You are browsing the archive for Cybersecurity.

Sen. John McCain Renews Push for Senate Committee to Halt WikiLeaks’ Undermining of America

11:05 am in Uncategorized by Kevin Gosztola

(photo: Wikimedia Commons)

On Wednesday, Republican Senator John McCain of Arizona renewed his push for the creation of a temporary Senate committee to investigate WikiLeaks and the hacktivist group Anonymous that would be called the Committee on Cyber Security and Electronic Intelligence Leaks.

In a letter to Democratic Majority Leader Harry Reid of Nevada and Republican Minority Leader Mitch McConnell of Kentucky, he urges the creation of a committee to get around the issue of “competing committees of jurisdiction.” (Essentially, establishing the committee means no discussion over who has the right to develop legislation to take down WikiLeaks or Anonymous once and for all. Every senator will have an opportunity for glory now, however, only a few will be chosen.)

McCain opens by suggesting a committee must be developed to address “the continuing risk of insider threats that caused thousands of documents to be posted on the website WikiLeaks.”  The alleged whistleblower to WikiLeaks, Bradley Manning may have been on the inside, however, as far as one can tell, he does not fit the classic definition of an insider. His story is different from Aldrich Ames, an insider who did commit real espionage against the United States, at all. Manning did not do what he is alleged to have done for money. He did not allegedly give secrets to another country like Russia, China or Iran but WikiLeaks.

The White House and several committees in Congress have been deliberating over the development of national cybersecurity proposals that can be implemented. As McCain notes, “The White House put forward a legislative proposal in May and the Department of Energy put forth requirements and responsibilities for a cyber security program that same month.  Earlier this month, the Department of Commerce sought comment on its proposal to establish voluntary codes of behavior to improve cyber security and the Department of Defense issued its strategy for operating in cyberspace.”

McCain argues the development of cybersecurity policy and legislation would benefit from using a model recommended by the 9/11 Commission Report for the organization of a committee that a small group of members could be a part of to conduct oversight of the intelligence establishment. He says it would help the creation of “adequate safeguards to detect and defeat any insider threat of disclosure of classified documents such as we experienced with the Wikileaks fiasco that endangered the security of many of our nation’s diplomats and soldiers serving abroad.”

That diplomats or soldiers serving abroad have been endangered is phony and speculative in the same way that former Vice President Dick Cheney or Karl Rove’s suggestion voting John Kerry in 2004 could’ve meant US had another 9/11 was phony and speculative.

There is significant doubt as to whether soldiers or diplomats have been harmed.

Secretary of Defense Robert Gates said on October 17, 2010 “the review to date has not revealed any sensitive intelligence sources and methods compromised by the disclosure.” A senior NATO official on that same day said, “There has not been a single case of Afghans needing protection.” The Associated Press has reported, “There is no evidence that any Afghans named in the leaked documents as defectors or informants from the Taliban insurgency have been harmed in retaliation.” And Pentagon spokesman Geoff Morrell said on August 11, 2010, “We have yet to see any harm come to anyone in Afghanistan that we can directly tie to exposure in the WikiLeaks documents.”

There is no concrete conclusion that people have suffered or died as a result of the releases.

McCain closes his letter saying:

Just this month former CIA Chief and current Secretary of Defense Leon Panetta appeared before the Senate Armed Services Committee and said, “The next Pearl Harbor we confront could very well be a cyber attack …”  We must act now and quickly develop and pass comprehensive legislation to protect our electric grid, air traffic control system, water supply, financial networks and defense systems and much more from a cyber attack.

When it comes to WikiLeaks, McCain has raised the issue of WikiLeaks in Senate Armed Services hearings. In a hearing to consider the nomination of General Martin E. Dempsey for appointment to chief of staff of the US Army in March, McCain said, “I’m very concerned about WikiLeaks. Almost daily, we see some additional revelation of the WikiLeaks situation. First of all, how did this happen? And second of all, who has been held responsible for this greatest disclosures, frankly, of classified information in the history of this country?”

During a hearing on defense budget requests for 2012 and future years, McCain asked Defense Secretary Robert Gates, “Mr. Chairman, just briefly, anything more on the WikiLeaks investigation?” Gates said:

Well, sir, after our last hearing, I went back and — and I had been told that I had to keep my hands off of it because of the criminal investigation, but I have been able to narrow an area of where I have asked the secretary of the army to investigate in terms of procedures and — and the command climate and — and so on that has nothing to do with the individual, the accused individual. But — but to see what lapses there were where somebody perhaps should be held accountable.

McCain considers the release of WikiLeaks cables to be “America’s worst security breach in the history of the country.” That’s quite reactionary when you consider the fact that, in 1942, in the aftermath of the Battle of Midway, the Chicago Tribune published a story strongly suggesting that the decisive American naval victory at Midway owed to the fact that the United States had been successfully reading Japanese codes.” No information has been revealed like that at all. Nothing has been published that could give any “enemies” information on the location of US troops, which could help them launch successful attacks.

In November 2010, McCain told the National Review, the WikiLeaks “scandal” will have consequences “far beyond the cables. ” He predicted it would have a “devastating and chilling effect on our ability to carry on relationships with foreign leaders, harming our ability to fight this war against radical Islamic extremism.”

Yes, it would have profound implications on Sen. McCain’s ability to meet Libyan dictator Muammar Gaddafi and discuss terms of for providing US military aid again. It would limit the chances of him ever having another “interesting meeting with an interesting man” at his “ranch” in Libya. It would put limits on all leaders meeting with despots of the world, as there is now a trove of information to question the US’ diplomatic relationships with countries all over the world.

This committee would likely be building off of procedures that have already begun to be implemented to “create ‘insider threat’ programs to ferret out disgruntled workers who may leak state secrets.” It would likely reinforce plans among agencies to look for “behavioral changes” among employees with access to secret documents.

There is a federal grand jury based in Alexandria, Virginia, empanelled to investigate WikiLeaks for crimes of espionage that is currently issuing subpoenas to those the government thinks are connected to or have information on WikiLeaks. David House, Bradley Manning Support Network co-founder, has gone before the grand jury already and pled the fifth.

Would this committee be something that could complement the grand jury’s fishing expedition by developing law that can turn what was done into a crime that could lead to indictments?

The pursuit of mechanisms to clampdown on who the government presumes is responsible for the release of material to WikiLeaks and the increased regulation of access to secret documents within government agencies will not address the problem. It won’t because the problem is overclassification, something the Department of Defense, with a new rule to safeguard unclassified information, simply are making worse.

The government has told a court that there should be no such thing as “good leaks.” This virtually ensures that individuals, instead of going through proper channels to blow the whistle on government waste or criminal wrongdoing in government, will turn to organizations like WikiLeaks and create further problems for the government in the future.

The public is growing to understand that overclassification is rampant. Nick Davies of The Guardian illuminates the situation:

…If you look for example at the Afghan war logs what you see is a military which routinely classified every single instance in which they were involved as secret. Why should we respect that kind of mechanical routine classification. Just pull back and look at what’s going on here and ask yourself, is the attempt to prosecute Bradley Manning something to do with the judicious application of the law or a really rather vile piece of political persecution?…

If a committee is established, it won’t prevent future acts of whistleblowing by individuals and guarantee information doesn’t get released to WikiLeaks. A press that tolerates overclassification of information and only asks for selective leaking of materials on secret government operations every now and then, a press that does not ask more questions about the operations of power domestically and internationally will inevitably lead to, in this age of widespread corruption, individuals in government, who have not lost their conscience, finding a way to share the truth.

If a committee is established, it won’t ensure that the world never learns what is really going on behind closed doors in America again because the people of this country are living in a very broken democracy. Many of its citizens know government officials are outright lying when they stand before them and speak. They suspect government officials and whole entire agencies are serving powerful corporate and special interests instead of them. They know coverups of mass misconduct and criminal wrongdoing are being carried out. And so, information will continue to be released to WikiLeaks and there’s nothing Sen. John McCain or any senator can do to stop it so long as they defend the system that created the symptom that is the release of information to WikiLeaks.

My Own Farewell to Emptywheel

10:15 am in Uncategorized by Kevin Gosztola

As Marcy and bmaz leave and Jeff Kaye and I step in to take up the responsibility of chronicling the growing bipartisan consensus among the American corporate and political class that civil rights and civil liberties are disposable and expendable, I would like to share my own memories of Marcy and my appreciation for her work.

Marcy endorsed me for a Democracy for America Netroots Nation 2011 scholarship (that I ended up earning). I don’t know when she started to pay attention to what I was doing, but I went to see who was supporting my scholarship and her name was listed. It was an honor to have someone, who was doing exactly what I could see myself doing, covering WikiLeaks, torture, national security issues, etc, support me. (I thought she kept up a great Twitter account too.)

At the National Conference for Media Reform 2011 in Boston, I met her as an intern with The Nation magazine. I planned to interview and WikiLeaks live blogger extraordinaire Greg Mitchell (who I was interning for). I arranged to do a video interview with Marcy.

I came to hear her speak during a panel on investigative journalism. After she spoke, she asked me if I wanted to eat lunch. Eating together and finally being introduced to the person behind the great snarky tweeting was such a great experience. Not only could Marcy write but she could also talk in detail, off-the-cuff, on these issues.

We talked about some of the topics, which were raised in this interview posted below.

Read the rest of this entry →

Liveblogging the ‘Protecting Children from Internet Pornographers’ Hearing

5:54 am in Uncategorized by Kevin Gosztola

(photo: Project Counsel)

The House Judiciary Subcommittee on Crime & Terrorism, chaired by GOP Representative James Sensenbrunner, is holding a hearing on the “Protecting Children from Internet Pornographers Act” at 10 am ET. The bill might seem like something that would be free from debate, as we all should agree children do not deserve to be subjected to pornography. But, the legislation includes a “data retention” requirement that should fuel debate over rights to privacy.

[*Watch the hearing here.]

