Entries Tagged 'Government'

Instapaper Server, Including Data and Codebase, Seized by FBI in an Unrelated Raid

Early Tuesday morning, the FBI raided a datacenter run by the Swiss hosting company DigitalOne in what it claimed was a move to thwart "international cyber crime rings distributing scareware." But it appears as though the Feds seized a lot more than just those "scareware" servers, as, according to Marco Arment, creator of Instapaper, one of the servers that the startup leased from DigitalOne was also taken.

The FBI raid on Tuesday caused outages to several services unrelated to the alleged criminal activities, including that of the bookmarking tool Pinboard. While Instapaper itself wasn't knocked offline, Arment says that the server it leases from DigitalOne remains offline.

"As far as I know," says Arment, "my single DigitalOne server was among those taken by the FBI (which I'm now calling "stolen" since I assume it was not included in the warrant). I'm assuming this because it became unreachable and stopped sending updates to my internal monitoring system at approximately the time that the FBI raided the datacenter, and has not come online again since then."

Arment was using this server as a MySQL replication slave to help improve the site's performance. Without this server, says Arment, Instapaper has been slower. While, yes, Instapaper did remain online, the results of the seizure are still incredibly troubling.

Arment says that the FBI now presumably is in possession of a complete copy of the Instapaper database, including a full list of users and any non-deleted bookmarks. While passwords for Instapaper are stored only as hashes, the email addresses associated with users are stored in the clear as are the contents of the bookmarks. The server also contained a complete copy of the Instapaper website codebase.

Arment laments that, "due to the police culture in the United States, especially at the federal level, I don't expect to ever get an explanation for this, have the server or its data returned, or be reimbursed for the damage they have illegally caused."

The FBI has been actively seizing domains lately, something that the EFF, among others, is challenging as a First Amendment violation. The seizure of the DigitalOne servers certainly points to other problems that are being caused by the U.S. government's efforts to crack down on "cybercrime."

As an avid Instapaper and Pinboard user, I certainly don't feel safer now. Do you?


There Are No Lulz in Prison: U.S. Gov Seeks Longer Prison Sentences for Criminal Hackers

Criminal and black hat hackers beware: if the U.S. government finds you, it is not going to be lenient.

The stakes are rising in the world of cybersecurity and the Obama administration is not taking it lightly. The White House has proposed to Congress an increase in maximum jail time for criminal hackers whose acts are "potentially endangering national security" from 10 to 20 years, according to Reuters. With Anonymous and Lulz Security bouncing around hacking seemingly anything they want, the government is pounding its gavel with one of its only powerful rhetorical messages - sticking criminals in the deepest, darkest dungeon for as long as possible.

There Are No Lulz In Prison

The proposal would double prison time for offenses in just about every cybersecurity category when it comes to the government. Instead of 10 years for threatening national security, the maximum would be 20 years. Computer thefts would rise from five years and $5,000 to 10 years and accessing a government computer would go from one year to three years.

There have been attacks on the U.S. Senate and the public site for the Central Intelligence Agency within the past month, along with attacks on the International Monetary Fund and U.S. defense contractor Lockheed Martin. The attack on the CIA looks like it was a simple distributed denial of service attack (DDoS) that took down CIA.gov. That is not a serious breach (if a bit of an embarrassment for the CIA) but the hackers involved would probably get 20 years in prison under the proposal.

Catch Me, If You Can

The Reuters report quotes Frank Cilluffo, director of George Washington University's Homeland Security Policy Institute, saying "smoking keyboards are hard to find."

The problem for digital forensics teams is that it is very hard to track down criminal hackers. Hiding origin points of hacks is very easy through server mis-location and botnets that, by definition, have no definitive source.

The question becomes: is it worth it to track down "hacktivists" that "do it for the lulz?"

"It seems to me that there was a big difference between attacks like those perpetrated by hacktivists which brought down the CIA website, and serious organized infiltration of networks to steal confidential information," wrote Sophos Naked Security blogger Carole Theriault.

Big Time Hacks on the Rise

The attack on CIA.gov had the essence of a "because we can" type of hack. The CIA's forward-facing website may host some user information and a lot of public documents, but the actual functioning of the CIA, the U.S. intelligence community and military is much harder to crack. Those operations often function in a different plane of Internet (more like an Intranet) existence - think of it like a giant moat or air bubble between the World Wide Web and internal military operations - that is very difficult to bridge.

