Former Head Of GCHQ Says Don't Backdoor End-To-End Encryption, Attack The End Points

from the putting-an-end-to-the-end-to-end-debate dept

When he was head of GCHQ, Robert Hannigan said some pretty clueless things about the Internet and encryption. For example, in 2014, he accused tech companies of 'facilitating murder', and joined in the general demonization of strong crypto. Last year, he called for technical experts to work more closely with governments to come up with some unspecified way around encryption. Nobody really knew what he meant when he said:

"I am not in favor of banning encryption. Nor am I asking for mandatory back doors. … Not everything is a back door, still less a door which can be exploited outside a legal framework."

Now, speaking to the BBC, he has clarified those remarks, and revealed how he thinks governments should be dealing with the issue of end-to-end encryption. As he admits:

"You can't uninvent end-to-end encryption, which is the thing that has particularly annoyed people, and rightly, in recent months. You can't just do away it, you can't legislate it away. The best that you can do with end-to-end encryption is work with the companies in a cooperative way, to find ways around it frankly."

He emphasized that backdoors are not the answer:

"I absolutely don't advocate that. Building in backdoors is a threat to everybody, and it's not a good idea to weaken security for everybody in order to tackle a minority."

So what is the solution? This:

"It's cooperation to target the people who are using it. So obviously the way around encryption is to get to the end point -- a smartphone, or a laptop -- that somebody who is abusing encryption is using. That's the way to do it."

As Techdirt reported earlier this year, this is very much the approach advocated by top security experts Bruce Schneier and Orin Kerr. They published a paper describing ways to circumvent even the strongest encryption. It seems that Hannigan has got the message that methods other than crypto backdoors exist, some of which require cooperation from tech companies, which may or may not be forthcoming. It's a pity that he's no longer head of GCHQ -- he left for "personal reasons" at the beginning of this year. But maybe that has given him a new freedom to speak out against stupid approaches. We just need to hope the UK government still listens to him.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: encryption, gchq, going dark, hacking, robert hannigan, security

'Hacking' Of US Nuclear Facilities Appears To Be Little More Than The Sort Of Spying The US Approves Of

from the spies-like-us dept

Earlier this week, the New York Times raised the alarm -- and vivid Stuxnet imagery -- about hackers targeting US nuclear facilities. The DHS raised its own alarm -- one with a specific color -- about the same hacking attempts.

Among the companies targeted was the Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kan., according to security consultants and an urgent joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week.

The joint report was obtained by The New York Times and confirmed by security specialists who have been responding to the attacks. It carried an urgent amber warning, the second-highest rating for the sensitivity of the threat.

Later in the article, the New York Times brings up Stuxnet, despite undermining such speculative comparisons in earlier paragraphs. According to the documents the Times saw, hackers don't appear to be attempting to control the facilities.

The report did not indicate whether the cyberattacks were an attempt at espionage — such as stealing industrial secrets — or part of a plan to cause destruction. There is no indication that hackers were able to jump from their victims’ computers into the control systems of the facilities, nor is it clear how many facilities were breached.

Wolf Creek officials said nothing sensitive had been breached and the evidence trail suggests something not nearly as concerted as an "attack." Instead, it appears the breaches have been the result of watering holes and spearfishing, not a concentrated assault on nuclear plant control systems. It's not that there's nothing to be worried about, but that there's nothing to be worried about on an "amber" level, to use the DHS's own color-coded Map of Worries.

The DHS's amber alert is mostly baseless… according to the DHS itself.

In a joint statement with the F.B.I., a spokesman for the Department of Homeland Security said, “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

One paragraph after that, an official at the agency all 99 US nuclear facilities report to said no facility had reported any breaches of operational systems.

So, there's apparently some "targeting," but nothing aimed at operational systems and certainly no Stuxnet-equivalent roaming around plants in search of a nuclear catastrophe. Instead, these "attacks" appear to be something the US considers to be perfectly acceptable hacking… at least when we do it. Here's Marcy Wheeler on what the hacking revelations actually reveal:

There is spying — the collection of information on accepted targets. And there is sabotage — the disruption of critical processes for malicious ends.