The proposed legislation includes a section that reads:

Retention of Certain Records- A provider of an electronic communication service or remote computing service shall retain for a period of at least 18 months the temporarily assigned network addresses the service assigns to each account, unless that address is transmitted by radio communication (as defined in section 3 of the Communications Act of 1934).’. [emphasis added]

Julian Sanchez of the CATO Institute argues, “The handful of provisions in the bill that really deal specifically with child porn are a fig leaf for its true purpose: A sweeping data retention requirement meant to turn Internet Service Providers and online companies into surrogate snoops for the government’s convenience.” And, the Electronic Frontier Foundation (EFF), in a page outlining the issue of data retention, notes not only is storing large databases of IP data expensive but “mandatory data retention harms individuals’ anonymity, which is crucial for whistleblowers, investigators, journalists, and for political speech.”

I will be live blogging this hearing. The witnesses coming before the committee include: Mr. Ernie Allen, President and CEO of the National Center for Missing and Exploited Children; Sheriff Michael J. Brown, Bedford County Sheriff’s Office and Mr. Marc Rotenberg, President of the Electronic Privacy Information Center (EPIC). [Statements that are to be put into the public record will be posted on this blog, as they are made available.]

Here’s the live blog of today’s hearing:

11:32 AM Rep. Sensenbrunner concerned that data retention will be used to investigate crimes other than child pornography.

Sheriff Brown says he is more interested in 18 months. He wants a standard, a uniformed amount of time. Sheriff Brown doesn’t like that there is no standard among ISPs.

Rep. Sensenbrunner addresses subpoena authority in the legislation in Section 11. From the ISP address, how do you know if someone is a registered sex offender?

Allen says that 95% of cases where marshals are able to locate child predators is through Internet-based or communication data.Currently, they have to get all writs act that can take two months. Very nature that he is a fugitive means there has been judicial review. This would allow circumventing the all writs act.

Rep. Sensenbrunner, why do marshals need additional subpoena authority if they are already going after these people? They’re fugitives.

Allen says this is essential tool.

Rep. Sensenbrunner says he has always felt negatively about administrative subpoenas. I fought to keep administrative subpoena authority out of the PATRIOT Act. And what does law enforcement do? They use national security letters (NSLs) to get around the fact that they didn’t get authority.

This could be used for fishing expedition like law enforcement did on PATRIOT Act with NSLs. You should be concerned about that, says Rep. Sensenbrunner.

Thank you witnesses. This bill needs a lot of fixing up. This bill is “not ready for prime time.” Statements being introduced into the record now.

Hearing is adjourned.

11:24 AM Rep. Thomas Marino respects Rotenberg’s opinion but fails to see concern he has over 18 month period of data retention because of what happens to these children and many times the child does not bring information on being victimized til quite some time later. Law enforcement is already finding new techniques for finding perpetrators. Enlighten me.

Rotenberg addresses this remark saying that resources should be given so that law enforcement can go through enormous amounts of data and they would work to focus investigations on perpetrators. Data retention doesn’t focus on the problem. It says we don’t know the problem and will go fishing.

Rep. Marino – Data retention is critical. I’ve been in hospitals with children…Please do more research so you can see what they are put through. We have to double the punishment for child predators. I’ve seen situations where 3 months old children have been exposed.

I can’t find any defense in not increasing 18 month period, concludes Rep. Marino.

11:17 AM Rep. Dan Lungren says sad to say that my own area of Sacramento is one of the top areas for trafficking problems, at least under FBI statistics. There does appear to be a nexus between trafficking and children, trafficking and young women and trafficking and images of child pornography.

He says this is a bipartisan bill and he introduced form of this legislation in the last Congress.

Lungren asks Marc Rotenberg of EPIC, is there a problem that you have with the access to this information by law enforcement in the event or that the extension of time for which they are required to hold this information allows the potential for abuses in other circumstances?

Rotenberg is concerned with government mandate requiring private companies to keep data it wouldn’t otherwise keep. Congress have made adjustments over time to deal with exigencies (like if you can’t get a warrant). Techniques have developed but this would cross line because up to this time in history of Electronic Privacy Act this has not been allowed.

Here’s more from what I think is a critical exchange:

REP. LUNGREN: Our bill provides that it be 18 months. So, why is that different in nature in terms of the action, the activity of the business and the activity of law enforcement when they have a need to get this data?

ROTENBERG: It’s truly a very different view of wiretap law because up to this point in time the general approach has been to say we will come to you when we have some reason to believe that one of your customers is doing something wrong—

REP. LUNGREN: That’s exactly what they are doing here. All they are saying is they want to make sure that the data is retained.

ROTENBERG: No, because the way data retention works and the distinction between data retention and the current data preservation is data retention says at the outset that you are going to keep this information on everybody because we don’t know at this point in time –

LUNGREN: You’re keeping the information on everybody but you are not making a request for everybody. They’re coming to you with a request based on some information they have on a crime having been committed, allegedly.

ROTENBERG: Yes, so there are at least two concerns there. And this goes to the second part of your question. The two concerns are one, everybody and I do mean everybody know is looking more closely at data minimization techniques because they are realizing just how difficult it is to safeguard the information they’re storing.

REP. LUNGREN: So, when you are talking about data minimization, you are talking about cutting down on the amount of information they store as opposed to criminal minimization…

ROTENBERG: That’s correct.

Time expired.

11:11 AM Rep. Cohen asks if sentencing for child predators should be doubled and if that would be effective deterrent?

Sheriff Brown says we need to impose sentences as judges issue them. I would not say they need to be doubled but judges should give predators their due.

