Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Monthly Archives

June 2016

I’m just an average man, with an average life
I work from nine to five; hey hell, I pay the price
All I want is to be left alone in my average home
But why do I always feel like I’m in the Twilight Zone?

When I come home at night
I bolt the door real tight
People call me on the phone I’m trying to avoid
Well, can the people on TV see me
Or am I just paranoid?

Rockwell’s “Who’s Watching Me?” tells the story of a man who feels like he is under constant surveillance by some unknown entity. Two stories out of the world of tech privacy and surveillance today would likely make Rockwell think those lyrics didn’t go far enough. Or, as Max said in the cult classic movie Strange Days:

The issue’s not whether you’re paranoid, Lenny, I mean look at this shit, the issue is whether you’re paranoid enough.

It was revealed today that hacker-turned-Facebook-founder Mark Zuckerberg tapes over the camera on his laptop, as does FBI Director James Comey. That latter part is particularly ironic given that it’s quite likely the FBI that may be spying on you. As I mentioned yesterday, the FBI is already using software to scan almost a half billion images of Americans (despite few privacy protections). It’s also no secret that the FBI is pushing for massive new surveillance powers under the guise of “keeping us safe”.

It’s good, then, that a coalition of internet companies has come together to create a public awareness and advocacy campaign. No Global Warrants is pushing to raise awareness and has a petition up to contact Congress to make your voice heard. While that is unlikely to prevent government from further suppressing your rights, it should, hopefully, make people aware of the issue and aware of how extensive the government’s expansion of its surveillance capability is.

In the meantime, there are some steps you can take to protect yourself. First, you can follow Zuckerberg’s lead and secure your cameras. Amazon sells these handy little slides for laptops and tablets that slide open and closed easily and avoid the tape residue. These cell phone camera covers are also handy and better looking than tape. You also might think twice about sharing a ton of photos of yourself. I realize that is probably unheard of in our selfie-obsessed culture, but it makes facial recognition much more accurate if they have snaps of you from every angle.

There are steps you can take to secure your physical devices like ensuring your hard drive and all external storage are encrypted (I like VeraCrypt). Apple has encryption built in through FileVault, but you have to enable it through System Preferences -> Security & Privacy -> FileVault.

You should also, under NO circumstances, be using the same password on every website. I’ll be covering that soon, but there are a lot of password lockers that a) keep all of your passwords securely and b) make it so that you don’t need to remember passwords at all. They’re easy to set up, and enable you to have different, unique, and strong passwords for every site you visit. With free services like Dropbox to store the encrypted password files, you can also use them on every device.

While many of these steps will help protect you from hackers and identity thieves, the FBI has also been known to illegally hack computers. While much of the evidence stemming from that investigation has been tossed by several courts, the FBI is pushing to address that problem through these expanded powers. So you really want to get comfortable with protecting your information from actors both good and bad.

 


Following news last week that the Government Accountability Office found the FBI in possession of 412 million images of Americans, and was doing precious little to honor the privacy (or Constitutional) rights of the citizens, the news just keeps getting better. The GAO had announced that the system was not properly tested and that it did not protect our civil liberties.

Now comes news that those images probably include you, and me, and pretty much every other American, regardless of whether they have ever committed, or even been suspected of committing, a crime.

The report says the bureau’s Facial Analysis, Comparison, and Evaluation Services Unit contains not only 30 million mug shots, but also has access to driver license photos from 16 states, the State Department’s visa and passport database, and the biometric database maintained by the Defense Department.

 

The system contains the mugshots of convicted criminals (which you would probably expect it to), but also connects to systems not owned by the FBI, but containing your personal information. But surely all of this is being done in a way to maximize effectiveness and minimize the exposure of the innocent, right? Well, not so much. From the GAO report:

“[U]ntil FBI officials can assure themselves that the data they receive from external partners are reasonably accurate and reliable, it is unclear whether such agreements are beneficial to the FBI and do not unnecessarily include photos of innocent people as investigative leads.”

Um, yeah, so that data may not be all that useful. If you have ever noticed how fallible facial recognition is, you’ll understand the depth of the problem. Facebook’s facial recognition routinely identifies a high school friend of mine as my 82-year-old mother. I have seen enough examples in both Apple’s facial recognition and Facebook’s to seriously question whether the FBI’s system is that much better. After all, government IT, especially in law enforcement, is significantly lacking. It wasn’t that long ago that the Department of Justice (home of the FBI) spent years and $170 million in taxpayer funds to completely fail to build something as basic as a case management system. Healthcare.gov, more recently, indicated that Uncle Sam’s IT systems hadn’t improved much ten years later.

Yet the same government that is demanding backdoors into our phones, building malware to hack and entrap criminals, and pushing continually for expansive powers to hack your devices, is somehow expected to show restraint when it wants to access your photos? We’re supposed to believe that the same inept government IT personnel are better able to ensure the face of the innocent will not match the face of the FBI’s suspect?

There is a need for massive, systemic overhaul of surveillance laws in the United States as our technology is significantly outpacing the basic tenets that citizens will not be the subject of investigation unless there is probable cause. These systems assume that, contrary to well established legal tenets, we are not innocent until proven guilty. Rather, every US citizen is considered guilty until proven innocent.

This facial analysis identifies people that COULD BE, but quite likely ARE NOT, the right person. Yet the FBI will investigate them in connection with crimes they likely had nothing to do with.

This is the state of surveillance in the US today.


Sometimes the intersection of surveillance and privacy looks a little odd. That’s certainly the case with the recent revelation that the FBI is looking at ways to develop tattoo recognition systems. (And yes, before you ask, I’m pretty sure the guy in the image attached to this is Hillary Clinton’s STD afflicted model)

It is no secret that law enforcement uses tattoos to help identify suspects. Anyone who has watched more than a few hours of Law and Order has probably heard the questioning of a suspect include the question of identifying tattoos or facial features. There is a reason for that. They are pretty unique to the individual. So it’s probably not a stretch, as law enforcement ideas go, to catalog these (which they already do) and to figure out ways to do something with them.

Tattoos, which are usually elective (people choose their own tattoos), can reveal a person’s cultural, religious and political beliefs, the [Electronic Frontier Foundation (EFF)] says.

That all makes sense. However, as the article goes on to note, there are First Amendment implications when tattoos that may be religious in nature are used for profiling. There is also a significant issue with the research into this effort.

The National Institute of Standards and Technology (NIST) has been conducting research into tattoo recognition technology since 2014, relying on a database of 15,000 tattoo images collected by the FBI from prisoners and arrestees without their consent, according to the EFF.

Yes, that’s right, the US government (which has had a long history of mistreating prisoners and other test subjects without their knowledge or consent) is using personally identifiable information taken from prisoners without their consent to build a system to track anyone else with a tattoo (also without consent, and likely with significant likelihood of misuse).

EFF is leading an effort to call attention to the potential misuse of tattoos that may denote political or religious affiliations, but the effort will obviously have much larger implications to the estimated 20-40% of Americans with tattoos. You can read their full report on the effort here.

 


In case you are curious, Ledgett also answered why the NSA didn’t help the FBI crack the San Bernardino shooter’s iPhone. “We don’t do every phone, every variation of phone. If we don’t have a bad guy who’s using it, we don’t do that.”

If you look at the medical devices from the same point of view, you might only need to worry about remotely having your pacemaker, insulin pump or other wirelessly-enabled medical device hacked or monitored if you happen to have the same model as some NSA target.

This is a rather matter-of-fact and simultaneously VERY creepy thought. Assassinations are a rather convenient way to force regime change in hostile nations, and hacking medical equipment would certainly be an efficient way to carry that out. The US is already alleged to have developed things like the Stuxnet virus to very specifically target a single system in a single environment (in that case a Siemens system in an Iranian nuclear facility). If the government could legitimately develop methods of hacking medical devices ostensibly for investigatory purposes, how long would it be until they were developing them for covert assassinations?

It seems like the stuff of fictional thrillers. Something Jason Bourne would have employed, perhaps. But the reality is these things eventually go rogue. In just the last few weeks, viruses similar in design to Stuxnet have been found that target industrial control systems for nefarious purposes. Would it take long for an industrious hacker group to develop their own (assuming they aren’t already)?

The rise of ransomware attacks on hospitals has recently seen exponential growth. What if these hackers turned their attention to high net worth individuals and threatened their very lives by demanding ransom or their medical equipment would be compromised?

Report after report indicates that companies making so-called “Internet of Things” devices are often running fast and loose with our privacy and security. Everything from children’s toys to automobiles has been hacked, and now we have the US government admitting that it wants to hack medical devices. If you aren’t getting nervous about connecting your whole life to the Internet, you haven’t been paying attention.

Until we have better controls and more secure systems, putting your pacemaker online seems like a terrible idea.


A bill that would expand personal privacy as it relates to your email, and one that looked likely to pass given its unanimous passage in the House, has hit a major snag due to a Republican Senator’s poison pill amendment. In a bill intended to make it harder for government to spy on you, Texas Senator John Cornyn introduced an amendment that would make it easier for the FBI to access your data without a warrant. The senator’s amendment would have greatly expanded the use of what are known as National Security Letters. Sponsors of the email privacy legislation have pulled it from consideration.

National Security Letters are issued without a warrant and would allow the Bureau to snarf up your browser history. Proponents of the Amendment portray it as fixing a typo in current law, but privacy advocates note that it would represent a dramatic increase in warrantless surveillance and gathering of personal data. The Senate has moved similar provisions in other bills hoping to expand the FBI’s surveillance capability, but the amendment was a step too far for supporters of the bill.

Senator Mike Lee suggested that the inclusion of the National Security Letter language would essentially negate many of the protections the bill sought to expand.

Many of the amendments offered to the bill the House passed include exceptions in the case of national security or “emergencies”, but opponents fear those vague exceptions could be abused.


"The answer will come through public debate through unfortunate cases and a new batch of laws. And I can only see that in ending up in one place; because seeing what I have on security and how unacceptable it is in a modern society for the security of the mass of the population to be jeopardised, I can’t see that an absolute right to privacy can withstand the pressure of argument and events over the coming years," said Hague.

This is a UK Foreign Secretary speaking, but these exact sentiments have been expressed by law enforcement agencies at every level in the US. This is the single reason that THE FUNDAMENTAL DEBATE of the next 10-20 years will be encryption and privacy versus state surveillance.

Law enforcement will position this as ensuring that we do not have undetected conversations between nefarious actors, but we have those EVERY SINGLE DAY through face-to-face meetings, coded conversations, etc. The notion that banning encryption or requiring backdoors will end undetected conversations is nonsense.

In the meantime, there comes news that even without these backdoors someone is selling 32 million Twitter passwords on the dark web and a report from IBM that indicates 60% of cyber attacks were an inside job.

The constant drumbeat of hacked services and compromised personal data will be made FAR, FAR worse with government’s bungling ham-handed approach to surveillance as ‘malicious insiders’ (as IBM calls them) from government agencies will have access to personal conversations. And if you don’t think that will happen, just look at the 41 Secret Service agents being reprimanded for illegally accessing a Congressman’s personal data because they didn’t like what he had to say about their agency.


It seems that almost every day there is another story of a company, website, or celebrity that has been hacked. Sensitive information – everything from banking details to naked selfies – gets posted online and embarrassment and financial devastation grows. Despite the constant flow of information about high-profile hacks and the commonplace occurrence of identity theft, people still don’t take basic precautions to protect themselves, and websites don’t take basic precautions to protect user data.

When a hacker breaches a site like MySpace and compromises its user database, they can compromise your email/username and password combinations. If you reuse that same combination on other sites, it is very easy for hackers to write a script to compare those credentials against other popular sites, and identify which ones give them access. It is no surprise that the number of Twitter accounts hacked in the past few weeks is exploding, given that many or most of those people likely also had MySpace or LinkedIn accounts, and were likely using the same password on all of them.

Twitter acknowledged as much when discussing the announcement that 32 million user credentials were available on the dark web.

“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.”

Many websites are now informing you when a login is attempted on your account from a new location, but this is still neither common nor foolproof. Some sites still store user credentials in plain text, though encryption of user credentials is more common than not, these days. The strength of that encryption varies, however.

If you are using the same password across many websites, it is just a matter of time before you will be hacked. You really should be using a better method to keep yourself secure. Password locker systems (KeePass or KeePassX, for instance) allow you to keep an unlimited number of passwords stored in a single location and allow you to simply click to copy the correct password and paste it into login forms. You don’t need to remember them all, and most of these systems have a mobile app version that keeps a synchronized copy for logging in via your devices.
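To see how far a single breach would reach into your own accounts, here is a small reuse audit over a password-locker export. It is an added example, not code from this blog or from KeePass; the CSV column names (`title`, `username`, `password`) and the sample entries are constructed assumptions, so adjust them to whatever your locker actually exports.

```python
import csv
import hashlib
import hmac
import io
import os
from collections import defaultdict

# Constructed sample export (assumed columns); these are not real credentials.
SAMPLE_EXPORT = """title,username,password
MySpace,alex@example.com,Summer2016!
LinkedIn,alex@example.com,Summer2016!
Twitter,alex,Summer2016!
Online Banking,alex@example.com,kT9#vq2LmZ7pX4wB
Facebook,alex@example.com,hunter2
Forum,alex_old,hunter2
Email,alex@example.com,R8u!eN3zQ6cW1yHs
"""


def find_reused_passwords(export_text, key=None):
    """Return lists of entry titles that share one password, largest group first.

    Passwords are compared through a keyed digest (HMAC-SHA256 with a random
    per-run key), so the plaintext never appears in the result or the output.
    """
    key = key or os.urandom(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row.get("password") or ""
        if not password:
            continue  # entries without a password (notes, etc.) are skipped
        digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[digest].append(row["title"])
    reused = [sorted(titles) for titles in groups.values() if len(titles) > 1]
    return sorted(reused, key=lambda titles: (-len(titles), titles))


def exposure_if_breached(export_text, breached_title):
    """List the other accounts that share a password with `breached_title`."""
    for titles in find_reused_passwords(export_text):
        if breached_title in titles:
            return [t for t in titles if t != breached_title]
    return []


if __name__ == "__main__":
    for titles in find_reused_passwords(SAMPLE_EXPORT):
        print(f"{len(titles)} accounts share one password: {', '.join(titles)}")
    print("If MySpace is breached, also change:",
          exposure_if_breached(SAMPLE_EXPORT, "MySpace"))
```

Run it against a temporary export and delete the CSV afterwards, since the export itself holds every password in plain text.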

Whatever system you choose, it is well past time when you should be taking your personal information security much more seriously. If you are using the same password for your Facebook account and your online banking, you are dancing in a virtual minefield and it’s just a matter of time before something blows up.

We’ve launched this blog to look at developments in the area of cybersecurity, privacy, encryption, and government surveillance, because their intersection is the epicenter of the digital world. Discussions of the balance between security and privacy will drive most tech discussions for the next ten years. Much of this starts with you being better informed and empowered to take an active role in securing your personal data.