Archives December 2014

The Rafael Hui Case Amplifies Flaws in Hong Kong's Background Checks & Vetting System

Photo above: Rafael Hui (right) and Donald Tsang (left)

My last post of the year below and also in AsiaSentinel.

RafaelHui

Photo above: Rafael Hui

Why Didn’t the HK Vetting System Find Raphael Hui?

Former chief secretary, on his way to jail for 7-1/2 years, should have been spotted by background checks

Written by Vanson Soo
WED,24 DECEMBER 2014

The Hong Kong High Court delivered a landmark ruling Tuesday that brought an end to a chapter of one of the highest-level corruption trials in the city’s history with the conviction of former Chief Secretary Raphael Hui for bribery, along with the two executives who bribed him. But one serious question lingers.

Hui was handpicked by then Hong Kong chief executive Donald Tsang to return to the civil service as chief secretary. Why didn’t the background checks turn up what was obviously a grotesquely opulent lifestyle?

The 131-day high-profile trial involving Hui, effectively the number two in the Hong Kong government hierarchy, and two tycoons of Sun Hung Kai, the world’s second-most valuable real estate company according to Bloomberg, drew effective closure with Hui receiving seven and a half years behind bars for five charges including taking HK$8.5 million (US$1.1 million) in bribes from Sun Hung Kai co-chairman Thomas Kwok, who was given a five-year sentence and fined HK$500,000 for conspiring to corrupt the former chief secretary.

But who would have dared to oppose Hui’s appointment during the vetting process if Tsang wanted him? Apparently nobody. And shouldn’t Tsang be held responsible for overlooking Hui’s (known) vices? Shouldn’t the system have counted on the chief executive as the last line of defense to be absolutely clean?

If pre-employment background checks found a lavish opulent lifestyle and a high-spending propensity that were well known among Hui’s peers, who cast aside the potential red flag as merely a private and personal matter? Wasn’t it a colossal mistake that nobody asked the very simple question, if he was spending well beyond his means, where was he getting the money? Who then should be responsible for the gross oversight?

Details of Hui’s high life, including the showering of expensive gifts on his high-maintenance young mistress, came to light during the trial but it also emerged that his tilt towards the material world was no secret among his associates.

In light of Hui’s case, the government has defended its system of background checks, insisting there were adequate checks in place prior to slotting civil servants into their appointments. That defense highlights one gross, systematic problem, such as pre-employment background checks, in both the civil and commercial sectors alike: a check-the-box mentality instead of a serious investigation.

Pre-employment background checks are an exercise to ensure someone is properly, thoroughly and systematically vetted before an official undertaking, such as employment or appointment, to the extent that the person doesn’t become a potential liability and cause embarrassment sometime down the way.

These checks have both quantitative and qualitative elements. On the quantitative side, the checks include paper trials to confirm (thus the tag “check-the-box”) personal details, educational background, career history and highlight any potential conflicts and red flags found – for example, any record of bankruptcy, insolvency, sanctions, political affiliations, criminal history, etc.

In the civil service, all those checks extend to the subject’s next-of-kin. In commercial background checks (for example, banks in some jurisdictions are required to conduct these checks on all new hires), any personal stake and interest in other companies would also be material information.

The qualitative checks refer to efforts to find, as the wording suggests, any non-quantitative (i.e. non-documented) facts that could potentially cause trouble. In some commercial checks I have done for my clients, for example, someone found to have a high gambling propensity, or another with a history of sexual harassment in the workplace, were duly noted and accounted for in the process. In the political sphere, for example, anyone found to have employed undocumented immigrants would be promptly flagged in the United States and has been, ending the careers of several high-level appointees.

The check-the-box exercise underscores the very bureaucracy of the civil service as these background checks are designed to be “on the safe side,” documenting only those facts that are “traceable and reliable,” according to a source, a former senior Hong Kong government official familiar with the background checks and vetting processes within the civil service.

Beyond these quantifiable facts, the source told me any adverse comments – such as reports of one’s character, much like Hui’s high life – would rarely be passed on in the reports because they would be easily challenged. In several instances, troubles emerged later precisely because these omitted qualitative red flags came back to haunt both the employers and the newly employed.

The point then is, so what if Hui is known to have those vices? The government can boast all they want about their rigorous system of checks, including having two referees to evaluate the candidate but what use is it when the referees were appointed by the candidates themselves?

In Hui’s case, he was handpicked by Tsang to return to the civil service as chief secretary. But it has been widely reported that Tsang himself could face criminal prosecution on charges of improper conduct in office although the city’s anti-graft body – the Independent Commission Against Corruption (ICAC) – only says its investigation is still underway.

So, was it not a colossal mistake by the civil service to assume poor Hui and companies wouldn’t be singing Christmas carols behind bars, this and several more Christmas ahead?

Shhh… The WikiLeaks' CIA Travel Guide

I like to share with you the latest WikiLeaks release, “CIA Travel Advice to Operatives”. Its press release is pasted below (click here for the full report).

And I find it appropriate to highlight an earlier column, Spies and the Airport Screening Machine.

Enjoy!

CIA Travel Advice to Operatives – Press Release

Today, 21 December 2014, WikiLeaks releases two classified documents by a previously undisclosed CIA office detailing how to maintain cover while travelling through airports using false ID – including during operations to infiltrate the European Union and the Schengen passport control system. This is the second release within WikiLeaks’ CIA Series, which will continue in the new year.

The two classified documents aim to assist CIA undercover officials to circumvent these systems around the world. They detail border-crossing and visa regulations, the scope and content of electronic systems, border guard protocols and procedures for secondary screenings. The documents show that the CIA has developed an extreme concern over how biometric databases will put CIA clandestine operations at risk – databases other parts of the US government made prevalent post-9/11.