Rep. Cohen says judges find sentencing guidelines are too high. He says 71% think sentencing should not be increased.

Rep. Cohen now describing friend who was convicted of having child porn on his computer and he thinks there could have been alternative ways to handle his crime. There is no proof he did anything to children. And he probably had a brother who had some problem… Anyways, I don’t need to go into those details…

11:09 AM Rep. Steve Cohen now asking questions about system of penalties for child predators.

11:07 AM Rep. Ted Poe asks how many cases are going right now and Sheriff Brown says several hundred.

Rep. Poe asks if there would be an issue in civil litigation. Would anyone want to subpoena data that will be available for 18 months?

Rotenberg says yes, if you’re a good lawyer, you might want to subpoena data.

On Rep. Poe’s question on how they could do better job, Sheriff Brown says they could use more funding.

11:07 AM Allen says that many of the perpetrators are parents, someone trusted and in their lives. Already a hurdle to prosecutions.

11:05 AM First nugget that could make significant headlines: Ernie Allen suggests Attorney General Eric J. Holder is for data retention on all crimes. In Rep. Conyers’ line of questioning, Allen doesn’t argue against having data to go after all crimes. This just feeds into the idea that this is a way to start a system that could be expanded to track all users and not just go after child predators. This is the spread of suspect society into cyberspace.

11:00 AM Rotenberg agrees that there would have to be no wireless provider exemption if this were to work.

Rep. Conyers notes the bill might institute accidentally a data retention policy for all crime and is that over the top, Mr. Rotenberg, or just an exaggeration?

Rotenberg says that is clear from the bill. Let’s establish the ability to identify in ISP record every single user.

Rep. Conyers asks Sheriff Brown asks if he might be troubled by idea that we might set up a system that would have retention of all crime. That isn’t what you came to testify for.

Sheriff Brown says his primary concern was with the retention. I am here for that. We need more time for investigations.

Rep. Conyers says that Allen already noted you are already under-resourced. The big problem is that you don’t have resources necessary.

Sheriff Brown agrees law enforcement already needs more.

Rep. Conyers asks again if they want all crime. Don’t you just want to get at child pornography?

Sheriff Brown doesn’t quite know what to say. He is here for child porn cases, only.

10:53 AM Rep. Trey Gowdy asks if Rotenberg is willing to help a sheriff investigate a crime to strike balance between protecting privacy and

It is not clear that this proposal would make it easier to investigate child predators. This has the potential to turn 99.97% of users into criminals.

Rep. Gowdy asks if Rotenberg has a different way of doing this.

Rotenberg suggests their be more strict penalties for child predators.

Rep. Gowdy wants to know how to get computers if you cannot link to an IP address.

Rotenberg talks about information available to get access to data already available. He concedes it won’t be perfect and there may be cases that won’t be able to be solved.

Rep. Gowdy moves on to Ernie Allen and asks if computer generated images are still defended as not a real image of a child. Allen says defenses in cases still argue images aren’t really kids. And this is why we started a unit to identify child victims.

Rep. Gowdy says this is one more layer that law enforcement has to overcome. The fact we have to prove is real child and not computer-generated. He asks if other countries are cooperative.

Allen says virtual global task force is making progress. Absolutely. Interpol is working with us to collect images.

Rep. Gowdy thanks Sheriff Brown for service.

10:51 AM Rep. Scott asks if sheriffs need probable cause to sift through data. Sheriff Brown says they receive “cyber tip” and then they go to ISP to track that information.

Rep. Scott follows up and ask Rotenberg what is retained. Rotenberg then describes what’s logged and says there can be names of files that were transferred and you could see what information was transferred by reading name of files.

10:50 AM Rep. Scott, what would this data be available for?

Rotenberg says that this data could be used, if retained, for other cases like divorce, contract disputes, copyright infringement and civil subpoena cases. It may not be limited to child porn cases if the ISPs have it.

10:48 AM Rep. Scott asking if law enforcement has enough resources to pursue child predators. Allen confirms this is a problem.

10:44 AM Allen now says child pornography is exploding; 13 million child pornography images and videos reviewed last year, he alleges

We hear all the time isn’t child pornography just adult pornography. Based on what’s sent to us, overwhelmingly there is problem with kids who don’t tell when their image or video of them is put up.

Allen talks about percentage of child predators victimizing children.

Rep. Smith says he took comments from Rotenberg as sincere, constructive criticism. If it is a 50/50 decision, we are going to give law enforcement benefit of doubt.

10:43 AM Rep. Smith asks Sheriff Brown for examples of cases where ISPs were unable to not obtain data so child predators went free; Sheriff Brown essentially repeats what he said in prepared remarks

10:38 AM Marc Rotenberg’s remarks: Purpose of privacy laws is to protect privacy data that companies obtain from consumers. “Good faith” reason can push companies to turn data over governments.

Draws attention to serious concerns about data retention: We live in time where there is a great deal of data breaches. Companies are not able to provide protection. This would mandate retention of information companies might not keep. The problem is also that Section 5 and 6 create new type of immunity that has never existed. At same time that ISPs might be told to keep information, what ever happens, if improperly accessed or used, you are off the hook.

As we read Section 5 it doesn’t have qualifying language that normally exists when ISPs cooperate with investigations.

