There's been, since Tuesday, March 7, a remarkable turn of events regarding our spy and security agencies in this country - people are actually talking openly about it, and telling what those spook folks are using.
And guess what?
We told you about it more than two years ago.
So, we're going to re-issue - for free - what our publication brought to you in late 2014-early 2015 as a warning of what was being utilized at the time to spy on YOU...and we want you to think: If they're only just now admitting to it, and we wrote about it more than two years ago, what all have they collected from you in that amount of time? What all are they currently collecting on you? What are they going to collect in the future?
Maybe not a lot, if you read and take heed. This nonsense has to stop, and in order to stop it, we all must be aware. Here are Chris' Tech Talk columns from more than two years ago, reproduced here in full, formerly only available in print or at the e-Edition, with links embedded.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Getting “stung” by the “ray” of the cell-phone capture device, the StingRay
DECEMBER 10, 2014
Yes, it’s out there, and yes, they’re using it on you.
Steven Spielberg’s 2002 movie Minority Report was based on a futuristic vision of the year 2054. Many of the spectacular advances we saw in the film are actually either in use now or are almost ready for the marketplace. It’s been 12 years since the movie Minority Report first hit theaters. 3D TVs are now here and improving. Multitouch gesture-based computer interfaces are now commonplace on iPads, tablets and video game systems. Google and Tesla have computer-guided cars that drive themselves with astonishingly little input from the “driver.” Facebook and Google are spookily good at personally targeted ads online that follow us even off their own sites, recommending that we buy stuff we’re already interested in buying. And the company Eyelock has already begun rolling out its HBOX iris recognition security system that scans users’ eyes and cannot even be foiled by sunglasses. It confirms your identity within a fraction of a second. The HBOX is currently being installed by Fortune 100 companies including financial services, banking, media, insurance and the health sectors.
In the film, Tom Cruise’s character is tracked and monitored throughout the movie as he tries making his way across town, eventually resorting to getting a black market eye transplant to foil detection from the eye scanners. As frightening and Orwellian as that very real and prophetic scenario is, I’m here to warn you about an even more nightmarish scenario that is already here.
An eye scan can’t tell where you’ve been, or when. An eye scan can’t tell who your friends are, or who you talked to and what was said. Or, take pictures and video evidence…but your cellphone already can and does! And, if you’re like me and most people, you probably carry your cellphone with you everywhere. 24/7. It’s in your pocket, purse or hand or on your nightstand as you sleep. It rarely leaves your body and is usually charged and on at all times.
The ubiquitous cell phone
Cell phone use has become ubiquitous. According to The American Civil Liberties Union and the Center for Democracy & Technology, more than 90 percent of American adults own cell phones and more than a third of US households have ONLY wireless telephones.
The last time I heard of a landline phone in my circle was the story of a friend’s sister buying an old model corded phone off Amazon and her calling her sister to ask how to “activate” it. She was devastated when she learned she had to call the phone company to schedule someone to come out to actually run a physical wire to it and couldn’t add the phone to her current cellphone bill but needed a separate service and bill to use it.
The amount of information conveyed by these devices about one’s activities, whereabouts and interactions is considerable. As one attorney explained: “Because we carry our cellphones with us virtually everywhere we go, …(they) can paint a precise picture of where we are and who we spend time with, including our location in a lover’s house, in a psychologist’s office or at a political protest.”
Spielberg said of the tech in the movie years ago, that if it did exist, those in control of it would undoubtedly abuse its powers. Those who advised him on the film told him that “the right of privacy is a diminishing commodity” which will soon be thrown “right out the window.”
Welcome to that future where, as predicted, those in power are undoubtedly abusing their power to thwart privacy, illegally collecting information without a warrant, deleting evidence, committing perjury, and compromising the security of this country by obfuscation and intimidation, all under the guise of fighting “terrorism.”
Tracking cell phones with a fake cell phone tower
Distributed to local police agencies as a result of grants from the Department of Homeland Security (DHS), StingRays are one of many new technologies used by law enforcement to track individuals’ cell phones—and their owners—without a court warrant or court order. Their use is driving a constitutional debate about whether the Fourth Amendment, which prohibits unreasonable searches and seizures, but which was written before the digital age, is keeping pace with the times.