This is spying, what our own cyber doctrine calls “Cyber Collection.”

Cyber Collection: Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence – including information that can be used for future operations – from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects. ( C/NF)

This isn't to say the US shouldn't be engaged in these activities. This isn't to say the US should be completely OK with other countries doing the same thing. What does need to be said is the US government needs to be completely clear about what it has observed, rather than raise alerts about cyber attacks that portray intelligence gathering by foreign operatives as attacks on crucial (and potentially dangerous) systems.

That doesn’t mean Russian spying on how our nuclear facilities work is not without risk. It does carry risks that they are collecting the information so they can one day sabotage our facilities.

But if we want to continue spying on North Korea’s or Iran’s nuclear program, we would do well to remember that we consider spying on nuclear facilities — even by targeting the engineers that run them — squarely within the bounds of acceptable international spying. By all means we should try to thwart this presumed Russian spying. But we should not suggest — as the NYT seems to be doing — that this amounts to sabotage, to the kinds of things we did with StuxNet, because doing so is likely to lead to very dangerous escalation.

This is where the DHS fell down in its "sharing" of internal documents with the New York Times. No one bothered to correct the Times when it went off on a Stuxnet tangent. This could give some government officials the wrong idea about what's happening -- both here and in foreign nations. There are many people in power who get much of their information from the press. This leads to bad bills being hurriedly crafted and public calls to action based on hearsay from a document someone else viewed. And that's just here in the US.

On top of that, there's how we behave and how we expect others to behave. We're going to do this sort of thing. So are our adversaries. Both sides will continue to play defense. But going from 0-to-Stuxnet in the DHS's Ambermobile isn't a great idea. And it allows US officials to further distance themselves from actions we condone as part of our national security efforts.

Filed Under: dhs, espionage, hacking, nuclear facilities

Appeals Court Upholds Matthew Keys' Two-Year Sentence For A 40-Minute Web Defacement

from the can-never-have-too-much-deterrent-apparently dept

The Ninth Circuit Court of Appeals has upheld Matthew Keys' conviction and sentence of two years for a 40-minute web defacement he didn't actually perform himself. That works out to basically 18 days for every minute of mild disruption the LA Times suffered, as it (very briefly) suffered through a headline changed to read "Pressure builds in House to elect CHIPPY 1337."

Prosecutors actually wanted five years for this momentary mild hacking, but still managed to end up with two years after the LA Times submitted enough paperwork to make it appear as though this 40-minute malicious hiccup racked up $1 million in CFAA damages.

The appeals court isn't there to question the accuracy of the LA Times' bill of lading, but it does use the inflated figure to affirm the part of the sentencing affected by the claimed damages. From the unpublished opinion [PDF]:

Concerning employee response time, the district court did not abuse its discretion by relying on loss estimates based on employees’ testimonies or on the worksheet prepared by a Fox 40 executive. In response to Keys’s challenge to inconsistencies in the employee salary evidence, the district court appropriately re-reviewed the trial testimony and considered the amount in light of national statistics on the value of non-liquid employee benefits.

The government presented evidence that nearly all of the 20,000 Fox 40 Rewards Program members cancelled their participation in response to Keys’s conduct. Starting essentially from square one, the database took three years to rebuild. The district court did not abuse its discretion in relying on the Fox 40 executive’s representation that this process cost $200,000. It was appropriate for the district court to order restitution in the amount it cost Fox 40 to replace the member database, as it would be difficult to determine the fair market value of such an asset.

Basically, this database could have been worth any amount, so why not the $200k the LA Times claims it's worth. That adds to the restitution amount owed by Keys and also plays a small part in the sentencing. But in total, this is overkill for a 40-minute web defacement, especially one performed by someone else using Keys' login credentials. The move may have been petty and amateurish but it's extremely difficult to believe the momentary elevation of Chippy 1337 to the front page of the LA Times' website warrants a two-year sentence and thousands of dollars in fines.