Section 6, that creates “good faith” defense is quite broad and would apply under any other law. There are many state laws that require companies to notify consumers when a breach occurs. Now it appears ISPs will not be obligated to notify consumers of harms.

Problem is not just data retention obligation but also the immunity being offered.

Additionally, clearly a movement toward data minimization in security field. It’s a sensible approach that prevents misues. Data retention pulls in wrong direction.

European countries have tried to implement sweeping data retention requirement and users have objected. Users, ISPs and others have objected. Coruts have found obligations unconstitutional. Please consider this.

10:36 AM Sheriff Brown concludes that the act will ensure the predators, most vilest of society, are punished. It will allow us to protect against evil in the world.

10:35 AM ISPs hold data records for days or months. Lack of uniformity in data retention time can significantly hinder law enforcement’s ability to track down child predators. Rep. Lamar Smith and Rep. Debbie Wasserman-Schultz have introduced this legislation to address this problem and ensure that when law enforcement contacts ISPs identifying information will still exist.

Sheriff Brown describes a case where they were trying to get information on child predator and the ISP only kept information for 30 days. He says this and hundreds like it demonstrate need to make sure ISPs retain data for significant and standard period of time.

10:33 AM Expansion and development of technology has allowed child porn to become epidemic, says Sheriff Brown. Law enforcement often has tough time unmasking child predators on Internet.

10:31 AM Sheriff Brown begins remarks. He’s a retired officer and part of a National Sheriff’s Association.

10:25 AM Allen says center identifies child porn sites with method of payment. Law enforcement makes purchases and captures information that is reported to payment company so they are able to stop payments.

On Section 2, want to make sure nothing in bill prevents financial companies from stopping payments

On Section 4, we think data retention is reasonable and balanced approach. It doesn’t mean content retained but that connectivity data is retained. We have to establish linkage between IP address and a persons. This is analogous to records phone companies are required to keep.

Many companies have policy on data retention but very widely policies are not kept consistently.

10:22 AM Ernie Allen giving remarks now.

10:21 AM Rep. Conyers concludes: Limit law enforcement’s access to Internet pornography crimes against children. It would institute a data retention requirement for all crimes including street crimes.

The bill’s title is a misnomer. It’s not really about protecting children from this crime. It would not exempt wireless providers and would target child exploitation

10:20 AM Rep. Lamar Smith stops Rep. Conyers to say they are working out way to not exempt wireless providers

10:18 AM Rep. John Conyers continues The ACLU, Center for Democracy & Technology, EPIC and some Internet providers and advocates of children oppose the bill. It fails to protect children from Internet pornographers.

First, eliminate exemption of data retention mandate for wireless providers. They’ve got to be included. If it’s important, why wouldn’t we include them? The bill in current form exempts every wireless service that exists. If it’s good enough for others, it might be very important for wireless internet providers.

10:15 AM Rep. John Conyers (D-MI) discussing the legislation. He says protecting children from child pornographers is laudable and a noble objective but the problem is that the legislation, if enacted, would not achieve that goal. It does other damage that doesn’t exist, would create whole new host of problems. It is not accidental that there are negative views about this proposal that are shared by a wide group of leaders and other organizations.

10:14 PM Internet has become virtual playground for sex predators. Rep. Lamar Smith concludes remarks.

10:13 AM Data retention allows law enforcement to get the abusers and stop children from being abused. By the time investigators discover child pornographers, ISPs have already purged the records. Claims both Democrats and Republicans have wanted data retention for decade. ISPs in deleting records delete data to save a child.

The bill strengthens child witnesses and victims.

10:10 AM Rep. Lamar Smith reading his prepared remarks says that this will protect our children from pornography. He claims that ISPs make it difficult if not impossible to access data to apprehend child pornographers.

Bill does not threaten any legitimate privacy interest of Internet users, Smith claims.

Smith says the 18-month data retention requirement mirrors a requirement that has been placed on phone companies.

10:06 AM Rep. Bobby Scott  reads prepared remarks and says  data retention requirement, which adds unknown costs to ISPs. Information before me doesn’t indicate there will be benefit.

In 80% of cases they are able to obtained the data they need. ISPs already hold data for 6-12 months. Rather than addressing the myriad factors against child pornography prosecutions, bill focuses on data retention requirements.

Bill ignores issues of resources and it could add data that would exacerbate an already growing back log of cases.

DOJ has more data than it has adequate personnel to investigate. Budgets cuts already call for cuts to number of FBI agents.

Blanket exemption for all wireless providers, in addition to child porn cases, is concerning. By the end of the year, there were over 300 million wireless connections in the US. This exemption undermines the legislation.

Could data be vulnerable to hacking? Concerns we need to look into.

I too am concerned about the administrative subpoena.

Anonymous Plans Series of Leaks to Show Intelligence Community’s Vulnerability

4:27 pm in Uncategorized by Kevin Gosztola

Anonymous hacked into Booz Allen Hamilton, a US public consulting firm who primarily does work as a federal contractor for the US government on defense and homeland security matters. They infiltrated the company’s server, ran their own application and began to “plunder some booty.”