A StingRay works by mimicking a cellphone tower, getting all phones to connect to it within a mile and measuring signals from the phone. It lets the StingRay operator “ping,” or send a signal to, a phone and locate it, as long as it is powered on, without police having to contact a wireless service provider like AT&T or Verizon. By collecting data on the identification and location of all phone communications within range, and then forwarding the signal on to the nearest real cell phone tower, the StingRay collects data including all outgoing numbers dialed for phone calls and text messages and the identification for a phone, which can be used to obtain call and text history. As the StingRay is usually mounted in a police vehicle, it can stay mobile and, due to the lack of familiarity the public has with the device, would be difficult to identify.
The device has various humanitarian uses, including helping police locate suspects and aiding search-and-rescue teams in finding people lost in remote areas or buried in rubble after an accident. The technology is accurate up to 3 meters in locating a subject. But the public is ignorant of how their mobile devices are perfect tracking devices. In fact, every smart phone is an adept location-tracking device because it constantly sends signals to nearby cell towers, even when it’s not being used.
An “INVITATION TO BID” for a “StingRay II System/Parts/Training, Installation & Integration of StingRay II System in Chevrolet Tahoe, and a 2012 Chevrolet Tahoe” (St. Louis Metropolitan Police Department) was placed in 2012 by members of the St. Louis Board of Police Commissioners. StingRays were in use in Ferguson when Disclosure provided live streaming coverage. Visual surveillance was being conducted on the protestors, and a StingRay was being used to download the IMSI, or unique identifier from each phone, within a protest area. After identifying the phones, locating and tracking operations could be conducted, and cell phone service providers can be forced to turn over account information identifying the phone users.
To simply take inventory through the identifying of phone numbers of all the people who might be there, including those of us who are just journalists watching or ordinary civilians just going about their business...and then end up with their personal information and telephone numbers in some FBI file somewhere – that’s troubling.
Uses
At an average cost of $100,000+, StingRays are not cheap. They are being paid for mostly by Homeland Security grant money distributed by the various state and Federal Emergency Management Agency (FEMA) agencies, under programs such as the Urban Areas Security Initiative (UASI) or the State Homeland Security Program (SHSP). Grant applications from several agencies show local law enforcement are justifying the purchase of StingRay technology as an anti-terrorism tool, but it’s being used to apprehend and prosecute suspects in routine crimes, from robberies to homicides.
The Los Angeles Police Department (LAPD) got a DHS grant in 2006 to buy a StingRay. The original grant request said it would be used for “regional terrorism investigations.” Instead LAPD has been using it for just about any investigation imaginable.
In just a four-month period in 2012, according to documents obtained by the First Amendment Coalition, the LAPD has used the device at least 21 times in “far more routine” criminal investigations.
In 2009 in Oakland, California, none of the 19 arrests made using their StingRay were related to terrorism.
The Wall Street Journal recently revealed that the US Marshals Service, a sub-agency under DOJ’s control, operates a small fleet of Cessna aircraft that are currently flying from at least five metropolitan-area airports, with a flying range covering most of the U.S. population. According to people familiar with the program, they are using StingRays to grab up masses of cellphone data to map and feed some kind of database that began around 2007.
The Electronic Frontier Foundation (EFF) discovered that the Drug Enforcement Agency (DEA) is using StingRays along the southwestern border. Other documents tweeted out by the ACLU’s Chris Soghoian show Immigrations and Customs Enforcement use them too, and we know also the DHS has at least discussed attaching cellphone interception gear to the large Predator surveillance drones that are roaming along our border (and often times far inside).
The government has used “terrorism” as a catalyst to gain powerful new surveillance tools or abilities, and then they turn around and use them on ordinary citizens, severely infringing on civil liberties in the process.
StingRays are particularly odious given they give police dangerous “general warrant” powers, which the founding fathers specifically drafted the Fourth Amendment to prevent. In pre-revolutionary America, British soldiers used “general warrants” as authority to go house-to-house in a particular neighborhood, looking for whatever they please, without specifying an individual or place to be searched.
The StingRay is the digital equivalent of the pre-revolutionary British soldier. It allows police to point a cell phone signal into all the houses in a particular neighborhood, searching for one target while sucking up everyone else’s information along with it. With one search the police potentially invade countless private residences at once.
