Category Cyber Espionage

(Above) photo credit: MARC VALLÉE

Check out the NYT article below.

Hackers May Have Obtained Names of Chinese With Ties to U.S. Government

By DAVID E. SANGER and JULIE HIRSCHFELD DAVISJUNE 10, 2015

WASHINGTON — Investigators say that the Chinese hackers who attacked the databases of the Office of Personnel Management may have obtained the names of Chinese relatives, friends and frequent associates of American diplomats and other government officials, information that Beijing could use for blackmail or retaliation.

Federal employees who handle national security information are required to list some or all of their foreign contacts, depending on the agency, to receive high-level clearances. Investigators say that the hackers obtained many of the lists, and they are trying to determine how many of those thousands of names were compromised.

In classified briefings to members of Congress in recent days, intelligence officials have described what appears to be a systematic Chinese effort to build databases that explain the inner workings of the United States government. The information includes friends and relatives, around the world, of diplomats, of White House officials and of officials from government agencies, like nuclear experts and trade negotiators.

“They are pumping this through their databases just as the N.S.A. pumps telephone data through their databases,” said James Lewis, a cyberexpert at the Center for Strategic and International Studies. “It gives the Chinese the ability to exploit who is listed as a foreign contact. And if you are a Chinese person who didn’t report your contacts or relationships with an American, you may have a problem.”

Officials have conceded in the briefings that most of the compromised data was not encrypted, though they have argued that the attacks were so sophisticated and well hidden that encryption might have done little good.

The first attack, which began at the end of 2013 and was disclosed in the middle of last year, was aimed at the databases used by investigators who conduct security reviews. The investigators worked for a contracting firm on behalf of the Office of Personnel Management, and the firm was fired in August.

The broader attack on the personnel office’s main databases followed in December. That attack, announced last week, involved the records of more than four million current and former federal employees, most of whom have no security clearances.

White House and personnel office officials have provided few details about the latest breach. But the Department of Homeland Security has been telling outside experts and members of Congress that it regards the detection of the attack as a success, because it made use of new “signatures” of foreign hackers, based on characteristics of computer code, to find the attack.

In a statement, the personnel office said Wednesday that “it was because of these new enhancements to our IT systems that O.P.M. was able to identify these intrusions.” But the detection happened in April, five months after the attack began.

The list of relatives and “close or continuous contacts” is a standard part of the forms and interviews required of American officials every five years for top-secret and other high-level clearances, and government officials consider the lists to be especially delicate.

In 2010, when The New York Times was preparing to publish articles based on 250,000 secret State Department cables obtained by WikiLeaks, the newspaper complied with a request by the department to redact the names of any Chinese citizens who were described in the cables as providing information to American Embassy officials. Officials cited fear of retaliation by the Chinese authorities.

Officials say they do not know how much of the compromised data was exposed to the Chinese hackers. While State Department employees, especially new ones, are required to list all their foreign friends, diplomats have so many foreign contacts that they are not expected to list them all.

But other government officials are frequently asked to do so, especially in interviews with investigators. The notes from those interviews, conducted by a spinoff of the personnel office called the United States Investigative Service, were obtained by hackers in the earlier episode last year.

Intelligence agencies use a different system, so the contacts of operatives like those in the C.I.A. were not in the databases.

But the standard form that anyone with a national security job fills out includes information about spouses, divorces and even distant foreign relatives, as well as the names of current or past foreign girlfriends and boyfriends, bankruptcies, debts and other financial information. And it appears that the hackers reached, and presumably downloaded, images of those forms.

“I can’t say whether this was more damaging than WikiLeaks; it’s different in nature,” said Representative Adam B. Schiff, a California Democrat who is a member of the House Intelligence Committee, which was briefed by intelligence officials, the Department of Homeland Security and the personnel office on Tuesday. Mr. Schiff, who declined to speak about the specifics of the briefing, added, “But it is certainly one of the most damaging losses I can think of.”

Investigators were surprised to find that the personnel office, which had already been so heavily criticized for lax security that its inspector general wanted parts of the system shut down, did not encrypt any of the most sensitive data.

The damage was not limited to information about China, though that presumably would have been of most interest to the hackers. They are likely to be particularly interested in the contacts of Energy Department officials who work on nuclear weapons or nuclear intelligence, Commerce Department or trade officials working on delicate issues like the negotiations over the Trans-Pacific Partnership, and, of course, White House officials.

In a conference call with reporters on Wednesday, Senator Angus King, an independent from Maine on both the Intelligence Committee and the Armed Services Committee, called for the United States to retaliate for these kinds of losses. “Nation-states need to know that if they attack us this way, something bad is going to happen to their cyberinfrastructure,” he said.

But Mr. King said he could not say if the attacks on the personnel office were state-sponsored, adding, “I have to be careful; I can’t confirm the identity of the entity behind the attack.” The Obama administration has not formally named China, but there has been no effort to hide the attribution in the classified hearings.

The scope of the breach is remarkable, experts say, because the personnel office apparently learned little from earlier government data breaches like the WikiLeaks case and the surveillance revelations by Edward J. Snowden, both of which involved unencrypted data.

President Obama has said he regards the threat of cyberintrusions as a persistent challenge in a world in which both state and nonstate actors “are sending everything they’ve got at trying to breach these systems.”

The problem “is going to accelerate, and that means that we have to be as nimble, as aggressive and as well resourced as those who are trying to break into these systems,” he said at a news conference this week.

The White House has stopped short of blaming Katherine Archuleta, the director of the personnel office, for the breach, emphasizing that securing government computer systems is a challenging task.

Correction: June 10, 2015

An earlier version of a photo caption with this article misstated the name of the federal office building where employees handle national security information are required to list their foreign contacts. It is the Office of Personnel Management building, not Office of Personal Management.

Matt Apuzzo contributed reporting.

The legendary former NSA crypto-mathematician and whistleblower William Binney:

You may have read and heard about the latest cyberattacks on the US government (see video above) over the weekend? Reckon you can’t help wondering how coincidental this “incident” was, judging by the following Guardian article. Nice strategy, Congress??

Please refer to the New York Times and recently leaked Snowden documents for more details.

Now the question is: how long has this been going on and is this a “Plan B” in the aftermath of the recent NSA Surveillance stand-down?

Find out more from the Guardian.

(Above) Photo credit: http://glenngreenwald.net/

Check out the following Guardian article:

Charges against Edward Snowden stand, despite telephone surveillance ban

The former NSA contractor revealed the banned surveillance programme, but an Obama administration spokesman says they will not review his charges

The White House refused to reconsider its legal pursuit of Edward Snowden on Monday, while it sought to take credit for outlawing the bulk telephone surveillance programme he revealed.

Obama administration spokesman Josh Earnest rejected the argument that the imminent passage of legislation banning the practice meant it was time to take a fresh look at the charges against the former National Security Agency contractor.

“The fact is that Mr Snowden committed very serious crimes, and the US government and the Department of Justice believe that he should face them,” Earnest told the Guardian at the daily White House press briefing.

“That’s why we believe that Mr Snowden should return to the United States, where he will face due process and have the opportunity to make that case in a court of law.”

Earnest refused to comment on whether Snowden could be allowed to employ a whistleblower defence if he choose to return voluntarily, something his supporters have argued is impossible under current Espionage Act charges.

“Obviously this is something that the Department of Justice would handle if they are having [those conversations],” said Earnest. “The thing I would put out is that there exists mechanisms for whistleblowers to raise concerns about sensitive national security programmes.”

“Releasing details of sensitive national security programmes on the internet for everyone, including our adversaries to see, is inconsistent with those protocols that are established for protecting whistleblowers,” he added.

But the White House placed itself firmly on the side of NSA reform, when asked if the president was “taking ownership” of the USA Freedom Act, which is expected to pass Congress later this week.

“To the extent that we’re talking about the president’s legacy, I would suspect [it] would be a logical conclusion from some historians that the president ended some of these programmes,” replied Earnest.

“This is consistent with the reforms that the president advocated a year and a half ago. And these are reforms that required the president and his team to expend significant amounts of political capital to achieve over the objection of Republicans.”

The administration also avoided four separate opportunities to warn that the temporary loss of separate Patriot Act surveillance provisions that expired alongside bulk collection on Sunday night had put the safety of Americans at risk, as some have claimed.

“All I can do is I can illustrate to you very clearly that there are tools that had previously been available to our national security professionals that are not available today because the Senate didn’t do their job,” said Earnest.

“As a result, there are programmes and tools that our national security professionals themselves say are important to their work that are not available to them right now, as we speak.”

Asked four times by reporters whether that meant Americans were markedly less safe as a result of the standoff in the Senate, the White House spokesman repeatedly said it was up to these national security staff, not him, to say.

http://video.foxnews.com/v/embed.js?id=4268521323001&w=466&h=263Watch the latest video at video.foxnews.com

http://finance.yahoo.com/video/woman-tracked-down-her-identity-205618021.html?format=embed

Find out more from these related articles.

See also recent coverage on this topic.

Google snooping on your web browsing or email may now be the least of your worries.

Late last week, it became known that Google has filed its creepiest patents yet – for a toy that can control other Wi-fi connected devices. Well for starters, just imagine this: If that toy senses you’re looking at it, it will rotate its head and look back at you…

And check out the following Guardian article below:

USA Freedom Act fails as senators reject bill to scrap NSA bulk collection

Ben Jacobs and Sabrina Siddiqui in Washington and Spencer Ackerman in New York
Saturday 23 May 2015 05.46 BST

Bill fails for the second time after vote in the small hours of Saturday morning, but Rand Paul thwarts Republican leaders’ attempts to extend Patriot Act

For the second time in less than a year, US senators rejected a bill to abolish the National Security Agency’s bulk collection of American phone records.

By a vote of 57-42, the USA Freedom Act failed on Friday to reach the 60-vote threshold needed to advance in the Senate after hours of procedural manoeuvering lasted into the small hours Saturday morning.

The result left the Senate due to reconvene on May 31, just hours before a wellspring of broad NSA and FBI domestic spying powers will expire at midnight.

Architects of the USA Freedom Act had hoped that the expiration at the end of May of the Patriot Act authorities, known as Section 215, provided them sufficient leverage to undo the defeat of 2014 and push their bill over the line.

The bill was a compromise to limit the scope of government surveillance. It traded the end of NSA bulk surveillance for the retention through 2019 of Section 215, which permits the collection of “business records” outside normal warrant and subpoena channels – as well as a massive amount of US communications metadata, according to a justice department report.

Although the bill passed the House of Representatives by a massive 338-88 margin last week, it was unable to overcome concerns from Republicans about the process of letting telecom companies take responsibility about the collection data from the NSA.

Republican leadership was hoping for a short-term extension of the Patriot Act which would push debate into early June, once the Senate returns from its Memorial Day recess.

This was considered far more likely than a two-month extension of the legislation, which was considered a forlorn hope and failed by a 45-54 vote shortly after the USA Freedom Act failed to reach cloture on Saturday morning.

Nevada Republican Dean Heller, a co-sponsor of the bill, told reporters early on Friday: “We’re losing the ‘politics of going home’ argument with our conference.”

He added that proponents of a short term extension were able to argue that supporting the bill meant staying on Capitol Hill all week. “So how do you win that argument?” Heller said.

The answer was by making senators stay regardless of how they voted as Kentucky Republican Rand Paul, a virulent opponent of NSA surveillance, torpedoed any attempt to kick the can down the road.

On Saturday morning, after both cloture votes failed, Senate majority leader Mitch McConnell asked for unanimous consent to extend the Patriot Act for a week. Paul objected. Objections were then heard from Paul, as well as from Oregon Democrat Ron Wyden and New Mexico Democrat Martin Heinrich on four-day, two-day and one-day extensions. Eventually McConnell gave up and announced that the Senate would adjourn until 31 May, the day before the key provisions of the Patriot Act expire.

The failure of the USA Freedom Act leaves the Senate in an impasse.

Republican whip John Cornyn, a strident supporter of extending the Patriot Act, divided the Senate into three groups on Friday.

As he put it, there are those who want a “straight extension, those who like USA Freedom and those who like nothing”.

Those who want a straight extension of the Patriot Act are in a distinct minority and supporters of the USA Freedom Act still cannot muster the necessary super majority to advance the bill. The result means those who are more than happy to simply let Section 215 expire on May 31 are in the driver’s seat.

When reporters asked Paul on Saturday morning whether he was concerned about the provisions of the Patriot Act expiring at the end of the month, the Kentucky Republican seemed unworried “We were liking the constitution for about 200 years and I think we could rely on the constitution.”

There still is some room for compromise. Arizona Republican John McCain, when asked if the USA Freedom Act was better than a lapse, said: “There are some programs that are affected by ‘Freedom USA’ that I would be very concerned about shutting down.” He added “but obviously anything is better than shutting down the whole operation.”

McCain also noted that “you can argue whether we should be doing the mega data thing but you can’t argue that it’s a good idea to shut down the whole thing.”

However, that shouldn’t be seen as any sort of endorsement of the NSA reform bill by hawks in Senate GOP caucus. Representative Tom Massie, a Kentucky Republican who came to the Senate floor to witness the vote Saturday morning, told reporters he was surprised at how strongly many of his fellow Republicans felt about the compromise reform bill. “They really don’t like the Freedom Act,” he said.

In the meantime, barring a breakthrough in the coming days, “the whole operation may be shutdown regardless” as the May 31 deadline looms closer.

Mitch McConnell may still be majority leader but for now, it’s Rand Paul’s Senate.

Find out more from the two video clips below and the following related articles:

(Above) photo credit: Jeff Nenarella/The Epoch Times

See also other related reports.

It’s simple. Whenever Bruce Schneier speaks, listen.

How we sold our souls – and more – to the internet giants

Bruce Schneier
Sunday 17 May 2015 11.00 BST

Last year, when my refrigerator broke, the repair man replaced the computer that controls it. I realised that I had been thinking about the refrigerator backwards: it’s not a refrigerator with a computer, it’s a computer that keeps food cold. Just like that, everything is turning into a computer. Your phone is a computer that makes calls. Your car is a computer with wheels and an engine. Your oven is a computer that cooks lasagne. Your camera is a computer that takes pictures. Even our pets and livestock are now regularly chipped; my cat could be considered a computer that sleeps in the sun all day.