Ninety thousand military emails were and password hashes were allegedly hacked in a move that led Anonymous to declare in a press release, “Thanks to the gross incompetence at Booz Allen probably all military personnel of the US will now have to change their passwords.”

The “mangling” of Booz Allen was a part of “Military Meltdown Monday.” And they planned more releases in the coming days.

Unlike WikiLeaks, the success and impact of an Anonymous release of data or information does not depend upon the content of the data. One can download the data, but, for many of the releases, there may be little to be gained from it if you are looking for details on the inner operations of Booz Allen (or if you know next to nothing about hacking and unpacking encrypted data).

The content of this release is primarily military emails and passwords.

What makes the hack important is the hack itself—the mere fact that a hack took place. Anonymous has demonstrated to those who do business with Booz Allen Hamilton, like the US government, that it does not take proper precautions to protect its operations from cyber attacks. Anonymous has shown this contractor is vulnerable, which could essentially cost Booz Allen business.

Booz Allen was allegedly targeted because of its involvement in numerous electronic surveillance activities. Anonymous recalls how they uncovered a program after they hacked HBGary’s email server in February. The program uncovered showed several companies were involved in a military project “designed to manipulate social media.”

The main aims of the project were two fold: Firstly, to allow a lone operator to control multiple false virtual identities, or “sockpuppets”. This would allow them to infiltrate discussions groups, online polls, activist
forums, etc and attempt to influence discussions or paint a false representation of public opinion using the highly sophisticated sockpuppet software. The second aspect of the project was to destroy the concept of online anonymity, essentially attempting to match various personas and accounts to a single person through recognition shared of writing styles, timing of online posts, and other factors. This, again, would be used presumably against any perceived online opponent or activist.

[For more on the planned Sockpuppet Army, go here.]

One of the companies that they discovered were involved in this project, which they called Operation Metal Gear, was Booz Allen. They say they had been planning this hack for quite some time but somehow “Expect Us” didn’t preven them from an “epic security fail:”

…Anonymous has been investigating them for some time, and has uncovered all sorts of other shady practices by the company, including potentially illegal surveillance systems, corruption between company and government officials, warrantless wiretapping, and several other questionable surveillance projects.
All of this, of course, taking place behind closed doors, free from any public
knowledge or scrutiny.

“For the lazy,” Anonymous put together a release that contained information on the company they just embarrassed.

They noted the following individuals, who have held positions in federal government or now currently hold positions in the federal government and have worked for Booz Allen:

*John Michael “Mike” McConnell, Executive Vice President of Booz Allen and former Director of the National Security Agency (NSA) and former Director of National Intelligence.

* James R. Clapper, Jr., current Director of National Intelligence, former
Director of Defense Intelligence.

* Robert James Woolsey Jr, former Director of National Intelligence and head
of the Central Intelligence Agency (CIA).

* Melissa Hathaway, Current Acting Senior Director for Cyberspace for the
National Security and Homeland Security Councils

They highlighted a 2007 Democracy Now! interview with investigative journalist Tim Shorrock, who reproted on Booz Allen’s involvement as a sub-contractor in the Trailblazer and Pioneer Groundbreaker programs at the US National Security Agency (NSA).

Trailblazer is a data mining program that ended up costing about $4 billion and didn’t work well. It’s the program that the NSA wound up using, which NSA whistleblower Thomas Drake spoke out against because he knew there was a program called ThinThread that would likely be more efficient. Drake was afraid Trailblazer would be a waste of taxpayer money and that it called for illegal and unconstitutional surveillance. (Drake is one of the whistleblowers the Obama Administration has pursued in its war on whistleblowing.)

Shorrock described Groundbreaker:

Booz Allen was a chief advisor to another program, which was the NSA’s internal communications. This was a program called Groundbreaker. And all of these programs are analyzing, you know, the phone calls that they intercept, the government communications from abroad they intercept. And when they’re intercepting phone calls between US citizens and people abroad, the corporations are involved. They have people there working not only as just technical advisors, but also doing analysis. And so, if the NSA is listening in on our phone calls, you can bet that Booz Allen is participating in that.

Part of the “AntiSec” or anti-security movement that Anonymous is intent to inspire, this hack came days after hacking IRC Federal, which is an IT contractor that does work with US federal agencies like the FBI and NASA.

It is groups like Anonymous that have claimed headlines recently and put members of Congress and people in government on alert. Cybersecurity hearings have become a regular thing on Capitol Hill, as the government works to develop and enact a national cybersecurity policy to prevent the hacks like the ones Anonymous perpetrates.

In a cybersecurity hearing organized by Republican Rep. Darrell Issa last week, Democratic Rep. Elijah Cummings said he hoped law enforcement got all the tools necessary to go after hackers. Republican Rep. Blake Farenthold wondered how the US might go after “hobby hackers” because not a day goes by now that he doesn’t have to download some update to his McAfee software.

Greg Schaffer of the Homeland Security Department declared, “There is no security issue facing our nation more pressing than cybersecurity.”

“The reality is the United States is increasingly confronted by a dangerous cyber environment where threats are more targeted, they’re more sophisticated and more serious than they’ve ever been before,” he said, “Hackers probe critical infrastructure companies on a daily basis. The status quo is simply unacceptable.”