But, breaches or take-downs are making news every week. Sony's PlayStation Network is the biggest example recently. Google has been responding to what it claims has been a concerted, persistent effort of hacks coming from the Chinese government (or at least hacker groups inside China ... is there any difference?). National security experts deal constantly with what they call "persistent threat" coming from either outside the country or criminal groups inside the U.S. It is a race for government and corporations to stay one step ahead. Yet, the fact of the matter is that persistent threat and sophisticated black hat hackers are not going to go away, even if a few of them do end up serving 20-year prison sentences.


Federal CIO Vivek Kundra Resigns, Plans to Join Harvard

The federal government is losing its first-ever chief information officer.

Vivek Kundra, the man behind Data.gov, the government IT Dashboard and the federal initiative to reduce data centers and move to the cloud, will leave his post in August, according to Politico. He is reported to be going to Harvard to join the Kennedy School and the Berkman Center for Internet and Society, according to Federal News Radio. President Obama had tapped Kundra to be the first federal CIO in 2009 after he had been the chief technology officer of Washington, D.C.

The move by Kundra may be the signal of a trend. Innovative technological minds do not want to work in federal (or state and local for that matter) government. Earlier this year, one of the most innovative minds within the federal technology landscape, NASA CTO Chris Kemp, left the prestigious post to become a startup developer, saying that he would prefer to work on being an entrepreneur in Palo Alto, Calif.

While the personal moves may be on the verge of becoming a trend, there is no doubt that part of the reason behind them stems from the lack of innovation and technological adoption in government. The best way to think of the federal government is that it is a large enterprise operation that is perpetually three to five years behind the times. On aggregate, that is true, though there are a few examples of agencies that operate with present or cutting edge technology, such as NASA, many of the armed forces (which are much more device driven than IT infrastructure driven) and executive level agencies like the State Department and Internal Revenue Service (that is not an oxymoron, the IRS spends nearly $14 billion on IT infrastructure and tax systems ... yet, the Treasury Department as a whole is not incredibly innovative).

Kundra was part of the first technology team ever to work as a C-suite at the executive level within the Office of Management and Budget. Aneesh Chopra is the first federal CTO and Jeffrey Zients the first chief performance officer.

Kundra's most lasting legacy on the federal government will probably be his "25 Point Plan" [PDF] outlining how the government can streamline its IT infrastructure, grow to be more technologically forward and cut wasteful IT spending.

[Picture: Wikipedia]


Search Sarah Palin’s Released Emails with "Sarah’s Inbox" From the Sunlight Foundation

In a digital sense, the release of former Alaska governor and vice presidential candidate Sarah Palin's email records could not have been more of a disaster. The Freedom of Information Act win by various media organizations to have the emails disclosed resulted in 24,000 printed pages and 14,000 emails. The scope of the documents was so cumbersome that even the New York Times crowdsourced triage of Palin's correspondence.

The Sunlight Foundation, an open government advocacy group, is creating a database of those emails that have been scanned by investigative journalism nonprofit ProPublica. Dubbed Sarah's Inbox, the database is similar to the interface of Gmail and can be searched by keyword, data or common phrase. You can even "star" ones that are important.

Palin had six email accounts while governor of Alaska, two official and four private. Alaska does not have the digital technology to push out the emails en masse electronically, so it printed six "standard paper boxes" totaling about 250 pounds and about $4,350.

The searchable site set up by the Sunlight Foundation is similar to a previous initiative from the group called Elena's Inbox that made Supreme Court Justice Elena Kagan's emails available during her confirmation hearings last year.


U.S. Hopes "Internet in a Suitcase" Will Offset Internet Censorship

The U.S. government has created what it is calling an "Internet in a suitcase" to cheat the switches on the filtering regimes of repressive countries. A kit of hardware, the suitcase creates a "shadow Internet" within a country that allows users to communicate with each other and the outside world despite electronic censorship.

The suitcase was funded by a $2 million grant from the U.S. Department of State, according to the New York Times.

The Suitcase Nuke (Revisited)

"(T)he suitcase," the Times reported, "could be secreted across a border and quickly set up to allow wireless communication over a wide area with a link to the global Internet." It creates a mesh network of interconnected devices, each acting as a sort of miniature cell tower.

