U.S. whistleblowers feel blowback: of 2,900 cases last year, 1,400 involved retaliation against whistleblowers, and whistleblowers prevailed less than a quarter of the time.
Former US intelligence analyst Edward Snowden has accused the US National Security Agency of routinely passing private, unedited communications of Americans to Israel, an expert on the intelligence agency said Wednesday. James Bamford, writing in the New York Times, said Snowden told him the intercepts included communications of Arab- and Palestinian-Americans whose relatives in Israel and the Palestinian territories could become targets based on the information. “It’s one of the biggest abuses we’ve seen,” Bamford quoted Snowden as saying. Snowden said the material was routinely transferred to Unit 8200, a secretive Israeli intelligence organization. Bamford cited a memorandum of understanding between the NSA and its Israeli counterpart outlining transfers that have occurred since 2009. Leaked by Snowden and first reported by the British newspaper the Guardian, it said the material included “unevaluated and unminimized transcripts, gists, facsimiles, telex, voice and Digital Network Intelligence metadata and content.” The memorandum indicates the data is routinely sent in raw form, without editing out names or other personally identifiable information, Bamford said.
Of course, everyone knew this because it was all but outright confirmed. Everyone knows that the U.S. and Israel have a “special” relationship when it comes to intelligence.
Bad guys are everywhere, good guys are somewhere!
The FBI, working with the Criminal Justice Information Services Division, says the Next Generation Identification System is now fully operational.
The system is designed to expand biometric identification capabilities across the country and eventually replace the FBI’s current fingerprint system.
The system includes two new databases.
One, called Rap Back, gives FBI-authorized entities the ability to receive ongoing status notifications of any criminal history reported on specific individuals. The bureau says that it will help law enforcement agencies, probation and parole offices, and others greatly improve their effectiveness by being advised of subsequent criminal activity of persons under investigation or supervision.
The second is called the Interstate Photo System. The IPS facial recognition service will provide law enforcement agencies across the country an image-searching capability for photographs associated with criminal identities. The Feds say it is a significant step forward for the criminal justice community in utilizing biometrics as an investigative tool.
This latest phase is only one portion of the FBI’s NGI System. Since phase one was deployed in February 2011, the NGI system has introduced enhanced automated fingerprint and latent search capabilities, mobile fingerprint identification, and electronic image storage.
More than 18,000 law enforcement agencies and other authorized criminal justice partners across the country will have access to the system 24 hours a day, 365 days a year.
For one short week, a Dutch volunteer named Ton Siedsma with the digital rights group Bits of Freedom agreed to allow researchers to have full access to all his smartphone metadata. This is the information the National Security Agency (NSA) and other governments have been collecting from their own citizens while insisting the information did not violate our privacy.
Few actually believe the government’s arguments, but how much can somebody figure out just from smartphone data? Thus, the experiment with Siedsma. It turns out, as has been growing increasingly clear, you can figure out a lot. According to an article subsequently published in Dutch media, researchers (from a university and a separate security firm) gathered 15,000 records in a week, complete with timestamps. Each time he did pretty much anything on the cell phone they were able to determine physically where he was. And they were able to figure out a lot about both his personal and professional life:
This is what we were able to find out from just one week of metadata from Ton Siedsma’s life. Ton is a recent graduate in his early twenties. He receives e-mails about student housing and part-time jobs, which can be concluded from the subject lines and the senders. He works long hours, in part because of his lengthy train commute. He often doesn’t get home until eight o’clock in the evening. Once home, he continues to work until late.
His girlfriend’s name is Merel. It cannot be said for sure whether the two live together. They send each other an average of a hundred WhatsApp messages a day, mostly when Ton is away from home. Before he gets on the train at Amsterdam Central Station, Merel gives him a call. Ton has a sister named Annemieke. She is still a student: one of her e-mails is about her thesis, judging by the subject line.
They were able to determine what kind of silly viral videos Siedsma had been watching and what sort of companies were sending him email newsletters offering deals (apparently some folks don’t automatically opt out of those). From the data they were able to determine that Siedsma worked as a lawyer for Bits of Freedom. They were able to make a fairly good estimate of what sort of issues he handles for the organization and what he does for the Bits of Freedom website.
In response to the “So what?” crowd, there’s more to be concerned about. Because Bits of Freedom is a politically involved organization, access to Siedsma’s metadata provides a window into what Siedsma and his co-workers are doing that would be of interest to those in government who may see the group as adversaries. Researchers discovered an active e-mail thread with the subject title “Van Delden must go,” referring to the chairman of a Dutch intelligence supervisory body. They can see which members of parliament Siedsma has contacted to discuss issues related to international trade agreements. They can see that he is likely a supporter of the Dutch “green left” party on the basis of him receiving e-mails from them at a private address, not as part of his political work. They could see which journalists he has been corresponding with via e-mail. All of this information has all sorts of potential to be abused politically.
And, they figured out how to hack his other accounts to get even more information about him:
The analysts from the Belgian iMinds compared Ton’s data with a file containing leaked passwords. In early November, Adobe (the company behind the Acrobat PDF reader, Photoshop and Flash Player) announced that a file containing 150 million user names and passwords had been hacked. While the passwords were encrypted, the password hints were not. The analysts could see that some users had the same password as Ton, and their password hints were known to be ‘punk metal’, ‘astrolux’ and ‘another day in paradise’. ‘This quickly led us to Ton Siedsma’s favourite band, Strung Out, and the password “strungout”,’ the analysts write.
With this password, they were able to access Ton’s Twitter, Google and Amazon accounts. The analysts provided a screenshot of the direct messages on Twitter which are normally protected, meaning that they could see with whom Ton communicated in confidence. They also showed a few settings of his Google account. And they could order items using Ton’s Amazon account – something which they didn’t actually do. The analysts simply wanted to show how easy it is to access highly sensitive data with just a little information.
Read the Dutch report here.
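The linkage the analysts describe, as an added example that is not from the iMinds analysis or the Bits of Freedom report: when a password store is deterministic (no per-user salt), two users who chose the same password end up with the same stored value, so anyone holding the dump can group users by that value and read the other users' hints; a per-user random salt breaks the grouping. The page only says the Adobe passwords were "encrypted"; modelling that with an unsalted hash, and the account names, passwords and hints below, are constructed assumptions.

```python
import hashlib
import os
from collections import defaultdict

def store_deterministic(password):
    """Constructed weak scheme: no per-user salt, so equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password):
    """Per-user random salt: equal passwords give unrelated records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt.hex() + "$" + digest.hex()

def hints_shared_with(dump, target):
    """Hints of *other* users whose stored value equals the target's.

    dump: list of (user, stored_value, hint) rows, as a leaked file would hold.
    """
    by_record = defaultdict(list)
    for user, record, hint in dump:
        by_record[record].append((user, hint))
    target_record = next(rec for user, rec, _ in dump if user == target)
    return [hint for user, hint in by_record[target_record] if user != target and hint]

# Constructed accounts: the target set no hint, but two strangers chose the
# same password and did. A fourth user has a different password.
ACCOUNTS = [
    ("target", "correcthorse", ""),
    ("stranger1", "correcthorse", "xkcd"),
    ("stranger2", "correcthorse", "that comic about batteries"),
    ("other", "hunter2", "irc"),
]

def build_dump(scheme):
    """Simulate a leaked credential file written under the given storage scheme."""
    return [(user, scheme(pw), hint) for user, pw, hint in ACCOUNTS]
```

With the deterministic scheme the target's password is recoverable from strangers' hints alone; with salting the same query returns nothing.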
A prominent national security reporter for the Los Angeles Times routinely submitted drafts and detailed summaries of his stories to CIA press handlers prior to publication, according to documents obtained by The Intercept.
Email exchanges between CIA public affairs officers and Ken Dilanian, now an Associated Press intelligence reporter who previously covered the CIA for the Times, show that Dilanian enjoyed a closely collaborative relationship with the agency, explicitly promising positive news coverage and sometimes sending the press office entire story drafts for review prior to publication. In at least one instance, the CIA’s reaction appears to have led to significant changes in the story that was eventually published in the Times.
“I’m working on a story about congressional oversight of drone strikes that can present a good opportunity for you guys,” Dilanian wrote in one email to a CIA press officer, explaining that what he intended to report would be “reassuring to the public” about CIA drone strikes. In another, after a series of back-and-forth emails about a pending story on CIA operations in Yemen, he sent a full draft of an unpublished report along with the subject line, “does this look better?” In another, he directly asks the flack: “You wouldn’t put out disinformation on this, would you?”
Dilanian’s emails were included in hundreds of pages of documents that the CIA turned over in response to two FOIA requests seeking records on the agency’s interactions with reporters. They include email exchanges with reporters for the Associated Press, Washington Post, New York Times, Wall Street Journal, and other outlets. In addition to Dilanian’s deferential relationship with the CIA’s press handlers, the documents show that the agency regularly invites journalists to its McLean, Va., headquarters for briefings and other events. Reporters who have addressed the CIA include the Washington Post’s David Ignatius, the former ombudsmen for the New York Times, NPR, and Washington Post, and Fox News’ Brett Baier, Juan Williams, and Catherine Herridge.
Dilanian left the Times to join the AP last May, and the emails released by the CIA only cover a few months of his tenure at the Times. They show that in June 2012, shortly after 26 members of Congress wrote a letter to President Obama saying they were “deeply concerned” about the drone program, Dilanian approached the agency about a story that he pitched as “a good opportunity” for the government.
The letter from lawmakers, which was sent in the wake of a flurry of drone strikes that had reportedly killed dozens of civilians, suggested there was no meaningful congressional oversight of the program. But Dilanian wrote that he had been “told differently by people I trust.” He added:
Not only would such a story be reassuring to the public, I would think, but it would also be an opportunity to explore the misinformation about strikes that sometimes comes out of local media reports. It’s one thing for you to say three killed instead of 15, and it’s another for congressional aides from both parties to back you up. Part of what the story will do, if you could help me bring it to fruition, is to quote congressional officials saying that great care is taken to avoid collateral damage and that the reports of widespread civilian casualties are simply wrong.
Of course, journalists routinely curry favor with government sources (and others) by falsely suggesting that they intend to amplify the official point of view. But the emails show that Dilanian really meant it.
Over the next two weeks, he sent additional emails requesting assistance and information from the agency. In one, he suggested that a New America Foundation report alleging that drone attacks had killed many civilians was exaggerated, writing that the report was “all wrong, correct?”
A number of early news accounts reported that more than a dozen people died in the June 4, 2012, drone strike that killed Al Qaeda leader Abu Yahya al-Libi in Pakistan. But in a June 20 email to the CIA, Dilanian shared a sentence from his story draft asserting that al-Libi had died alone. “Would you quibble with this?” he asked the CIA press officer.
US whistleblower Edward Snowden will not be deported to the United States if he travels to Switzerland to testify against his country’s National Security Agency (NSA), the SonntagsZeitung newspaper reported Monday.
The newspaper claims to have obtained a document titled “What rules would apply if Edward Snowden is brought to Switzerland and the United States makes an extradition request,” in which the Swiss attorney general concluded that Snowden would be guaranteed safe conduct.
The attorney general is interested in Snowden’s testimony against the NSA to investigate the surveillance of foreign countries in the United States on charges of espionage and theft of government property.
Following his escape, Snowden lived in Moscow’s Sheremetyevo Airport’s international zone for more than a month, and then received one-year’s temporary asylum in Russia. On August 1, Russia granted Snowden a three-year residence permit.
Throughout the last year, the U.S. government has repeatedly insisted that it does not engage in economic and industrial espionage, in an effort to distinguish its own spying from China’s infiltrations of Google, Nortel, and other corporate targets. So critical is this denial to the U.S. government that last August, an NSA spokesperson emailed The Washington Post to say (emphasis in original): “The department does ***not*** engage in economic espionage in any domain, including cyber.”
After that categorical statement to the Post, the NSA was caught spying on plainly financial targets such as the Brazilian oil giant Petrobras; economic summits; international credit card and banking systems; the EU antitrust commissioner investigating Google, Microsoft, and Intel; and the International Monetary Fund and World Bank. In response, the U.S. modified its denial to acknowledge that it does engage in economic spying, but unlike China, the spying is never done to benefit American corporations.
Director of National Intelligence James Clapper, for instance, responded to the Petrobras revelations by claiming: “It is not a secret that the Intelligence Community collects information about economic and financial matters…. What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of—or give intelligence we collect to—U.S. companies to enhance their international competitiveness or increase their bottom line.”
But a secret 2009 report issued by Clapper’s own office explicitly contemplates doing exactly that. The document, the 2009 Quadrennial Intelligence Community Review—provided by NSA whistleblower Edward Snowden—is a fascinating window into the mindset of America’s spies as they identify future threats to the U.S. and lay out the actions the U.S. intelligence community should take in response. It anticipates a series of potential scenarios the U.S. may face in 2025, from a “China/Russia/India/Iran centered bloc [that] challenges U.S. supremacy” to a world in which “identity-based groups supplant nation-states,” and games out how the U.S. intelligence community should operate in those alternative futures—the idea being to assess “the most challenging issues [the U.S.] could face beyond the standard planning cycle.”
One of the principal threats raised in the report is a scenario “in which the United States’ technological and innovative edge slips”— in particular, “that the technological capacity of foreign multinational corporations could outstrip that of U.S. corporations.” Such a development, the report says “could put the United States at a growing—and potentially permanent—disadvantage in crucial areas such as energy, nanotechnology, medicine, and information technology.”
How could U.S. intelligence agencies solve that problem? The report recommends “a multi-pronged, systematic effort to gather open source and proprietary information through overt means, clandestine penetration (through physical and cyber means), and counterintelligence” (emphasis added). In particular, the DNI’s report envisions “cyber operations” to penetrate “covert centers of innovation” such as R&D facilities.
In May, the U.S. Justice Department indicted five Chinese government employees on charges that they spied on U.S. companies. At the time, Attorney General Eric Holder said the spying took place “for no reason other than to advantage state-owned companies and other interests in China,” and “this is a tactic that the U.S. government categorically denounces.”
But the following day, The New York Times detailed numerous episodes of American economic spying that seemed quite similar. Harvard Law School professor and former Bush Justice Department official Jack Goldsmith wrote that the accusations in the indictment sound “a lot like the kind of cyber-snooping on firms that the United States does.” But U.S. officials continued to insist that using surveillance capabilities to bestow economic advantage for the benefit of a country’s corporations is wrong, immoral, and illegal.
Yet this 2009 report advocates doing exactly that in the event that “the technological capacity of foreign multinational corporations outstrip[s] that of U.S. corporations.” Using covert cyber operations to pilfer “proprietary information” and then determining how it “would be useful to U.S. industry” is precisely what the U.S. government has been vehemently insisting it does not do, even though for years it has officially prepared to do precisely that.
1. The vulnerability is Security 101 stuff.
Up until Monday, Apple had a significant and known brute-force vulnerability in its Find My iPhone service, where you type in your Apple ID and password on your computer in order to locate your iPhone on a map. Most services that use passwords, from Facebook to Google to banks, will lock your account or at least throttle logon attempts after a certain number of failed access tries to prevent a person who is not you from making endless guesses at common passwords. Apple itself will do this in most places—but not through its Find My iPhone service, where hackers are allowed unlimited attempts at guessing passwords. You can endlessly try password after password as quick as you like. Once a correct Apple ID password is confirmed through Find My iPhone, a hacker then has access to your iCloud account. So a hacker could simply run an automated tool and knock on the door enough times with password guesses until he broke through. Even a decent password, like “D0nM@tt1ngly!” would still be vulnerable to this sort of attack. The Find My iPhone vulnerability doesn’t really rise to the level of a bug, since limiting brute-force attacks is part of the basic security design of any system—or should be.
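The missing control described above, as an added example that is not Apple's code: `simulate` feeds the same guess list to a login with no limit (the behaviour the Find My iPhone endpoint is described as having) and to one guarded by `LoginThrottle`, which locks the account for a cooling-off period once a threshold of failures lands inside a sliding window. The account, its password, the guess list and the thresholds are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

ITERATIONS = 50_000  # PBKDF2 work factor; constructed value

def make_record(password, salt=None):
    """Store a salted PBKDF2 digest rather than the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(record, password):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)  # constant-time compare

class LoginThrottle:
    """Lock an account for lockout_s after max_failures failures within window_s."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    def allowed(self, account, now):
        return now >= self._locked_until.get(account, 0)

    def record_failure(self, account, now):
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            q.clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

def authenticate(store, throttle, account, password, now):
    """Return 'ok', 'bad_password' or 'locked'. throttle=None means no limit."""
    if throttle is not None and not throttle.allowed(account, now):
        return "locked"  # refused before the password is even checked
    record = store.get(account)
    if record is not None and verify(record, password):
        if throttle is not None:
            throttle.record_success(account)
        return "ok"
    if throttle is not None:
        throttle.record_failure(account, now)
    return "bad_password"

def simulate(store, throttle, account, guesses, step_s=1):
    """Feed one guess every step_s seconds; return a count of each outcome."""
    counts = {"ok": 0, "bad_password": 0, "locked": 0}
    for i, guess in enumerate(guesses):
        counts[authenticate(store, throttle, account, guess, i * step_s)] += 1
    return counts

# Constructed data: a decent password sits sixth in a list of common guesses.
STORE = {"victim@example.com": make_record("D0nM@tt1ngly!")}
GUESSES = ["password", "123456", "qwerty", "letmein", "iloveyou",
           "D0nM@tt1ngly!"] + ["guess%d" % i for i in range(10)]
```

Unthrottled, the sixth guess succeeds; throttled, the account locks after the fifth failure and the correct guess is refused unseen for the rest of the lockout.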
2. The vulnerability was publicly known since May.
A Russian security group called HackApp released iBrute, a proof-of-concept tool to exploit this vulnerability, on Aug. 30. But don’t blame them, because the celebrity hacking probably took place quite a while before that. The Register publicized the lack of any sort of limit on iCloud logon attempts in May, and Apple did nothing about it, giving hackers plenty of time to bash away at accounts. Even after iBrute was publicly released, Apple didn’t patch the vulnerability until Sept. 1 and did nothing to secure accounts in the meantime. I cannot fathom how the company left this one out in the wild for months, and I suspect it will cost someone at Apple his or her job.
3. Apple defaults users into the cloud.
Clouds are wispy and ephemeral, the very opposite of secure, so why would you want to store anything in them? No one particularly does: Cloud storage has been forced on users because it suits tech companies, not because it’s what’s best for consumers. But Apple makes it very hard not to store photos in its cloud, nude or otherwise. Camera Roll automatically backs up photos (all photos) to the cloud by default, and Apple makes it difficult for average users to change the default. It’s worked. And it’s too bad, because whatever you store on the cloud has far less legal and security protection than what’s on your own computer. Even deleting photos from your phone doesn’t delete them from the cloud, as security expert Nik Cubrilovic pointed out on Twitter. (The American Civil Liberties Union’s Christopher Soghoian has wisely suggested a “private photo” feature that doesn’t upload certain photos to the cloud.)* Defaulting to the cloud is like checking baggage on an airline: People might look through your stuff, and even steal it. And like the airlines, Apple’s liability is strictly limited by the extremely generous (to Apple) agreement you sign when you purchase any of its products.
4. Apple does not encourage two-factor authentication.
Two-factor authentication, in which physical possession of a particular device (like a phone) is necessary to log in to an account, is one of the most common and effective supplements to the problematic security of regular passwords. Google, Yahoo, Facebook, Twitter, and many other services offer two-factor, though rarely by default. Still, as the Daily Dot writes, “For reasons that defy all logic, Apple makes it extraordinarily difficult to enable two-step verification,” making users wait three days just to turn it on. (In other words, if you had found out about the vulnerability on Aug. 30, you couldn’t have protected yourself until Sept. 2.) Apple barely publicizes its two-factor authentication and has not encouraged users to adopt it. Apple controls the default user experience for its products, and it has the responsibility for that default to be reasonably secure—which it currently is not.
5. Two-factor authentication wouldn’t have worked anyway.
Even if you were a celebrity who had enabled two-factor authentication, it wouldn’t have helped in this case because Apple doesn’t enforce two-factor authentication for iCloud logons even if you have it turned on, as was reported by Ars Technica all the way back in May of 2013. Apple primarily uses two-factor to prevent credit card purchases, not to protect the privacy of your data. Though probably the least exploited loophole (due to the difficulty of using Apple’s two-factor in the first place), this is perhaps the most sheerly irresponsible security decision Apple has made. The false sense of security created by offering two-factor and then not enforcing it is appalling.
These are all problems Apple has known about for months, if not years, and did nothing to stop. Apple’s two-factor is still fundamentally broken, so even today Apple is still misrepresenting the security it can offer to its users. This is not to excuse any other services that may have been compromised, nor the hackers themselves. But whether or not any of these problems were directly responsible for the leak, Apple users, from Jennifer Lawrence to corporate executives to laptop musicians to you, should be out for blood, and other companies should use this as a lesson to double- and triple-check their own security stories. Apple will probably survive though. iPhones are so cool and pretty.