The attacks from Anonymous, however, do not seem intent to sabotage critical infrastructure of any company. Up to this point, the attacks are all political and designed to call attention the world wide apparatus of surveillance—the burgeoning national security state that has grown in the aftermath of 9/11.

The companies targeted are the companies most likely to go after Anonymous. They are the companies that threaten the ability of members of the group to remain anonymous.

Anonymous is the closest thing the US and possibly the world has to an anti-security movement that can make headlines and draw attention to the ways that companies are becoming increasingly powerful and more capable of intruding into people’s privacy and violating their civil liberties.

It may not seem like a traditional resistance group. What Anonymous is doing is providing the space and cover for an offline movement to actually challenge the surveillance state that citizens have learned to live under without being appalled or upset with it much at all.

New US International Cybersecurity Strategy: Using the Language of Open Internet Advocates to Expand Power

12:15 pm in Uncategorized by Kevin Gosztola

WikiLeaks Omitted from the US International Cybersecurity Strategy

The United States officially launched its international cybersecurity strategy in a White House event on Monday, May 16. Secretary of State Hillary Clinton joined by the following administration officials: John Brennan, the president’s counterterrorism and homeland security adviser; Howard Schmidt, White House cybersecurity coordinator; Attorney General Eric Holder; Secretaries Janet Napolitano of Homeland Security and Gary Locke of Commerce; and Defense Deputy Secretary William Lynn.

The presentation of the cyber security presented several principles, outlined the approach the US intends to take in the further development of cyber security protections, and indicated how the US might use the Internet to preserve its status as a superpower in the world.

Featured during the presentation were seven principles, which appear in the framework: economic engagement, protecting networks, law enforcement, military cooperation, multi-stakeholder Internet governance, international development and Internet freedom. Within the presentation, Clinton sought to explain that cyber crime, Internet freedom and network security could no longer be “disparate stovepipe discussions.”

At no time during the launch of the strategy was WikiLeaks mentioned. Not even Clinton bothered to mention it, despite the fact that she heads a State Department that had their department’s classified information leaked and published by media organizations and continue to have new information published each day.

Yochai Benkler, faculty co-director of the Berkman Center for Internet and Society, has detailed the following:
Read the rest of this entry →

At US Chamber of Commerce, US Government Strategy for “Identity Ecosystems” in Cyberspace Unveiled

12:54 pm in Uncategorized by Kevin Gosztola

The National Strategy for Trusted Identities in Cyberspace (NSTIC), which some believe could establish and require Internet users to have ID on the Internet, was unveiled today at the US Chamber of Commerce. NSTIC aims to establish “identity ecosystems,” what the National Institute for Standards in Technology describes as a “a user-centric online environment, a set of technologies, policies, and agreed upon standards that securely supports transactions ranging from anonymous to fully authenticated and from low to high value.”

Secretary of Commerce Gary Locke delivered the following remarks:

“I’m optimistic that NSTIC will jump-start a range of private-sector initiatives to enhance the security of online transactions. This strategy will leverage the power and imagination of entrepreneurs in the private sector to find uniquely American solutions. Other countries have chosen to rely on government-led initiatives to essentially create national ID cards. We don’t think that’s a good model, despite what you might have read on blogs frequented by the conspiracy theory set. To the contrary, we expect the private sector to lead the way in fulfilling the goals of NSTIC. Having a single issuer of identities creates unacceptable privacy and civil liberties issues. We also want to spur innovation, not limit it. And we want to set a floor for privacy protection that is higher than what we see today, without placing a ceiling on the potential of American innovators to make additional improvements over time. “

What might this mean for the Internet as citizens of the world know it today? As the US government, in cooperation with the private sector, works to preserve cyber infrastructure or networks that it considers to be “strategic national assets,” how might this protection of assets fundamentally alter key characteristics of the Internet, which many have grown to appreciate? In the age of WikiLeaks and Anonymous, in an era where the US government has been unable to prevent the Chinese government and military from stealing usernames and passwords for State Department computers, it seems that this strategic plan could transform the Internet into a realm that requires you to prove your identity with an approved and issued identification card every time you move in to a new website.

President George W. Bush, in the aftermath of the September 11th attacks, used the climate to fundamentally transform security. The “global war on terror” was launched and the Bush Administration led a conditioning and recalibration of the way citizens in the country thought of civil liberties. This made possible a warrantless wiretapping program, which the American Civil Liberties Union (ACLU) considers to be “part of a broad pattern of the executive branch using “national security” as an excuse for encroaching on the privacy and free speech rights of Americans without adequate oversight.”

The memory of a horrific tragedy allowed for the metamorphosis of society into a suspect society. Born were two wars in Afghanistan and Iraq. Other countries became zones for launching unmanned aircraft or drone strikes. And, citizens saw the US government detain and imprison indefinitely terror suspects in Guantanamo Bay, Baghram Air Force Base and other prisons denying them due process and in many cases subjecting them to harsh interrogations or torture.

All of these developments have, for the most part, become something US citizens have found a way to justify. In a society where citizens are told “if they see something, say something,” they believe the escalation of security, the detention, the strikes, and all the expansions of the deep state, which controls and operates the national security apparatuses in the US, is allowable. The civil liberties one has are not to be given up except in cases where one might be in danger and then, in that case, it is okay. So, in the past months, the Transportation Security Administration (TSA) expanded the scope of its security forcing travelers to go through body scanners that might pose a risk to travelers’ health because of radiation or be subject to a pat-down procedure that if witnessed in public by a police officer would likely lead to the arrest of the person doing the pat-down.

