Archive for category Cyber Security

FBI launches $1 billion nationwide facial recognition system | ExtremeTech


By Sebastian Anthony on September 7, 2012


The US Federal Bureau of Investigation has begun rolling out its new $1 billion biometric Next Generation Identification (NGI) system. In essence, NGI is a nationwide database of mugshots, iris scans, DNA records, voice samples, and other biometrics that will help the FBI identify and catch criminals. But it is how this biometric data is captured, through a nationwide network of cameras and photo databases, that is raising the eyebrows of privacy advocates.

Until now, the FBI relied on IAFIS, a national fingerprint database that has long been due an overhaul. Over the last few months, the FBI has been pilot testing a facial recognition system — and soon, detectives will also be able to search the system for other biometrics such as DNA records and iris scans. In theory, this should result in much faster positive identifications of criminals and fewer unsolved cases.

According to New Scientist, facial recognition systems have reached the point where they can match a single face from a pool of 1.6 million mugshots/passport photos with 92% accuracy, in under 1.2 seconds. In the case of automated, biometric border controls, where your face and corresponding mugshot are well lit, the accuracy approaches 100%. Likewise, where DNA or iris records exist, it’s a very expedient way of accurately identifying suspects.

So far, so good: catching criminals faster and making fewer false arrests must be a good thing, right? Well, yes, but there are some important caveats that we must bear in mind. For a start, the pilot study has only used mugshots and driving license photos of known criminals, but the FBI hasn’t guaranteed that this will always be the case. There may come a time when the NGI is filled with as many photos as possible, from as many sources as possible, of as many people as possible, criminal or otherwise. This might be as overt as parsing CCTV footage and collating every single face into a database; or maybe you’re just unlucky and your face ends up in the system because you’re in the background of a photo starring a known criminal.

Imagine if the NGI had full access to every driving license and passport photo in the country — and DNA records kept by doctors, and iris scans kept by businesses. The FBI’s NGI, if the right checks and balances aren’t in place, could very easily become a tool that decimates civilian privacy and freedom. Time to invest in a hoodie, I think…

 FBI launches $1 billion nationwide facial recognition system | ExtremeTech.


Your E-Book Is Reading You – WSJ.com


Digital-book publishers and retailers now know more about their readers than ever before. How that’s changing the experience of reading.

By ALEXANDRA ALTER

It takes the average reader just seven hours to read the final book in Suzanne Collins’s “Hunger Games” trilogy on the Kobo e-reader—about 57 pages an hour. Nearly 18,000 Kindle readers have highlighted the same line from the second book in the series: “Because sometimes things happen to people and they’re not equipped to deal with them.” And on Barnes & Noble’s Nook, the first thing that most readers do upon finishing the first “Hunger Games” book is to download the next one.


In the past, publishers and authors had no way of knowing what happens when a reader sits down with a book. Does the reader quit after three pages, or finish it in a single sitting? Do most readers skip over the introduction, or read it closely, underlining passages and scrawling notes in the margins? Now, e-books are providing a glimpse into the story behind the sales figures, revealing not only how many people buy particular books, but how intensely they read them.

Illustration by John Cuneo: The perfect man, according to data collected by digital publisher Coliloquy from romance-novel readers, has a European accent and is in his 30s with black hair and green eyes.

For centuries, reading has largely been a solitary and private act, an intimate exchange between the reader and the words on the page. But the rise of digital books has prompted a profound shift in the way we read, transforming the activity into something measurable and quasi-public.

The major new players in e-book publishing—Amazon, Apple and Google—can easily track how far readers are getting in books, how long they spend reading them and which search terms they use to find books. Book apps for tablets like the iPad, Kindle Fire and Nook record how many times readers open the app and how much time they spend reading. Retailers and some publishers are beginning to sift through the data, gaining unprecedented insight into how people engage with books.

Publishing has lagged far behind the rest of the entertainment industry when it comes to measuring consumers’ tastes and habits. TV producers relentlessly test new shows through focus groups; movie studios run films through a battery of tests and retool them based on viewers’ reactions. But in publishing, reader satisfaction has largely been gauged by sales data and reviews—metrics that offer a postmortem measure of success but can’t shape or predict a hit. That’s beginning to change as publishers and booksellers start to embrace big data, and more tech companies turn their sights on publishing.

Barnes & Noble, which accounts for 25% to 30% of the e-book market through its Nook e-reader, has recently started studying customers’ digital reading behavior. Data collected from Nooks reveals, for example, how far readers get in particular books, how quickly they read and how readers of particular genres engage with books. Jim Hilt, the company’s vice president of e-books, says the company is starting to share its insights with publishers to help them create books that better hold people’s attention.

The stakes are high for the company as it seeks a greater share of the e-book market. Sales of Nook devices rose 45% this past fiscal year, and e-book sales for the Nook rose 119%. Overall, Nook devices and e-books generated $1.3 billion, compared to $880 million the previous year. Microsoft recently invested $300 million for a 17.6% stake of the Nook.

Mr. Hilt says that the company is still in “the earliest stages of deep analytics” and is sifting through “more data than we can use.” But the data—which focuses on groups of readers, not individuals—has already yielded some useful insights into how people read particular genres. Some of the findings confirm what retailers already know by glancing at the best-seller lists. For example, Nook users who buy the first book in a popular series like “Fifty Shades of Grey” or “Divergent,” a young-adult series by Veronica Roth, tend to tear through all the books in the series, almost as if they were reading a single novel.

Barnes & Noble has determined, through analyzing Nook data, that nonfiction books tend to be read in fits and starts, while novels are generally read straight through, and that nonfiction books, particularly long ones, tend to get dropped earlier. Science-fiction, romance and crime-fiction fans often read more books more quickly than readers of literary fiction do, and finish most of the books they start. Readers of literary fiction quit books more often and tend to skip around between books.

Those insights are already shaping the types of books that Barnes & Noble sells on its Nook. Mr. Hilt says that when the data showed that Nook readers routinely quit long works of nonfiction, the company began looking for ways to engage readers in nonfiction and long-form journalism. They decided to launch “Nook Snaps,” short works on topics ranging from weight loss and religion to the Occupy Wall Street movement.

Pinpointing the moment when readers get bored could also help publishers create splashier digital editions by adding a video, a Web link or other multimedia features, Mr. Hilt says. Publishers might be able to determine when interest in a fiction series is flagging if readers who bought and finished the first two books quickly suddenly slow down or quit reading later books in the series.

“The bigger trend we’re trying to unearth is where are those drop-offs in certain kinds of books, and what can we do with publishers to prevent that?” Mr. Hilt says. “If we can help authors create even better books than they create today, it’s a win for everybody.”

Some authors welcome the prospect. Novelist Scott Turow says he’s long been frustrated by the industry’s failure to study its customer base. “I once had an argument with one of my publishers when I said, ‘I’ve been publishing with you for a long time and you still don’t know who buys my books,’ and he said, ‘Well, nobody in publishing knows that,’ ” says Mr. Turow, president of the Authors Guild. “If you can find out that a book is too long and you’ve got to be more rigorous in cutting, personally I’d love to get the information.”

Others worry that a data-driven approach could hinder the kinds of creative risks that produce great literature. “The thing about a book is that it can be eccentric, it can be the length it needs to be, and that is something the reader shouldn’t have anything to do with,” says Jonathan Galassi, president and publisher of Farrar, Straus & Giroux. “We’re not going to shorten ‘War and Peace’ because someone didn’t finish it.”

Publishers are only just beginning to mull over the potential uses for e-reading data. Many are skeptical that analytics can aid in the industry’s ongoing battle to woo consumers who are increasingly distracted by games and social media. But at a time when traditional publishers are losing ground to tech giants like Amazon and Apple, better analytics seem to offer tantalizing possibilities.

Amazon, in particular, has an advantage in this field—it’s both a retailer and a publisher, which puts the company in a unique position to use the data it gathers on its customers’ reading habits. It’s no secret that Amazon and other digital book retailers track and store consumer information detailing what books are purchased and read. Kindle users sign an agreement granting the company permission to store information from the device—including the last page you’ve read, plus your bookmarks, highlights, notes and annotations—in its data servers.

Amazon can identify which passages of digital books are popular with readers, and shares some of this data publicly on its website through features such as its “most highlighted passages” list. Readers digitally “highlight” selections using a button on the Kindle; they can also opt to see the lines commonly highlighted by other readers as they read a book. Amazon aggregates these selections to see what gets underlined the most. Topping the list is the line from the “Hunger Games” trilogy. It is followed by the opening sentence of “Pride and Prejudice.”

“We think of it as the collective intelligence of all the people reading on Kindle,” says Amazon spokeswoman Kinley Pearsall.

Some privacy watchdogs argue that e-book users should be protected from having their digital reading habits recorded. “There’s a societal ideal that what you read is nobody else’s business,” says Cindy Cohn, legal director for the Electronic Frontier Foundation, a nonprofit group that advocates for consumer rights and privacy. “Right now, there’s no way for you to tell Amazon, I want to buy your books, but I don’t want you to track what I’m reading.”

Amazon declined to comment on how it analyzes and uses the Kindle data it gathers.

EFF has pressed for legislation to prevent digital book retailers from handing over information about individuals’ reading habits as evidence to law enforcement agencies without a court’s approval. Earlier this year, California instituted the “reader privacy act,” which makes it more difficult for law-enforcement groups to gain access to consumers’ digital reading records. Under the new law, agencies must get a court order before they can require digital booksellers to turn over information revealing which books their customers have browsed, purchased, read and underlined. The American Civil Liberties Union and EFF, which partnered with Google and other organizations to push for the legislation, are now seeking to enact similar laws in other states.

Bruce Schneier, a cyber-security expert and author, worries that readers may steer clear of digital books on sensitive subjects such as health, sexuality and security—including his own works—out of fear that their reading is being tracked. “There are a gazillion things that we read that we want to read in private,” Mr. Schneier says.

There are some 40 million e-readers and 65 million tablets in use in the U.S., according to analysts at Forrester Research. In the first quarter of 2012, e-books generated $282 million in sales, compared to $230 million for print, the Association of American Publishers recently found.

Meanwhile, the shift to digital books has fueled an arms race among digital start-ups seeking to cash in on the massive pool of data collected by e-reading devices and reading apps. New e-reading services, which allow readers to purchase and store books in a digital library and read them on different devices, have some of the most sophisticated reader tracking software. The digital reading platform Copia, which has 50,000 subscribers, collects detailed demographic and reading data—including the age, gender and school affiliation of people who bought particular titles, as well as how many times the books were downloaded, opened and read—and shares its findings with publishers. Copia aggregates the data, so that individual users aren’t identifiable, and shares that information with publishers that request it.

Kobo, which makes digital reading devices and operates an e-reading service that stocks 2.5 million books and has more than eight million users, has recently started looking at how readers as a whole engage with particular books and genres. The company tracks how many hours readers spend on particular titles and how far they get. Kobo recently found, for example, that most readers who started George R.R. Martin’s fantasy novel “A Dance With Dragons” finished the book, and spent an average of 20 hours reading it, a relatively fast read for a 1,040-page novel.

Illustration by William Duke

Some publishers are already beginning to market test books digitally, before releasing a print edition. Earlier this year, Sourcebooks, which publishes 250 titles a year, began experimenting with a new model of serial, online publishing. Sourcebooks has released early online editions for half a dozen titles, ranging from romance to young adult to nonfiction books, and has solicited questions and suggestions from readers. Eventually, readers’ feedback will be incorporated into the print version.

Scholastic, which publishes popular young-adult fiction such as Harry Potter and “The Hunger Games,” created online message boards and interactive games connected to its popular series “39 Clues.” The online game and message board, which has 1.9 million registered users, allows the publisher to track which story lines and characters are resonating with young readers. David Levithan, Scholastic’s publisher and editorial director, says the online feedback has shaped the ongoing “39 Clues” series and helped to turn it into a global franchise with more than 15 million copies in print.

“You very rarely get a glimpse into the reader’s mind,” he says. “With a printed book, there’s no such thing as an analytic. You can’t tell which pages are dog-eared.”

Few publishers have taken the experiment as far as Coliloquy, a digital publishing company that was created earlier this year by Waynn Lue, a computer scientist and former Google engineer, and Lisa Rutherford, a venture capitalist and former president of Twofish, a gaming-analytics firm.

Coliloquy’s digital books, which are available on Kindle, Nook and Android e-readers, have a “choose-your-own-adventure”-style format, allowing readers to customize characters and plot lines. The company’s engineers aggregate and pool the data gleaned from readers’ selections and send it to the authors, who can adjust story lines in their next books to reflect popular choices.

“Data and analytics, we’ve seen how it revolutionized certain industries like mobile apps and gaming,” says Mr. Lue. “With reading, we don’t yet have that engagement data, and we wanted to provide a feedback mechanism that didn’t exist before between authors and readers.”

Coliloquy developed its software through Amazon’s Kindle data developer program, which allows outside companies to create interactive content for Kindle. Their proprietary data platform draws on complex algorithms, similar to gaming software, that let readers choose from different narrative pathways.

The company hired six editors and five technology and product developers and began recruiting authors from a range of genres, including romance, nonfiction, young adult fantasy and erotica. Since launching this past January, the company has released eight titles, and is expanding into crime fiction, legal thrillers and experimental fiction. Mr. Lue and Ms. Rutherford declined to provide sales figures for Coliloquy’s titles, citing a nondisclosure agreement with Amazon. But they say more than 90% of readers who buy Coliloquy’s books, which range from $2.99 to $7.99, finish reading them, and 67% reread the books.

In “Parish Mail,” Kira Snyder’s young adult mystery series set in New Orleans, readers can decide whether the teenage protagonist solves crimes by using magic or by teaming up with a police detective’s cute teenage son. Readers of “Great Escapes,” an erotic romance series co-written by Linda Wisdom and Lynda K. Scott, can customize the hero’s appearance and the intensity of the love scenes. A recent report from Coliloquy showed that the ideal hero for “Great Escapes” readers is tall with black hair and green eyes, a rugged, burly build and a moderately but not overly hairy chest.

In Tawna Fenske’s romantic caper “Getting Dumped”—which centers on a young woman who finds work at a landfill after getting laid off from her high-profile job at the county’s public relations office—readers can choose which of three suitors they want the heroine to pursue. The most recent batch of statistics showed that 53.3% chose Collin, a Hugh Grant type; 16.8% chose Pete, the handsome but unavailable co-worker; and 29.7% of readers liked Daniel, the heroine’s emotionally distant boyfriend.

Ms. Fenske originally planned to get rid of Daniel by sending him to prison and writing him out of the series. Then she saw the statistics. She decided 29.7% was too big a chunk of her audience to ignore.

“So much of the time, it’s an editor and agent and publisher telling you, ‘This is what readers want,’ but this is hands-on reader data,” says Ms. Fenske, 37, who lives in Bend, Ore. “I’ve always wondered, did that person buy it and stop after the first three pages? Now I can see they bought it and read it in the first week.”

 Your E-Book Is Reading You – WSJ.com.


How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy – ProPublica


Jonathan Mayer (Peter McCollough/ Wired)

by Peter Maass
ProPublica, June 28, 2012, 6:30 a.m.


June 28: This story has been corrected.

This story was co-published with Wired.

Jonathan Mayer had a hunch.

A gifted computer scientist, Mayer suspected that online advertisers might be getting around browser settings that are designed to block tracking devices known as cookies. If his instinct was right, advertisers were following people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google.

This is precisely the type of privacy violation the Federal Trade Commission aims to protect consumers from, and Google, which claims the cookies were not planted in an unethical way, now reportedly faces a fine of more than $10 million. But the FTC didn’t discover the violation. Mayer is a 25-year-old student working on law and computer science degrees at Stanford University. He shoehorned his sleuthing between classes and homework, working from an office he shares in the Gates Computer Science Building with students from New Zealand and Hong Kong. He doesn’t get paid for his work and he doesn’t get much rest.

If it seems odd that a federal regulator was scooped by a sleep-deprived student, get used to it, because the federal government is often the last to know about digital invasions of your privacy. The largest privacy scandal of the past year, also involving Google, wasn’t discovered by federal regulators, either. A privacy official in Germany forced Google to hand over the hard drives of cars equipped with 360-degree digital cameras that were taking pictures for its Street View program. The Germans discovered that Google wasn’t just shooting photos: The cars downloaded a panoply of sensitive data, including emails and passwords, from open Wi-Fi networks. Google had secretly done the same in the United States, but the FTC, as well as the Federal Communications Commission, which oversees broadcast issues, had no idea until the Germans figured it out.

Nearly every day, and often several times a day, there is fresh news of privacy invasions as companies hone their ability to imperceptibly assemble a vast amount of data about anyone with a smartphone, laptop or credit card. Retailers, search engines, social media sites, news organizations — all want to know as much as they can about their visitors and users so that ads can be targeted as precisely as possible. But data mining, which has become central to the corporate bottom line, can be downright creepy, with companies knowing what you search for, what you buy, which websites you visit, how long you browse — and more. Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products. It’s akin to someone rifling through your wallet, closet or medicine cabinet, but in the digital sphere no one picks your pocket or breaks into your house. The tracking is done mostly without your knowledge and, in many cases, despite your attempts to stop it, as Mayer discovered.

The FTC is the lead agency in the government’s effort to ensure that companies do not cross the still-hazy border between acceptable and unacceptable data collection. But the agency’s ambitions are clipped by a lack of both funding and legal authority, reflecting a broader uncertainty about the role government should play in what is arguably America’s most promising new industry. Companies like Facebook and Google are global brands for which data mining is at the core of present and future profits. How far should they go? Current laws provide few limits, mainly banning data collection from children under 13 and prohibiting the sale of personal medical data. Beyond that, it’s a digital mosh pit, and it’s likely to remain that way because more regulation tends to be regarded by politicians in both parties as meaning fewer jobs. Students will probably continue to beat the FTC to the punch: The agency has just one privacy technologist working in its Division of Privacy and Identity Protection and one in the Division of Financial Practices. “I don’t think it’s controversial to note that they seem to be understaffed,” Mayer said in a phone interview between classes. “I think that’s pretty clear.”

This isn’t the usual sort of story about regulation watered down by intimate ties between government officials and the industry they oversee. Unlike the U.S. Minerals Management Service, where not long ago a number of officials were found to have shared drugs and had sex with representatives of the oil and gas industry, key FTC officials hired by the Obama administration are privacy hawks who worked previously for consumer-rights groups like Public Citizen and the Electronic Frontier Foundation. Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries; its first privacy technologist, hired shortly after Leibowitz became chairman, was a semifamous activist who made a name for himself by printing fake boarding passes to draw attention to airline security lapses (the FBI, which raided his house, was not pleased). The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do.

Yet the FTC is ill-equipped to find out, on its own, what companies like Google and Facebook are doing behind the scenes. For instance, ProPublica discovered that the FTC’s Privacy and Identity Protection technologist has a digital hand tied behind his back because the computer in his office has security filters that restrict access to key websites. While Mayer has an ultrafast Internet connection, top-of-the-line computer, an office chair he loves and tasty lunches for free (“Stanford students do not want in any way,” he notes), the FTC technologist uses his personal laptop and, because there is no Wi-Fi at the agency, connects to the Internet by tethering it to his iPhone. He browses the Web at cellphone speed. There are no free lunches.

***

The Federal Trade Commission building with the sculpture ‘Man Controlling Trade’ in front. (Rounded Corner, by M.V. Jantzen, used under a Creative Commons license.)

The FTC is headquartered in a landmarked building on Pennsylvania Avenue flanked by two sculptures of a man trying to restrain a muscle-bound horse that is straining to gallop away. The sculptures, completed in 1942, are entitled “Man Controlling Trade,” and they explain a lot about the FTC’s current dilemma. The notion of controlling trade, popular when the sculptures were erected seven decades ago, is not a vote-winner today. The FTC was an early battleground of the movement that began in the Reagan era to reduce government regulation. The agency had more than 1,700 employees in the 1970s, but is down to 1,176 today, even though the economy has more than doubled in that span. The FTC’s responsibilities are vast: It must police everything from financial scams to antitrust activity, identity theft and misleading advertising.

Especially among Republicans, there is little interest in providing more resources. California Rep. Mary Bono-Mack, at a recent hearing on privacy legislation, warned that the government “has this really bad habit of overreaching whenever it comes to new regulations.” Although the American Civil Liberties Union may see an epidemic of privacy violations, Bono-Mack said, “I haven’t gotten a single letter from anyone back home urging me to pass a privacy bill.” The skepticism is not just an outside-the-building phenomenon; it comes from within the FTC, too. One of the agency’s five commissioners, Republican Thomas Rosch, dissented from its 2013 budget request, which asks for less money than the prior year budget of $312 million. Rosch said he believed the FTC still wanted too much. “In these austere times we should do more … with fewer resources,” his dissent said.

The cold shoulder is not entirely Republican. Earlier this year the Obama administration unveiled a “Privacy Bill of Rights” that sets a variety of enviable standards for consumer privacy. “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” President Obama said. The document, which among other things would allow individuals to control the data collected on them, was welcomed by consumer groups. But it’s not legislation. It’s a wish-list. The administration hopes that some of its wishes, like a Do Not Track system, will be granted through voluntary industry standards. But many of the wishes require Congress to pass laws that it is unlikely to pass anytime soon. The FTC’s meager budget request would seem to be the best indication yet of the prospects for significantly greater federal privacy protection.

It’s an old story with a new twist. Few industries have as many admirers in Washington, D.C., as Silicon Valley, which unlike the oil industry has what appears to be an equally large number of friends on both sides of the aisle. The tech industry is generally regarded as liberal-leaning — for instance, Eric Schmidt, the Google chairman, was an Obama campaign adviser and serves on the president’s Council of Advisors on Science and Technology. But Sen. John McCain, R-Ariz., was counseled in his presidential bid by both Carly Fiorina, the former CEO of Hewlett-Packard, and by Meg Whitman, the former CEO of eBay who now heads HP. Silicon Valley is one of the country’s few global growth industries; politicians are reluctant to put restrictions on what it can and cannot do.

The FTC tries to do the best with what it has. In 2009, with new Obama-era appointees aboard, it hired Christopher Soghoian, a privacy technologist who could perform the sort of sophisticated forensics that Mayer conducted on Google. A year later, in 2010, the FTC hired its first chief technologist, Edward Felten, a Princeton computer scientist who is highly regarded in tech policy circles. But the three men who have filled the privacy technologist job that Soghoian filled first (each has served for about a year) faced an awkward problem: The desktop in their office is digitally shackled by security filters that make it impossible to freely browse the Web. Crucial websites are off-limits, due to concerns of computer viruses infecting the FTC’s network, and there are severe restrictions on software downloads. When Soghoian tried to download a Wi-Fi-sniffing app, his boss told him within a few minutes that he had tripped a security alarm; he could not use the app on his computer. It had to be deleted immediately.

To defend against hackers, filtered computers are standard in the government, but they are problematic for officials who are trying to discover dishonest activity on the Web; it’s a bit like telling a cop he can’t patrol in high-crime neighborhoods. A handful of unfiltered computers are available in restricted labs at the FTC’s headquarters on Pennsylvania Avenue and its satellite offices on New Jersey Avenue and M Street, but this is an ungainly setup. Rather than leaving their office, waiting for an elevator, swiping their ID badges across a sensor at the lab’s locked door and logging into a computer soaked with malware (because the lab computers are used to test suspicious applications and websites), the technologists have instead stayed in their office and tethered their personal laptops to their personal cellphones. The office does not have a window, and the cell signals are not strong; even by phone standards, their Web connection is slow.

Soghoian and the current privacy technologist, Michael Brennan, tried to get an unfiltered desktop installed in their office. Each time — Soghoian in 2010, Brennan in 2011 — they got tantalizingly close, with new machines delivered to them. But the computers were never connected to the Internet. Someone at the agency — they don’t know who — got cold feet. “I basically had a two-thousand-dollar computer doing nothing,” Soghoian said. Brennan isn’t even at the office so much these days; he is a part-timer who lives in Philadelphia, where he is getting a Ph.D. in computer science at Drexel University. When he works in Washington, the FTC’s privacy gunslinger crashes at a friend’s house.

Only one FTC official has an unfiltered desktop: Felten, the chief technologist. He is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. Felten, hired mainly to provide policy advice to the FTC chairman, also conducts investigations of suspicious websites or apps — this is what he uses the unshackled computer for. During an interview, he pointed to it, a bit like a museum guide gesturing toward a priceless artwork, and said, “This is rare. I think this is the only one.”

He acknowledged the agency is hindered by a shortage of technical experts who can find the sorts of violations that Mayer stumbled on.

“We could for sure do more if we had more people,” he said while sitting in his office, which is nearly bare, with a few FTC posters on the walls, a small table and chairs, and a large desk for his two computers. “There are a lot of opportunities that we have to let go by because we don’t have the people to seize them … opportunities to measure and evaluate what’s happening every day in people’s computers and phones.”

Felten, who plans to resume full-time teaching at Princeton in the fall, was asked whether he has better technological resources there.

“Oh yes,” he replied. “That’s certainly the case.”

***

Christopher Soghoian (Graeme Mitchell/Wired Magazine)

The mismatch between FTC aspirations and abilities is exemplified by its Mobile Technology Unit, created earlier this year to oversee the exploding mobile phone sector. The six-person unit consists of a paralegal, a program specialist, two attorneys, a technologist and its director, Patricia Poss. For the FTC, the unit represents an important allocation of resources to protect the privacy rights of more than 100 million smartphone owners in America. For Silicon Valley, a six-person team is barely a garage startup. Earlier this year, the unit issued a highly publicized report on mobile apps for kids; its conclusion was reflected in the subtitle, “Current Privacy Disclosures Are Disappointing.” It was a thin report, however. Rather than actually checking the personal data accessed by the report’s sampling of 400 apps, the report just looked at whether the apps disclose, on the sites where they are sold, the types of personal data that would be accessed and what the data would be used for. The body of the report is just 17 pages. (The FTC says it will do deeper research in future reports.)

The mobile unit has an equipment problem, too. Like most government agencies, the FTC issues Blackberries to key officials. Poss, the unit’s director, has one. The Blackberry dominated when Al Gore ran for president, but today it’s barely an also-ran with just 12 percent of the smartphone market. That’s not a problem if you only use your Blackberry for texts, emails and calls. But it’s a problem if, like Poss, your job is to keep track of what’s happening in the smartphone market. Most consumers use Androids or iPhones, and most of the apps written for them are not available on the Blackberry.

If Poss wants to learn what’s going on in the 88 percent of the smartphone market that her Blackberry cannot access, she would need to leave her office and go to one of the FTC labs, where she can use or check out an iPhone or Android. It’s a clunky setup, so she resorts to a familiar workaround: She uses her personal smartphones. She has an iPhone as well as an Android.

A moment after she mentioned this in an interview, she added, “I probably shouldn’t be saying that.”

FTC officials are reluctant to talk about their lack of funding, partly because public whining, especially during hard economic times, is infrequently rewarded. It’s also politically unwise. A vocal portion of the electorate believes the government and its regulatory arms have too much money and power as it is. Additionally, the FTC is trying to keep the tech industry honest by hinting that the feds are watching everything. It does not help if Silicon Valley realizes the FTC possesses just a handful of iPhones and Androids that are kept under lock and key in the basement.

The interview with Poss was conducted in an office on the third floor of the FTC’s headquarters, with an FTC spokeswoman on hand. When Poss was asked whether it wouldn’t make sense for the director of the Mobile Technology Unit to have a government-issued iPhone or Android, the spokeswoman, Claudia Farrell, interceded.

“He’s trying to get you to bitch, Patti. Don’t do it.”

Poss, a lawyer who has worked at the FTC for more than 12 years, began to look uncomfortable, as though she was in the witness box, unsure what she was supposed to say. She made amends by noting she can use her office computer to look at the smartphone app descriptions posted on the websites where they are sold. Then she reversed herself.

“Actually, you can’t,” Poss said. “We have some restrictions on the sites we can visit on government computers.”

She hesitantly mentioned that Apple’s app store is among the sites blocked by the FTC’s security system. If she wants to look at the most popular websites for mobile apps, she has to go to a basement lab.

Farrell joined the conversation again.

“You’re not going to make this a gut-wrenching story about how Patti has to leave the confines of her office to do her work?”

***

Director of the FTC's Bureau of Consumer Protection David Vladeck testifies in a hearing on cell phone privacy on May 19, 2011, in Washington, D.C. (Alex Brandon/AP Photo)

The FTC maintains an aura of secrecy about its Internet testing labs in Washington. Their location is known but not much else. Officials would not talk about the equipment in the labs. Poss and Farrell refused to divulge the number of iPhones and Androids, though it appears to be not much more than a handful. “I don’t want to lead you to think we have an unlimited supply,” Poss acknowledged before being discouraged from acknowledging anything more.

It is hard for outsiders to know more because the FTC refuses to let reporters visit the labs.

“We’re not going to show it to you, no way,” said David Vladeck, who directs the agency’s Bureau of Consumer Protection and controls access to the labs.

It was pointed out that government agencies conducting far more secret operations — such as the Pentagon and the Central Intelligence Agency — often allow journalists and other outsiders to visit classified facilities. The embedding program during the Iraq war gave reporters the chance to report on the planning and execution of secret military operations. The FTC’s labs would not seem to rival the technology displayed when journalists ride aboard nuclear-powered submarines, for instance.

Vladeck would not bend.

“We don’t trust anybody,” he said.

Current and former FTC officials say the labs are the size of suburban living rooms, with computers and accessories that do not look much different from what would be seen at a Kinko’s. “There’s nothing special there,” Soghoian said. “It looks like a computer room in a public library or middle school.”

Vladeck’s appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. A conversation with Vladeck, who has argued four cases before the U.S. Supreme Court and won three of them, is akin to a combative courtroom session. He often leans across the table and speaks in a high-pitched bellow. During an interview in his office, he said that when he arrived at the FTC, “We weren’t geared up for this battle.” That’s partly because the Bush-era FTC was not terribly aggressive on privacy but also because data mining has particularly taken off in the past few years.

“No regulator is ever going to tell you that he or she is satisfied with the resources,” Vladeck said. “Would I like more resources? Of course, and I think I could put them to good use. But let me toot our own horn. We’ve gotten an enormous amount done in three years. I think we are sending a strong signal to the industry — you’ve got to straighten up and do the right thing.”

Since he arrived, the FTC has reached privacy settlements with some of the largest tech firms, including Facebook, Google and Twitter, though in each case there were no fines, because the FTC’s authority to issue fines on a first offense is limited. The agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.

Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC’s privacy work and is under Vladeck’s control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. “The bottlenecks are the lawyers for the most part,” Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.

Vladeck has improvised. He described his strategy as similar to highway cops — the point isn’t to catch every car that breaks the speed limit, but enough to signal to the others that they can’t get away with much. He goes after the shiniest cars.

“When we sue a company like Google and get them under order for doing what we thought was a plain violation of the FTC Act, which was making material changes to their privacy policy without notifying people and getting their consent, the message we hope we sent loud and clear was, ‘You can’t do that. If we’re going to go after Google, which is one of the biggest corporations in the world, you can bet we’re going to go after you too.’”

Yet those cases demonstrated the FTC’s limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy — what’s inappropriate data collection to one person might be fair and harmless to another — so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little — in which case, they aren’t deceiving consumers if they do things that might be untoward.

Ironically, the best way for a company to avoid privacy tussles with the FTC is to say little about its privacy practices. At the other extreme, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read or, when they do, have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow either strategy, and many do, are difficult targets for the FTC.

Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don’t really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large — this is akin to a two-strike rule.

The settlement process is time-consuming, however. Due to the agency’s small legal staff, some settlements take years to complete, and by the time they’re done, the targeted companies are not what they used to be. Last month, the FTC announced a privacy settlement with Myspace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when Myspace was already a fading giant; by the time it was concluded in May, Myspace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, “You mean Myspace still exists?”

Although the agency has some sway with Google and other companies that are sensitive to reputational issues — an FTC settlement might not hurt Google’s bottom line but the bad press could — it has less influence over data mining firms like LexisNexis, Choicepoint and RapLeaf, whose revenues come mostly from businesses rather than consumers. This is a major hole in the government’s effort to protect consumers from privacy violations, and the FTC has all but thrown up its hands in futility. The privacy report it issued earlier this year called on Congress to pass legislation that would set guidelines on acceptable practices by data miners. The odds of that happening are quite long, because of industry opposition to government oversight and the difficulty of getting agreement in Congress on what should and should not be allowed.

***

Even though he lives in university housing, Jonathan Mayer is a star in the world of digital privacy; he is the mop-haired kid who busted Google in his spare time. Silicon Valley companies seek him out to learn what he’s up to. Mayer, being clever, uses these encounters to learn about the companies. What are they thinking about the most? What do they fear the most? He has made another discovery.

“The FTC doesn’t strike fear into the heart of tech companies,” he says. “They know that as long as they stay within lax boundaries, it’s unlikely the FTC will bring enforcement actions against them.”

Yet there is a feared privacy watchdog, Mayer notes: the European Union. American companies have far less political influence in Europe, and Europeans are far more attentive to privacy issues, partly due to memories of Nazi-era totalitarianism. Because most tech services offered to Europeans are the same as offered to Americans, protections required by EU regulators are usually extended to American consumers. It’s the globalization of digital regulation: What happens in one country can affect all countries.

For instance, under Irish privacy law, citizens are entitled to know the information a company possesses on them — and this was used against Facebook by a 24-year-old Austrian, Max Schrems, who asked the company to hand over all the data it had on him. Facebook’s international headquarters are located in Dublin, so the firm had to comply. Last year it gave Schrems more than 1,200 pages of data that included just about every keystroke he had made while on the social network, including items he had deleted and location information he had never provided. Facebook had kept almost every poke and like, every friend and defriend, every invitation accepted or rejected. Schrems posted the information online and compared his Facebook dossier to the data that the East German secret police, the Stasi, had kept on millions of citizens.

In effect, Schrems exposed Facebook’s data retention practices, and this led to a big change. In May, Facebook said its 900 million customers — not just the ones in Europe — would receive far more detail on its data collection, making it easier for them to know what information was being collected and what was being done with it. The company acknowledged that the change was the result of a harsh report issued by Irish authorities looking into the Schrems case. Ireland wasn’t trying to protect the privacy rights of Americans, but its pressure on Facebook had precisely that effect.

The outsourcing of consumer data protection has been going on for a number of years. In 2008, European privacy officials asked Google, Microsoft and Yahoo! to delete, far quicker than they were doing, the data they were retaining about user searches. In short order, the search giants complied — not only for their European customers but for Americans, too. “The EU drives regulation worldwide,” Mayer says. “While we make nods to self-regulation and cooperation, the reality is that the EU is getting all of this done.”

The power of Europe’s privacy regulators — and the weakness of America’s — was demonstrated most vividly in the Street View dustup. While there was only modest protest against Google photographing American streets and homes, the company immediately ran into big trouble when its cars began to roam around Europe. The collection and abuse of personal information also was a hallmark of communist regimes that ruled Eastern Europe during the Cold War. Throughout Europe, local and national authorities expressed concerns about Street View, and the project quickly hit a number of walls.

Google promised its cars were only taking pictures — and the firm’s word was enough for U.S. officials — but French authorities demanded to know for sure. They inspected one of the vehicles in 2010 and realized that Google was not telling the whole story: The hard drives in the cars were downloading data from Wi-Fi networks. Google downplayed the revelation by contending the downloads were innocuous — just technical data, not personal information.

In Germany, where popular opposition to Street View was strongest, the data commissioner of Hamburg, Johannes Caspar, demanded to inspect a Street View car, too. At first, Google reportedly told him it didn’t know where the cars were. The firm eventually found one — but its hard drive was gone. At that point, Google said it was taking a new look at what the cars were downloading. Caspar insisted the company hand over a hard drive. After a few months, Google complied. Caspar discovered that Google had downloaded vast amounts of personal data.

It had done the same in the United States.
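The distinction at the center of the Street View dispute, "technical data" about networks versus the traffic flowing over them, comes down to what a sniffer keeps from each 802.11 frame. The parser below is an added illustration written for this page, not Google's code or anything the regulators published. It classifies raw frames, extracts the SSID, BSSID and channel that a network survey legitimately needs, and shows that data-frame bodies (here a constructed HTTP request carrying a session cookie, and an encrypted WPA frame) are either discarded or, in a raw capture, written to disk in full. All frames and MAC addresses are constructed for the example.

```python
"""Classify raw 802.11 frames; keep only SSID/BSSID/channel, drop data bodies.

Added example, not code from the article. All frames below are hand-built
and the addresses and SSID are made up.
"""
import struct
from dataclasses import dataclass
from typing import Optional

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}
SUBTYPE_BEACON, SUBTYPE_PROBE_RESP = 8, 5
IE_SSID, IE_DS_PARAM = 0, 3          # DS parameter set carries the channel


@dataclass
class Frame:
    ftype: str
    subtype: int
    bssid: Optional[str]
    ssid: Optional[str]
    channel: Optional[int]
    protected: bool
    payload: bytes                   # everything after the MAC header


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _info_elements(body: bytes):
    """Yield (id, value) from a beacon/probe-response body after its 12 fixed bytes."""
    i = 12
    while i + 2 <= len(body):
        ie_id, ie_len = body[i], body[i + 1]
        yield ie_id, body[i + 2:i + 2 + ie_len]
        i += 2 + ie_len


def parse_80211(frame: bytes) -> Frame:
    if len(frame) < 24:
        raise ValueError("frame shorter than a MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:
        hdr_len += 6                 # Addr4 only present in WDS frames
    if ftype == 2 and subtype & 0x8:
        hdr_len += 2                 # QoS control field
    body = frame[hdr_len:]
    # Which address field holds the BSSID depends on the To/From DS bits.
    if ftype == 0 or (not to_ds and not from_ds):
        bssid = _mac(addr3)
    elif to_ds and not from_ds:
        bssid = _mac(addr1)
    elif from_ds and not to_ds:
        bssid = _mac(addr2)
    else:
        bssid = None
    ssid = channel = None
    if ftype == 0 and subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        for ie_id, val in _info_elements(body):
            if ie_id == IE_SSID:
                ssid = val.decode("utf-8", "replace")
            elif ie_id == IE_DS_PARAM and val:
                channel = val[0]
    return Frame(FRAME_TYPES.get(ftype, "reserved"), subtype, bssid, ssid, channel, protected, body)


def metadata_only(frame: bytes) -> dict:
    """Record a survey should keep: identifiers only; data bodies are counted, never stored."""
    f = parse_80211(frame)
    rec = {"type": f.ftype, "bssid": f.bssid}
    if f.ftype == "management":
        rec.update(ssid=f.ssid, channel=f.channel)
    elif f.ftype == "data":
        rec.update(protected=f.protected, payload_bytes_dropped=len(f.payload))
    return rec


def capture_everything(frame: bytes) -> dict:
    """What a raw packet capture writes to disk: the same record plus the whole body."""
    rec = metadata_only(frame)
    rec["payload"] = parse_80211(frame).payload
    return rec


# Constructed sample frames (not real captures).
AP, CLIENT, BROADCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SSID = b"HomeNet"
BEACON = (bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + AP + AP + b"\x10\x00"
          + b"\x00" * 8 + struct.pack("<H", 100) + b"\x01\x04"
          + bytes([IE_SSID, len(SSID)]) + SSID + bytes([IE_DS_PARAM, 1, 6]))
HTTP = b"GET /mail HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n"
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
OPEN_DATA = (bytes([0x08, 0x02]) + b"\x00\x00" + CLIENT + AP + AP + b"\x20\x00"
             + LLC_SNAP_IP + HTTP)                        # FromDS, unencrypted
WPA_DATA = (bytes([0x08, 0x42]) + b"\x00\x00" + CLIENT + AP + AP + b"\x30\x00"
            + b"\x00" * 8 + bytes(range(40)))            # FromDS + Protected (CCMP)

if __name__ == "__main__":
    for name, fr in [("beacon", BEACON), ("open data", OPEN_DATA), ("wpa data", WPA_DATA)]:
        print(name, metadata_only(fr))
```

Running it prints one metadata record per frame; only the beacon yields an SSID and channel, while both data frames show a byte count for a body that never reaches disk. Swapping `metadata_only` for `capture_everything` is the whole difference between a network survey and the payload collection the Hamburg inspection uncovered: the session cookie in the open frame is stored verbatim, and the encrypted WPA body is stored for later decryption attempts. Whichever record is kept, the SSID and BSSID fields themselves are identifiers tied to a household, which is why regulators treated even the "technical data" as personal information.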

Vladeck had a quick response when it was suggested the Europeans were better privacy watchdogs.

“That’s a lie,” he shot back.

He leaned forward, speaking a bit more slowly.

“That is a lie.”

He argued that although the Germans uncovered Street View’s data collection, the FTC was not asleep at the wheel because it was investigating Street View at the time. But Vladeck said the FTC could not have done much even if it had examined a hard drive, since the agency’s reach extends only to unfair or deceptive practices. Google had never told consumers it wasn’t downloading Wi-Fi data, so it hadn’t deceived them by doing so. To prove an unfair practice, the FTC would have needed to show that the data downloads caused consumers an unavoidable harm. “Street View would have been a very difficult case for us,” Vladeck said. The agency quietly closed its investigation in late 2010 with no action.

Google was not yet free of the government’s watchdogs. The Federal Communications Commission conducted a separate investigation of its own and discovered the data collection was not accidental, as Google had claimed once it owned up to downloading the data. The FCC sharply criticized Google in April but fined the company just $25,000, which is not even a rounding error in the Web giant’s first quarter profit of $2.89 billion.

 How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy – ProPublica.


FBI arrests dozens in credit card fraud sting – The Hill’s Hillicon Valley


 

FBI arrests dozens in credit card fraud sting

By Brendan Sasso - 06/26/12 04:20 PM ET

  

Police around the world arrested 24 people in a massive crackdown on online fraudsters, the Justice Department announced Tuesday.

The sting, codenamed “Operation Card Shop,” led the FBI to arrest 11 people in California, New York and five other states. Officials in seven foreign countries, including the United Kingdom and Bosnia, nabbed another 13 people in the operation.

The authorities accuse the defendants of stealing credit card numbers and other personal financial information.

According to court documents, the FBI set up an undercover website called “Carder Profit” in 2010, which pretended to be a forum for fraudsters to buy and sell financial information and exchange tips about hacking.

The site was designed to allow the FBI to monitor and record all of its discussion threads and private messages. 

To make the site seem safe from police, new users could only access it if they were recommended by two existing users. 

The FBI monitored the site and its users’ communications for two years. 

The United States shared the evidence it collected with the foreign authorities for Tuesday’s coordinated crackdown. 

The U.S. Attorney’s Office for the Southern District of New York said the operation was the “largest coordinated international law enforcement action in history aimed at ‘carding’ crimes” — offenses in which criminals traffic stolen credit cards on the Internet. 

Officials claimed the sting protected more than 400,000 victims and prevented the theft of more than $205 million.

 FBI arrests dozens in credit card fraud sting – The Hill’s Hillicon Valley.


U.S., China Butt Cyber Heads | China Power


U.S., China Butt Cyber Heads

By Adam Segal

June 19, 2012

 

Navy Cyber Defense Operations Command, Watchfloor

I was in China last week for a cyber dialogue sponsored by the China Institutes of Contemporary International Relations and the Center for Strategic and International Studies. The good news is the two sides are continuing to talk. The not so good news is mistrust is high and the next steps won’t be easy or quick.

In diplomatic speak, the talks were candid and constructive. Both sides acknowledged the mistrust that characterizes the relationship. The Chinese felt their contributions to global cybersecurity, especially by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), weren’t adequately acknowledged. Both sides believe their respective governments have a strong desire for cooperation.

But there was little clarity on what concretely the two sides could actually do to build trust (except for the obvious but seemingly unattainable: for the United States, China should stop stealing so much intellectual property; and for China, the U.S. should stop trying to maintain its hegemony in cyberspace, contain Beijing, and militarize cyberspace). Calls for greater transparency were met from the Chinese with the habitual protest that this was difficult for the weaker side. When pressed for areas where China and the United States might cooperate, Chinese analysts pointed to protecting critical infrastructure and fighting crime, but also noted that cyber cooperation was a work in progress and the conditions might not be right for moving forward.

To be sure, I’m not privy to what happens behind closed-door meetings, but the Chinese response to the New York Times’ reporting about Stuxnet was more indirect than I expected. The Chinese seemed more direct and aggrieved in their critique of what they saw as the U.S. refusal to engage the International Code of Conduct for Information Security, the norms of behavior in cyberspace that China – along with Russia, Tajikistan, and Uzbekistan – has circulated at the United Nations. Their basic line? “In your International Strategy for Cyberspace you said the United States would work collaboratively to develop norms. We suggested some, not insisting that they were for everyone, and since then silence. Isn’t there anything in the International Code that you like?”

The mistrust has been worsened by both sides’ inability to signal intentions. This is of course difficult in cyberspace; governments can say that they have nothing to do with attacks, but the attribution problem makes it difficult to verify those statements. Moreover, the United States has repeatedly stated that the primary mission of Cyber Command is the defense of U.S. networks, not offensive operations. Not surprisingly, the Chinese are weighing capabilities as much as, if not more than, expressed intent.

The signaling problem has been exacerbated by what one Chinese academic called the “hype of the media” – breathless reporting about cyberwar and digital espionage. You could see the negative effects of this, as at least one Chinese analyst seemed to accept everything in U.S. newspapers as not only true, but also as the official U.S. government position. For example, the story of Secretary of State Hillary Clinton admitting that the State Department hacked al-Qaeda websites in Yemen, later clarified as the purchase of advertisements, was used as evidence of American attacks.

The big takeaway from the meeting was the need for more communication and the development of official points of contact and crisis communication procedures. There was some worrying confusion over how many hotlines exist between the two countries (at least two) and how effective they are (basically, from the U.S. perspective, not at all). It’s a cliché that cyber events can occur in hours, if not minutes, but the two sides need to prepare for the almost inevitable crisis. Summoning the other side’s ambassador for an explanation may have worked in the past, but it will be too slow today. People and procedures need to be prepositioned. Sino-U.S. cyber cooperation is a work in progress, but let’s hope this is one area where the conditions allow for progress.

 U.S., China Butt Cyber Heads | China Power.


Is U.S. in Iran Cyber War? | The Diplomat


Is U.S. in Iran Cyber War?

June 26, 2012

By Robert Dreyfuss

 

A series of revelations suggest that the U.S. and Israel are engaged in a cyber war with Iran. If true, any hope of progress in talks over Iran’s nuclear program could be jeopardized.


On June 21, Iran’s intelligence minister, Heydar Moslehi, announced that Iran had detected what he called a “massive cyber attack” against Iran’s nuclear facilities planned by “America and the Zionist regime (Israel) along with the [British spy agency] MI6.”

Moslehi may or may not have been making this up, but based on recent history and a striking series of revelations from U.S. national security officials in leaks to the New York Times, the Washington Post and in a new book, Confront and Conceal by David E. Sanger, the Iranian official has plausibility on his side.

More importantly, the Iranian charges suggest that a long-running cyberwar campaign against Iran by the United States and Israel has the potential to fatally undermine the already difficult negotiations between Iran and the so-called P5+1 world powers over Iran’s nuclear research and uranium enrichment plans. “Obama [is] prepared to let half-baked schemes undermine any chance he might have had, at least in theory, to pursue serious diplomacy with Iran,” wrote Flynt Leverett and Hilary Mann Leverett, both former officials at the National Security Council under George W. Bush, who’ve criticized Obama’s approach toward Iran.

In the worst case, in fact, the U.S.-led cyberwar effort – which, analysts in Washington say, is a form of offensive, undeclared warfare – could drastically heighten tensions between Iran and the United States even to the point of open conflict.

In Confront and Conceal, Sanger describes in detail the never-before-told story of “Olympic Games,” the code name for a major U.S. covert operation against Iran launched by the Bush administration, with Israel’s cooperation, in 2007-2008 and then vastly expanded by President Barack Obama. “You can’t help but describe it as an attack on critical infrastructure,” Michael Hayden, former director of the CIA, told Sanger. “Somebody has crossed the Rubicon,” he said, likening the cyber sabotage of Iran’s plants in some senses to the August 1945 atomic bombing of Hiroshima.

Using information gleaned from Israeli on-the-ground spies with access to facilities such as Natanz, where Iran’s centrifuges spin, the U.S. team reportedly implanted a spyware “beacon,” likely by means of a small thumb drive, making use of insider knowledge from the German industrial giant Siemens. Apparently, reports Sanger, Israeli spies recruited or subverted engineers from Siemens to help out in the cause.

Using a model of a P-1 centrifuge obtained from Libya, which appears to have used the same model as Iran, “destructive testing” using a cyber bug took place.

Obama is said to have overseen the entire operation closely, despite his concern that Iran might respond by launching attacks on American troops in Iraq, Afghanistan and the Persian Gulf, on Israel, and on the vast Saudi oil complex. He is alleged to have continued the program even after the virus, called Stuxnet by those who later analyzed it, escaped the confines of Iran’s nuclear program and spread around the globe, especially in India and Indonesia. According to media reports, discovery led to panic inside the White House. “Inside the Pentagon and the CIA, there were meetings about whether the United States would be accused of being among the first to use a cyberweapon against a sovereign state,” writes Sanger.

Indeed, the United States has spent billions of dollars developing a defense system against cyberwar attacks from abroad while, more quietly, developing its own offensive cyberwar capability at the Pentagon. More often than not, the United States is quick to accuse China and Russia of conducting cyberwarfare against the United States, though so far mostly limited, it says, to espionage and industrial secrets. To ring alarm bells about cyberwarfare against the United States, the threat has been compared with the 1941 Japanese attack on Hawaii. “There’s a strong likelihood that the next Pearl Harbor we confront could very well be a cyberattack that cripples our power systems, our grid, our security systems, our financial systems, our governmental system,” said Leon Panetta, the U.S. defense secretary.

In the case of Iran, it seems, it was the United States playing the role of 1941 Japan.

For years, there have been repeated reports of U.S. efforts to acquire and refine offensive cyberwarfare capabilities. Under a project dubbed Plan X, the Pentagon’s Defense Advanced Research Projects Agency (DARPA) is running a five-year, $110 million effort to hone the military’s ability to use cyber-warfare to “dominate the digital battlefield just like they do the traditional battlefield,” notes Herbert S. Lin, a cyber security expert with the National Research Council of the National Academies.

Besides Stuxnet, the United States and Israel also collaborated on developing a cyber bug called Flame designed to penetrate Iran’s computer systems and send back massive amounts of data that could be used to target and disrupt its nuclear research and other industrial facilities in Iran, including oil production. According to The Washington Post: “Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials who spoke on the condition of anonymity.”

Added the Post:

“The virus is among the most sophisticated and subversive pieces of malware to be exposed to date. Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take screen shots, extract geo­location data from images, and send and receive commands and data through Bluetooth wireless technology.”

So the charges from Moslehi last week don’t seem unlikely at all. What’s uncertain, now, is what Iran’s response might be.

Is U.S. in Iran Cyber War? | The Diplomat.

Stuxnet Will Come Back to Haunt Us – NYTimes.com


A Weapon We Can’t Control

By MISHA GLENNY

Published: June 24, 2012


The decision by the United States and Israel to develop and then deploy the Stuxnet computer worm against an Iranian nuclear facility late in George W. Bush’s presidency marked a significant and dangerous turning point in the gradual militarization of the Internet. Washington has begun to cross the Rubicon. If it continues, contemporary warfare will change fundamentally as we move into hazardous and uncharted territory.

It is one thing to write viruses and lock them away safely for future use should circumstances dictate it. It is quite another to deploy them in peacetime. Stuxnet has effectively fired the starting gun in a new arms race that is very likely to lead to the spread of similar and still more powerful offensive cyberweaponry across the Internet. Unlike nuclear or chemical weapons, however, countries are developing cyberweapons outside any regulatory framework.

There is no international treaty or agreement restricting the use of cyberweapons, which can do anything from controlling an individual laptop to disrupting an entire country’s critical telecommunications or banking infrastructure. It is in the United States’ interest to push for one before the monster it has unleashed comes home to roost.

Stuxnet was originally deployed with the specific aim of infecting the Natanz uranium enrichment facility in Iran. This required sneaking a memory stick into the plant to introduce the virus to its private and secure “offline” network. But despite Natanz’s isolation, Stuxnet somehow escaped into the cyberwild, eventually affecting hundreds of thousands of systems worldwide.

This is one of the frightening dangers of an uncontrolled arms race in cyberspace; once released, virus developers generally lose control of their inventions, which will inevitably seek out and attack the networks of innocent parties. Moreover, all countries that possess an offensive cyber capability will be tempted to use it now that the first shot has been fired.

Until recent revelations by The New York Times’s David E. Sanger, there was no definitive proof that America was behind Stuxnet. Now computer security experts have found a clear link between its creators and a newly discovered virus called Flame, which transforms infected computers into multipurpose espionage tools and has infected machines across the Middle East.

The United States has long been a commendable leader in combating the spread of malicious computer code, known as malware, that pranksters, criminals, intelligence services and terrorist organizations have been using to further their own ends. But by introducing such pernicious viruses as Stuxnet and Flame, America has severely undermined its moral and political credibility.

Flame circulated on the Web for at least four years and evaded detection by the big antivirus operators like McAfee, Symantec, Kaspersky Labs and F-Secure — companies that are vital to ensuring that law-abiding consumers can go about their business on the Web unmolested by the army of malware writers, who release nasty computer code onto the Internet to steal our money, data, intellectual property or identities. But senior industry figures have now expressed deep worries about the state-sponsored release of the most potent malware ever seen.

During the cold war, countries’ chief assets were missiles with nuclear warheads. Generally their number and location was common knowledge, as was the damage they could inflict and how long it would take them to inflict it.

Advanced cyberwar is different: a country’s assets lie as much in the weaknesses of enemy computer defenses as in the power of the weapons it possesses. So in order to assess one’s own capability, there is a strong temptation to penetrate the enemy’s systems before a conflict erupts. It is no good trying to hit them once hostilities have broken out; they will be prepared and there’s a risk that they already will have infected your systems. Once the logic of cyberwarfare takes hold, it is worryingly pre-emptive and can lead to the uncontrolled spread of malware.

Until now, America has been reluctant to discuss regulation of the Internet with Russia and China. Washington believes any moves toward a treaty might undermine its presumed superiority in the field of cyberweaponry and robotics. And it fears that Moscow and Beijing would exploit a global regulation of military activity on the Web, in order to justify and further strengthen the powerful tools they already use to restrict their citizens’ freedom on the Net. The United States must now consider entering into discussions, anathema though they may be, with the world’s major powers about the rules governing the Internet as a military domain.

Any agreement should regulate only military uses of the Internet and should specifically avoid any clauses that might affect private or commercial use of the Web. Nobody can halt the worldwide rush to create cyberweapons, but a treaty could prevent their deployment in peacetime and allow for a collective response to countries or organizations that violate it.

Technical superiority is not written in stone, and the United States is arguably more dependent on networked computer systems than any other country in the world. Washington must halt the spiral toward an arms race, which, in the long term, it is not guaranteed to win.

Stuxnet Will Come Back to Haunt Us – NYTimes.com.

U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say – The Washington Post


U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say

By Ellen Nakashima, Greg Miller and Julie Tate, Tuesday, June 19

The United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort. 


The massive piece of malware secretly mapped and monitored Iran’s computer networks, sending back a steady stream of intelligence to prepare for a cyberwarfare campaign, according to the officials.


Iran’s quest to possess nuclear technology: Iran said it has made advances in nuclear technology, citing new uranium-enrichment centrifuges and domestically made reactor fuel.

The effort, involving the National Security Agency, the CIA and Israel’s military, has included the use of destructive software such as the Stuxnet virus to cause malfunctions in Iran’s nuclear-enrichment equipment.

The emerging details about Flame provide new clues to what is thought to be the first sustained campaign of cyber-sabotage against an adversary of the United States.

“This is about preparing the battlefield for another type of covert action,” said one former high-ranking U.S. intelligence official, who added that Flame and Stuxnet were elements of a broader assault that continues today. “Cyber-collection against the Iranian program is way further down the road than this.”

Flame came to light last month after Iran detected a series of cyberattacks on its oil industry. The disruption was directed by Israel in a unilateral operation that apparently caught its American partners off guard, according to several U.S. and Western officials, speaking on the condition of anonymity.

There has been speculation that the United States had a role in developing Flame, but the collaboration on the virus between Washington and Israel has not been previously confirmed. Commercial security researchers last week reported that Flame contained some of the same code as Stuxnet. Experts described the overlap as DNA-like evidence that the two sets of malware were parallel projects run by the same entity.

Spokesmen for the CIA, the NSA and the Office of the Director of National Intelligence, as well as the Israeli Embassy in Washington, declined to comment.

The virus is among the most sophisticated and subversive pieces of malware to be exposed to date. Experts said the program was designed to replicate across even highly secure networks, then control everyday computer functions to send secrets back to its creators. The code could activate computer microphones and cameras, log keyboard strokes, take screen shots, extract geolocation data from images, and send and receive commands and data through Bluetooth wireless technology.

Flame was designed to do all this while masquerading as a routine Microsoft software update; it evaded detection for several years by using a sophisticated program to crack an encryption algorithm.

“This is not something that most security researchers have the skills or resources to do,” said Tom Parker, chief technology officer for FusionX, a security firm that specializes in simulating state-sponsored cyberattacks. He said he does not know who was behind the virus. “You’d expect that of only the most advanced cryptomathematicians, such as those working at NSA.”

Flame was developed at least five years ago as part of a classified effort code-named Olympic Games, according to officials familiar with U.S. cyber-operations and experts who have scrutinized its code. The U.S.-Israeli collaboration was intended to slow Iran’s nuclear program, reduce the pressure for a conventional military attack and extend the timetable for diplomacy and sanctions.

The cyberattacks augmented conventional sabotage efforts by both countries, including inserting flawed centrifuge parts and other components into Iran’s nuclear supply chain.

The best-known cyberweapon let loose on Iran was Stuxnet, a name coined by researchers in the antivirus industry who discovered it two years ago. It infected a specific type of industrial controller at Iran’s uranium-enrichment plant in Natanz, causing almost 1,000 centrifuges to spin out of control. The damage occurred gradually, over months, and Iranian officials initially thought it was the result of incompetence.

The scale of the espionage and sabotage effort “is proportionate to the problem that’s trying to be resolved,” the former intelligence official said, referring to the Iranian nuclear program. Although Stuxnet and Flame infections can be countered, “it doesn’t mean that other tools aren’t in play or performing effectively,” he said.

To develop these tools, the United States relies on two of its elite spy agencies. The NSA, known mainly for its electronic eavesdropping and code-breaking capabilities, has extensive expertise in developing malicious code that can be aimed at U.S. adversaries, including Iran. The CIA lacks the NSA’s sophistication in building malware but is deeply involved in the cyber-campaign.

The CIA’s Information Operations Center is second only to the agency’s Counterterrorism Center in size. The IOC, as it is known, performs an array of espionage functions, including extracting data from laptops seized in counterterrorism raids. But the center specializes in computer penetrations that require closer contact with the target, such as using spies or unwitting contractors to spread a contagion via a thumb drive.

Both agencies analyze the intelligence obtained through malware such as Flame and have continued to develop new weapons even as recent attacks have been exposed.

Flame’s discovery shows the importance of mapping networks and collecting intelligence on targets as the prelude to an attack, especially in closed computer networks. Officials say gaining and keeping access to a network is 99 percent of the challenge.

“It is far more difficult to penetrate a network, learn about it, reside on it forever and extract information from it without being detected than it is to go in and stomp around inside the network causing damage,” said Michael V. Hayden, a former NSA director and CIA director who left office in 2009. He declined to discuss any operations he was involved with during his time in government.

Years in the making

The effort to delay Iran’s nuclear program using cyber-techniques began in the mid-2000s, during President George W. Bush’s second term. At that point it consisted mainly of gathering intelligence to identify potential targets and create tools to disrupt them. In 2008, the program went operational and shifted from military to CIA control, former officials said.

Despite their collaboration on developing the malicious code, the United States and Israel have not always coordinated their attacks. Israel’s April assaults on Iran’s Oil Ministry and oil-export facilities caused only minor disruptions. The episode led Iran to investigate and ultimately discover Flame.

“The virus penetrated some fields — one of them was the oil sector,” Gholam Reza Jalali, an Iranian military cyber-official, told Iranian state radio in May. “Fortunately, we detected and controlled this single incident.”

Some U.S. intelligence officials were dismayed that Israel’s unilateral incursion led to the discovery of the virus, prompting countermeasures.

The disruptions led Iran to ask a Russian security firm and a Hungarian cyber-lab for help, according to U.S. and international officials familiar with the incident.

Last week, researchers with Kaspersky Lab, the Russian security firm, reported their conclusion that Flame — a name they came up with — was created by the same group or groups that built Stuxnet. Kaspersky declined to comment on whether it was approached by Iran.

“We are now 100 percent sure that the Stuxnet and Flame groups worked together,” said Roel Schouwenberg, a Boston-based senior researcher with Kaspersky Lab.

The firm also determined that the Flame malware predates Stuxnet. “It looks like the Flame platform was used as a kick-starter of sorts to get the Stuxnet project going,” Schouwenberg said.

U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say – The Washington Post.

Stuxnet cyberattack by US a ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says


Stuxnet cyberattack by USA ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says

Schneier calls Stuxnet ‘mistake’ for US, argues world needs to tackle cyber-arms control

By Ellen Messmer, Network World
June 18, 2012


Revelations by The New York Times that President Barack Obama, in his role as commander in chief, ordered the Stuxnet cyberattack against Iran’s uranium-enrichment facility two years ago in cahoots with Israel are generating controversy, with Washington in an uproar over national-security leaks. But the important question is whether this covert act of sabotage against Iran, the first known major cyberattack authorized by a U.S. president, is the right course for the country to take. Are secret cyberattacks helping the U.S. solve geopolitical problems or actually making things worse?

Bruce Schneier, noted security expert and author, whose most recent book is “Liars and Outliers,” argues the U.S. made a mistake with Stuxnet, and he discusses why it’s important for the world to tackle cyber-arms control now in an interview with Network World senior editor Ellen Messmer.


The question is going to be debated whether Stuxnet was a good tactic to stop Iran from developing a nuclear weapon by sabotaging its facility through a malware attack in a covert action that was ultimately discovered. In an interview with Chris Wallace on Fox News last night, former National Security Agency director, retired Gen. Michael Hayden, said he thought it amounted to “taunting Iran.” Based on the mix of military leadership, governmental leadership and ethical questions it raises, is Stuxnet a suitable approach?

There are two parts to this analysis. The first is tactical: Is a cyber-weapon more or less suitable than a conventional weapon? In 2007 Israel attacked a Syrian nuclear facility; it was a conventional attack with warplanes and bombs. Comparing the two, Stuxnet seems far more humane — even though it damaged networks outside of Iran. The other part to the analysis is more strategic. Stuxnet didn’t just damage the Natanz nuclear facility; it damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response. For that reason, Stuxnet was a destabilizing and dangerous course of action.

David Sanger’s NY Times article of June 1, headlined “Obama order sped up wave of cyberattacks against Iran,” offers a vivid account of how President Obama decided cyberattacks against Iran should proceed through cooperation with Israel through use of the Stuxnet malware. However effective this might have been in stopping Iran from developing a nuclear weapon, it’s now widely thought that the Stuxnet malware got out of control, spreading in the wild. What’s your view on this, assuming the Times article is fully accurate?

It seems to be correct.

Sanger’s article was very interesting, and it is worth reading, but it basically confirmed everything we all knew. We knew that Stuxnet was the work of Israel and the United States. We knew that it was intended as a pinpoint attack, and spread beyond its intended target. Other investigative journalists uncovered these truths already. What Sanger’s article added to the discussion was detail about the program from inside both the Obama and the Bush administrations.

Richard Clarke’s book “Cyber War” draws the distinction between cyber-espionage and cyberattacks. He argues cyber-espionage should basically be considered a routine, acceptable practice of any country as part of government intelligence operations. But he argues other state-sponsored operations, such as putting malware secretly into a power grid, for example, or launching an actual attack, are distinctly different, and have to be considered in the realm of offensive weapons. Clarke suggests cyberweapons should be subject to arms control agreements of various sorts, much as other types of weapons that can be used in war are today. Do you draw the distinction between cyber-espionage and cyberweapons along these lines? And should there be an effort by the U.S. and others to craft treaties related to cyber-arms?

Of course there’s a difference between intelligence gathering and offensive military actions. Throughout history, there has been a bright line between the two. And what’s true in the geopolitics of the physical world is no different in cyberspace. This same distinction also exists in computer security more generally. There is a fundamental difference between passive eavesdropping attacks and more active attacks that delete or overwrite data. As to arms control agreements, I think it is vital for both society and cyberspace that we begin these discussions now. We’re in the early years of a cyberwar arms race, an arms race that will be expensive, destabilizing, and dangerously damaging. It will lead to the militarization of cyberspace, and the transformation of the Internet into something much less free and open. Perhaps it’s too late to reverse this trend — certainly you can argue that military grade cyberweapons like Stuxnet and Flame have already destroyed the U.S.’s credibility as a leader for a free and open Internet — but the only chance we have are cyberweapons treaties.

If so, how do you think that should proceed?

I’m not an idealist. I know that cyberwar treaties will be difficult to negotiate and even more difficult to enforce. Given how easy it is for a country to hide a chemical weapons plant, I know that it will be even easier to hide a cyberweapons plant. I also know that there is a lot of money and power trying to sow cyberwar fears.

But even with all of this, I think there is enormous value in the treaty process — and in the treaties themselves. I think we need to proceed by starting the dialogue. We made a mistake with Stuxnet: We traded a small short-term gain for a large longer-term loss. We can’t undo that, but we can do better in the future.

Stuxnet cyberattack by US a ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says.

Adopt the cloud, kill your IT career | Data Center – InfoWorld


JUNE 11, 2012

Adopt the cloud, kill your IT career

It’s irresponsible to think that just because you push a problem outside your office, it ceases to be your problem

By Paul Venezia


It’s safe to say that you receive many solicitations from vendors of every stripe hawking their new cloud services: software, storage, apps, hosted this, managed that. “Simplify your life! Reduce your burden! It’s a floor wax and a dessert topping!” Some of these services deliver as promised, within fairly strict boundaries, though some are not what they seem. Even more have a look and feel that can make you swoon, but once you start to peer under the covers, the specter of integrating the service with your infrastructure stares back at you and steals your soul.

It’s not just the possibility of empty promises and integration issues that dog the cloud decision; it’s also the upgrade to the new devil, the one you don’t know. You might be eager to relinquish responsibility of a cranky infrastructure component and push the headaches to a cloud vendor, but in reality you aren’t doing that at all. Instead, you’re adding another avenue for the blame to follow. The end result of a catastrophic failure or data loss event is exactly the same whether you own the service or contract it out. The difference is you can’t do anything about it directly. You jump out of the plane and hope that whoever packed your parachute knew what he or she was doing.

A common counter to this perspective is that a company can’t expect to be able to hire subject experts at every level of IT. In this view, working with a cloud or hosted service vendor makes sense because there’s a high concentration of expert skill at a company whose sole focus is delivering that service. There’s some truth to that, for sure, but it’s not the same as infallibility. Services can fail for reasons well outside the technological purview, no matter how carefully constructed they may be. Of course, they can and do fail without outside assistance as well. The Titanic was unsinkable, if you recall.

Let’s look at LinkedIn, eHarmony, and Last.fm. Although they may not be considered cloud providers in the strictest sense, they’re veteran Internet companies that employ many highly skilled people to build and maintain their significant service offerings. They are no strangers to this game. Yet in the past week, all three had major security issues wherein thousands or millions of user account details were compromised. LinkedIn reportedly lost 6.5 million account details, including passwords, to the bad guys.

Just imagine if LinkedIn were a cloud provider responsible for handling your CRM or ERP application. You now have to frantically ensure that all your users change passwords or have them changed and relayed to the right party. You have to deal with what could conceivably be compromised data, rendering the application less than useless. What’s left of your hair is on fire — but you can’t do anything about it directly. You can only call and scream at some poor account rep who has no technological chops whatsoever, yet is thrown to the wolves. Don’t think that this can’t or won’t happen. It’s guaranteed to happen — again and again.

Now imagine where you’ll be when you’ve successfully outsourced the majority of your internal IT to cloud providers. All your email, apps, storage, and security rest easy in the cloud. You have fancy Web consoles to show you what’s going where and what resources you’re consuming. You no longer have to worry about the pesky server hardware in the back room or all those wires. If a problem arises, you fire off an email or open a support ticket, sit back, and wait.

Once that becomes the norm, the powers that be might realize they don’t need someone to do any of those tasks. I mean, if they’re paying good money to these vendors for this hosted cloud stuff, why do they need an IT department? They’d be mistaken, of course, but frankly, they’d also have a point. After all, anyone can call a vendor and complain.

Don’t get me wrong. I believe there are many areas in which the cloud brings significant benefits to an organization of any size. Data warehousing, archiving, and backup using cloud storage providers that offer block-level storage, tightly integrated security, and local storage caching and abstraction devices come to mind.

But on the opposite end of that spectrum are application and primary storage services that function at higher levels and can be compromised with a single leaked password. Aside from the smallest of companies, these services collected into any form cannot serve as a full-on replacement for local IT. Doing so places the organization in unnecessary jeopardy on a daily basis. 

Cloud vendors necessarily become targets for computer criminals, and however vigilant the vendor may be, at some point they’re going to be compromised. Judging by the recent revelations of Stuxnet, Flame, and Duqu, this may have already happened. Don’t think that I’m being overly paranoid, either. If I’d told you a month ago that several widespread viruses were completely undetectable by antivirus software due to the fact they were signed using Microsoft certificates, you’d have thought the same. But it happened.

If and when it comes to light that a major cloud vendor has been compromised for months and has divulged significant amounts of sensitive customer information to hackers over that period, we should not be surprised. I mean, City College of San Francisco had been compromised for more than a decade before anyone figured it out.

The fact of the matter is that a significant internal or external event occurring at one or more cloud providers can be ruinous for that provider and, by extension, its customers. That means you in IT. The best idea is to use cloud offerings wisely, and be ever vigilant about maintaining control over what little you can. Trust, but verify — and keep your cards close to the vest.

Adopt the cloud, kill your IT career | Data Center – InfoWorld.
