Quote of the Day

“[B]ecause the cost of saving all this data is so cheap, there’s no reason not to save as much as possible, and save it all forever. Figuring out what isn’t worth saving is hard. And because someday the companies might figure out how to turn the data into money, until recently there was absolutely no downside to saving everything. That changed this past year. What all these data breaches are teaching us is that data is a toxic asset and saving it is dangerous . . . . We can be smarter than this. We need to regulate what corporations can do with our data at every stage: collection, storage, use, resale and disposal. We can make corporate executives personally liable so they know there’s a downside to taking chances. We can make the business models that involve massively surveilling people the less compelling ones, simply by making certain business practices illegal.”

— Bruce Schneier: Data is a Toxic Asset at his website Schneier on Security. Read the whole thing.

03/7/2016: 

The OPM Hack (link roundup – updated)

Update 08.31.2015:

China and Russia are Using Hacked Data to Target U.S. Spies, Officials Say – Los Angeles Times

How Bad? Very Bad:

Newly Disclosed Hack Got ‘Crown Jewels’; ‘This is Not the End of American Human Intelligence, but it’s a Significant Blow,’ a Former NSA Official Says – Politico

Hackers May Have Obtained Names of Chinese With Ties to U.S. Government – New York Times

The Hack on the U.S. Government was Not a ‘cyber Pearl Harbor’ (But it was a Very Big Deal) – Washington Post

Officials: Chinese Had Access to U.S. Security Clearance Data for One Year – Washington Post

Attack Gave Chinese Hackers Privileged Access to U.S. Systems – New York Times

China’s Hackers Got What They Came For – The Hill

Hacking as Offensive Counterintelligence; China’s Hack Just Wrecked American Espionage and China’s Spies Hit the Blackmail Jackpot With Data on 4 Million Federal Workers – John Schindler at his XXCommittee blog and at The Daily Beast

How Was It Discovered? During a Product Demo:

Report: Hack of Government Employee Records Discovered by Product Demo; Security Tools Vendor Found Breach, Active over a Year, at OPM During Sales Pitch – ArsTechnica

Level of OPM Incompetency? High. Very Old Software, Unencrypted Databases, and Foreign Contractors, Including Chinese, with Root Access:

Encryption “would not have helped” at OPM, Says DHS Official; Attackers had Valid User Credentials and Run of Network, Bypassing Security – ArsTechnica, with details of the OPM systems and lack of security

“!! OPM IT outsourced to foreign contractors, with root access, working from their home country. In this case, China” – John Schindler (@20committee): June 17, 2015

Oversight Chairman: Fire Leaders of Hacked Agency – Politico

Related:

5 Chinese Cyber Attacks That Might Be Even Worse Than the OPM Hack – Defense One

Quotes:

Former NSA and CIA Director Michael Hayden (quoted by Benjamin Wittes at Lawfare.com) on what he would have done, while serving in those positions, had he had the ability to obtain the Chinese equivalent of the OPM records:

“I would not have thought twice. I would not have asked permission. I’d have launched the star fleet. And we’d have brought those suckers home at the speed of light . . . This is shame on us for not protecting that kind of information.”

From Benjamin Wittes writing on the OPM hack at LawFare in his post “Is the Privacy Community Focused on the Wrong Government?”:

“For the record, I have no problem with the Chinese going after this kind of data. Espionage is a rough business and the Chinese owe as little to the privacy rights of our citizens as our intelligence services do to the employees of the Chinese government. It’s our government’s job to protect this material, knowing it could be used to compromise, threaten, or injure its people—not the job of the People’s Liberation Army to forbear collection of material that may have real utility. Yet I would have thought that privacy groups that take such strong views of the need to put limits on American collection, even American collection overseas against non-U.S. persons, would look a little askance at a foreign intelligence operation consisting of the bulk collection of the most highly-personal information—an operation involving not only government employees but also those close to them. You’d think this would raise someone’s privacy hackles, if not mine.”

Adam Elkus writing at BusinessInsider:

“[C]leaning up the systematic dysfunction in OPM and other agencies will require a harsh and swift hand and plenty of pink slips. Fantasizing about super-hackers and visions of cyber-doom are more fun than the boring but necessary drudgery, for example, of modernizing a decrepit and decaying federal information technology base or ensuring that basic security protocols are observed.”

Megan McArdle at BloombergView:

“The serial IT disasters we have seen over the past seven years do not need a blue-ribbon commission or a really stern memo to fix them. If we want these holes fixed before they become catastrophic, we need leaders with a scorched-earth determination to have adequate IT. The only way that determination happens is if these failures become an existential threat to the careers of the politicians in charge.”

08/31/2015: 

Wassenaar Arrangement Implementation (updated)

The Latest (08.01.2015) – Proposed Rules Pulled for Rewrite:

Pardon the “Intrusion” – Cybersecurity Worries Scuttle Wassenaar Changes – Lexology

Unusual Re-do of US Wassenaar Rules Applauded – Kaspersky Lab Threat Post

The US is Rewriting its Controversial Zero-day Export Policy – The Verge

Proposed Implementation:

Bureau of Industry and Security’s Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items (pdf; 49 pages)

BIS FAQs on the Intrusion and Surveillance Items Implementation

Background:

Wassenaar Arrangement – Wikipedia

The International Rules that Have the Security World on Alert – The Verge

Analysis and Opinion:

Why an Arms Control Pact has Security Experts Up in Arms – Kim Zetter in Wired

Proposed U.S. Export Controls: Implications for Zero-Day Vulnerabilities and Exploits – Mailyn Fidler at LawFare

Changes to Export Control Arrangement Apply to Computer Exploits and More – Jennifer Granick and Mailyn Fidler at JustSecurity

What Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It? – EFF

Also from the EFF: Commerce Department FAQ on Proposed Wassenaar Implementation Gives Answers, Raises More Questions

Why Changes to Wassenaar Make Oppression and Surveillance Easier, Not Harder – ADD/XOR/ROL blog

Why You Should Fear the New Regulations More Than You Think – Dave Aitel

Related:

Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis (pdf; 78 pages) – academic paper by Mailyn Fidler forthcoming in “I/S: A Journal of Law and Policy for the Information Society”

New Department of Defense Law of War Manual Chapter on Cyber Operations (updated)

The new DOD manual is the first since 1956 (pdf; 1,176 pages; the Cyber Operations portion, Chapter XVI, spans about 15 pages of the pdf, from page 994 to 1009).

Professor Kristen Eichensehr (UCLA Law School) writing at JustSecurity discusses how the new manual’s provisions treat hacking incidents such as the OPM hack.

Just Security’s “mini forum” (series of related posts) on the new Law of War Manual.

07/4/2015: 

Two Recent Podcasts of Note:

Striking a Balance – Whistleblowing, Leaks and Security Secrets (LawFare podcast)

Key portion: 00:07:29 (after intro and panelist bios) to 01:32:30 (when audience Q&A starts)
A discussion among Bob Litt (General Counsel, Office of the Director of National Intelligence), Ken Dilanian (Associated Press), Gabriel Schoenfeld (Hudson Institute) and Steve Vladeck (LawFare) about leaks, whistleblowing, the Espionage Act and Snowden.

Stewart Baker Discussion with Bruce Schneier (Steptoe CyberLaw podcast)

Key portion: 24:18 to 58:30
Bruce Schneier and Stewart Baker spar on a variety of topics, including the wisdom and legality of “hacking back”, Bruce’s book “Data and Goliath” and some general surveillance/privacy matters. Nothing particularly new here, but it is always interesting to hear these two, from opposite ends of the spectrum, tangle.

Quote of the Day:

“There is no argument whatsoever that the proliferation of devices and information are empowering. It is categorically true, not to mention obvious, that technology is today far more democratically available than it was yesterday and less than it will be tomorrow. 3D printing, the whole ‘maker’ community, DIY biology, micro-drones, search, home automation, constant contact with whomever you choose to be in constant contact with — these are all examples of democratizing technology. This is perhaps our last fundamental tradeoff before the Singularity occurs: Do we, as a society, want the comfort and convenience of increasingly technologic, invisible digital integration enough to pay for those benefits with the liberties that must be given up to be protected from the downsides of that integration? If, as Peter Bernstein said, risk is that more things can happen than will, then what is the ratio of things that can now happen that are good to things that can now happen that are bad? Is the good fraction growing faster than the bad fraction or the other way around? Is there a threshold of interdependence beyond which good or bad overwhelmingly dominate? Now that we need cybersecurity protections to the degree that we do, to whom does the responsibility devolve? If the worst laws are those that are unenforceable, what would we hope our lawmakers say about technologies that are not yet critical but soon will be?”

— Dan Geer on Where the Science is Taking Us in Cybersecurity; as they say, read the whole thing.

05/5/2015: 

China’s Great Cannon

Toronto’s Citizen Lab at the Munk School of Global Affairs posits in an online report that, separate and apart from China’s “Great Firewall”, China operates a “Great Cannon”: an offensive attack tool sitting in the path of traffic to (or from) selected IP addresses which, acting as a man-in-the-middle, can replace unencrypted content in transit. In the case the report documents, it injected malicious JavaScript into unencrypted requests for Baidu-hosted scripts, turning the browsers of visitors outside China into a DDoS botnet against GitHub and GreatFire.org. According to the report:

“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of ‘bystander’ systems outside China, silently programming their browsers to create a massive DDoS attack. While employed for a highly visible attack in this case, the Great Cannon clearly has the capability for use in a manner similar to the NSA’s QUANTUM system, affording China the opportunity to deliver exploits targeting any foreign computer that communicates with any China-based website not fully utilizing HTTPS.”
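The mechanism the report describes, as an added illustration (not code from the Citizen Lab report or from this page): an in-path injector that can only act on responses it can parse as plaintext HTTP, rewriting a JavaScript response so the bystander’s browser runs a payload, beside the browser-side Subresource Integrity check that refuses the tampered script. The HTTP response, the sample script, the injected payload and the hostname target.example are all constructed for the example; the “opaque record” is a stand-in for a TLS record, not real TLS.

```python
"""Simulation of the in-path script injection the Citizen Lab report attributes
to the Great Cannon, next to the browser-side integrity check that catches it.

This is an added illustration, not code from the Citizen Lab report or from
this page.  The HTTP response, the script, the injected payload and the
hostname target.example are all constructed for the example.  The point it
makes is the one in the quoted passage: the injector has to parse a plaintext
response to find a script to replace, so it can act only on traffic that is
not protected by HTTPS.
"""
import base64
import hashlib

# Constructed sample script, standing in for a third-party script fetched over
# plain HTTP (per the report, the Cannon hit requests for China-hosted scripts).
ORIGINAL_SCRIPT = b"window.analytics = {track: function () {}};\n"

# Constructed stand-in for the injected DDoS script: makes the bystander's
# browser fetch the target in a tight loop.  The hostname is made up.
INJECTED_PAYLOAD = b"setInterval(function () { fetch('http://target.example/'); }, 10);\n"

# Constructed stand-in for a TLS record: opaque bytes, not parseable as HTTP.
OPAQUE_RECORD = b"\x17\x03\x03\x00\x20" + bytes(b ^ 0x5A for b in ORIGINAL_SCRIPT[:32])


def build_response(body: bytes, content_type: bytes = b"application/javascript") -> bytes:
    """Plaintext HTTP/1.1 200 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


def parse_response(raw: bytes):
    """Split a plaintext HTTP/1.1 response into (status line, headers, body).

    Header names are lower-cased.  Input with no header/body separator is
    returned as (b"", {}, raw) so callers can tell it is not HTTP.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return b"", {}, raw
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def in_path_inject(raw: bytes, payload: bytes) -> bytes:
    """Model of the injector sitting on the path between client and server.

    Only plaintext JavaScript responses are rewritten: the payload is prepended
    so the original script still runs and the user notices nothing, and
    Content-Length is fixed up so the client sees a well-formed response.
    Anything it cannot parse as HTTP (TLS records, for instance) passes through.
    """
    status, headers, body = parse_response(raw)
    if not status.startswith(b"HTTP/1."):
        return raw                                   # not plaintext HTTP
    if b"javascript" not in headers.get(b"content-type", b""):
        return raw                                   # not a script: nothing to weaponize
    return build_response(payload + body, headers[b"content-type"])


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value ("sha256-<base64 digest>") for a script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def sri_check(raw: bytes, expected: str) -> bool:
    """What a browser does for <script integrity="sha256-...">: run the script
    only if the bytes actually received hash to the value the page embeds."""
    _, _, body = parse_response(raw)
    return sri_hash(body) == expected


if __name__ == "__main__":
    expected = sri_hash(ORIGINAL_SCRIPT)             # value the page author embeds
    clean = build_response(ORIGINAL_SCRIPT)
    tampered = in_path_inject(clean, INJECTED_PAYLOAD)
    print("clean response passes SRI:   ", sri_check(clean, expected))
    print("injected response passes SRI:", sri_check(tampered, expected))
    print("TLS-like record rewritten:   ", in_path_inject(OPAQUE_RECORD, INJECTED_PAYLOAD) != OPAQUE_RECORD)
```

The integrity check only helps if the HTML page that embeds the script is itself served over HTTPS; otherwise the same in-path device simply rewrites the integrity attribute along with the page. That is why the report’s closing caveat is about sites “not fully utilizing HTTPS” rather than about any one script.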

04/10/2015: 

President Obama on Surveillance, Cybersecurity and Related Matters


Re/code’s Kara Swisher interviews the President at Stanford University on February 13th (25 minute video).

00:20    Cybersecurity breaches
04:17    U.S. offensive capabilities
06:22    U.S. cybercommand
08:02    Government relationship with Silicon Valley
10:51    Encryption and Backdoors
15:24    Privacy and Data Ownership
18:13    Immigration, STEM, diversity, loss of U.S. tech leadership
23:22    President’s personal tech habits

But:

President Obama’s Cyber Pitch Misses Mark in Silicon Valley – The Hill

What President Obama is Getting Wrong about Encryption – The Washington Post

Equation Group (link roundup)

Background: Russian Researchers Expose Breakthrough U.S. Spying Program – Reuters

Additional Detail: How ‘Omnipotent’ Hackers Tied to NSA Hid for 14 Years and Were Found at Last – ArsTechnica

The Kaspersky Report that started it all: “Equation Group: Questions and Answers” (pdf; 44 pages)

Additional Links: The Equation Group’s Sophisticated Hacking and Exploitation Tools – Bruce Schneier at LawFare:

“This is targeted surveillance. There’s nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It’s doing it only to networks it wants to monitor . . . On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities. In the overall scheme of things, this is much less disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure. On the other hand, the NSA’s definition of ‘targeted’ can be pretty broad . . . On the other other hand — can I even have three hands? — I remember a line from my latest book: ‘Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.’ . . . We need to figure out how to maintain security in the face of these sorts of attacks, because we’re all going to be subjected to the criminal versions of them in three to five years. That’s the real problem.”

The entire (not-too-lengthy) post by Schneier at LawFare is worth a read.

Surprise: America Already Has a Manhattan Project for Developing Cyber Attacks – Kevin Poulsen in Wired

02/19/2015: 

How Secure are SecureDrop and Similar Services – in Design and in Use?

Point: How to Leak to The Intercept – Micah Lee at The Intercept

Counterpoint: The Intercept’s Invitation to Criminality — and to Intelligence Agencies – Benjamin Wittes at LawFare

Additional Debate: The Intercept, SecureDrop, and Foreign Intelligence Services: A Response – Benjamin Wittes at LawFare

Background: “DeadDrop/StrongBox Security Assessment (August 11, 2013)” (pdf)

02/19/2015: 

Matthew Green on Email Encryption

“The path to a proper encrypted email system isn’t that far off. At minimum, any real solution needs:

‘A proper approach to key management. This could be anything from centralized key management as in Apple’s iMessage — which would still be better than nothing — to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.’

‘Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.’

‘Cryptography that post-dates the Fresh Prince. Enough said.’

‘Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.'”

— Professor Matthew Green, Johns Hopkins University, writing at his blog: A Few Thoughts on Cryptographic Engineering.

Dan Geer: Cybersecurity as Realpolitik (video)

Dan Geer, CISO for In-Q-Tel, a not-for-profit investment firm that invests in technology that supports the missions of the CIA and broader U.S. intelligence community (i.e., the CIA’s venture arm), garnered headlines this past week for the proposal that the U.S. intelligence community corner the market on security vulnerabilities and then disclose them. His presentation at Black Hat 2014, however, is well worth watching in its entirety, as he touches on policy proposals on a wider variety of topics including:

Mandatory Vulnerability Reporting: 16:46
Net Neutrality: 22:20
Product Liability for Software: 25:31
Cyber Attack Counterstrikes: 32:12
Fallbacks/Resiliency: 33:28
Vulnerability Finding: 38:44
Right to be Forgotten: 40:15
Internet Voting: (only in Transcript)
Software Abandonment: 44:47
Convergence of Cyberspace and “Meatspace”: 47:04


08/11/2014: 


Another Reminder That Anonymity Tools Aren’t Foolproof – Vice’s MotherBoard: “Tails, the operating system favoured by journalists, activists, and Edward Snowden for its high degree of privacy protection, has been shown to have critical vulnerabilities in its code. By exploiting these, attackers could peel away a Tails user’s cloak of anonymity. It’s just the latest reminder that tools touted as ‘anonymous’ are not infallible.”

Back Doors in Apple’s Mobile Platform for Law Enforcement, Bosses, Spies (Possibly) — Cory Doctorow at BoingBoing: “Jonathan Zdziarski’s HOPE X talk, ‘Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices’, suggests that hundreds of millions of Iphone and Ipad devices ship from Apple with intentional back-doors that can be exploited by law enforcement, identity thieves, spies, and employers.”

Tor Break Talk Axed from Black Hat Conference — ZDNet: “A proposed talk by two Carnegie Mellon University researchers demonstrating how to de-anonymise Tor users on a budget of US$3,000 has been axed from the Black Hat USA 2014 conference in Las Vegas next month. The talk, ‘You don’t have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ by speakers, Alexander Volynkin and Michael McCord, from Carnegie Mellon University’s Computer Emergency Response Team, had reportedly been highly anticipated by punters.”

Visit the Wrong Website, and the FBI Could End Up in Your Computer — Wired: “Security experts call it a ‘drive-by download’: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hackers’ clutches within minutes . . . For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”

Putin Sets $110,000 Bounty for Cracking Tor as Anonymous Internet Usage in Russia Surges — Bloomberg.

08/6/2014: