We keep hearing US government officials tell us fanciful stories about why we need cybersecurity legislation that paves the way for the government to get access to private information, but the arguments never make much sense. There are vague claims of threats that really seem more like garden variety hackers, and then there are the completely made up threats that are pulled right from Hollywood scripts -- like the claims that an online attack will lead to planes colliding.
A new survey suggests that the public just isn't buying it. 63% of those polled worried about the impact on privacy and civil liberties if we provided greater information sharing with the government. So for all the talk about how there's "bipartisan" support for doing something here, it's not clear that there's really American public support for this kind of thing.
The American Enterprise Institute (AEI) recently held an event about cybersecurity and cybersecurity legislation. The keynote speech was from NSA boss General Keith Alexander. He of course talked about why he supports cybersecurity legislation, such as CISPA and other proposals that will make it easier for the NSA to access private content from service providers -- much of which, reports claim, they're already capturing and storing. Alexander has claimed that the NSA doesn't have "the ability" to spy on American emails and such, and he reiterates that claim during the Q&A in this session, insisting that the Utah data center doesn't hold data on Americans' emails (and making a joke about just how many emails that would be to read). That's a nice thing for him to say, but many people with knowledge of the situation claim the opposite.
In a motion filed today, the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the "secret room" at the AT&T facility in San Francisco first disclosed by retired AT&T technician Mark Klein in early 2006.
So it's interesting to pay attention to what Alexander has to say in pushing for cybersecurity legislation. You can watch the full video below, if you'd like:
Much of what he says about online threats involves basic malware and hack attacks. These are definitely issues -- but are they issues that we need the military (which the NSA is a part of) to step in on? His big quotable line is that these attacks represent the "greatest transfer of wealth in history." That is a pretty broad statement, and there's almost no evidence to support it. He points to studies from Symantec and McAfee on the "costs" of dealing with security issues -- but remember, those are two of the biggest sellers of security software, and they have every incentive in the world to inflate the so-called "costs." Also, seriously? The "greatest transfer of wealth in history"? Has he paid absolutely no attention to what's happened on Wall Street and in the financial world over the past decade? Does anyone honestly believe that the amount of money "transferred" due to hack attacks is greater than the amount of money transferred due to dodgy financial deals and the mortgage/CDO mess? That doesn't pass the laugh test.
He does insist that worse attacks are coming, but provides no basis for that (or, again, why the NSA needs your info). In fact, according to a much more believable study, the real risks are not outside threats and hackers, but internal security screwups and disgruntled inside employees. None of that requires NSA help. At all.
But it sure makes for a convenient bogeyman to get new laws that take away privacy rights.
Alexander, recognizing the civil liberties audience he was talking to, admits that the NSA neither needs nor wants most personal info, such as emails, and repeatedly states that they need to protect civil liberties (though, in the section quoted below, you can also interpret his words to actually mean they don't care about civil liberties -- but that's almost certainly a misstatement on his part):
One of the things that we have to have then [in cybersecurity legislation], is if the critical infrastructure community is being attacked by something, we need them to tell us... at network speed. It doesn't require the government to read their mail -- or your mail -- to do that. It requires them -- the internet service provider or that company -- to tell us that that type of event is going on at this time. And it has to be at network speed if you're going to stop it.
It's like a missile, coming in to the United States.... there are two things you can do. We can take the "snail mail" approach and say "I saw a missile going overhead, looks like it's headed your way" and put a letter in the mail and say, "how'd that turn out?" Now, cyber is at the speed of light. I'm just saying that perhaps we ought to go a little faster. We probably don't want to use snail mail. Maybe we could do this in real time. And come up with a construct that you and the American people know that we're not looking at civil liberties and privacy, but we're actually trying to figure out when the nation is under attack and what we need to do about it.
Nice thing about cyber is that everything you do in cyber, you can audit. With 100% reliability. Seems to be there's a great approach there.
Now all that's interesting, because if that's true, then why is he supporting legislation that would override any privacy rules that protect such info? If he really only needs limited information sharing, then why isn't he in favor of more limited legislation that includes specific privacy protections for that kind of information? He goes back to insisting they don't care about this info later on in the talk, but never explains why he doesn't support legislation that continues to protect the privacy of such things:
The key thing in information sharing that gets, I think, misunderstood, is that when we talk about information sharing, we're not talking about taking our personal emails and giving those to the government.
So make that explicit. Rather than supporting cybersecurity legislation that wipes out all privacy protections why not highlight what kind of information sharing is blocked right now and why it's blocked? Is it because of ECPA regulations? Something else? What's the specific problem? Talking about bogeymen hackers and malicious actors makes for a good Hollywood script, but there's little evidence to support the idea that it's a real threat here -- and in response, Alexander is asking us all to basically wipe out all such privacy protections... because he insists that the NSA doesn't want that kind of info. And, oh yeah, this comes at the same time that three separate whistleblowers -- former NSA employees -- claim that the NSA is getting exactly that info already.
So, this speech is difficult to square up with that reality. If he really believes what he's saying, then why not (1) clearly identify the current regulatory hurdles to information sharing, (2) support legislation that merely amends those regulations and is limited to just those regulations and (3) support much broader privacy protections for the personal info that he insists isn't needed? It seems like a pretty straightforward question... though one I doubt we'll get an answer to. Ever. At least not before cybersecurity legislation gets passed.
Richard Clarke, the former cybersecurity czar in the White House -- and a huge, huge, huge proponent of pushing for greater legislation for spying on Americans under the guise of "cybersecurity" (it used to be "cyberwar," but that term was so laughable that it's been downgraded to "cybersecurity") -- has written one of the most ridiculous defenses of new internet spying proposals, claiming that Chinese hackers are stealing all our intellectual property by hacking into computers online. He has no evidence of this. He tells apocryphal stories of Chinese hackers somehow getting all the data from a "$1 billion research program copied by hackers in one night." The whole thing is fear-mongering in the extreme, using the specter of evil "Chinese pirates" hacking computers and stealing important US intellectual property. That's wrong for a variety of reasons that we've discussed multiple times. But where it gets downright silly is in his assertion that (1) the US could magically "stop" these mythical hackers from "stealing" data, and (2) Homeland Security already has the authority to spy on all internet traffic as it comes over the border:
If given the proper authorization, the United States government could stop files in the process of being stolen from getting to the Chinese hackers. If government agencies were authorized to create a major program to grab stolen data leaving the country, they could drastically reduce today’s wholesale theft of American corporate secrets.
[....]
Under Customs authority, the Department of Homeland Security could inspect what enters and exits the United States in cyberspace. Customs already looks online for child pornography crossing our virtual borders. And under the Intelligence Act, the president could issue a finding that would authorize agencies to scan Internet traffic outside the United States and seize sensitive files stolen from within our borders.
And this does not have to endanger citizens’ privacy rights. Indeed, Mr. Obama could build in protections like appointing an empowered privacy advocate who could stop abuses or any activity that went beyond halting the theft of important files.
Almost everything stated above is ridiculous. As law professor James Grimmelmann points out, with this article "Richard Clarke disqualifies himself from participating in any serious discussion of cybersecurity."
Indeed. It's scary to think that Clarke was ever seen as an expert in cybersecurity. He seems to be under the assumption that the internet really is a series of tubes, in which customs agents can simply stop all that data at the border and inspect it. And the idea that appointing a single "privacy advocate" would magically stop abuses? You'd think he just stepped off the turnip truck, rather than having spent many years in government where privacy was regularly abused, despite much more significant safeguards in place. Who does he think he's kidding?
Will we ever have people driving policy discussions on regulating the internet who actually understand the internet?
Perhaps no single "demographic" is more misunderstood (and feared -- especially post-SOPA debacle) by Hollywood than "The Hacker." In the hands of the movie machine, hackers are portrayed as fast-talking (and fast-typing) young men (and very occasionally, women) with unfortunate hairdos, huddled around multiple screens making use of thoroughly impractical GUIs, all the while spouting a confounding mixture of instantly-outdated slang and acronyms.
Maybe Hollywood uses this creative license to keep its fears at bay. It's got IT departments full of young men (and women) with unfortunate hairdos to handle anyone trying to DDOS its kilobytes, allowing it to breathe easy and sleep the deep sleep of the blissfully unaware. To confront the fact that anyone with half-decent social engineering skills could talk them and their underlings out of sensitive information is probably way too alarming.
Well, this is rather incredible. With the news that Anonymous hacked the offices of the Syrian President and dumped a ton of emails online... comes the news that the hack was insanely easy. Why? Because, apparently, the password was 12345. No joke. Of course, that's considered one of the worst passwords of all time. And, as pointed out by Lauren Weinstein, this is the exact same password that was immortalized by Dark Helmet (the original one, rather than our local Techdirt hero) as being the stupidest password he's ever heard -- and the "kind of thing an idiot would have on his luggage!"
It's been pointed out over and over again that censoring the internet is no way to deal with things like copyright infringement -- and that people will always figure out ways to route around such censorship. That's why it's interesting to hear that some folks at the famed Chaos Communication Congress in Berlin last week outlined some plans to set up their own satellite system for routing around internet censorship around the globe. And... a key reason given for why this is needed? SOPA, of course:
He cited the proposed Stop Online Piracy Act (Sopa) in the United States as an example of the kind of threat facing online freedom. If passed, the act would allow for some sites to be blocked on copyright grounds.
They're obviously a long way from this, but the ability of amateurs to build and launch their own satellites into space has been growing and that's only going to accelerate. On top of that, with efforts like SOPA and other censorship efforts around the globe, it's giving more urgency to folks who believe in freedom of speech and civil liberties to figure out ways to decentralize and move away from systems that can be controlled by governments.
We've noted in the past couple of years that a few big events have started to call attention to the parts of the network that are centralized and vulnerable to censorship -- and that's resulted in numerous efforts to decentralize those elements and make them censorship-proof. These projects won't all work (and some will certainly fail miserably), but as more and more people realize that these censor-proof systems are needed, it means that they will get created.
For many years various governments have complained about the fact that Skype communications are encrypted, and have demanded backdoors. In the US, the FBI has been pushing hard for such backdoors. There have been some reports of applications that allow for wiretapping Skype, despite its supposed encryption, but not much in the way of details. Now the famed Chaos Computer Club (CCC) is claiming to have reverse engineered the "lawful interception" trojan being used by German law enforcement.
They got the program after a lawyer whose client was under investigation gave the CCC his client's hard drive, where the group found the code. As frequently happens with these kinds of things, the CCC found that the trojan actually introduces myriad security problems as well:
The analysis concludes that the trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitutional court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.
"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," commented a CCC speaker. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.
[....]
The analysis also revealed serious security holes that the trojan is tearing into infected systems. The screenshots and audio files it sends out are encrypted in an incompetent way, and the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.
"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a speaker of the CCC. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".
Even without the fact that more capabilities can be added, the existing software is pretty powerful. It apparently can remotely control the computers that it's on and take screenshots of what's happening on the computer, including emails and personal messages. And yet, time and time again, law enforcement asks us to "trust" them when they want the power to secretly install this kind of crap on people's computers?
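The CCC analysis quoted above faults the channel between the control software and the implant for carrying commands and replies with no authentication and no integrity protection, which is what lets a third party claim to be a particular instance and feed the server fake data. The following is an added example, written for this page and not taken from the CCC's analysis or from the software it describes, of the generic defence against that class of flaw in any controller-to-agent channel: a per-instance secret key, an HMAC-SHA256 tag over the instance id, a sequence number and the payload, and a receiver that rejects forged, tampered and replayed messages. The instance id, key and payloads are constructed sample values.

```python
"""Authenticated message envelope between a controller and an agent.

Added example for this page; not the CCC's code and not the trojan's code.
Each agent instance shares a secret key with the controller.  Every message
carries an HMAC-SHA256 tag over (instance id, sequence number, payload), so
a party without that instance's key cannot impersonate it or alter a message
in transit, and a replayed message is rejected by the sequence check.
Confidentiality is a separate concern (an AEAD cipher would cover both)."""
import hashlib
import hmac
import json


def _tag(key: bytes, instance_id: str, seq: int, payload: dict) -> str:
    # Canonical serialisation so sender and receiver MAC identical bytes.
    msg = json.dumps([instance_id, seq, payload], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(key: bytes, instance_id: str, seq: int, payload: dict) -> dict:
    """Build a message the receiver can authenticate."""
    return {"instance": instance_id, "seq": seq, "payload": payload,
            "tag": _tag(key, instance_id, seq, payload)}


class Receiver:
    """Controller side: verifies each message before acting on it."""

    def __init__(self, keys: dict):
        self.keys = keys        # instance id -> per-instance secret key
        self.last_seq = {}      # instance id -> highest accepted sequence number

    def accept(self, msg: dict):
        key = self.keys.get(msg["instance"])
        if key is None:
            return False, "unknown instance"
        expected = _tag(key, msg["instance"], msg["seq"], msg["payload"])
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"
        if msg["seq"] <= self.last_seq.get(msg["instance"], 0):
            return False, "replayed or stale sequence"
        self.last_seq[msg["instance"]] = msg["seq"]
        return True, "ok"


def demo():
    """Constructed scenario: one genuine message, then three bad ones."""
    keys = {"agent-42": b"constructed-secret-key"}      # constructed sample key
    rx = Receiver(keys)
    genuine = make_message(keys["agent-42"], "agent-42", 1, {"event": "heartbeat"})
    r_genuine = rx.accept(genuine)
    # A third party that does not hold the key tries to speak as agent-42.
    forged = make_message(b"wrong-key", "agent-42", 2, {"event": "fake report"})
    r_forged = rx.accept(forged)
    # A genuine message modified in transit no longer matches its tag.
    tampered = dict(genuine, seq=3, payload={"event": "altered"})
    r_tampered = rx.accept(tampered)
    # Replaying the genuine message is caught by the sequence check.
    r_replay = rx.accept(genuine)
    return r_genuine, r_forged, r_tampered, r_replay


if __name__ == "__main__":
    for label, result in zip(("genuine", "forged", "tampered", "replay"), demo()):
        print(f"{label:9s} -> {result}")
```

The receiver must look up the key by instance id before checking the tag, which is exactly the step the quoted analysis says was absent: without a per-instance secret, "claim to be a specific instance" costs the attacker nothing.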
The big news in the security world, obviously, is the fact that a fraudulent Google certificate made its way out into the wild, apparently targeting internet users in Iran. The Dutch company DigiNotar has put out a statement saying that it discovered a breach back on July 19th during a security audit, and that fraudulent certificates were generated for "several dozen" websites. The only one known to have gotten out into the wild is the Google one. Either way, as everyone scrambles to clean this up, you should remove DigiNotar from your browser's trusted root store (usually under "advanced" or somewhere in the options). Whether or not you do this, DigiNotar is probably effectively dead as an ongoing issuer of security certificates. No one will trust them again.
So how was this done? The folks at F-Secure have found some evidence suggesting the company was hacked by Iranian hackers (probably working for the government). But what's really scary, is that the evidence F-Secure found suggests that DigiNotar was hacked at least two years ago. F-Secure also takes issue with DigiNotar's explanation concerning how this one fraudulent Google certificate got out:
While Diginotar revoked the other rogue certificates, they missed the one issued to Google. Didn't Diginotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places? And when Diginotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?
As the problems with the certificate authority system become clear, lots of people are working on ways to detect and mitigate these attacks. Chrome's pinning feature is available not only to Google web sites but to any webmaster; if you run an HTTPS site, you can contact the Chrome developers and get your site's keys hard-coded. Other browser vendors may implement a similar feature soon. The same result could also be achieved by giving web sites themselves a way to tell browsers what certificates to anticipate—and efforts to do this are now underway, building on top of DNSSEC or HSTS. Then browsers could simply not believe conflicting information, or at least provide a meaningful way to report it or warn the user about the situation.
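To make concrete why pinning stops a certificate that an otherwise-trusted CA wrongly issued, here is an added example written for this page (it is not Chrome's implementation and not DigiNotar's code): a toy model of chain validation followed by a SubjectPublicKeyInfo pin check, plus the effect of removing a CA from the trusted root store as recommended above. The CA names, SPKI bytes and pin values are constructed; a real validator also checks signatures, validity periods and name constraints, which this model elides.

```python
"""Toy model of certificate-chain validation plus public-key pinning.

Added example for this page; not Chrome's or DigiNotar's code.  The CA
names, SPKI bytes and pins below are constructed placeholders.  A pinned
host is accepted only if its chain ends at a trusted root AND the leaf's
SubjectPublicKeyInfo hashes to one of the expected pins, so a rogue
certificate from a trusted-but-compromised CA is still refused."""
import hashlib
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str    # hostname or CA name
    issuer: str     # name of the CA that signed this certificate
    spki: bytes     # SubjectPublicKeyInfo bytes (constructed placeholder)


def spki_hash(cert: Cert) -> str:
    """SHA-256 over the SPKI, the quantity a pin is compared against."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_is_trusted(chain, trusted_roots) -> bool:
    """Walk leaf -> intermediates; the last issuer must be a trusted root.
    Signature, validity-period and name-constraint checks are elided."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots


def validate(host: str, chain, trusted_roots, pins):
    """Return (ok, reason).  `pins` maps host -> set of acceptable SPKI hashes;
    a host with no entry is validated by chain alone."""
    leaf = chain[0]
    if leaf.subject != host:
        return False, "hostname mismatch"
    if not chain_is_trusted(chain, trusted_roots):
        return False, "chain does not end at a trusted root"
    expected = pins.get(host)
    if expected is not None and spki_hash(leaf) not in expected:
        return False, "public key does not match pin for " + host
    return True, "ok"


# Constructed sample data: not real keys, not real CA certificates.
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", b"intermediate-spki")
GOOGLE_REAL = Cert("www.google.com", "Example Intermediate CA", b"google-real-spki")
ROGUE_GOOGLE = Cert("www.google.com", "Example Compromised CA", b"rogue-spki")
ROOTS_BEFORE = {"Example Root CA", "Example Compromised CA"}   # as shipped
ROOTS_AFTER = {"Example Root CA"}                               # compromised CA removed
PINS = {"www.google.com": {spki_hash(GOOGLE_REAL)}}


def demo() -> dict:
    """Four cases: the genuine chain, the rogue cert with and without a pin,
    and the rogue cert after its issuer is removed from the root store."""
    host = "www.google.com"
    return {
        "legit": validate(host, [GOOGLE_REAL, INTERMEDIATE], ROOTS_BEFORE, PINS),
        "rogue_with_pin": validate(host, [ROGUE_GOOGLE], ROOTS_BEFORE, PINS),
        "rogue_no_pin": validate(host, [ROGUE_GOOGLE], ROOTS_BEFORE, {}),
        "rogue_after_removal": validate(host, [ROGUE_GOOGLE], ROOTS_AFTER, {}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

The "rogue_no_pin" case is the situation every non-pinning browser was in: the chain is valid, so the fraudulent certificate is accepted. Pinning catches it without any help from the CA, and removing the CA from the root store catches it for every site, not only the pinned ones.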
Of course, there will be no DNSSEC if PROTECT IP passes... Another reason to worry about that law, as it closes off one path to protect against these kinds of attacks.
"Texas Instruments has struck back against Nspire gamers and hackers with even stronger anti-downgrade protection in OS 3.0.2, after the TI calculator hacking community broke the anti-downgrade protection found in OS 2.1 last summer and the new one in OS 3.0.1 a month ago. In addition to that, in OS 3.0.1 the hacker community found Lua programming support and created games and software using it. Immediately, TI retaliated by adding an encryption check to make sure those third-party generated programs won't run on OS 3.0.2."
So then, business as usual for TI, who a couple of years back sent out DMCA takedown notices in an effort to remove posted code that allowed their scientific calculators to run custom software. Having learned nothing from that situation (other than perhaps "misguided might makes 'right'"), TI has decided to bypass the broken DMCA process (well, "broken" as in anybody can use it for just about anything, not that it doesn't work) and just go ahead and brick the modified calculators.
Not only have they learned nothing from their own experience, but they've completely missed any sort of cautionary notes from the epic saga of "Sony vs. The h4x0rz," in which a console manufacturer unwisely removed functionality that users paid for with a fatuous "update," only to find themselves staring down the barrel of an enterprising jailbreaker. And then there was that whole thing about their network being taken down (still ongoing).
We recently compared Sony's lawsuit against GeoHot for adding functionality (that Sony had removed) to PS3s, to Sony's attack on Aibo hackers a decade ago. With somewhat perfect timing, Philip Torrone has now put together a full list of Sony's ongoing "war" against "makers, hackers and innovators." You can read all the details at the link, but here's the list that he's working from:
Sony DMCA delayed disclosure of Sony BMG rootkit vulnerability
Sony threatens Aibo hobbyists for creating software that enables Sony’s Aibo robot dog to dance
Sony sues Connectix and Bleem to block software that allows gamers to play their PlayStation games on PCs
Sony attacks PlayStation “Mod Chips” and enforces a system of “region coding”
Sony sued Gamemasters, distributor of the Game Enhancer peripheral device, which allowed owners of a U.S. PlayStation console to play games purchased in Japan and other countries
Sony removes OtherOS option, removes Linux support
Sony is suing makers, hackers, and tinkerers for jailbreaking of the PS3 to play homebrew games
What's really amazing in all of this is that Sony keeps making the same anti-maker mistakes over and over and over again. It's as if they don't understand that these people are adding value and making Sony products more valuable.