How to Survive Secondary Screening without Blowing your CIA Cover

The CIA manual “Surviving Secondary”, dated 21 September 2011, details what happens in an airport secondary screening in different airports around the world and how to pass as a CIA undercover operative while preserving one’s cover. Among the reasons for why secondary screening would occur are: if the traveller is on a watchlist (noting that watchlists can often contain details of intelligence officials); or is found with contraband; or “because the inspector suspects that something about the traveler is not right”.

The highlighted box titled “The Importance of Maintaining Cover––No Matter What” at the end of the document provides an example of an occasion when a CIA officer was selected for secondary screening at an EU airport. During the screening his baggage was swiped and traces of explosives found. The officer “gave the cover story” to explain the explosives; that he had been in counterterrorism training in Washington, DC. Although he was eventually allowed to continue, this example begs the question: if the training that supposedly explained the explosives was only a cover story, what was a CIA officer really doing passing through an EU airport with traces of explosives on him, and why was he allowed to continue?

The CIA identifies secondary screening as a threat in maintaining cover due to the breadth and depth of the searches, including detailed questioning, searches of personal belongings and electronic databases and collection of biometrics “all of which focus significant scrutiny on an operational traveler”.

The manual provides advice on how best to prepare for and pass such a process: having a “consistent, well-rehearsed, and plausible cover”. It also explains the benefits of preparing an online persona (for example, Linked-In and Twitter) that aligns with the cover identity, and the importance of carrying no electronic devices with accounts that are not for the cover identity, as well as being mentally prepared.

CIA Overview of EU Schengen Border Control

The second document in this release, “Schengen Overview”, is dated January 2012 and details guidelines for border officials in the EU’s Schengen zone and the threats their procedures might pose in exposing the “alias identities of tradecraft-conscious operational travelers”, the CIA terminology for US spies travelling with false ID during a clandestine operation. It outlines how various electronic systems within Schengen work and the risks they pose to clandestine US operatives, including the Schengen Information System (SIS), the European fingerprint database EURODAC (European Dactyloscopie) and FRONTEX (Frontières extérieures) – the EU agency responsible for easing travel between member states while maintaining security.

While Schengen currently does not use a biometric system for people travelling with US documents, if it did this “would increase the identity threat level” and, the report warns, this is likely to come into place in 2015 with the EU’s Entry/Exit System (EES). Currently, the Visa Information System (VIS), operated by a number of Schengen states in certain foreign consular posts, provides the most concern to the CIA as it includes an electronic fingerprint database that aims to expose travellers who are attempting to use multiple and false identities. As use of the VIS system grows it will increase the “identity threat for non-US-documented travelers”, which would narrow the possible false national identities the CIA could issue for undercover operatives.

WikiLeaks’ Editor-in-Chief Julian Assange said: “The CIA has carried out kidnappings from European Union states, including Italy and Sweden, during the Bush administration. These manuals show that under the Obama administration the CIA is still intent on infiltrating European Union borders and conducting clandestine operations in EU member states.”

Both documents are classified and marked NOFORN (preventing allied intelligence liaison officers from reading it). The document detailing advice on maintaining cover through secondary screening also carries the classification ORCON (originator controlled) and specifically allows distribution to Executive Branch Departments/Agencies of the US government with the appropriate clearance, facilitating clandestine operations by the other 16 known US government spy agencies. Both documents were produced by a previously unknown office of the CIA: CHECKPOINT, situated in the Identity Intelligence Center (i2c) within the Directorate of Science and Technology. CHECKPOINT specifically focuses on “providing tailored identity and travel intelligence” including by creating documents such as those published today designed specifically to advise CIA personnel on protecting their identities while travelling undercover.

Shhh… A Feasible Strategy Despite Severe Innate Phone Security (Eavesdropping) Flaws Like SS7

The Washington Post article below once again highlights one approach to mobile phone usage: have many spares, apart from your regular smartphone(s), like good old cellulars and disposable low-value SIM cards. Dispose the SIM card after each use and always switch amongst those cellulars.

It can’t stop eavesdropping but at least the hackers and spies cannot trace you so easily. The approach may sound extreme to most people, so for all practical reasons, it’s best recommended only for those important and confidential conversations.

SpareSimsPhones2

German researchers discover a flaw that could let anyone listen to your cell calls.
By Craig Timberg December 18

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.

The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They’ve likely sat on these things and quietly exploited them.”

The GSMA, a global cellular industry group based in London, did not respond to queries seeking comment about the vulnerabilities that Nohl and Engel have found. For the Post’s article in August on location tracking systems that use SS7, GSMA officials acknowledged problems with the network and said it was due to be replaced over the next decade because of a growing list of security and technical issues.

The German researchers found two distinct ways to eavesdrop on calls using SS7 technology. In the first, commands sent over SS7 could be used to hijack a cell phone’s “forwarding” function — a service offered by many carriers. Hackers would redirect calls to themselves, for listening or recording, and then onward to the intended recipient of a call. Once that system was in place, the hackers could eavesdrop on all incoming and outgoing calls indefinitely, from anywhere in the world.

The second technique requires physical proximity but could be deployed on a much wider scale. Hackers would use radio antennas to collect all the calls and texts passing through the airwaves in an area. For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

Nohl on Wednesday demonstrated the ability to collect and decrypt a text message using the phone of a German senator, who cooperated in the experiment. But Nohl said the process could be automated to allow massive decryption of calls and texts collected across an entire city or a large section of a country, using multiple antennas.

“It’s all automated, at the push of a button,” Nohl said. “It would strike me as a perfect spying capability, to record and decrypt pretty much any network… Any network we have tested, it works.”

Those tests have included more than 20 networks worldwide, including T-Mobile in the United States. The other major U.S. carriers have not been tested, though Nohl and Engel said it’s likely at least some of them have similar vulnerabilities. (Several smartphone-based text messaging systems, such as Apple’s iMessage and Whatsapp, use end-to-end encryption methods that sidestep traditional cellular text systems and likely would defeat the technique described by Nohl and Engel.)

In a statement, T-Mobile said: “T-Mobile remains vigilant in our work with other mobile operators, vendors and standards bodies to promote measures that can detect and prevent these attacks.”