Computers are being embedded into all sort of products that connect to the internet. Nest, which Google purchased last year for more than $3bn, makes an internet-enabled thermostat. You can buy a smart air conditioner that learns your preferences and maximises energy efficiency. Fitness tracking devices, such as Fitbit or Jawbone, collect information about your movements, awake and asleep, and use that to analyse both your exercise and sleep habits. Many medical devices are starting to be internet-enabled, collecting and reporting a variety of biometric data. There are – or will be soon – devices that continually measure our vital signs, moods and brain activity.

This year, we have had two surprising stories of technology monitoring our activity: Samsung televisions that listen to conversations in the room and send them elsewhere for transcription – just in case someone is telling the TV to change the channel – and a Barbie that records your child’s questions and sells them to third parties.

All these computers produce data about what they’re doing and a lot of it is surveillance data. It’s the location of your phone, who you’re talking to and what you’re saying, what you’re searching and writing. It’s your heart rate. Corporations gather, store and analyse this data, often without our knowledge, and typically without our consent. Based on this data, they draw conclusions about us that we might disagree with or object to and that can affect our lives in profound ways. We may not like to admit it, but we are under mass surveillance.

Internet surveillance has evolved into a shockingly extensive, robust and profitable surveillance architecture. You are being tracked pretty much everywhere you go, by many companies and data brokers: 10 different companies on one website, a dozen on another. Facebook tracks you on every site with a Facebook Like button (whether you’re logged in to Facebook or not), while Google tracks you on every site that has a Google Plus g+ button or that uses Google Analytics to monitor its own web traffic.

Most of the companies tracking you have names you’ve never heard of: Rubicon Project, AdSonar, Quantcast, Undertone, Traffic Marketplace. If you want to see who’s tracking you, install one of the browser plug-ins that let you monitor cookies. I guarantee you will be startled. One reporter discovered that 105 different companies tracked his internet use during one 36-hour period. In 2010, the seemingly innocuous site Dictionary.com installed more than 200 tracking cookies on your browser when you visited.

It’s no different on your smartphone. The apps there track you as well. They track your location and sometimes download your address book, calendar, bookmarks and search history. In 2013, the rapper Jay Z and Samsung teamed up to offer people who downloaded an app the ability to hear the new Jay Z album before release. The app required that users give Samsung consent to view all accounts on the phone, track its location and who the user was talking to. The Angry Birds game even collects location data when you’re not playing. It’s less Big Brother and more hundreds of tittletattle little brothers.

Most internet surveillance data is inherently anonymous, but companies are increasingly able to correlate the information gathered with other information that positively identifies us. You identify yourself willingly to lots of internet services. Often you do this with only a username, but increasingly usernames can be tied to your real name. Google tried to enforce this with its “real name policy”, which required users register for Google Plus with their legal names, until it rescinded that policy in 2014. Facebook pretty much demands real names. Whenever you use your credit card number to buy something, your real identity is tied to any cookies set by companies involved in that transaction. And any browsing you do on your smartphone is tied to you as the phone’s owner, although the website might not know it.

Surveillance is the business model of the internet for two primary reasons: people like free and people like convenient. The truth is, though, that people aren’t given much of a choice. It’s either surveillance or nothing and the surveillance is conveniently invisible so you don’t have to think about it. And it’s all possible because laws have failed to keep up with changes in business practices.

In general, privacy is something people tend to undervalue until they don’t have it anymore. Arguments such as “I have nothing to hide” are common, but aren’t really true. People living under constant surveillance quickly realise that privacy isn’t about having something to hide. It’s about individuality and personal autonomy. It’s about being able to decide who to reveal yourself to and under what terms. It’s about being free to be an individual and not having to constantly justify yourself to some overseer.

This tendency to undervalue privacy is exacerbated by companies deliberately making sure that privacy is not salient to users. When you log on to Facebook, you don’t think about how much personal information you’re revealing to the company; you chat with your friends. When you wake up in the morning, you don’t think about how you’re going to allow a bunch of companies to track you throughout the day; you just put your cell phone in your pocket.

But by accepting surveillance-based business models, we hand over even more power to the powerful. Google controls two-thirds of the US search market. Almost three-quarters of all internet users have Facebook accounts. Amazon controls about 30% of the US book market, and 70% of the ebook market. Comcast owns about 25% of the US broadband market. These companies have enormous power and control over us simply because of their economic position.

Our relationship with many of the internet companies we rely on is not a traditional company-customer relationship. That’s primarily because we’re not customers – we’re products those companies sell to their real customers. The companies are analogous to feudal lords and we are their vassals, peasants and – on a bad day – serfs. We are tenant farmers for these companies, working on their land by producing data that they in turn sell for profit.

Yes, it’s a metaphor, but it often really feels like that. Some people have pledged allegiance to Google. They have Gmail accounts, use Google Calendar and Google Docs and have Android phones. Others have pledged similar allegiance to Apple. They have iMacs, iPhones and iPads and let iCloud automatically synchronise and back up everything. Still others let Microsoft do it all. Some of us have pretty much abandoned email altogether for Facebook, Twitter and Instagram. We might prefer one feudal lord to the others. We might distribute our allegiance among several of these companies or studiously avoid a particular one we don’t like. Regardless, it’s becoming increasingly difficult to avoid pledging allegiance to at least one of them.

After all, customers get a lot of value out of having feudal lords. It’s simply easier and safer for someone else to hold our data and manage our devices. We like having someone else take care of our device configurations, software management, and data storage. We like it when we can access our email anywhere, from any computer, and we like it that Facebook just works, from any device, anywhere. We want our calendar entries to appear automatically on all our devices. Cloud storage sites do a better job of backing up our photos and files than we can manage by ourselves; Apple has done a great job of keeping malware out of its iPhone app store. We like automatic security updates and automatic backups; the companies do a better job of protecting our devices than we ever did. And we’re really happy when, after we lose a smartphone and buy a new one, all of our data reappears on it at the push of a button.

In this new world of computing, we’re no longer expected to manage our computing environment. We trust the feudal lords to treat us well and protect us from harm. It’s all a result of two technological trends.

The first is the rise of cloud computing. Basically, our data is no longer stored and processed on our computers. That all happens on servers owned by many different companies. The result is that we no longer control our data. These companies access our data—both content and metadata—for whatever profitable purpose they want. They have carefully crafted terms of service that dictate what sorts of data we can store on their systems, and can delete our entire accounts if they believe we violate them. And they turn our data over to law enforcement without our knowledge or consent. Potentially even worse, our data might be stored on computers in a country whose data protection laws are less than rigorous.

The second trend is the rise of user devices that are managed closely by their vendors: iPhones, iPads, Android phones, Kindles, ChromeBooks, and the like. The result is that we no longer control our computing environment. We have ceded control over what we can see, what we can do, and what we can use. Apple has rules about what software can be installed on iOS devices. You can load your own documents onto your Kindle, but Amazon is able to delete books it has already sold you. In 2009, Amazon automatically deleted some editions of George Orwell’s Nineteen Eighty-Four from users’ Kindles because of a copyright issue. I know, you just couldn’t write this stuff any more ironically.

It’s not just hardware. It’s getting hard to just buy a piece of software and use it on your computer in any way you like. Increasingly, vendors are moving to a subscription model—Adobe did that with Creative Cloud in 2013—that gives the vendor much more control. Microsoft hasn’t yet given up on a purchase model, but is making its MS Office subscription very attractive. And Office 365’s option of storing your documents in the Microsoft cloud is hard to turn off. Companies are pushing us in this direction because it makes us more profitable as customers or users.

Given current laws, trust is our only option. There are no consistent or predictable rules. We have no control over the actions of these companies. I can’t negotiate the rules regarding when Yahoo will access my photos on Flickr. I can’t demand greater security for my presentations on Prezi or my task list on Trello. I don’t even know the cloud providers to whom those companies have outsourced their infrastructures. If any of those companies delete my data, I don’t have the right to demand it back. If any of those companies give the government access to my data, I have no recourse. And if I decide to abandon those services, chances are I can’t easily take my data with me.

Political scientist Henry Farrell observed: “Much of our life is conducted online, which is another way of saying that much of our life is conducted under rules set by large private businesses, which are subject neither to much regulation nor much real market competition.”

The common defence is something like “business is business”. No one is forced to join Facebook or use Google search or buy an iPhone. Potential customers are choosing to enter into these quasi-feudal user relationships because of the enormous value they receive from them. If they don’t like it, goes the argument, they shouldn’t do it.

This advice is not practical. It’s not reasonable to tell people that if they don’t like their data being collected, they shouldn’t email, shop online, use Facebook or have a mobile phone. I can’t imagine students getting through school anymore without an internet search or Wikipedia, much less finding a job afterwards. These are the tools of modern life. They’re necessary to a career and a social life. Opting out just isn’t a viable choice for most of us, most of the time; it violates what have become very real norms of contemporary life.

Right now, choosing among providers is not a choice between surveillance or no surveillance, but only a choice of which feudal lords get to spy on you. This won’t change until we have laws to protect both us and our data from these sorts of relationships. Data is power and those that have our data have power over us. It’s time for government to step in and balance things out.

Adapted from Data and Goliath by Bruce Schneier, published by Norton Books. To order a copy for £17.99 go to bookshop.theguardian.com. Bruce Schneier is a security technologist and CTO of Resilient Systems Inc. He blogs at schneier.com, and tweets at @schneierblog

The House overwhelmingly approved Wednesday legislation to end the NSA’s bulk collection of phone records. Are you counting on it? I’m not as it’s highly likely secret “alternatives” have already been paved to have the NSA continue business as usual…

(Above) Photo credit: CBS 60 Minutes

http://www.cbsnews.com/common/video/cbsnews_video.swf

http://www.cbsnews.com/common/video/cbsnews_video.swf

http://www.cbsnews.com/common/video/cbsnews_video.swf

http://www.cbsnews.com/common/video/cbsnews_video.swf

(Above) photo credit: RT (Image from twitter.com @Manuel_Rapalo)

No matter what the judge thinks, one can’t help feeling sorry for Jeffrey Sterling (see the New York Times story below) considering how David Petraeus got away so lightly.

Ex-C.I.A. Officer Sentenced in Leak Case Tied to Times Reporter

By MATT APUZZOMAY 11, 2015

LEXANDRIA, Va. — A former Central Intelligence Agency officer on Monday was sentenced to three and a half years in prison on espionage charges for telling a journalist for The New York Times about a secret operation to disrupt Iran’s nuclear program. The sentence was far less than the Justice Department had wanted.

The former officer, Jeffrey A. Sterling, argued that the Espionage Act, which was passed during World War I, was intended to prosecute spies, not officials who talked to journalists. He asked for the kind of leniency that prosecutors showed to David H. Petraeus, the retired general who last month received probation for providing his highly classified journals to his biographer.

The case revolves around an operation in which a former Russian scientist provided Iran with intentionally flawed nuclear component schematics. Mr. Sterling was convicted in January of disclosing the operation to James Risen, a reporter for The Times, who had revealed it in his 2006 book, “State of War.” Mr. Risen described it as a botched mission that may have inadvertently advanced Iran’s nuclear program.

The Justice Department said that Mr. Sterling’s disclosures compromised an important C.I.A. operation and jeopardized the life of a spy. Under federal sentencing guidelines, he faced more than 20 years in prison, a calculation with which the Justice Department agreed. Prosecutors sought a “severe” sentence in that range.

Prosecutors maintain that the program was successful, and said Mr. Sterling’s disclosure “was borne not of patriotism but of pure spite.” The Justice Department argued that Mr. Sterling, who is black, had a vendetta against the C.I.A., which he had sued for racial discrimination.

Judge Leonie M. Brinkema gave no indication that she was swayed by the government’s argument that the book had disrupted a crucial operation, or harmed national security. She said she was most bothered that the information revealed in “State of War” had jeopardized the safety of the Russian scientist, who was a C.I.A. informant. Of all the types of secrets kept by American intelligence officers, she said, “This is the most critical secret.”

She said Mr. Sterling had to be punished to send a message to other officials. “If you knowingly reveal these secrets, there’s going to be a price to be paid,” she said.

Mr. Sterling, 47, spoke only briefly to thank the judge and court staff for treating him kindly as the case dragged on for years. Barry J. Pollack, a lawyer for Mr. Sterling, said jurors got the verdict wrong when they voted to convict. “That said, the judge today got it right,” he said.

Under federal rules, Mr. Sterling will be eligible for release from prison in just under three years.

The sentence caps a leak investigation that began under President George W. Bush and became a defining case in the Obama administration’s crackdown on government leaks. Under Attorney General Eric H. Holder Jr., the Justice Department prosecuted more people for having unauthorized discussions with reporters than all prior administrations combined.

For years, Mr. Sterling’s case was known most for the Justice Department’s efforts to force Mr. Risen to reveal his source. At the last minute, under pressure from journalist groups and liberal advocates, Mr. Holder relented and did not force Mr. Risen to choose between revealing his source or going to jail. Prosecutors won the case without Mr. Risen’s testimony.

Since the conviction, the case has been notable because of the stark differences in sentences handed down to leakers. Midlevel people like Mr. Sterling have been charged most aggressively. John C. Kiriakou, a former C.I.A. officer, served about two years in prison. Two former government contractors, Donald J. Sachtleben and Stephen J. Kim, are serving prison time. Thomas A. Drake, a former National Security Agency official, faced the prospect of years in prison but received a plea deal on a minor charge and avoided serving time after his lawyers won critical rulings before the trial.

By comparison, the F.B.I. investigated a decorated military leader, retired Gen. James E. Cartwright, after public reports described a highly classified wave of American cyberattacks against Iran. But that investigation has stalled because investigators considered the operation too sensitive to discuss at a public trial.

Mr. Petraeus, meanwhile, retains his status as an adviser to the Obama administration despite giving Paula Broadwell, his biographer, who was also his lover, notebooks containing handwritten classified notes about official meetings, war strategy, intelligence capabilities and the names of covert officers. Ms. Broadwell had a security clearance but was not authorized to receive the information.

Mr. Petraeus also admitted lying to the F.B.I., and the leniency of his plea deal infuriated many prosecutors and agents.

In court documents filed in Mr. Sterling’s case, the Justice Department argued that Mr. Petraeus’s crimes were not comparable. “None of this classified information was included in his biography, made public in any other way, or disclosed by his biographer to any third parties.”

Perhaps the Thai army (see story below) felt insulted being left out of the spy game…?