This is only one aspect of a government-wide program to create alternative communications options that could be deployable in a number of different difficult situations.

Another important project is the creation of "stealth wireless networks." The most extensive (and expensive) so far is the $50 million alternative Afghani network. It is the hope of the government that it will act as a guarantee of communications consistency in the face of Taliban attacks on the country's infrastructure.

The U.S. has already worked a great deal on the issue of communications preservation and restoration. Between the rash of hacking attacks, with the latest being against the International Monetary Fund, and the reaction of governments like Syria to the Arab Spring, communications in general, and the Internet in particular, have become an increasing priority for the U.S.

Samizdat (Vernut'sya)

Some of this, the suitcase in particular, reminds me of the machines dropped behind the Iron Curtain to encourage the development of samizdat literature. In fact, I think it's worth quoting a chunk of the review I wrote of Evgeny Morozov's book, The Net Delusion.

"Morozov makes the argument that the current belief in the redemptive effects of communications technologies comes from the U.S. experience of the cold war, in which copy machines and fax machines were smuggled into the U.S.S.R. That, combined with the enduring fiction that Reagan, and not the 'structural conditions and the inherent contradictions of the Soviet system' were responsible for that country's downfall, has led the diplomats and politicians of the U.S. to the belief that next generation technology and a strong leader will do the same thing for Islamist states and post-colonial dictatorships."

Is this the same thing? Maybe not. But it's worth considering. Will any of this work? Although this project is based on many hacktivist creations, even a lot of that stuff was more idea than actual. It may have been important to the morale of the protesters who toppled the Tunisian and Egyptian governments to know that some of these hacks made it possible to stay in touch with the world and to keep out of the shadows their regimes were hoping would cover their actions. But possibly the fact that these tools - from dial-up lines to call-up Twitter tools - were impelled by the creativity of individuals, not governments, may have made a difference too.

Either way, look for a great deal more effort on this front in the near future.

Suitcase photo by Jasleen Kaur, Alexanderplatz photo by Miguel | other sources: PopSci


Supreme Court Upholds $290 Million Patent Infringement Award Against Microsoft

The U.S. Supreme Court (PDF) has ruled that Microsoft is liable for $290 million in damages for patent infringement for technology used in building its Word software.

The decision upholds a 2009 ruling in which Microsoft was found guilty of infringement on the patents of the Toronto-based i4i. Microsoft had appealed the verdict, but the Supreme Court agreed with the lower courts' decision, with a unanimous ruling announced today.

i4i holds a patent for a method of processing custom XML, a method i4i claimed - and the courts have agreed - that Microsoft violated with its 2003 and subsequent versions of Word.

The case was being closely watched by many as legal questions about intellectual property rights seem to be plaguing the tech industry lately. There have been a number of high profile patent infringement cases recently: the Lodsys lawsuits against app developers and Oracle's lawsuit against Google to name but two.

Microsoft and others had hoped that a decision would make it easier for companies to defend themselves in patent infringement lawsuits. Last year, the EFF and the Apache Software Foundation had filed amicus briefs in support of Microsoft in this case.

Currently, in order to invalidate a patent, "clear and convincing" evidence is required. Microsoft argued that there is no need to have a standard that high. Rather, defendants should be able to challenge patents with the less onerous "preponderance of the evidence" standard.

That's the same standard that is required for a patent-holding plaintiff to prove that a defendant has infringed on a patent, and Microsoft argues that by making both parties adhere to the lower standard, it levels the litigation playing field.

But the Supreme Court did not agree, and Justice Sonia Sotomayor wrote today that the courts have upheld this stricter standard for decades now. Congress has never considered changing the law, and "any recalibration of the standard of proof remains in its hands."

And that seems unlikely to happen.


Report: 25% of U.S. Hackers are FBI Informants

Hackers are turning on each other in droves. One in four hackers will snitch on their hacker buddies when pressured by the United States Secret Service or Federal Bureau of Investigation, according to an investigation done by The Guardian.

Apparently there is no omerta between hackers. The Guardian says that the FBI has so thoroughly infiltrated the hacker community "that it is now riddled with paranoia and mistrust." Arrested hackers often turn into moles for the FBI, acting on behalf of the agency as informants in underground chat rooms and forums to sniff out other hackers susceptible to arrest. Hackers of the world: how likely are you to become a snitch for the U.S. government if you are arrested?

