Notes from the Field | Robert X. Cringely® » TAG: The War on Terror

June 23, 2008 | Comments: (0)

Uncle Spy Wants You

Last week the House of Representatives passed a "compromise" amendment to the Foreign Intelligence Surveillance Act, though it sounds like the only things that have been compromised are our Constitutional rights. Now the Senate is poised to do the same.

Unfortunately, the FISA Amendments Act of 2008 adds little to existing FISA laws save for one very big thing: immunity for telecoms that violated FISA laws on orders from the White House. Essentially, all Ma Bell and her bastard offspring need to do is present a note that says Uncle Sam made them do it, and the 40-odd lawsuits pending against them vanish.

This rewards companies like AT&T and Verizon that failed to stand up to orders of questionable legality, while punishing companies like Qwest who declined the government's requests. Imagine the cojones it took to say no to the NSA. What are the odds anyone's likely to do that again?

Remember, three Bush appointees -- attorney general John Ashcroft, deputy AG James Comey, and FBI head Robert Mueller -- threatened to resign over this program. So this is clearly not a matter of the NSA forgetting to pick up a few subpoenas on the way home from the grocery store. This was something no one had seen before.

But what exactly was it? The worst thing about the immunity provision is that it closes the door on discovery. We will likely never find out what information the NSA sought, what it found, and what that data was used for. That's a problem.

It's very likely the spooks were involved in a massive data mining operation that involved data from millions of innocent non-terrorist law-abiding Americans. Think I'm being paranoid? Here's what USA Today revealed in May 2006:

The National Security Agency has been secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth, people with direct knowledge of the arrangement told USA TODAY.

The NSA program reaches into homes and businesses across the nation by amassing information about the calls of ordinary Americans — most of whom aren't suspected of any crime. This program does not involve the NSA listening to or recording conversations. But the spy agency is using the data to analyze calling patterns in an effort to detect terrorist activity, sources said in separate interviews.

In other words, they're attempting to create a profile of terrorists, and the only way to do that is to profile a whole lot of non-terrorists. And if they happen to catch anyone doing anything else borderline illegal along the way, they can pick and choose whom they want to prosecute. Why should China and Russia have all the fun?

I'm all for hunting down and ferreting out the bad guys, but I draw the line at spying on ordinary Americans. I'm happy to stand in line at the airport or the baseball stadium and have them look through my bags, even though I know it's mostly Security Theater. My phone calls, emails, and Web surfing are another story. If I'm a suspect and you've got a warrant, fine, spy on me. Otherwise, I'd like to be left alone. Is that unreasonable?

Should the telecoms get off scot-free? Post your thoughts below or email me directly: cringe (at) infoworld (dot) com. And try not to say anything too unAmerican -- you know who is probably watching.


Posted by Robert X. Cringely on June 23, 2008 09:10 AM



February 27, 2008 | Comments: (0)

Watch your privates; readers talk back

Here in Cringeville I've spent a lot of time lately nattering on about privacy, warrantless spying, unprovoked searches of personal electronics, and whether that IP address you're using to read this blog belongs to you, your ISP, Uncle Sam or Google.

I thought it might be nice to let the Cringesters take over the megaphone for a while. The first response from reader D. W. is a classic (edited for length and literacy):

When was the last time you had your picture taken by a surveillance camera? I bet it was yesterday when you stopped at the bank, had a cup of coffee at the corner coffee shop, or at the grocery store last night.... Privacy does not exist. It is an illusion.

My response to this is... Terrific. Now please take off your clothes. Because the odds are good that even if you did get caught on the cctv cams, you were wearing something. And you had your wallet in your pocket. And that camera doesn't know your social security number, home address, or what you searched for on Google last night. Not that surveillance cams don't intrude on your privacy or aren't abused, but the notion that since I'm being photographed I give up the rest of my rights is a tad too Orwellian for my tastes.