Army interrupts Israeli demonstration of wiretapping devices to Special Branch Bureau

May 8, 2015 12:24 pm

BANGKOK: A group of soldiers today raided the meeting room of the Special Branch Bureau and detained nine Israeli technicians and staff while they were demonstrating electronic wire tapping devices to special branch police.

But after the interruption of the planned demonstration by soldiers from the Second Calvary Division of the First Army Region, Royal Thai Police commissioner Pol Gen Somyot Phumphanmuang came out to defend the demonstration saying it was merely a misunderstanding caused by misinformation.

The commissioner said the Royal Thai Police and the Special Branch Bureau have been allocated budget from the government to procure wiretapping devices for use.

He said an Israeli supplier has approached the Royal Thai Police and scheduled today to demonstrate its devices.

However he said as the Army has learned of the Israeli approach, it then asked the firm to explain whether these electronic devices have been granted import permission legitimately or not.

He said the soldiers then invited the Israeli technicians and staff to their office for clarification and to display import documents.

He said the Israeli firm has insisted all its devices have been imported for demonstration legally.

Pol Gen Somyot said an Army colonel had phoned him saying he suspected some devices might be illegally smuggled into the country and sought his permission to interrupt the demonstration.

The commissioner recalled he immediately rang the First Army Region commander and the commander of the Second Calvary Division and also explained to the Israeli technicians of the Army’s request and the firm agreed to cooperate.

Pol Gen Somyot added it happened because of misunderstanding and he would ask the firm to return again for demonstration.

Some thoughts for the weekend… listen especially to the first six and a half minutes of this clip below about the conspiracy theories surrounding the recent mysterious death of Dave Goldberg, the husband of Facebook Chief Operating Officer Sheryl Sandberg – the “Facebook-NSA Queen”.

(Above) Photo credit: dailydotcom

Are you wondering why this “problem” (data overload – see article below) did not happen earlier…?

NSA is so overwhelmed with data, it’s no longer effective, says whistleblower

Summary:One of the agency’s first whistleblowers says the NSA is taking in too much data for it to handle, which can have disastrous — if not deadly — consequences.

By Zack Whittaker for Zero Day | April 30, 2015 — 14:29 GMT (22:29 GMT+08:00)

NEW YORK — A former National Security Agency official turned whistleblower has spent almost a decade and a half in civilian life. And he says he’s still “pissed” by what he’s seen leak in the past two years.

In a lunch meeting hosted by Contrast Security founder Jeff Williams on Wednesday, William Binney, a former NSA official who spent more than three decades at the agency, said the US government’s mass surveillance programs have become so engorged with data that they are no longer effective, losing vital intelligence in the fray.

That, he said, can — and has — led to terrorist attacks succeeding.

Binney said that an analyst today can run one simple query across the NSA’s various databases, only to become immediately overloaded with information. With about four billion people — around two-thirds of the world’s population — under the NSA and partner agencies’ watchful eyes, according to his estimates, there is too much data being collected.

“That’s why they couldn’t stop the Boston bombing, or the Paris shootings, because the data was all there,” said Binney. Because the agency isn’t carefully and methodically setting its tools up for smart data collection, that leaves analysts to search for a needle in a haystack.

“The data was all there… the NSA is great at going back over it forensically for years to see what they were doing before that,” he said. “But that doesn’t stop it.”

Binney called this a “bulk data failure” — in that the NSA programs, leaked by Edward Snowden, are collecting too much for the agency to process. He said the problem runs deeper across law enforcement and other federal agencies, like the FBI, the CIA, and the Drug Enforcement Administration (DEA), which all have access to NSA intelligence.

Binney left the NSA a month after the September 11 attacks in New York City in 2001, days after controversial counter-terrorism legislation was enacted — the Patriot Act — in the wake of the attacks. Binney stands jaded by his experience leaving the shadowy eavesdropping agency, but impassioned for the job he once had. He left after a program he helped develop was scrapped three weeks prior to September 11, replaced by a system he said was more expensive and more intrusive. Snowden said he was inspired by Binney’s case, which in part inspired him to leak thousands of classified documents to journalists.

Since then, the NSA has ramped up its intelligence gathering mission to indiscriminately “collect it all.”

Binney said the NSA is today not as interested in phone records — such as who calls whom, when, and for how long. Although the Obama administration calls the program a “critical national security tool,” the agency is increasingly looking at the content of communications, as the Snowden disclosures have shown.

Binney said he estimated that a “maximum” of 72 companies were participating in the bulk records collection program — including Verizon, but said it was a drop in the ocean. He also called PRISM, the clandestine surveillance program that grabs data from nine named Silicon Valley giants, including Apple, Google, Facebook, and Microsoft, just a “minor part” of the data collection process.

“The Upstream program is where the vast bulk of the information was being collected,” said Binney, talking about how the NSA tapped undersea fiber optic cables. With help from its British counterparts at GCHQ, the NSA is able to “buffer” more than 21 petabytes a day.

Binney said the “collect it all” mantra now may be the norm, but it’s expensive and ineffective.

“If you have to collect everything, there’s an ever increasing need for more and more budget,” he said. “That means you can build your empire.”

They say you never leave the intelligence community. Once you’re a spy, you’re always a spy — it’s a job for life, with few exceptions. One of those is blowing the whistle, which he did. Since then, he has spent his retirement lobbying for change and reform in industry and in Congress.

“They’re taking away half of the constitution in secret,” said Binney. “If they want to change the constitution, there’s a way to do that — and it’s in the constitution.”

An NSA spokesperson did not immediately comment.

(Above) photo credit: CNN

The North Korean authorities hang out two allegedly South Korean spies to dry via this CNN exclusive:

(Above) photo credit: US Department of Defense

Here’s an insightful piece from the New York Times (below) on a key man in the Pentagon previously featured in the Hollywood movies “Charlie Wilson’s War” and “Zero Dark Thirty”:

A Secret Warrior Leaves the Pentagon as Quietly as He Entered

MAY 1, 2015
The Saturday Profile
By THOM SHANKER

WASHINGTON — ASKED what he is looking forward to, Michael G. Vickers, who retired this week as under secretary of defense for intelligence, answered without hesitation: “Sleeping.”

Having participated in virtually every significant global crisis of the past four decades, either as a supporting player or just as often cast in a starring, if uncredited, role, he has missed a lot of that. “I get kept awake by near-term things and long-term things,” he says.

Most Americans do not even know the job Mr. Vickers is leaving, just days after his 62nd birthday, even though the Pentagon commands the intelligence community’s largest share of the vast federal budget for spying, about $80 billion, and manages the most intelligence employees, about 180,000 people.

For a man who once practiced infiltrating Soviet lines with a backpack-size nuclear weapon, Mr. Vickers has a mellow, professorial demeanor. In addition to Army Special Forces training, he has studied Spanish, Czech and Russian and holds a doctorate in strategy from Johns Hopkins University. (Of his 1,000-page dissertation, he says, “It’s a good doorstop.”) His answers to policy questions are disciplined, cautious and usually organized in two parts, or three, or more.

So ask: What exactly kept you awake? First, as the military would say, are the crocodiles closest to the canoe.

“Our immediate threats are terrorism, particularly from global jihadist groups that want to attack the United States. It is a constant danger,” Mr. Vickers said. “And cyber is now in that category.”

Add the rising Russian challenge to the European order, which Mr. Vickers categorizes as “a fairly near-term problem,” along with “the things that could happen on the Korean Peninsula.”

And the over-the-horizon threats?

“When you step back a bit and look at enduring strategic problems,” he said, “then you look at the Middle East, where you have terrorism and proxy wars and the danger of religious wars and dangers of sectarian conflict.” He warns that religious and sectarian wars tend to be viciously heartfelt, and therefore bloody and protracted.

Attention must be paid to what, he predicts, will be this century’s most dynamic region: “East Asia and the rise of China — how to engage and manage that relationship and that with our allies, and keep the peace in that region.”

Each of those regions poses a difficult challenge for American policy makers, but Mr. Vickers warned of the prospect of more than one exploding simultaneously, with individual risks turning into a cascade of crises from, say, Mali to Pakistan or across East Asia.

“The challenge in the current world is that, for the first time since early in the Cold War, you have more of a risk of crises in multiple regions turning into broader conflict,” he said.

DURING the Cold War, Mr. Vickers was a member of the Green Berets assigned to infiltrate Warsaw Pact borders should World War III break out. His mission: Detonate a portable nuclear bomb to blunt an attack by the overwhelming numbers of Soviet tanks.
Continue reading the main story

He was sent to Central America and the Caribbean during the era of small anticommunist wars, helping to end an airline hijacking and a hostage case involving Honduran government officials. He was also assigned to what a military biography euphemistically calls “contingency operations against the Sandinista regime in Nicaragua.”

Leaving the Army for the Central Intelligence Agency, he joined the invasion of Grenada. And after the Marine barracks in Beirut were bombed in 1983, killing 241 United States servicemen, he was given sensitive counterterrorism work in Lebanon.

As a rising C.I.A. officer, Mr. Vickers was the chief strategist for the largest covert action in American history, smuggling arms and money to Afghan mujahedeen battling Soviet invaders in Afghanistan.

After the collapse of communism in Europe, Mr. Vickers took a break in the policy world, writing white papers on budgets and strategy and how to restructure the military — until he was summoned to the Pentagon not long after the terrorist attacks on Sept. 11, 2001.

The grim connection was not lost on Mr. Vickers.

Al Qaeda blossomed among those same anti-Soviet “freedom fighters” in the years when Afghanistan, which had received billions of dollars in covert American assistance during the Soviet occupation, was paid scant attention by Washington after Moscow’s army marched home in disgrace.

“We made a mistake at the end of the Cold War by disengaging from that region,” Mr. Vickers said, “and I don’t think we want to do that again.”

FOR the past eight years at the Pentagon, he first managed Special Operations policy and then intelligence programs. He was former Defense Secretary Robert M. Gates’s handpicked liaison to the C.I.A. for the SEAL Team 6 mission that killed Osama bin Laden.

Mr. Vickers’s efforts contributed to the accelerated expansion of Special Operations forces — doubling personnel numbers, tripling their budget and quadrupling the pace of deployments.

But there is another military truism — if your favorite tool is a hammer, then every problem looks like a nail — and Mr. Vickers is aware of the dangers for the Special Operations forces.

“For all of the capabilities that S.O.F. has as a force-multiplier, as a small-footprint, big-impact force, it is not a panacea for all of your strategic problems,” he said.

Mr. Vickers’s Pentagon tour also witnessed growth in another signature weapon of the post-9/11 period: unmanned aerial vehicles for surveillance and attack. Early in the counterterrorism wars, the Pentagon could barely keep half a dozen drones airborne at one time; the ceiling now is 65.

“The combination of ‘armed,’ ‘precision,’ ‘reconnaissance’ has been one of the most dramatic innovations,” he said. “It has been a critical operational instrument in the successes we have had against core Al Qaeda, in particular.”

Yet the drone program has come under harsh public scrutiny, especially since President Obama revealed that a January strike by a C.I.A. drone on a Qaeda target in Pakistan killed two Western hostages, one of them an American. Mr. Vickers demurred when asked whether that portion of the lethal drone program now operated covertly by the C.I.A. should fold under the Pentagon.

But he addressed the broader issue of whether the benefits of killing terrorists with remotely piloted, pinpoint strikes by drones outweighs the risks of alienating the public.

“As precise as this instrument is, as important as this instrument is, it is one tool and it is not enough to bring stability to an area,” he said. Landing Hellfire missiles on terrorists does not end terrorism; policy has to address the underlying local grievances that lead to radicalism, he added.

To strategically defeat adversaries, he said, “you have to change the postwar governance to make the victory stick.”

With a résumé that reads like an action-movie character’s biography, Mr. Vickers has been depicted in one film, “Charlie Wilson’s War,” and drawn into controversy over another, “Zero Dark Thirty.” He was absolved after a two-year inquiry into whether classified information was leaked to the filmmakers behind “Zero Dark Thirty.” Critics had argued that administration officials hoped the movie could burnish the president’s commander-in-chief credibility.

Near the conclusion of his retirement ceremony on Thursday, Mr. Vickers said he already had a glimpse of his new, quieter life.

He said that when a Pentagon work crew removed a special telephone installed in his home for after-hours secure communications, he found that his cable connection was accidentally cut at the same time — and he had lost all access to the outside world via Internet and TV.

A version of this article appears in print on May 2, 2015, on page A5 of the New York edition with the headline: Action Role of a Lifetime, Often Uncredited.

(Above) Photo Credit: APA/EPA/GUILLAUME HORCAJUELO

It shouldn’t be any surprise if one has been following related news, including an earlier post this week on how the German foreign intelligence agency BND has been supporting NSA spying activities in Europe via a former US espionage base in Bad Aibling. Expect other similar actions against the NSA following the lead by Airbus (see video clip below).

And expect not just a tirade of questions on the German authorities but also the NSA and Obama administration. The NSA massive eavesdropping program was designed solely to protect America against terrorist threats? And nothing to do with industrial corporate espionage? Look who’s talking…

Or better late than never? Check out the article below:

Too little too late? NSA starting to implement ‘Snowden-proof’ cloud storage

Published time: April 14, 2015 10:28
Edited time: April 14, 2015 18:04

The NSA is implementing a huge migration to custom-designed cloud architecture it says will revolutionize internal security and protect against further leaks by data analysts with unfettered access to classified information.

Put simply, the NSA hopes to keep future Edward Snowdens out by employing a cloud file storage system it built from scratch. A major part of the system is that all the data an analyst will have access to will be tagged with new bits of information, including that relating to who can see it. Data won’t even show up on an analyst’s screen if they aren’t authorized to access it, NSA Chief Information Officer Lonny Anderson told NextGov.

The process has been slowly taking place over the last two years following the Snowden leaks. This means any information stored after the fact now comes meta-tagged with the new security privileges, among other things.

The agency has Snowden to thank for expediting a process that was actually started in the aftermath of the September 11 attacks in 2001. The idea for storing all information on cloud servers had been in the making, but hadn’t come to fruition until it was too late.

Now it’s moving at an expanded pace to implement something called GovCloud, which is a scaled version of the NSA’s entire universe of mined data. It is set to become pre-installed on the computers of all 16 US intelligence agencies, a move that started with the NSA.

At first glance, the idea appears counter-intuitive. Edward Snowden pretty much used the fact that all the information was in one place to find what he needed and access it.