The issue of cell phone interception is particularly sensitive in Germany because of news reports last year, based on documents provided by former NSA contractor Edward Snowden, that a phone belonging to Chancellor Angela Merkel was the subject of NSA surveillance. The techniques of that surveillance have not become public, though Nohl said that the SS7 hacking method that he and Engel discovered is one of several possibilities.

U.S. embassies and consulates in dozens of foreign cities, including Berlin, are outfitted with antennas for collecting cellular signals, according to reports by German magazine Der Spiegel, based on documents released by Snowden. Many cell phone conversations worldwide happen with either no encryption or weak encryption.

The move to 3G networks offers far better encryption and the prospect of private communications, but the hacking techniques revealed by Nohl and Engel undermine that possibility. Carriers can potentially guard their networks against efforts by hackers to collect encryption keys, but it’s unclear how many have done so. One network that operates in Germany, Vodafone, recently began blocking such requests after Nohl reported the problem to the company two weeks ago.

Nohl and Engel also have discovered new ways to track the locations of cell phone users through SS7. The Post story, in August, reported that several companies were offering governments worldwide the ability to find virtually any cell phone user, virtually anywhere in the world, by learning the location of their cell phones through an SS7 function called an “Any Time Interrogation” query.

Some carriers block such requests, and several began doing so after the Post’s report. But the researchers in recent months have found several other techniques that hackers could use to find the locations of callers by using different SS7 queries. All networks must track their customers in order to route calls to the nearest cellular towers, but they are not required to share that information with other networks or foreign governments.

Carriers everywhere must turn over location information and allow eavesdropping of calls when ordered to by government officials in whatever country they are operating in. But the techniques discovered by Nohl and Engel offer the possibility of much broader collection of caller locations and conversations, by anyone with access to SS7 and the required technical skills to send the appropriate queries.

“I doubt we are the first ones in the world who realize how open the SS7 network is,” Engel said.

Secretly eavesdropping on calls and texts would violate laws in many countries, including the United States, except when done with explicit court or other government authorization. Such restrictions likely do little to deter criminals or foreign spies, say surveillance experts, who say that embassies based in Washington likely collect cellular signals.

The researchers also found that it was possible to use SS7 to learn the phone numbers of people whose cellular signals are collected using surveillance devices. The calls transmit a temporary identification number which, by sending SS7 queries, can lead to the discovery of the phone number. That allows location tracking within a certain area, such as near government buildings.

The German senator who cooperated in Nohl’s demonstration of the technology, Thomas Jarzombek of Merkel’s Christian Democratic Union party, said that while many in that nation have been deeply angered by revelations about NSA spying, few are surprised that such intrusions are possible.

“After all the NSA and Snowden things we’ve heard, I guess nobody believes it’s possible to have a truly private conversation on a mobile phone,” he said. “When I really need a confidential conversation, I use a fixed-line” phone.

Are You Unique – How to Check Your Browser Fingerprints & Online Privacy?

Think you have taken all measures to remain anonymous and untraceable online? Or are you still (unknowingly) leaving browser fingerprints that can be traced to you and your devices?

The good news is, there’s a way to check and confirm if you are unique in cyberspace.

A browser fingerprint, or device fingerprint, is the systematic collection of information about a remote device for identification purposes, even when cookies are turned off.

There’s a web site “Am I Unique” which you can visit and check by clicking “View my browser fingerprint” as shown below:

Fingerprinting-Browser

That should give much food for thoughts for the Christmas holidays?

According to a recent international survey on 23,376 Internet users in 24 countries, carried out between October 7, 2014 and November 12, 2014, which found some 64 percent confessed they’re more concerned today about online privacy than they were a year ago.

Privacy-survey

That’s one way to gauge the post-Snowden effects. And if you still wonder why privacy matters, I highly recommend the Glenn Greenwald’s TEDTalk on “Why Privacy Matters“.

Shhh… US Federal Court: Warrantless Surveillance Footage in Public Areas is an Invasion of Privacy

Guess one would easily assume privacy does not apply in public areas – just look at the proliferation of CCTV cameras in the streets.

Well, that’s probably not necessarily the case judging by one recent court ruling in Washington. It may be good news for the general public and bad news for law enforcement.

Now first, many would probably associate the following 2 photos with typical covert surveillance operations, whereby operatives waited patiently to snap photos (and video) evidence of their subjects.

Surveillance-Detectives

Surveillance-Detectives2

But in this case involving the Washington police and Leonel Vargas (an “undocumented” immigrant suspected of drug trafficking), the authorities had a better idea.

The police planted a video camera, without a warrant, on a nearby utility pole 100 yards from Vargas’ rural Washington state house and shot 6 weeks worth of footage of his front yard whereby they eventually captured convincing evidence.

Vargas challenged the case on the grounds of violation of his privacy, which the government argued was not valid as his front yard is a public space and thus privacy does not apply.

The evidence put forward by the authorities was subsequently thrown out of the court by US District Judge Edward Shea, whose ruling is well summed up as such:

Law enforcement’s warrantless and constant covert video surveillance of Defendant’s rural front yard is contrary to the public’s reasonable expectation of privacy and violates Defendant’s Fourth Amendment right to be free from unreasonable search. The video evidence and fruit of the video evidence are suppressed.

Find out more about this case from here and there.

Shhh… The FBI Unmasking of TOR Users with Metasploit

I like to share this WIRED updates on the use of TOR.

The FBI Used the Web’s Favorite Hacking Tool to Unmask Tor Users
By Kevin Poulsen 12.16.14 | 7:00 am

For more than a decade, a powerful app called Metasploit has been the most important tool in the hacking world: An open-source Swiss Army knife of hacks that puts the latest exploits in the hands of anyone who’s interested, from random criminals to the thousands of security professionals who rely on the app to scour client networks for holes.

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.

