Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

Tor users could be FBI’s main target if legal power grab succeeds by Lisa Vaas.

From the post:

The US Department of Justice (DOJ) is proposing a power grab that would make it easier for domestic law enforcement to break into computers of people trying to protect their anonymity via Tor or other anonymizing technologies.

That’s according to a law professor and litigator who deals with constitutional issues that arise in espionage, cybersecurity and counterterrorism prosecutions.

Ahmed Ghappour, a visiting professor at UC Hastings College of the Law, San Francisco, explained the potential ramifications of the legal maneuver in a post published last week.

I dislike government surveillance as much as anyone but let’s get the facts about surveillance straight before debating it.

For example, Lisa says:

…make it easier for domestic law enforcement to break into computers of people trying to protect their anonymity via Tor… (emphasis added)

Certainly gets your attention but I’m with Bill Clinton, it depends on what you mean by “easier.”

If you mean “easier,” as in breaking Tor or other technologies, in a word: NO.

If you mean “easier,” as in issuance of search warrants, YES.

The “…power grab….” concerns re-wording of Rule 41 Search and Seizure of the Federal Rules of Criminal Procedure (Herein, Rule 41.).

Section (b) of Rule 41 sets out who can issue a search and seizure warrant and just as importantly, where the person or evidence can be located. The present rules of section (b) can be summarized as:

1. Person or property located within a district
2. Person or property outside a district, if located within the district when issued but might move before execution of the warrant
3. Person or property within or outside a district (terrorism)
4. Person or property to be tracked within, without a district or both
5. Person or property located outside a district or state but within (A) US territory, possession, or commonwealth; (diplomatic/consular locations)

(There are other nuances I have omitted in order to focus on location of the person and property to be seized.)

Rule 41 (b) defines where the person or property to be seized may be located.

With that background, consider the proposed amendment to Rule 41:

(6) a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside the district if:

(A) the district where the media or information is located has been concealed through technological means; or

(B) in an investigation of a violation of 18 U.S.C. Sec. 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.

The issue is whether the same terms of present Rule 41 (b) (3) in terrorism cases should be expanded to other cases where the location of “media or information…has been concealed through technological means.”

Professor Ahmed Ghappour, in Justice Department Proposal Would Massively Expand FBI Extraterritorial Surveillance is concerned that searches for electronic media at unknown locations will of necessity result in searches of computers located in foreign jurisdictions. No doubt that is the case because to “not know the location of media or information” means just that, you don’t know. Could be on a domestic computer or a foreign one. Unless and until you find the “media or information,” its location will remain unknown.

In the interest of cooperation with foreign law enforcement and some lingering notion of “jurisdiction” of a court being tied to physical boundaries (true historically speaking), Professor Ghappour would resist expanding the same jurisdiction in Rule 41 (b)(3) to non-terrorism crimes under proposed Rule 41 (b)(6)(A).

The essence of the “unknown server location” argument is that United States courts can issue search warrants, if the government can identify the location of a target server, subject to the other provisions of Rule 41. But since Tor prevents discovery of a server location, ipso facto, no search warrant.

To be fair to the government, a physical notion of jurisdiction for search and seizure warrants, as embodied in Rule 41, is a historical artifact and not essential to the Fourth Amendment for U.S. citizens:

The rights of the people to be secure in their persons, houses, papers, and effects, against unreasonable searchers and seizures, shall not be violated; and no Warrants shall issue but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The government’s often flat-footed response to technology is a common topic of conversation. Here an attempt by government to adapt to modern computer network reality is said to be too far and too fast.

Despite my sympathies being with the hare and not the hounds, I don’t think the law should foster an evidentiary shell game based upon antiquated notions of physical jurisdiction. (Leaving it to the government to procure the information it seeks without assistance from innocent bystanders. See Note 1)

Note 1: I don’t see this as contrary to my position in Resisting Tyranny – Customer-Centric-Cloud (CCCl). The issue there was a subpoena to Microsoft for data held in a foreign server. I think Cloud operators have a fiduciary duty to their customers that is prior and superior to the claims of any particular court. If the FBI can obtain the information on such servers with a warrant, on its own, then it should do so. But courts should not be able to press gang others to assist in local law enforcement activities.

Note 2: You may want to review the Advisory Committee on Criminal Rules, New Orleans, April 7-8, 2014 for background materials on the proposed change to Rule 41. Review the Annotated Constitution chapter on Search and Seizure for Fourth Amendment issues.

Note 3: If you are looking for an amusing example for parsing, try 18 U.S.C. Sec. 1030. Far clearer than any part of the Internal Revenue Code or its regulations but still complicated enough to be amusing.

Deploying Dionaea on a Raspberry Pi using MHN

A complete with screenshots guide to installing Dionaea on a Raspberry Pi.

MHN = Modern Honey Network.

With enough honeypots, do you think a “crowd” could capture most malware within days of its appearance?

I guess the NSA needs to run a honeypot inside its network firewalls. 😉

I first saw this in a tweet by Jason Trost.

Germany dumps Verizon for government work over NSA fears by David Meyer.

From the post:

The German government is ditching Verizon as its network infrastructure provider, and it’s citing Edward Snowden’s revelations about NSA surveillance as a reason.

David summarizes and gives pointers to all the statements you will need for “thank you” notes to the NSA or complaints to the current and past administrations.

United States citizens don’t need to worry about possible terrorist attacks. Our own government agencies are working to destroy any trust or confidence in U.S. technology companies. Care to compare that damage to the fictional damage from imagined terrorists?

Are there terrorists in the world? You bet. But the relevant question is: Other than blowing smoke for contracts and appropriations, what real danger exists for average U.S. citizen?

I read recently that “6 times more likely to die from hot weather than from a terrorist attack.” For similar numbers and sources, see: Fear of Terror Makes People Stupid.

Let’s not worry the country into the poor house over terrorism.

When anyone claims we are in danger from terrorism, press them for facts. What data? What intelligence? Press for specifics.

If they claim the details are “secret,” know that they don’t know and don’t want you to know they don’t know. (Remembering the attack that was going to happen at the Russian Olympics. Not a threat, not a warning, but was going to happen. Which didn’t happen, by the way.)

Governments let NSA tap cables on their territory, latest Snowden revelations show by David Meyer.

David has a great summary of recent Snowden leaks that make it clear that multiple governments were cooperating with the NSA tapping efforts.

From the post:

Who’s in? Some of these “third-party”, non-Five Eyes partners, as listed in other Snowden documents: Algeria, Austria, Belgium, Croatia, the Czech Republic, Denmark, Ethiopia, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Jordan, Macedonia, the Netherlands, Norway, Pakistan, Poland, Romania, Saudi Arabia, Singapore, South Korea, Spain, Sweden, Taiwan, Thailand, Tunisia, Turkey and the United Arab Emirates.

Assuming that the storage issues could be solved, the NSA could at the very least support itself by selling copies of intercepted conversations, email, etc. On the open market with eBay style bidding.

How much would you pay to hear a conversation between Obama and Putin?

Would not solve the privacy issue but would make the NSA less of a drain on US taxpayers.

The best defense against surveillance in the cloud is strong locks, says Amazon CTO Werner Vogels by Mathew Ingram.

From the post:

Although fear of government surveillance has made Amazon’s job more challenging when it comes to selling the benefits of cloud data storage, Amazon’s chief technology officer Werner Vogels told attendees at the Structure conference in San Francisco that the company continues to see strong growth in demand both inside and outside the United States, and it is responding to customers concerns about surveillance by stressing two things: strong encryption and the control that Amazon and its AWS infrastructure give to users.

Vogels described how Neelie Kroes, digital commissioner for the European Commission, said in a recent speech that no matter what regulations countries have around privacy or surveillance, hackers and spies will always try to get around them, and so the best defense isn’t a good lawyer, it’s a good lock — and Amazon “has the best locks,” Vogels said. “The point is that the customer needs to be in control of their data, and we give them full confidence that no one is going to access their data but themselves.”
…

You may enjoy the interview if you are looking for reassurance. If you are looking for security advice, drive on.

One example to rebut the “strong lock” argument. The NSA no doubt has pages of protocol about sysadmins changing their passwords, etc. So from a lock standpoint, the NSA had some rocking locks!

Except, some of the key holders to the locks decided to share their keys. Oh.

Locks are only one part, an important one but still just one, of a complex of measures that define “security” for an entity.