However, as Anderson explains, “While putting data to the cloud environment potentially gives insiders the opportunity to steal more, by focusing on securing data down at cell level and tagging all the data and the individual, we can actually see what data an individual accesses, what they do with it, and we can see that in real time.”

The agency’s cloud strategist Dave Hurry explained the strategy further: “We don’t let people just see everything; they’re only seeing the data they are authorized to see.”

And if a situation arises where an employee needs access to information that’s off-limits, the program tells them who to ask to get it sorted out.

A further advantage to this is accelerating the analysis of the log data generated when an analyst wants to access particular information. Edward Snowden’s computer history, for some reason, did not set off any alarms until it was too late. That’s because the security logs had to be manually reviewed at a later time, NSA officials told NextGov.

They say this could have been averted with GovCloud, which would immediately raise a red flag if an analyst attempted to “exceed limits of authority.” The agency would have the former analyst in handcuffs before he managed to pack his bags for the airport.

GovCloud isn’t marketing itself as just a security feature that rescues the intelligence agencies from outdated practices and hardware. It is also touted as the answer to privacy advocates, who had a field day with the NSA when it turned out it was indiscriminately mining citizens’ communications.

“We think from a compliance standpoint, moving from a whole mess of stovepipes into a central cloud that has a lot more functionality gives us more capability,” Tom Ardisana, technology directorate compliance officer at NSA, said.

It’s not clear whether the general public will know if the NSA is ‘complying’, but its officials claim that GovCloud is a step in the right direction. Outdated hardware and an over-reliance on data centers built before the shifts in privacy and security policies meant the process of compliance had to be manual and tedious.

“Whenever you bolt on compliance to address a particular issue, there is always a second- and third-order effect for doing that,” Anderson continued. “It’s an extremely manual process. There is risk built in all over that we try to address. The cloud architecture allows us to build those issues in right from the start and in automated fashion address them,” he explained.

In broader terms, the new trend toward automation will also ensure analysts can drastically cut the time they spend on doing a whole plethora of tasks like cross-checking information between databases manually.

“It’s a huge step forward,” Anderson believes, adding how entire agencies – starting with the NSA and the Defense Department – were being transitioned into the new operating environment starting three weeks ago, meaning all their work tools and applications will now also have to be accessed from there.

Other agencies will follow, but for now it’s all about trial periods and seeing how smoothly the system works.

The agency hopes the move toward cloud computing will herald the end of data centers, although whether the system is hacker-proof remains to be seen.

Despite recent reports that Snowden is edging closer to securing Icelandic citizenship, his pal Julian Assange argues that the former NSA contractor is better off staying put in Russia:

Check out the original New York Times story.

(Above) Photo credit: Reuters.

The former US espionage base, Bad Aibling, was supposedly returned to the German foreign intelligence agency BND back in 2004. But that’s what “happened” only on surface. Check out the Spiegel special report below:

Spying Close to Home: German Intelligence Under Fire for NSA Cooperation

US intelligence spent years spying on European targets from a secretive base. Now, it seems that German intelligence was aware of the espionage — and did nothing to stop it.

April 24, 2015 – 07:20 PM

It was obvious from its construction speed just how important the new site in Bavaria was to the Americans. Only four-and-a-half months after it was begun, the new, surveillance-proof building at the Mangfall Kaserne in Bad Aibling was finished. The structure had a metal exterior and no windows, which led to its derogatory nickname among members of the Bundesnachrichtendienst (BND), the German foreign intelligence agency: The “tin can.”

The construction project was an expression of an especially close and trusting cooperation between the American National Security Agency (NSA) and the BND. Bad Aibling had formerly been a base for US espionage before it was officially turned over to the BND in 2004. But the “tin can” was built after the handover took place.

The heads of the two intelligence agencies had agreed to continue cooperating there in secret. Together, they established joint working groups, one for the acquisition of data, called Joint Sigint Activity, and one for the analysis of that data, known as the Joint Analysis Center.

But the Germans were apparently not supposed to know everything their partners in the “tin can” were doing. The Americans weren’t just interested in terrorism; they also used their technical abilities to spy on companies and agencies in Western Europe. They didn’t even shy away from pursuing German targets.

The Germans noticed — in 2008, if not sooner. But nothing was done about it until 2013, when an analysis triggered by whistleblower Edward Snowden’s leaks showed that the US was using the facility to spy on German and Western European targets.

On Thursday, though, SPIEGEL ONLINE revealed that the US spying was vastly more extensive than first thought. The revelations have been met with extreme concern in the German capital — partly because they mark the return of a scandal that two successive Merkel administrations have never truly sought to clear up.

It remains unclear how much the BND knew, and to what extent German intelligence was involved, either intentionally or not. More crucially, it demonstrates the gap in trust that exists between two close allies.

Humiliating Efforts

The German government will have to quickly come up with answers. It will also have to decide how it will confront Washington about these new accusations. In the past two years, Berlin has made little to no progress in its largely humiliating efforts to get information from Washington.

The issue that could have been cleared up, at least internally, shortly after the NSA scandal began in the summer of 2013. But BND decision-makers chose not to go public with what they knew.

When media reports began emerging that the NSA had scooped up massive amounts of data in Germany and Europe, and that this data surveillance was not being performed exclusively for the global fight against terrorism, BND agents became suspicious. In previous years, BND agents had noticed on several occasions that the so-called “Selector Lists,” that the Germans received from their American partners and which were regularly updated, contained some oddities.

Selectors are targets like IP addresses, mobile phone numbers or email accounts. The BND surveillance system contains hundreds of thousands, possibly more than a million, such targets. Analysts are automatically notified of hits.

In 2008, at the latest, it became apparent that NSA selectors were not only limited to terrorist and weapons smugglers. Their searches also included the European defense company EADS, the helicopter manufacturer Eurocopter and French agencies. But it was only after the revelations made by whistleblower Edward Snowden that the BND decided to investigate the issue. In October 2013, an investigation came to the conclusion that at least 2,000 of these selectors were aimed at Western European or even German interests.

That would have been a clear violation of the Memorandum of Agreement that the US and Germany signed in 2002 in the wake of the Sept. 11, 2001 terror attacks. The agreement pertained to joint, global surveillance operations undertaken from Bad Aibling.

Cease and Desist

Washington and Berlin agreed at the time that neither Germans nor Americans — neither people nor companies or organizations — would be among the surveillance targets. But in October 2013, not even the BND leadership was apparently informed of the violations that had been made. The Chancellery, which is charged with monitoring the BND, was also left in the dark. Instead, the agents turned to the Americans and asked them to cease and desist.

In spring 2014, the NSA investigative committee in German parliament, the Bundestag, began its work. When reports emerged that EADS and Eurocopter had been surveillance targets, the Left Party and the Greens filed an official request to obtain evidence of the violations.

At the BND, the project group charged with supporting the parliamentary investigative committee once again looked at the NSA selectors. In the end, they discovered fully 40,000 suspicious search parameters, including espionage targets in Western European governments and numerous companies. It was this number that SPIEGEL ONLINE reported on Thursday. The BND project group was also able to confirm suspicions that the NSA had systematically violated German interests. They concluded that the Americans could have perpetrated economic espionage directly under the Germans’ noses.

Only on March 12 of this year did the information end up in the Chancellery. Merkel administration officials immediately recognized its political explosiveness and decided to go on the offensive. On Wednesday, the Parliamentary Control Panel met, a body that is in charge of monitoring Germany’s three intelligence agencies. The heads of the agencies normally deliver their reports in the surveillance-proof meeting room U1.214.

Panel members suspected something was different at this week’s meeting when Chancellery head Peter Altmaier, a cabinet-level position in Germany, indicated that he would be attending. The heads of the parliamentary NSA investigative committee were also invited to attend. BND President Gerhard Schindler, however, was asked to stay away. The day after the meeting, the government announced bluntly that Schindler’s office had displayed “technical and organizational deficits.”

Recast in a Different Light

With that, Germany’s foreign intelligence agency has some explaining to do. The BND, after all, doesn’t just report to the Chancellery. It has also provided testimony on its activities at Bad Aibling several times to the Parliamentary Control Panel and to the NSA investigative committee. That testimony now appears in a different light.

According to a classified memo, the agency told parliamentarians in 2013 that the cooperation with the US in Bad Aibling was consistent with the law and with the strict guidelines that had been established.

The memo notes: “The value for the BND (lies) in know-how benefits and in a closer partnership with the NSA relative to other partners.” The data provided by the US, the memo continued, “is checked for its conformance with the agreed guidelines before it is inputted” into the BND system.

Now, we know better. It remains to be determined whether the BND really was unaware at the time, or whether it simply did not want to be aware.

The NSA investigative committee has also questioned former and active BND agents regarding “selectors” and “search criteria” on several occasions. Prior to the beginning of each session, the agents were informed that providing false testimony to the body was unlawful. The BND agents repeatedly insisted that the selectors provided by the US were precisely checked.

A senior analyst from the department responsible, known as “Signals Intelligence,” testified in March that BND lawyers would check “each individual search term” and “each individual selector” to ensure that it conformed with the Memorandum of Agreement. That didn’t just apply to government officials and German companies, he said, but to Europeans more broadly.

‘Prosecutors Must Investigate’

“Sneaking in” such search terms would “become apparent” in such a long-term operation, the witness said. “To try, over all these years, to sneak selectors by us to perpetrate economic espionage, I don’t think that is possible,” the witness said. He added: “We never noticed such a thing.”

Members of the NSA investigative committee now feel that they have been lied to, and the reactions have been harsh. “At least since the Snowden revelations in 2013, all those involved at all levels, including the Chancellery, should have been suspicious of the cooperation with the NSA,” says Konstantin von Notz, the senior Green Party member on the investigative committee.

“The spying scandal shows that the intelligence agencies have a life of their own and are uncontrollable,” says the senior Left Party representative Martina Renner. “There have to be personnel consequences and German public prosecutors must investigate.”

But as of late Thursday, the German government hadn’t even informed the public prosecutor’s office of the incident.

By Maik Baumgärtner, Nikolaus Blome, Hubert Gude, Marcel Rosenbach, Jörg Schindler and Fidelius Schmid

The article below sums it up nicely: the Protecting Cyber Networks Act passed by the Congress this week was a surveillance bill in disguise.

Check out this video by the Anonymous:

House of Representatives Passes Cybersecurity Bills Without Fixing Core Problems

April 22, 2015 | By Mark Jaycox

The House passed two cybersecurity “information sharing” bills today: the House Permanent Select Committee on Intelligence’s Protecting Cyber Networks Act, and the House Homeland Security Committee’s National Cybersecurity Protection Advancement Act. Both bills will be “conferenced” to create one bill and then sent to the Senate for advancement. EFF opposed both bills and has been urging users to tell Congress to vote against them.

The bills are not cybersecurity “information sharing” bills, but surveillance bills in disguise. Like other bills we’ve opposed during the last five years, they authorize more private sector spying under new legal immunity provisions and use vague definitions that aren’t carefully limited to protect privacy. The bills further facilitate companies’ sharing even more of our personal information with the NSA and some even allow companies to “hack back” against potentially innocent users.

As we’ve noted before, information sharing is not a silver bullet to stopping security failures. Companies can already share the necessary technical information to stop threats via Information Sharing and Analysis Centers (ISACs), public reports, private communications, and the DHS’s Enhanced Cybersecurity Services.

While we are disappointed in the House, we look forward to the fight in the Senate where equally dangerous bills, like the Senate Select Committee on Intelligence’s Cybersecurity Information Sharing Act, have failed to pass every year since 2010.

Contact your Senator now to oppose the Senate bills.

Time to brace up for further loss of privacy as the PCNA would amount to voluntary wholesale transfer of data to the NSA (see story below).

And the Congress actually believe it’s in the name of stopping hackers and cyber attacks?

House Passes Cybersecurity Bill Despite Privacy Protests

Andy Greenberg
04.22.15

Congress is hellbent on passing a cybersecurity bill that can stop the wave of hacker breaches hitting American corporations. And they’re not letting the protests of a few dozen privacy and civil liberties organizations get in their way.

On Wednesday the House of Representatives voted 307-116 to pass the Protecting Cyber Networks Act, a bill designed to allow more fluid sharing of cybersecurity threat data between corporations and government agencies. That new system for sharing information is designed to act as a real-time immune system against hacker attacks, allowing companies to warn one another via government intermediaries about the tools and techniques of advanced hackers. But privacy critics say it also threatens to open up a new backchannel for surveillance of American citizens, in some cases granting the same companies legal immunity to share their users’ private data with government agencies that include the NSA.

“PCNA would significantly increase the National Security Agency’s (NSA’s) access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity,” reads a letter signed earlier this week by 55 civil liberties groups and security experts that includes the American Civil Liberties Union, the Electronic Frontier Foundation, the Freedom of the Press Foundation, Human Rights Watch and many others.

“The revelations of the past two years concerning the intelligence community’s abuses of surveillance authorities and the scope of its collection and use of individuals’ information demonstrates the potential for government overreach, particularly when statutory language is broad or ambiguous,” the letter continues. “[PCNA] fails to provide strong privacy protections or adequate clarity about what actions can be taken, what information can be shared, and how that information may be used by the government.”

Specifically, PCNA’s data-sharing privileges let companies give data to government agencies—including the NSA—that might otherwise have violated the Electronic Communications Privacy Act or the Wiretap Act, both of which restrict the sharing of users’ private data with the government. And PCNA doesn’t even restrict the use of that shared information to cybersecurity purposes; its text also allows the information to be used for investigating any potential threat of “bodily harm or death,” opening its application to the surveillance of run-of-the-mill violent crimes like robbery and carjacking.

Congressman Adam Schiff, who led the advocacy for the bill on the House floor, argued in a statement to reporters that PCNA in fact supports privacy by protecting Americans from future hacker breaches. “We do this while recognizing the huge and growing threat cyber hacking and cyber espionage poses to our privacy, as well as to our financial wellbeing and our jobs,” he writes.

“In the process of drafting this bill, protecting privacy was at the forefront throughout, and we consulted extensively with privacy and civil liberties groups, incorporating their suggestions in many cases. This is a strong bill that protects privacy, and one that I expect will get even better as the process goes forward—we expect to see large bipartisan support on the Floor.”

Here’s a video [above] of Schiff’s statement on the House floor.

