,
it must lead to speculation that the key to circumventing iPhone security is already out there in
the small world of top level telecommunications forensic experts. It might reasonably be assumed
that the Israeli government has access to the necessary technology, as well as Cellebrite's Japanese
owners. From there, the possibilities inevitably multiply.
Most countries obtain much of their high grade intelligence from communications intercepts. Countries
like Israel, China, and France conduct much of their high-tech spying through exploitation of their
corporate presence in the United States. Israel, in particular, is heavily embedded in the telecommunications
industry, which permits direct access to confidential exchanges of information.
Israel has in fact a somewhat
shady reputation in the United
States when it comes to telecommunications spying. Two companies in particular, Amdocs and Comverse
Infosys, have at times dominated their market niches in America. Amdocs,
which has contracts with many of the largest telephone companies in the U.S. that together handle
90 percent of all calls made, logs all calls that go out and come in on the system. It does not retain
the conversations themselves, but the records provide patterns, referred to as "traffic analysis,"
that can provide intelligence leads. In 1999, the National Security Agency warned that records of
calls made in the United States were winding up in Israel.
Comverse Infosys, which
dissolved in 2013
after charges of conspiracy, fraud, money laundering and making false filings, provided wiretapping
equipment to law enforcement throughout the United States. Because equipment used to tap phones for
law enforcement is integrated into the networks that phone companies operate, it cannot be detected.
Phone calls were intercepted, recorded, stored, and transmitted to investigators by Comverse, which
claimed that it had to be "hands on" with its equipment to maintain the system. Many experts believe
that it is relatively easy to create an internal cross switch that permits the recording to be sent
to a second party, unknown to the authorized law-enforcement recipient. Comverse
was also believed to be involved with NSA on a program of illegal spying directed against American
Comverse equipment was never inspected by FBI or NSA experts to determine whether the information
it collected could be leaked, reportedly because senior government managers blocked such inquiries.
According to a Fox News investigative
report, which was later deleted from Fox's website under pressure from various pro-Israel groups,
DEA and FBI sources said post-9/11 that even to suggest that Israel might have been spying using
Comverse was "considered career suicide."
Some might argue that collecting intelligence is a function of government and that espionage,
even between friends, will always take place. When it comes to smartphones, technical advances in
phone security will provide a silver bullet for a time but the hackers, and governments, will inevitably
catch up. One might assume that the recent revelations about the FBI's capabilities vis-à-vis the
iPhone indicate that the horse is already out of the stable. If Israel was party to the breaking
of the security and has the technology it will use it. If the FBI has it, it will share it with other
government agencies and even with foreign intelligence and security services.
Absent from the discussion regarding Apple are the
more than 80 percent of smartphones used worldwide that employ the Google developed Android operating
system that has its own distinct security features designed to block government intrusion. The FBI
is clearly driven by the assumption that all smartphones should be accessible to law enforcement.
The next big telecommunications security court case might well be directed against Google.
Philip Giraldi, a former CIA officer, is executive director of the Council for the National
You can't just clear a cookie. Google builds a permanent
profile on you and stores it at their end. They use a variety
of means to do this, such as taking your MAC address and every
other bit transmitted on the internet and linking it to a
database they have built that records your popular searches and
This is how people get filter bubbled and steered; dirty
internet searches. A clean search would see actual societal
interests and trends instead of the contrived ones pushed by the
State narrative. It's also part of the meta- and direct data
that goes into secret profiles in the "intelligence community".
They think they can use this trendy (yet largely mythical)
Big Data to create a precrime division. It's also nice to have
dirt on the whole country in case anyone gets out of line and
challenges the aristocracy.
"There's a very real difference between allegiance to country–allegiance to people–than allegiance
to state, which is what nationalism today is really more about," says Edward Snowden. On February
20, the whistleblowing cybersecurity expert addressed a wide range of questions during an in-depth
interview with Reason's Nick Gillespie at Liberty Forum, a gathering of the Free State Project (FSP)
in Manchester, New Hampshire.
FSP seeks to move 20,000 people over the next five years to New Hampshire, where they will secure
"liberty in our lifetime" by affecting the political, economic, and cultural climate of the state.
Over 1,900 members have already migrated to the state and their impact is already being felt. Among
their achievements to date:
getting 15 of their brethren in the state House, challenging anti-ridehail laws, fighting in court
for outre religious liberty, winning legal battles over taping cops, being mocked by Colbert for
heroically paying off people's parking meters, hosting cool anything goes festivals for libertarians,
nullifying pot juries, and inducing occasional pants-wetting absurd paranoia in local statists.
Snowden's cautionary tale about the dangers of state surveillance wasn't lost on his audience
of libertarians and anarchists who reside in the "Live Free or Die" state. He believes that technology
has given rise to unprecedented freedom for individuals around the world, but he says so from an undisclosed
location in authoritarian Russia.
And he reminds us that governments also have unprecedented potential to surveil their populations
at a moment's notice, without anyone ever realizing what's happening.
"They know more about us than they ever have in the history of the United States," Snowden
warns. "They're excusing themselves from accountability to us at the same time they're trying to
exert greater power over us."
In the midst of a fiercely contested presidential race, Snowden remains steadfast in his distrust
of partisan politics and declined to endorse any particular candidate or party, or even to label
his beliefs. "I do see sort of a clear distinction between people who have a larger faith in liberties
and rights than they do in states and institutions," he grants. "And this would be sort of the authoritarian/libertarian
axis in the traditional sense. And I do think it's clear that if you believe in the progressive liberal
tradition, which is that people should have greater capability to act freely, to make their own choices,
to enjoy a better and freer life over the progression of sort of human life, you're going to be pushing
away from that authoritarian axis at all times."
Snowden draws laughs when asked if he was eligible to vote via absentee ballot. "This is still
a topic of...active research," he deadpans.
But he stresses that the U.S. government can win back trust and confidence through rigorous accountability
to citizens and by living up to the ideals on which the country was founded. "We don't want Russia
or China or North Korea or Iran or France or Germany or Brazil or any other country in the world
to hold us up as an example for why we should be narrowing the boundaries of liberty around the world
instead of expanding them," says Snowden.
Runs about 50 minutes.
TABLE OF CONTENTS
0:00 - Edward Snowden, welcome to New Hampshire. Meet the Free State Project.
0:53 - Apple vs. the Federal Bureau of Investigation. Why should strong encryption be legal?
5:02 - Is privacy dead? Should we just get over it?
10:48 - What would a legal and effective government surveillance program look like?
14:53 - Could we have stopped the slide into mass surveillance? Shouldn't we have seen it coming?
19:04 - How can government earn back the trust and confidence of the American people?
As an analytical thinker, communicator and recovering professional journalist, I can thoroughly
appreciate Ed Snowden's take on the benefits of using pseudonyms when releasing potentially incendiary
ideas to the greater population. Fairly sure we both know that no critical thinking goes unpunished
in America these days. Mission 1: Stay safe!
Being a former Army Ranger I find it difficult to understand how Americans support the
Right to bear Arms but not the Right of Free speech and Privacy of communication. All three
amendments have equal rights. While I don't agree with how Snowden leaked the 1984
Surveillance Corporations, I'm glad he did. Sua sponte, Uncle Mike
Robert Van Tuinen2
I am. The government intentionally hid this information and discredited and fired previous
whistleblowers. What he did was right and necessary.
"We want a government that is...small...and legitimate". SPEAK FOR YOURSELF! GOVERNMENT IS
THE OPPOSITE OF LEGITIMATE. Government is a monopoly on violent coercive force, no matter how
small. "Representing the people" is impossible without perpetrating evil on a large
percentage. Demand 100% voluntary interaction now. No government=no rulers. We are not a
government of law when The Constitution is up for "interpretation". The government is the
biggest breach of contract and coercive force ever perpetrated on people. Its historical
existence does not argue for its continued existence. Think: zero coercion. Pessimistic? Me
too, but look at the social change enabled by digital communication. Look at the Free State
Project, Look at cryptography; We may at least find a piece of freedom in this world of
coercion and distrust. Things are bad but we are bound to hit bottom. Please applause. j/k.
Amazing! This person's value system, sense of morality, loyalty to humanity and liberty is
admirable. The people are starving for politicians with that kind of ethos. I wish Ron Paul
would run for president. I kinda like Bernie Sanders most out of the options offered in this
Snowden said "I'm an engineer, not a politician". When you listen to Ed Snowden, you must
recognize that he is in fact a great philosopher.
When I listen to his answers when he was asked about the Apple case, the things he said are
exactly right without a single flaw in his descriptions. He described every single aspect and
he showed us by doing that, what the Apple case is really all about.