Meanwhile, back at reader ranch, my rant about Google and IP addresses brought forth this well-reasoned response from an anonymous Cringester:

If you don't want Google to know who you are... then don't ask them for information. It's as simple as that. For some reason, people want to use the Internet, but they don't want the Internet to know they are using it. This is absurd. Either you are comfortable with the Internet, or you're not. You can't rely on it and use it and, at the same time, try to tear down the very fabric by which it has blossomed in the first place.

Seems a bit harsh to me, frankly. Even if I can't have my cake and eat it too, can't I nibble a bit at the crumbs? Do I have to give up everything just to search for video clips of Lindsay Lohan? Isn't viewing all those Google ads enough?

Many many readers talked about the need -- even inevitability -- of encryption as a response to search engine and/or government nosiness. Reader T. G. writes:

When browsing the Internet in standard mode ... nobody should have any expectation of privacy. It’s like sending a postcard.... When you use a secure connection using SSL, it's like putting your letter in an envelope. In this mode you should have a complete expectation of privacy. If a search engine followed the simple plan of [SSL] connections as absolutely private, I (and probably you) would use it if privacy was warranted.

Then again, what do we mean by "privacy"? What you and I think of as private information doesn't necessarily jibe with what your ISP, the RIAA, Uncle Sam, or reader D. W. thinks is private. Cringeman J. B. writes:

The real problem is that we're in limbo, and nobody with the cash to muster the legal battles is working to define what "personal information" and "privacy" mean on the internet.... Seems to me like we need to figure out just how personally identifiable IP address data is. Can you or your readers produce compelling evidence, one way or the other, so we geeks can rise up with more than rhetoric and demand some standardization?

How about it, readers and fellow geeks? Can we solve this problem for Google et al? Post your suggestions below or email them to me here. Top submitters get to run for president--err, qualify for cool Cringe swag. (Which may be better than running for president.)


Posted by Robert X. Cringely on February 27, 2008 05:46 AM



February 13, 2008 | Comments: (0)

Borderline illegal: Your laptop is not your own

Planning to travel out of the country? Maybe you want to think twice about bringing your laptop, your cell phone, or even that iPod. (And if you're of Asian or Middle Eastern descent, that goes double.)

Last week, the Washington Post ran a story detailing the electronic abuses international travelers have suffered at the U.S. border. (Infoworld's Ed Foster has also blogged about this topic.) Travelers are being asked to open up their laptops, hand over their passwords, and let customs agents have their way with their hard drives -- sometimes copying the contents onto another device or even confiscating the machine outright. Some folks report receiving the same treatment for their BlackBerrys and cell phones.

U.S. customs sees your laptop as no different than your suitcase, only instead of pawing through your socks and boxers, it gets to rifle through your e-mail, documents, photographs, and Web surfing histories. You say your laptop holds confidential business information, sensitive medical data, or the secret sauce that will make your company billions? Tough luck. It's all just socks and underwear to the Feds.

As security wonk and former federal prosecutor Mark Rasch notes, the dangers from this kind of digital body cavity search are far reaching:

Your kid can be arrested because they can't prove the songs they downloaded to their iPod were legally downloaded... Lawyers run the risk of exposing sensitive information about their client. Trade secrets can be exposed to customs agents with no limit on what they can do with it. Journalists can expose sources, all because they have the audacity to cross an invisible line.

What are they looking for? Good question. So far, the Department of Homeland Security has ignored the Freedom of Information Act requests asking it to clarify its policies. Nor will it reveal its criteria for whose gear gets the full monty, though Asian and Arab individuals appear to be singled out with greater frequency.

Last week, the Electronic Freedom Foundation and the Asian Law Center filed suit, demanding to know the how and why of U.S. customs searches and what happens to the data that's confiscated. Meanwhile, some corporations have ordered employees to avoid taking confidential data with them when they travel across borders.

In a related case, a Canadian man who's a legal U.S. resident has been accused of carrying child porn after customs officials found files with suspicious names on his laptop. By the time police arrested Sebastian Boucher, he'd encrypted his data using PGP. The government demanded he turn over his private key to unlock the data; Boucher refused, and so far the courts have upheld his Fifth Amendment right against self-incrimination. That case is under appeal, and no matter which way it ultimately goes, it's going to have major ramifications for all of us.