PCNA does include some significant privacy safeguards, such as a requirement that companies scrub “unrelated” data of personally identifying information before sending it to the government, and that the government agencies pass it through another filter to delete such data after receiving it.

But those protections still don’t go far enough, says Robyn Greene, policy counsel for the Open Technology Institute. Any information considered a “threat indicator” could still legally be sent to the government—even, for instance, IP address innocent victims of botnets used in distributed denial of service attacks against corporate websites. No further amendments that might have added new privacy restrictions to the bill were considered before the House’s vote Wednesday. “I’m very disappointed that the house has passed an information sharing bill that does so much to threaten Americans’ privacy and civil liberties, and no real effort was made to address the problems the bill still had,” says Greene. “The rules committee has excluded amendments that would have resolved privacy concerns…This is little more than a backdoor for general purpose surveillance.”

In a surprise move yesterday, the White House also publicly backed PCNA and its Senate counterpart, the Cybersecurity Information Sharing Act in a statement to press. That’s a reversal of its threat to veto a similar Cybersecurity Information Sharing and Protection Ac in 2013 over privacy concerns, a decision that all but killed the earlier attempt at cybersecurity data sharing legislation. Since then, however, a string of high-profile breaches seems to have swayed President Obama’s thinking, from the cybercriminal breaches of Target and health insurer Anthem that spilled millions of users’ data, to the devastating hack of Sony Pictures Entertainment, which the FBI has claimed was perpetrated as an intimidation tactic by the North Korean government to prevent the release of its Kim Jong-un assassination comedy the Interview.

If the White House’s support stands, it now leaves only an upcoming Senate vote sometime later this month on the Senate’s CISA as the deciding factor as to whether it and PCNA are combined to become law.

But privacy advocates haven’t given up on a presidential veto. A new website called StopCyberspying.com launched by the internet freedom group Access, along with the EFF, the ACLU and others, includes a petition to the President to reconsider a veto for PCNA, CISA and any other bill that threatens to widen internet surveillance.

OTI’s Greene says she’s still banking on a change of heart from Obama, too. “We’re hopeful that the administration would veto any bill that doesn’t address these issues,” she says. “To sign a bill that resembles CISA or PCNA would represent the administration doing a complete 180 on its commitment to protect Americans’ privacy.”

This story (below) gives a whole new meaning to the phrase No News is Good News:

The most popular news sites can be used to spy on you, research shows

Cale Guthrie Weissman

Over a year ago it was discovered that government surveillance programs can use digital ad tracking software to keep tabs on Internet users. Now it appears more widespread than most thought.

In fact, 100 popular news sites were found to be susceptible to security issues that could help spies learn about what websites you browse and the data you share.

The fact that the government uses ad tracking software to surveil citizens isn’t necessarily new, but recently published research shows just how widespread the issue is.

This is in the wake of the one the top ad organisations publically saying that the majority of its ad tracking programs are safe and secure. The truth is that almost half of the software used by the most popular global news websites are unsecure and provide an easy way for governments to snoop, according to the new research.

A Toronto-based researcher named Andrew Hilts performed his own audit of the 100 top media sites to see how secure data exchange really was. Hilt is a fellow at the University of Toronto’s Citizen Lab, as well as the executive director of the nonprofit Open Effect.

Hilt decided to check out if ad trackers — third-party ad software that sends and receives data — were encrypted. If the trackers were found to be unencrypted, it meant that personal data was in plain sight and easy to hack. (In essence, ad trackers leave cookies on users’ browsers, which are used to remember information such as personal preferences and previous logins. If this data is not protected it’s ripe for the taking.)

Of the pages Hilt loaded, he discovered 47 different third parties that were transmitting data to and from the sites. Of those third parties, 19 of them left what’s called a “unique identifier.” Hilt explained to me that unique identifiers are basically used to compile “a profile of who you are and what you’re interested in.”

Now this is the important, albeit slightly complicated, part of Hilt’s analysis:

An average of 53% of the third party hosts transmitting data on top news websites support HTTPS. News websites, on average, initiated communications with 10 different third parties that led to transmissions of uniquely identifying cookies that could not be secured with HTTPS. An average of 9 unique ID transmissions were to servers that support HTTPS. In other words, network snoops can take advantage of many insecurely-transmitted unique identifiers to help them identify just who is reading what news.

In laymen terms this means that on average nearly half of all third-party data transfers happening on the most popular news websites are unencrypted. Hilt explained to me the ramifications: “If an ad tracking system is being done unencrypted, other actors like your ISP or the NSA can collected this data,” he said.

Looking at the analysis, you can see that websites like the New York Post and the Economist transmit myriad data through third parties. Both of which, according to his chart, transmit well over 20 unencrypted identifiers that could be used by hackers.

The discoveries began in 2013. One of the many Snowden documents described a program that “piggybacked” on internet advertising technologies, using ad tracking technology to keep tabs on people of interest. The NSA discovered a handy loophole; many trackers are unencrypted. Thus, the NSA could easily tap into a website’s data exchange and also collect the traffic data of users.

More than a year after this initial revelation the Internet Advertising Bureau wrote a blog post calling for more widespread ad tracker encryption. This organisation called for all ad companies to support the encrypted HTTPS protocol — even the ad trackers. A website that uses the HTTPS protocol communicates encrypted data, which makes external snooping much harder to do.

The problem is that all parts of the website need to use HTTPS, not just the website itself. So if a news organisation uses third-party ad software that doesn’t use HTTPS, the website could very easily be tapped by spies. That’s why the IAB called for more data security.

“Once a website decides to support HTTPS,” the IAB wrote, “they need to make sure that their primary ad server supports encryption.” This way a user can be sure that all information exchanged on the page is secure and invisible to any unwanted eyes. The IAB added in its post that “nearly 80% of [its] members ad delivery systems supported HTTPS.”

Hilt’s findings show that this may not be the case.

Privacy advocates freaked out yesterday over Hilt’s findings. “A dubious congratulations to the St Louis Post-Dispatch, topping the news charts with 168 tracking URLs per page load,” tweeted Electronic Frontier Foundation activist Parker Higgins.

While the IAB’s message to advertisers is a step in the right direction, the fact that it doesn’t seem aware of how prevalent unencrypted tracking is means there’s a huge problem. In order for a website to truly ensure that its users aren’t being tracked by unknown third parties, it must ensure that both it and all of its third parties are communicating using HTTPS.

Hilt said the he’s happy the IAB is working to correct this issue, but it also needs to be aware of the work that needs to be done.

“The findings show they still have a ways to go,” he said.

Here’s an insight to one man at Google to keep tab on – see the article below.

New Google security chief looks for balance with privacy
By GLENN CHAPMAN, AFP April 19, 2015 4:55am

MOUNTAIN VIEW, United States – Google has a new sheriff keeping watch over the wilds of the Internet.

Austrian-born Gerhard Eschelbeck has ranged the British city of Oxford; cavorted at notorious Def Con hacker conclaves, wrangled a herd of startups, and camped out in Silicon Valley.

He now holds the reins of security and privacy for all-things Google.

In an exclusive interview with AFP, Eschelbeck spoke of using Google’s massive scope to protect users from cyber villains such as spammers and state-sponsored spies.

“The size of our computing infrastructure allows us to process, analyze, and research the changing threat landscape and look ahead to predict what is coming,” Eschelbeck said during his first one-on-one press interview in his new post.

“Security is obviously a constant race; the key is how far can you look ahead.”

Eschelbeck took charge of Google’s 500-strong security and privacy team early this year, returning to Silicon Valley after running engineering for a computer security company in Oxford for two years.

“It was a very natural move for me to join Google,” Eschelbeck said. “What really excited me was doing security at large scale.”

Google’s range of global services and products means there are many fronts for a security expert to defend. Google’s size also means there are arsenals of powerful computer servers for defenders to employ and large-scale data from which to discern cyber dangers.

Eschelbeck’s career in security stretches back two decades to a startup he built while a university student in Austria that was acquired by security company McAfee.

What started out as a six-month work stint in California where McAfee is based turned into a 15-year stay by Eschelbeck.

He created and advised an array of computer security startups before heading off to Oxford. Eschelbeck, has worked at computer technology titans such as Sophos and Qualys, and holds patents for network security technologies.

Constant attack

He was confident his team was up to the challenge of fending off cyber attacks, even from onslaughts of sophisticated operations run by the likes of the US National Security Agency or the Chinese military.

Eschelbeck vowed that he would “absolutely” find any hacker that came after his network.

“As a security guy, I am never comfortable,” he said. “But, I do have a very strong team…I have confidence we have the right reactive and proactive defense mechanisms as well.”

State-sponsored cyber attacks making news in the past year come on top of well-known trends of hacking expressly for fun or profit.

The sheer numbers of attack “vectors” has rocketed exponentially over time, with weapons targeting smartphones, applications, datacenters, operating systems and more.

“You can safely assume that every property on the Internet is continuously under attack,” Eschelbeck said.

“I feel really strong about our ability to identify them before they become a threat and the ability to block and prevent them from entering our environment.”

Scrambling data

Eschelbeck is a backer of encrypting data, whether it be an email to a friend or photos stored in the cloud.

“I hope for a time when all the traffic on the Internet is encrypted,” he said.

“You’re not sending a letter to your friend in a transparent envelop, and that is why encryption in transport is so critical.”

He believes that within five years, accessing accounts with no more than passwords will be a thing of the past.

Google lets people require code numbers sent to phones be used along with passwords to access accounts in what is referred to as “two-factor” authentication.

The Internet titan also provides “safe browsing” technology that warns people when they are heading to websites rigged to attack visitors.

Google identifies about 50,000 malicious websites monthly, and another 90,000 phishing websites designed to trick people into giving up their passwords or other valuable personal information, Eschelbeck said.

“We have some really great visibility into the Web, as you can imagine,” he said.

“The time for us to recognize a bad site is incredibly short.”

Doubling-down on privacy

Eschelbeck saw the world of online security as fairly black and white, while the privacy side of his job required subjective interpretations.

Google works closely with data protection authorities in Europe and elsewhere to try and harmonize privacy protections with the standards in various countries.

“I really believe that with security and privacy, there is more overlap than there are differences,” he said.

“We have made a tremendous effort to focus and double-down on privacy issues.”

As have other large Internet companies, Google has routinely made public requests by government agencies for information about users.

Requests are carefully reviewed, and only about 65 percent of them satisfied, according to Google.

“Privacy, to me, is protecting and securing my activities; that they are personal to myself and not visible to the whole wide world,” Eschelbeck said. — Agence France-Presse

The Intercept has revealed how New Zealand has teamed up with the NSA to eavesdrop on China, its largest trading partner (see article below).

This is not the first time New Zealand has been pulled into the equation about mass surveillance and the NSA. Just a month ago, New Zealand was also accused of spying on its neighbors in the Pacific islands (see video below).

New Zealand Plotted Hack on China With NSA

By Ryan Gallagher and Nicky Hager

New Zealand spies teamed with National Security Agency hackers to break into a data link in the country’s largest city, Auckland, as part of a secret plan to eavesdrop on Chinese diplomats, documents reveal.

The covert operation, reported Saturday by New Zealand’s Herald on Sunday in collaboration with The Intercept, highlights the contrast between New Zealand’s public and secret approaches to its relationship with China, its largest and most important trading partner.

The hacking project suggests that New Zealand’s electronic surveillance agency, Government Communications Security Bureau, or GCSB, may have violated international treaties that prohibit the interception of diplomatic communications.

New Zealand has signed both the 1961 Vienna Convention on Diplomatic Relations and the 1963 Vienna Convention on Consular Relations, international treaties that protect the “inviolability” of diplomatic correspondance. The country’s prime minister, John Key, said in a recent speech on security that New Zealand had an obligation to support the rule of law internationally, and was “known for its integrity, reliability and independence.”

Last year, Key said that New Zealand’s relationship with China, worth an estimated $15 billion in annual two-way trade, had “never been stronger.” The relationship was not just about “purely trading,” he said, “it is so much broader and much deeper than that.”

In 2013, Key described a meeting with top Chinese officials in Beijing as “extremely warm” and told of how he was viewed as a “real friend” by the country’s premier, Li Keqiang.

At the same time, as minister in charge of the GCSB, Key was overseeing spying against China – which included the top-secret planned operation in Auckland, aimed at the Chinese consulate.

The hacking project is outlined in documents obtained by The Intercept from NSA whistleblower Edward Snowden.

A secret report called “NSA activities in progress 2013,” includes an item titled “New Zealand: Joint effort to exploit Chinese MFA [Ministry of Foreign Affairs] link.” The operation, according to another NSA document, had “identified an MFA data link between the Chinese consulate and Chinese Visa Office in Auckland,” two buildings about a five-minute walk apart on the city’s busy Great South Road.

The document added that the New Zealand agency was “providing additional technical data” on the data link to the NSA’s Tailored Access Operations, a powerful unit that hacks into computer systems and networks to intercept communications. The agencies had “verbally agreed to move forward with a cooperative passive and active effort against this link,” it said.

Passive surveillance refers to a method of eavesdropping on communications that intercepts them as they are flowing over Internet cables, between satellites, or across phone networks. Active surveillance is a more aggressive tactic that involves hacking into computers; in the case of the Auckland operation, active surveillance could have involved planting spyware in the Chinese government computers or routers connected via the consulate data link.

The documents do not reveal whether the operation was successfully completed, due to the timeframe that the records cover. In May 2013, Snowden left his Hawaii-based intelligence job and flew to Hong Kong carrying the cache of secret files. In April 2013, shortly before Snowden’s departure, “formal coordination” on the hacking plan had begun between the NSA and its New Zealand counterpart, according to the documents.

More New Zealand operations targeting China appear to have been ongoing at that time. In another April 2013 NSA document describing the agency’s relationship with New Zealand spies, under the heading “What partner provides to NSA,” the first item on the list is “collection on China.” New Zealand’s GCSB surveillance agency “continues to be especially helpful in its ability to provide NSA ready access to areas and countries that are difficult for the United States to access,” the report said.

China intelligence is handled inside the New Zealand agency by a special section that focuses on economic analysis. According to sources with knowledge of the agency’s operations, its economic section, known as the “IBE,” specialised in Japanese diplomatic communications from 1981 until the late 2000s. In recent years its focus has shifted to intercepted Chinese communications, the sources say.

