Archive for the ‘Government’ Category

Defeat FBI Video Booby-Trap

Wednesday, August 9th, 2017

Joseph Cox details “…deanonymizing people in a targeted way using novel or unorthodox law enforcement techniques…” in The FBI Booby-Trapped a Video to Catch a Suspected Tor Sextortionist.

Not an attack on Tor per se, but it defeated the use of Tor nonetheless.

Can you spot the suspect’s error?

From the complaint:


F. Law Enforcement Identifies “Brian Kil’s” True IP Address

51. On June 9, 2017, the Honorable Debra McVicker Lynch authorized the execution of a Network Investigative Technique “NIT” (defined in Clause No. 1:17-mj-437) in order to ascertain the IP address associated with Brian Kil and Victim 2.

52. As set forth in the search warrant application presented to Judge Lynch, the FBI was authorized by the Court to add a small piece of code (NIT) to a normal video file produced by Victim 2, which did not contain any visual depictions of any minor engaged in sexually explicit activity. As authorized, the FBI then uploaded the video file containing the NIT to the Dropbox.com account known only to Kil and Victim 2. When Kil viewed the video containing the NIT on a computer, the NIT would disclose the true IP address associated with the computer used by Kil.

57. When Kil viewed the video containing the NIT on a computer the NIT disclosed the true IP address associated with the computer used by Kil.

Where did “Kil’s” opsec fail?

“Kil” viewed content of unknown origin on a networked computer.

“Kil” thought the content originated with Victim 2, but all remote content on the Internet should be treated as being of unknown origin.

No one knows if you are a dog on the Internet just as you don’t know if the FBI sent the video you are playing.

Content of unknown origin is examined and stays on non-networked computers. Copy text only to networked systems. If you need the original content, well, you have been warned.

You can see the full complaint at:
https://assets.documentcloud.org/documents/3914871/Hernandez-NIT-Complaint.pdf

Best practice: Remote content, even if from known source, is of unknown origin. (A comrade may have made the document, video, image, but government agents intercepted and infected it.)
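A triage check in the spirit of the rule above, added here as an example (it is not code from the post or from the complaint, and it says nothing about how the NIT itself worked): on the isolated machine, scan a downloaded media file for embedded network references before deciding whether it may be copied to a networked one. The scheme list and the three sample byte strings are constructed for the example; a file that references any remote host is simply kept on the isolated box.

```python
import re

# Schemes that indicate a media file may reach out to a remote host when played.
# Constructed list for this example, not a complete catalogue of callout schemes.
SCHEMES = ("https", "http", "rtsp", "rtmp", "mms", "ftp")

# One pattern compiled twice: for raw bytes (ASCII strings) and for text
# recovered from UTF-16LE, the encoding ASF/WMV metadata uses for strings.
_PATTERN = r"(?:%s)://[\x21-\x7e]{1,200}" % "|".join(SCHEMES)
_URL_BYTES = re.compile(_PATTERN.encode("ascii"), re.IGNORECASE)
_URL_TEXT = re.compile(_PATTERN, re.IGNORECASE)


def find_network_references(data: bytes) -> list:
    """Return the sorted, de-duplicated URL-like strings embedded in data."""
    hits = set()
    for m in _URL_BYTES.finditer(data):
        hits.add(m.group(0).decode("ascii"))
    # UTF-16LE interleaves NUL bytes, which hides a URL from the byte scan,
    # so decode at both possible alignments and scan the recovered text too.
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        for m in _URL_TEXT.finditer(text):
            hits.add(m.group(0))
    return sorted(hits)


def clear_for_networked_host(data: bytes) -> dict:
    """Policy decision: only a file with no embedded network references may
    leave the isolated machine as-is; anything else stays there."""
    refs = find_network_references(data)
    return {"cleared": not refs, "references": refs}


# Constructed sample inputs (not real files): a chunk with no references,
# an HLS-style playlist carrying an ASCII URL, and a blob carrying a
# UTF-16LE URL of the kind a WMV/ASF header can hold.
SAMPLE_CLEAN = b"RIFF\x00\x10\x00\x00AVI LIST" + bytes(range(256))
SAMPLE_ASCII_URL = (
    b"#EXTM3U\n#EXT-X-STREAM-INF:BANDWIDTH=1280000\n"
    b"https://cdn.example.invalid/live.m3u8\n"
)
SAMPLE_UTF16_URL = (
    b"\x30\x26\xb2\x75" + b"\x00" * 16
    + "http://beacon.example.invalid/clip.wmv".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN),
                       ("ascii", SAMPLE_ASCII_URL),
                       ("utf16", SAMPLE_UTF16_URL)):
        print(name, clear_for_networked_host(blob))
```

The UTF-16 pass is the part worth keeping: an ASCII-only `strings`-style scan walks straight past a URL stored as `h\0t\0t\0p\0`, which is exactly how Windows media metadata stores it.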

PS: I’m no fan of sextortionists but I am concerned about the use of “booby-trapped” videos against political activists. (Makes you wonder about “jihadist” videos on YouTube doesn’t it?)

Open Source Safe Cracking Robots

Wednesday, August 9th, 2017

Live, robotic, safe cracking demo. No pressure, no pressure!

One of the most entertaining and informative presentations you are likely to see this year! It includes an opening tip for those common digital safes found in hotel rooms.

From the description:

We’ve built a $200 open source robot that cracks combination safes using a mixture of measuring techniques and set testing to reduce crack times to under an hour. By using a motor with a high count encoder we can take measurements of the internal bits of a combination safe while it remains closed. These measurements expose one of the digits of the combination needed to open a standard fire safe. Additionally, ‘set testing’ is a new method we created to decrease the time between combination attempts. With some 3D printing, Arduino, and some strong magnets we can crack almost any fire safe. Come check out the live cracking demo during the talk!

Don’t miss their highly informative website, SparkFun Electronics.

Open source, part of the Maker community!

This won’t work against quality safes in highly secure environments, but most government safes are low-bidder/low-quality and sit outside highly secure environments. Use tools appropriate for the security environment.

Radio Navigation, Dodging Government GPS

Tuesday, August 8th, 2017

Radio navigation set to make global return as GPS backup, because cyber by Sean Gallagher.

From the post:

Way back in the 1980s, when I was a young naval officer, the Global Positioning System was still in its experimental stage. If you were in the middle of the ocean on a cloudy night, there was pretty much only one reliable way to know where you were: Loran-C, the hyperbolic low-frequency radio navigation system. Using a global network of terrestrial radio beacons, Loran-C gave navigators aboard ships and aircraft the ability to get a fix on their location within a few hundred feet by using the difference in the timing of two or more beacon signals.

An evolution of World War II technology (LORAN was an acronym for long-range navigation), Loran-C was considered obsolete by many once GPS was widely available. In 2010, after the US Coast Guard declared that it was no longer required, the US and Canada shut down their Loran-C beacons. Between 2010 and 2015, nearly everyone else shut down their radio beacons, too. The trial of an enhanced Loran service called eLoran that was accurate within 20 meters (65 feet) also wrapped up during this time.

But now there’s increasing concern about over-reliance in the navigational realm on GPS. Since GPS signals from satellites are relatively weak, they are prone to interference, accidental or deliberate. And GPS can be jammed or spoofed—portable equipment can easily drown them out or broadcast fake signals that can make GPS receivers give incorrect position data. The same is true of the Russian-built GLONASS system.

Sean focuses on the “national security” needs for a backup to GPS but it isn’t North Koreans, Chinese or Russians who are using Stingray devices against US citizens.

No, those are all in use by agents of the federal and/or state governments. Ditto for anyone spoofing your GPS in the United States.

You need a GPS backup, but your adversary is quite close to home.

The new protocol is called eLoran and Sean has a non-technical overview of it.

You would need unusual requirements to justify a private eLoran, but so you have an idea of what is possible:


eLoran technology has been available since the mid-1990s and is still available today. In fact, the state-of-the-art of eLoran continues to advance along with other 21st-century technology. eLoran system technology can be broken down into a few simple components: transmitting site, control and monitor site, differential reference station site and user equipment.

Modern transmitting site equipment consists of a high-power, modular, fully redundant, hot-swappable and software configurable transmitter, and sophisticated timing and control equipment. Standard transmitter configurations are available in power ranges from 125 kilowatts to 1.5 megawatts. The timing and control equipment includes a variety of external timing inputs to a remote time scale, and a local time scale consisting of three ensembled cesium-based primary reference standards. The local time scale is not directly coupled to the remote time scale. Having a robust local time scale while still monitoring many types of external time sources provides a unique ability to provide proof-of-position and proof-of-time. Modern eLoran transmitting site equipment is smaller, lighter, requires less input power, and generates significantly less waste heat than previously used Loran-C equipment.

The core technology at a differential eLoran reference station site consists of three differential eLoran reference station or integrity monitors (RSIMs) configurable as reference station (RS) or integrity monitor (IM) or hot standby (RS or IM). The site includes electric field (E-field) antennas for each of the three RSIMs.

Modern eLoran receivers are really software-defined radios, and are backward compatible with Loran-C and forward compatible, through firmware or software changes. ASF tables are included in the receivers, and can be updated via the Loran data channel. eLoran receivers can be standalone or integrated with GNSS, inertial navigation systems, chip-scale atomic clocks, barometric altimeters, sensors for signals-of-opportunity, and so on. Basically, any technology that can be integrated with GPS can also be integrated with eLoran.
… (Innovation: Enhanced Loran, GPS World, May 2015)
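Sean’s summary describes the principle (a fix from the timing difference of two or more beacon signals) and the article gives the component list, but neither shows the arithmetic. The following is an added worked example, not code from either source: it simulates the timing differences a receiver would see from a constructed chain of one master and three secondary beacons on a flat plane, recovers the position by least squares on the hyperbolic range-difference equations, and then shows how far a one-microsecond timing error on a single beacon (interference, deliberate or not) moves the fix. Beacon coordinates, the receiver position and the planar, vacuum-speed, no-ASF-correction geometry are all assumptions of the example.

```python
import math

C_KM_PER_US = 0.299792458  # km the signal travels per microsecond (vacuum value)


def simulate_tdoa(position, beacons):
    """Receiver-side observable: arrival time of each secondary beacon minus
    the master (beacons[0]), in microseconds. Constructed, noise-free."""
    dist = [math.dist(position, b) for b in beacons]
    return [(d - dist[0]) / C_KM_PER_US for d in dist[1:]]


def _residuals(p, beacons, tdoas):
    """r_i = |p - B_i| - |p - B_0| - c*tdoa_i, plus the Jacobian row of each r_i."""
    x, y = p
    bx0, by0 = beacons[0]
    d0 = math.dist(p, beacons[0])
    res, jac = [], []
    for (bx, by), t in zip(beacons[1:], tdoas):
        di = math.dist(p, (bx, by))
        res.append(di - d0 - C_KM_PER_US * t)
        jac.append(((x - bx) / di - (x - bx0) / d0,
                    (y - by) / di - (y - by0) / d0))
    return res, jac


def solve_tdoa(beacons, tdoas, guess, max_iter=100):
    """Levenberg-Marquardt least squares for the 2-D position that best
    satisfies the hyperbolic equations. Damping keeps the iteration from
    overshooting when the initial guess is rough."""
    x, y = guess
    lam = 1e-3
    for _ in range(max_iter):
        res, jac = _residuals((x, y), beacons, tdoas)
        cost = sum(r * r for r in res)
        if cost < 1e-18:
            break
        # Normal equations (J^T J + lam*diag(J^T J)) delta = -J^T r, 2x2 closed form.
        a = sum(j[0] * j[0] for j in jac)
        b = sum(j[0] * j[1] for j in jac)
        c = sum(j[1] * j[1] for j in jac)
        g0 = sum(j[0] * r for j, r in zip(jac, res))
        g1 = sum(j[1] * r for j, r in zip(jac, res))
        while True:
            aa, cc = a * (1 + lam), c * (1 + lam)
            det = aa * cc - b * b
            dx = -(cc * g0 - b * g1) / det
            dy = -(-b * g0 + aa * g1) / det
            trial = (x + dx, y + dy)
            new_cost = sum(r * r for r in _residuals(trial, beacons, tdoas)[0])
            if new_cost < cost:          # accept the step, trust the model more
                x, y = trial
                lam = max(lam / 3, 1e-12)
                break
            lam *= 10                    # reject the step, damp harder
            if lam > 1e12:
                return x, y
        if math.hypot(dx, dy) < 1e-9:
            break
    return x, y


# Constructed chain: master at the origin and three secondaries (km, planar).
BEACONS = [(0.0, 0.0), (400.0, 0.0), (0.0, 300.0), (350.0, 320.0)]
TRUE_POSITION = (120.0, 80.0)
INITIAL_GUESS = (200.0, 150.0)


def fix_from_clean_signal():
    """Position recovered from exact timing differences."""
    return solve_tdoa(BEACONS, simulate_tdoa(TRUE_POSITION, BEACONS), INITIAL_GUESS)


def fix_error_km(delay_us, index=0):
    """Distance (km) the fix moves when one secondary's timing is late by
    delay_us: what a single interfered beacon does to the solution."""
    tdoas = simulate_tdoa(TRUE_POSITION, BEACONS)
    tdoas[index] += delay_us
    est = solve_tdoa(BEACONS, tdoas, INITIAL_GUESS)
    return math.dist(est, TRUE_POSITION)


if __name__ == "__main__":
    print("clean fix:", fix_from_clean_signal())
    print("1 us error on one beacon moves the fix by %.3f km" % fix_error_km(1.0))
```

The sensitivity figure is the point: one microsecond is 300 m of range, and with this geometry a single late beacon shifts the fix by roughly 170 m. That is why the article stresses an independent local time scale and the differential reference stations; a receiver that cannot tell a delayed signal from a true one cannot tell a spoofed position from a true one either.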

Some people are happy with government controlled services. Other people, not so much.

Who is determining your location?

“This culture of leaking must stop.” Taking up Sessions’ Gage

Friday, August 4th, 2017

Jeff Sessions, the current (4 August 2017) Attorney General of the United States, wants to improve on Barack Obama’s legacy as the most secretive presidency of the modern era.

Sessions has announced a tripling of Justice Department probes into leaks and a review of guidelines for subpoenas of members of the news media: Attorney General says Justice Dept. has tripled the number of leak probes. (Media subpoenas are an effort to discover media sources and hence to plug the “leaks.”)

Sessions has thrown down his gage, declaring war on occasional transparency from government leakers. Indirectly, that war will include members of the media as casualties.

Shakespeare penned the best response for taking up Sessions’ gage:

Cry ‘Havoc,’ and let slip the dogs of war;

In case you don’t know the original sense of “Havoc:”

The military order Havoc! was a signal given to the English military forces in the Middle Ages to direct the soldiery (in Shakespeare’s parlance ‘the dogs of war’) to pillage and chaos. Cry havoc and let slip the dogs of war

It’s on all of us to create enough chaos to protect leakers and members of the media who publish their leaks.

Observations – Not Instructions

Data access: Phishing emails succeed 33% of the time. Do they punish would-be leakers who fall for phishing emails?

Exfiltration: Tracing select documents to a leaker is commonplace. How do you trace an entire server disk? The larger and more systematic the data haul, the greater the difficulty in pinning the leak on particular documents. (Back to school specials often include multi-terabyte drives.)

Protect the Media: Full drive leaks posted to a Torrent or Dark Web server mean media can answer subpoenas with: go to: https://some-location. 😉

BTW, full drive leaks provide transparency for the relationship between the leaked data and media reports. Accountability is as important for the media as the government.

One or more of my observations may constitute crimes depending upon your jurisdiction.

Which I guess is why Nathan Hale is recorded as saying:

Gee, that sounds like a crime. You know, I could get arrested, even executed. None for me please!

Not!

Nathan Hale volunteered to be a spy, was caught and executed, having said:

I only regret, that I have but one life to lose for my country.

Question for you:

Are you a ‘dog of war’ making the government bleed data?

PS: As a security measure, don’t write that answer down or tell anyone. When you read about leaks, you can inwardly smile and know you played your part.

Foreign Intelligence Gathering Laws (and ethics)

Thursday, August 3rd, 2017

Foreign Intelligence Gathering Laws from the Law Library of the Library of Congress.

From the webpage:

This report offers a review of laws regulating the collection of intelligence in the European Union (EU) and Belgium, France, Germany, Netherlands, Portugal, Romania, Sweden, and the United Kingdom. This report updates a report on the same topic issued from 2014. Because issues of national security are under the jurisdiction of individual EU Member States and are regulated by domestic legislation, individual country surveys provide examples of how the European nations control activities of their intelligence agencies and what restrictions are imposed on information collection. All EU Member States follow EU legislation on personal data protection, which is a part of the common European Union responsibility.

If you are investigating or reporting on breaches of intelligence gathering laws in “the European Union (EU) and Belgium, France, Germany, Netherlands, Portugal, Romania, Sweden, and the United Kingdom,” this will be useful. Otherwise, for the other one hundred and eighty-eight (188), you are SOL.

Other than as a basis for outrage, it’s not clear how useful intelligence gathering laws are in fact. The secrecy of intelligence operations makes practical oversight impossible and if leaks are to be credited, no known intelligence agency obeys such laws other than accidentally.

Moreover, as the U.S. Senate report on torture demonstrates, even war criminals are protected from prosecution in the name of intelligence gathering.

I take my cue from the CIA’s position, as captured by Bob Dylan in Tweeter and the Monkey Man:

“It was you to me who taught
In Jersey anything’s legal as long as you don’t get caught.”

Disarming yourself with law or ethics in any encounter with an intelligence agency, which honors neither, means you will lose.

Choose your strategies accordingly.

Security Leadership by the Uninformed

Wednesday, August 2nd, 2017

The first two paragraphs of Senators Want A Hack-Proof Internet Of Government Things are sufficient to establish the authors of the Internet of Things Cybersecurity Improvements Act as deeply uninformed:

Internet-connected smart devices purchased by the federal government would have to meet strict security standards under bipartisan legislation introduced Tuesday.

Those devices would have to accept software patches to remove vulnerabilities and allow users to change default passwords, according to the Internet of Things Cybersecurity Improvements Act.

Sigh, “…allow users to change default passwords….”

That’s section 3, (a)(1)(A)(i)(IV):

…does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.

Yeah! Getting users to change default passwords is a step towards …. 91% insecurity.

If you have the top 1,000 passwords by popularity, you are close to 91% of the “changed” passwords you will encounter. (That link leads to the top 10,000 passwords if you are looking for completeness.)

You could argue that improving the security of the Internet of Things by 9 percentage points (maybe) isn’t nothing.

True but it is so nearly nothing as to not be worth the effort.

PS: There are solutions to the IoT password issue but someone needs to pay money to spark that discussion.
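To make the 91% point concrete from the defender’s side, here is an added example (not code from the post, the bill, or any vendor) of the check a device or its management console could run at provisioning time: a user-chosen password is compared against a common-password deny-list after normalising the usual dress-ups (case, trailing digits and punctuation, letter-for-symbol substitutions), and is also rejected if it embeds an identifier printed on the device. The short deny-list excerpt, the substitution table and the 12-character minimum are assumptions of the example; a deployment would load the full top-N list the post refers to.

```python
import re

# Constructed excerpt of a "most common passwords" list; a real check loads
# the full top-N list, one password per line.
COMMON_PASSWORDS = frozenset("""
123456 password 12345678 qwerty admin 1234 letmein welcome 111111 abc123
dragon monkey iloveyou sunshine princess football shadow master trustno1
""".split())

# Symbol-for-letter substitutions people use to dress up a common word.
_LEET = str.maketrans("@$03157", "asoeist")
_TRAILING = re.compile(r"[^a-z]+$")


def normalise(candidate: str) -> set:
    """Every form of candidate that should be looked up in the deny-list."""
    lower = candidate.lower()
    stripped = _TRAILING.sub("", lower)            # "Welcome123!" -> "welcome"
    forms = {lower, stripped, lower.translate(_LEET), stripped.translate(_LEET)}
    return {f for f in forms if f}                 # drop the empty string


def validate_device_password(candidate: str, device_identifiers=(), min_length=12) -> tuple:
    """Return (accepted, reason). device_identifiers are strings printed on or
    derived from the unit (model, serial, MAC) that must not appear in it."""
    if normalise(candidate) & COMMON_PASSWORDS:
        return False, "variant of a common password"
    if len(candidate) < min_length:
        return False, "shorter than %d characters" % min_length
    low = candidate.lower()
    for ident in device_identifiers:
        if ident and ident.lower() in low:
            return False, "contains device identifier %r" % ident
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Welcome123", "short7",
               "correct-horse-battery-staple", "Kettle-SN8841-Morning"):
        print("%-32s %s" % (pw, validate_device_password(pw, device_identifiers=("SN8841",))))
```

The normalisation step matters more than the list itself: without it, `P@ssw0rd1!` sails past a check for `password`, which is the behaviour the 91% figure reflects.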

Potential NSA Leak Stream

Wednesday, August 2nd, 2017

The Government Accounting Office (GAO) has publicly identified a potential source of NSA technology leaks. The cumbersome title: DOD’s Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened (GAO-17-512) begins with this summary:

Officials from Department of Defense (DOD) components identified advantages and disadvantages of the “dual-hat” leadership of the National Security Agency (NSA)/Central Security Service (CSS) and Cyber Command (CYBERCOM) (see table). Also, DOD and congressional committees have identified actions that could mitigate risks associated with ending the dual-hat leadership arrangement, such as formalizing agreements between NSA/CSS and CYBERCOM to ensure continued collaboration, and developing a persistent cyber training environment to provide a realistic, on-demand training capability. As of April 2017, DOD had not determined whether it would end the dual-hat leadership arrangement.

At first I thought it said “ass-hat” leadership and went back to check. 😉

You can read the recommendations if you are in charge of improving that situation (an unlikely outcome) or take the GAO at its word as a place to mine for leaks.

Are dual-hat arrangements “leak patterns” much like “design patterns” in programming languages?

I ask because identifying “leak patterns,” whether in software (buffer overflows) or recurrent organizational security failures, could be a real boon to hounds and hares alike.

“But it feels better when I sneak”

Wednesday, August 2nd, 2017

Email prankster tricks White House officials by Graham Cluley is ample evidence for why you should abandon FOIA requests in favor of phishing/hacking during the reign of Donald Trump.

People can and do obtain mountains of information using FOIA requests, but in the words of Parker Ray, “The Other Woman,”:

“Now I hate to have to cheat
But it feels better when I sneak”

In addition to feeling better, not using FOIA requests during the Trump regime results in:

  1. Access to competitor’s data deposited with the government
  2. Avoids the paperwork and delay of the FOIA process
  3. Bidding and contract data
  4. Develop long-term stealth access that spans presidencies
  5. Incompetence of staff gives broad and deep access across agencies
  6. Mine papers of extremely secretive prior presidents, like Obama
  7. Transparency when least expected and most inconvenient

If that sounds wishful, remember Cluley reports the “technique” used by the prankster was: 1) create an email account in the name of a White House staffer, 2) send an email from that account. This has to be a new low bar for “fake” emails.

Can you afford to be a goody two shoes?

If You Believe in Parliaments

Wednesday, July 19th, 2017

If you believe in parliaments, other than as examples of how governments don’t “get it,” then the Law Library of Congress, Global Legal Research Center has a treat for you!

Fifty (50) countries and seventy (70) websites surveyed in: Features of Parliamentary Websites in Selected Jurisdictions.

From the summary:

In recent years, parliaments around the world have enhanced their websites in order to improve access to legislative information and other parliamentary resources. Innovative features allow constituents and researchers to locate and utilize detailed information on laws and lawmaking in various ways. These include tracking tools and alerts, apps, the use of open data technology, and different search functions. In order to demonstrate some of the developments in this area, staff from the Global Legal Research Directorate of the Law Library of Congress surveyed the official parliamentary websites of fifty countries from all regions of the world, plus the website of the European Parliament. In some cases, information on more than one website is provided where separate sites have been established for different chambers of the national parliament, bringing the total number of individual websites surveyed to seventy.

While the information on the parliamentary websites is primarily in the national language of the particular country, around forty of the individual websites surveyed were found to provide at least limited information in one or more other languages. The European Parliament website can be translated into any of the twenty-four official languages of the members of the European Union.

All of the parliamentary websites included in the survey have at least basic browse tools that allow users to view legislation in a list format, and that may allow for viewing in, for example, date or title order. All of the substantive websites also enable searching, often providing a general search box for the whole site at the top of each page as well as more advanced search options for different types of documents. Some sites provide various facets that can be used to further narrow searches.

Around thirty-nine of the individual websites surveyed provide users with some form of tracking or alert function to receive updates on certain documents (including proposed legislation), parliamentary news, committee activities, or other aspects of the website. This includes the ability to subscribe to different RSS feeds and/or email alerts.

The ability to watch live or recorded proceedings of different parliaments, including debates within the relevant chamber as well as committee hearings, is a common feature of the parliamentary websites surveyed. Fifty-eight of the websites surveyed featured some form of video, including links to dedicated YouTube channels, specific pages where users can browse and search for embedded videos, and separate video services or portals that are linked to or viewable from the main site. Some countries also make videos available on dedicated mobile-friendly sites or apps, including Denmark, Germany, Ireland, the Netherlands, and New Zealand.

In total, apps containing parliamentary information are provided in just fourteen of the countries surveyed. In comparison, the parliamentary websites of thirty countries are available in mobile-friendly formats, enabling easy access to information and different functionalities using smartphones and tablets.

The table also provides information on some of the additional special features available on the surveyed websites. Examples include dedicated sites or pages that provide educational information about the parliament for children (Argentina, El Salvador, Germany, Israel, Netherlands, Spain, Taiwan, Turkey); calendar functions, including those that allow users to save information to their personal calendars or otherwise view information about different types of proceedings or events (available on at least twenty websites); and open data portals or other features that allow information to be downloaded in bulk for reuse or analysis, including through the use of APIs (application programming interfaces) (at least six countries).

With differing legal vocabularies and local personification of multi-nationals, this is a starting point for transparency based upon topic maps.

I first saw this in a tweet by the Global Investigative Journalism Network (GIJN).

Next Office of Personnel Management (OPM) Leak, When, Not If

Friday, July 14th, 2017

2 Years After Massive Breach, OPM Isn’t Sufficiently Vetting IT Systems by Joseph Marks.

From the post:

More than two years after suffering a massive data breach, the Office of Personnel Management still isn’t sufficiently vetting many of its information systems, an auditor found.

In some cases, OPM is past due to re-authorize IT systems, the inspector general’s audit said. In other cases, OPM did reauthorize those systems but did it in a haphazard and shoddy way during a 2016 “authorization sprint,” the IG said.

“The lack of a valid authorization does not necessarily mean that a system is insecure,” the auditors said. “However, it does mean that a system is at a significantly higher risk of containing unidentified security vulnerabilities.”

The full audit provides more details but suffice it to say OPM security is as farcical as ever.

Do you think use of https://www.opm.gov/ in hacking examples and scripts, would call greater attention to flaws at the OPM?

Targets of Government Cybercriminal Units

Friday, July 14th, 2017

The Unfortunate Many: How Nation States Select Targets

From the post:

Key Takeaways

  • It’s safe to assume that all governments are developing and deploying cyber capabilities at some level. It’s also safe to assume most governments are far from open about the extent of their cyber activity.
  • If you take the time to understand why nation states get involved with cyber activity in the first place, you’ll find their attacks are much more predictable than they seem.
  • Each nation state has its own objectives and motivations for cyber activity. Even amongst big players like China, Russia, and the U.S. there’s a lot of variation.
  • Most nation states develop national five-year plans that inform all their cyber activities. Understanding these plans enables an organization to prioritize preparations for the most likely threats.

There’s a name for those who rely on governments, national or otherwise, to protect their cybersecurity: victims.

Recorded Future gives a quick overview of factors that may drive the objectives of government cybercriminal units.

I use “cybercriminal units” to avoid the false dichotomy between alleged “legitimate” government hacking and that of other governments and individuals.

We’re all adults here and realize government is a particular distribution of reward and stripes, nothing more. It has no vision, no goal beyond self-preservation and certainly, beyond your locally owned officials, no interest in you or yours.

That is to say, governments undertake hacking to further a “particular distribution of reward and stripes,” and their choices are no more (or less) legitimate than anyone else’s.

Government choices are certainly no more legitimate than your choices. Although governments claim a monopoly on criminal prosecutions, which accounts for why criminals acting on their behalf are never prosecuted. That monopoly also explains why governments, assuming they have possession of your person, may prosecute you for locally defined “criminal” acts.

Read the Recorded Future post to judge your odds of being a victim of a national government. Then consider which governments should be your victims.

Locate Your Representative/Senator In Hell

Thursday, July 13th, 2017

Mapping Dante’s Inferno, One Circle of Hell at a Time by Anika Burgess.

From the post:

“I found myself, in truth, on the brink of the valley of the sad abyss that gathers the thunder of an infinite howling. It was so dark, and deep, and clouded, that I could see nothing by staring into its depths.”

This is the vision that greets the author and narrator upon entry the first circle of Hell—Limbo, home to honorable pagans—in Dante Alighieri’s Inferno, the first part of his 14th-century epic poem, Divine Comedy. Before Dante and his guide, the classical poet Virgil, encounter Purgatorio and Paradiso, they must first journey through a multilayered hellscape of sinners—from the lustful and gluttonous of the early circles to the heretics and traitors that dwell below. This first leg of their journey culminates, at Earth’s very core, with Satan, encased in ice up to his waist, eternally gnawing on Judas, Brutus, and Cassius (traitors to God) in his three mouths. In addition to being among the greatest Italian literary works, Divine Comedy also heralded a craze for “infernal cartography,” or mapping the Hell that Dante had created.
… (emphasis in original)

Burgess has collected seven (7) traditional maps of the Inferno. I take them to be early essays in the art of visualization. They are by no means, individually or collectively, the definitive visualizations of the Inferno.

The chief deficit of all seven, to me, is the narrowness of the circles/ledges. As I read the Inferno, Dante and Virgil are not pressed for space. Expanding and populating the circles more realistically is one starting point.

The Inferno has no shortage of characters in each circle; Dante even predicts the fate of Pope Boniface VIII, placing him in the eighth circle of Hell (simoniacs, a subclass of fraud). (Use the online Britannica with caution: its entry for Boniface VIII doesn’t even mention the Inferno, as of July 13, 2017.)

I would like to think being condemned to Hell by no less than Dante would rate at least a mention in my biography!

Sadly, Dante is no longer around to add to the populace of the Inferno but new visualizations could take the opportunity to update the resident list for Hell!

It’s an exercise in visualization, mapping, 14th century literature, and, an excuse to learn the name of your representative and senators.

Enjoy!

Truth In Terrorism Labeling (TITL) – A Starter Set

Tuesday, July 11th, 2017

Sam Biddle‘s recent post: Facebook’s Tough-On-Terror Talk Overlooks White Extremists, is a timely reminder that “terrorism” and “terrorist” are labels with no agreed upon meaning.

To illustrate, here are some common definitions with suggestions for specifying the definition in use:

Terrorist/terrorism(Biddle): ISIS, Al Qaeda, and US white extremists. But not Tibetans and Uyghurs.

Terrorist/terrorism(China): From: How China Sees ISIS Is Not How It Sees ‘Terrorism’:

… in Chinese discourse, terrorism is employed exclusively in reference to Tibetans and Uyghurs. Official government statements typically avoid identifying acts of violence with a specific ethnic group, preferring more generic descriptors like “Xinjiang terrorists,” “East Turkestan terror forces and groups,” the “Tibetan Youth Congress,” or the “Dalai clique.” In online Chinese chat-rooms, however, epithets like “Uyghur terrorist” or “Tibetan splittest” are commonplace and sometimes combine with homophonic racial slurs like “dirty Tibetans” or “raghead Uyghurs.”

Limiting “terrorism” to Tibetans and Uyghurs excludes ISIS, Al Qaeda, and US white extremists from that term.

Terrorist/terrorism(Facebook): ISIS, Al Qaeda, but no US white extremists (following US)

Terrorist/terrorism(Russia): Putin’s Flexible Definition of Terrorism

Who, exactly, counts as a terrorist? If you’re Russian President Vladimir Putin, the definition might just depend on how close or far the “terror” is from Moscow. A court in the Nizhniy Novgorod regional center last week gave a suspended two year sentence to Stanislav Dmitriyevsky, Chair of the local Russian-Chechen Friendship Society, and editor of Rights Defense bulletin. Dmitriyevsky was found guilty of fomenting ethnic hatred, simply because in March 2004, he published an appeal by Chechen rebel leader Aslan Maskhadov — later killed by Russian security services — and Maskhadov’s envoy in Europe, Akhmet Zakayev.

Maskhadov, you see, is officially a terrorist in the eyes of the Kremlin. Hamas, however, isn’t. Putin said so at his Kremlin press-conference on Thursday, where he extended an invitation — eagerly accepted — to Hamas’s leaders to Moscow for an official visit.

In fairness to Putin, as a practical matter, who is or is not a “terrorist” for the US depends on the state of US support. US supporting, not terrorists, US not supporting, likely to be terrorists.

Terrorist/terrorism(US): Generally ISIS, Al Qaeda, no US white extremists, for details see: Terrorist Organizations.

By appending parentheses and Biddle, China, Facebook, Russia, or US to terrorist or terrorism, the reading public has some chance to understand your usage of “terrorism/terrorist.”

Otherwise they are nodding along using their definitions of “terrorism/terrorist” and not yours.

Or was that vagueness intentional on your part?

New York Times, Fact Checking and DaCosta’s First OpEd

Friday, July 7th, 2017

Cutbacks on editors/fact-checking at the New York Times came at an unfortunate time for Marc DaCosta‘s first OpEd, The President Wants to Keep Us in the Dark (New York Times, 28 June 2017).

DaCosta decries the lack of TV cameras at several recent White House press briefings. Any proof the lack of TV cameras altered the information available to reporters covering the briefings? Here’s DaCosta on that point:


But the truth is that the decision to prevent the press secretary’s comments on the day’s most pressing matters from being televised is an affront to the spirit of an open and participatory government. It’s especially chilling in a country governed by a Constitution whose very First Amendment protects the freedom of the press.

Unfortunately, the slow death of the daily press briefing is only part of a larger assault by the Trump administration on a precious public resource: information.

DaCosta’s implied answer is no, a lack of TV cameras resulted in no diminishing of information from the press conference. But, his hyperbole gland kicks in, then he cites disjointed events claimed to diminish public access to information.

For example, Trump’s non-publication of visitor records:


Immediately after Mr. Trump took office, the administration stopped publishing daily White House visitor records, reversing a practice established by President Obama detailing the six million appointments he and administration officials took at the White House during his eight years in office. Who is Mr. Trump meeting with today? What about Mr. Bannon? Good luck finding out.

Really? Mark J. Rozell summarizes the “detailing the six million appointments he and administration officials took…” this way:


Obama’s action clearly violated his own pledge of transparency and an outpouring of criticism of his action somewhat made a difference. He later reversed his position when he announced that indeed the White House visitor logs would be made public after all.

Unfortunately, the president decided only to release lengthy lists of names, with no mention of the purpose of White House visits or even differentiation between tourists and people consulted on policy development.

This action enabled the Obama White House to appear to be promoting openness while providing no substantively useful information. If the visitor log listed “Michael Jordan,” there was no way to tell if the basketball great or a same-named industry lobbyist was the person at the White House that day and the layers of inquiry required to get that information were onerous. But largely because the president had appeared to have reversed himself in reaction to criticism for lack of transparency, the controversy died down, though it should not have.

Much of the current reaction to President Trump’s decision has contrasted that with the action of his predecessor, and claimed that Obama had set the proper standard by opening the books. The reality is different though, as Obama’s action set no standard at all for transparency.
…(Trump should open White House visitor logs, but don’t flatter Obama, The Hill, 18 April 2017)

That last line on White House visitor records under Obama is worth repeating:

The reality is different though, as Obama’s action set no standard at all for transparency.

Obama-style opaqueness would not answer the questions:

Who is Mr. Trump meeting with today? What about Mr. Bannon? [Questions by DaCosta.]

A fact-checker and/or editor at the New York Times knew that answer (hint to NYT management).

Even more disappointing is the failure of DaCosta, as the co-founder of Enigma, to bring any data to a claim that White House press briefings are of value.

One way to test the value of White House press briefings is to extract the “facts” announced during the briefing and compare those to media reports in the prior twenty-four hours.

If DaCosta thought of such a test, the reason it went unperformed isn’t hard to guess:


The Senate had just released details of a health care plan that would deprive 22 million Americans of health insurance, and President Trump announced that he did not, as he had previously hinted, surreptitiously record his conversations with James Comey, the former F.B.I. director.
… (DaCosta)

First, a presidential press briefing isn’t an organ for the US Senate and second, Trump had already tweeted the news about not recording his conversations with James Comey. None of those “facts” broke at the presidential press briefing.

DaCosta is 0 for 2 for new facts at that press conference.

I offer no defense for the current administration’s lack of transparency, but fact-free and factually wrong claims against it don’t advance DaCosta’s cause:


Differences of belief and opinion are inseparable from the democratic process, but when the facts are in dispute or, worse, erased altogether, public debate risks breaking down. To have a free and democratic society we all need a common and shared context of facts to draw from. Facts or data will themselves never solve any problem. But without them, finding solutions to our common problems is impossible.

We should all expect better of President Trump, the New York Times and Marc DaCosta (@marc_dacosta).

Kaspersky: Is Source Code Disclosure Meaningful?

Thursday, July 6th, 2017

Responding to a proposed ban of Kaspersky Labs software, Eugene Kaspersky, chief executive of Kaspersky, is quoted in Russia’s Kaspersky Lab offers up source code for US government scrutiny, as saying:

The chief executive of Russia’s Kaspersky Lab says he’s ready to have his company’s source code examined by U.S. government officials to help dispel long-lingering suspicions about his company’s ties to the Kremlin.

In an interview with The Associated Press at his Moscow headquarters, Eugene Kaspersky said Saturday that he’s also ready to move part of his research work to the U.S. to help counter rumors that he said were first started more than two decades ago out of professional jealousy.

“If the United States needs, we can disclose the source code,” he said, adding that he was ready to testify before U.S. lawmakers as well. “Anything I can do to prove that we don’t behave maliciously I will do it.”

Personally I think Kaspersky is about to be victimized by anti-Russia hysteria, where repetition of rumors, not facts, is the coin of the realm.

Is source code disclosure meaningful? The question applies equally to Kaspersky disclosures to U.S. government officials and to Microsoft or Oracle disclosures of source code to foreign governments.

My answer is no, at least if you mean source code disclosure limited to governments or other clients.

Here’s why:

  • Limited competence: For the FBI in particular, source code disclosure is meaningless. Recall the FBI blew away $170 million in the Virtual Case File project with nothing to show and no prospect of a timeline, after four years of effort.
  • Limited resources: Guido Vranken’s The OpenVPN post-audit bug bonanza demonstrates that after two (2) manual audits, vulnerabilities remain to be found in OpenVPN. Unlike OpenVPN, any source code given to a government will be reviewed at most once and then only by a limited number of individuals. Contrast that with OpenVPN, which has been reviewed for years by a large number of people and yet flaws remain to be discovered.
  • Limited staff: Closely related to my point about limited resources, the people in government who are competent to undertake a software review are already busy with other tasks. Most governments don’t have a corps of idle but competent programmers waiting for source code disclosures to evaluate. Whatever source code review takes place, it will be the minimum required and that only as other priorities allow.

If Kaspersky Labs were to open source but retain copyright on their software, then their source code could be reviewed by:

  • As many competent programmers as are interested
  • On an ongoing basis
  • By people with varying skills and approaches to software auditing

Setting a new standard, that is open source but copyrighted for security software, would be to the advantage of leaders in Gartner’s Magic Quadrant, others, not so much.

It’s entirely possible for someone to compile source code and avoid paying a license fee but seriously, is anyone going to pursue pennies on the ground when there are $100 bills blowing overhead? Auditing, code review, transparency, trust. (I know, the RIAA chases pennies but it’s run by delusional paranoids.)

Three additional reasons for Kaspersky to go open source but copyrighted:

  • Angst among its more poorly managed competitors will soar.
  • Example for government-mandated open source but copyright for domestic sales. (Think China, EU, Russia.)
  • Front page news featuring Kaspersky Labs as breaking away from the pack.

Entirely possible for Kaspersky to take advantage of the narrow-minded nationalism now so popular in some circles of the U.S. government. Not to mention changing the landscape of security software to its advantage.

Re-imagining Legislative Data – Semantic Integration Alert

Tuesday, June 27th, 2017

Innovate, Integrate, and Legislate: Announcing an App Challenge by John Pull.

From the post:

This morning, on Tuesday, June 27, 2017, Library of Congress Chief Information Officer Bernard A. Barton, Jr., is scheduled to make an in-person announcement to the attendees of the 2017 Legislative Data & Transparency Conference in the CVC. Mr. Barton will deliver a short announcement about the Library’s intention to launch a legislative data App Challenge later this year. This pre-launch announcement will encourage enthusiasts and professionals to bring their app-building skills to an endeavor that seeks to create enhanced access and interpretation of legislative data.

The themes of the challenge are INNOVATE, INTEGRATE, and LEGISLATE. Mr. Barton’s remarks are below:

Here in America, innovation is woven into our DNA. A week from today our nation celebrates its 241st birthday, and those years have been filled with great minds who surveyed the current state of affairs, analyzed the resources available to them, and created devices, systems, and ways of thinking that created a better future worldwide.

The pantheon includes Benjamin Franklin, George Washington Carver, Alexander Graham Bell, Bill Gates, and Steve Jobs. It includes first-generation Americans like Nikolai Tesla and Albert Einstein, for whom the nation was an incubator of innovation. And it includes brilliant women such as Grace Hopper, who led the team that invented the first computer language compiler, and Shirley Jackson, whose groundbreaking research with subatomic particles enabled the inventions of solar cells, fiber-optics, and the technology that brings us something we use every day: call waiting and caller ID.

For individuals such as these, the drive to innovate takes shape through understanding the available resources, surveying the landscape for what’s currently possible, and taking it to the next level. It’s the 21st Century, and society benefits every day from new technology, new generations of users, and new interpretations of the data surrounding us. Social media and mobile technology have rewired the flow of information, and some may say it has even rewired the way our minds work. So then, what might it look like to rewire the way we interpret legislative data?

It can be said that the legislative process – at a high level – is linear. What would it look like if these sets of legislative data were pushed beyond a linear model and into dimensions that are as-yet-unexplored? What new understandings wait to be uncovered by such interpretations? These understandings could have the power to evolve our democracy.

That’s a pretty grand statement, but it’s not without basis. The sets of data involved in this challenge are core to a legislative process that is centuries old. It’s the source code of American government. An informed citizenry is better able to participate in our democracy, and this is a very real opportunity to contribute to a better understanding of the work being done in Washington. It may even provide insights for the people doing the work around the clock, both on the Hill, and in state and district offices. Your innovation and integration may ultimately benefit the way our elected officials legislate for our future.

Improve the future, and be a part of history.

The 2017 Legislative Data App Challenge will launch later this summer. Over the next several weeks information will be made available at loc.gov/appchallenge, and individuals are invited to connect via appchallenge@loc.gov.

I mention this as a placeholder only because Pull’s post is general enough to mean several things, their opposites or something entirely different.

The gist of the post is that later this summer (2017), a challenge involving an “app” will be announced. The “app” will access/deliver/integrate legislative data. Beyond that, no further information is available at this time.

Watch for future posts as more information becomes available.

Manning Leaks — No Real Harm (Database of Government Liars Anyone?)

Tuesday, June 20th, 2017

Secret Government Report: Chelsea Manning Leaks Caused No Real Harm by Jason Leopold.

From the post:

In the seven years since WikiLeaks published the largest leak of classified documents in history, the federal government has said they caused enormous damage to national security.

But a secret, 107-page report, prepared by a Department of Defense task force and newly obtained by BuzzFeed News, tells a starkly different story: It says the disclosures were largely insignificant and did not cause any real harm to US interests.

Regarding the hundreds of thousands of Iraq-related military documents and State Department cables provided by the Army private Chelsea Manning, the report assessed “with high confidence that disclosure of the Iraq data set will have no direct personal impact on current and former U.S. leadership in Iraq.”

The 107 page report, redacted, runs 35 pages. Thanks to BuzzFeed News for prying that much of a semblance of the truth out of the government.

It is further proof that US prosecutors and other federal government representatives lie to the courts, the press and the public, whenever it suits their purposes.

Anyone with transcripts from the original Manning hearings should identify statements by prosecutors at variance with this report, noting the prosecutor’s name and rank and recording the page/line reference in the transcript.

That individual prosecutors and federal law enforcement witnesses lie is a commonly known fact. What I haven’t seen is a central repository of all such liars and the lies they have told.

I mention a central repository because to say one or two prosecutors have lied or been called down by a judge grabs a headline, but showing a pattern over decades of lying by the state, that could move to an entirely different level.

Judges, even conservative ones (especially conservative ones?), don’t appreciate being lied to by anyone, including the state.

The state has chosen lying as its default mode of operation.

Let’s help them wear that banner.

Interested?

Key DoD Officials – September 1947 to June 2017

Monday, June 19th, 2017

While looking for a particular Department of Defense official, I stumbled on: Department of Defense Key Officials September 1947–June 2017.

Yes, almost seventy (70) years worth of key office holders at the DoD. It’s eighty (80) pages long, produced by the Historical Office of the Secretary of Defense.

One potential use, aside from giving historical military fiction a ring of authenticity, would be to use this as a starting set of entities to trace through the development of the military/industrial complex.

Everyone, including me, refers to the military/industrial complex as though it is a separate entity, over there somewhere.

But as everyone discovered with the Panama Papers, however tangled and corrupt even world-wide organizations can be, we have the technology to untangle those knots and to shine bright lights into obscure corners.

Interested?

DoD Audit Ready By End of September (Which September? Define “ready.”)

Monday, June 19th, 2017

For your Monday amusement: Pentagon Official: DoD will be audit ready by end of September by Eric White.

From the post:

In today’s Federal Newscast, the Defense Department’s Comptroller David Norquist said the department has been properly preparing for its deadline for audit readiness.

The Pentagon’s top financial official said DoD will meet its deadline to be “audit ready” by the end of September. DoD has been working toward the deadline for the better part of seven years, and as the department pointed out in its most recent audit readiness update, most federal agencies haven’t earned clean opinions until they’ve been under full-scale audits for several years. But newly-confirmed comptroller David Norquist said now’s the time to start. He said the department has already contracted with several outside accounting firms to perform the audits, both for the Defense Department’s various components and an overarching audit of the entire department.

I’m reminded of the alleged letter by the Duke of Wellington to Whitehall:

Gentlemen,

Whilst marching from Portugal to a position which commands the approach to Madrid and the French forces, my officers have been diligently complying with your requests which have been sent by H.M. ship from London to Lisbon and thence by dispatch to our headquarters.

We have enumerated our saddles, bridles, tents and tent poles, and all manner of sundry items for which His Majesty’s Government holds me accountable. I have dispatched reports on the character, wit, and spleen of every officer. Each item and every farthing has been accounted for, with two regrettable exceptions for which I beg your indulgence.

Unfortunately the sum of one shilling and ninepence remains unaccounted for in one infantry battalion’s petty cash and there has been a hideous confusion as to the number of jars of raspberry jam issued to one cavalry regiment during a sandstorm in western Spain. This reprehensible carelessness may be related to the pressure of circumstance, since we are at war with France, a fact which may come as a bit of a surprise to you gentlemen in Whitehall.

This brings me to my present purpose, which is to request elucidation of my instructions from His Majesty’s Government so that I may better understand why I am dragging an army over these barren plains. I construe that perforce it must be one of two alternative duties, as given below. I shall pursue either one with the best of my ability, but I cannot do both:

1. To train an army of uniformed British clerks in Spain for the benefit of the accountants and copy-boys in London or perchance.

2. To see to it that the forces of Napoleon are driven out of Spain.

Your most obedient servant,

Wellington

The primary function of any military organization is suppression of the currently designated “enemy.”

Congress should direct the Department of Homeland Security (DHS) to audit the DoD.

Instead of chasing fictional terrorists, DHS staff would be chasing known to exist dollars and alleged expenses.

FOIA Success Prediction

Friday, June 16th, 2017

Will your FOIA request succeed? This new machine will tell you by Benjamin Mullin.

From the post:

Many journalists know the feeling: There could be a cache of documents that might confirm an important story. Your big scoop hinges on one question: Will the government official responsible for the records respond to your FOIA request?

Now, thanks to a new project from a data storage and analysis company, some of the guesswork has been taken out of that question.

Want to know the chances your public records request will get rejected? Plug it into FOIA Predictor, a probability analysis web application from Data.World, and it will provide an estimation of your success based on factors including word count, average sentence length and specificity.

Accuracy?

Best way to gauge that is experience with your FOIA requests.

Try starting at MuckRock.com.

Enjoy!

(Legal) Office of Personnel Management Data!

Friday, June 9th, 2017

We’re Sharing A Vast Trove Of Federal Payroll Records by Jeremy Singer-Vine.

From the post:

Today, BuzzFeed News is sharing an enormous dataset — one that sheds light on four decades of the United States’ federal payroll.

The dataset contains hundreds of millions of rows and stretches all the way back to 1973. It provides salary, title, and demographic details about millions of U.S. government employees, as well as their migrations into, out of, and through the federal bureaucracy. In many cases, the data also contains employees’ names.

We obtained the information — nearly 30 gigabytes of it — from the U.S. Office of Personnel Management, via the Freedom of Information Act (FOIA). Now, we’re sharing it with the public. You can download it for free on the Internet Archive.

This is the first time, it seems, that such extensive federal payroll data is freely available online, in bulk. (The Asbury Park Press and FedsDataCenter.com both publish searchable databases. They’re great for browsing, but don’t let you download the data.)

We hope that policy wonks, sociologists, statisticians, fellow journalists — or anyone else, for that matter — find the data useful.

We obtained the information through two Freedom of Information Act requests to OPM. The first chunk of data, provided in response to a request filed in September 2014, covers late 1973 through mid-2014. The second, provided in response to a request filed in December 2015, covers late 2014 through late 2016. We have submitted a third request, pending with the agency, to update the data further.

Between our first and second requests, OPM announced it had suffered a massive computer hack. As a result, the agency told us, it would no longer release certain information, including the employee “pseudo identifier” that had previously disambiguated employees with common names.

What a great data release! Kudos and thanks to BuzzFeed News!

If you need the “pseudo identifiers” for the second or following releases and/or data for the employees withheld (generally the more interesting ones), consult data from the massive computer hack.

Or obtain the excluded data directly from the Office of Personnel Management without permission.

Enjoy!

Open Data = Loss of Bureaucratic Power

Friday, June 9th, 2017

James Comey’s leaked memos about meetings with President Trump illustrate one reason for the lack of progress on open data reported in FOIA This! The Depressing State of Open Data by Toby McIntosh.

From Former DOJ Official on Comey Leak: ‘Standard Operating Procedure’ Among Bureaucrats:


On “Fox & Friends” today, J. Christian Adams said the leak of the memos by Comey was in line with “standard operating procedure” among Beltway bureaucrats.

“[They] were using the media, using confidential information to advance attacks on the President of the United States. That’s what they do,” said Adams, adding he saw it go on at DOJ.

Access to information is one locus of bureaucratic power, which makes the story in FOIA This! The Depressing State of Open Data a non-surprise:

In our latest look at FOIA around the world, we examine the state of open data sets. According to the new report by the World Wide Web Foundation, the news is not good.

“The number of global truly open datasets remains at a standstill,” according to the group’s researchers, who say that only seven percent of government data is fully open.

The findings come in the fourth edition of the Open Data Barometer, an annual assessment which was enlarged this year to include 1,725 datasets from 15 different sectors across 115 countries. The report summarizes:

Only seven governments include a statement on open data by default in their current policies. Furthermore, we found that only 7 percent of the data is fully open, only one of every two datasets is machine readable and only one in four datasets has an open license. While more data has become available in a machine-readable format and under an open license since the first edition of the Barometer, the number of global truly open datasets remains at a standstill.

Based on the detailed country-by-country rankings, the report says some countries continue to be leaders on open data, a few have stepped up their game, but some have slipped backwards.

With open data efforts at a standstill and/or sliding backwards, waiting for bureaucrats to voluntarily relinquish power is a non-starter.

There are other options.

Need I mention the Office of Personnel Management hack? The highly touted but apparently fundamentally vulnerable NSA?

If you need a list of cyber-vulnerable U.S. government agencies, see: A-Z Index of U.S. Government Departments and Agencies.

You can:

  • wait for bureaucrats to abase themselves,
  • post how government “…ought to be transparent and accountable…”,
  • echo opinions of others on calling for open data,

or, help yourself to government collected, generated, or produced data.

Which one do you think is more effective?

Theresa May (UK) Out Dumbs Donald Trump (USA)

Monday, June 5th, 2017

Theresa May (UK) has made a dumber proposal than Donald Trump (USA), at least this week. But it is only Monday.

The Independent reports Theresa May is calling for regulation of the internet, after the van and knife attack on London Bridge.

From the story:


“We cannot allow this ideology the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services provide,” Ms May said.

“We need to work with allied democratic governments to reach international agreements to regulate cyberspace to prevent the spread of extremist and terrorism planning.”

She warned there was “a new trend in the threat we face” and that while the three recent terror attacks in the UK were not linked by “common networks”, they were “bound together by the single evil ideology of Islamic extremism”.

Completely unhinged.

Do take the threats of regulation seriously.

Search for and publish 0Days upon discovery. Computers that are breached may belong to governments attempting to regulate the internet. Any diminishing of their capabilities and/or secrecy is a win for everyone.

Crowd-Funding Public Access to NSA Tools!

Tuesday, May 30th, 2017

Awesome! (with a caveat below)

Shadow Brokers Response Team is creating open & transparent crowd-funded analysis of leaked NSA tools.

The group calling itself the Shadow Brokers have released several caches of exploits to date. These caches and releases have had a detrimental outcome on the Internet at large, one leak especially resulted in the now-infamous WannaCry ransomware worm – others have been used by criminal crackers to illegally access infrastructure. Many have been analysing the data to determine its authenticity and impact on infrastructure, as a community it has been expressed that the harm caused by exploits could have been mitigated against had the Shadow Brokers been paid for their disclosures.

The leaks of information seen so far have included weaponized reliable exploits for the following platforms:

  • Cisco
  • Juniper
  • Solaris
  • Microsoft Windows
  • Linux

The Shadow Brokers have announced they are offering a “monthly dump” service which requires a subscription of 100 ZCASH coins. Currently this is around £17688.29 but could change due to the fleeting nature of cryptocurrency. By paying the Shadow Brokers the cash they asked for we hope to pool resources and avert any future WannaCry type incidents. This patreon is a chance for those who may not have large budgets (SME, startups and individuals) in the ethical hacking and whitehat community to pool resources and buy a subscription for the new monthly released data.

The goal here is to raise sufficient funds from interested parties to purchase a subscription to the new data leak. We are attempting to perform the following task:

  • Raise funds to purchase 100 ZCASH coins
  • Purchase 100 ZCASH coins from a reputable exchange
  • Transfer 100 ZCASH coins to ShadowBrokers with email address
  • Access the data from the ShadowBrokers and distribute to backers
  • Perform analysis on data leak and ascertain risk / perform disclosures

The Shadow Brokers have implied that the leak could be any of the following items of interest:

  • web browser, router, handset exploits and tools
  • newer material from NSA ops disk including Windows 10 exploits
  • misc compromised network data (SWIFT or Nuclear programmes)
  • … (emphasis in original)

An almost excellent plan that, with enough contributors, reduces the risk to any one person to a manageable level.

Two-hundred and fifty contributors at $100 each, makes the $25,000 goal. That’s quite doable.

My only caveat is the “…whitehat ethical hacker…” language for sharing the release. Buying a share in the release should be just that, buying a share. What participants do or don’t do with their share is not a concern.

Kroger clerks don’t ask me if I am going to use flour to bake bread for the police and/or terrorists.

Besides, the alleged NSA tools weren’t created by “…whitehat ethical hackers….” Yes? No government has a claim on others to save them from their own folly.

Any competing crowd-funded subscriptions to the Shadow Brokers release?

Hacking Fingerprints (Yours, Mine, Theirs)

Thursday, May 25th, 2017

Neural networks just hacked your fingerprints by Thomas McMullan.

From the post:

Fingerprints are supposed to be unique markers of a person’s identity. Detectives look for fingerprints in crime scenes. Your phone’s fingerprint sensor means only you can unlock the screen. The truth, however, is that fingerprints might not be as secure as you think – at least not in an age of machine learning.

A team of researchers has demonstrated that, with the help of neural networks, a “masterprint” can be used to fool verification systems. A masterprint, like a master key, is a fingerprint that can open many different doors. In the case of fingerprint identification, it does this by tricking a computer into thinking the print could belong to a number of different people.

“Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting,” the researchers – Philip Bontrager, Julian Togelius and Nasir Memon – claim in a paper.

The tweet that brought this post to my attention didn’t seem to take this as good news.

But it is, very good news!

Think about it for a moment. Who is most likely to have “strict security settings?”

Your average cubicle dweller/home owner or …, large corporation or government entity?

What is more, if you, as a cubicle dweller are ever accosted for a breach of security, leaking fingerprint protected files, etc., what better defense than known spoofing of fingerprints?

Not that you would be guilty of such an offense but it’s always nice to have a credible defense in addition to being innocent!

For further details:

DeepMasterPrint: Generating Fingerprints for Presentation Attacks by Philip Bontrager, Julian Togelius, Nasir Memon.

Abstract:

We present two related methods for creating MasterPrints, synthetic fingerprints that a fingerprint verification system identifies as many different people. Both methods start with training a Generative Adversarial Network (GAN) on a set of real fingerprint images. The generator network is then used to search for images that can be recognized as multiple individuals. The first method uses evolutionary optimization in the space of latent variables, and the second uses gradient-based search. Our method is able to design a MasterPrint that a commercial fingerprint system matches to 22% of all users in a strict security setting, and 75% of all users at a looser security setting.

Defeating fingerprints as “conclusive proof” of presence is an important step towards freedom for us all.

China Draws Wrong Lesson from WannaCry Ransomware

Tuesday, May 23rd, 2017

Chinese state media says US should take some blame for cyberattack

From the post:


China’s cyber authorities have repeatedly pushed for what they call a more “equitable” balance in global cyber governance, criticizing U.S. dominance.

The China Daily pointed to the U.S. ban on Chinese telecommunication provider Huawei Technologies Co Ltd, saying the curbs were hypocritical given the NSA leak.

Beijing has previously said the proliferation of fake news on U.S. social media sites, which are largely banned in China, is a reason to tighten global cyber governance.

The newspaper said that the role of the U.S. security apparatus in the attack should “instill greater urgency” in China’s mission to replace foreign technology with its own.

The state-run People’s Daily compared the cyber attack to the terrorist hacking depicted in the U.S. film “Die Hard 4”, warning that China’s role in global trade and internet connectivity opened it to increased risks from overseas.

China is certainly correct to demand a place at the table for China and other world powers in global cyber governance.

But China is drawing the wrong lesson from the WannaCry ransomware attacks if that is used as a motivation for closed source Chinese software to replace “foreign” technology.

NSA staffers may well be working for Microsoft and/or Oracle, embedding NSA produced code in their products. With closed source code, it isn’t possible to verify the absence of such code or to prevent its introduction.

Sadly, the same is true if closed source code is written by Chinese programmers, some of whom may have agendas, domestic or foreign, of their own.

The only defense to rogue code is to invest in open source projects. Not everyone will read every line of code, but being available to be read is a deterrent to obvious subversion of an application’s security.

China should have “greater urgency” to abandon closed source software, but investing in domestic closed source only replicates the mistake of investing in foreign closed source software.

Opensource projects cover every office, business and scientific need.

Chinese government support for Chinese participation in existing and new opensource projects can make these projects competitors to closed and potential spyware products.

The U.S. made the closed source mistake for critical cyber infrastructure. China should not make the same mistake.

Fiscal Year 2018 Budget

Tuesday, May 23rd, 2017

Fiscal Year 2018 Budget.

In the best pay-to-play tradition, the Government Publishing Office (GPO) has these volumes for sale:

America First: A Budget Blueprint To Make America Great Again By: Executive Office of the President, Office of Management and Budget. GPO Stock # 041-001-00719-9 ISBN: 9780160937620. Price: $10.00.

Budget of the United States Government, FY 2018 (Paperback Book) By: Executive Office of the President, Office of Management and Budget. GPO Stock # 041-001-00723-7 ISBN: 9780160939228. Price: $38.00.

Appendix, Budget of the United States Government, FY 2018 By: Executive Office of the President, Office of Management and Budget GPO Stock # 041-001-00720-2 ISBN: 9780160939334. Price: $79.00.

Budget of the United States Government, FY 2018 (CD-ROM) By: Executive Office of the President, Office of Management and Budget GPO Stock # 041-001-00722-9 ISBN: 9780160939358. Price: $29.00.

Analytical Perspectives, Budget of the United States Government, FY 2018 By: Executive Office of the President, Office of Management and Budget. GPO Stock # 041-001-00721-1 ISBN: 9780160939341. Price: $56.00.

Major Savings and Reforms: Budget of the United States Government, Fiscal Year 2018 By: Executive Office of the President, Office of Management and Budget. GPO Stock # 041-001-00724-5 ISBN: 9780160939457. Price: $35.00.

If someone doesn’t beat me to it (very likely), I will either upload the CD-ROM or point you to a location with the contents of the CD-ROM.

As citizens, whether you voted or not, you should have the opportunity to verify news accounts, charges and counter-charges with regard to the budget.

Open Source Data Jeopardizing Cleared Personnel:… (School Yearbooks?)

Wednesday, May 17th, 2017

Open Source Data Jeopardizing Cleared Personnel: Intelligence Operations Outsmarted by Technology by Alexander H. Georgiades.

Abstract:

The availability and accessibility of Open Source Intelligence (OSINT) combined with the information from data breaches has affected cleared personnel in the United States Intelligence Community (IC) and Department of Defense (DoD) who conduct and support intelligence operations. This information, when used in conjunction with biometric detection technology at border crossings, has greatly improved the likelihood of cleared personnel from the United States Government (USG) being identified and targeted by adversaries. The shift from traditional Tactics, Techniques, and Procedures (TTPs) used by cleared personnel (either operating in an overt or covert status) during the Cold War, when biometric technology was not an obstacle, has caught the United States government intelligence services off-guard when conducting sensitive missions Outside of the Continental United States (OCONUS).

The consequences of not maintaining updated software and hardware standards have already affected U.S. intelligence operations and exposed cleared personnel. The computer breach at the Office of Personnel Management (OPM), where millions of sensitive records from cleared personnel in the private and public sectors were compromised, is the most recent example. This unprecedented loss of Personally Identifiable Information (PII) has been the unfortunate wakeup call needed for decision makers in the United States government to reevaluate how they handle, collect, store, and protect the information of cleared personnel in this digital age.

The analysis of competing hypotheses and other predictive analytical methods will be used to evaluate the data available to adversaries who target cleared personnel and the intelligence operations they support. Case studies, news articles, books, government, and industry reports will be used as supporting evidence to illustrate how the growth in biometric detection technology use in conjunction with the availability of OSINT and material from data breaches adversely affects intelligence operations.

The amount of information available to adversaries is at an unprecedented level. Open source forums provide detailed information about cleared personnel and government TTPs that can be used by adversaries to unravel intelligence operations, target cleared personnel, and jeopardize USG equities (such as sources and methods) in the field. The cleared workforce must learn from mistakes of complacency and poor tradecraft in the past to develop new methodologies to neutralize the effectiveness of adversaries who use OSINT and biometric technology to their advantage.

Social media use by cleared employees who reveal too much operational information about themselves or the projects they work on is one of the gateways that can be easily closed to adversaries. Cleared personnel must be mandated to limit the amount of information they publish online. By closing the door to social media and preventing the personal and professional lives of the cleared workforce from being used to target them, adversaries would not be as effective in jeopardizing or exposing intelligence operations overseas. Increased Operational Security (OPSEC) procedures must also be mandated to protect the programs and operations these cleared personnel work on, with an emphasis on covert officers who use false personas when operating overseas.

The information bridges that were created after September 11, 2001 to increase collaboration must be reevaluated to determine if the relaxation of classified information safeguards and storage of sensitive information is now becoming detrimental to USG intelligence operations and cleared personnel.

As you know, I have little sympathy for the Intelligence Community (IC), creators of the fishbowl in which we commonly reside. Members of the IC sharing that fate has a ring of justice to it.

This thesis offers a general overview of the problem and should spark ideas for open source intelligence that can be used to corroborate or contradict other sources of intelligence.

By way of example, educational records are easy enough to edit and convincing to anyone unaware they have been edited.

On the other hand, original yearbooks, digitized copies of them, or similar resources printed at the time are not so easily manipulated: a cover identity cannot be inserted into a yearbook that was printed decades ago, and its absence from that yearbook contradicts the edited record.

As I say that, tracking every child from first grade through the end of their academic career is eminently doable, with the main obstacle being acquisition of the original yearbooks.

Cross-reference those with other large collections of photos and the project starts to sound useful to any number of governments, especially those worried about operatives from Western countries.

Are you worried about Western operatives?

Memo To File (Maybe Bad OpSec)

Wednesday, May 17th, 2017

What an FBI memo like Comey’s on Trump looks like by Josh Gerstein.

From the post:

The existence of memos that former FBI Director James Comey reportedly prepared detailing his conversations with President Donald Trump about the bureau’s Russia investigation is far from shocking to FBI veterans, who say documenting such contacts in highly sensitive investigations is par for the course.

“A conversation with a subject of an investigation is evidentiary, no matter what is discussed,” said former FBI official Tom Fuentes, who stressed that he doesn’t know what the president’s status is with respect to the ongoing probe of Russia’s alleged meddling in the 2016 election. “Any conversation with Trump is going to be noteworthy….If you drop dead of a heart attack, your successor is going to want to know what was going on, so you would record that whether it’s to aid your future memory or for a successor two or three years down the line.”

Comey documented Trump’s request to curtail the FBI investigation into Russian meddling in the 2016 election the day after former national security adviser Michael Flynn resigned, according to a New York Times report subsequently confirmed by a source to POLITICO. The White House has denied the president made any such request.

A “memo to file” isn’t complicated and, especially if done on a routine basis, has high value as evidence. Gerstein includes a link to an actual “memo to file” (see his post).

I mention this because a practice of “memo to file,” much like Nixon’s Watergate tapes, can prove to be a two-edged sword.

Like calendars, travel logs, expense records, etc., a series of “memo(s) to file” may not agree with your current memory of events. The “record” will be presumed to be more reliable than your present memory.

Just a warning to make sure the record you preserve is the one you want quoted back to yourself in the future.

Don’t Blame NSA For Ransomware Attack!

Wednesday, May 17th, 2017

Stop Blaming NSA For The Ransomware Attack by Patrick Tucker.

Most days I think the NSA should be blamed for everything from global warming to biscuits that fail to rise.

But for leaked cyber weapons? No blame whatsoever.

Why? The answer lies in how the NSA processes vulnerabilities.

From the post:


“You’ve heard my deputy director say that in excess of 80-something percent of the vulnerabilities are actually disclosed—responsibly disclosed —to the vendors so that they can then actually patch and remediate for that,” Curtis Dukes, NSA’s former deputy national manager for national security systems, said at an American Enterprise Institute event in October. “So I do believe it’s a thoughtful process that we have here in the U.S.”

Dukes said the impetus to conceal an exploit vanishes when it is used by a criminal gang, adversarial nation, or some other malefactor.

We may choose to restrict a vulnerability for offensive purposes, like breaking into an adversary’s network, he said. But that doesn’t mean we’re not also constantly looking for signs whether another nation-state or criminal network has actually found that same vulnerability and now are using it. As soon as we see any indications of that, then that decision immediately flips, and we move to disseminate and remediate.

You may think that is a “thoughtful process” but that’s not why I suggest the NSA should be held blameless.

Look at the numbers on vulnerabilities:

Roughly 80% disclosed by the NSA for remediation.

Roughly 20% concealed by the NSA.

Complete NSA disclosure would mean the 20% now concealed vanishes for everyone, not just for the NSA.

That damages everyone seeking government transparency.

Don’t wave your arms in the air crying “ransomware! ransomware! Help me! Help me!” or “Blame the NSA! Blame the NSA!”

Use FOIA requests, leaks and cyber vulnerabilities to peel away governments’ secrecy like lettuce, one leaf at a time.