NSA Director Admiral Michael Rogers said at a cyber security conference in Washington DC Monday this week that the government needs to develop a “framework” so that the NSA and law enforcement agencies could read encrypted data when they need and he was immediately challenged by top security experts from the tech industry, most notably Yahoo’s chief information security officer Alex Stamos (see transcript).
This is probably the most telling moment of how US President Barack Obama is still on the wrong frequency on cyber matters…
Obama blamed the “impact on their [the tech companies] bottom lines” for the mistrust between the government and Silicon Valley in the aftermath of the Snowden revelations. These were his words, straight from the POTUSA mouth rather than reading from the scripts, in an exclusive interview with Re/code’s Kara Swisher (see video below) following the well publicized cybersecurity summit at Stanford University last Friday, when he signed an executive order to encourage the private sector to share cybersecurity threat information with other companies and the US government.
Contrast that with the high-profile speech by Apple CEO Tim Cook (see video below), who warned about “life and death” and “dire consequences” in sacrificing the right to privacy as technology companies had a duty to protect their customers.
His speech was delivered before Obama’s address to the summit – which the White House organized to foster better cooperation and the sharing of private information with Silicon Valley – best remembered for the absence of leaders from tech giants like Google, Yahoo and Facebook who gave Obama the snub amid growing tensions between Silicon Valley and the Obama administration. Heavyweights whom Obama counted as “my friends” in the Re/code interview (watch closely his expression at the 39th second of the clip above).
Popular search engines like Google, Yahoo and Bing can only access 5 percent of all the contents in the internet space. So that’s one good reason to be excited about the new breed search engine Memex, now at beta stage, developed by the US military’s Defense Advanced Research Projects Agency (DARPA) which is capable of ploughing through the entire web space including the Dark Web, that part (much of the other 95 percent) of the cyber ecosystem where criminals operate in the shadows to buy, sell and advertise their illegal trades such as weapons and sex trafficking.
Find out more about MEMEX from this exclusive 60 Minutes clip:
And more about the Dark Web:
In what looks like the opening salvo in response to the major cyberattack on Sony Pictures Entertainment, the United States slapped North Korea with a new round of sanctions last Friday when President Obama signed an Executive Order authorizing the imposition of sanctions and designated 3 entities and 10 individuals for being agencies or officials of the North Korean government.
According to a Treasury Department statement:
The identifiers of these 10 individuals are:
But the US government knew sanctions have had limited impact on the Hermit Kingdom. The new sanctions might be deemed as swift and decisive measures in some quarters but it is really nothing more than a window-dressing of sorts – much like animating a gun with one’s fingers under a coat as a first warning at best. Consider, for example, what kind of impact should one expect from these new sanctions anyway? The 3 organizations were already on the US sanctions list and the 10 North Koreans are highly unlikely to have assets in the US, at least not under their name.
In any case, the horizon ahead of 2015 is likely to be proliferated with more headlines about catastrophic data breaches.
And the Sony cyberattack actually pale in comparison to other data breaches on record, as shown (below) by independent data journalist and information designer David McCandless – you can also click on the bubbles to find out about these cases shown in the chart and table nicely compiled and presented in his blog.
Question: If the NSA managed to threaten and make Internet and technology giants like Yahoo, Google, Apple, Facebook, etc to hand over our metadata, who else could they target?
The US Postal Service?
And why not – since the information like names, addresses and postmark dates of both the senders and recipients conveniently splashed on the package covers could provide valuable investigative leads to law enforcement agencies?
As it turned out, the USPS Office of Inspector General (OIG) — the internal watchdog of the postal service – found that “USPS captured information from the outside of about 49,000 pieces of consumer mail in 2013 and turned much of it over to law enforcement organizations throughout the country, unbeknownst to the intended senders and recipients” – see full story below.
The US Postal Service has been quietly surveilling more mail than anyone thought
Program captured information from the outside of 49,000 pieces of mail in 2013 alone, sharing it with law enforcement agents
By Carl Franzen on October 28, 2014 02:15 pm
Snail mail is growing steadily less popular thanks to the internet, but people in the US still send lots of it every year — over 158 billion pieces of mail were handled by the US Postal Service in 2013 alone. As it turns out, the USPS has also been quietly spying on way more of the mail passing through its doors than previously acknowledged. A report from the agency’s internal watchdog — the USPS Office of Inspector General (OIG) — found that USPS captured information from the outside of about 49,000 pieces of consumer mail in 2013 and turned much of it over to law enforcement organizations throughout the country, unbeknownst to the intended senders and recipients. This information reportedly did not include the contents of letters and packages, but rather was limited to the information appearing only on the exterior, such as names, addresses, and postmark dates.