In response to the revelations, a spokesman for the Chinese Embassy in New Zealand told the Herald on Sunday that the country was “concerned” about the spying. “We attach great importance to the cyber security issue,” the spokesman said, adding that “China proposes to settle disputes through dialogue and formulate codes to regulate cyber space behaviors that are acceptable to all sides.”

China itself is known to be a major perpetrator of espionage on the global stage, and it has been repeatedly accused by the U.S. government of hacking into American computer networks. Last year, China was linked to an apparent intelligence-gathering hack on a powerful New Zealand supercomputer used to conduct weather and climate research.

But the Snowden documents have shown that countries in the so-called “Five Eyes” surveillance alliance – which includes New Zealand, the United States, the United Kingdom, Canada, and Australia – are also heavily involved in conducting aggressive spying and hacking operations across the world.

Previous revelations have detailed how agencies in the alliance have hacked law-abiding companies, foreign government computers, and designed technology to attack and destroy infrastructure using cyberwar techniques. Last year, The Intercept revealed how the NSA had developed the capability to deploy millions of malware “implants” to infect computers and steal data on a large scale.

The NSA, the GCSB and the New Zealand prime minister’s office each declined to answer questions about this story.

GCSB’s acting director, Una Jagose, said in an emailed statement that the agency “exists to protect New Zealand and New Zealanders.” She added: “We have a foreign intelligence mandate. We don’t comment on speculation about matters that may or may not be operational. Everything we do is explicitly authorised and subject to independent oversight.”

Has Julian Assange gone overboard with the latest WikiLeaks‘ dump of over 200,000 Sony documents and emails on its website this week?

“This archive shows the inner workings of an influential multinational corporation. It is newsworthy and at the centre of a geo-political conflict. It belongs in the public domain. WikiLeaks will ensure it stays there,” Assange explains in his press statement.

Sony’s lawyer David Boies was certainly not impressed and he has sent letters to media outlets urging them not to make use of the data, according to a Bloomberg report.

The question is, would you buy it? See Facebook’s response here and below.

Here’s an interesting story:

Meet the privacy activists who spy on the surveillance industry

by Daniel Rivero | April 6, 2015

LONDON– On the second floor of a narrow brick building in the London Borough of Islington, Edin Omanovic is busy creating a fake company. He is playing with the invented company’s business cards in a graphic design program, darkening the reds, bolding the blacks, and testing fonts to strike the right tone: informational, ambiguous, no bells and whistles. In a separate window, a barren website is starting to take shape. Omanovic, a tall, slender Bosnian-born, Scottish-raised Londonite gives the company a fake address that forwards to his real office, and plops in a red and black company logo he just created. The privacy activist doesn’t plan to scam anyone out of money, though he does want to learn their secrets. Ultimately, he hopes that the business cards combined with a suit and a close-cropped haircut will grant him access to a surveillance industry trade show, a privilege usually restricted to government officials and law enforcement agencies.

Once he’s infiltrated the trade show, he’ll pose as an industry insider, chatting up company representatives, swapping business cards, and picking up shiny brochures that advertise the invasive capabilities of bleeding-edge surveillance technology. Few of the features are ever marketed or revealed openly to the general public, and if the group didn’t go through the pains of going undercover, it wouldn’t know the lengths to which law enforcement and the intelligence community are going to keep tabs on their citizens.

“I don’t know when we’ll get to use this [company], but we need a lot of these to do our research,” Omanovic tells me. (He asked Fusion not to reveal the name of the company in order to not blow its cover.)

The strange tactic– hacking into an expo in order to come into close proximity with government hackers and monitors– is a regular part of operations at Privacy International, a London-based anti-surveillance advocacy group founded 25 years ago. Omanovic is one of a few activists for the group who goes undercover to collect the surveillance promotional documents.

“At last count we had about 1,400 files,” Matt Rice, PI’s Scottish-born advocacy officer says while sifting through a file cabinet full of the brochures. “[The files] help us understand what these companies are capable of, and what’s being sold around the world,” he says. The brochures vary in scope and claims. Some showcase cell site simulators, commonly called Stingrays, which allow police to intercept cell phone activity within a certain area. Others provide details about Finfisher– surveillance software that is marketed exclusively to governments, which allows officials to put spyware on a target’s home computer or mobile device to watch their Skype calls, Facebook and email activity.

The technology buyers at these conferences are the usual suspects — the Federal Bureau of Investigation (FBI), the UK’s Government Communications Headquarters (GCHQ), and the Australian Secret Intelligence Service– but also representatives of repressive regimes —Bahrain, Sudan, pre-revolutionary Libya– as the group has revealed in attendees lists it has surfaced.

At times, companies’ claims can raise eyebrows. One brochure shows a soldier, draped in fatigues, holding a portable device up to the faces of a somber group of Arabs. “Innocent civilian or insurgent?,” the pamphlet asks.

“Not certain?”

“Our systems are.”

The treasure trove of compiled documents was available as an online database, but PI recently took it offline, saying the website had security vulnerabilities that could have compromised information of anyone who wanted to donate to the organization online. They are building a new one. The group hopes that the exposure of what Western companies are selling to foreign governments will help the organization achieve its larger goal: ending the sale of hardware and software to governments that use it to monitor their populations in ways that violate basic privacy rights.

The group acknowledges that it might seem they are taking an extremist position when it comes to privacy, but “we’re not against surveillance,” Michael Rispoli, head of PI’s communications, tells me. “Governments need to keep people safe, whether it’s from criminals or terrorists or what it may be, but surveillance needs to be done in accordance with human rights, and in accordance with the rule of law.”

The group is waging its fight in courtrooms. In February of last year, it filed a criminal complaint to the UK’s National Cyber Crime Unit of the National Crime Agency, asking it to investigate British technology allegedly used repeatedly by the Ethiopian government to intercept the communications of an Ethiopian national. Even after Tadesse Kersmo applied for– and was granted– asylum in the UK on the basis of being a political refugee, the Ethiopian government kept electronically spying on him, the group says, using technology from British firm Gamma International. The group currently has six lawsuits in action, mostly taking on large, yet opaque surveillance companies and the British government. Gamma International did not respond to Fusion’s request for comment on the lawsuit, which alleges that exporting the software to Ethiopian authorities means the company assisted in illegal electronic spying.

“The irony that he was given refugee status here, while a British company is facilitating intrusions into his basic right to privacy isn’t just ironic, it’s wrong,” Rispoli says. “It’s so obvious that there should be laws in place to prevent it.”

PI says it has uncovered other questionable business relationships between oppressive regimes and technology companies based in other Western countries. An investigative report the group put out a few months ago on surveillance in Central Asia said that British and Swiss companies, along with Israeli and Israeli-American companies with close ties to the Israeli military, are providing surveillance infrastructure and technical support to countries like Turkmenistan and Uzbekistan– some of the worst-ranking countries in the world when it comes to freedom of speech, according to Freedom House. Only North Korea ranks lower than them.

PI says it used confidential sources, whose accounts have been corroborated, to reach those conclusions.

Not only are these companies complicit in human rights violations, the Central Asia report alleges, but they know they are. Fusion reached out to the companies named in the report, NICE Systems (Israel), Verint Israel (U.S./ Israel), Gamma (UK), or Dreamlab (Switzerland), and none have responded to repeated requests for comment.

The report is a “blueprint” for the future of the organization’s output, says Rice, the advocacy officer. “It’s the first time we’ve done something that really looks at the infrastructure, the laws, and putting it all together to get a view on how the system actually works in a country, or even a whole region,” says Rice.

“What we can do is take that [report], and have specific findings and testimonials to present to companies, to different bodies and parliamentarians, and say this is why we need these things addressed,” adds Omanovic, the researcher and fake company designer.

The tactic is starting to show signs of progress, he says. One afternoon, Omanovic was huddled over a table in the back room, taking part in what looked like an intense conference call. “European Commission,” he says afterwards. The Commission has been looking at surveillance exports since it was revealed that Egypt, Tunisia, and Bahrain were using European tech to crack down on protesters during the Arab Spring, he added. Now, PI is consulting with some members, and together they “hope to bring in a regulation specifically on this subject by year’s end.”

***

Privacy International has come a long way from the “sterile bar of an anonymous business hotel in Luxembourg,” where founder Simon Davies, then a lone wolf privacy campaigner, hosted its first meeting with a handful of people 25 years ago. In a blog post commemorating that anniversary, Davies (who left the organization about five years ago) described the general state of privacy advocacy when that first meeting was held:

“Those were strange times. Privacy was an arcane subject that was on very few radar screens. The Internet had barely emerged, digital telephony was just beginning, the NSA was just a conspiracy theory and email was almost non-existent (we called it electronic mail back then). We communicated by fax machines, snail mail – and through actual real face to face meetings that you travelled thousands of miles to attend.”

Immediately, there were disagreements about the scope of issues the organization should focus on, as detailed in the group’s first report, filed in 1991. Some of the group’s 120-odd loosely affiliated members and advisors wanted the organization to focus on small privacy flare-ups; others wanted it to take on huge, international privacy policies, from “transborder data flows” to medical research. Disputes arose as to what “privacy” actually meant at the time. It took years for the group to narrow down the scope of its mandate to something manageable and coherent.

Gus Hosein, current executive director, describes the 90’s as a time when the organization “just knew that it was fighting against something.” He became part of the loose collective in 1996, three days after moving to the UK from New Haven, Connecticut, thanks to a chance encounter with Davies at the London Economics School. For the first thirteen years he worked with PI, he says, the group’s headquarters was the school pub.

They were fighting then some of the same battles that are back in the news cycle today, such as the U.S. government wanting to ban encryption, calling it a tool for criminals to hide their communications from law enforcement. “[We were] fighting against the Clinton Administration and its cryptography policy, fighting against new intersections of law, or proposals in countries X, Y and Z, and almost every day you would find something to fight around,” he says.

Just as privacy issues stemming from the dot com boom were starting to stabilize, 9/11 happened. That’s when Hosein says “the shit hit the fan.”

In the immediate wake of that tragedy, Washington pushed through the Patriot Act and the Aviation and Transportation Security Act, setting an international precedent of invasive pat-downs and extensive monitoring in the name of anti-terrorism. Hosein, being an American, followed the laws closely, and the group started issuing criticism of what it considered unreasonable searches. In the UK, a public debate about issuing national identification cards sprung up. PI fought it vehemently.

“All of a sudden we’re being called upon to respond to core policy-making in Western governments, so whereas policy and surveillance were often left to some tech expert within the Department of Justice or whatever, now it had gone to mainstream policy,” he says. “We were overwhelmed because we were still just a ragtag bunch of people trying to fight fights without funding, and we were taking on the might of the executive arm of government.”

The era was marked by a collective struggle to catch up. “I don’t think anyone had any real successes in that era,” Hosein says.

But around 2008, the group’s advocacy work in India, Thailand and the Philippines started to gain the attention of donors, and the team decided it was time to organize. The three staff members then started the formal process of becoming a charity, after being registered as a corporation for ten years. By the time it got its first office in 2011 (around the time its founder, Davies, walked away to pursue other ventures) the Arab Spring was dominating international headlines.

“With the Arab Spring and the rise of attention to human rights and technology, that’s when PI actually started to realize our vision, and become an organization that could grow,” Hosein says. “Four years ago we had three employees, and now we have 16 people,” he says with a hint of pride.

***

“This is a real vindication for [Edward] Snowden,” Eric King, PI’s deputy director says about one of the organization’s recent legal victories over the UK’s foremost digital spy agency, known as the Government Communications Headquarters or GCHQ.

PI used the documents made public by Snowden to get the British court that oversees GCHQ to determine that all intelligence sharing between GCHQ and the National Security Administration (NSA) was illegal up until December 2014. Ironically, the court went on to say that the sharing was only illegal because of lack of public disclosure of the program. Now that details of the program were made public thanks to the lawsuit, the court said, the operation is now legal and GCHQ can keep doing what it was doing.

“It’s like they’re creating the law on the fly,” King says. “[The UK government] is knowingly breaking the law and then retroactively justifying themselves. Even though we got the court to admit this whole program was illegal, the things they’re saying now are wholly inadequate to protect our privacy in this country.”

Nevertheless, it was a “highly significant ruling,” says Elizabeth Knight, Legal Director of fellow UK-based civil liberties organization Open Rights Group. “It was the first time the [courts have] found the UK’s intelligence services to be in breach of human rights law,” she says. “The ruling is a welcome first step towards demonstrating that the UK government’s surveillance practices breach human rights law.”

In an email, a GCHQ spokesperson downplayed the significance of the ruling, saying that PI only won the case in one respect: on a “transparency issue,” rather than on the substance of the data sharing program. “The rulings re-affirm that the processes and safeguards within these regimes were fully adequate at all times, so we have not therefore needed to make any changes to policy or practice as a result of the judgement,” the spokesperson says.

Before coming on board four years ago, King, a 25-year old Wales native, worked at Reprieve, a non-profit that provides legal support to prisoners. Some of its clients are at Guantanamo Bay and other off-the-grid prisons, something that made him mindful of security concerns when the group was communicating with clients. King worried that every time he made a call to his clients, they were being monitored. “No one could answer those questions, and that’s what got me going on this,” says King.

Right now, he tells me, most of the group’s legal actions have to do with fighting the “Five Eyes”– the nickname given to the intertwined intelligence networks of the UK, Canada, the US, Australia and New Zealand. One of the campaigns, stemming from the lawsuit against GCHQ that established a need for transparency, is asking GCHQ to confirm if the agency illegally collected information about the people who signed a “Did the GCHQ Illegally Spy On You?” petition. So far, 10,000 people have signed up to be told whether their communications or online activity were collected by the UK spy agency when it conducted mass surveillance of the Internet. If a court actually forces GCHQ to confirm whether those individuals were spied on, PI will then ask that all retrieved data be deleted from the database.

“It’s such an important campaign not only because people have the right to know, but it’s going to bring it home to people and politicians that regular, everyday people are caught up in this international scandal,” King says. “You don’t even have to be British to be caught up in it. People all over the world are being tracked in that program.”

Eerke Boiten, a senior lecturer at the interdisciplinary Cyber Security Centre at the University of Kent, says that considering recent legal victories, he can’t write off the effort, even if he would have dismissed it just a year ago.

“We have now finally seen some breakthroughs in transparency in response to Snowden, and the sense that intelligence oversight needs an overhaul is increasing,” he wrote in an email to me. “So although the [British government] will do its best to shore up the GCHQ legal position to ensure it doesn’t need to respond to this, their job will be harder than before.”