The most prominent hacker turned snitch is Adrian Lamo, who outed Bradley Manning, the source behind the Wikileaks cables. Our enterprise editor David Strom interviewed Lamo last week (listen to the podcast here).

"The good of the many outweighed the good of the one. There were no winners here. I had two options and I took the one that was less wrong," Lamo said of turning in Manning. He said he was sad to see his friend Manning behind bars but viewed him as "any of his friends that has done something reprehensible."

According to The Guardian, the moral ambiguity shown by Lamo is probably not shared by the rest of the hacker community. The Guardian interviewed Eric Corley, publisher of hacker publication 2600, who said that "owing to the harsh penalties involved and the relative inexperience with the law that many hackers have, they are rather susceptible to intimidation." So, unlike Lamo, they are not acting out of some altruistic sense of obligation but rather for fear of hard time. It is the same tactic that local law enforcement has been using with petty drug dealers for years in order to climb the ladder to major traffickers.

Next On The Hitlist: Hacker Communities

Individual hackers are one type of problem; infiltrating and picking apart hacker collectives like Anonymous or the newly arisen Lulz Security (if it is indeed a separate group of hackers) is another. To a certain extent, there is safety and anonymity in numbers. The way that hacker groups function is not like some normal type of organized crime group either. Anonymous is a global network of hackers working together, many of whom (rightfully so) do not trust each other. The way to break up an amorphous collective is to break it into its constituent parts, isolate them and work up the chain of command. Given the distrust already within the hacker community, that may not be as hard as it seems.


U.K. to Recruit "Cyber-Soldiers"

At the same time as the U.S. military is preparing to release a policy qualifying cyberattacks as acts of war, the military of the United Kingdom is engaging in a large-scale recruitment drive. Called "Operation Cupcake"

Following from last year's "National Cyber Security Programme," this recruiting initiative will attempt to attract hundreds of computer experts to the British armed forces. Part of a £650,000 cyber-security budget will be devoted to the program.

The Ministry of Defense gave a statement, quoted by the BBC.

"Our forces depend on computer networks, both in the UK and in operations around the world. But our adversaries present an advance and rapidly developing threat to these networks...Future conflict will see cyber operations conducted in parallel with more conventional actions the sea, land and air operations."

Precise numbers are classified but a Ministry of Defense spokesman affirmed that the new cyber-recruits would number in the hundreds.

According to Thinq, General Jonathan Shaw of the Parachute Regiment will act as the chief of the new Ministry of Defense "cyber-operations group," overseeing the work of the new recruits. The group will be headquartered at the U.K.'s intelligence agency, Government Communications Headquarters, and overseen by the Cabinet Office.

(The GCHQ grew out of the Government Code and Cypher School, based in great part at Bletchley Park. There, during the Second World War, Alan Turing broke the German Enigma code.)

GCHQ model photo by Cory Doctorow


Pentagon Declares Cyberattack an Act of War

Cyberattacks are part of the defense landscape and have been for a while. Among the more high-profile instances in the last year are the Stuxnet attack by the U.S. and Israel on Iranian nuclear facilities, the attacks by the Chinese government on Google and even a hack of a Pentagon project.

Now, the Wall Street Journal says a soon-to-be-released Pentagon policy document will announce officially that a cyberattack can be a jus ad bellum, or act of war.

In addition to the Pentagon's Joint Strike Fighter project being compromised, a main military supplier, Lockheed Martin, was hacked earlier this month. The military felt that an ad hoc response was no longer adequate, hence, this official policy was drafted.

The finding of a cyberattack as an act of war is one that "for the first time opens the door for the U.S. to respond using traditional military force."

"If you shut down our power grid," one unnamed military official told the Journal, "maybe we will put a missile down one of your smokestacks."

That's not just chest-beating. The notion of "equivalency" is based on the internationally-accepted Laws of War (formed from such agreements as the Geneva Conventions). This equivalency seems to be integral to the U.S. military's new official approach to cyber-threats.

However, retribution will depend on how closely the attack or the tools used to make it can be traced to a government entity. That will be the element of the report critics will probably focus on the most. What mechanisms will the military put in place to make legitimate determinations of blame?

The Pentagon will release the 12 unclassified pages of the 30-page document next month.

Other sources: PopSci