He points out: it is important to make sure that a government does not allow backdoors in
encryption, but we have also to accept the reality that we are simply unable to protect us
against the NSA surveillance apparatus. Again Snowden talks about NSA's (in my opinion) the
very dangerous ability to store all communication data in advance. By the way: Russ Tice said
more than once "they store everything indefinitely".
What Snowden said about the Apple case destroys the sophisticated narrative the media has
created on purpose to suggest that surveillance can be avoided somehow. There is a nice
article on reason.com talking in detail about the Apple case, and how it was planned well in
If I had a single chance to ask Mr Snowden one question I would ask him "Mr Snowden, do you
believe what the government has told us about 9/11"? I am sure there was enough time for Mr
Snowden to listen to a guy named David Chandler, or to take a look at the movie "HYPOTHESIS".
It might be interesting to watch his reaction.
If EVERY gubermant agency had ONE person with BALLS like Snowden and told the truth about
tyranny the American people (not to be confused with its slimeball government) would be on
the good path to taking our Republic back. Those who perform unconstitutional tasks, or
enforce unconstitutional laws against their fellow Americans are TRAITORS and the modern day
equivalent to Hitler's SS.
Edward Snowden is a gifted outlier, born with genius brain. How I wish to be born with such
UPDATE 9/05/2015: In a rare exclusive interview from Russia, Edward Snowden states he would come
back to the United States if he was guaranteed a fair trial. A fair trial is unlikely says ex-whistle-blower,
Daniel Ellsberg. He would not be allowed to confront his accusers. He would not be allowed to testify
in front of a jury. It would be like a closed military tribunal, and he would be locked up with no
detailed press coverage.
I would say Tor is about as good except that Google, Akamai, and Cloudflare sites (cough
NC cough) regularly block Tor exit nodes. Still, you get a little more hardening using Tor
browser than other browsers (using defaults).
The header with your unique identifier can be scrubbed out when you're using a VPN. Verizon
only sees that you "went" to the VPN address…all sites you visit see you as coming from the
VPN address. Neither the two shall meet without further snooping (which is not covered by the
injection Verizon does…that we know of).
Damn, I knew I should have gone through the process to remove the drm from my e books. I might
have to look into doing that immediately. But first I should check how my couple of nook newstand
subscriptions will be handled.
Whew, I have time. That is in the UK. Still a good warning shot over the bow…
"… But U.S. critics say that could allow foreign companies to use the agreement to invalidate
U.S. safety rules and regulations."
One thing no one much mentions is that the TPP allows
ability to sue to invalidate regulations, but does not allow local corporations the same. In
this, TPP privileges foreign over local production, and ensures a race to the bottom on product
place of origin.
"A Party may exclude from patentability inventions, the prevention within their
territory of the commercial exploitation of which is necessary to protect ordre public
or morality, including to protect human, animal or plant life or health or to avoid
serious prejudice to nature or the environment, provided that such exclusion is not
made merely because the exploitation is prohibited by its law."
I thought I saw the word morality some place else in the TPP, but apparently, the IP chapter
was the only place. Bad research on my part! In any case, beware the ratchet clauses and the
enemies within, lest your health system become just "Canadian™" enough for the world market.
"... Oh, but it is serious. The material is/was classified. It just wasn't marked as such. Which means someone removed the classified material from a separate secure network and sent it to Hillary. We know from her other emails that, on more than one occasion, she requested that that be done. ..."
"... fellow diplomats and other specialists said on Thursday that if any emails were blatantly of a sensitive nature, she could have been expected to flag it. "She might have had some responsibility to blow the whistle," said former Ambassador Thomas Pickering, "The recipient may have an induced kind of responsibility," Pickering added, "if they see something that appears to be a serious breach of security." ..."
"... Finally whether they were marked or not the fact that an electronic copy resided on a server in an insecure location was basically like her making a copy and bringing it home and plunking it in a file cabinet... ..."
"... In Section 7 of her NDA, Clinton agreed to return any classified information she gained access to, and further agreed that failure to do so could be punished under Sections 793 and 1924 of the US Criminal Code. ..."
"... The agreement considers information classified whether it is "marked or unmarked." ..."
"... According to a State Department regulation in effect during Clinton's tenure (12 FAM 531), "classified material should not be stored at a facility outside the chancery, consulate, etc., merely for convenience." ..."
"... Additionally, a regulation established in 2012 (12 FAM 533.2) requires that "each employee, irrespective of rank must certify" that classified information "is not in their household or personal effects." ..."