“Privacy International have a recent record of pushing the right legal buttons,” he says. “They may win again.”

A GCHQ spokesperson says that the agency will “of course comply with any direction or order” a court might give it, stemming from the campaign.

King is also the head of PI’s research arm– organizing in-depth investigations into national surveillance ecosystems, in tandem with partner groups in countries around the world. The partners hail from places as disparate as Kenya and Mexico. One recently released report features testimonials from people who reported being heavily surveilled in Morocco. Another coming out of Colombia will be more of an “exposé,” with previously unreported details on surveillance in that country, he says.

And then there’s the stuff that King pioneered: the method of sneaking into industry conferences by using a shadow company. He developed the technique Omanovic is using. King can’t go to the conferences undercover anymore because his face is now too well known. When asked why he started sneaking into the shows, he says: “Law enforcement doesn’t like talking about [surveillance]. Governments don’t talk about it. And for the most part our engagement with companies is limited to when we sue them,” he laughs.

When it comes to the surveillance field, you would be hard pressed to find a company that does exactly what it says it does, King tells me. So when he or someone else at PI sets up a fake company, they expect to get about as much scrutiny as the next ambiguous, potentially official organization that lines up behind them.

Collectively, PI has been blacklisted and been led out of a few conferences over the past four years they have been doing this, he estimates.

“If we have to navigate some spooky places to get what we need, then that’s what we’ll do,” he says. Sometimes you have to walk through a dark room to turn on a light. Privacy International sees a world with a lot of dark rooms.

“Being shadowy is acceptable in this world.”

Check out the related New York Times coverage and original Citizen Lab report.

No arrest yet but the good news is that the US and Europe have, via the FBI and Europol’s European Cybercrime Center, dismantled on Wednesday a network of as many as 12,000 computers that cyber-criminals used to elude security firms and law enforcement agencies for some years. Check out the video clip and Bloomberg article below.

Meanwhile, recall yesterday’s blog on data breach and the 22 countries where stolen data were most frequently accessed.

Police Shut Europe Computer Network Enabling Theft, Extortion

by Cornelius RahnChris Strohm

European and U.S. police shut down a computer network on Wednesday used by cybercriminals to facilitate the theft of banking passwords and extortion which had eluded security companies and law enforcement for years.

Agents of the U.S. Federal Bureau of Investigation and the European Cybercrime Center seized servers across Europe that had been responsible for spreading malware on thousands of mainly U.S.-based victim computers, said Raj Samani, chief technology officer for Intel Corp.’s security unit in the region, which helped prepare the takedown.

Governments are responding to increasing frequency and impact of online attacks by setting up dedicated cybercrime units and working with security-software companies to weed out threats before more damage is done. The network functioned as a portal offered by criminals to others seeking to spread their own malware, according to Paul Gillen, head of operations at Europol’s European Cybercrime Centre.

“If that carried on in earnest, it had great potential from a criminal perspective,” Gillen said. “People set up infrastructure like that and rent it out to others, saying ‘here are a lot of infected computers so you can upload all your banking malware or other things on them.’”

FBI and Europol said there had been no arrests yet as it was too early to say who the perpetrators were, or what damage the malware had caused. Police will now sift through the data gained from the seized machines before notifying victims and determining the culprits, according to Gillen.

The malicious code, labeled W32/Worm-AAEH, was first detected in 2009 but was difficult to weed out because it changed its shape as many as six times a day, Intel’s Samani said. The worm had evolved capabilities such as shutting down connections with servers from antivirus companies and disabling tools that could terminate it, he said.

Even after the control servers are no longer available to the criminals to morph existing pieces of malware, users must still clean up their machines. Computer owners can stop the software’s core function by setting rules that prevent new software from running automatically and shutting certain ports, Intel said.

Here’s an interesting experiment (below) on where did those stolen data go after a data breach.

The list of those 22 countries where the (fake) sensitive data were accessed is noteworthy, especially if one falls under your jurisdiction – mine in the list…

What happens to data after a breach?

Posted on 07 April 2015.

Bitglass undertook an experiment geared towards understanding what happens to sensitive data once it has been stolen. In the experiment, stolen data traveled the globe, landing in five different continents and 22 countries within two weeks.

Overall, the data was viewed more than 1,000 times and downloaded 47 times; some activity had connections to crime syndicates in Nigeria and Russia.

Threat researcher programmatically synthesized 1,568 fake names, social security numbers, credit card numbers, addresses and phone numbers that were saved in an Excel spreadsheet. The spreadsheet was then transmitted through the Bitglass proxy, which automatically watermarked the file.

Each time the file is opened, the persistent watermark, which survives copy, paste and other file manipulations, “calls home” to record view information such as IP address, geographic location and device type. Finally, the spreadsheet was posted anonymously to cyber-crime marketplaces on the Dark Web.

The experiment offers insight into how stolen records from data breaches are shared, bought and then sold on the black market. During the experiment, crime syndicates in Nigeria and Russia emerged via clusters of closely-related activity. Traffic patterns indicate the fake data was shared among members of the syndicates to vet its validity and subsequently shared elsewhere on the Dark Web, beyond the original drop sites.

In 2014, 783 data breaches were reported, which represents a 27.5 percent spike over the previous year. Data breaches continue to spike in 2015 – as of March 20, 174 breaches, affecting nearly 100 million customer records were reported. While many are suffering from data-breach fatigue, this experiment sheds light on how cybercriminals interact with pilfered data and thus helps enterprises understand why visibility is critical when it comes to limiting the damage of breaches.

The falsified data was placed on Dropbox as well as on seven Dark Web sites believed to be frequented by cybercriminals. The result of the experiment found that within 12 days the data was:

– Accessed from five continents – North America, Asia, Europe, Africa and South America

– Accessed from 22 countries – United States, Brazil, Belgium, Nigeria, Hong Kong, Spain, Germany, the United Kingdom, France, Sweden, Finland, the Maldives, New Zealand, Canada, Norway, the Russian Federation, the Netherlands, the Czech Republic, Denmark, Italy, Turkey

– Accessed most often from Nigeria, Russia and Brazil

– Viewed 1,081 times, with 47 unique downloads.

Photo (above) credit: http://www.freakingnews.com

Here’s a breaking news (below) from the CNN:

How the U.S. thinks Russians hacked the White House

By Evan Perez and Shimon Prokupecz, CNN
Updated 0037 GMT (0737 HKT) April 8, 2015

Washington (CNN)Russian hackers behind the damaging cyber intrusion of the State Department in recent months used that perch to penetrate sensitive parts of the White House computer system, according to U.S. officials briefed on the investigation.

While the White House has said the breach only affected an unclassified system, that description belies the seriousness of the intrusion. The hackers had access to sensitive information such as real-time non-public details of the president’s schedule. While such information is not classified, it is still highly sensitive and prized by foreign intelligence agencies, U.S. officials say.

The White House in October said it noticed suspicious activity in the unclassified network that serves the executive office of the president. The system has been shut down periodically to allow for security upgrades.

The FBI, Secret Service and U.S. intelligence agencies are all involved in investigating the breach, which they consider among the most sophisticated attacks ever launched against U.S. government systems. ​The intrusion was routed through computers around the world, as hackers often do to hide their tracks, but investigators found tell-tale codes and other markers that they believe point to hackers working for the Russian government.

National Security Council spokesman Mark Stroh didn’t confirm the Russian hack, but he did say that “any such activity is something we take very seriously.”

“In this case, as we made clear at the time, we took immediate measures to evaluate and mitigate the activity,” he said. “As has been our position, we are not going to comment on [this] article’s attribution to specific actors.”

Neither the U.S. State Department nor the Russian Embassy immediately responded to a request for comment.

Ben Rhodes, President Barack Obama’s deputy national security adviser, said the White House’s use of a separate system for classified information protected sensitive national security-related items from being obtained by hackers.

“We do not believe that our classified systems were compromised,” Rhodes told CNN’s Wolf Blitzer on Tuesday.

“We’re constantly updating our security measures on our unclassified system, but we’re frankly told to act as if we need not put information that’s sensitive on that system,” he said. “In other words, if you’re going to do something classified, you have to do it on one email system, one phone system. Frankly, you have to act as if information could be compromised if it’s not on the classified system.”

To get to the White House, the hackers first broke into the State Department, investigators believe.

The State Department computer system has been bedeviled by signs that despite efforts to lock them out, the Russian hackers have been able to reenter the system. One official says the Russian hackers have “owned” the State Department system for months and it is not clear the hackers have been fully eradicated from the system.

As in many hacks, investigators believe the White House intrusion began with a phishing email that was launched using a State Department email account that the hackers had taken over, according to the U.S. officials.

Director of National Intelligence James Clapper, in a speech at an FBI cyberconference in January, warned government officials and private businesses to teach employees what “spear phishing” looks like.

“So many times, the Chinese and others get access to our systems just by pretending to be someone else and then asking for access, and someone gives it to them,” Clapper said.

The ferocity of the Russian intrusions in recent months caught U.S. officials by surprise, leading to a reassessment of the cybersecurity threat as the U.S. and Russia increasingly confront each other over issues ranging from the Russian aggression in Ukraine to the U.S. military operations in Syria.

The attacks on the State and White House systems is one reason why Clapper told a Senate hearing in February that the “Russian cyberthreat is more severe than we have previously assessed.”

The revelations about the State Department hacks also come amid controversy over former Secretary of State Hillary Clinton’s use of a private email server to conduct government business during her time in office. Critics say her private server likely was even less safe than the State system. The Russian breach is believed to have come after Clinton departed State.

But hackers have long made Clinton and her associates targets.

The website The Smoking Gun first reported in 2013 that a hacker known as Guccifer had broken into the AOL email of Sidney Blumenthal, a friend and advisor to the Clintons, and published emails Blumenthal sent to Hillary Clinton’s private account. The emails included sensitive memos on foreign policy issues and were the first public revelation of the existence of Hillary Clinton’s private email address​ now at the center of controversy: hdr22@clintonemail.com. The address is no longer in use.

Wesley Bruer contributed to this report

Have to feel sorry for Snowden here…

Here’s an exclusive story (below) from Al Jazeera neither Google nor the NSA wants you to know.

Exclusive: Emails reveal close Google relationship with NSA

National Security Agency head and Internet giant’s executives have coordinated through high-level policy discussions

May 6, 2014 5:00AM ET
by Jason Leopold

Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying.

Disclosures by former NSA contractor Edward Snowden about the agency’s vast capability for spying on Americans’ electronic communications prompted a number of tech executives whose firms cooperated with the government to insist they had done so only when compelled by a court of law.

But Al Jazeera has obtained two sets of email communications dating from a year before Snowden became a household name that suggest not all cooperation was under pressure.

On the morning of June 28, 2012, an email from Alexander invited Schmidt to attend a four-hour-long “classified threat briefing” on Aug. 8 at a “secure facility in proximity to the San Jose, CA airport.”

“The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” Alexander wrote in the email, obtained under a Freedom of Information Act (FOIA) request, the first of dozens of communications between the NSA chief and Silicon Valley executives that the agency plans to turn over.

Alexander, Schmidt and other industry executives met earlier in the month, according to the email. But Alexander wanted another meeting with Schmidt and “a small group of CEOs” later that summer because the government needed Silicon Valley’s help.

“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”

Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said she believes information sharing between industry and the government is “absolutely essential” but “at the same time, there is some risk to user privacy and to user security from the way the vulnerability disclosure is done.”

The challenge facing government and industry was to enhance security without compromising privacy, Granick said. The emails between Alexander and Google executives, she said, show “how informal information sharing has been happening within this vacuum where there hasn’t been a known, transparent, concrete, established methodology for getting security information into the right hands.”

The classified briefing cited by Alexander was part of a secretive government initiative known as the Enduring Security Framework (ESF), and his email provides some rare information about what the ESF entails, the identities of some participant tech firms and the threats they discussed.

Alexander explained that the deputy secretaries of the Department of Defense, Homeland Security and “18 US CEOs” launched the ESF in 2009 to “coordinate government/industry actions on important (generally classified) security issues that couldn’t be solved by individual actors alone.”

“For example, over the last 18 months, we (primarily Intel, AMD [Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on the industry side) completed an effort to secure the BIOS of enterprise platforms to address a threat in that area.”

“BIOS” is an acronym for “basic input/output system,” the system software that initializes the hardware in a personal computer before the operating system starts up. NSA cyberdefense chief Debora Plunkett in December disclosed that the agency had thwarted a “BIOS plot” by a “nation-state,” identified as China, to brick U.S. computers. That plot, she said, could have destroyed the U.S. economy. “60 Minutes,” which broke the story, reported that the NSA worked with unnamed “computer manufacturers” to address the BIOS software vulnerability.

But some cybersecurity experts questioned the scenario outlined by Plunkett.

“There is probably some real event behind this, but it’s hard to tell, because we don’t have any details,” wrote Robert Graham, CEO of the penetration-testing firm Errata Security in Atlanta, on his blog in December. “It”s completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.”

And by enlisting the NSA to shore up their defenses, those companies may have made themselves more vulnerable to the agency’s efforts to breach them for surveillance purposes.

“I think the public should be concerned about whether the NSA was really making its best efforts, as the emails claim, to help secure enterprise BIOS and mobile devices and not holding the best vulnerabilities close to their chest,” said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation’s digital civil liberties team.

He doesn’t doubt that the NSA was trying to secure enterprise BIOS, but he suggested that the agency, for its own purposes, was “looking for weaknesses in the exact same products they’re trying to secure.”

The NSA “has no business helping Google secure its facilities from the Chinese and at the same time hacking in through the back doors and tapping the fiber connections between Google base centers,” Cardozo said. “The fact that it’s the same agency doing both of those things is in obvious contradiction and ridiculous.” He recommended dividing offensive and defensive functions between two agencies.

Two weeks after the “60 Minutes” broadcast, the German magazine Der Spiegel, citing documents obtained by Snowden, reported that the NSA inserted back doors into BIOS, doing exactly what Plunkett accused a nation-state of doing during her interview.

Google’s Schmidt was unable to attend to the mobility security meeting in San Jose in August 2012.

“General Keith.. so great to see you.. !” Schmidt wrote. “I’m unlikely to be in California that week so I’m sorry I can’t attend (will be on the east coast). Would love to see you another time. Thank you !” Since the Snowden disclosures, Schmidt has been critical of the NSA and said its surveillance programs may be illegal.

Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, did attend that briefing. Foreign Policy reported a month later that Dempsey and other government officials — no mention of Alexander — were in Silicon Valley “picking the brains of leaders throughout the valley and discussing the need to quickly share information on cyber threats.” Foreign Policy noted that the Silicon Valley executives in attendance belonged to the ESF. The story did not say mobility threats and security was the top agenda item along with a classified threat briefing.

A week after the gathering, Dempsey said during a Pentagon press briefing, “I was in Silicon Valley recently, for about a week, to discuss vulnerabilities and opportunities in cyber with industry leaders … They agreed — we all agreed on the need to share threat information at network speed.”

Google co-founder Sergey Brin attended previous meetings of the ESF group but because of a scheduling conflict, according to Alexander’s email, he also could not attend the Aug. 8 briefing in San Jose, and it’s unknown if someone else from Google was sent.

A few months earlier, Alexander had emailed Brin to thank him for Google’s participation in the ESF.

“I see ESF’s work as critical to the nation’s progress against the threat in cyberspace and really appreciate Vint Cerf [Google’s vice president and chief Internet evangelist], Eric Grosse [vice president of security engineering] and Adrian Ludwig’s [lead engineer for Android security] contributions to these efforts during the past year,” Alexander wrote in a Jan. 13, 2012, email.

“You recently received an invitation to the ESF Executive Steering Group meeting, which will be held on January 19, 2012. The meeting is an opportunity to recognize our 2012 accomplishments and set direction for the year to come. We will be discussing ESF’s goals and specific targets for 2012. We will also discuss some of the threats we see and what we are doing to mitigate those threats … Your insights, as a key member of the Defense Industrial Base, are valuable to ensure ESF’s efforts have measurable impact.”

A Google representative declined to answer specific questions about Brin’s and Schmidt’s relationship with Alexander or about Google’s work with the government.

“We work really hard to protect our users from cyberattacks, and we always talk to experts — including in the U.S. government — so we stay ahead of the game,” the representative said in a statement to Al Jazeera. “It’s why Sergey attended this NSA conference.”

Brin responded to Alexander the following day even though the head of the NSA didn’t use the appropriate email address when contacting the co-chairman.

“Hi Keith, looking forward to seeing you next week. FYI, my best email address to use is [redacted],” Brin wrote. “The one your email went to — sergey.brin@google.com — I don’t really check.”

Kudos to Google which made the right, prompt and decisive move to protect the security and authenticity of the entire internet ecosystem.

The setup of the security certificates like HTTPS (Hyper Text Transfer Protocol Secure – a more secure version of the original HTTP protocol and usually used to secure e-commerce transactions like online banking, email applications and e-commerce checkout areas) have been based on a system of trust placed on the issuers of those certificates. It takes just one breach to break down the entire system and China….. well, you know the rest of the story – Check out the video clip and TechDirt article below.

Google Completely Cuts Off Chinese Government’s Certificate Authority, CNNIC

from the wow dept

As you may have heard, last week, Google warned about an unauthorized HTTPS certificate being issued via CNNIC (China Internet Network Information Center — which basically manages the Chinese internet, handling domain registration, security certificates and more). CNNIC blamed an Egyptian firm MCS Holdings, saying it had allowed MCS to issue security certificates for domains it had registered, but MCS had abused that power to issue bogus certificates.

Late on Wednesday, Google added a somewhat surprising update to its blog post about the matter, announcing that it was cutting off CNNIC certificates going forward:

As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.

This is a pretty big deal, but the right move for Google to make. It’s well known that the whole setup of security certificates is based on how much you trust the issuers of the certificates. If you can’t trust the certificate authorities the whole system breaks down. This has long been a problem that is going to require a very different security model in the future. But, while we still have that system, it’s of absolute importance that any breach of trust needs to be dealt with severely.

Was that a brainfart?

President Barack Obama signed an executive order Wednesday that permits the US to impose economic sanctions on individuals and entities anywhere in the world for destructive cyber-crimes and online corporate espionage – see the Bloomberg article below.

Now what’s this about? An all-out effort on cyber-criminals or just plain window dressing?

For all their abilities to trace the attacks right down to the identities of the hackers, have the US authorities been able to do anything? Recall the Mandiant Report two years ago that allegedly traced Chinese hackers down to the very unit of a military base in Shanghai?

Recall also the five Chinese military hackers (above) on the FBI wanted list last year? Where has that led to (see video clip below)? And what about the alleged North Korean hacks on Sony Pictures?

With all good intent and seriousness to go on the offensive, Obama has yet to put his words into action on this front…

Hackers, Corporate Spies Targeted by Obama Sanctions Order

by Justin SinkChris Strohm

President Barack Obama signed an executive order Wednesday allowing the use of economic sanctions for the first time against perpetrators of destructive cyber-attacks and online corporate espionage.

That will let the Treasury Department freeze the assets of people, companies or other entities overseas identified as the source of cybercrimes. The federal government also will be able to bar U.S. citizens and companies from doing business with those targeted for sanctions.

“Cyberthreats pose one of the most serious economic and national security challenges to the United States,” Obama said in a statement. “As we have seen in recent months, these threats can emanate from a range of sources and target our critical infrastructure, our companies and our citizens.”

Under the order, sanctions only will be used if a cyber-attack threatens to harm U.S. national security, foreign policy or the broader economy. It’s aimed at cybercriminals who target critical infrastructure, disrupt major computer networks, or are involved in the “significant” theft of trade secrets or intellectual property for competitive advantage or private financial gain.

Data Breaches

The administration is using the threat of sanctions to help prevent large-scale data theft after breaches at major U.S. corporations, including retailer Target Corp., health-insurer Anthem Inc. and home-improvement chain Home Depot Inc. It’s also a recognition that companies are facing increasingly destructive attacks, such as the hack against Sony Pictures Entertainment that crippled thousands of computers and delayed release of a comedy movie.

Sanctions imposed under the executive order will help disrupt the operations of hackers who may be in countries outside the reach of U.S. law enforcement, John Carlin, U.S. assistant attorney general for national security, said in a phone interview.

Banks and other companies connected to the U.S. financial system will be required to prohibit sanctioned hackers and entities from using their services, cutting them off from valuable resources, Carlin said.

“It’s a new powerful tool and we intend do to use it,” Carlin said. “It has the capability to significantly raise the cost for those who steal or benefit through cybercrime.”

Transcends Borders

The unique aspect of the executive order is that it allows the U.S. to impose sanctions on individuals or entities over hacking attacks regardless of where they are located, White House Cybersecurity Coordinator Michael Daniel told reporters on a conference call. While other sanctions are tied to a particular country or group of persons, hacking attacks transcend borders.

“What sets this executive order apart is that it is focused on malicious cyber-activity,” Daniel said. “What we’re trying to do is enable us to have a new way of both deterring and imposing costs on malicious cyber-actors wherever they may be.”

The order is a signal of the administration’s “clear intent to go on offense against the full range of very serious cyberthreats that are out there,” said Peter Harrell, the former principal deputy assistant secretary for sanctions at the State Department.

“This is a message that if folks around the world don’t cut out these activities, they’re going to find themselves cut off from the American banking system,” Harrell said in an interview.

Hidden Identities

Harrell said there are potential stumbling blocks to effective implementation. For one, hackers work hard to conceal their identity. Even though the U.S. and private companies have improved their ability to trace attacks, attribution can sometimes be difficult.

Daniel acknowledged that determining who is actually behind hacking attacks is still a challenge but said the U.S. is getting better at it.

In other cases, diplomatic considerations may be at play. The administration’s decision in 2014 to file criminal charges against five members of the Chinese military over their role in cyber-espionage strained relations with Beijing.

In January, Obama authorized economic sanctions against 10 North Korean officials and government entities in connection with the Sony attack. The North Korean government has denied any involvement in the Sony case.

Overseas Governments

Harrell said the use of sanctions can provide leverage as the U.S. registers complaints with governments overseas about cyber-attacks. Targeted use of the new sanctions powers also may help deter criminals.

“A number of these cyber-attacks are organized by fairly significant actors out there — large hacking collectives, or organized by foreign intelligence agencies,” Harrell said. “They all have real potential costs if they were put on sanctions lists.”

The Obama administration has been under pressure to take action to help companies protect their networks from cyber-attacks. In early March, Premera Blue Cross announced that hackers may have accessed 11 million records, including customer Social Security numbers, bank account data and medical information.

Home Depot in September said 56 million payment cards and 53 million e-mail addresses had been stolen by hackers. And just days earlier, JPMorgan Chase & Co. announced a data breach affecting 76 million households and 7 million small businesses.

The highest-profile breach, however, may have been the hacking of Sony Pictures. The U.S. government said North Korean hackers broke into the studio’s network and then exposed e-mails and private employment and salary records. U.S. authorities said it was in retaliation for plans to release “The Interview,” a satirical film depicting the assassination of leader Kim Jong Un.

Continuing on the Facebook topic again, check out the video clip and the exclusive Guardian article below:

Facebook ‘tracks all visitors, breaching EU law’

Exclusive: People without Facebook accounts, logged out users, and EU users who have explicitly opted out of tracking are all being tracked, report says

Facebook tracks the web browsing of everyone who visits a page on its site even if the user does not have an account or has explicitly opted out of tracking in the EU, extensive research commissioned by the Belgian data protection agency has revealed.

The report, from researchers at the Centre of Interdisciplinary Law and ICT (ICRI) and the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at Vrije Universiteit Brussels, was commissioned after an original draft report revealed Facebook’s privacy policy breaches European law.

The researchers now claim that Facebook tracks computers of users without their consent, whether they are logged in to Facebook or not, and even if they are not registered users of the site or explicitly opt out in Europe. Facebook tracks users in order to target advertising.

The issue revolves around Facebook’s use of its social plugins such as the “Like” button, which has been placed on more than 13m sites including health and government sites.

Facebook places tracking cookies on users’ computers if they visit any page on the facebook.com domain, including fan pages or other pages that do not require a Facebook account to visit.

When a user visits a third-party site that carries one of Facebook’s social plug-ins, it detects and sends the tracking cookies back to Facebook – even if the user does not interact with the Like button, Facebook Login or other extension of the social media site.

EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (“criterion A”) or to deliver a service specifically requested by the user (“criterion B”).

The same law requires websites to notify users on their first visit to a site that it uses cookies, requesting consent to do so.

A cookie is a small file placed on a user’s computer by a website that stores settings, previous activities and other small amounts of information needed by the site. They are sent to the site on each visit and can therefore be used to identify a user’s computer and track their movements across the web.

“We collect information when you visit or use third-party websites and apps that use our services. This includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” states Facebook’s data usage policy, which was updated this year.

Facebook’s tracking practices have ‘no legal basis’

An opinion published by Article 29, the pan-European data regulator working party, in 2012 stated that unless delivering a service specifically requested by the user, social plug-ins must have consent before placing a cookie. “Since by definition social plug-ins are destined to members of a particular social network, they are not of any use for non-members, and therefore do not match ‘criterion B’ for those users.”

The same applies for users of Facebook who are logged out at the time, while logged-in users should only be served a “session cookie” that expires when the user logs out or closes their browser, according to Article 29.

The Article 29 working party has also said that cookies set for “security purposes” can only fall under the consent exemptions if they are essential for a service explicitly requested by the user – not general security of the service.

Facebook’s cookie policy updated this year states that the company still uses cookies if users do not have a Facebook account, or are logged out, to “enable us to deliver, select, evaluate, measure and understand the ads we serve on and off Facebook”.

The social network tracks its users for advertising purposes across non-Facebook sites by default. Users can opt out of ad tracking, but an opt-out mechanism “is not an adequate mechanism to obtain average users informed consent”, according to Article 29.

“European legislation is really quite clear on this point. To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in,” explained Brendan Van Alsenoy, a researcher at ICRI and one of the report’s author.

“Facebook cannot rely on users’ inaction (ie not opting out through a third-party website) to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices.”

Opt-out mechanism actually enables tracking for the non-tracked

The researchers also analysed the opt-out mechanism used by Facebook and many other internet companies including Google and Microsoft.

Users wanting to opt out of behavioural tracking are directed to sites run by the Digital Advertising Alliance in the US, Digital Advertising Alliance of Canada in Canada or the European Digital Advertising Alliance in the EU, each of which allow bulk opting-out from 100 companies.

But the researchers discovered that far from opting out of tracking, Facebook places a new cookie on the computers of users who have not been tracked before.

“If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years,” explained Günes Acar from Cosic, who also co-wrote the report. “What’s more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users.”

The finding was confirmed by Steven Englehardt, a researcher at Princeton University’s department of computer science who was not involved in the report: “I started with a fresh browsing session and received an additional ‘datr’ cookie that appears capable of uniquely identifying users on the UK version of the European opt-out site. This cookie was not present during repeat tests with a fresh session on the US or Canadian version.”

Facebook sets an opt-out cookie on all the opt-out sites, but this cookie cannot be used for tracking individuals since it does not contain a unique identifier. Why Facebook places the “datr” cookie on computers of EU users who opt out is unknown.

‘Privacy-friendly’ design

For users worried about tracking, third-party browser add-ons that block tracking are available, says Acar: “Examples include Privacy Badger, Ghostery and Disconnect. Privacy Badger replaces social plug-ins with privacy preserving counterparts so that users can still use social plug-ins, but not be tracked until they actually click on them.

“We argue that it is the legal duty of Facebook to design its services and components in a privacy-friendly way,” Van Alsenoy added. “This means designing social plug-ins in such a way that information about individual’s personal browsing activities outside of Facebook are not unnecessarily exposed.”

Facebook is being investigated by the Dutch data protection authority, which asked the social network to delay rollout of its new privacy policy, and is being probed by the Article 29 working party.

A Facebook spokesperson said: “This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”

“Earlier this year we updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws including EU law.”

Van Alsenoy and Acar, authors of the study, told the Guardian: “We welcome comments via the contact email address listed within the report. Several people have already reached out to provide suggestions and ideas, which we really appreciate.”

“To date, we have not been contacted by Facebook directly nor have we received any meeting request. We’re not surprised that Facebook holds a different opinion as to what European data protection laws require. But if Facebook feels today’s releases contain factual errors, we’re happy to receive any specific remarks it would like to make.”