That attack, “Operation Torpedo,” was a 2012 sting operation targeting users of three Dark Net child porn sites. Now an attorney for one of the defendants ensnared by the code is challenging the reliability of the hackerware, arguing it may not meet Supreme Court standards for the admission of scientific evidence. “The judge decided that I would be entitled to retain an expert,” says Omaha defense attorney Joseph Gross. “That’s where I am on this—getting a programming expert involved to examine what the government has characterized as a Flash application attack of the Tor network.”

A hearing on the matter is set for February 23.

Tor, a free, open-source project originally funded by the US Navy, is sophisticated anonymity software that protects users by routing traffic through a labyrinthine delta of encrypted connections. Like any encryption or privacy system, Tor is popular with criminals. But it also is used by human rights workers, activists, journalists and whistleblowers worldwide. Indeed, much of the funding for Tor comes from grants issued by federal agencies like the State Department that have a vested interest in supporting safe, anonymous speech for dissidents living under oppressive regimes.

With so many legitimate users depending upon the system, any successful attack on Tor raises alarm and prompts questions, even when the attacker is a law enforcement agency operating under a court order. Did the FBI develop its own attack code, or outsource it to a contractor? Was the NSA involved? Were any innocent users ensnared?

Now, some of those questions have been answered: Metasploit’s role in Operation Torpedo reveals the FBI’s Tor-busting efforts as somewhat improvisational, at least at first, using open-source code available to anyone.

Created in 2003 by white hat hacker HD Moore, Metasploit is best known as a sophisticated open-source penetration testing tool that lets users assemble and deliver an attack from component parts—identify a target, pick an exploit, add a payload and let it fly. Supported by a vast community of contributors and researchers, Metasploit established a kind of lingua franca for attack code. When a new vulnerability emerges, like April’s Heartbleed bug, a Metasploit module to exploit it is usually not far behind.

Moore believes in transparency—or “full disclosure”—when it comes to security holes and fixes, and he’s applied that ethic in other projects under the Metasploit banner, like the Month of Browser Bugs, which demonstrated 30 browser security holes in as many days, and Critical.IO, Moore’s systematic scan of the entire Internet for vulnerable hosts. That project earned Moore a warning from law enforcement officials, who cautioned that he might be running afoul of federal computer crime law.

In 2006, Moore launched the “Metasploit Decloaking Engine,” a proof-of-concept that compiled five tricks for breaking through anonymization systems. If your Tor install was buttoned down, the site would fail to identify you. But if you’d made a mistake, your IP would appear on the screen, proving you weren’t as anonymous as you thought. “That was the whole point of Decloak,” says Moore, who is chief research officer at Austin-based Rapid7. “I had been aware of these techniques for years, but they weren’t widely known to others.”

One of those tricks was a lean 35-line Flash application. It worked because Adobe’s Flash plug-in can be used to initiate a direct connection over the Internet, bypassing Tor and giving away the user’s true IP address. It was a known issue even in 2006, and the Tor Project cautions users not to install Flash.

The decloaking demonstration eventually was rendered obsolete by a nearly idiot-proof version of the Tor client called the Tor Browser Bundle, which made security blunders more difficult. By 2011, Moore says virtually everyone visiting the Metasploit decloaking site was passing the anonymity test, so he retired the service. But when the bureau obtained its Operation Torpedo warrants the following year, it chose Moore’s Flash code as its “network investigative technique”—the FBI’s lingo for a court-approved spyware deployment.

Torpedo unfolded when the FBI seized control of a trio of Dark Net child porn sites based in Nebraska. Armed with a special search warrant crafted by Justice Department lawyers in Washington DC, the FBI used the sites to deliver the Flash application to visitors’ browsers, tricking some of them into identifying their real IP address to an FBI server. The operation identified 25 users in the US and an unknown number abroad.

Gross learned from prosecutors that the FBI used the Decloaking Engine for the attack — they even provided a link to the code on Archive.org. Compared to other FBI spyware deployments, the Decloaking Engine was pretty mild. In other cases, the FBI has, with court approval, used malware to covertly access a target’s files, location, web history and webcam. But Operation Torpedo is notable in one way. It’s the first time—that we know of—that the FBI deployed such code broadly against every visitor to a website, instead of targeting a particular suspect.

The tactic is a direct response to the growing popularity of Tor, and in particular an explosion in so-called “hidden services”—special websites, with addresses ending in .onion, that can be reached only over the Tor network.

Hidden services are a mainstay of the nefarious activities carried out on the so-called Dark Net, the home of drug markets, child porn, and other criminal activity. But they’re also used by organizations that want to evade surveillance or censorship for legitimate reasons, like human rights groups, journalists, and, as of October, even Facebook.

A big problem with hidden service, from a law enforcement perceptive, is that when the feds track down and seize the servers, they find that the web server logs are useless to them. With a conventional crime site, those logs typically provide a handy list of Internet IP addresses for everyone using the site – quickly leveraging one bust into a cascade of dozens, or even hundreds. But over Tor, every incoming connection traces back only as far as the nearest Tor node—a dead end.

Thus, the mass spyware deployment of Operation Torpedo. The Judicial Conference of the United States is currently considering a Justice Department petition to explicitly permit spyware deployments, based in part on the legal framework established by Operation Torpedo. Critics of the petition argue the Justice Department must explain in greater detail how its using spyware, allowing a public debate over the capability.

“One thing that’s frustrating for me right now, is it’s impossible to get DOJ to talk about this capability,” says Chris Soghoian, principal technologist at the ACLU. “People in government are going out of their way to keep this out of the discussion.”

For his part, Moore has no objection to the government using every available tool to bust pedophiles–he once publicly proposed a similar tactic himself. But he never expected his long-dead experiment to drag him into a federal case. Last month he started receiving inquiries from Gross’ technical expert, who had questions about the efficacy of the decloaking code. And last week Moore started getting questions directly from the accused pedophile in the case— a Rochester IT worker who claims he was falsely implicated by the software.

