J.R.McHale

The Latest (08.01.2015) – Proposed Rules Pulled for Rewrite:

Pardon the “Intrusion” – Cybersecurity Worries Scuttle Wassenaar Changes – Lexology

Unusual Re-do of US Wassenaar Rules Applauded – Kaspersky Lab Threat Post

The US is Rewriting its Controversial Zero-day Export Policy – The Verge

Proposed Implementation:

Bureau of Industry and Standards’ Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items (pdf; 49 pages)

BIS FAQs on the Intrusion and Surveillance Items Implementation

Background:

Wassenaar Arrangement – Wikipedia

The International Rules that Have the Security World on Alert – The Verge

Analysis and Opinion:

Why an Arms Control Pact has Security Experts Up in Arms – Kim Zetter in Wired

Proposed U.S. Export Controls: Implications for Zero-Day Vulnerabilities and Exploits – Mailyn Fidler at LawFare

Changes to Export Control Arrangement Apply to Computer Exploits and More – Jennifer Granick and Mailyn Fidler at JustSecurity

What Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It? – EFF

Also from the EFF: Commerce Department FAQ on Proposed Wassenaar Implementation Gives Answers, Raises More Questions

Why Changes to Wassenaar Make Oppression and Surveillance Easier, Not Harder – ADD/XOR/ROL blog

Why You Should Fear the New Regulations More Than You Think – Dave Aitel

Related:

Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis (pdf; 78 pages) – academic paper by Mailyn Fidler forthcoming in “I/S: A Journal of Law and Policy for the Information Society”

Bruce Schneier at his Schneier on Security on the OPM Hack:

“My question is this: Has anyone thought about the possibility of the attackers manipulating data in the [OPM] database? What are the potential attacks that could stem from adding, deleting, and changing data?”

Related: It just keeps getting worse. The Massive OPM Hack Actually Hit 25 Million People – Kim Zetter at Wired

The new DOD manual is the first since 1956 (pdf; 1,176 pages, with the Cyber Operations portion (Chapter XVI) spanning 15 pages in the pdf, from page 994 to 1009).

Professor Kristen Eichensehr (UCLA Law School) writing at JustSecurity discusses how the new manual’s provisions treat hacking incidents such as the OPM hack.

Just Security’s “mini forum” (series of related posts) on the new Law of War Manual.

Washington Post’s “Net of Insecurity” series:   Part 1 – The Long Life of a Quick ‘Fix’; Internet Protocol from 1989 Leaves Data Vulnerable to Hijackers;   Part 2 – A Flaw in the Design; The Internet’s Founders Saw its Promise But Didn’t Foresee Users Attacking One Another

Should Companies Do Most of Their Computing in the Cloud? (part 1, part 2 and part 3 – Bruce Schneier

Striking a Balance – Whistleblowing, Leaks and Security Secrets (LawFare podcast)

Key portion: 00:07:29 (after intro and panelist bios) to 01:32:30 (when audience Q&A starts)
A discussion amongst Bob Litt (General Counsel for the Office of the Director of National Security), Ken Dilanian (Associated Press), Gabriel Schoenfeld (Hudson Institute) and Steve Vladeck (LawFare), about leaks, whistleblowing, the Espionage Act and Snowden.

Stewart Baker Discussion with Bruce Schneier (Steptoe CyberLaw podcast)

Key portion: 24:18 to 58:30
Bruce Schneier and Stewart Baker tangle on a variety of topics, including the wisdom and legality of “hacking back”, Bruce’s book “Data and Goliath” and some general surveillance/privacy matters. Nothing particularly new here, but always interesting to hear these two – from opposite ends of the spectrum – tangle.

“There is no argument whatsoever that the proliferation of devices and information are empowering. It is categorically true, not to mention obvious, that technology is today far more democratically available than it was yesterday and less than it will be tomorrow. 3D printing, the whole ‘maker’ community, DIY biology, micro-drones, search, home automation, constant contact with whomever you choose to be in constant contact with — these are all examples of democratizing technology. This is perhaps our last fundamental tradeoff before the Singularity occurs: Do we, as a society, want the comfort and convenience of increasingly technologic, invisible digital integration enough to pay for those benefits with the liberties that must be given up to be protected from the downsides of that integration? If, as Peter Bernstein said, risk is that more things can happen than will, then what is the ratio of things that can now happen that are good to things that can now happen that are bad? Is the good fraction growing faster than the bad fraction or the other way around? Is there a threshold of interdependence beyond which good or bad overwhelmingly dominate? Now that we need cybersecurity protections to the degree that we do, to whom does the responsibility devolve? If the worst laws are those that are unenforceable, what would we hope our lawmakers say about technologies that are not yet critical but soon will be?”

— Dan Geer on Where the Science is Taking Us in Cybersecurity; as they say, read the whole thing.

Toronto’s Citizen Lab at the Munk School of Global Affairs posits in an online report that, separate and apart from China’s “Great Firewall”, China possesses a “Great Cannon” offensive cyberattack tool which hijacks traffic to (or from) IP addresses, and which can replace unencrypted content as a man-in-the-middle. According to the report:

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.”

Re/code’s Kara Swisher interviews the President at Stanford University on February 13th (25 minute video).

