Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Tech Policy Daily’s Gus Hurwitz has a post up today arguing that encryption is a distraction from true security. It’s an interesting read, but thoroughly misguided. Hurwitz suggests that the focus in tech should not be on encryption, but rather on the security of the systems. His argument, boiled down:

Most cybersecurity incidents do not involve breaking encryption. Nor would they be prevented by stronger or more pervasive encryption. Consider recent incidents in the news: Yahoo!’s loss of data from 500 million user accounts, the unprecedented DDOS attack on security researcher Brian Krebs’s web site, and attacks on voting machines. These are the sort of incidents that are happening with alarming frequency; they are the sort of incidents that have the greatest potential to have tangible harmful effect; and they are the sort of incidents that all users are concerned about. …

Better or stronger encryption does little, if anything, to prevent these sorts of attacks. A more productive use of resources is to focus on better design and testing – ensuring that users securely use systems, designing security mechanisms that they won’t bypass, and designing systems that can continue to operate securely under compromised conditions.

On the importance of securing systems, Hurwitz is right. More attention must be paid to strengthening security overall. Corporate players, especially, should face serious repercussions for breaches that result in user data being compromised. Until there is a price to be paid, the cost of poor security practices is relatively minor compared to the cost of robust protections.

What Hurwitz misses, however, is what those protections are likely to look like. If corporate players suddenly faced stiff penalties for breached data, the first step most would take is end-to-end encryption. There is a good reason for that.

Despite Hurwitz’ dismissal of encryption, it is just as important as security, if not more so. If a system encrypted end-to-end is breached, there is little of consequence that could be gleaned from the breach, because all of the compromised data would be stored in an unreadable format.

The reason hacks are so damaging currently is that most data is not stored encrypted. It is stored in plain text or as normal files. Once the breach happens, the data is lost.

Under Hurwitz’ concept of security being most critical, none of that changes. All systems will have vulnerabilities, no matter how much is invested in securing them. So what do you do when they are broken?

By starting first with encryption, you stop the hemorrhaging before the cut is even made. The system protects the data first, and the system second. Our current systems are completely backward in that regard, as is Hurwitz’ thinking. In an end-to-end world, content should never be viewable in transit. That is especially true when transit relies on anything as inherently insecure as the open Internet.

What’s more, you reduce the motive for attack by ensuring that anything gained will be of no value.

Hurwitz’ line of thinking, sadly, is typical of policy proposals in DC. There is a reason for this, too. By diverting the focus to security, rather than encryption, we guarantee the prying eyes of the surveillance state.

Only in an end-to-end world do we safeguard our data against all outside eyes, not just the “bad” ones.

Yet another mainstream tech reporter has decided to draft up an alarmist piece about the hacking of the US election based on a flawed understanding of both how our elections are conducted and the reporting of other related news. CNet’s Edward Moyer threw out this misleading story over the weekend:

“Don’t blame me, I voted for the other candidate (but hackers stole my ballot).”

You might chuckle, but apparently that’s a bumper sticker we could soon encounter for real — if election officials aren’t careful.

The US Department of Homeland Security issued a statement Saturday saying hackers have been casing state voting systems, and it offered its cybersecurity assistance to any states that request it. (emphasis mine)

That link in the last line is the critical piece. It leads to a DHS bulletin regarding the agency’s offer of help to states looking to secure their systems. In it, they note:

In a few cases, we have determined that malicious actors gained access to state voting-related systems. However, we are not aware at this time of any manipulation of data. (emphasis mine)

You will notice the difference between the two passages in bold above. It may seem overly pedantic or a minor semantic distinction, but it really isn’t. A “voting system” would refer to the system by which America votes. A “voting-related system” would be a supplementary system that aids in that process, but is not actually part of the voting system. In other words, as I have commented previously, the actual conduct of elections and the storage of voter information are not one and the same. Your voter registration is not tied to the machine on which you vote. The city/county/state registration databases exist separate and apart from the machines you will use to actually cast your ballot.

This is critically important for reporters covering the concern over election manipulation to get right, and yet they rarely do. Instead, like Moyer, they write these sensationalist pieces that mislead the public into conflating the illegal access of voter data with the manipulation of their sacred vote. It’s unfortunate that writers like Moyer don’t bother to actually talk to people who have spent a lifetime in elections to get the story right.

I have seen a lot of posts on various tech blogs about the Yahoo! data breach announced last week and many of them make the same tired jokes about the fact that the 500 million compromised accounts were likely last used in 2003. One meme that circulated today noted that Yahoo!’s traffic was up substantially as everyone logged into their account for the first time in years – only to change their password and log out again. A good friend last week asked why this was making news, despite the fact that Yahoo! is a shadow of its former self.

To understand why the breach is a big deal – beyond the simply unimaginable scale – you have to understand how hackers are using this data. Once you grasp that, you should come away with two things: an abiding fear for your own security and a desire to correct its deficiency.

Large scale data breaches are problematic primarily because the average user has somewhere between one and a small handful of passwords they reuse across many sites. You may have accounts on dozens or hundreds of sites, but precious little differentiation between the passwords. So when a large scale hack happens – especially when passwords are compromised – those records can be used to subsequently test the same login credentials on another site.

So here is what that looks like in practice. If the hacker has your Yahoo! address and password, they can script an attack on Facebook or LinkedIn to use that as your login. If they find the combo works, great! If they also get a secondary/recovery email address, they now may have the same password you use on Gmail or Hotmail. A quick filter of the compromised data by domain and suddenly they can script hundreds of additional attacks on other sites.
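To show what the replay described above looks like from the defender’s side, here is an added example (not code from the original post) that scans a constructed authentication log for a single source trying many distinct accounts with a high failure rate, and lists the accounts where a reused password let the attacker in. The log format, addresses and thresholds are assumptions.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example, not code from the original post. Log format, IP addresses,
account names and thresholds are all assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 replays a breached list against many
# accounts in seconds (two accounts reused their breached password, so those
# logins succeed); 198.51.100.20 is one user who mistyped once; 192.0.2.5 is
# noise below the detection threshold. The last line is garbage to skip.
SAMPLE_LOG = """\
2016-09-26T10:00:01Z 203.0.113.7 alice@example.com FAIL
2016-09-26T10:00:03Z 203.0.113.7 bob@example.com FAIL
2016-09-26T10:00:05Z 203.0.113.7 carol@example.com OK
2016-09-26T10:00:07Z 203.0.113.7 dave@example.com FAIL
2016-09-26T10:00:09Z 203.0.113.7 erin@example.com FAIL
2016-09-26T10:00:11Z 203.0.113.7 frank@example.com OK
2016-09-26T10:00:13Z 203.0.113.7 grace@example.com FAIL
2016-09-26T10:00:15Z 203.0.113.7 heidi@example.com FAIL
2016-09-26T10:00:20Z 198.51.100.20 alice@example.com FAIL
2016-09-26T10:00:31Z 198.51.100.20 alice@example.com OK
2016-09-26T10:02:00Z 192.0.2.5 ivan@example.com FAIL
2016-09-26T10:02:04Z 192.0.2.5 judy@example.com FAIL
2016-09-26T10:02:09Z 192.0.2.5 mallory@example.com FAIL
this line is malformed and must be ignored
"""

# Assumed format: "<ISO-8601 UTC timestamp> <source ip> <account> <OK|FAIL>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"].lower(), m["result"] == "OK"


def find_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding window, tried at least
    `min_users` distinct accounts with a failure ratio >= `min_fail_ratio`.

    Returns {ip: {"attempts", "distinct_users", "failures", "successes"}}, where
    "successes" lists the accounts the source got into (those need a forced
    password reset, since their password was evidently reused from the breach).
    """
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Keep the largest qualifying window seen for this source.
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failures": fails,
                        "successes": sorted({e[2] for e in win if e[3]}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} accounts, "
              f"{info['failures']} failed; compromised: {', '.join(info['successes'])}")
```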

So what can you do about that? The answer is pretty simple – STOP USING THE SAME PASSWORD ON EVERY SITE. Every site you visit should have a unique password, and ideally that password should be REALLY hard to break manually. Here is a good example:

Az\K:]<xm\,@5a4D!Z6&fn>BP

That hot mess was automatically generated by the password keeper I use, KeePassX. There are others out there, like LastPass. The point is, there are solutions for the fact that people are incapable of memorizing hundreds of unique passwords, and you should look into one – REALLY soon.

These breaches are going to continue, and as long as you are using P4$$word! as your login for every account you have, you’re going to fall victim to them – if you haven’t already.

The breach of 500 million Yahoo! accounts matters, even though Yahoo! doesn’t, because it adds fuel and armament to the tank that hackers are driving through the Internet. As it cruises along, their ability to snarf up more and more of your accounts gets better and better. And as long as you are still using the same password on every site, you are doing precious little to stop it.

It’s a good thing someone in our government is actually informed about elections. A report out yesterday afternoon noted that the head of the NSA, during a Senate Armed Services Committee hearing, weighed in on the possibility of US elections being hacked (and here).

During a Senate Armed Services Committee, Sen. John McCain, R-Ariz., asked about the possibility that Russia “could somehow harm the electoral process” in his state and “disrupt the voting results in the upcoming election.”

Admiral Mike Rogers, head of the NSA and U.S. Cyber Command, spoke about the disparate structure with some states voting manually and others electronically.

“But is it a concern?” McCain asked.

“Oh, yes sir,” Rogers responded.

Fortunately, elsewhere in government, another top official knows how things actually work.

“The beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck,” said [FBI Director] Comey. “A lot of people have found that challenging over the years, but the beauty of that is it’s not exactly a swift part of the internet of things, and so it is hard for an actor to reach our voting process.”

Rogers clearly doesn’t understand how elections work. As I pointed out the other day, there is almost ZERO chance that the election could be “hacked” in any meaningful way. The FBI Director (who I rarely agree with on matters of security, privacy and surveillance) is spot on. Our election process is a giant, decentralized mess. It is largely impervious to hacking because it is not standardized, not centralized, and not connected. Comey gets this. That’s ultimately good because it would probably be up to the FBI/DOJ to enforce security over elections. If the NSA was in charge, we would be screwed.

Recent news reports that the election databases in Arizona and Illinois were breached have a whole lot of people up in arms, and have caused numerous publications with precious little understanding of election systems to proclaim that the US election in November could be hacked. For instance, there is this from the Daily Signal:

“If it’s an organized effort, and someone hacks into a system and falsely registers bogus voters, you could hire a crew of people to vote multiple times under different names,” von Spakovsky told The Daily Signal. “That’s a problem for states with no voter ID laws. There is no way to prevent that.”

Guess what, there is nothing that prevents that currently. You can fill in a ton of false registrations in a state and hire a crew of people to vote multiple times. Yet it doesn’t happen. Just about every major study of voter fraud has found that when it does occur, it is a) generally on a very small scale and b) frequently caught. Why? Several reasons:

  • The sudden appearance of a large number of extra voter registrations would be noticed. Most states publish the number of registered voters publicly and there are people who look at the numbers, literally, on a daily or weekly basis to see how they have changed, and how the change tracks against changes over time. A sudden shift in the number would stand out.
  • The size of the “crew” required to throw an election is significant. Few states decide Presidential or Congressional elections by a few votes and rigging them is VERY difficult. The Florida results in 2000 are the rare exception, not the rule in Presidential elections. To swing a state like Ohio in 2004, you would have needed 60,000 votes. The size of the crew that could pull that off is so large it is unlikely that somebody wouldn’t brag about it to a friend. Occasionally you have a down ballot race for something like dog catcher that is decided by a handful of votes. Those are frequently fixed and very frequently caught.
  • The decentralization of American election systems would make a large scale hack almost impossible. Typically each county in a state is responsible for providing their own election systems. You vote, the aggregate vote from your precinct/ward/division is sent to the county election official, who then sends it along to the state. To “hack” an election in a single state, you may have to compromise dozens or even hundreds of individual polling systems in a state, and quite frequently a mix of different systems is in use. So you may have to compromise dozens of different types of machines. You could possibly hack the secretary of state’s central computer, but all the counties have to reconcile their votes, then meet with the state election officials to certify that what the state shows is correct. So the hack at the state would eventually be revealed.

The biggest threat to our election systems is not the hacking of an election, but the workaday hacking of our personal information. That, however, is something that threatens every major database – be it commercial, private or government. In just the last few years, an alphabet soup of government agencies has been hacked. The IRS, NSA, and OPM, to name just a few, compromised the personal information of millions of citizens. Corporate hacks on everything from Target to porn sites have resulted in even more.

Election agencies maintain huge databases of information about voters. In many states the use of a voter ID number is prohibited, so they often use your Social Security Number to identify you. When the database gets hacked, the attackers will often get your name, address, date of birth, driver’s license number and SSN. That’s all the ingredients needed for identity theft. What’s worse, the leak of that information happens all too frequently.

A lawsuit filed this week revealed what Kemp said his office learned on Friday — that Social Security numbers, dates of birth and driver’s license numbers for 6.1 million registered voters were included in a voter file provided last month to 12 organizations.

That’s among the largest breaches affecting states, if not the largest, according to a timeline kept since 2005 by the Privacy Rights Clearinghouse. South Carolina in 2012 discovered that unencrypted data from tax returns was hacked from its Department of Revenue, affecting 3.8 million adults, 1.9 million dependents and 700,000 businesses.

Despite that danger not only existing, but coming to fruition, Georgia’s elections director refused help in securing their systems, claiming a fear that the federal government was using it to get their nose under the tent to take over elections.

The reality is there is precious little chance that elections can be hacked, unless and until we centralize and standardize our election systems. While some have called for that as a way to provide better oversight and protection, it is actually quite likely that would create worse problems. Instead, the real election reform we need as voters is the creation of a national voter ID number that could keep track of voters without compromising their Social Security and driver’s license information. Many on both the left and the right oppose a voter ID number, though for different reasons. The left is generally opposed to voter IDs because they feel they suppress minority and low-income voters. The right fears them as a way for government to track individuals. Both are likely justified in those complaints.

However, we already have ID numbers that are frequently surrendered on registering to vote, but those IDs are tied to everything else we do in life, and our system, currently, is ill-equipped to protect them.

So sleep well tonight knowing that our election systems will likely keep our democracy safe, but not your personal information.

Remember that scene at the end of The Bourne Identity where Brian Cox is testifying before the Intelligence Committee about Treadstone and Black Briar and describes the former as a training op and the second as a communications program despite both being covert death squads? It’s easy enough to think that stuff like that doesn’t happen in the real world, but don’t be too sure. The FBI has been running a “pilot project” to test iris scanning technology whose original stated objective was just to evaluate the technology available at the time. That started in 2013.

Now it’s easy enough to assume that the government moves REALLY slowly and that they simply haven’t gotten very far. Unfortunately, their ability to gather scanned irises hasn’t been quite so slow. The iris database now contains more than 430,000 iris scans, with almost half coming from San Bernardino, California. San Bernardino has become so proficient at obtaining iris scans that over the last two and a half years they have snapped up almost ten percent of the city’s population of 2 million.

That a database of nearly a half million people has been amassed by the FBI is perhaps not too surprising, but what might be shocking is the fact that, as a pilot project, there has been no oversight and no privacy disclosure or assessment. As Colin Lecher at The Verge describes it, “The result amounts to a new national biometric database that stretches the traditional boundaries of a pilot program, while staying just outside the reach of privacy mandates often required for such data-gathering projects.” What is worse, the gathering of iris data may be for minor offenses and is often taken pre-trial and submitted in near real-time to the FBI.

The California Justice Department, like other agencies the FBI has partnered with, can log a scan as part of the booking process, even for low-level crimes, and well before a conviction. When the scans are sent to the national database, the FBI says, they are bundled with fingerprints and mug shots.

Had you been arrested in California for a minor offense and ultimately released without charges, your iris may still be on file with the feds. Because this is ostensibly a pilot project, and not a fully functioning identification system, a complete privacy assessment was not done. It’s not even clear if one will be done as the project is part of the FBI’s Next Generation Identification database and the FBI is looking to exempt that from privacy laws.

Over the last week there has been a lot of fretting about a decision by the US Court of Appeals for the Ninth Circuit regarding a case in which a former employee gained access to his former employer’s proprietary database using a current employee’s password. A veritable who’s who of tech blogs have been spun up claiming that the decision makes it illegal to share your Netflix password.

In his dissenting opinion, Judge Stephen Reinhardt pointed out that the trouble with ambiguous phrases like “unauthorized access” is that they could be interpreted to criminalize the actions of millions of Americans who might share their Netflix passwords.

The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.

Simply put, this is nonsense. In the case, David Nosal, a headhunter, left his employer to start a new firm, and brought several other employees along for the ride. Together, they used the password of a current employee of their former employer to access sensitive and proprietary data belonging to their former firm. This is, quite simply, hacking. Had they used a brute force attack to compromise their former employer’s data, it would be no different. As former employees, they simply were not allowed to access the system. Period.

I have my issues with many of our cybercrime laws. For instance, the defacement of a website is essentially the equivalent of spray painting your name on a building wall. In many ways it is actually less serious as it can typically be undone with a backup restore, and has almost zero cost associated with it. Compare that to the cost of having to hire someone to paint over or sandblast your wall. Yet the defacement of a website is a serious crime and the punishment for physical vandalism is typically very minor.

In Nosal’s case, however, the comparison to the real-world equivalent of his crime is pretty spot on.

If Nosal had been employed by a department store, quit, then got his buddy the night-shift stock clerk to open the door so he could come in and steal all of their clothing to resell it, he still stole the clothing. It doesn’t matter that he had a friend on the inside. In fact, the friend on the inside should be charged as well for facilitating the burglary. The tech blogs, however, want to draw a different comparison. They want you to believe that his friend helping to steal from Target is the same as his friend simply lending Nosal the key to his house despite the fact that his roommate was home.

To be clear, nobody was charged with sharing a password. Nosal was charged with illegally accessing a proprietary database to steal something of value from a system he was not authorized to access. The facts of the case are not in dispute. The Computer Fraud and Abuse Act, under which Nosal was tried, was meant to handle exactly this sort of incident – an individual circumventing prohibitions on system access to steal something of great value.

The comparison to sharing a Netflix password, specifically, is completely ridiculous given that Netflix actively encourages you to share your account by allowing you to specify multiple account users. Nothing in this decision makes that illegal.

If the tech community wanted to make a sensationalist claim, a more apt comparison might be the sharing of an Amazon password to get a Prime discount tomorrow. Even that, however, is not an apt comparison as you are still paying for the goods, albeit at a savings. You are still paying the full price that any Prime member would pay. The CFAA does, however, give Amazon the legal authority to prosecute that if they would like to do so.

Despite the wishes of the “everything should be free” crowd, there is still a concept of ownership. The CFAA decision reinforces that concept and holds individuals (in this case Nosal) responsible for theft of goods owned by someone else. Despite the public outcry, this decision was rightly decided and is, in fact, a feature of the law, not a bug.

I’m just an average man, with an average life
I work from nine to five; hey hell, I pay the price
All I want is to be left alone in my average home
But why do I always feel like I’m in the Twilight Zone?

When I come home at night
I bolt the door real tight
People call me on the phone I’m trying to avoid
Well, can the people on TV see me
Or am I just paranoid?

Rockwell’s “Who’s Watching Me?” tells the story of a man who feels like he is under constant surveillance by some unknown entity. Two stories out of the world of tech privacy and surveillance today would likely make Rockwell think those lyrics didn’t go far enough. Or, as Max said in the cult classic movie Strange Days:

The issue’s not whether you’re paranoid, Lenny, I mean look at this shit, the issue is whether you’re paranoid enough.

It was revealed today that hacker-turned-Facebook-founder Mark Zuckerberg tapes over the camera on his laptop, as does FBI Director James Comey. That latter part is particularly ironic given that it’s quite likely the FBI that may be spying on you. As I mentioned yesterday, the FBI is already using software to scan almost a half billion images of Americans (despite few privacy protections). It’s also no secret that the FBI is pushing for massive new surveillance powers under the guise of “keeping us safe”.

It’s good, then, that a coalition of internet companies has come together to create a public awareness and advocacy campaign. No Global Warrants is pushing to raise awareness and has a petition up to contact Congress to make your voice heard. While that is unlikely to prevent government from further suppressing your rights, it should, hopefully, make people aware of the issue and aware of how extensive the government’s expansion of its surveillance capability is.

In the meantime, there are some steps you can take to protect yourself. First, you can follow Zuckerberg’s lead and secure your cameras. Amazon sells these handy little slides for laptops and tablets that slide open and closed easily and avoid the tape residue. These cell phone camera covers are also handy and better looking than tape. You also might think twice about sharing a ton of photos of yourself. I realize that is probably unheard of in our selfie obsessed culture, but it makes facial recognition much more accurate if they have snaps of you from every angle.

There are steps you can take to secure your physical devices like ensuring your hard drive and all external storage are encrypted (I like VeraCrypt). Apple has encryption built in through FileVault, but you have to enable it through System Preferences -> Security & Privacy -> FileVault.

You should also, under NO circumstances, be using the same password on every website. I’ll be covering that soon, but there are a lot of password lockers that a) keep all of your passwords securely and b) make it so that you don’t need to remember passwords at all. They’re easy to set up, and enable you to have different, unique, and strong passwords for every site you visit. With free services like Dropbox to store the encrypted password files, you can also use them on every device.

While many of these steps will help protect you from hackers and identity thieves, the FBI has also been known to illegally hack computers. While much of the evidence stemming from that investigation has been tossed by several courts, the FBI is pushing to address that problem through these expanded powers. So you really want to get comfortable with protecting your information from actors both good and bad.

Following news last week that the Government Accountability Office found the FBI in possession of 412 million images of Americans, and was doing precious little to honor the privacy (or Constitutional) rights of the citizens, the news just keeps getting better. The GAO had announced that the system was not properly tested and that it did not protect our civil liberties.

Now comes news that those images probably include you, and me, and pretty much every other American, regardless of whether they have ever committed, or even been suspected of committing, a crime.

The report says the bureau’s Facial Analysis, Comparison, and Evaluation Services Unit contains not only 30 million mug shots, but also has access to driver license photos from 16 states, the State Department’s visa and passport database, and the biometric database maintained by the Defense Department.

The system contains the mugshots of convicted criminals (which you would probably expect it to), but also connects to systems not owned by the FBI, but containing your personal information. But surely all of this is being done in a way to maximize effectiveness and minimize the exposure of the innocent, right? Well, not so much. From the GAO report:

“[U]ntil FBI officials can assure themselves that the data they receive from external partners are reasonably accurate and reliable, it is unclear whether such agreements are beneficial to the FBI and do not unnecessarily include photos of innocent people as investigative leads.”

Um, yeah, so that data may not be all that useful. If you have ever noticed how fallible facial recognition is, you’ll understand the depth of the problem. Facebook’s facial recognition routinely identifies a high school friend of mine as my 82 year old mother. I have seen enough examples in both Apple’s facial recognition and Facebook’s to seriously question whether the FBI’s system is that much better; after all, government IT, especially in law enforcement, is significantly lacking. It wasn’t that long ago that the Department of Justice (home of the FBI) spent years and $170 million in taxpayer funds to completely fail to build something as basic as a case management system. Healthcare.gov, more recently, indicated that Uncle Sam’s IT systems hadn’t improved much ten years later.

Yet the same government that is demanding backdoors into our phones, building malware to hack and entrap criminals, and pushing continually for expansive powers to hack your devices, is somehow expected to show restraint when it wants to access your photos? We’re supposed to believe that the same inept government IT personnel are better able to ensure the face of the innocent will not match the face of the FBI’s suspect?

There is a need for massive, systemic overhaul of surveillance laws in the United States as our technology is significantly outpacing the basic tenets that citizens will not be the subject of investigation unless there is probable cause. These systems assume that, contrary to well established legal tenets, we are not innocent until proven guilty. Rather, every US citizen is considered guilty until proven innocent.

This facial analysis identifies people that COULD BE, but quite likely ARE NOT, the right person. Yet the FBI will investigate them in connection with crimes they likely had nothing to do with.

This is the state of surveillance in the US today.

Sometimes the intersection of surveillance and privacy looks a little odd. That’s certainly the case with the recent revelation that the FBI is looking at ways to develop tattoo recognition systems. (And yes, before you ask, I’m pretty sure the guy in the image attached to this is Hillary Clinton’s STD afflicted model)

It is no secret that law enforcement uses tattoos to help identify suspects. Anyone who has watched more than a few hours of Law and Order has probably heard the questioning of a suspect include the question of identifying tattoos or facial features. There is a reason for that. They are pretty unique to the individual. So it’s probably not a stretch, as law enforcement ideas go, to catalog these (which they already do) and to figure out ways to do something with them.

Tattoos, which are usually elective (people choose their own tattoos), can reveal a person’s cultural, religious and political beliefs, the [Electronic Frontier Foundation (EFF)] says.

That all makes sense. However, as the article goes on to note, there are First Amendment implications when tattoos that may be religious in nature are used for profiling. There is also a significant issue with the research into this effort.

The National Institute of Standards and Technology (NIST) has been conducting research into tattoo recognition technology since 2014, relying on a database of 15,000 tattoo images collected by the FBI from prisoners and arrestees without their consent, according to the EFF.

Yes, that’s right, the US government (which has had a long history of mistreating prisoners and other test subjects without their knowledge or consent) is using personally identifiable information taken from prisoners without their consent to build a system to track anyone else with a tattoo (also without consent, and with a significant likelihood of misuse).

EFF is leading an effort to call attention to the potential misuse of tattoos that may denote political or religious affiliations, but the effort will obviously have much larger implications to the estimated 20-40% of Americans with tattoos. You can read their full report on the effort here.