Anyone who says differently, is selling you a partial solution to your security problems.

NSA Playset invites hackers to ‘play along with the NSA’ by Violet Blue.

From the post:

Inspired by the NSA’s ANT Catalog of spyware and surveillance tools, The NSA Playset project invites hackers to reproduce easy, at-home versions of the NSA’s spy-tools arsenal — and NSA-style silly names are required.

The NSA’s ANT Catalog was among documents leaked by Edward Snowden. It revealed 49 different software and hardware tools used for espionage on civilian targets. For hackers, it’s an irresistible Pandora’s Box.
…

What item from the NSA ANT Catalog do you want to help build?

PS: Remember the NSA ANT Catalog dates from 2008 so adjust prices for commercial licensing accordingly.

Barb Darrow interviews IBM’s Lance Crosby (SoftLayer CEO within IBM) and at or about time mark 27:00, asks about trusting data to U.S. based companies:

Crosby responds:

My response is protect your data against any third party — whether it’s the NSA, other governments, hackers, terrorists, whatever…” he noted. “I say let’s stop worrying about the NSA and start talking about encryption and VPNs and all the ways you can protect yourself. Yes the NSA got caught but they’re not the first and won’t be the last.

Who did Crosby omit?

Your U.S.-based vendor..

How do you protect your data from your own vendor? That’s the question that Crosby so neatly ducks.

Crosby is speaking at Structure 2014. If you are attending, be sure to ask him,

“How do we protect our data from IBM if IBM is our cloud vendor?”

In all fairness, please revise and ask the same question of other cloud vendors as well.

Today, all of your data held by a U.S.-based vendor is just one court order away from being in the possession of the United States government. Who can use it, share it with competitors, etc.

Governments who want to promote the cloud will create exempt from government process mechanisms for data centers, their owners and staff, to be free from all government requests for data.

Governments who don’t want to promote the cloud and economic growth, well, they won’t have such mechanisms.

This could be the golden moment when multi-national vendors to become truly multi-national as opposed to being surrogates for the United States government.

Quotes from and commentary based on: Why we need to stop freaking out about the NSA and get on with business.

Everything is Broken by Quinn Norton.

From the post:

Once upon a time, a friend of mine accidentally took over thousands of computers. He had found a vulnerability in a piece of software and started playing with it. In the process, he figured out how to get total administration access over a network. He put it in a script, and ran it to see what would happen, then went to bed for about four hours. Next morning on the way to work he checked on it, and discovered he was now lord and master of about 50,000 computers. After nearly vomiting in fear he killed the whole thing and deleted all the files associated with it. In the end he said he threw the hard drive into a bonfire. I can’t tell you who he is because he doesn’t want to go to Federal prison, which is what could have happened if he’d told anyone that could do anything about the bug he’d found. Did that bug get fixed? Probably eventually, but not by my friend. This story isn’t extraordinary at all. Spend much time in the hacker and security scene, you’ll hear stories like this and worse.

It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken.
…

Your reaction may be different but I took Quinn’s essay as a breath of fresh air.

Seriously. The predictions of a computer assisted nirvana emerging from big data, graphs, participation, etc. are tiresome. Not to mention false.

Quinn does a great job of outlining the current problems with computers and computing as well as fixing the blame for the same.

Take a look in the mirror.

Yep, it isn’t some evildoer lurking behind a tree.

True, evildoers may take advantage of the system we have allowed to happen, but that’s a symptom and not a cause.

Read Quinn’s essay and decide how your participation is going to change in what we have wrought.

I first saw this in Nat Torkington’s Four short links: 21 May 2014.

DHS warns against using Internet Explorer until bug is patched by Mark Hachman.

From the post:

A vulnerability discovered in Internet Explorer over the weekend is serious—serious enough that the Department of Homeland Security is advising users to stop using it until it’s been patched.

On Monday, the United States Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, weighed in.

“US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer,” it said in a bulletin. “This vulnerability affects IE versions 6 through 11 and could lead to the complete compromise of an affected system.

Two questions that need answering:

First, how long as the NSA know about this vulnerability? Thinking the government should be helping the public and software vendors.

Second, is this really a zero-day bug? I ask because the source of the announcement was Microsoft itself. I thought “zero-day” referred to the advance notice given to the vendor before a bug is publicly identified. Yes?