But it appears the DOJ is happy with this outcome. And having completed its prosecution of Keys, it's presumably performing an OJ Simpson-style hunt for the person who actually performed the defacement.

Filed Under: appeal, cfaa, hacking, matthew keys, sentence

Deputy Attorney General Asks Congress For $21 Million To Solve The FBI's 'Going Dark' Problem

from the 21-million-buys-a-lot-of-hysteria dept

James Comey may have been unceremoniously dumped by the Commander-in-Chief, but his device encryption legacy lives on.

The Justice Department is requesting more than $20 million in federal funding to bankroll efforts related to resolving the government’s continuing “Going Dark” problem, Deputy Attorney General Rod Rosenstein said Tuesday, signaling one of the Trump administration’s first attempts at tackling the issue of ubiquitous, hard-to-crack encryption amid growing concerns involving its impact on criminal investigations.

The request came during Rosenstein's testimony before the Appropriations Committee -- the place where all government officials perform their most sincere acts of begging. Not that the FBI was likely to be faced with budget cuts -- not with a "law and order" president running the country and overseen by an Attorney General who appears to believe we're currently engulfed in a massive drug-and-immigrant crimewave.

Here's Rosenstein's full "going dark" budget request:

Department of Justice must continue to take a leading role in enhancing the capabilities of the law enforcement and national security communities. This budget request will provide $21.6 million in funding to counter the “Going Dark” threat. The seriousness of this threat cannot be overstated. “Going Dark” refers to law enforcement’s increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies. This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools. The Department’s role has been to collect, house, analyze, and share critical data among our federal, state, local, and tribal partners.

Beg to differ, but the "seriousness of this threat" can be overstated. Comey did so on multiple occasions. Sometimes others -- mainly Manhattan DA Cyrus Vance -- followed suit. Both claimed to have a large number of phones in their possession that couldn't be cracked. Even if the underlying assumption that all of these phones contained valuable evidence directly related to investigations, one still had to wonder how hard investigators were trying to get into these phones. Or how many other options they'd explored before throwing their hands up in frustration and resigning the devices to a dismal future as press conference props.

Take, for instance, this quote from the Washington Times article:

Days before leaving office on May 9, Mr. Comey said federal investigators had legally seized more than 6,000 smartphones and electronic devices during a recent six-month span but found that 46 percent couldn’t be opened “with any technique.”

This stat is almost completely unbelievable. Documents obtained from local law enforcement agencies with much smaller budgets show investigators are finding multiple ways to obtain data and communications from locked phones. We're also not hearing these sentiments echoed by law enforcement officials at the local level. If it's this much of a problem for the FBI -- nearly half of all devices seized -- one would think smaller agencies would be seeing a much higher access failure rate, followed directly by public complaints about device encryption. But we're just not seeing that.

Hopefully whatever's handed to the FBI to solve its apparently singular "going dark" program is put to use wisely. But nothing about the "going dark" hype suggests this will be the case. It may just disappear into some sort of talking points war fund and used to promote the spread of "going dark" hysteria until enough legislators are on the hook. If the money is deployed intelligently, it could actually make a difference for the agency. But all evidence points to the agency angling for legislation and favorable court precedent that will make the rest of us pay the price for the agency's inability or unwillingness to see anything but darkness when confronted with technical hurdles.

Filed Under: doj, encryption, going dark, hacking, rod rosenstein

Intercept Posts NSA Docs On Russian Election Hacking, DOJ Announces Arrest Of Leaker Hours Later

from the lifecomesatyoufast.gif dept

The Intercept has just published an NSA document [PDF] (mailed to it by a government contractor [more on that in a bit]) detailing Russian interference in the US election.

Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

The document doesn't exactly offer anything that hasn't already been hinted at or suspected, but it does at least confirm a lot of the election hacking speculation. It also contradicts Putin's claim the Russian government was uninvolved in the election hacking.

While there is no evidence the breached voting software supplier resulted in compromised votes, what's suggested by the NSA document is something just as disruptive: an IRL denial-of-service attack that would affect American voters.