00:20    Cybersecurity breaches
04:17    U.S. offensive capabilities
06:22    U.S. cybercommand
08:02    Government relationship with Silicon Valley
10:51    Encryption and Backdoors
15:24    Privacy and Data Ownership
18:13    Immigration, STEM, diversity, loss of U.S. tech leadership
23:22    President’s personal tech habits

But:

President Obama’s Cyber Pitch Misses Mark in Silicon Valley – The Hill

What President Obama is Getting Wrong about Encryption – The Washington Post

Background: Russian Researchers Expose Breakthrough U.S. Spying Program – Reuters

Additional Detail: How ‘Omnipotent’ Hackers Tied to NSA Hid for 14 Years and Were Found at Last – ArsTechnica

The Kaspersky Report that started it all: “Equation Group: Questions and Answers” (pdf – 44 pages)

Additional Links: The Equation Group’s Sophisticated Hacking and Exploitation Tools – Bruce Schneier at LawFare:

“This is targeted surveillance. There’s nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It’s doing it only to networks it wants to monitor . . . On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities. In the overall scheme of things, this is much less disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure. On the other hand, the NSA’s definition of ‘targeted’ can be pretty broad . . . On the other other hand — can I even have three hands? — I remember a line from my latest book: ‘Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.’ . . . We need to figure out how to maintain security in the face of these sorts of attacks, because we’re all going to be subjected to the criminal versions of them in three to five years. That’s the real problem.”

The entire (not-too-lengthy) post by Schneier at LawFare is worth a read.

Surprise: America Already Has a Manhattan Project for Developing Cyber Attacks – Kevin Poulsen in Wired

Point: How to Leak to The Intercept – Micah Lee at The Intercept

Counterpoint: The Intercept’s Invitation to Criminality — and to Intelligence Agencies – Benjamin Wittes at LawFare

Additional Debate: The Intercept, SecureDrop, and Foreign Intelligence Services: A Response – Benjamin Wittes at LawFare

Background: “DeadDrop/StrongBox Security Assessment (August 11, 2013)” (pdf)

Tor Browser 4.0.3 and Tails 1.2.3 have been released, in each case allegedly addressing security issues in their respective prior releases.

News Report: The Verge

Text of Bill: Text and legislative history at leginfo.legislature.ca.gov

Explainer: California’s Cellphone ‘Kill Switch’ Law: What You Need to Know at Mashable

Cautionary Note: How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law at WIRED.

“The path to a proper encrypted email system isn’t that far off. At minimum, any real solution needs:

‘A proper approach to key management. This could be anything from centralized key management as in Apple’s iMessage — which would still be better than nothing — to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.’

‘Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.’

‘Cryptography that post-dates the Fresh Prince. Enough said.’

‘Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.'”

— Professor Matthew Green, Johns Hopkins University, writing at his blog: A Few Thoughts on Cryptographic Engineering.

Dan Geer, CISO for In-Q-Tel, a not-for-profit investment firm that invests in technology that supports the missions of the CIA and broader U.S. intelligence community (i.e., the CIA’s venture arm), garnered headlines this past week for the proposal that the U.S. intelligence community corner the market on security vulnerabilities and then disclose them. His presentation at Black Hat 2014, however, is well worth watching in its entirety, as he touches on policy proposals on a wider variety of topics including:

Mandatory Vulnerability Reporting: 16:46
Net Neutrality: 22:20
Product Liability for Software: 25:31
Cyber Attack Counterstrikes: 32:12
Fallbacks/Resiliency: 33:28
Vulnerability Finding: 38:44
Right to be Forgotten: 40:15
Internet Voting: (only in Transcript)
Software Abandonment: 44:47
Convergence of Cyberspace and “Meatspace”: 47:04

Another Reminder That Anonymity Tools Aren’t Foolproof – Vice’s MotherBoard: “Tails, the operating system favoured by journalists, activists, and Edward Snowden for its high degree of privacy protection, has been shown to have critical vulnerabilities in its code. By exploiting these, attackers could peal away a Tails user’s cloak of anonymity. It’s just the latest reminder that tools touted as ‘anonymous’ are not infallible.”

Back Doors in Apple’s Mobile Platform for Law Enforcement, Bosses, Spies (Possibly) — Cory Doctorow at BoingBoing: “Jonathan Zdziarski’s HOPE X talk, ‘Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices’, suggests that hundreds of millions of Iphone and Ipad devices ship from Apple with intentional back-doors that can be exploited by law enforcement, identity thieves, spies, and employers.”

Tor Break Talk Axed from Black Hat Conference — ZDNet: “A proposed talk by two Carnegie Mellon University researchers demonstrating how to de-anonymise Tor users on a budget of US$3,000 has been axed from the Black Hat USA 2014 conference in Las Vegas next month. The talk, ‘You don’t have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ by speakers, Alexander Volynkin and Michael McCord, from Carnegie Mellon University’s Computer Emergency Response Team, had reportedly been highly anticipated by punters.”

Visit the Wrong Website, and the FBI Could End Up in Your Computer — Wired: “Security experts call it a ‘drive-by download’: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes . . . For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

Putin Sets $110,000 Bounty for Cracking Tor as Anonymous Internet Usage in Russia Surges — Bloomberg.