Moore finds that unlikely, but in the interest of transparency, he answered all the questions in detail. “It only seemed fair to reply to his questions,” Moore says. “Though I don’t believe my answers help his case at all.”

Using the outdated Decloaking Engine would not likely have resulted in false identifications, says Moore. In fact, the FBI was lucky to trace anyone using the code. Only suspects using extremely old versions of Tor, or who took great pains to install the Flash plug-in against all advice, would have been vulnerable. By choosing an open-source attack, the FBI essentially selected for the handful offenders with the worst op-sec, rather than the worst offenders.

Since Operation Torpedo, though, there’s evidence the FBI’s anti-Tor capabilities have been rapidly advancing. Torpedo was in November 2012. In late July 2013, computer security experts detected a similar attack through Dark Net websites hosted by a shady ISP called Freedom Hosting—court records have since confirmed it was another FBI operation. For this one, the bureau used custom attack code that exploited a relatively fresh Firefox vulnerability—the hacking equivalent of moving from a bow-and-arrow to a 9-mm pistol. In addition to the IP address, which identifies a household, this code collected the MAC address of the particular computer that infected by the malware.

“In the course of nine months they went from off the shelf Flash techniques that simply took advantage of the lack of proxy protection, to custom-built browser exploits,” says Soghoian. “That’s a pretty amazing growth … The arms race is going to get really nasty, really fast.”

One Question on the Sydney Siege: Why didn't the Snipers Shoot Earlier?

I’m troubled by the Sydney siege at the Lindt Chocolate Café in Martin Place that has just concluded with 3 fatalities and 3 injured.

For starters, here’s one easy question: What’s wrong with these pictures (above from 7 News and the 2 below) and the video below (watch from 2:06 onwards)?

Sydney siege gunman-PIC
Photo credit: 7 News

Sydney-LindtCafeSeige-PIC
Picture: Ross Schultz Source: News Corp Australia

Now, the real question is: Where were the snipers? And why didn’t they shoot when they had the chance?

(Snipers reportedly manned nearby rooftops and shouted “Hostage down, window two” only when tactical police stormed the café at the end of the siege.)

If the media had these clear shots of the gunman Man Haron Monis, why didn’t the authorities have the snipers to take him down within the 16 hours window? If the snipers were not in a better position than the media, surely they have enough time to move for better views, rooftop or on the ground? The snipers of course need clearance from their commanders who should be on site with their squads. So does that mean the authorities did not want to kill him for whatever reasons?

Certainly many complicated questions but in any case, there were 17 hostages at stake and the police did not move in for the kill until (negotiations apparently failed and) there were gunshots within the café?

I have only one potential explanation: the authorities were concerned with the hostage taker’s claims that there were other explosive devices planted around the city – and the police have intelligence that he has comrades who would trigger those devices if he’s dead (I know it’s easier said than done but with good use of negotiators and intelligence, and a good 16-hour timeframe, the police and intelligence agencies could have established if he has other accomplices to detonate those devices, if any – plus it’s not that Man Haron Monis was any stranger to the Australian authorities. They should have a huge file on him all along).

Anything short (and as it turned out, his former lawyer, Manny Conditsis, reportedly told the media that Monis was an isolated figure who had acted alone), it’s sad to see yet another case whereby the authorities have not followed protocol in hostage situations: Take the man down (at the very opportunity).

It’s reminiscent of the Manila hostage event of 23 August 2010, when the hostage taker, former Philippines police officer Rolando Mendoza, hijacked a tourist bus with 25 hostages onboard. He was in plain sight (see picture below) several times, more than sufficient for the snipers to decide where to aim. But the Philippines authorities missed the opportunities, resulting in 9 deaths (including the perpetrator).

Manila-BusHostage-PIC

A longer version of this column appears in AsiaSentinel.com

Shhh… Michael Hayden on the Senate’s CIA Interrogation Report

Photo (above) credit: CIA

I like to share this POLITICO MAGAZINE exclusive interview with former CIA Director (May 30, 2006 – February 12, 2009) Michael Hayden on the release of the US Senate’s report.

Michael Hayden Is Not Sorry
The Senate report rakes Bush’s former CIA director over the coals. He fires back in an exclusive interview.

By MICHAEL HIRSH
December 09, 2014

Though the CIA’s “enhanced interrogation” program long predated his takeover of the agency in 2006, former Director Michael Hayden has found himself at the center of the explosive controversy surrounding the Senate Intelligence Committee’s executive summary of its still-classified report on torture. In a long, impassioned speech on the floor Tuesday, Committee Chair Dianne Feinstein cited Hayden’s testimony repeatedly as evidence that the CIA had not been forthright about a program that the committee majority report called brutal, ineffective, often unauthorized “and far worse than the CIA represented to policymakers and others.” She publicly accused Hayden of falsely describing the CIA’s interrogation techniques “as minimally harmful and applied in a highly clinical and professional manner.” In an interview with Politico Magazine National Editor Michael Hirsh, Hayden angrily rebuts many of the report’s findings.

Michael Hirsh: The report concludes, rather shockingly, that Pres. George W. Bush and other senior officials—including Defense Secretary Donald Rumsfeld for a time and Secretary of State Colin Powell—were not aware of many details of the interrogation programs for a long period. According to CIA records, it concludes, no CIA officer including Directors George Tenet and Porter Goss briefed the president on the specific enhanced interrogation techniques before April 2006. Is that true?

Michael Hayden: It is not. The president personally approved the waterboarding of Abu Zubaydah [in 2002]. It’s in his book! What happened here is that the White House refused to give them [the Senate Intelligence Committee] White House documents based upon the separation of powers and executive privilege. That’s not in their report, but all of that proves that there was dialogue was going on with the White House. What I can say is that the president never knew where the [black] sites were. That’s the only fact I’m aware that he didn’t know.

Hirsh: The report directly challenges your truthfulness, repeatedly stating that your testimony on the details of the programs –for example on whether the interrogations could be stopped at any time by any CIA participant who wanted them halted— is “not congruent with CIA records.” Does that mean you weren’t telling the truth?