Encryption can be used to mask criminal activity. At the same time, it can also be used legitimately to protect the very things being put at risk by overzealous customs agents, like sensitive corporate or personal data. Suddenly, I'm having a flashback to the 1990s debate over the Clipper chip and whether intelligence agencies should be able to have a "backdoor" to access encrypted information.

To me, it all boils down to this: what do you trust more, the U.S. Constitution or the U.S. government? When in doubt, I tend to side with the founding fathers. At a time when "national security" was far more tenuous than it is today, they enacted far-reaching laws that put the rights of individuals on at least a par with the rights of the state.

What do you think? Are customs officials right to have free rein over people's gear? Does encryption trump the Fifth Amendment? Post your responses below or e-mail them to me here. (And please, no name calling, OK?)

Posted by Robert X. Cringely on February 13, 2008 05:27 AM



November 14, 2007 | Comments: (0)

My Nosy Uncle

I've got this Uncle with a problem. He can't keep his nose out of my business. My email, my web surfing – for all I know he's into my Quicken files, my Netflix queue and my Amazon account. Worse, he thinks it's perfectly justified and I should just get over it.

My Uncle is also your Uncle, and his name is Sam. In a speech last month [PDF], the nation's #2 spook -- Deputy Director of National Intelligence Donald M. Kerr -- staked a claim to all of your Internet records.

Kerr's pedigree: He runs our nation's satellite spy program, has worked for both the CIA and the FBI, and also at Science Applications International Corp. Among other things, SAIC is hired by the Feds to scan the Web looking for 'hostile' sites. So he has some experience in scooping up your Internet breadcrumbs.

Kerr believes anonymity is impossible. (He's wrong, of course. Anonymity is just difficult, especially when the spooks are secretly sniffing the bitstream at the backbone, but it's not impossible.)

Too often, privacy has been equated with anonymity; and it’s an idea that is deeply rooted in American culture. The Lone Ranger wore a mask but Tonto didn’t seem to need one even though he did the dirty work for free. You’d think he would probably need one even more. But in our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past.

Then again, maybe it's because the Lone Ranger and Tonto only had one mask between them. Kerr's solution apparently is for the Lone Ranger to take his off. I say give Tonto another mask, kemosabe.

Kerr also gives hints about the depth of data mining the US government engages in.

Anonymity results from a lack of identifying features. Nowadays, when so much correlated data is collected and available – and I’m just talking about profiles on MySpace, Facebook, YouTube here – the set of identifiable features has grown beyond where most of us can comprehend.

No, you're not paranoid. Yes, they really are creating dossiers by correlating information across social networking sites. Better scrub that "I (heart) Osama" jpeg from your MySpace page.

To his credit, Kerr talks a lot about protecting privacy, even if anonymity is lost. But his approach to privacy is like Godzilla's approach to Tokyo -- destroy it first, and let other folks rebuild it later.

... privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured.

And here's the real howler (which I've truncated slightly):

Today... I’m willing to call up... share my credit card number and expiration date with a person I have never seen, have no idea whether they’ve been vetted or not.... at the FBI, I also had electronic surveillance as part of my responsibility. And people were very concerned that the ability to intercept emails was coming into play. ... they were saying, well, we just can’t have federal employees able to touch our message traffic. ... for that federal employee, it was a felony to misuse the data – it was punishable by five years in jail and a $100,000 fine...but they were perfectly willing for a green-card holder at an ISP who may or may not have been an illegal entrant to the United States to handle their data.

Bet you didn't know that AT&T, Comcast, and Roadrunner employ thousands of undocumented aliens to pore over your email, did you? They find them at freeway onramps holding signs saying "Will spy for food."

Kerr's point isn't exactly clear. Is it that if we hand our information over to our ISP, we should be happy to give it to our Uncle? Or that we're better off letting the government spy on us, because if they do anything really nasty an Inspector General will issue a report condemning it five years later? Either way, he's saying 'your data is also our data.'

Ryan Singel has a fine piece for Wired.com detailing what your Uncle can do with this information that your friendly neighborhood ISP can't, so I won't go into it here.

Of course, when it comes to its own matters, the Bush administration is a fierce advocate for privacy. A half dozen Congressional committees are still trying to obtain copies of White House emails – and, unlike the NSA tapping into AT&T's net backbone, they actually do have a subpoena.

(To quote former AT&T tech turned whistleblower Mark Klein's testimony to a Senate committee: “These installations only make sense if they’re doing a huge, massive domestic dragnet on everybody in the United States.”)

The counter argument is that terrorism trumps everything. But I don't buy that. There's always an 'ism.' Before terrorism there was communism. Before communism there was anti-Americanism and generic xenophobia. Somebody always has a reason for Americans to give up their rights to be "secure in their persons, houses, papers, and effects," to quote some crumbling document. (What was it again? Oh, right, the US Constitution.) But it's never been a good enough one. And it still isn't.

Got a different opinion? Weigh in below or email it to me here. But remember that your Uncle will be reading it, so please try to keep it clean.

Posted by Robert X. Cringely on November 14, 2007 06:15 AM



November 07, 2007 | Comments: (0)

The e-Jihadists are coming, the e-Jihadists are coming!

Stop me if you've heard this one: The Internet arm of Al Qaeda is targeting 15 anti-Islamist sites on November 11, urging its followers to download the new point-and-click Electronic Jihad 2.0 software and start their attacks. (Actually, you might have heard about it in my blog last week.)

Despite the software's silly name, I was curious whether this might be something worth worrying about. So I did a little more digging. The software is real -- in fact, I downloaded a copy of it yesterday off an archived copy of al-jinan.org. But if this is a serious terror threat, I'm Arnold Schwarzenegger.

Blogger BlackFlag, a computer security pro who writes about cyber terror tactics and wishes to remain anonymous, notes that the software is "the equivalent of a re-written 'nuker' DoS program circa 1995." He blogs:

It’s just a basic packet generator that sends ping requests, garbage packets and GET requests to the target. ...In my opinion these "e-Jihad hack-tools" aren’t all they are cracked up to be ... it has been my experience that the average script kiddie possesses more capable tools than this. Having these tools downloaded and installed probably helps the haji’s morale more than anything else.

This description of the software, from the Jamestown Foundation's "Terrorism Focus," makes it sound more like Space Invaders. Among other things, it lets e-Jihadders tally up the hours they've spent attacking and post their high scores online.

The account registers the number of hours the user spends attacking targets and every two weeks to a month the names of those who scored the highest are posted. Currently, the highest score is claimed by a user nicknamed "George Bush" who spent 4,211.50 hours, or 70 full days, hacking anti-Islamic websites.

Yet if you were to believe the sites that have been promulgating the "cyber jihad threat" -- like Jamestown, DEBKAfile, and the Northeast Intelligence Network -- you might be hiding under your desk right about now.

Paul Henry, VP of technology evangelism at Secure Computing, says the threat is nothing to lose sleep over, though it's always a good idea to review your defenses against DDoS attacks. He adds it will be interesting to see just how many e-Jihadists will be pinging away on November 11, if for nothing else than as a measure of how many cyber enemies we've made during the last ten years.

Sure, there are terrorists out there using the Net. But if these guys were interested in doing serious harm they'd be renting a botnet to run a real DDoS attack -- and they wouldn't be publicizing it first. This sounds more like a publicity campaign, or a recruiting tool for noobs, or an attempt to show just how gullible Westerners really are.

Or maybe it really is all just a game, Henry says.

"I wonder how many points you need to qualify for 72 virgins in the afterlife," he jokes.

Got hot tips on tech or terror? Spill the beans below or email me here. Cool swag is available for tipsters who deliver the goods.

Posted by Robert X. Cringely on November 7, 2007 03:00 AM