At the same time, law enforcement has attempted to use them while avoiding many of the traditional limitations set forth in the Constitution, like individualized warrants. This is why we called the tool “an unconstitutional, all-you-can-eat data buffet,” says the EFF.
Senator Edward J. Markey (D-MA) has sent detailed questions to Attorney General Holder about the recent reports that US Marshals have deployed aircraft equipped with StingRays to capture mobile phone communication. Senator Markey wrote, “the sweeping nature of this program and likely collection of sensitive records...raise important questions about how the Department protects the privacy of Americans” with no connection to unlawful activities. Electronic Privacy Information Center (EPIC) has filed amicus curiae briefs in the U.S. Supreme Court and the Supreme Court of New Jersey arguing that location tracking is a search under the Fourth Amendment and should only be conducted with a judicial warrant.
History — The Feds
The technology was originally developed for the military and intelligence agencies, including the NSA, and is part of the growing and controversial trend of local police departments obtaining military hardware and spy craft technologies throughout the United States.
EPIC successfully sued the FBI this November to obtain documents about the agency’s use of StingRay devices. Documents released to EPIC indicate the FBI has used such cell site simulator technology to track and locate phones and users since at least 1995. The Bureau has worked diligently to keep policy and operational particulars alike secret. The FBI routinely loans out StingRay and related devices to local police. FBI and Department of Justice officials say investigators don’t need search warrants because it “does not intercept communication, so no wiretap laws would apply.” Interesting, since one of the nicknames given to StingRays is an “interceptor.”
This month, the Supreme Court will hear arguments over whether or not police need a warrant before secretly installing a GPS device on a suspect’s car and tracking him for an extended period.
Stingray, FishHawk, Gossamer: Spying by any other name is still SPYING
JANUARY-FEBRUARY, 2015
The FBI uses the StingRay to track suspects and says that it does not use the tool to intercept the content of communications. However, this capability does exist. Procurement documents indicate that the StingRay can also be used with software called “FishHawk,” which boosts the device’s capabilities by allowing authorities to eavesdrop on conversations. Other similar Harris software includes “Porpoise,” which is sold on a USB drive and is designed to be installed on a laptop and used in conjunction with transceivers—possibly including the StingRay—for surveillance of text messages.
Although StingRays can capture the content of phone calls and text messages, law enforcement sources and documents from the Harris Corporation say devices configured for the US law enforcement market don’t have that capability but are capable of capturing voice communications.
Harris also sells a similar device called the Gossamer. It can be used to perform a denial-of-service attack on phone users, blocking targeted people from making or receiving calls, according to marketing materials published by a Brazilian reseller of Harris equipment.
Government Contractor in Bed with the FEDs
The StingRay family of trackers is manufactured by the Harris Corporation (http://harris.com/), a military contractor with $5 billion in annual revenue and headquarters in Melbourne, Florida. Details about the devices are not disclosed on the Harris website, and marketing materials come with a warning that anyone distributing them outside law enforcement agencies or telecom firms could be committing a crime punishable by up to five years in jail.
Similar devices are sold by other government spy technology suppliers, but U.S. authorities have awarded the Harris company “sole source” contracts because its spy tools provide capabilities that authorities claim other companies do not offer. The StingRay has become so popular, in fact, that “StingRay” has become a generic name used informally to describe all kinds of IMSI catcher-style devices. StingRays are also referred to as interceptors, dirtboxes, Triggerfish, IMSI Catcher, Cell-site Simulator or Digital Analyzer among many others.
Hush-hush
Many local police departments across the nation have obtained the technology and have kept its use secret, citing nondisclosure agreements with Harris Corporation, the technology’s manufacturer, and the FBI. The Harris Corporation has forced law enforcement agencies to sign a non-disclosure agreement explicitly prohibiting them from telling anyone, including other government bodies, about their use of the secretive equipment.
Various released FOIA documents have confirmed Harris, the FBI & the FCC’s intimate involvement in requiring law enforcement agencies all across the U.S. that are interested in using the devices to sign a nondisclosure agreement.
