Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

September 13, 2016

Investigatory Powers Bill As Amended In Committee

Filed under: Government,Privacy — Patrick Durusau @ 7:31 pm

For those of you watching the UK’s plunge into darkness, the Investigatory Powers Bill, as amended in committee, has been posted online.

Apologies for the lite amount of posting today but a very large data dump was released earlier today that distracted me from posting. 😉

September 12, 2016

Invite Government Into The Cellphone Fish Bowl

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 4:25 pm

Long-Secret Stingray Manuals Detail How Police Can Spy On Phones by Sam Biddle.

Sam summarizes the high points from around 200 pages of current but never seen before Harris instruction manuals. Good show!

From the post:


Harris declined to comment. In a 2014 letter to the Federal Communications Commission, the company argued that if the owner’s manuals were released under the Freedom of Information Act, this would “harm Harris’s competitive interests” and “criminals and terrorist[s] would have access to information that would allow them to build countermeasures.”

Creating countermeasures?

Better, treat these documents as a basis for reverse-engineering Harris Stingrays into DIY kits.

False promises from known liars on use of “Stingray”s or “IMSI catchers” are not going to combat government abuse of this technology.

Inviting governments to join the general public in the cellphone fish bowl might.

Can you imagine the reaction of your local sheriff, district attorney, judge, etc. when they are being silently tracked?

Not just in their routine duties but to mistresses, drug dens, prostitutes, porn parlors and the like?

We won’t have to wait long for the arrival of verifiable, secure cellphones.

September 1, 2016

Cop Stuff Catalog (dated, from 2014)

Filed under: Cybersecurity,Privacy — Patrick Durusau @ 9:15 pm

Introduction to Cobham Tactical Communications and Surveillance (PDF)

As a world-leader in its field, providing products and integrated surveillance solutions to law enforcement, military, national security and border patrol agencies, Cobham Tactical Communications & Surveillance offers innovative video, audio, tracking, locating, sensor, and covert surveillance solutions for government and civil agencies. (from page 2 of the PDF)

This catalog, described as “confidential” in Leaked Catalogue Reveals a Vast Array of Military Spy Gear Offered to U.S. Police, started circulating on Twitter on 1 September 2016.

The catalog is a hoot to read but if you follow the URL at the bottom of each page, www.cobham.com/tcs, you will be taken to later, public information on the same products.

More recent information I might add, as the catalog does not list the High Bandwidth Mesh – P5 (PDF), which is listed on the website.

I did not see online video concealment suggestions:

[Image: cobham-01-460]

So, perhaps the catalog is more useful than its date might indicate.

I understand the emphasis on U.S. police but this type of equipment is used by governments worldwide.

Countermeasures and/or duplicating these capabilities so the watchers can be watched are always a good idea.

PS: The outdoor trash can looks way too clean to be plausible. Besides, there are ways to create surprises with outdoor trash cans.

August 27, 2016

“…without prior written permission…” On a Public Website? Calling BS!

Filed under: Government,Privacy — Patrick Durusau @ 3:00 pm

I mentioned in Your assignment, should you choose to accept it…. that BAE Systems has been selling surveillance technology to the United Arab Emirates, the nice people behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

Since then, Joseph Cox posted: British Companies Are Selling Advanced Spy Tech to Authoritarian Regimes.

From his post:

Since early 2015, over a dozen UK companies have been granted licenses to export powerful telecommunications interception technology to countries around the world, Motherboard has learned. Many of these exports include IMSI-catchers, devices which can monitor large numbers of mobile phones over broad areas.

Some of the UK companies were given permission to export their products to authoritarian states such as Saudi Arabia, the United Arab Emirates, Turkey, and Egypt; countries with poor human rights records that have been well-documented to abuse surveillance technology.

“At a time when the use of these surveillance tools is still highly controversial in the UK, it is completely unacceptable that companies are allowed to export the same equipment to countries with atrocious human rights records or which lack rule of law altogether. There is absolutely a clear risk that these products can be used for repression and abuses,” Edin Omanovic, research officer at Privacy International, told Motherboard in an email.

Joseph’s report explains the technology and gives examples of some of the sales to the worst offenders. He also includes a link to the dataset of export sales.

Joseph obtained a list of the exporters from the UK Department for International Trade. But that list is included as an image. I created this HTML list from that image:

In an attempt to seem fierce, Cellxion Ltd has this unfriendly greeting at the bottom of their public homepage:

Your IP address, [**.**.**.**], has been recorded and all activity on this system is actively monitored. Under US Federal Law (18 U.S.C. 1030), United Kingdom Law (Computer Misuse Act 1990) and other international law it is a criminal offence to access or attempt to access this computer system without prior written authorisation from cellXion ltd. Any unauthorised attempt to access this system will be reported to the appropriate authorities and prosecuted to the full extent of the law. (emphasis added, I obscured my IP number)

What does Dogbert say? Oh, yeah,

Cellxion, kiss my wager!

As you already know, use TAILS, Tor and VPN as you pursue these leads.

Good hunting!

August 26, 2016

Germany and France declare War on Encryption to Fight Terrorism

Filed under: Cryptography,Encryption,Government,Privacy — Patrick Durusau @ 4:11 pm

Germany and France declare War on Encryption to Fight Terrorism by Mohit Kumar.

From the post:

Yet another war on Encryption!

France and Germany are asking the European Union for new laws that would require mobile messaging services to decrypt secure communications on demand and make them available to law enforcement agencies.

French and German interior ministers this week said their governments should be able to access content on encrypted services in order to fight terrorism, the Wall Street Journal reported.
(emphasis in original)

On demand decryption? For what? Rot-13 encryption?

The Franco-German text transmitted to the European Commission.

The proposal wants to extend current practices of Germany and France with regard to ISPs but doesn’t provide any details about those practices.

In case you have influence with the budget process at the EU, consider pointing out there is no, repeat no evidence that any restriction on encryption will result in better police work combating terrorism.

But then, what government has ever pushed for evidence-based policies?

Your assignment, should you choose to accept it….

Filed under: Government,Privacy,TeX/LaTeX,Unicode — Patrick Durusau @ 2:59 pm

You may (may not) remember the TV show, Mission Impossible. It had a cast of regulars who formed a spy team to undertake “impossible” tasks that could not be traced back to the U.S. government.

Stories like: BAE Systems Sells Internet Surveillance Gear to United Arab Emirates make me wish for a non-nationalistic, modern equivalent of the Mission Impossible team.

You may recall the United Arab Emirates (UAE) were behind the attempted hack of Ahmed Mansoor, a prominent human rights activist.

So much for the UAE needing spyware for legitimate purposes.

From the article:


In a written statement, BAE Systems said, “It is against our policy to comment on contracts with specific countries or customers. BAE Systems works for a number of organizations around the world, within the regulatory frameworks of all relevant countries and within our own responsible trading principles.”

The Danish Business Authority told Andersen it found no issue approving the export license to the Ministry of the Interior of the United Arab Emirates after consulting with the Danish Ministry of Foreign Affairs, despite regulations put in place by the European Commission in October 2014 to control exports of spyware and internet surveillance equipment out of concern for human rights. The ministry told Andersen in an email it made a thorough assessment of all relevant concerns and saw no reason to deny the application.

It doesn’t sound like any sovereign government is going to restrain BAE Systems and/or the UAE.

Consequences for their mis-deeds will have to come from other quarters.

Like the TV show started every week:

Your assignment, should you choose to accept it….

August 24, 2016

Secret Cameras Recording Baltimore’s…. [Watching the Watchers?]

Filed under: Government,Privacy,Video — Patrick Durusau @ 4:29 pm

Secret Cameras Recording Baltimore’s Every Move From Above by Monte Reel.

Unknown to the citizens of Baltimore, they have been under privately funded, plane-based video surveillance since the beginning of 2016.

The pitch to the city:

“Imagine Google Earth with TiVo capability.”

You need to read Monte’s article in full and there are names you will recognize if you watch PBS:

Last year the public radio program Radiolab featured Persistent Surveillance in a segment about the tricky balance between security and privacy. Shortly after that, McNutt got an e-mail on behalf of Texas-based philanthropists Laura and John Arnold. John is a former Enron trader whose hedge fund, Centaurus Advisors, made billions before he retired in 2012. Since then, the Arnolds have funded a variety of hot-button causes, including advocating for public pension rollbacks and charter schools. The Arnolds told McNutt that if he could find a city that would allow the company to fly for several months, they would donate the money to keep the plane in the air. McNutt had met the lieutenant in charge of Baltimore’s ground-based camera system on the trade-show circuit, and they’d become friendly. “We settled in on Baltimore because it was ready, it was willing, and it was just post-Freddie Gray,” McNutt says. The Arnolds donated the money to the Baltimore Community Foundation, a nonprofit that administers donations to a wide range of local civic causes.

I find the mention of Freddie Gray ironic, considering how truthful and forthcoming the city and its police officers were in that case.

If footage exists for some future Freddie Gray-like case, you can rest assured the relevant camera failed, the daily data output failed, a Rose Mary Woods erasure accident happened, etc.

From Monte’s report, we aren’t at facial recognition, yet, assuming his sources were being truthful. But we all know that’s coming, if not already present.

Many will call for regulation of this latest intrusion into your privacy, but regulation depends upon truthful data upon which to judge compliance. The routine absence of truthful data about police activities, both digital and non-digital, makes regulation difficult to say the least.

In the absence of truthful police data, it is incumbent upon citizens to fill that gap, both for effective regulation of police surveillance and for the regulation of police conduct.

The need for an ad-hoc citizen-based surveillance system is clear.

What isn’t clear is how such a system would evolve?

Perhaps a server that stitches together cellphone video based on GPS coordinates and orientation? From multiple cellphones? Everyone can contribute X seconds of video from any given location?

Would not be seamless but if we all target known police officers and public officials…, who knows how complete a record could be developed?

Crowdsourced-Citizen-Surveillance anyone?

Tor 0.2.8.7 is released, with important fixes

Filed under: Privacy,Tor — Patrick Durusau @ 3:31 pm

Tor 0.2.8.7 is released, with important fixes

From the post:

Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses option in 0.2.8.6, and replaces a retiring bridge authority. Everyone who sets the ReachableAddresses option, and all bridges, are strongly encouraged to upgrade.

You can download the source from the Tor website. Packages should be available over the next week or so.

For some reason, a link to the Tor website was omitted.

Upgrade and surf somewhat more securely. (Security never being absolute.)

Defame the French Police Today!

Filed under: Government,Privacy — Patrick Durusau @ 3:20 pm

Nice Officials Say They’ll Sue Internet Users Who Share Photos Of French Fashion Police Fining Women In Burkinis by Mike Masnick.

From the post:

This seems pretty ridiculous on all sorts of levels, but never think things are so ridiculous that some politicians can’t make them worse. Guillaume Champeau from the excellent French site Numerama alerts me to the news that the deputy mayor of Nice, Christian Estrosi is threatening to sue those who share these images over social media. Yup, France, a country that claims to pride itself on freedom is not just telling women that they can’t cover themselves up too much on the beach, but that it’s also illegal to report on the police following through on that. Here’s the awkward Google translation of the French report:

Christian Estrosi … has published a press release by the city of Nice, to announce that he would file a complaint against those who would broadcast pictures of municipal police verbalize women guilty of exercising what they believed to be their freedom to dress from head to feet on the beaches.

“Photos showing municipal police of Nice in the exercise of their functions have been circulating this morning on social networks and raise defamation and threats against these agents,” the statement said.

Wait. Showing accurate photos creates defamation against the police? How’s that work? Estrosi apparently says that legal actions have already been filed, though Numerama was unable to confirm any legal actions as yet. The article also notes that despite Estrosi implying otherwise, police do not have any sort of special protections that say they cannot be photographed while in public.

It’s not clear if you have to take the picture or merely share the picture.

Just in case sharing is enough, here is the picture from Mike’s post:

[Image: nice-burkini-01-460]

There are a number of variations on this image. I suppose all of them count as far as “defamation” of the police.

If reposting isn’t sufficient to defame the French police enforcing the burkini ban, please consider this post an active request for images of French police enforcing that ban.

August 22, 2016

What is a Stingray?

Filed under: Cybersecurity,Privacy — Patrick Durusau @ 4:16 pm

Pitched at an adult Sunday School level, which makes this perfect for informing the wider public about government surveillance issues.

Share this video far and wide!

For viewers who want more detail, direct them to: How IMSI Catchers Work by Jason Hernandez.

Every group has a persecution story so tie present day government surveillance to “…what if (historical) X had surveillance…” to drive your point home.

August 19, 2016

Report of the Bulk Powers Review

Filed under: Government,Privacy — Patrick Durusau @ 2:55 pm

Report of the Bulk Powers Review (PDF) by David Anderson Q.C. Independent Reviewer of Terrorism Legislation. (Web version)

From its webpage:

This report includes the findings of the independent review of the operational case for bulk powers, which will inform scrutiny of the Investigatory Powers Bill.

If you find yourself dissatisfied with the sound bite and excerpt commentaries on this report, you may find the two hundred and three (203) page full version more to your liking. At least in terms of completeness.

I have glanced at the conclusions but will refrain from commenting until reading the report in full. It is possible that Anderson will persuade me to change my initial impressions, although I concede that is highly unlikely.

August 10, 2016

How To Detect and Find Rogue Cell Towers

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 8:26 pm

How To Detect and Find Rogue Cell Towers by Brian Benchoff

Great promise but less than great delivery. Detection rig is described in general terms, but so general that replication would be quite time consuming.

A generally available solution to detect rogue cell towers has yet to appear.

When one does, will this sign be useful?

[Image: No_cellphone.svg-460]

What about custom balloons with that logo?

Think of detection and warning of rogue cell towers as a civic duty.

August 3, 2016

Telephone Metadata Can Reveal Surprisingly Sensitive Personal Information

Filed under: Government,Intelligence,Privacy,Telecommunications — Patrick Durusau @ 2:58 pm

Stanford computer scientists show telephone metadata can reveal surprisingly sensitive personal information by Bjorn Carey.

The intelligence community’s assertion that telephone metadata only enables “connecting the dots” has been confirmed to be a lie.

From the post:

Most people might not give telephone metadata – the numbers you dial, the length of your calls – a second thought. Some government officials probably view it as similarly trivial, which is why this information can be obtained without a warrant.

But a new analysis by Stanford computer scientists shows that it is possible to identify a person’s private information – such as health details – from metadata alone. Additionally, following metadata “hops” from one person’s communications can involve thousands of other people.

The researchers set out to fill knowledge gaps within the National Security Agency’s current phone metadata program, which has drawn conflicting assertions about its privacy impacts. The law currently treats call content and metadata separately and makes it easier for government agencies to obtain metadata, in part because it assumes that it shouldn’t be possible to infer specific sensitive details about people based on metadata alone.

The findings, reported today in the Proceedings of the National Academy of Sciences, provide the first empirical data on the privacy properties of telephone metadata. Preliminary versions of the work, previously made available online, have already played a role in federal surveillance policy and have been cited in litigation filings and letters to legislators in both the United States and abroad. The final work could be used to help make more informed policy decisions about government surveillance and consumer data privacy.

The computer scientists built a smartphone application that retrieved the previous call and text message metadata – the numbers, times and lengths of communications – from more than 800 volunteers’ smartphone logs. In total, participants provided records of more than 250,000 calls and 1.2 million texts. The researchers then used a combination of inexpensive automated and manual processes to illustrate both the extent of the reach – how many people would be involved in a scan of a single person – and the level of sensitive information that can be gleaned about each user.

From a small selection of the users, the Stanford researchers were able to infer, for instance, that a person who placed several calls to a cardiologist, a local drugstore and a cardiac arrhythmia monitoring device hotline likely suffers from cardiac arrhythmia. Another study participant likely owns an AR semiautomatic rifle, based on frequent calls to a local firearms dealer that prominently advertises AR semiautomatic rifles and to the customer support hotline of a major firearm manufacturer that produces these rifles.

One of the government’s justifications for allowing law enforcement and national security agencies to access metadata without warrants is the underlying belief that it’s not sensitive information. This work shows that assumption is not true.

See Carey’s post for the layperson’s explanation of the Stanford findings or dive into Evaluating the privacy properties of telephone metadata by Jonathan Mayer, Patrick Mutchler, and John C. Mitchell, for more detailed analysis. (Thankfully open access.)

Would law enforcement and national security agencies think telephone metadata is not sensitive if hackers were obtaining it from telecommunication companies and/or from the electromagnetic field where communication signals are found?

If you were interested only in law enforcement, national security agencies and governments, that is a much smaller set of data for tracking and processing.

Sounds like a business opportunity, depending on what country, their degree of technology, market conditions for pro/anti government data.

U.S. government satellites collect such data but it is shared (or not) for odd and obscure reasons.

I’m thinking more along the lines of commercial transactions between willing sellers and buyers.

Think of it as a Rent-An-NSA type venture. Customers don’t want or need 24×7 rivals for power. Properly organized, they could buy as much or as little intelligence as they need. Exclusive access to some intelligence would be a premium product.

July 27, 2016

The Right to be Forgotten in the Media: A Data-Driven Study

Filed under: Censorship,EU,Privacy — Patrick Durusau @ 4:55 pm

The Right to be Forgotten in the Media: A Data-Driven Study.

Abstract:

Due to the recent “Right to be Forgotten” (RTBF) ruling, for queries about an individual, Google and other search engines now delist links to web pages that contain “inadequate, irrelevant or no longer relevant, or excessive” information about that individual. In this paper we take a data-driven approach to study the RTBF in the traditional media outlets, its consequences, and its susceptibility to inference attacks. First, we do a content analysis on 283 known delisted UK media pages, using both manual investigation and Latent Dirichlet Allocation (LDA). We find that the strongest topic themes are violent crime, road accidents, drugs, murder, prostitution, financial misconduct, and sexual assault. Informed by this content analysis, we then show how a third party can discover delisted URLs along with the requesters’ names, thereby putting the efficacy of the RTBF for delisted media links in question. As a proof of concept, we perform an experiment that discovers two previously-unknown delisted URLs and their corresponding requesters. We also determine 80 requesters for the 283 known delisted media pages, and examine whether they suffer from the “Streisand effect,” a phenomenon whereby an attempt to hide a piece of information has the unintended consequence of publicizing the information more widely. To measure the presence (or lack of presence) of a Streisand effect, we develop novel metrics and methodology based on Google Trends and Twitter data. Finally, we carry out a demographic analysis of the 80 known requesters. We hope the results and observations in this paper can inform lawmakers as they refine RTBF laws in the future.

Not collecting data prior to laws and policies seems to be a trademark of the legislative process.

Otherwise, the “Right to be Forgotten” (RTBF) nonsense that only impacts searching and then only in particular ways could have been avoided.

The article does helpfully outline how to discover delistings, of which they discovered 283 known delisted links.

Seriously? Considering that Facebook has 1 Billion+ users, much ink and electrons are being spilled over a minimum of 283 delisted links?

It’s time for the EU to stop looking for mites and mole hills to attack.

Especially since they are likely to resort to outright censorship as their next move.

That always ends badly.

July 26, 2016

Gasp! “The Jihadists’ Digital Toolbox:…”

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 4:02 pm

The Jihadists’ Digital Toolbox: How ISIS Keeps Quiet on the Web by Jett Goldsmith.

From the post:

As the world dives deeper into the digital age, jihadist groups like ISIS and the Taliban have taken increasingly diverse measures to secure their communications and espouse their actions and ideas across the planet.

Propaganda has been a key measure of any jihadist group’s legitimacy since at least 2001, when al-Qaeda operative Adam Yahiye Gadahn established the media house As-Sahab, which was intended to spread the group’s message to a regional audience throughout Pakistan and Afghanistan.

Over the years, jihadist propaganda has taken a broader and more sophisticated tone. Al-Qaeda published the first issue of its digital newsmagazine, Inspire, in June of 2010. Inspire was aimed at an explicitly Western audience, and intended to call to jihad the would-be mujahideen throughout Europe and the United States.

When ISIS first took hold in Iraq and Syria, and formally declared its caliphate in the summer of 2014, the group capitalized on the groundwork laid by its predecessors and established an expansive, highly sophisticated media network to espouse its ideology. The group established local wilayat (provincial) media hubs, and members of its civil service distributed weekly newsletters, pamphlets, and magazines to citizens living under its caliphate. Billboards were posted in major cities under its control, including in Raqqah and Mosul; FM band radio broadcasts across 13 of its provinces were set up to deliver a variety of content, from fatwas and sharia lessons to daily news, poetry, and nasheeds; and Al-Hayat Media Center distributed its digital newsmagazine, Dabiq, in over a dozen languages to followers across the world.

Jett covers:

  • Secure Browsers
  • Proxy Servers and VPNs
  • Propaganda Apps (read cellphone apps)
  • Encrypted Email
  • Mobile Privacy Apps
  • Encrypted Messages

That Jihadists or anyone else are using these tools may be a surprise to some Fortune or Economist readers, but every conscious person associated with IT can probably name one or more instances for each category.

I’m sure some Jihadists drive cars, ride hoverboards, or bicycles, but dramatic recitations on those don’t advance a discussion of Jihadists or their goals.

Privacy software is a fact of life in all walks and levels of a digital environment.

Crying “Look! Over there! Someone might be doing something we don’t like!” isn’t going to lead to any useful answers, to anything. Including Jihadists.

July 19, 2016

1960’s Flashback: Important Tor Nodes Shutting Down

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 8:59 am

Swati Khandelwal reports the departure of Lucky Green from the Tor project will result in the loss of several critical Tor nodes and require an update to Tor code. (Core Tor Contributor Leaves Project; Shutting Down Important Tor Nodes)

Here’s the Tonga (Bridge Authority) Permanent Shutdown Notice in full:

Dear friends,

Given recent events, it is no longer appropriate for me to materially contribute to the Tor Project either financially, as I have so generously throughout the years, nor by providing computing resources. This decision does not come lightly; I probably ran one of the first five nodes in the system and my involvement with Tor predates it being called “Tor” by many years.

Nonetheless, I feel that I have no reasonable choice left within the bounds of ethics, but to announce the discontinuation of all Tor-related services hosted on every system under my control.

Most notably, this includes the Tor node “Tonga”, the “Bridge Authority”, which I recognize is rather pivotal to the network.

Tonga will be permanently shut down and all associated cryptographic keys destroyed on 2016-08-31. This should give the Tor developers ample time to stand up a substitute. I will terminate the cron job we set up so many years ago at that time that copies over the descriptors.

In addition to Tonga, I will shut down a number of fast Tor relays, but the directory authorities should detect that shutdown quickly and no separate notice is needed here.

I wish the Tor Project nothing but the best moving forward through those difficult times,

–Lucky

As I mentioned in Going Dark With Whisper? Allies versus Soul-Mates, it is having requirements other than success of a project that is so damaging to such efforts.

I could discover that IS is using the CIA to funnel money from the sales of drugs and conflict diamonds to fund the Tor project and it would not make any difference to me. Even if core members of the Tor project knew that and took steps to conceal it.

Whether intended or not, the only people who will benefit from Lucky’s decision will be opponents of personal privacy and the only losers will be people who need personal privacy.

Congratulations Lucky! You are duplicating a pattern of behavior that destroyed the Black Panthers, the SDS and a host of other groups and movements before and since then.

Let’s hope others don’t imitate Lucky’s “I’ll take my ball and go home” behavior.

July 5, 2016

Securing A Travel iPhone

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 8:08 am

Securing A Travel iPhone by Filippo Valsorda.

From the post:

These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order.

I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus convenience.

Don’t use anything older than an iPhone 5S, it wouldn’t have the TPM.

Needless to say, use long unique passwords everywhere.

There are more than forty (40) tasks/sub-tasks to securing a travel iPhone so you best start well ahead of time.

No security is perfect but if you follow this guide, you will be more secure than the vast majority of travelers.

July 4, 2016

Breaking Honeypots For Fun And Profit – Detecting Deception

Filed under: Privacy,Tor — Patrick Durusau @ 4:38 pm

by Dean Sysman & Gadi Evron & Itamar Sher

The description:

We will detect, bypass, and abuse honeypot technologies and solutions, turning them against the defender. We will also release a global map of honeypot deployments, honeypot detection vulnerabilities, and supporting code.

The concept of a honeypot is strong, but the way honeypots are implemented is inherently weak, enabling an attacker to easily detect and bypass them, as well as make use of them for his own purposes. Our methods are analyzing the network protocol completeness and operating system software implementation completeness, and vulnerable code.

As a case study, we will concentrate on platforms deployed in real organizational networks, mapping them globally, and demonstrating how it is possible to both bypass and use these honeypots to the attacker’s advantage.

The slides for the presentation.

This presentation addresses the question of detecting (identifying) a deception.

Detection of the following honeypots discussed:

Artillery: https://github.com/BinaryDefense/artillery (Updated URL)

BearTrap: https://github.com/chrisbdaemon/BearTrap

honeyd: http://www.honeyd.org

Dionaea: http://dionaea.carnivore.it/ (timed out on July 4, 2016)

Glastopf: http://glastopf.org/

Kippo: https://github.com/desaster/kippo

KFSensor: http://www.keyfocus.net/kfsensor/

Nova: https://github.com/DataSoft/Nova

Identification of an attack, it was argued, may result in that attack being prevented in all anti-attack code, whereas identification of an attacker could have consequences for the attack as an operation.

Combining an IP address along with other dimensions of identification, say with a topic map, could prove to be a means of sharpening the consequences for attackers.

Of course, I am assuming that at least within an agency, agents share data/insights towards a common objective. That may not be the case in your agency.

While looking for other resources on honeypots, I did find Collection of Awesome Honeypots, dating from December of 2015.

Thomas Jefferson (Too Early For Tor – TEFT)

Filed under: Government,Privacy,Tor — Patrick Durusau @ 2:27 pm

Official Presidential portrait of Thomas Jefferson (by Rembrandt Peale, 1800)

Thomas Jefferson lived centuries before the internet and the rise of Tor but he is easy to see as a Tor user.

He was the author of the Declaration of Independence, which if you read the details, is a highly offensive document:


He has affected to render the Military independent of and superior to the Civil Power.

He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For quartering large bodies of armed troops among us:

For protecting them, by a mock Trial from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us in many cases, of the benefit of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation, and tyranny, already begun with circumstances of Cruelty & Perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

Update the language of “For transporting us beyond Seas to be tried for pretended offences” to “Transporting people to Guantanamo Bay prison for unlawful detention” and you have a good example of what the FBI wants discussed in clear text.

Make no mistake, the FBI of today, working for George III, would have arrested Thomas Jefferson if it caught wind of the Declaration of Independence. At that time, Jefferson was not the towering figure of liberty that he is today. Then he was the opponent of a nation-state.

Jefferson was too early for Tor but he is the type of person that Tor protects.

Do you want to be on the side of George III or Jefferson in history?

Support Tor!

June 30, 2016

Secret FBI National Security Letter (NSL) Attacks on Reporters – Safe Leaking?

Filed under: FBI,Journalism,News,Privacy,Reporting — Patrick Durusau @ 8:10 pm

Secret Rules Make It Pretty Easy For The FBI To Spy On Journalists by Cora Currier.

For those of us who suffer from reflexive American exceptionalism, that press censorship happens “over there,” Cora’s story is a sobering read.

From the post:

Secret FBI rules allow agents to obtain journalists’ phone records with approval from two internal officials — far less oversight than under normal judicial procedures.

The classified rules, obtained by The Intercept and dating from 2013, govern the FBI’s use of National Security Letters, which allow the bureau to obtain information about journalists’ calls without going to a judge or informing the news organization being targeted. They have previously been released only in heavily redacted form.

Media advocates said the documents show that the FBI imposes few constraints on itself when it bypasses the requirement to go to court and obtain subpoenas or search warrants before accessing journalists’ information.

Cora goes on to point out that the FBI issued nearly 13,000 NSLs in 2015.

After great coverage on the FBI and its use of NSLs, Cora concludes:


For Brown, of the Reporters Committee, the disclosure of the rules “only confirms that we need information about the actual frequency and context of NSL practice relating to newsgathering and journalists’ records to assess the effectiveness of the new guidelines.”

That’s the root of the problem isn’t it?

Lack of information on how NSLs are being used against journalists in fact.

Care to comment on the odds of getting an accurate accounting of the FBI’s war on journalists from the FBI?

No? I thought not.

So how can that data be gathered?

Question for discussion (NOT legal advice)

In 2005, the non-disclosure requirements for NSLs were modified to read:

18 U.S. Code § 2709 – Counterintelligence access to telephone toll and transactional records

(2) Exception.—

(A)In general.—A wire or electronic communication service provider that receives a request under subsection (b), or officer, employee, or agent thereof, may disclose information otherwise subject to any applicable nondisclosure requirement to—

(i) those persons to whom disclosure is necessary in order to comply with the request;

(ii) an attorney in order to obtain legal advice or assistance regarding the request; or

(iii) other persons as permitted by the Director of the Federal Bureau of Investigation or the designee of the Director.

Each person in the chain of disclosure has to be advised of the requirement to keep the NSL secret.

Unless the law has changed more radically than I imagine, the burden of proving a criminal offense still rests with the government.

If I am served with an NSL and I employ one or more attorneys, who have assistants working on my case, and the NSL is leaked to a public site, it remains the government’s burden to prove who leaked the NSL.

The government cannot force the innocent in the chain of disclosure to exculpate themselves and leave only the guilty party to face justice. The innocent can remain mute, as is the privilege of every criminal defendant.

Is that a fair statement?

If so, how many brave defendants are necessary in the chain of disclosure per NSL?

As Jan says in Twitter and the Monkey Man:

“It was you to me who taught
In Jersey anything’s legal, as long as you don’t get caught”

If that sounds anarchistic, remember the government chose to abandon the Constitution, first. If it wants respect for law, it should respect the Constitution.

World-Check Database Leak Teaser

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 10:32 am

Chris Vickery posted to Reddit: Terrorism Blacklist: I have a copy. Should it be shared?, which reads in part as follows:

…A few years ago, Thomson Reuters purchased a company for $530 million. Part of this deal included a global database of “heightened-risk individuals” called World-Check that Thomson Reuters maintains to this day. According to Vice.com, World-Check is used by over 300 government and intelligence agencies, 49 of the 50 biggest banks, and 9 of the top 10 global law firms. The current-day version of the database contains, among other categories, a blacklist of 93,000 individuals suspected of having ties to terrorism.

I have obtained a copy of the World-Check database from mid-2014.

No hacking was involved in my acquisition of this data. I would call it more of a leak than anything, although not directly from Thomson Reuters. The exact details behind that can be shared at a later time.

This copy has over 2.2 million heightened-risk individuals and organizations in it. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.

I am posting this message in order to ask, “Should I release this database to the world?”. I want your opinion.

Yeah, right.

Chris’s question: “Should I release this database to the world?,” was moot from the outset.

This is pandering for attention at its very worst.

Chris could have put all of us on par with $1 million subscribers to the World-Check database but chose attention for himself instead.

There are only three sources of data:

  • Clients – Confidential until the client says release it, even in the face of government pressure (just good professional ethics).
  • Contract – Limited by the terms you used for access. If you don’t want to agree to the terms, find another means of access. (falls under the “don’t lie” principle, governments do enough of that for all of us)
  • Other – Should be shared as widely and often as possible.

The World-Check database clearly falls under “other” and should have been shared as widely as possible.

Thomson Reuters and similar entities survive not because of merit or performance, but because people like Chris compensate for their organizational and technical failures. The public interest is not being served by preservation of a less than stellar status quo.

Not to mention leaking the list would create marketing opportunities. The criminal defense bar comes to mind.

Don’t tease, leak!

June 29, 2016

How Secure Are Emoji Ciphers?

Filed under: Cryptography,Encryption,Privacy — Patrick Durusau @ 2:21 pm

You Can Now Turn Messages Into Secret Code Using Emoji by Joon Ian Wong.

From the post:

Emoji are developing into their own language, albeit a sometimes impenetrable one. But they are about to become truly impenetrable. A new app from the Mozilla Foundation lets you use them for encryption.

The free web app, called Codemoji, lets users write a message in plain-text, then select an emoji “key” to mask the letters in that message with a series of emoji. To decrypt a message, the correct key must be entered in the app, turning emoji back into the alphabet.

Caesar ciphers (think letter substitution) are said to be “easy” to solve with modern computers.

Which is true, but the security of an Emoji cipher depends on how long the information must remain secret.

For example, you discover a smart phone at 11:00 AM (your local) and it has the following message:

Detonate at 12:15 P.M. (your local)

but that message is written in Emoji using the angry face as the key:

[Image: the message encoded in emoji]

That Emoji coded message is as secure as a message encoded with the best the NSA can provide.

Why?

If you knew what the message said, detonation time, assuming that is today, is only 75 minutes away. Explosions are public events and knowing in hindsight that you had captured the timing message, but broke the code too late, isn’t all that useful.

The “value” of that message being kept secret expires at the same time as the explosion.

In addition to learning more about encryption, use Codemoji as a tool for thinking about your encryption requirements.

Some (conflicting) requirements: Ease of use, resistance to attack (how to keep the secret), volume of use, hardware/software requirements, etc.

Everyone would like to have brain-dead easy to use, impervious to even alien-origin quantum computers, scales linearly and runs on an Apple watch.

Not even the NSA is rumored to have such a system. Become informed so you can make informed compromises.
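A toy model of the trade-off discussed in this post, as an added example (not Codemoji's code or algorithm): it assumes a plain shift cipher over a constructed 26-emoji alphabet, with the key emoji selecting the shift, and compares the cost of trying every key against how long the secret must last. The alphabet, word list, sample message and per-trial times are all constructed for illustration.

```python
"""Toy emoji shift cipher, exhaustive key search, and a secrecy-lifetime check."""
import math

# Assumption: a constructed 26-symbol emoji alphabet (U+1F610..U+1F629).
# This is NOT Codemoji's real symbol table or algorithm.
EMOJI = [chr(cp) for cp in range(0x1F610, 0x1F610 + 26)]
LETTERS = "abcdefghijklmnopqrstuvwxyz"
ANGRY_FACE = "\U0001F620"  # the key emoji used in the post's scenario

# Small constructed word list used to recognise English-looking output.
COMMON_WORDS = {"the", "and", "at", "to", "of", "in", "is", "on", "it",
                "for", "you", "not", "are", "with", "this", "that"}


def _shift_for(key_emoji):
    """The key emoji's position in the alphabet is the shift amount."""
    if key_emoji not in EMOJI:
        raise ValueError("key must be one of the emoji in the alphabet")
    return EMOJI.index(key_emoji)


def encrypt(plaintext, key_emoji):
    """Replace each letter with an emoji; other characters pass through."""
    shift = _shift_for(key_emoji)
    out = []
    for ch in plaintext.lower():
        if ch in LETTERS:
            out.append(EMOJI[(LETTERS.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext, key_emoji):
    """Invert encrypt() for the given key emoji."""
    shift = _shift_for(key_emoji)
    out = []
    for ch in ciphertext:
        if ch in EMOJI:
            out.append(LETTERS[(EMOJI.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Count tokens that appear in the common-word list."""
    words = text.replace(",", " ").replace(".", " ").split()
    return sum(1 for w in words if w in COMMON_WORDS)


def exhaustive_search(ciphertext):
    """Try every key emoji; return (best_key, best_plaintext, trials)."""
    best = None
    trials = 0
    for key in EMOJI:
        trials += 1
        candidate = decrypt(ciphertext, key)
        score = english_score(candidate)
        if best is None or score > best[0]:
            best = (score, key, candidate)
    return best[1], best[2], trials


def keyspace_bits(n_keys=len(EMOJI)):
    """Key space size in bits (log2 of the number of possible keys)."""
    return math.log2(n_keys)


def secrecy_holds(required_seconds, seconds_per_trial, n_keys=len(EMOJI)):
    """True if trying every key takes longer than the secret must last."""
    return n_keys * seconds_per_trial > required_seconds


if __name__ == "__main__":
    message = "meet at the north gate at noon"  # constructed sample
    ct = encrypt(message, ANGRY_FACE)
    key, recovered, trials = exhaustive_search(ct)
    print(ct)
    print(f"recovered {recovered!r} after {trials} trials "
          f"({keyspace_bits():.1f}-bit key space)")
    # 75 minutes is the secrecy lifetime from the post's scenario.
    print("by hand, 10 min/trial:", secrecy_holds(75 * 60, 600))
    print("scripted, 1 ms/trial: ", secrecy_holds(75 * 60, 0.001))
```

With 26 keys the search space is under 5 bits, so whether the secret outlives the search depends entirely on the cost per trial the adversary faces.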

Slouching Towards Total Surveillance – Investigatory Powers Bill Update

Filed under: Government,Law,Privacy — Patrick Durusau @ 9:02 am

Investigatory Powers Bill 2015-16 to 2016-17.

Bill Summary:

A Bill to make provision about the interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information; to make provision about the treatment of material held as a result of such interception, equipment interference or acquisition or retention; to establish the Investigatory Powers Commissioner and other Judicial Commissioners and make provision about them and other oversight arrangements; to make further provision about investigatory powers and national security; to amend sections 3 and 5 of the Intelligence Services Act 1994; and for connected purposes.

Whatever criticisms you may have of the UK Parliament, you must admit its delivery of legislative information is quite nice.

Via email today I received notice of “sitting” and “provisional sitting” on the Investigatory Powers Bill. A quick check of their glossary reveals that “sitting” is another term for committee meeting.

The first “sitting” or committee meeting on this bill will be 11.07.2016.

A process described on the homepage of this bill as:

Committee stage – line by line examination of the Bill – is scheduled to begin on 11 July.

Considering its progress so far, I’m not expecting “line by line examination” to impede its progress.

Still, it’s not, yet, a law so delay, diversion, dilution, remain possibilities.

The privacy you protect could well be your own.

June 26, 2016

Digital Rights – Privacy – Video Conference – Wednesday, June 29, 2016

Filed under: Electronic Frontier Foundation,Intellectual Property (IP),Privacy — Patrick Durusau @ 7:49 pm

Video conference for campus and community organizers (June 2016)

From the webpage:


Are you part of a campus or community organization concerned about digital rights?

If not, do you want to raise a voice in your community for privacy and access to the intellectual commons?

We'd like to help! EFF will host a video conference to highlight opportunities for grassroots organizers on Wednesday, June 29, 2016 at 3pm PST / 6pm EST.

We'll hear from speakers describing campaigns and events available for your group's support, as well as best practices that you might consider emulating with your friends and neighbors. We're also eager to hear from you about any digital rights campaigns on which you're working in your community, and to expose others in this growing grassroots network to social media opportunities to support your activism and organizing.

Please register to receive the link through which to participate using an open, encrypted, video chat platform.

No word on removing the tape from your video camera for this event. 😉

Spread the word about this video conference!

June 18, 2016

Online Surveillance: …ISIS and beyond [Social Media “chaff”]

Filed under: Government,Privacy — Patrick Durusau @ 1:26 pm

If you ever doubted that “anti-terror group surveillance tools” should always be titled “group surveillance tools,” New online ecology of adversarial aggregates: ISIS and beyond. Science, 2016; 352 (6292): 1459 DOI: 10.1126/science.aaf0675 by N. F. Johnson, et al., puts those doubts to rest.

Unintentionally no doubt, but the “…ISIS and beyond” part of the title signals this technique is not limited to ISIS.

Consider the abstract:

Support for an extremist entity such as Islamic State (ISIS) somehow manages to survive globally online despite considerable external pressure and may ultimately inspire acts by individuals having no history of extremism, membership in a terrorist faction, or direct links to leadership. Examining longitudinal records of online activity, we uncovered an ecology evolving on a daily time scale that drives online support, and we provide a mathematical theory that describes it. The ecology features self-organized aggregates (ad hoc groups formed via linkage to a Facebook page or analog) that proliferate preceding the onset of recent real-world campaigns and adopt novel adaptive mechanisms to enhance their survival. One of the predictions is that development of large, potentially potent pro-ISIS aggregates can be thwarted by targeting smaller ones.

Here’s the abstract re-written for the anti-war movement of the 1960’s:

Support for extremists such as the anti-Vietnam War movement somehow manages to survive nationally online despite considerable external pressure and may ultimately inspire acts by individuals having no history of extremism, membership in an anti-war faction, or direct links to leadership. Examining longitudinal records of online activity, we uncovered an ecology evolving on a daily time scale that drives online support, and we provide a mathematical theory that describes it. The ecology features self-organized aggregates (ad hoc groups formed via linkage to a Facebook page or analog) that proliferate preceding the onset of recent real-world campaigns and adopt novel adaptive mechanisms to enhance their survival. One of the predictions is that development of large, potentially potent pro-anti-War aggregates can be thwarted by targeting smaller ones.

Here’s the abstract re-written for the civil rights movement of the 1960’s:

Support for extremists such as SNCC somehow manages to survive nationally online despite considerable external pressure and may ultimately inspire acts by individuals having no history of extremism, membership in a SNCC faction, or direct links to leadership. Examining longitudinal records of online activity, we uncovered an ecology evolving on a daily time scale that drives online support, and we provide a mathematical theory that describes it. The ecology features self-organized aggregates (ad hoc groups formed via linkage to a Facebook page or analog) that proliferate preceding the onset of recent real-world campaigns and adopt novel adaptive mechanisms to enhance their survival. One of the predictions is that development of large, potentially potent SNCC aggregates can be thwarted by targeting smaller ones.

Here’s the abstract re-written for the gay rights movement:

Support for extremists such as gay rights somehow manages to survive nationally online despite considerable external pressure and may ultimately inspire acts by individuals having no history of extremism, membership in a gay rights faction, or direct links to leadership. Examining longitudinal records of online activity, we uncovered an ecology evolving on a daily time scale that drives online support, and we provide a mathematical theory that describes it. The ecology features self-organized aggregates (ad hoc groups formed via linkage to a Facebook page or analog) that proliferate preceding the onset of recent real-world campaigns and adopt novel adaptive mechanisms to enhance their survival. One of the predictions is that development of large, potentially potent gay rights aggregates can be thwarted by targeting smaller ones.

The government has admitted to the use of surveillance against all three, civil rights, anti-Vietnam war, and gay rights, which in the words of Justice Holmes, “…was an outrage which the Government now regrets….”

I mention those cases so the current fervor against “terrorists” doesn’t blind us to the need for counters to every technique for disrupting “terrorists.”

“Terrorists” being a label applied to people with whom some group or government disagrees. Frequently almost entirely fictional, as in the case of the United States. The FBI recruits the mentally ill in order to provide some credence to its hunt for terrorists in the US.

One obvious counter to the aggregate analysis proposed by the authors would be a series of AI-driven aggregates that are auto-populated and supplied with content derived from human users.

Defeating suppression with a large number of “fake” aggregates. Think of it as social media “chaff.”

If you think about it, separating wheat from chaff is a subject identity issue. 😉

Production of social media “chaff” and influencing papers such as this one, is an open research subject.

If you have a cause, I have some time.

June 15, 2016

I’ll See You The FBI’s 411.9 million images and raise 300 million more, per day

Filed under: Face Detection,FBI,Government,Image Recognition,Privacy — Patrick Durusau @ 7:29 pm

FBI Can Access Hundreds of Millions of Face Recognition Photos by Jennifer Lynch.

From the post:

Today the federal Government Accountability Office (GAO) finally published its exhaustive report on the FBI’s face recognition capabilities. The takeaway: FBI has access to hundreds of millions more photos than we ever thought. And the Bureau has been hiding this fact from the public—in flagrant violation of federal law and agency policy—for years.

According to the GAO Report, FBI’s Facial Analysis, Comparison, and Evaluation (FACE) Services unit not only has access to FBI’s Next Generation Identification (NGI) face recognition database of nearly 30 million civil and criminal mug shot photos, it also has access to the State Department’s Visa and Passport databases, the Defense Department’s biometric database, and the drivers license databases of at least 16 states. Totaling 411.9 million images, this is an unprecedented number of photographs, most of which are of Americans and foreigners who have committed no crimes.

I understand and share the concern over the FBI’s database of 411.9 million images from identification sources, but let’s be realistic about the FBI’s share of all the image data.

Not an exhaustive list but:

Facebook alone is equaling the FBI photo count every 1.3 days. Moreover, Facebook data is tied to both Facebook and very likely, other social media data, unlike my driver’s license.

Instagram takes a little over 5 days to exceed the FBI image count, but like the little engine that could, it keeps trying.

I’m not sure how to count YouTube’s 300 hours of video every minute.

No reliable counts are available for porn images, which, streamed from Pornhub in 2015, accounted for 1,892 petabytes of data.

The Pornhub data stream includes a lot of duplication but finding non-religious and reliable stats on porn is difficult. Try searching for statistics on porn images. Speculation, guesses, etc.

Based on those figures, it’s fair to say the number of images available to the FBI is somewhere North of 100 billion and growing.

Oh, you think non-public photos are off-limits to the FBI?

Hmmm, so is lying to federal judges, or so they say.

The FBI may say they are following safeguards, etc., but once an agency develops a culture of lying “in the public’s interest,” why would you ever believe them?

If you believe the FBI now, shouldn’t you say: Shame on me?

June 12, 2016

Vermont Trumps (sorry) Feds?

Filed under: Government,Privacy — Patrick Durusau @ 9:03 am

Signed By the Governor: Sweeping Vermont Privacy Law Will Hinder Several Federal Surveillance Programs by Mike Maharrey.

From the post:

Vermont Gov. Peter Shumlin has signed a sweeping bill that establishes robust privacy protections in the state into law. It not only limits warrantless surveillance and helps ensure electronic privacy in Vermont, it will also hinder several federal surveillance programs that rely on cooperation and data from state and local law enforcement.

The new law bans warrantless use of stingray devices to track the location of phones and sweep up electronic communications, restricts the use of drones for surveillance by police, and generally prohibits law enforcement officers from obtaining electronic data from service providers without a warrant or a judicially issued subpoena.

Some random examples of federal government lying:

So, Mike would have us believe that Vermont (drum roll) passing a bill and the governor signing into law is going to interfere with federal surveillance programs in what way?

“But, but…, it’s a law!” (in a shocked tone of voice).

And you think that means what? Exactly?

Laws don’t enforce themselves. I know that comes as a surprise but there it is.

As Andrew Jackson once remarked, of Chief Justice John Marshall, “John Marshall had made his decision, now let him enforce it.” (For constitutional history buffs, that’s Cherokee Indian Cases (1830s).)

If the police, state and federal, ignore this new Vermont state law and no one will prosecute them, how much hindering of Federal surveillance programs do you see?

My multiple-choice survey questionnaire has only one response for that question:

None.

If we disagree, the missing piece may be that the executive branch consists of the people who put laws into effect.

When the executive branch ignores the law, the judicial and legislative branches become distractions, nothing more.

June 5, 2016

EU Plays Whack-a-Mole with URLs (RTBF)

Filed under: EU,Privacy — Patrick Durusau @ 10:44 am

Researchers Uncover a Flaw in Europe’s Tough Privacy Rules by Mark Scott.

From the post:

Europe likes to think it leads the world in protecting people’s privacy, and that is particularly true for the region’s so-called right to be forgotten. That legal right allows people connected to the Continent to ask the likes of Google to remove links about themselves from online search results, under certain conditions.

Yet that right — one of the world’s most widespread efforts to protect people’s privacy online — may not be as effective as many European policy makers think, according to new research by computer scientists based, in part, at New York University.

The academic team, which also included experts from the Federal University of Minas Gerais in Brazil, said that in roughly a third of the cases examined, the researchers were able to discover the names of people who had asked for links to be removed. Those results, based on the researchers’ use of basic coding, came despite the individuals’ expressed efforts to remove their names from online searches.

The findings, which had not previously been made public and will be presented at an academic conference next month, raise questions about how successful Europe’s “right to be forgotten” can be if people’s identities can still be found with just a few clicks of a mouse. The paper says such breaches may undermine “the spirit” of the legal ruling.

From the positive conclusions on the Right to Be Forgotten (RTBF) by the paper authors:


We end this paper with a few opinions and recommendations based on the results and observations of this paper. After having studied RTBF and its consequences from a data perspective, the authors feel that RTBF has been largely working and responding to legitimate privacy concerns of many Europeans. We feel that Google’s process for determining which links should be delisted seems fair and reasonable. We feel that Google is being fairly transparent about how it processes RTBF requests [13]. Other academics have called for more transparency [12]. However, by being more specific about how delisting decisions are made, it may become easier for the attacker to rediscover delisted URLs and the corresponding requesters.

I have to conclude they are collectively innocent of reading George Orwell’s 1984.

-if all records told the same tale — then the lie passed into history and became truth. ‘Who controls the past,’ ran the Party slogan, ‘controls the future: who controls the present controls the past.’ (George Orwell, 1984, Part 1, Chapter 2)

The paper does expose that the EU efforts to control the past are akin to playing whack-a-mole:

[Video: whack-a-mole]

with URLs.

Except that unlike the video, the EU doesn’t play very well.

As the paper outlines in some detail, delisting isn’t the same thing as making all records tell the same tale.

Not only can you discover the “delisted,” you can often find evidence of who requested the “delisting.”

If “delisting” at Google becomes commonplace it will create opportunities for new web services. A web service that accepts URLs and passes through the content, annotated with Google Delisted Content – Suspected Delister: (delister’s name and current twitter handle).

1984 did not end well.

For a different (not necessarily better) outcome, resist all attempts to control the past, or to at least make it harder to discover.

May 20, 2016

Must Stingrays Be Mobile?

Filed under: Cybersecurity,Government,Privacy — Patrick Durusau @ 8:16 pm

While listening to ICYMI #17: Mike Katz-Lacabe – The Center for Human Rights & Privacy courtesy of North Star Post (NSP), the host commented on a possible detection of a stingray device because it was mobile.

The ACLU describes such devices as:

…devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect’s cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.

Do you see anything about “mobile” in that description?

Granting that there are use cases for mobile surveillance devices, where else are you likely to encounter stingrays?

Airports, public transportation: Calls and messages to and from passengers.

Courthouses: Where lawyers, defendants and witnesses may be sending/receiving calls and text messages they would prefer to keep private.

Jails: Calls and text messages by inmates and visitors.

Schools: Calls and texts between students and others.

Other places?

Working on a data set that may help with avoiding mobile or stationary stingrays. More on that next week.

May 19, 2016

FindFace – Party Like It’s 2001

Filed under: Privacy,Security — Patrick Durusau @ 4:01 pm

What a difference fifteen years make!

Is Google or Facebook evil? Forget it!

Russian nerds have developed a new Face Recognition technology based app called FindFace, which is a nightmare for privacy lovers and human right advocates.

FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by connecting them to their social media accounts with 70% success rate, putting public anonymity at risk.

(From This App Lets You Find Anyone’s Social Profile Just By Taking Their Photo by Mohit Kumar)

Compare that breathless, “…nightmare for privacy lovers…public anonymity at risk…” prose to:

Super Bowl, or Snooper Bowl?

As 100,000 fans stepped through the turnstiles at Super Bowl XXXV, a camera snapped their image and matched it against a computerized police lineup of known criminals, from pickpockets to international terrorists.

It’s not a new kind of surveillance. But its use at the Super Bowl — dubbed “Snooper Bowl” by critics — has highlighted a debate about the balance between individual privacy and public safety.

Law enforcement officials say what was done at the Super Bowl is no more intrusive than routine video surveillance that most people encounter each day as they’re filmed in stores, banks, office buildings or apartment buildings.

But to critics, the addition of the face-recognition system can essentially put everyone in a police lineup.

“I think it presents a whole different picture of America,” said Howard Simon, executive director of the American Civil Liberties Union in Florida.

(From Biometrics Used to Detect Criminals at Super Bowl by Vickie Chachere)

If you don’t keep up with American football, Super Bowl XXXV was held in January of 2001.

Facial recognition being common in 2001, why the sudden hand wringing over privacy and FindFace?

Oh, I get it. It is the democratization of the loss of privacy.

Those whose privacy would be protected by privilege or position are suddenly fair game to anyone with a smartphone.

A judge coming out of a kinky bar can be erased or not noticed on police surveillance video, but in a smartphone image, not so much.

The “privacy” of the average U.S. citizen depends on the inattention of state actors.

I’m all for sharing our life-in-the-goldfish-bowl condition with the powerful and privileged.

Get FindFace and use it.

Create similar apps and use topic maps to bind the images to social media profiles.

When the State stops surveillance, perhaps, just perhaps, citizens can stop surveillance of the State. Maybe.

If “privacy” advocates object, ask them what surveillance by the State they support? If the answer isn’t “none,” they have chosen the side of power and privilege. What more is there to say? (BTW, take their photo with FindFace or a similar app.)