Hayden: I would never lie to the committee. I did not lie.

Hirsh: Does it mean that you, along with others at senior levels, were misled about what was actually going on in the program?

Hayden: My testimony is consistent with what I was told and what I had read in CIA records. I said what the agency told me, but I didn’t just accept it at face value. I did what research I could on my own, but I had a 10-day window in which to look at this thing [the committee’s request for information]. I was actually in Virginia for about 30 hours and studied the program for about three before I went up to testify. I was trying to describe a program I didn’t run. The points being made against my testimony in many instances appear to be selective reading of isolated incidents designed to prove a point where I was trying to describe the overall tenor of the program. I think the conclusions they drew were analytically offensive and almost street-like in their simplistic language and conclusions. The agency has pushed back rather robustly in its own response.

Hirsh: You seem upset.

Hayden: Yeah, I’m emotional about it. Everything here happened before I got there [to the CIA], and I’m the one she [Sen. Feinstein] condemns on the floor of the Senate? Gee, how’d that happen? I’m the dumb son of a bitch who went down and tried to lay out this program in great detail to them. I’m mentioned twice as much in there as George Tenet—but George and Porter Goss had 97 detainees during their tenure, while I had two.

Hirsh: Is there anything you think the report gets right?

Hayden: All of us are really upset because we could have used a fair and balanced review of what we did. … The agency clearly admits it was fly-by-wire in the beginning. They were making it up as they went along and it should have been more well-prepared. They’ve freely admitted that. They said that early on they lacked the core competencies required to undertake an unprecedented program of detaining and interrogating suspected terrorists around the world. But then what the committee does is to take what I said out of context. They take statements I made about the later days of the program, for example when I said it was well-regulated and there were medical personnel available, etc., and then apply it to the early days of the program, when there were not. It misrepresents what I said.

Hirsh: One of the most stunning and cited conclusions of the report is that interrogations of CIA detainees were brutal and far worse than the CIA represented to policymakers and others.

Hayden: That is untrue. And let me give you a data point. John Durham, a special independent prosecutor, over a three-year period investigated every known CIA interaction with every CIA detainee. At the end of that the Obama administration declined any prosecution. [In 2012, the Justice Department announced that its investigation into two interrogation deaths that Durham concluded were suspicious out of the 101 he examined—those of Afghan detainee Gul Rahman and Iraqi detainee Manadel al-Jamadi—would be closed with no charges.] So if A is true how does B get to be true? If the CIA routinely did things they weren’t authorized to do, then why is there no follow-up? I have copies of the DOJ reports they’re using today. The question is, is the DoJ going to open any investigation and the DoJ answer is no. You can’t have it both ways. You can’t have all this supposed documentary evidence saying the agency mistreated these prisoners and then Barack Obama’s and Eric Holder’s Department of Justice saying no, you’ve got bupkis here.

Hirsh: What about the report’s overarching conclusion that these enhanced techniques simply were not effective at getting intelligence?

Hayden: My very best argument is that I went to [then-Deputy CIA Director] Mike Morell and I said, ‘Don’t fuck with me. If this story [about the usefulness of intelligence gained from enhanced techniques] isn’t airtight then I’m not saying it to Congress.’ They came back and said our version of the story is correct. Because of this program Zubaydah begat [Khalid Sheikh Mohammed], who begat [others]. We learned a great deal from the detainees.

Hirsh: The report says that even the CIA’s inspector general was not fully informed about the programs—that in fact the CIA impeded oversight by the IG.

Hayden: The IG never told me that. The IG never reported that to Congress. Look, I’m relying on people below me. If they tell you an untruth, you get rid of them. But I never felt I was being misled, certainly not on the important contours of this program. What they [the committee] are doing is grabbing emails out of the ether in a massive fishing expedition. This is a partisan report, as you can see from the minority report out of the committee.

Hirsh: Can you sort out the discrepancy between your testimony that there were only 97 detainees in the history of the program when the report says there 119?

Hayden: We knew there were more. The high-value-target program—they don’t show up on my list if they’re at the [black] sites. And committee knew all about that. They have chapter and verse from [former CIA IG John] Helgerson about it. It’s a question of what criteria you use. When I met with my team about these discrepancies, I said, ‘You tell [incoming CIA director] Leon Panetta he’s got to change the numbers that have been briefed to Congress.’

Hirsh: The report suggests that you misrepresented what you told Congress in the briefings, telling a meeting of foreign ambassadors to the United States in 2006 that every committee member was “fully briefed.”

Hayden: I mean what are they doing—trying to score my public speeches? What’s that about? You want me to go out and score Ron Wyden’s speeches?

Hirsh: You don’t believe you’re in legal jeopardy?

Hayden: No, not at all. I didn’t do anything wrong. How could I be in legal jeopardy?

Michael Hirsh is national editor for Politico Magazine.

The US Senate Intelligence Committee & CIA Interrogation Report – A Closer Look at the Tortures at Guantanamo Bay

CIA-guantanamo

In view of the huge trove of news coverage following the release of the long overdue and highly anticipated CIA Interrogation report (the BBC has a nice summary of the 20 key findings) by the US Senate Intelligence Committee on Tuesday, I thought it is good to (re)view this UK’s Channel 4 “Guantanamo Handbook” documentary.

It is a reenactment of the tortures at one of the most well known US military prisons in Cuba called the Guantanamo Bay detention camp, also referred to as Guantánamo, G-bay or GTMO – whereby 7 British volunteered to be detainees and subjected to selected CIA-style tortures for 48 hours.

Most notably, one volunteer who started off saying he supported the torture program as a means to gather intelligence and save lives – as per White House speaks – was the first to withdraw on medical grounds after just 10 hours, saying even though he had “strong views” earlier, he has “become more sympathetic of what’s going on there than before” and felt lucky he was “pulled” (out of the program).

Action speaks louder than words? Period.