Pamela Smith, president of election integrity watchdog Verified Voting, agreed that even if VR Systems doesn’t facilitate the actual casting of votes, it could make an alluring target for anyone hoping to disrupt the vote.

“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” she said. “This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote, and it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”

That being said, the US election process is somewhat hack-proof, though certainly not by design or as the result of security enhancements. Election hacking can apparently be somewhat mitigated by operational inefficiencies and this nation's democratic process bottleneck. Voting databases are decentralized, with very little coordination/connection between county, state, and federal systems. To make things even more unpredictable, the Electoral College decides who gets to become president, rather than millions of votes cast through a vast variety of voting machines.

Perhaps the most astonishing aspect of this leak is how quickly the government tracked the leaker down. The Intercept asked the government for comment on May 30th. By June 3rd, the government's investigation had narrowed to one suspect: government contractor Reality Winner [emoji combining WTF/irony].

Although the government's press release and affidavit [PDF] only refer to The Intercept as "News Outlet," the dates of the document cited match up to those in the published document. How did the NSA track down Winner so quickly? Internal printer audits and email records.

The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. WINNER was one of these six individuals. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet.

In short, bad opsec and worse opsec. There's more:

The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.

These creases can plainly be seen in the document published by The Intercept.

According to the FBI, Winner has already confessed to these actions. And it's tough to see this information as being of the whistleblower variety as it doesn't expose any sort of surveillance overreach, but rather the sort of work we actually expect the NSA to be engaged in. The only possible motive for Winner's decision to hand this document over to journalists is the (somewhat justifiable) fear the Trump Administration would do its best to ensure this information was never made public.

On the other hand, the document is clearly of public interest, seeing as it details apparently ongoing efforts by a foreign country to disrupt the election process. It also highlights just how many security holes remain unaddressed, despite years of warning by security researchers. Even if the Russian government never performs another election hack, it has already planted several seeds of doubt in the legitimacy of the system -- something that will cause every election result going forward to be questioned by those who come out on the losing end.

Filed Under: doj, e-voting, elections, hacking, leaks, nsa, reality winner, russia, whistleblowing
Companies: the intercept

FBI Tries New Rule 41 Changes On For Size In Fight Against Long-Running Botnet

from the one-warrant;-all-the-computers dept

The DOJ is proud to announce it's flexing its new Rule 41 muscle. The changes proposed in 2015 sailed past a mostly-uninterested Congress and into law, giving the FBI and other DOJ entities permission to hack computers anywhere in the world with a single warrant.

With the new rules, the law has finally caught up with the FBI's activities. It deployed a Network Investigative Tool -- the FBI's nifty nickname for intrusive malware that sends identifying info from people's computers to FBI investigators -- back in 2012 during a child porn investigation and mostly got away with it. It tried it again in 2015 and ran into a bit more resistance.

Rule 41's (former) jurisdictional limitations meant the FBI wasn't supposed to be able to "search" computers all over the US using a single warrant issued in Virginia. This activity was supposed to be confined to the state of Virginia. The aftermath of the Playpen investigation has led to a multitude of conflicting judicial opinions. Some have found the warrant invalid and the evidence obtained worthless. Others have granted good faith exceptions or determined no privacy violation took place. In at least one case, the government has dismissed the charges rather than expose any information about its Rule 41-flouting NIT.

In this case, the FBI isn't hacking computers to uncover child porn site visitors. Instead, it's going to be fiddling with a lot of computers to take down a botnet. The DOJ press release makes particular note of how lawful this all is now, post-Rule 41 amending:

In seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure. A copy of this warrant along with the other court orders are produced below.   The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server. This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.

The search warrant [PDF] application leads off with this as well, waving it in front of its unusual request like a wary vampire hunter's cross.

