Friday, July 31, 2015

OpenStack 08/01/2015 (a.m.)

  • "The bill also allows the head of a federal agency or department “to disclose to the Secretary or a private entity providing assistance to the Secretary…information traveling to or from or stored on an agency information system, notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.”" Let's see: if your information is intercepted by the NSA and stored on its "information system" in Bluffdale, Utah, then it can be disclosed to the Secretary of DHS or any private entity providing him/her with assistance, "notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary." And if NSA just happens to be intercepting every digital bit of data generated or received in the entire world, including the U.S., then it's all in play, "notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.” Sheesh! Our government voyeurs never stop trying to get more nude pix and videos to view.

    Tags: no_tag

    • If anyone in the United States Senate had any doubts that the proposed Cyber Information Sharing Act (CISA) was universally hated by a range of civil society groups, a literal blizzard of faxes should’ve cleared up the issue by now.

      What’s not getting attention is a CISA “alternative” introduced last week by Sens. Mark Warner (D-Va) and Susan Collins (R-Me). Dubbed the “FISMA Reform Act,” the authors make the following claims about the bill: 

      This legislation would allow the Secretary of Homeland Security to operate intrusion detection and prevention capabilities on all federal agencies on the .gov domain.

      The bipartisan bill would also direct the Secretary of Homeland Security to conduct risk assessments of any network within the government domain.

      The bill would allow the Secretary of Homeland Security to operate defensive countermeasures on these networks once a cyber threat has been detected.

      The legislation would strengthen and streamline the authority Congress gave to DHS last year to issue binding operational directives to federal agencies, especially to respond to substantial cyber security threats in emergency circumstances.

    • The bill would require the Office of Management and Budget to report to Congress annually on the extent to which OMB has exercised its existing authority to enforce government wide cyber security standards.

      On the surface, it actually sounds like a rational response to the disastrous OPM hack. Unfortunately, the Warner-Collins bill has some vague or problematic language and non-existent definitions that make it potentially just as dangerous for data security and privacy as CISA.

      The bill would allow the Secretary of Homeland Security to carry out cyber security activities “in conjunction with other agencies and the private sector” [for] “assessing and fostering the development of information security technologies and capabilities for use across multiple agencies.”

      While the phrase “information sharing” is not present in this subsection, “security technologies and capabilities” is more than broad — and vague — enough to allow it.

    • The bill would also allow the secretary to “acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on agency information systems and deploy countermeasures with regard to the communications and system traffic.”
    • The bill also allows the head of a federal agency or department “to disclose to the Secretary or a private entity providing assistance to the Secretary…information traveling to or from or stored on an agency information system, notwithstanding any other law that would otherwise restrict or prevent agency heads from disclosing such information to the Secretary.” (Emphasis added.)

      So confidential, proprietary or other information otherwise precluded from disclosure under laws like HIPAA or the Privacy Act gets waived if the Secretary of DHS or an agency head feels that your email needs to be shared with a government contracted outfit like the Hacking Team for analysis. And the bill explicitly provides for just this kind of cyber threat analysis outsourcing:

    • (3) PRIVATE ENTITIES. — The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or information security services to acquire, intercept, retain, use, and disclose communications and other system traffic in accordance with this subsection.

      The bill further states that the content of your communications,

      will be retained only if the communication is associated with a known or reasonably suspected information security threat, and communications and system traffic will not be subject to the operation of a countermeasure unless associated with the threats. (Emphasis added.)

      “Reasonably suspected” is about as squishy a definition as one can find.


Posted from Diigo. The rest of Open Web group favorite links are here.

Thursday, July 30, 2015

OpenStack 07/30/2015 (p.m.)

  • Tags: surveillance state, Snowden, pardon, petition, Obama

    • The White House on Tuesday ended two years of ignoring a hugely popular whitehouse.gov petition calling for NSA whistleblower Edward Snowden to be “immediately issued a full, free, and absolute pardon,” saying thanks for signing, but no.

      “We live in a dangerous world,” Lisa Monaco, President Obama’s adviser on homeland security and terrorism, said in a statement.

      More than 167,000 people signed the petition, which surpassed the 100,000 signatures that the White House’s “We the People” website said would garner a guaranteed response on June 24, 2013.

      In Tuesday’s response, the White House acknowledged that “This is an issue that many Americans feel strongly about.”

    • Monaco then explained her position: “Instead of constructively addressing these issues, Mr. Snowden’s dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it.”

      Snowden didn’t actually disclose any classified information — news organizations including the Guardian, Washington Post, New York Times and The Intercept did the disclosing. And the Obama administration has yet to specify any “severe consequences” that can be independently confirmed.

    • The Snowden response was one of 20 responses to what the White House called “our We the People backlog.” The White House had been criticized for avoiding uncomfortable topics despite their popular support.

      On Twitter, the responses to the Snowden response, some from signers of the petition, were highly critica

  • NSA and crew decide to delay and try later with CISA. The Internet strikes back again.

    Tags: surveillance state, CISA, legislation, digital-privacy

    • Senate Majority Whip John Cornyn (R-Texas) on Tuesday said the upper chamber is unlikely to move on a stalled cybersecurity bill before the August recess.

      Senate Republican leaders, including Cornyn, had been angling to get the bill — known as the Cybersecurity Information Sharing Act (CISA) — to the floor this month.

      But Cornyn said that there is simply too much of a time crunch in the remaining legislative days to get to the measure, intended to boost the public-private exchange of data on hackers.

      “I’m sad to say I don’t think that’s going to happen,” he told reporters off the Senate floor. “The timing of this is unfortunate.”

      “I think we’re just running out time,” he added.

      An aide for Senate Majority Leader Mitch McConnell (R-Ky.) said he had not committed to a specific schedule after the upper chamber wraps up work in the coming days on a highway funding bill.

      Cornyn said Senate leadership will look to move on the bill sometime after the legislature returns in September from its month-long break.

    • The move would delay yet again what’s expected to be a bruising floor fight about government surveillance and digital privacy rights.

      “[CISA] needs a lot of work,” Sen. Patrick Leahy (D-Vt.), who currently opposes the bill, told The Hill on Tuesday. “And when it comes up, there’s going to have to be a lot of amendments otherwise it won’t pass.”

      Despite industry support, broad bipartisan backing, and potentially even White House support, CISA has been mired in the Senate for months over privacy concerns.

      Civil liberties advocates worry the bill would create another venue for the government’s intelligence wing to collect sensitive data on Americans only months after Congress voted to rein in surveillance powers.

      But industry groups and many lawmakers insist a bolstered data exchange is necessary to better understand and counter the growing cyber threat. Inaction will leave government and commercial networks exposed to increasingly dangerous hackers, they say.

      Sen. Ron Wyden (D-Ore.), who has been leading the chorus opposing the bill, rejoiced Tuesday after hearing of the likely delay.

    • “I really want to commend the advocates for the tremendous grassroots effort to highlight the fact that this bill was badly flawed from a privacy standpoint,” he told The Hill.

      Digital rights and privacy groups are blanketing senators’ offices this week with faxes and letters in an attempt to raise awareness of the bill’s flaws.

      “Our side has picked up an enormous amount of support,” Wyden said.

      Wyden was the only senator to vote against CISA in the Senate Intelligence Committee. The panel approved the measure in March by a 14-1 vote and it looked like CISA was barrelling toward the Senate floor.

      After the House easily passed its companion pieces of legislation, CISA’s odds only seemed better.

      But the measure got tied up in the vicious debate over the National Security Agency's (NSA) spying powers that played out throughout April and May.

      “It’s like a number of these issues, in the committee the vote was 14-1, everyone says, ‘oh, Ron Wyden opposes another bipartisan bill,’” Wyden said Tuesday. “And I said, ‘People are going to see that this is a badly flawed bill.’”

    • CISA backers hoped that the ultimate vote to curb the NSA’s surveillance authority might quell some of the privacy fears surrounding CISA, clearing a path to passage. But numerous budget debates and the Iranian nuclear deal have chewed up much of the Senate’s floor time throughout June and July.

      Following the devastating hacks at the Office of Personnel Management (OPM), Senate Republican leaders tried to jump CISA in the congressional queue by offering its language as an amendment to a defense authorization bill.

      Democrats — including the bill’s original co-sponsor Sen. Dianne Feinstein (D-Calif.) — revolted, angry they could not offer amendments to CISA’s language before it was attached to the defense bill.

      Cornyn on Tuesday chastised Democrats for stalling a bill that many of them favor.

      “As you know, Senate Democrats blocked that before on the defense authorization bill,” Cornyn said. “So we had an opportunity to do it then.”

      Now it’s unclear when the Senate will have another opportunity.

      When it does, however, CISA could have the votes to get through.

    • There will be vocal opposition from senators like Wyden and Leahy, and potentially from anti-surveillance advocates like Sens. Rand Paul (R-Ky.), Mike Lee (R-Utah) and Dean Heller (R-Nev.).

      But finding 40 votes to block the bill completely will be a difficult task.

      Wyden said he wouldn’t “get into speculation” about whether he could gather the support to stop CISA altogether.

      “I’m pleased about the progress that we’ve made,” he said.



Wednesday, July 29, 2015

Tuesday, July 28, 2015

OpenStack 07/29/2015 (a.m.)

  • Tags: surveillance state, legislation, CISA, digital-privacy

    • OPERATION: Fax Big Brother

      Congress is rushing toward a vote on CISA, the worst spying bill yet. CISA would grant sweeping legal immunity to giant companies like Facebook and Google, allowing them to do almost anything they want with your data. In exchange, they'll share even more of your personal information with the government, all in the name of "cybersecurity." CISA won't stop hackers — Congress is stuck in 1984 and doesn't understand modern technology. So this week we're sending them thousands of faxes — technology that is hopefully old enough for them to understand.

      Stop CISA. Send a fax now!

    • (Any tweet w/ #faxbigbrother will get faxed too!)

      Your email is only shown in your fax to Congress. We won't add you to any mailing lists.

    • CISA: the dirty deal between government and corporate giants.

      It's the dirty deal that lets much of government from the NSA to local police get your private data from your favorite websites and lets them use it without due process.

      The government is proposing a massive bribe—they will give corporations immunity for breaking virtually any law if they do so while providing the NSA, DHS, DEA, and local police surveillance access to everyone's data in exchange for getting away with crimes, like fraud, money laundering, or illegal wiretapping.

      Specifically it incentivizes companies to automatically and simultaneously transfer your data to the DHS, NSA, FBI, and local police with all of your personally-identifying information by giving companies legal immunity (notwithstanding any law), and on top of that, you can't use the Freedom of Information Act to find out what has been shared.

    • The NSA and members of Congress want to pass a "cybersecurity" bill so badly, they’re using the recent hack of the Office of Personnel Management as justification for bringing CISA back up and rushing it through. In reality, the OPM hack just shows that the government has not been a good steward of sensitive data and they need to institute real security measures to fix their problems. The truth is that CISA could not have prevented the OPM hack, and no Senator could explain how it could have. Congress and the NSA are using irrational hysteria to turn the Internet into a place where the government has overly broad, unchecked powers.

      Why Faxes?

      Since 2012, online and civil liberties groups and 30,000+ sites have driven more than 2.6 million emails and hundreds of thousands of calls, tweets and more to Congress opposing overly broad cybersecurity legislation. Congress has tried to pass CISA in one form or another 4 times, and they were beaten back every time by people like you. It's clear Congress is completely out of touch with modern technology, so this week, as Congress rushes toward a vote on CISA, we are going to send them thousands of faxes, a technology from the 1980s that is hopefully antiquated enough for them to understand.

      Sending a fax is super easy — you can use this page to send a fax. Any tweet with the hashtag #faxbigbrother will get turned into a fax to Congress too, so what are you waiting for? Click here to send a fax now!

  • Tags: surveillance state, telephone-metadata, purge, pending-litigation

    • Four months from now, at the same time that the National Security Agency finally abandons the massive domestic telephone dragnet exposed by whistleblower Edward Snowden, it will also stop perusing the vast archive of data collected by the program.

      The NSA announced on Monday that it will expunge all the telephone metadata it previously swept up, citing Section 215 of the U.S.A Patriot Act.

      The program was ruled illegal by a federal appeals court in May. In June, Congress voted to end the program, but gave the NSA until the end of November to phase it out.

      The historical metadata — records of American phone calls showing who called who, when, and for how long — will be put out of the reach of analysts on November 29, although technical personnel will have access for three more months. The program started 14 years ago, and operated under rules requiring data be retained for five years, and then destroyed.

    • The only possible hold-up, ironically, would be if any of the civil lawsuits prompted by the program prohibit the destruction of the data.

      “The telephony metadata” will be “preserved solely because of preservation obligations in pending civil litigation,” the Office of the Director of National Intelligence announced. “As soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.”

      ACLU staff attorney Alex Abdo told The Intercept his organization is “pleased that the NSA intends to purge the call records it has collected illegally.” But, he added: “Even with today’s pledge, the devil may be in the details.”



OpenStack 07/28/2015 (p.m.)



Monday, July 20, 2015

OpenStack 07/21/2015 (a.m.)

  • The Dark State takes another hit.

    Tags: surveillance state, GCHQ, UK, litigation

    • UK's High Court found the rushed Data Retention and Investigatory Powers Act (DRIPA) to be illegal under the European Convention on Human Rights and EU Charter of Fundamental Rights, both of which require respect for private and family life, as well as protection of personal data in the case of the latter.

      DRIPA was challenged by two members of Parliament (MPs), Labour's Tom Watson and the Conservative David Davis, who argued that the surveillance of communications wasn't limited to serious crimes, that individual notices for data collection were kept secret, and that no provision existed to protect those who need professional confidentiality, such as lawyers and journalists.

      DRIPA was pushed through in three days last year after the European Court of Justice ruled that the EU data retention powers were disproportionate, which invalidated the previous data retention law in the UK.

      The UK High Court also ruled that sections 1 and 2 of DRIPA were unlawful based on the fact that they fail to provide precise policies to ensure that data is only accessed for the purpose of investigating serious crimes. Another major point against DRIPA was that it didn't require judicial approval, which could limit access to only the data that is strictly necessary for investigations.

    • DRIPA passed in only three days, but the Court allowed it to continue for another nine months, to give the UK government enough time to draft new legislation. Although this almost doubles the time in which this law will exist, it might be better in the long term, as it gives the members of Parliament enough time to debate its successor, without having to rush yet another law fearing that the government's surveillance powers will expire.

      This court ruling arrived at the right time, as the UK government is currently preparing the draft for the Investigative Powers Bill (also called Snooper's Charter by many), which further expands the government's surveillance powers and may even request encryption backdoors. It also joins other recent reviews of the government's surveillance laws that called for much stricter oversight done by judges rather than the government's own members.

      "Campaigners, MPs across the political spectrum, the Government's own reviewer of terrorism legislation are all calling for judicial oversight and clearer safeguards," said James Welch, Legal Director for Liberty, a human rights organization.



Friday, July 10, 2015

OpenStack 07/11/2015 (a.m.)

  • Tags: surveillance state, NSA, tracking-cookies, browsers, XKeyscore

    • The Intercept published an expose on the NSA's XKeyscore program. Along with information on the breadth and scale of the NSA's metadata collection, The Intercept revealed how the NSA relies on unencrypted cookie data to identify users. As The Intercept says:

      "The NSA’s ability to piggyback off of private companies’ tracking of their own users is a vital instrument that allows the agency to trace the data it collects to individual users. It makes no difference if visitors switch to public Wi-Fi networks or connect to VPNs to change their IP addresses: the tracking cookie will follow them around as long as they are using the same web browser and fail to clear their cookies."

      The NSA slides released by The Intercept give detailed guides to understanding the data transmitted by these cookies, as well as how to find unique machine identifiers that analysts can use to differentiate between multiple machines using the same IP address. We've written before about how spy agencies piggyback on social media account data to find Internet users' names or other identifying info, and these slides drive home the point that HTTP cookies leave users vulnerable to government surveillance, since any intermediary (or spy agency) can read the sensitive data they contain.

    • Worse yet, most of the time these identifying cookies come from third-party sources on webpages, and users have no meaningful way to opt out of receiving them (short of blocking all third party cookies) since advertisers (the main server of these types of cookies) refuse to honor the Do Not Track header.

      Browser makers could help address this sort of non-consensual tracking by both advertisers and the NSA with some simple technical changes—changes that have been shown to reduce the number of third party cookies received by 67%. So far, though, they've been unwilling to build privacy protecting features in by default. Until they do, the best way for users to protect themselves is by installing a privacy protecting app like Privacy Badger, which is designed to block these types of uniquely identifying tracking cookies, or HTTPS Everywhere to block the transmission of HTTP cookies.
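The tracking described above (identifying cookies set by third parties, readable by any intermediary when they travel over plain HTTP, and following the user across IP changes) is exactly what a browser privacy tool has to recognise. The following is an added example, not code from the EFF, Privacy Badger or HTTPS Everywhere: a simplified heuristic in Python that, given observations of which subresource responses set cookies while a page loaded, flags third-party cookies whose values look like unique identifiers, records whether they are exposed in cleartext, and names a domain a tracker once it has set such cookies on three unrelated first-party sites. The sample observations, the three-site threshold, the entropy cutoff and the two-label "registrable domain" rule are all assumptions of this example.

```python
"""Heuristic third-party tracking-cookie detector (added example).

For every subresource a page loads, check whether the response sets a
cookie that is (a) from a third-party origin, (b) an opaque high-entropy
value that can serve as a user identifier, and (c) visible on the wire
because it was delivered over plain HTTP or lacks the Secure attribute.
A third party doing this across several unrelated sites is a tracker.
The thresholds below are assumptions of this example, not any extension's rules.
"""
import math
from collections import defaultdict
from urllib.parse import urlparse

TRACKING_SITE_THRESHOLD = 3     # assumed: distinct first-party sites before flagging
ENTROPY_BITS_THRESHOLD = 3.0    # assumed: bits/char above which a value looks like an ID
MIN_ID_LENGTH = 8               # assumed: shorter values are treated as preferences


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real code would use the public-suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of a cookie value."""
    if not value:
        return 0.0
    counts = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_identifier(value: str) -> bool:
    return len(value) >= MIN_ID_LENGTH and shannon_entropy(value) >= ENTROPY_BITS_THRESHOLD


def classify_response(page_url: str, resource_url: str, set_cookie: str) -> dict:
    """Classify one Set-Cookie header observed while loading page_url."""
    page_host = urlparse(page_url).hostname or ""
    res = urlparse(resource_url)
    res_host = res.hostname or ""
    name, value, attrs = parse_set_cookie(set_cookie)
    # Without Secure the browser will echo the cookie on later http:// requests,
    # so a passive intermediary can read it even if this response was https.
    return {
        "first_party": registrable_domain(page_host),
        "cookie_domain": registrable_domain(res_host),
        "name": name,
        "third_party": registrable_domain(page_host) != registrable_domain(res_host),
        "identifier": looks_like_identifier(value),
        "cleartext_exposed": res.scheme == "http" or "secure" not in attrs,
    }


def find_trackers(observations):
    """observations: iterable of (page_url, resource_url, set_cookie_header).
    Returns the third-party domains that set identifier cookies on at least
    TRACKING_SITE_THRESHOLD distinct first-party sites."""
    sites_by_domain = defaultdict(set)
    for page_url, resource_url, header in observations:
        c = classify_response(page_url, resource_url, header)
        if c["third_party"] and c["identifier"]:
            sites_by_domain[c["cookie_domain"]].add(c["first_party"])
    return {d for d, sites in sites_by_domain.items() if len(sites) >= TRACKING_SITE_THRESHOLD}


# Constructed sample observations (not real traffic): one ad network sets the
# same opaque ID cookie on three unrelated sites over http://.
SAMPLE_OBSERVATIONS = [
    ("http://news.example", "http://ads.tracker-example.net/pixel.gif",
     "uid=8f3a9c1e2b7d4e5fa6c0b1d2e3f4a5b6; Path=/; Expires=Fri, 31 Jul 2016 00:00:00 GMT"),
    ("http://shop.example", "http://ads.tracker-example.net/pixel.gif",
     "uid=8f3a9c1e2b7d4e5fa6c0b1d2e3f4a5b6; Path=/"),
    ("http://blog.example", "http://ads.tracker-example.net/pixel.gif",
     "uid=8f3a9c1e2b7d4e5fa6c0b1d2e3f4a5b6; Path=/"),
    # First-party session cookie over HTTPS with Secure: identifier, but not exposed.
    ("https://shop.example", "https://shop.example/login",
     "session=c2Vzc2lvbi10b2tlbi0xMjM0NTY3ODkw; Secure; HttpOnly; Path=/"),
    # Third-party, low-entropy preference cookie: not an identifier.
    ("http://news.example", "http://cdn.widgets-example.org/w.js", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        print(classify_response(*obs))
    print("trackers:", find_trackers(SAMPLE_OBSERVATIONS))
```

The `cleartext_exposed` flag is the part that matters for the passage's point about passive collection: the same cookie delivered with `Secure` over HTTPS still identifies the user to the site, but not to whoever is watching the wire.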



Wednesday, July 08, 2015

OpenStack 07/09/2015 (a.m.)



OpenStack 07/08/2015 (p.m.)

  • Our system of government does not expect that every criminal will be apprehended and convicted. There are numerous values our society believes are more important. Some examples: [i] a presumption of innocence unless guilt is established beyond any reasonable doubt; [ii] the requirement that government officials convince a neutral magistrate that they have probable cause to believe that a search or seizure will produce evidence of a crime; [iii] many communications cannot be compelled to be disclosed and used in evidence, such as attorney-client communications, spousal communications, and priest-penitent communications; and [iv] etc. Moral of my story: the government needs a much stronger reason to justify interception of communications than saying, "some crooks will escape prosecution if we can't do that." We have a right to whisper to each other, concealing our communications from all others. Why does the right to whisper privately disappear if our whisperings are done electronically? The Supreme Court took its first step on a very slippery slope when it permitted wiretapping in Olmstead v. United States, 277 U.S. 438, 48 S. Ct. 564, 72 L. Ed. 944 (1928). https://goo.gl/LaZGHt It's been a long slide ever since. It's past time to revisit Olmstead and recognize that American citizens have the absolute right to communicate privately. "The President … recognizes that U.S. citizens and institutions should have a reasonable expectation of privacy from foreign or domestic intercept when using the public telephone system." — Brent Scowcroft, U.S. National Security Advisor, National Security Decision Memorandum 338 (1 September 1976) (Nixon administration), http://www.fas.org/irp/offdocs/nsdm-ford/nsdm-338.pdf

    Tags: encryption, government-backdoors, expert-report

    • An elite group of security technologists has concluded that the American and British governments cannot demand special access to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.

      A new paper from the group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, is a formidable salvo in a skirmish between intelligence and law enforcement leaders, and technologists and privacy advocates. After Edward J. Snowden’s revelations — with security breaches and awareness of nation-state surveillance at a record high and data moving online at breakneck speeds — encryption has emerged as a major issue in the debate over privacy rights.

    • That has put Silicon Valley at the center of a tug of war. Technology companies including Apple, Microsoft and Google have been moving to encrypt more of their corporate and customer data after learning that the National Security Agency and its counterparts were siphoning off digital communications and hacking into corporate data centers.
    • Yet law enforcement and intelligence agency leaders argue that such efforts thwart their ability to monitor kidnappers, terrorists and other adversaries. In Britain, Prime Minister David Cameron threatened to ban encrypted messages altogether. In the United States, Michael S. Rogers, the director of the N.S.A., proposed that technology companies be required to create a digital key to unlock encrypted data, but to divide the key into pieces and secure it so that no one person or government agency could use it alone.

      The encryption debate has left both sides bitterly divided and in fighting mode. The group of cryptographers deliberately issued its report a day before James B. Comey Jr., the director of the Federal Bureau of Investigation, and Sally Quillian Yates, the deputy attorney general at the Justice Department, are scheduled to testify before the Senate Judiciary Committee on the concerns that they and other government agencies have that encryption technologies will prevent them from effectively doing their jobs.

    • The new paper is the first in-depth technical analysis of government proposals by leading cryptographers and security thinkers, including Whitfield Diffie, a pioneer of public key cryptography, and Ronald L. Rivest, the “R” in the widely used RSA public cryptography algorithm. In the report, the group said any effort to give the government “exceptional access” to encrypted communications was technically unfeasible and would leave confidential data and critical infrastructure like banks and the power grid at risk.

      Handing governments a key to encrypted communications would also require an extraordinary degree of trust. With government agency breaches now the norm — most recently at the United States Office of Personnel Management, the State Department and the White House — the security specialists said authorities could not be trusted to keep such keys safe from hackers and criminals. They added that if the United States and Britain mandated backdoor keys to communications, China and other governments in foreign markets would be spurred to do the same.
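The Rogers proposal reported above is a threshold split of a key, and the report's objection is that the key still has to be reassembled, and then guarded, somewhere. The following is an added example, not code from the report or its authors: a Python implementation of Shamir's k-of-n secret sharing over a prime field (the choice of Shamir's scheme is an assumption of this example; the proposal as reported names none), plus a helper that shows what an escrow agent ends up holding once k custodians cooperate. Key sizes and thresholds are constructed sample values.

```python
"""k-of-n secret sharing of a symmetric key (added example, not the report's code).

Any k of the n shares reconstruct the key; k-1 shares are consistent with every
possible key and so reveal nothing. Reconstruction, however, puts the complete
key in one place, which is the point the cryptographers' report makes.
"""
import secrets

P = 2**521 - 1   # Mersenne prime; any key of up to 512 bits is < P


def split_secret(secret: int, k: int, n: int, rng=secrets.randbelow):
    """Shamir split: n points (x, f(x)) on a random degree-(k-1) polynomial
    over GF(P) whose constant term is the secret."""
    if not (0 <= secret < P and 1 <= k <= n):
        raise ValueError("secret outside field or bad threshold")
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(P); correct only with >= k shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # den^-1 by Fermat
    return total


def split_key(key: bytes, k: int, n: int, rng=secrets.randbelow):
    """Convenience wrapper for a raw symmetric key."""
    return split_secret(int.from_bytes(key, "big"), k, n, rng)


def escrow_unlock(shares, key_len: int) -> bytes:
    """What the escrow agent holds once k custodians cooperate: the entire key,
    in the clear, in one process. Splitting protects the key at rest, not in use."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample: a random 256-bit key
    shares = split_key(key, k=3, n=5)
    print("3 of 5 shares recover the key:", escrow_unlock(shares[:3], 32) == key)
    print("2 of 5 shares recover the key:", escrow_unlock(shares[:2], 32) == key)
```

The scheme does what the proposal asks of it: no single custodian can use the key. What it cannot do is make the reassembled key, the code path that reassembles it, or the people who operate that path any more trustworthy than an ordinary key store, which is the trust problem the report describes.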

    • “Such access will open doors through which criminals and malicious nation-states can attack the very individuals law enforcement seeks to defend,” the report said. “The costs would be substantial, the damage to innovation severe and the consequences to economic growth hard to predict. The costs to the developed countries’ soft power and to our moral authority would also be considerable.”