Life-Saving Gadgets like Bulletproof Bags and Shields for Schools & the Workplace

Photo (above) credit: Alexander Augusteijn

With the recent headlines on fatal shootings by the police, and school massacres in the US earlier, the demand for bulletproof gears may well be on the rise again. And with Christmas round the corner, there’s no better time to show your loved ones you really care about their safety, at school and the workplace.

Perhaps you’re not alien to these products but I thought of sharing anyway, especially my findings on price effective solutions.

But first, here’s the link to a video introduction on one such product. And here’s a demonstration of the gear at work – blocking the bullet.

If it’s convincing, there’s still one operational issue. It takes a good few seconds to convert those ordinary-looking computer bags into a bulletproof shield covering the upper body. And that’s why I thought the next product (picture below) is more practical: it takes just a second to transform the briefcase into a bulletproof wall to shield the entire body when one found himself/herself in a suddenly hostile cross-fire situation.

BulletproofBriefcase-BodyShield

I found online retail stores selling these briefcases at around US$800 apiece.

Subsequently, I also found the China-based OEM manufacturers for these same briefcases. The minimum order quantity (MOQ) is usually quoted at 50, ie. a minimum of 50 pieces per order.

Now for all I know, some manufacturers entertain orders for “one sample” but at a premium, which in this case was US$400 at best.

One manufacturer then offered a “much better price” if I ordered 10 samples instead, at US$250 apiece. And I also asked about the best price for the stated MOQ of 50: US$235 apiece.

Not bad but if only I can convince some buddies to pool in for at least 10 such briefcases.

So I thought the best solution both for the price and practical reasons are the bulletproof panels (picture below).

Bulletblocker-StrikeFace

Besides inserting these panels into the children’s backpacks, one can also insert them into computer bags and briefcases for working adults. The flexibility in use is a big plus. And they cost less than US$100 apiece.

Shhh… DOJ Uses 18th Century Law to Make Apple Unlock Encrypted iPhones

It’s time to raise the antenna again on smartphone encryption matters.

Law enforcement agencies, particularly the FBI, have been desperately pressurizing the Congress to force Apple and Google to do away with their new default smartphone encryption. And authorities are apparently giving in.

According to an exclusive report by Ars Technica (below) earlier this week, court documents from 2 federal criminal cases in New York and California show the US Department of Justice on October 31 this year went as far as exercising a 18th century law – the All Writs Act – to compel Apple and at least one other company to cooperate with law enforcement officials in investigations dealing with locked and encrypted smartphones.

The 225-year-old law gives the courts the right to issue whatever writs or orders in order to compel someone to do something.

To the extent that Apple has recently beefed up encryption in its latest iOS 8, the fact that the DOJ would go to such absurd lengths might set worrying precedence – recall a recent ludicrous DOJ assertion that the new encryption standards would kill a child.

A more disturbing question: What would you do if you were FBI director James Comey making his rounds to denounce smartphone encryption?

Make the DOJ use the All Writs Act to force manufacturers to install convenient backdoors. Why not?

—————————————-

Feds want Apple’s help to defeat encrypted phones, new legal case shows

Prosecutors invoke 18th-century All Writs Act to get around thorny problem.
by Cyrus Farivar – Dec 1 2014, 10:00pm CST

OAKLAND, CA—Newly discovered court documents from two federal criminal cases in New York and California that remain otherwise sealed suggest that the Department of Justice (DOJ) is pursuing an unusual legal strategy to compel cellphone makers to assist investigations.

In both cases, the seized phones—one of which is an iPhone 5S—are encrypted and cannot be cracked by federal authorities. Prosecutors have now invoked the All Writs Act, an 18th-century federal law that simply allows courts to issue a writ, or order, which compels a person or company to do something.

Some legal experts are concerned that these rarely made public examples of the lengths the government is willing to go in defeating encrypted phones raise new questions as to how far the government can compel a private company to aid a criminal investigation.

Two federal judges agree that the phone manufacturer in each case—one of which remains sealed, one of which is definitively Apple—should provide aid to the government.

Ars is publishing the documents in the California case for the first time in which a federal judge in Oakland specifically notes that “Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.”

The two orders were both handed down on October 31, 2014, about six weeks after Apple announced that it would be expanding encryption under iOS 8, which aims to render such a data handover to law enforcement useless. Last month, The Wall Street Journal reported that DOJ officials told Apple that it was “marketing to criminals” and that “a child will die” because of Apple’s security design choices.

Apple did not immediately respond to Ars’ request for comment.

Meet the “All Writs Act”

Alex Abdo, an attorney with the American Civil Liberties Union, wondered if the government could invoke the All Writs Act to “compel Master Lock to come to your house and break [a physical lock] open.”

“That’s kind of like the question of could the government compel your laptop maker to unlock your disk encryption?” he said. “And I think those are very complicated questions, and if so, then that’s complicated constitutional questions whether the government can conscript them to be their agents. Then there’s one further question: can the government use the All Writs Act to compel the installation of backdoors?”

But, if Apple really can’t decrypt the phone as it claims, the point is moot.

“Then that’s pretty much the end of it,” Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, told Ars. “The writ doesn’t require Apple to do something that is impossible for it to do.”

Andrew Crocker, a legal fellow also at the Electronic Frontier Foundation, pointed out on Twitter on Tuesday that back in 2005, a different New York magistrate refused to accept the government’s invocation of the All Writs Act to obtain real-time cell site data.

As Magistrate Judge James Orenstein wrote at the time:

Thus, as far as I can tell, the government proposes that I use the All Writs Act in an entirely unprecedented way. To appreciate just how unprecedented the argument is, it is necessary to recognize that the government need only run this Hail Mary play if its arguments under the electronic surveillance and disclosure statutes fail.

The government thus asks me to read into the All Writs Act an empowerment of the judiciary to grant the executive branch authority to use investigative techniques either explicitly denied it by the legislative branch, or at a minimum omitted from a far-reaching and detailed statutory scheme that has received the legislature’s intensive and repeated consideration. Such a broad reading of the statute invites an exercise of judicial activism that is breathtaking in its scope and fundamentally inconsistent with my understanding of the extent of my authority.