I make this affidavit in support of an application for a warrant under Federal Rule of Criminal Procedure 41 to authorize an online operation to disrupt the Kelihos botnet currently under the control of Peter Yuryevich LEVASHOV, a criminal hacker. The operation, which is particularly described in Attachment A and Attachment B, involves the distribution of updated peer lists, job messages and/or IP filter lists, further described in Attachment B, to the TARGET COMPUTERS currently infected with the Kelihos botnet malware in violation of Title 18, United States Code, Sections 1030, L343, and 2511, as described in Attachment A. This operation will also obtain the Internet Protocol addresses and associated routing information of those infected computers, and those addresses are evidence of crimes committed by LEVASHOV. A PRTT order has been requested for the purpose of attaining those IP addresses and associated routing information. This operation will not capture content from the TARGET COMPUTERS or modify them in any other capacity except limiting the TARGET COMPUTERS' ability to interact with the Kelihos botnet.

The intent here is to dismantle the botnet by freeing zombie computers. All well and good, except it's not the government pointing victims to malware removal tools, but rather letting themselves into the "house" to size up infections before passing this info on to third parties to actually perform the removals.

This new form of intrusion raised concerns in Congress, but the DOJ insisted the changes were innocuous and please let's all stop talking about this before someone stops the Rule 41 amendments slow roll to tacit approval.

Here it is in action: thousands of computers temporarily hosting digital G-men. We're in unknown territory right now with the FBI's anti-botnet work. The FBI itself doesn't even appear all that sure about the extent of its new Rule 41 powers. As is noted in the warrant, the FBI also applied for a Pen Register/Trap and Trace (PRTT) order [PDF] just in case.

Other than the three elements described above, federal law does not require that an application for an order authorizing the installation and use of a pen register and a trap and trace device specify any facts. The following additional information is provided to demonstrate that the order requested falls within this Court's authority to authorize the installation and use of a pen register or trap and trace device under 18 U.S.C. g 3123(a)(1).

This is the FBI basically saying the law doesn't require this application, but here it is anyway. A CYA PRTT for the interception of communications metadata that might help identify botnet victims. And for all its talismanic waving of Rule 41, the FBI isn't even sure it's really required to seek a warrant to perform this botnet cleanup. From the warrant affidavit:

To effectively combat the P2P structure of the Kelihos botnet, the FBI with assistance of private partners will participate in the exchange of peer lists and job messages with other infected computers. The FBI's communications, however, will not contain any commands, nor will they contain IP addresses of any of the infected computers. Instead, the FBI replies will contain the IP and routing information for the FBI's "sinkhole" server. As this new routing information permeates the botnet, the Kelihos infected computers will cease any current malicious activity and learn to only communicate with the sinkhole. The effect of these actions will be to free individual infections from exchanging information with the Kelihos botnet and with LEVASHOV. This will stop Kelihos's most immediate harm, the harvesting of personal data and credentials, and the transmittal of that data to servers under LEVASHOV's control.

Another portion of the Kelihos job messages is a list, known as the IP filter list. This list functions as a type of blacklist, preventing communication with those IPs contained within the filter list. If necessary, the FBI also seeks authorization to send a filter list to TARGET COMPUTERS to block Kelihos infected computers from continuing to communicate with router nodes.

The footnote attached to this reads:

The law is unsettled as to whether the operation authorized by the proposed warrant constitutes a search or seizure. However, in an abundance of caution, the United States is seeking a warrant.

It looks like the FBI is tentatively exploring its new powers, making sure it has the paper trail it needs to stave off courtroom challenges. If it sticks to disrupting a botnet, it shouldn't face any. If it takes advantage of its new access privileges, it might.

Filed Under: botnet, doj, fbi, hacking, nit, rule 41, warrant

New Regulations Appear To Authorize Chinese Law Enforcement To Hack Into Computers Anywhere In The World

from the everyone's-doing-it dept

A recurrent theme here on Techdirt has been the way in which the West has ceded the moral high ground in so many areas involving the tech world. For example, in 2010, we noted that the US had really lost the right to point fingers over Internet censorship. The moral high ground on surveillance went in 2013 for people, and in 2014 for economic espionage. Meanwhile, the UK has been shown to be as bad as the most disreputable police states in its long-running blanket surveillance of all its citizens.