CERF: Classified NSA Work Mucked Up Security For Early TCP/IP by Paul Roberts.

From the post:

Did the National Security Agency, way back in the 1970s, allow its own priorities to stand in the way of technology that might have given rise to a more secure Internet? You wouldn’t be crazy to reach that conclusion after hearing an interview with Google Vice President and Internet Evangelist Vint Cerf on Wednesday.

As a graduate student in Stanford in the 1970s, Cerf had a hand in the creation of ARPANet, the world’s first packet-switched network. He later went on to work as a program manager at DARPA, where he funded research into packet network interconnection protocols that led to the creation of the TCP/IP protocol that is the foundation of the modern Internet.

Cerf is a living legend who has received just about every honor a technologist can: including the National Medal of Technology, the Turing Award and the Presidential Medal of Freedom. But he made clear in the Google Hangout with host Leo Laporte that the work he has been decorated for – TCP/IP, the Internet’s lingua franca – was at best intended as a proof of concept, and that only now – with the adoption of IPv6 – is it mature (and secure) enough for what Cerf called “production use.”

Specifically, Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPV6, the latest version of the IP protocol with its integrated network-layer security and massive 128 bit address space. IPv6 is only now beginning to replace the exhausted IPV4 protocol globally.
…

Paul later points out that we can’t know the impact of then available security would have had on the creation and adoption of the Internet.

Fair point.

And there isn’t any use in crying over spilled milk.

However, after decades of lying, law breaking and trying to disadvantage the population it is alleged to serve, why isn’t Congress defunding the NSA now?

If an agency has a proven track record of law-breaking and lying to Congress, what reason is there to credit any report, any statement or any information the NSA claims to have gathered?

You know the saying: Fool me once, shame on you. Fool me twice, shame on me?

The entire interview:

If you aren’t worried about privacy, human rights, etc., let’s make it a matter of dollars and cents.

Think about the economic losses and expenses of your enterprise from an insecure Internet or the profits you could be making with a secure Internet.

The NSA has been at war against your commercial interests for as long as the Internet has existed. If you are serious about the Internet and information, then it is time to rid everyone of the #1 drag on ecommerce, the NSA.

Introducing the iOS Reverse Engineering Toolkit by Stephen Jensen.

From the post:

It should be the goal of every worker to expend less time and energy to achieve a task, while still maintaining, or even increasing, productivity. As an iOS penetration tester, I find myself repeating the same manual tasks for each test. Typing out the same commands to run various tools that are required to help me do my job. And to be honest, it’s completely monotonous. Every time I fat-finger a key, I lose productivity, forcing me to expend more time and energy to achieve the task. I’m a fan of automation. I’m a fan of streamlined innovation that saves me time and still accomplishes, for the most part, the same results. It was this desire to save time, and reduce my likelihood of suffering from carpal tunnel, that I created the iOS Reverse Engineering Toolkit.

It’s close enough to the weekend to start looking for interesting diversions.

Does anybody know if NSA staff use iPhones or not? 😉

They can hardly complain about the ethics of surveillance. Yes?

You have heard the phrase “ugly Americans,” but have you heard “nosy Americans?”

Lee Munson reports in NSA can record 100% of another country’s telephone calls that:

The National Security Agency (NSA) has the ability to record every single one of a foreign country’s telephone calls and then play the conversations back up to a month after recording, according to a report by The Washington Post.

The NSA program, which begun in 2009, is known as MYSTIC.

MYSTIC, according to the Post, is used to intercept conversations in just one (undisclosed) country, but planning documents show that the NSA intends to use the system in other countries in the future.

The really sad part is when you read:

The Washington Post says, at the request of US officials, it will not reveal the country in question, or any other nation where the system has been planned to be put to use. It is, however, quite likely that calls made to or from that nation will include American citizens.

I must have missed the ballot when United States citizens elected the Washington Post to decide on our behalf what facts we need to hear, and those we don’t.

And I don’t have a lot of sympathy for the argument that surveillance may include American citizens.

Its an easy argument to make constitutionally, but if you denigrate the rights of others based on citizenship, the soccer fields aren’t as far away as you think. (But they will be in non-U.S. territory.)