Now, the connecting of systems in more and more ways, the increased complexity that has come as a result of innovation and the reality that, without cyber-connectivity, the economy of the United States could grind to a halt and its national security could be breached has pushed the US government in the past years to work in concert with the private sector to begin to bring order to a networked public sphere that many value because it does not require you to authenticate your identity and does not require you to be inspected before moving along to your destination.
Read the rest of this entry →

Security Contractor HBGary Tries to Protect US from Anonymous, WikiLeaks

3:03 pm in Uncategorized by Kevin Gosztola

We Are Anonymous by OperationPaperStorm

HBGary Federal, provider of classified cybersecurity services to the Department of Defense, Intelligence Community and other US government agencies, has opted over the past months to go to war with the group of WikiLeaks supporters known as Anonymous. The Tech Herald reported today on HBGary Federal and two other data intelligence firms “strategic plan” for an attack against WikiLeaks.

The company is considered to be “a leading provider of best-in-class threat intelligence solutions for government agencies and Fortune 500 organizations.” It provides “enhanced threat intelligence” so “the federal government can better protect our national cyber infrastructure.”

Almost a year ago, the company received an extension to their contract with the US Department of Homeland Security to “conduct a series of hands-on memory forensics and malware analysis training events with local, state, and federal law enforcement officials around the country.” A company contracted by the government to help out with cybersecurity initiatives for the United States is spending company time and resources and possibly even taxpayer money going after individuals who support WikiLeaks and spend lots of time in a chat room talking about what they can do to defend freedom of expression. The CEO of this cybersecurity service company is targeting a group that poses no threat to the government infrastructures it is supposed to be protecting from real cyber criminals.

Along with Palantir Technologies and Berico Technologies, which both have worked to help the government in some capacity, HBGary developed a proposal called “The WikiLeaks Threat.” They requested that the law firm Hunton and Williams meet with Bank of America. The law firm held a meeting on December 3, and they began to plan against WikiLeaks. According to Tech Herald, Hunton and Williams would “act as outside council on retainer,” Palantir would “take care of network and insider threat investigations” and Berico Technologies and HBGary would “analyze WikiLeaks” to find if “WikiLeaks was hosting data in certain countries and make prosecution easier.” CEO Aaron Barr also led an infiltration into Anonymous, hoping to unearth identification information that could unveil who these people are that are operating in support of WikiLeaks.

HBGary and Palantir are partners. Palantir Technologies has been sought by the CIA, DHS and FBI to help government analysts “integrate unstructured open source information with data from various agency databases to analyze them for outstanding correlations and connections in an attempt to mitigate the burden of rummaging around through the immense amount of information available to them.” Either Palantir Technologies found the time to stop serving government and work with Hunton and Williams to help Bank of America stop WikiLeaks from releasing documents that might impact Bank of America operations, or, possibly the US government had given tacit approval to Palantir to participate in this operation.

Berico Technologies worked with the National Security Agency (NSA) to invent technology that “made finding roadside-bomb makers easier and helped stanch the number of casualties from improvised explosive.” They also decided to participate in this initiative or, again, possibly someone in the US government suggested private corporations begin to go after WikiLeaks.

The three security service companies proposed the following tactics for going after WikiLeaks: “Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done. Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.” Part of their plan involves turning Salon’s Glenn Greenwald against WikiLeaks.

HBGary counts as an advisor Andy Purdy, who was a member of the White House staff team that helped to draft the U.S. National Strategy to Secure Cyberspace in 2003. He joined the Department of Homeland Security and served on “the tiger team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT).” He worked for three and a half years and spent the last two heading the NCSD and US-CERT as a “Cyber Czar.” With HBGary he is involved in an Anonymous style hacktivist attack.

For fiscal year 2011, the federal budget for homeland security will provide “$364 million to the Department of Homeland Security to support the operations of the National Cyber Security Division which protects Federal systems as well as continuing efforts under the Comprehensive National Cybersecurity Initiative to protect our information networks from the threat of attacks or disruptions.” Should companies engaged in this kind of conduct be allowed to take government money to fund their company’s operations, which are supposed to protect government cyber infrastructure?

HBGary’s infiltration led to the company “getting pwned.” Anonymous figured out what was going on and seized HBGary’s domain, temporarily posting this image—a letter with an opening line that reads “claims of ‘infiltrating’ Anonymous amuse us, and so do your attempts at using Anonymous as a means to garner press attention for yourself.”

Even though Anonymous is known to have hacked into companies like PayPal and Visa, does HBGary or any other cybersecurity service have any business mounting operations to infiltrate or target anyone linked to Anonymous? Unless HBGary is working for the FBI, it does not seem as though they should be allowed to engage in such activity.

The president of HBGary, Penny Leavy, says, “Today’s sophisticated cybercriminals require a sophisticated approach to network security.” That may be true. But, one might ask Leavy, “Do today’s sophisticated cyber activists require amateur cyber snoops?”

*Post originally appeared at