The UK's most recent move to cast off any pretense that it is morally superior to other "lesser" nations is the Investigatory Powers Act, which formalizes all the powers its intelligence services have been secretly using for years. One of the most intrusive of those is the power to carry out what is quaintly termed "equipment interference" -- hacking -- anywhere in the world. That means it certainly won't be able to criticize some new rules in China, spotted by the Lawfare blog:

The regulations seem to authorize the unilateral extraction of data concerning anyone (or any company) being investigated under Chinese criminal law from servers and hard drives located outside of China.

Article 9 of the 2016 regulations provides that the police or prosecutors may extract digital data from original storage media (e.g., servers, hard drives) that are located outside of mainland China (i.e., including servers in Hong Kong, Macau, and Taiwan) "through the Internet" and may perform "remote network inspections" of such computer information systems. Remote network inspections are helpfully defined, in Article 29, as "investigation, discovery, and collection of electronic data from remote computer information systems related to crime through the Internet." The only caveat to this grant of authority is a requirement that investigations be subject to "strict standards." No guidance is provided as to what "strict" means.

On its face, the regulation indicates that Chinese officials have authorization to remotely search or extract data anywhere in the world, subject only to the limitations of [China's] domestic law.

If the idea of Chinese government agents hacking into your computer doesn't appeal, well, tough luck: the West is doing it too, so there's really nothing governments there can say that isn't deeply hypocritical. That won't stop them, of course, and it may lead to some nasty international name-calling that could escalate dangerously.

The fact that pretty much all the main players are hacking everyone else like crazy is yet another argument for not weakening encryption anywhere. However much certain politicians might want magic crypto systems that only let in the good guys and always keep out the bad guys -- perhaps by invoking the necessary hashtags -- they simply don't exist. Morever, the supposedly clear-cut distinction between good guys and bad guys has been blurred so completely by decades of the West losing the moral high ground here that it's not a very useful way of framing things anyway.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: china, hacking

Congressman Introduces Bill That Would Allow People And Companies To 'Hack Back' After Attacks

from the a-limited-offensive-weapon-that-can-only-be-raised-as-a-defense dept

Probably not the best idea, but it's something some legislators and private companies have been looking to do for years: hack back. Now there's very, very, very nascent federal legislation in the works that would give hacking victims a chance to jab a stick in the hornet's nest or work on their attribution theories or whatever.

A new bill intended to update the Computer Fraud and Abuse Act would allow victims of computer attacks to engage in active defense measures to identify the attacker and disrupt the attack.

Proposed by Rep. Tom Graves (R-Ga.), the bill would grant victims of computer intrusions unprecedented rights. Known as the Active Cyber Defense Certainty Act, the legislation seeks to amend the CFAA, the much-maligned 1986 law that is used in most computer crime prosecutions.

The CFAA amendment [PDF] would (sort of) authorize very limited "hack back" permissions. The powers can only be used for good, so to speak. The attacked can turn the tables slightly by invading the attacker's domain solely for the purpose of determining the person/group behind the attack.

What it won't allow is retribution and revenge, which may come as a disappointment to those who have been brutally breached.

(ii) does not include conduct that—

(I) destroys the information stored on a computers of another;

(II) causes physical injury to another person; or

(III) creates a threat to the public health or safety

That may temper the enthusiasm of supporters, but it's best the victims don't stoop to the level of their attackers, if only because the CFAA is already a hideously out-of-date mess that would be helped NOT AT ALL by endorsing the same behavior it criminalizes elsewhere.

The bill is only a "discussion draft" at this point, so by the time it reaches a vote, it may bear little to no resemblance to this embryo of an idea.

While it may be tempting to give private companies the power to hack attackers, there's always the chance mission creep will turn these permissions into violations. A few years ago, the IP Commission suggested it might be a good idea to allow software companies to "hack" computers owned by those suspected of infringement in order to uncover their identities and the location of the purloined software. The commission suggested the deployment of malware -- something more aligned with the FBI's child porn investigation tactics (which themselves have been found to be of dubious legality) than with what's being suggested here.

But this is only a suggestion. There's still a lot of legislative meat to be put on these bones and it's unlikely the same companies who thought it would be a fine idea to deploy malware against suspected pirates have changed their opinion over the last four years.

Rep. Tom Graves is the person behind the bill and had this to say about it -- part of which is pretty much dead on.

“This bill is about empowering individuals to defend themselves online, just as they have the legal authority to do during a physical assault,” said Graves. “While the bill doesn’t solve every problem, it’s an important first step. I hope my bill helps individuals defend themselves against cybercriminals while igniting a conversation that leads to more ideas and solutions that address this growing threat.”

"Empowering individuals" through federal law can go sideways in a flash. The second half of Graves' statement is better. A conversation does need to take place about responses to security breaches and attacks. But that conversation shouldn't start until those wishing to speak up start doing a much better job locking down their digital valuables. Offense is more fun to play than defense, but defense is where it all should start.

It also should be pointed out this bill is not open season on hackers. It doesn't give companies or individuals explicit permission to hack back, but rather provides them with a defense should they happen to be sued or prosecuted for engaging in this behavior. An affirmative defense is rarely as useful as explicit permission, as anyone who's argued fair use in court can attest. The DOJ has engaged in some very creative readings of the CFAA over the years, and an affirmative defense is only going to go so far in preventing bogus prosecutions.

Filed Under: attribution, cfaa, congress, hack back, hacking, tom graves

CIA Leak Shows Mobile Phones Vulnerable, Not Encryption

from the and-cia-isn't-helping dept

As you've probably heard by now, this morning Wikileaks started releasing a new cache of information regarding CIA hacking tools. This is interesting on a variety of levels, but many of the reports focus on the claims that encrypted chat apps like Signal, Whatsapp and Telegram may be compromised. See the top two links in this screenshot:

Wikileaks itself may have contributed to this view with the following paragraph in its release:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.

But the details don't seem to show that those apps are compromised, so much as that Android and iOS devices are compromised. It's always been true that if someone can get into your phone, the encryption scheme you use doesn't matter, because they can just pull keystrokes or grab data before you encrypt it -- in the same way that someone looking over your shoulder can read your messages as well. That's not a fault of the encryption or the app, but of the environment in which you're using the app itself.

And that should really be the bigger concern here. Over the years, nearly all of the focus on hacking mobile phones has been on the NSA and its capabilities, rather than the CIA. But it's now clear that the CIA has its own operations, akin to the NSA's hacking operations (kinda makes you wonder why we need that overlap). Except that the CIA's hacking team seems almost entirely unconcerned with following the federal government's rules on letting private companies know about vulnerabilities they've discovered.

Remember, the Obama White House put in place what it called a Vulnerabilities Equities Program in which the intelligence community is supposed to default to letting private companies know about vulnerabilities. And, yes, this was always something of a joke as there was a giant loophole involving "except for a clear national security or law enforcement need" that the NSA basically used to withhold vulnerabilities all the time. Still, at least the NSA appeared to get around to revealing some vulnerabilities eventually (probably once they were no longer useful).

Here, however, it looks like the CIA was hoarding some really serious vulnerabilities with wild abandon. In a chart released by Wikileaks you see that the CIA is getting these vulnerabilities from a variety of sources. Some it's finding itself, some it's purchasing, and some are shared via other agencies, such as the NSA or the UK's GCHQ. As Ed Snowden notes, there is now clear evidence (which many suspected, but which had not been proven) that the US government was secretly paying to keep US software unsafe and vulnerable. That's really dangerous. It's putting basically everyone in much more serious danger, just so the CIA, NSA and others can get in when they want to:

This is why the whole conversation about mandating backdoors and "going dark" was so dangerous in the first place. Those were plans to force even more of these vulnerabilities into the wild, just for the very very rare cases where they were needed by law enforcement or intelligence.