The report on the USPS information capturing program, called “mail covers,” was initially published to little fanfare over the summer and subsequently reported on by Politico, but is getting more attention now with an article appearing today in The New York Times that includes additional details.
First some background: the mail covers program is hardly new, it’s been in existence for over a hundred years, as The Times notes. It’s also not as invasive as a full search warrant for the contents of mail, which the USPS also grants (although only for federal search warrants; state search warrants aren’t accepted by the agency). In a guide for law enforcement agencies, the USPS explains exactly how the program works: a police officer/law enforcement agent needs to be already conducting an investigation into a suspected felony and have the names and addresses for their intended surveillance targets. The officer must send this information to the USPS through the mail or provide it verbally (in person or over the phone), along with a reason why the mail cover is needed. Then the USPS will begin capturing the information from the exterior of all the targets’ incoming and outgoing mail for up to 30 days (although extensions are available). The USPS says that “information from a mail cover often provides valuable investigative leads,” but adds that it “is confidential and should be restricted to those persons who are participating in the investigation.”
However, as the OIG report found, there are numerous problems with the way the USPS has been running the mail covers program. For starters, the USPS has a mail cover app that apparently doesn’t work very well and is blamed for the agency continuing to capture information from the mail of 928 targets even after the surveillance period was supposed to have ended. The USPS also appears to have started mail cover surveillance on targets without sufficient justification from law enforcement as to why it was needed, and some USPS employees didn’t even keep the written justification on file like they were supposed to. And in a further failure of duty, several mail covers weren’t started on time. Perhaps most troubling of all, the USPS doesn’t appear to have been accurately reporting the total number of mail covers in its official records provided to the Times under Freedom of Information Act requests, which show only 100,000 total requests for mail surveillance between 2001 and 2012 (an average of 8,000 a year, way fewer than the 49,000 mail covers acknowledged in the OIG report). The USPS said it agreed with the findings of the OIG report and would work to implement changes, but for an agency already struggling with how to move into the future, the findings are hardly good news.
From China with Love
It’s the one year anniversary of what is now known as the Snowden revelations, which appeared on June 5 and June 9 when The Guardian broke news of classified National Security Agency documents and Edward Snowden revealed himself in Hong Kong as the source of those leaks.
There is still much to decipher from the chronology of events in the aftermath and the sudden global awakening to the end of privacy. Among the impacts on the personal, business and political fronts, one interesting salient feature is the hypocritical rhetorical spats between the US and China in recent weeks, which could set the undertone for US-Sino relations for years to come.
Snowden said his biggest fear is that nothing would change following his bold decision a year ago.
You can find the entire column here.
The open source OpenSSL project revealed Monday a serious security vulnerability known as the “Heartbleed” bug that is used by two-third of the web to encrypt data, ie. to protect usernames, passwords and any sensitive information on secure websites. Yahoo is said to be the most exposed to Heartbleed but the company said it has fixed the core vulnerability on its main sites. There are several things you would need to do to check for Heartbleed bug and protect yourself from it, apart from changing your passwords. And according to the Tor project, staying away from the internet entirely for several days might be a good idea.
Time for Standardized Data Breach Law
The latest hack on Bitcoin exchange Mt.Gox, leading to its sudden bankruptcy late February, and the spate of recent cyber-attacks have prompted warnings of a wave of serious cybercrimes ahead as hackers continue to breach the antiquated payment systems of companies like many top retailers.
Stock exchange regulators like the American SEC have rules for disclosures when company database were hacked but the general public is often at the mercy of private companies less inclined or compelled to raise red flags.
The private sector, policymakers and regulators have been slow to respond and address the increasing threats and sophistication of cybercriminals – only 11 percent of companies adopt industry-standard security measures, leaving our personal data highly vulnerable.
Time for a standardized data breach law?
Take your pick: Edward Snowden, Internet and phone service providers, or just everybody?
The furor over the past week about how US intelligence agencies like the National Security Agency and the Federal Bureau of Investigation have for years scooped up massive loads of private communications data raises one critical and distressing question.
Who, worldwide and in the US, are the general public supposed to trust now that it seems all forms of digital and cyber communications risk being read by the American authorities? The Americans, it seems, don’t believe it’s that big a deal. By 62-34, according to the latest poll by Pew Research and the Washington Post, they say it’s more important to investigate the threats than protect their privacy. But what about the rest of the world?
The immediate acknowledgement, rather than point blank denial, of the massive clandestine eavesdropping programs is no doubt alarming even for those long suspicious of such covert undertakings. But the more disturbing part is that the official response amounts to plain outright lies.
Please read this entire Opinion Column here.