According to a document obtained by the ACLU, the FCC grants Harris Corporation permission to sell a city a StingRay device. Because the device intercepts and interferes with cellphone networks, which are regulated by federal law, Harris Corporation needed the FCC’s approval.
Two heavily redacted sets of files released last month show internal Justice Department guidance that relates to the use of the cell tracking equipment, with repeated references to a crucial section of the Communications Act which outlines how “interference” with communication signals is prohibited.
It’s a small but significant detail. Why? Because it demonstrates that “there are clearly concerns, even within the agency, that the use of StingRay technology might be inconsistent with current regulations,” says EPIC attorney Alan Butler. “I don’t know how the DOJ justifies the use of StingRays given the limitations of the Communications Act prohibition.”
“It’s not clear to me why the FCC would have an interest in requiring law enforcement agencies to sign NDAs with the FBI, unless they were concerned that the spread of this technology could harm users of American communications networks.”
“It’s part and parcel of the militarization of local police driven by federal grants without local notice or debate,” says Doug Honig, communications director at the ACLU of Washington. “The nondisclosure agreement puts elected officials and the public in a position of the police having a powerful surveillance device but not being allowed to tell the public fully what it does.”
The fact that the FBI receives notification from Harris that police departments are even interested in a StingRay reveals a surprising level of coordination between a private corporation and a federal law enforcement agency. The agreement also makes clear that completing the NDA is compulsory by order of the FCC.
The excuse for keeping secret the fact that police departments across the country have this technology is “that criminals or terrorists could use the information to thwart important crime-fighting and surveillance techniques.”
Deleting evidence — no breadcrumbs
It was revealed to The Wall Street Journal that the FBI considers the devices to be so critical that it has had a policy since the 1990s of deleting all information obtained during a location operation when using StingRay-type gear, mainly to keep suspects in the dark about their capabilities.
Evidence gathered by StingRays raises concerns. Defense lawyers argue that a proper search warrant is not being served, because among other things, it allows investigators to delete all the tracking data and evidence collected, rather than reporting it back to the judge.
But it is “odd” for a search warrant to allow deletion of evidence before a case goes to trial, says Paul Ohm, a professor at the University of Colorado Law School and a former computer-crime attorney at the Department of Justice. The law governing search warrants specifies how the warrants are to be executed and generally requires information to be returned to the judge.
Even if the court finds the government’s actions acceptable under the Fourth Amendment, deleting the data is “still something we might not want the FBI doing,” Mr. Ohm says.
The government says the data from the use of the StingRay has been deleted and isn’t available to the defendant.
Perjury
Emails released earlier this year through the Freedom of Information Act showed that the US Marshals Service was literally encouraging local police to deceive judges into believing information obtained through StingRays was actually coming from a “confidential source” and not gathered by a StingRay device.
Police in Florida, at the request of the U.S. Marshals Service, using StingRays, have been routinely telling judges, in applications for warrants, that they obtained knowledge of a suspect’s location from a “confidential source” rather than disclosing that the information was gleaned using a StingRay.
In emails sent by Sarasota police Sgt. Kenneth Castro to colleagues at the North Port (Florida) Police Department, Castro informs his colleague that the application should be revised to conceal the use of the surveillance equipment. “In the past,” Castro writes, “and at the request of the U.S. Marshalls (sic), the investigative means utilized to locate the suspect have not been revealed so that we may continue to utilize this technology without the knowledge of the criminal element. In reports or depositions we simply refer to the assistance as ‘received information from a confidential source regarding the location of the suspect.’ To date this has not been challenged, since it is not an integral part of the actual crime that occurred.”
Two weeks earlier agents from the Marshals Service took the extraordinary measure of seizing other public documents related to StingRays from the Sarasota Police Department in order to prevent the ACLU from examining them. Only hours before ACLU attorneys arrived for a FOIA appointment to view the documents, someone from the Marshals Service swooped in to seize the documents and cart them to another location.
No Stool Pigeons here (case dropped to protect how StingRays work)
Prosecutors withdrew evidence in a Baltimore Circuit Court this November after a local judge threatened to hold a police detective in contempt of court for refusing to disclose how police located a 16-year-old robbery suspect’s phone. Once the Baltimore Police were able to locate the suspect’s phone, they then searched his house and found a gun as well. Prosecutors sidestepped the threat by agreeing to withdraw all the evidence police had gathered using the StingRay.