At a time when the President is suddenly acting as if he's concerned about domestic surveillance (at least of himself), perhaps now would be a good time to crack down on this kind of stuff. I'm not holding my breath -- but, for now, we're getting a lot more insight into the CIA's electronic surveillance methods, and it sounds like there's more to come.

Filed Under: cia, encryption, hacking, nsa, phones, surveillance, vep, vulnerabilities, vulnerabilities equities program
Companies: wikileaks

Italy Proposes Astonishingly Sensible Rules To Regulate Government Hacking Using Trojans

from the benvenuto-al-registro-dei-captatori dept

As Techdirt has just reported, even though encryption is becoming more widespread, it's not still not much of a problem for law enforcement agencies, despite some claims to the contrary. However, governments around the world are certainly not sitting back waiting for it to become an issue before acting. Many have already put in place legal frameworks that allow them to obtain information even when encryption is used, predominantly by hacking into a suspect's computer or mobile phone. In the US, this has been achieved with controversial changes to Rule 41; in the UK, the Snooper's Charter gives the government there almost unlimited powers to conduct what it coyly calls "equipment interference."

One of the main tools for carrying out surveillance in this way is the trojan -- code that is placed surreptitiously on a suspect's system to allow it to be monitored and controlled by the authorities in real time over the Internet. There are clearly huge risks and problems with this approach, something that a legislative proposal from the Civic and Innovators parliamentary group in Italy tries to address, as explained by Fabio Pietrosanti and Stefano Aterno on Boing Boing. The draft law is the result of nearly two years' work by a group of experts from many fields:

a former speaker of the Parliament, civil rights activists, law enforcement officers, computer forensics researchers, prosecutors, law professors, IT security experts, anti-mafia and anti-terrorism departments and politicians.

Perhaps that breadth explains why the ideas are really pretty good, for once. The underlying principle is that a government trojan is only allowed to operate in ways that have been explicitly authorized by an Italian judge's signed warrant. For example:

A Telephone Wiretapping Warrant is required to listen a Whatsapp call.

A Remote Search and Seizure Warrant is required to acquire files on remote devices.

An Internet Wiretapping Warrant is required to record web browsing sessions.

The same kind of warrant that would be required for planting a physical audio surveillance bug is required to listen to the surrounding environment with the device’s microphone.

Those kinds of legal safeguards are welcome, but they are not enough on their own. Also needed are stringent technical controls that will limit the harm and risk of introducing government malware onto a system. The working group has addressed this too with a series of innovative requirements for trojan surveillance programs:

a. The source code must be deposited to a specific authority and it must be verifiable with a reproducible build process (like the Tor Project and Debian Linux are doing)

b. Every operation carried on by the trojan or through its use must be duly documented and logged in a tamper proof and verifiable way, using cryptographic time-stamping and digital signing, so that its results can be fairly contested by the defendant during the inter partes hearing [that is, with everyone involved present].

c. The trojan, once installed, shall not lower the security level of the device where it has been activated

d. Once the investigation has finished, the trojan must be uninstalled or, otherwise, detailed instruction on how to self-remove it must be provided.

e. Trojan production and uses must be traceable by establishing a National Trojan Registry with the fingerprint of each version of the software being produced and deployed.

f. The trojans must be certified, with a yearly renewal of the certification, to ensure compliance with the law and technical regulation issued by the ministry.

It's a remarkable list of technical and operational requirements that are surely unique in their attempt to minimize the key dangers of implanting clandestine surveillance software. Of course, it would be better if the use of government malware were avoided completely, and other methods were adopted. But realistically, the police and intelligence agencies around the world will be pushing hard for legislation to allow them to infect people's computers and mobiles in this way, not least if encryption does become more of a problem.

Given that trojans will be used, whether we like it or not, far better to constrain them as much as possible through well-thought out rules such as those drawn up by the Italian parliamentary group. Let's hope their proposals are adopted without significant amendments by the Italian parliament so that they can be used as a template for similar laws in other jurisdictions.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: government hacking, hacking, italy, regulations, trojans