On Monday this week Christopher Soghoian will hold a virtual conversation with Edward Snowden during SXSW 2014. Not everybody is pleased. Congressman Michael Richard Pompeo (Kansas) has written to the organizers requesting that the invitation to Snowden be withdrawn.
People of the world, I urge you to read Pompeo’s letter in full, to witness authoritarian doublespeak claptrap at its best.
People of Kansas — just get rid of him.
Pompeo writes, “In case you did not have access to the full facts in making your initial decision to extend your invitation, I want to call a few undisputed facts about the actions taken by Mr Snowden to your attention…”
OK, let’s have a look at Pompeo’s ‘undisputed facts’.
Only a tiny sliver of the materials stolen by Mr Snowden had anything to do with United States telecommunications or the privacy rights of Americans.
That ‘tiny sliver’ shows that the NSA interprets the law to allow it to spy on all Americans at all times. A recent example of the extent of NSA legal contortions will suffice to demonstrate. The spy agency discussed the feasibility of classifying Wikileaks as a “malicious foreign actor” for surveillance purposes. “If the foreign IP is consistently associated with malicious cyber activity against the U.S., so, tied to a foreign individual or organization known to direct malicious activity our way, then there is no need to defeat any to, from, or about U.S. Persons. This is based on the description that one end of the communication would always be this suspect foreign IP, and so therefore any U.S. Person communicant would be incidental to the foreign intelligence task.”
This argument could be applied to any ‘dubious’ website that ever questions US foreign and domestic policy. The Pirate Bay was discussed. Others could easily be included. RT? Al Jazeera? If the argument were applied, then any American visitor to any such circumscribed website would become a legitimate target of surveillance; and the NSA document makes it clear that is the primary purpose – a method of circumventing US law. Americans should remember, this surveillance would not simply be metadata, but actual content.
So, Pompeo’s ‘tiny sliver’ clearly demonstrates that all Americans are to be considered targets at all times. But just in semantic terms, how can it be an ‘undisputed fact’ when the vast majority of the documents have not yet been disclosed?
I would here appeal to the American people. Just consider the utter contempt that the NSA shows towards all foreigners. I am a foreigner, a journalist and a blogger – and I am a legitimate target for the NSA. This cannot be right. You have a strong sense of ‘freedom’. Much of that stems from the Declaration of Independence, which most famously states:
We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.
It says ‘all men’, not just ‘all Americans’. Should that not include me? Am I to be excluded from your view of freedom? (Lest you believe me a hypocrite, let me just say that I believe that the UK and GCHQ are far worse – you at least are discussing this; open discussion here has effectively been squashed by the UK government.)
Mr. Snowden cares more about personal fame than personal privacy
I would question that. He handed the documents to a journalist and has played no part in their publication. He does not seek out publicity nor interviews; but grants them when requested and if possible.
Mr. Snowden gives real whistleblowers a bad name
Excuse me? If he had attempted the official routes he would rapidly have been silenced. I don’t know about the US, but I strongly believe it to be similar to the UK, where potential whistleblowers tend to get suicided (Dr David Kelly and Gareth Williams are two relatively recent examples). Official whistleblowing routes are simply not an option at this level. If he were in the UK, his best bet for survival would be to feign madness – consider David Icke (who espouses the Lizard conspiracy) and David Shayler (who told the world he was the Messiah).
When I served in the Army along the Iron Curtain we had a word for a person who absconds with information and provides it to another nation: traitor. We also had a name for a person who chooses to reveal secrets he had personally promised to protect: common criminal. Mr. Snowden is both a traitor and a common criminal.
This is the biggest lie of all put forward by NSA apologists from Obama downwards. Snowden is charged under the Espionage Act, which makes him a traitor. But the Espionage Act is a law subservient, as all laws are, to the US Constitution. There are some who say that NSA actions are constitutional; but there is a growing legal, ethical and moral view that it at least contravenes the Fourth Amendment.
I suspect that all Americans consider themselves bound by the US Oath of Allegiance. I know that all who work in or for government – and that includes Obama, Pompeo and Edward Snowden – are so bound. That oath includes, “I will support and defend the Constitution and laws of the United States of America against all enemies, foreign and domestic.”
The Constitution is primary, and if Snowden believed (as many academics and legal minds also believe) that the NSA was acting in defiance of the Constitution, then he was duty bound to try to defend the Constitution. By that same token, those who support the NSA in breach of the Constitution are themselves in breach of their Oath of Allegiance – and that makes them, not Snowden, the traitors.
It is perfectly reasonable to question Snowden’s actions, and to have any view you like on them. But to twist reality to blacken his name and dampen open discussion is, frankly, pretty despicable.
I did a news story in Infosecurity Magazine yesterday: Meetup Fighting Prolonged DDoS Attack. The gist is that the social network site, meetup — which promotes the idea of both dispersed and local ‘groups’ and group activities — had been under intermittent DDoS attack since last Thursday.
CEO Scott Heiferman has blogged about the attack. It started with an email warning that said the attacker had been commissioned by a competitor to attack him — but that he would abandon the attack on payment of $300. Heiferman thinks the $300 was just to test the water; to see if meetup would be susceptible to further extortion in the future.
That’s possible; but given the commoditization of DDoS as a service, it is equally likely to be the actual cost of the attack; and the attacker was seeing if he could get his fee without the effort of the attack.
But in all of this there is one question unanswered. Heiferman stresses that throughout the attack his engineers have been toiling to keep the site up and running, and actually says that he spends millions of dollars every year on security. What is clear is that he has spent little or nothing on DDoS mitigation — and is possibly still spending nothing on third-party mitigation (else his problem would probably have long been solved).
I spoke to Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation firm) to try to understand what’s going on. While we don’t yet know who is behind the attack, what if any competitor was involved, nor the type of DDoS attack used, what is clear, Stephenson told me, is that “it appears the meetup site had no proactive defence in place. Similarly their primary ISP or Hosting Provider was not able to successfully defend their customer against the volume or sophistication of the threat.”
But it would have started much earlier. “Long before the demand for cash was made, attackers were likely probing the meetup service, searching for vulnerabilities and preparing to launch an attack that would do the most harm.”
This is one reason why companies need to be proactive and mitigate DDoS before it starts rather than be reactive and attempt to contain an attack when in full sway. “A technology solution with the capabilities to detect, analyze and ultimately mitigate DDoS attacks, could provide an early alert on such suspicious activity, and help to protect against the malicious activity as soon as it escalates.”
Most companies’ preparation for a DDoS attack is simply to ask themselves, ‘would I pay or would I fight?’; but then they fail to ask themselves: ‘OK, how would I fight this?’
“The lesson to be learned here, unfortunately at the expense of meetup,” said Stephenson, “is that businesses need to think proactively and prepare for cyber attack scenarios, before they hit.”
It makes sense. Most companies buy an anti-malware system not because they have a malware infection, but because of the possibility that they might get one. The same mentality needs to be developed about DDoS attacks and DDoS mitigation — it’s best to get the defence in before the attack, because that attack is becoming increasingly likely, and increasingly dangerous.
I got an email this morning from a friend, a world-renowned security expert, and — dare I say it — an ex-detective.
He was in trouble. In Ukraine. He’d been mugged and lost his money. His passport had been impounded by his hotel, and he was stuck. Could I help?
Well, even Google can recognise a London Scam (Dear Mum, I’ve been mugged in London — please send money); although I personally haven’t seen one for a couple of years now.
But the interesting thing here is that the scammer used the correct email address: email@example.com. Closer inspection showed, however, that the reply address was slightly different: firstname.lastname@example.org.
So what we have is a scammer who had taken the trouble to find a relationship between two people and register an email address close to one of them. We can assume that the real a.person hasn’t been hacked and lost his contact list; otherwise the scammer wouldn’t have needed the separate reply-to address. So the question is, how did the scammer tie the two of us together?
Finding my email is not a problem — as a journalist I hardly keep it secret. I would expect the real a.person to be more circumspect, however. And then there’s the relationship. I guess LinkedIn and Twitter serve a few more functions than most of us realise…
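As an added example (not part of the original post), here is the check a mail filter or a wary recipient could run for exactly this pattern: a Reply-To that differs from From, with a domain only a character or two away from the real one. The message and addresses below are constructed placeholders, not the ones from the actual email.

```python
# Added example, not from the original post: flag a message whose Reply-To
# address differs from its From address, and score how closely the two
# domains resemble each other. The sample messages below are constructed;
# the addresses are placeholders, not the ones from the real email.
from email import message_from_string
from email.utils import parseaddr


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def address_parts(header_value):
    """Return (local_part, domain), lower-cased, from a From/Reply-To value."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def check_reply_to(raw_message: str) -> dict:
    """Compare From and Reply-To; report whether a reply would go elsewhere."""
    msg = message_from_string(raw_message)
    from_local, from_domain = address_parts(msg.get("From"))
    reply_local, reply_domain = address_parts(msg.get("Reply-To"))
    result = {
        "from": f"{from_local}@{from_domain}" if from_domain else "",
        "reply_to": f"{reply_local}@{reply_domain}" if reply_domain else "",
        "mismatch": False,
        "lookalike": False,
        "domain_distance": None,
    }
    if not reply_domain:
        return result  # no Reply-To: replies go to From, nothing to flag
    if (reply_local, reply_domain) == (from_local, from_domain):
        return result
    result["mismatch"] = True
    dist = levenshtein(from_domain, reply_domain)
    result["domain_distance"] = dist
    # Same mailbox name and a domain within two edits of the real one is the
    # near-identical-address pattern described in the post; a Reply-To on the
    # same domain (distance 0) is the ordinary, legitimate case.
    result["lookalike"] = (reply_local == from_local and 0 < dist <= 2)
    return result


# Constructed sample resembling the scam: From looks like the friend's real
# address, Reply-To swaps the domain for a near-twin ("l" replaced by "1").
SAMPLE_SCAM = """\
From: A Person <a.person@example.com>
Reply-To: A Person <a.person@examp1e.com>
Subject: Urgent - stuck in Ukraine
To: journalist@example.net

I've been mugged and the hotel has my passport. Can you help?
"""

# Constructed legitimate sample: Reply-To points to another mailbox on the
# same domain, which is normal for newsletters and ticketing systems.
SAMPLE_LEGIT = """\
From: Newsletter <news@example.com>
Reply-To: Editor <editor@example.com>
Subject: This week's issue
To: journalist@example.net

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, check_reply_to(raw))
```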
When I wrote the piece, Is the AV industry in bed with the NSA, I concluded that on balance it probably is. I have no evidence. It’s just that I cannot believe that an organization complicit in developing and deploying its own malware, and able to ‘socially engineer’ RSA into doing its bidding, would leave AV untouched.
Obviously I spoke to people in the industry. In private conversation with one contact, while accepting his own protestations of innocence, I asked, “What about McAfee and Symantec?” He paused; but then said, “If I had to question anyone, those are the two names that would come to mind.”
I should say, again, that I have no evidence. It’s just doubts born out of the repetition of hyped-up statistics, frequently used by government to justify its actions, and what appears to be preferential treatment from government.
A couple of months later, the Dutch digital liberty group Bits of Freedom wrote to the leading AV companies for a formal position. One of the questions it asked was, “Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software?”
My understanding is that some, but not all, AV companies replied, in writing, that they do not collaborate with governments.
F-Secure’s Mikko Hyppönen spoke yesterday at the TrustyCon conference. I wasn’t there, so this is from The Register’s report:
A surprising number of governments are now deploying their own custom malware – and the end result could be chaos for the rest of us, F-Secure’s malware chief Mikko Hyppönen told the TrustyCon conference in San Francisco on Thursday…
While ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro replied to Bits of Information, Symantec and McAfee (among others) have not responded, Hyppönen claimed.
Same names. Coincidence? I wonder.
The American tech giants – Facebook in this instance – still don’t get it over the NSA spying programmes
The following is a transcription of a brief interview given by Mark Zuckerberg. The original can be found on TechCrunch here.
I’ve tidied it up a bit – removed the ‘ums’ and ‘rights’ and ‘you knows’ – just to make it more legible. I struggled over that because they clearly demonstrate where Zuckerberg is comfortable and where he is not comfortable with what he says; but I went ahead because what he says rather than his level of comfort is important to me. Anyway, here’s what is left:
We take our role really seriously. I think it’s my job and our job to protect everyone who uses Facebook and all the information that they share with us. It’s our government’s job to protect all of us and also to protect our freedoms and protect the economy, and companies; and I think they did a bad job of balancing those things. So frankly I think that the government blew it. I think that they blew it on communicating what they [were doing]; basically the balance of what they were going for.
The morning after the start of [the scandal] breaking, people asked [the government] what they thought; and the government’s comment was, “Oh don’t worry, basically we’re not spying on any Americans.”
Right. Wonderful. That’s really helpful to companies who are trying to serve people around the world, and [it's] really gonna inspire confidence in American internet companies. Thanks for going out there and being really clear about what you’re doing. I think that was really bad.
We’ve been pushing just to get more transparency on this, and I actually think we’ve made a big difference. The big question that you get from all the coverage is, what’s the volume of the total number of requests going on? Is it closer to a thousand requests that the government is making of us, or is it closer to 100 million? I mean, from the coverage and from what the government has said you would not know the difference. But we worked really hard with the government, behind the scenes, to get to the point where we could release the aggregate number of requests. It was around 9000 in the last half year.
Does that number tell us everything we want? No. And that’s why when the conversations got to the point where we weren’t going to make further progress, we decided to sue them so that we could reveal, is it 1000 or 2000 or 3000 or 4000 or 8000 of the 9000 requests. But the reality is, because of the transparency that we pushed for, now people can know and deserve to know that the number of requests that the government is making is closer to 1000 (it’s 9000 or less in the last six months), and definitely not, you know, 10 million or 100 million…
Really, Mark? Do you think that knowing the NSA made just over 1000 requests for your customers’ details rather than 9000 makes it all right – and that they can carry on, without judicial oversight, as they are? It’s the fact, not the volume, of NSA spying that is wrong, just plain wrong. Until the American tech giants stop hiding behind their really quite meaningless ‘transparency’ demands and empty successes over the NSA, then anger – and especially non-American anger – will remain at a high level.
Oh; and did I mention the word ‘hypocrite’? Facebook suggesting that the NSA isn’t taking sufficient care over users’ privacy? Really?
There was never any doubt that the detention of David Miranda at Heathrow under section 7 of the Terrorism Act was in fact legal. Now the arbiters of The Law have confirmed it in a judgment delivered earlier this week.
There is some good news, some bad news and a lot of not-unexpected news in this judgment. The not-unexpected news is that the Terrorism Act allows GCHQ to do just about whatever it pleases. The manufactured War against Terror has had the effect of turning the UK into a police state under the control of the security services and enforced by Her Majesty’s Constabulary. Anything can be defined, with a little imagination, as a potential act of terrorism; and therefore under the jurisdiction of the over-broad power of the Terrorism Act.
The good news is that the police did not immediately nor automatically accept GCHQ’s request for a port stop (ie, detention) on David Miranda as he passed through Heathrow. It was not until the police received a detailed request precisely applied to the Terrorism Act that they were effectively forced to respond. From the ruling:
“We assess that MIRANDA is knowingly carrying material, the release of which would endanger people’s lives. Additionally the disclosure, or threat of disclosure, is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism and as such we request that the subject is examined under Schedule 7.”
from the David Miranda judgment
Compare this to my assessment at the time:
So, three tests for terrorism. Applying these to David Miranda, and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
Was David Miranda’s detention a legal and reasonable application of the Terrorism Act?
The bad news is that this is absurd. David Miranda is clearly not a terrorist. That means that what he was doing was an act of terrorism. That means that helping a journalist (in this case Glenn Greenwald) do his job, which most people would define as being in the public interest, can in itself be an act of terror — and that, frankly, is scary.
The Arbiters of The Law effectively confirm that the invocation of the Terrorism Act removes all other freedoms and rights:
In my judgment the Schedule 7 stop was a proportionate measure in the circumstances. Its objective was not only legitimate, but very pressing. The demands of journalistic free expression were qualified in the ways I have explained. In a press freedom case, the fourth requirement in the catalogue of proportionality involves as I have said the striking of a balance between two aspects of the public interest: press freedom itself on one hand, and on the other whatever is sought to justify the interference: here national security. On the facts of this case, the balance is plainly in favour of the latter.
This is a sad day for natural justice. But we cannot blame the judges. Their function is to interpret the law. Nor can we blame the police. Their function is to enforce the law. The blame rests solely on our weak politicians, under the sway of over-powerful intelligence services, who make the laws. It is the intelligence services, through threats and blackmail, who get their wishes translated into law. It is weak politicians who have sold out the people.
The United States would be well advised not to dismiss European anger over the NSA — but so far the US doesn’t seem to be taking the EU’s concerns seriously. Consider the safe harbour agreement, and the growing movement to suspend it.
Safe harbour is an official arrangement that allows American companies to circumvent the European data protection laws. These laws prohibit the export of personal European data to any country that does not have comparable data protection laws. The United States does not. On the face of it, then, this would stop companies like Google and Yahoo and Facebook operating in Europe since they ‘export’ their users’ data to servers in the US.
To avoid this, the EU and US developed the Safe Harbour. Provided individual companies are certified to provide a comparable level of data protection to that required in the EU, safe harbour allows US companies to store EU data in the US. That certification can be provided by a qualified third-party, or it can be self-certification. One of the conditions included is that personal EU data will not be passed on to third parties.
But this requirement is clearly being breached by the NSA’s Prism programme. It doesn’t matter whether US cloud companies are giving EU data to the NSA willingly or even knowingly — that it happens is in contravention to safe harbour. So the mood in Europe is simple: if safe harbour isn’t being honoured, it would be better to suspend it. If this were to happen as things stand, companies like Google and Facebook would no longer be able to operate in Europe.
Why I don’t think America is taking this threat seriously
In December 2013, a US think tank called Future of Privacy Forum (FPF) published a report concluding, “It would be unwise at this stage of the Safe Harbor to pull back on this effective program.” It claims that safe harbour is working — when Prism shows it is not.
FPF’s first argument is that “eliminating the Safe Harbor will not prevent the NSA from accessing EU citizens’ data.” Seriously? Is FPF really suggesting that since the NSA will disregard the law, we shouldn’t bother having any laws?
Its second argument is that even US companies that allow their safe harbour certifications to lapse are “still subject to FTC Section 5 enforcement for any substantive violations of the Safe Harbor principles committed while it claims to be a member.” Luckily, we can test that assertion, because the FTC has just taken enforcement action against 12 US companies for that very infringement.
Following complaints, the FTC took action against the companies which resulted in settlements. The settlement agreements now prohibit the companies from falsely stating to be Safe Harbour certified.
FTC takes safe harbor enforcement action against 12 US corporations
So, the punishment for ignoring safe harbour rules is to agree to stop ignoring safe harbour rules; which can be done via self certification.
This is not the behaviour of a country that is taking Europe seriously.
Is it even possible for Europe to suspend safe harbour?
This is the crux of the problem. America clearly believes that it would be impossible: Google, Facebook, Microsoft, Yahoo etc, etc are so deeply woven into the social and economic fabric of Europe that it would not dare, in the final analysis, to pull the plug. That, I fear, would be a catastrophic underestimate of European determination.
Consider some of Europe’s recent announcements. It is preparing itself for a life without US tech giants, and even a life without the UK. (Incidentally, David Cameron will rapidly discover how insignificant the UK will be considered by the US if it can no longer influence the EU in favour of the US; and GCHQ, like the NSA, can no longer spy on Europe.)
Firstly, the EU has declared it wishes to be an honest broker between US and UN ownership of internet governance. In other words, the European bloc is no longer in blind support of the US position — it is preparing for, and in doing so it is making inevitable, a time when US control is removed.
Secondly, Angela Merkel has indicated a Franco-German intent to build a European internet outside of the NSA’s reach. US companies will either have to agree to play by European rules, or be excluded from Europe. (That, of course, applies equally to the UK and GCHQ. Nigel Farage of UKIP wants the UK to leave the EU; Cameron, who doesn’t, is close to getting the UK excluded by default.)
Faced with such a decision, the US companies will take a commercial position and play by the rules of what will effectively be a heavily policed virtual internet within and for Europe. Microsoft has already broken ranks and said it will ensure European data remains in servers within Europe. The problem for Microsoft will come when it receives a FISC order demanding EU data from those European servers. The danger for the United States is that under such circumstances, some of those companies will emigrate from America in order to maintain their European presence.
So, as I said at the beginning, the US would be well-advised to take Europe seriously. Europe is older and more patient than America. It can and will take the long view over this issue.
I had to speak to my GP today. It was a telephone consultation with what is, generally speaking, a pretty good surgery.
When we finished, I said, “While I’ve got you, I’d like to state my objection to inclusion in care.data.”
“In what?” he replied. “Care…?”
I explained. “I want to stress that I must not personally be identifiable with any health data that leaves your premises, nor any data that leaves HSCIC.”
“Oh,” he said. “You’ll have to write to the practice manager about that.” (Well, I have already done that; but the advantage of repeating it here is that I now have a recording of the event. Letters can be lost or denied; a recording in my possession cannot. It’s good, this VoIP thing.)
“No,” I said. “According to the official NHS documentation, all I have to do is tell you.”
“Oh, all right. I’ll pass it on to the practice manager. She’s probably got a form for you to fill in.”
“While we’re at it,” I added, “I’d like a comment added to my notes, please. I object to any of my personal records leaving your care at all. It is my opinion that if that happens, it will be in contravention of the European Union’s Data Protection Directive.”
I’m not a lawyer, obviously — but then neither is he.
But actually I do believe it would contravene the data protection principles for two basic reasons. Despite all the publicity about an explanatory leaflet from the NHS, I have never received one. That means that I have not been informed that my personal data is going to be passed to a third-party, nor have I had the process explained to me; and that while I should have to opt in to this process, I haven’t even been given the opportunity to opt out.
It all just goes to show that the whole thing is a deceitful farce.
I got this Skype message this morning from a much-loved and well-respected colleague:
Well it was news to me; so I asked what made him think that. He sent me a link; and that link led me to this:
And so it continues – I am mentioned 28 times on this page.
I quickly checked my emails to see if some rich aunt had passed over and left me a new website in her will; but all I could find were a few other opportunities:
…my name is Michael Smith and I want you to assist me received huge sum of (Ten Million Five Hundred Thousand United States Dollars) for Investment purpose in your country and am willing to offer you 40% of the total sum for your great support. You might also wonder how i got your contact, I got it through the internet when i was looking for a trust worthy person i can trust to handle this project.
(yes, there was my rich aunt in all her glory still very much alive), and this
…a woman with the name (Ms. Gail Jackson) Came to Our Office with an Application Stating That she is your sister and You Gave Her the Power Of Attorney to Be the Beneficiary of Your Outstanding Contract Award Funds. She Made Us To Believe That You Are Dead And That She Is Your Next Of Kin…
That last one was worth $5.6 million; but sadly it was mistaken identity – I’ve never had a sister.
The reality is probably less interesting. It’s probably a new site under development. The developer is using a privacy statement template, and where it says ‘enter your name’, he entered mine. Or maybe all of the variables are in a separate file and are merged automatically; but in this instance they’ve got out of sync.
Sadly, I do not have a new gig with wossname; and I have no idea how my name became so elevated. But it is gratifying, nevertheless…