It was the second time since September that prosecutors had given up evidence rather than divulge the details of how it was obtained, citing a “classified” DHS nondisclosure agreement.
Hanni Fakhoury, a lawyer with the EFF and a former federal public defender, says, “[The detective] may have been following orders but it’s ridiculous that superiors, whether police or prosecutors, direct officers to evade answering questions about surveillance technology that is now widely known about. It’s even more remarkable the prosecutors simply chose to not use the evidence rather than disclose details about it. That says a few things: first, maybe we don’t really need the surveillance if the government can prove a criminal case without the evidence they gather from it (though that remains to be seen in this specific case). Second, that the technology must really be capable of some remarkable things if the government is so desperate to keep it under wraps.”
Orwellian spying destroying US tech jobs
FEBRUARY-MARCH 2015
Are you reading this article online? If so, understand that the device you are on is infected. And right now, this very second, the likelihood that someone or something is watching and logging that you are even reading this article, when you’re reading it, where you are reading it, what you clicked on before or after it, your whole and complete history on the internet, who you talk to, where you’ve been, what you read, your likes, your dislikes, your darkest secrets, on your phone, or even that old ancient computer that is not, and never has been, connected to the Internet in any way, shape or form, uh, yeah. Afraid so. It’s not even in debate. Yes, there is an overwhelmingly high probability that they are ALL infected!
iPhone, Android, iPad, tablet, laptop, desktop, Mac, Windows, Linux, UNIX, your smart TV, Internet phone, Internet, no Internet, the 10-year-old computer in storage in your closet…does not matter…you and every one of those machines ARE infected and being watched!
Whether your cell phone is on, off, when you think the battery is dead…doesn’t matter. It’s listening. All of that is being saved and gone through by either a computer program and/or an actual human being somewhere. Your new Samsung smart TV with a webcam so you can Skype to grandma or talk to it instead of using the remote…is constantly recording with its microphone every conversation inside your house. Recording with the video camera anything it sees or that passes past its lens. Most of them with facial recognition software enabled. It knows WHO you are, WHAT you said, and never forgets. It knows who your known associates are, who your friends are, when they come over, what you talk about, what you like, what they like, what scares you.
But WHO has infected and hacked into all your stuff, you ask. Russian spyware trying to sell you Viagra? Somalian princes trying to sucker you out of your life’s savings? ISIS terrorists trying to fund their cause? Some zit-faced geeky twelve-year-old deep in his parents’ basement trying to add your credit card or bank information to a list of millions of stolen credit card numbers to sell on the black market? Nope. None of those. It’s YOUR government. In what is being called the most colossal and the mother of all hacks EVER, the NSA has not only exceeded their reach into each and every computing device on the planet, but likely added the final nail in the coffin of one of the FEW last great, and only redeeming, industries of the United States, our high tech industry centered mostly in Silicon Valley.
In Russia, you watch TV; in America, TV watches YOU
Ever have sex in front of the TV? Yeah, it not only knows, but recorded it and saved it deep in the NSA Utah Data Center, also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center, or some other secret NSA data center somewhere.
You, or your kids, ever run through the house naked past the TV or your laptop? Yeah, there are now naked pictures of you and/or your children on some data center somewhere waiting to be gone through, or worse, hacked and leaked onto the Internet or just simply traded by pedophile employees working at or who have access to the data at that data center. Remember, Snowden was just a contractor and the access he had to NSA was incredible. The sheer arrogance of what they have done is staggering.
What’s that, you say? Don’t think it can happen? Think that feature is turned “off”; you’re not worried about it; you got nothing to hide? hmmm. You so sure? NOTHING is secure. Let me repeat that…NOTHING! Try using that excuse if you were one of the celebrities that had your private naked photos stolen and leaked all over the internet from hacked Apple iCloud accounts last year in what was known as “The Fappening.”
In previous tech talk columns you might remember me recommending how to try regaining the little privacy you could nowadays. Trying to keep up with multiple scandals and revelations practically every week for going on nearly TWO YEARS now since Edward Snowden started releasing documents and revelations to the media starting in June 2013, is beyond overwhelming. Even I can’t keep up.
At this point we’ve heard about mass surveillance of private nude Webcam chats on Yahoo Chat and the storing of those, the NSA tapping international leaders’ phones including its own allies, mass cell phone metadata collection of U.S. citizens, spies pretending to be Facebook to infect computers, the direct involvement of major internet and tech companies including Facebook, among others, working directly with the government and law enforcement to give live and unfettered access to its customers’ actions thru Operation PRISM and ordered to lie about it and countless other programs.
Now, something even more frightening has been unveiled recently.
Be very, very afraid
Have no fear—or, rather, be very, very, very fearful—because two big new revelations show just how far the NSA will go to make sure it collects everything about everybody.
First up is not a leak from Snowden, actually, but a discovery from Moscow-based Kaspersky Lab, one of the most highly-regarded cybersecurity firms in the world. We’re now learning that America is the source of the greatest and most devious software exploitation (hacking) ever reported.
Kaspersky Lab revealed that the NSA has hacked virtually every hard drive on the planet (even including those in “airgap” mode, unconnected to any network, via hidden code on all USB thumb drives), and then embedded its code in the hard drive’s firmware so securely and covertly that even a disk-wipe won’t erase the spyware on the drive!
The NSA can access hard drives made by major U.S. manufacturers in computers in over 30 countries, including NATO allies, although Iran and Russia were the primary targets.
“The discovery … is significant because this omnipotent cyber espionage entity managed to stay under the radar for almost 15 years, if not more,” a spokesman for Kaspersky said. “Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown.” He went on to say, “There is zero chance that someone could rewrite the [hard drive] operating system using public information,” indicating that the NSA was given the sensitive code by manufacturers.
A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It’s possible they’re lying but it’s also possible that the NSA figured out other ways to get that information.
What can you do? A recent Motherboard article on vice.com put it this way: “The only way you can delete this NSA malware is to smash your hard drive to bits.” Others recommend you never plug a USB device, CD, nor any such thing into your computer. Ever! With some network admins literally plugging the security holes by filling all computer USB plugs with glue and removing CD drives.
NSA’s strategy could serve to severely hobble the American tech industry, the American economy and ultimately American jobs. This is an example of shortsighted leadership and military thinking. Revelations may impact the technology sector in the U.S. as institutions around the world seek non-U.S. alternatives.
SIM card hack
And that brings us to number two: your mobile phone's SIM card.
New Snowden documents reveal how the NSA and GCHQ (the British equivalent to NSA) were able to hack into Gemalto, the world’s largest manufacturer of mobile phone SIM security cards, in order to steal encryption keys.
Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. Gemalto also happens to make the security chips in US passports and most next-generation credit cards from Visa, MasterCard, American Express, JP Morgan, Chase, and Barclays…among other things.
With these stolen encryption keys, intelligence agencies can monitor cellular communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also alleviates the need to get a warrant or a wiretap, while leaving no trace on the cellular provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to decrypt any previously encrypted communications they had already intercepted, but did not yet have the ability to unlock.
“When the NSA and GCHQ compromised the security of potentially billions of phones,” Snowden wrote, “they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.”
“Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute.
Gemalto only learned about the five-year-old hack when a website focused on examining the Snowden documents called Gemalto up for a comment recently. “That doesn’t sound like they’re on top of things, and it certainly suggests they don’t have the in-house capability to detect and thwart sophisticated state-sponsored attacks,” says Christopher Soghoian, the chief technologist at the ACLU.
Gemalto tried to downplay the significance of NSA and GCHQ efforts against its mobile phone encryption keys — and, in the process, made erroneous statements about cellphone technology and sweeping claims about its own security that experts describe as highly questionable.
After the half-billion-dollar hit
The company was eager to make the case that its systems and encryption keys had not been massively compromised. At one point in stock trading after publication of the report, Gemalto suffered a half-billion-dollar hit. Its stock only partially recovered in the following days.
Matthew Green added, “This is an investigation that seems mainly designed to produce positive statements. It is not an investigation at all.”
“[A]lthough firmware exploitation is nasty,” Snowden responded, “it’s at least theoretically reparable: tools could plausibly be created to detect the bad firmware hashes and re-flash good ones. This isn’t the same for SIMs, which are flashed at the factory and never touched again.”
“We hear a great deal lately about the value of information sharing in cybersecurity,” Snowden said about the hack of Gemalto. “Well, here’s a case where NSA had information that the technology American citizens and companies rely on to protect their communications was not only vulnerable, but had in fact been compromised….[T]his is one more demonstration that proposals to require telecommunications providers and device manufacturers to build law enforcement backdoors in their products are a terrible, terrible idea. As security experts have rightly insisted all along, requiring companies to keep a repository of keys to unlock those backdoors makes the key repository itself a prime target for the most sophisticated attackers—like NSA and GCHQ.”
Cyber security conference
Which brings us to the 2015 Cybersecurity for a New America conference held February 23 in Washington D.C., at which Yahoo’s Chief Information Security Officer Alex Stamos stood up and squared off with NSA director Adm. Mike Rogers over cyber-spying and whether intelligence officials should have broad access to the products being developed by the nation's top technology firms.
At the event, NSA Director Adm. Mike Rogers called for a “legal framework” that would enable law enforcement and anti-terrorism officials to tap into encrypted communication between ordinary consumers—echoing a stance already laid out by other administration officials, including FBI Director James Comey and Attorney General Eric J. Holder.
Alex Stamos (AS): Thank you, Admiral. My name is Alex Stamos, I’m the CISO for Yahoo!. … So it sounds like you agree with Director Comey that we should be building defects into the encryption in our products so that the US government can decrypt…
Mike Rogers (MR): That would be your characterization. [laughing]
AS: No, I think Bruce Schneier and Ed Felten and all of the best public cryptographers in the world would agree that you can’t really build backdoors in crypto. That it’s like drilling a hole in the windshield.
AS: We’ll agree to disagree on that. So, if we’re going to build defects/backdoors or golden master keys for the US government, do you believe we should do so — we have about 1.3 billion users around the world — should we do for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give backdoors to?
MR: So, I’m not gonna… I mean, the way you framed the question isn’t designed to elicit a response.
AS: Well, do you believe we should build backdoors for other countries?
Technology executives as well as many cybersecurity experts argue there is no way to build in such “backdoors” without fundamentally undermining the security that protects online communications around the world. In response to recent revelations about government snooping, firms such as Apple and Google have designed their latest mobile software to make it impossible for the companies to turn over data from smartphones and tablet computers to police—even when authorities have a search warrant.
A couple things came to light at that conference:
That all the NSA phone metadata spying “HAS NOT and WILL NOT stop another terror attack like 9/11” but that they want the legal authority to collect and process even more information.
That the current authorization for all NSA spying measures recently brought to light by the Snowden leaks comes DIRECTLY out of the Patriot Act (Section 215), which is set to end this June, and from Obama’s recent Presidential Policy Directive 28 (PPD-28), issued by the White House when it failed to get CISPA/CISA/SOPA and numerous other similar proposed “cybersecurity” acts passed in Congress!
That the NSA, FBI and White House are demanding new “legal frameworks” (i.e., laws like CISPA) to allow them backdoor access into ALL private companies’ software, especially those using encryption! Congress is debating how to allow the NSA to spy on networks to screen for terrorist threats while still observing privacy and consumer rights. Lawmakers face extra pressure to pass a bill ahead of June, when the NSA loses its legal authority for domestic surveillance provided by Section 215 of the Patriot Act. Rogers said intelligence gathering would suffer without that spying authority, but the agency would find a way to continue its work depending on what lawmakers decide.
That the NSA works DIRECTLY with the FBI to spy on U.S. citizens, since legally the NSA cannot, but the FBI can!
That Rogers refused to comment (in this “open debate”) on either the NSA SIM card hack or the NSA hard drive firmware hack.
That Rogers admits that foreign countries (i.e., China, Russia, among others) ARE likely spying on U.S. citizens’ communications inside the U.S., in addition to the NSA.
That three U.S. companies stood up and complained to Rogers about already losing business internationally over fears and loss of faith in U.S. tech companies in light of recent NSA spying scandals, and asked what NSA could do to calm their clients’ fears and retain that business. Rogers acknowledged businesses have a “valid concern” about losing consumer trust, but said the government needs to be able to legally monitor encrypted private communications.