“Any capabilities [Apple] may have to unlock the iPhone”

One of the new phone search cases was filed in federal court in Oakland, just across the bay from San Francisco, while another was filed in federal court in Manhattan.

In the Oakland case, prosecutors asked a federal judge in to “assist in the execution of a federal search warrant by facilitating the un-locking of an iPhone.”

Ars went in person to the Oakland courthouse on Wednesday to obtain the documents and is publishing both the government’s application and the judge’s order for the first time here. The All Writs Act application and order are not available via PACER, the online database for federal court records.

“This Court has the authority to order Apple, Inc., to use any capabilities it may have to unlock the iPhone,” Garth Hire, an assistant US attorney, wrote to the court and cited the All Writs Act.

“The government is aware, and can represent, that in other cases, courts have ordered the unlocking of an iPhone under this authority,” he wrote. “Additionally, Apple has routinely complied with such orders.”

“This court should issue the order because doing so would enable agents to comply with this Court’s warrant commanding that the iPhone be examined for evidence identified by the warrant,” he continued. “Examination of the iPhone without Apple’s assistance, if it is possible at all, would require significant resources and may harm the iPhone. Moreover, the order is not likely to place any unreasonable burden on Apple.”

In response, Magistrate Judge Kandis Westmore ordered that Apple “provide reasonable technical assistance to enable law enforcement agents to obtain access to unencrypted data.” She did not specifically mention the All Writs Act.

But she added:


It is further ordered that, to the extent that data on the iOS device is encrypted, Apple may provide a copy of the encrypted data to law enforcement but Apple is not required to attempt to decrypt, or otherwise enable law enforcement’s attempts to access any encrypted data.

Westmore’s language is a near-duplicate of a June 6, 2014 order issued by a different judge from the Northern California district, San Jose division, which is about 40 miles south of Oakland. There, Magistrate Judge Howard Lloyd ordered Apple to assist in the search of an iPad Mini, months before the release of iOS 8.

New spying tools afoot

On Tuesday, The Wall Street Journal reported on an order issued by a federal magistrate in New York in a case involving alleged credit card fraud.

In that Manhattan case, Magistrate Judge Gabriel Gorenstein granted the government’s proposed order on the same day as Westmore (October 31, 2014), also citing the All Writs Act, which compels the unnamed phone manufacturer to provide “reasonable technical assistance” in unlocking the device.

The mystery company could challenge the judge’s order, according to Brian Owsley, a former federal magistrate judge who now is a law professor at Indiana Tech.

“Unfortunately, we will probably not know because the issue will likely be sealed even though there should be more transparency in these issues,” he told Ars by e-mail, noting that during his tenure on the bench he could not remember a time when the government invoked the All Writs Act.

“It is only through greater transparency will we start to get the answers. If the provider simply complies we will know nothing. Here, Judge Gorenstein’s approach strikes me as very even-handed, but the inherent problem is that those who are concerned about privacy issues in general simply have to hope that the provider will speak up for us.”

But Orin Kerr, a law professor at George Washington University and a former federal prosecutor, does not believe that the seized phone in the New York case was an iOS 8 device.

“The government obtained a warrant on October 10 for a phone already in its possession,” he told Ars by e-mail. “Apple’s announcement was something like September 18. If it was an iPhone, it was probably an iPhone running [on] an earlier operating system.”

Still, Alex Abdo, the ACLU attorney, after reading a copy of the Oakland documents, concluded that the “government’s application raises troubling questions about the extent to which it can force companies to break the products they sell.”

“We are heartened, however, that the court recognized that possibility and stopped short of ordering Apple to come up with a way to decrypt its customers’ data,” he added.

“More broadly, it is disconcerting that the government is relying on a catch-all law to seek surveillance powers that it should be seeking from Congress and the public,” said Abdo. “If the government wants new spying tools, it should allow our democratic process to debate them openly first.”

UPDATE 1:50pm CT: Jonathan Mayer, a lecturer at Stanford Law, said that use of the All Writs Act is not as novel as it may seem. (He recommended his recent lecture on the subject!)

“The TL;DR is that there is nothing new about using the All Writs Act to compel assistance,” Mayer told Ars by e-mail. “And there is also nothing new about using it to compel assistance with unlocking a phone. That repeated language you saw? It’s provided by Apple itself!”

“As for the opinion discounting the All Writs Act, that had to do with surveillance under the Electronic Communications Privacy Act. Where ECPA applies, the All Writs Act doesn’t. (It’s just a default, as the court rightly noted.) Phone unlocking isn’t covered by ECPA, so the All Writs Act remains in play.”

Shhh… USB Thumb Drives Everywhere

Here’s one topic I have long wanted to post and I found this one below serves a nice reminder: Just be careful with any USB thumb drives lying around. In fact, you should ignore them altogether because chances are good that they were there for a reason.

http://www.ksl.com/api/jwplayer/player.php?file=http://media.ksl.com/1417021128-685081439.mp4&image=//media.ksl.com/1417021128-685081439.jpg&width=640&height=360

Shhh… Glenn Greenwald with James Risen on "Pay Any Price: Greed, Power, and Endless War"

Photo (above) Source: https://www.youtube.com/watch?v=wZ68ZQhzwPs

I like to share with you this interview on the new book by James Risen, the two-time Pulitzer Prize-winning New York Times investigative reporter at the center of one of the most significant press freedom cases in decades who exposed the warrantless wiretapping of Americans by the National Security Agency as early as 2005, 8 years before the Snowden revelations. Risen also hit headlines after being on Obama’s blacklist after he was threatened with prison terms by the Justice Department for refusing to reveal the source of one of his stories.

https://soundcloud.com/the_intercept/james-risen-glenn-greenwald-pay-any-price-the-war-on-terror-press-freedoms

And here is the transcript from The Intercept.