Operation Bot Roast

Yesterday, the Washington Post reported on the FBI’s “Operation Bot Roast,” which busted several criminal users of botnets: James C. Brewer, of Arlington, Texas. He was indicted Tuesday on charges of infecting more than 10,000 computers globally, including two Chicago-area hospitals operated by the Bureau of Health Services in Cook County, Ill. The computers at the two hospitals were linked to the health care bureau’s mainframe system. They repeatedly froze or rebooted from October to December last year, resulting in delayed medical services, according to the indictment. Brewer was released on a $4,500 bond, court records show. ...

June 14, 2007 · 2 min

Microsoft's new Turing Test

Microsoft Research has partnered with Petfinder.com to come up with a new test for determining whether there’s a live human behind the keyboard or just a computer program. It’s called Asirra, Animal Species Image Recognition for Restricting Access. The method presents twelve photographs of dogs and cats from Petfinder.com (each of which has an “adopt me” link associated with it) and asks the viewer to select all of the cats.

Historical Comments

Einzige (2007-06-12): I definitely prefer looking at cute pictures to deciphering those frustrating CAPTCHA thingies! ...

June 12, 2007 · 1 min

The bots of summer

My two-part appearance on “The Security Catalyst” podcast last year has resulted in some media coverage of botnets this week at IT World Canada. The article, “The botnet menace–and what you can do about it,” by Joaquim P. Menezes, is more detailed than most media coverage of bots has been. He draws on both my Security Catalyst interview and my colleague Bob Hagen’s blog post on bots.

June 6, 2007 · 1 min

Spying on the Homefront

Tomorrow night on PBS’s Frontline is “Spying on the Homefront”: FRONTLINE addresses an issue of major consequence for all Americans: Is the Bush administration’s domestic war on terrorism jeopardizing our civil liberties? Reporter Hedrick Smith presents new material on how the National Security Agency’s domestic surveillance program works and examines clashing viewpoints on whether the president has violated the Foreign Intelligence Surveillance Act (FISA) and infringed on constitutional protections. In another dramatic story, the program shows how the FBI vacuumed up records on 250,000 ordinary Americans who chose Las Vegas as the destination for their Christmas-New Year’s holiday, and the subsequent revelation that the FBI has misused National Security Letters to gather information. Probing such projects as Total Information Awareness, and its little known successors, Smith discloses that even former government intelligence officials now worry that the combination of new security threats, advances in communications technologies, and radical interpretations of presidential authority may be threatening the privacy of Americans. (Via the Electronic Frontier Foundation.)

May 15, 2007 · 1 min

CALEA compliance day

Today’s the day that providers of VoIP and broadband Internet in the United States must comply with CALEA, mandating that they supply a way for law enforcement to eavesdrop on any communications carried over those mechanisms. I suspect many VoIP providers are in compliance but that fewer broadband Internet providers are, since the draft standard for CALEA for data over broadband Internet only came out in March. (And if you’d like to read the standard, it will cost you $164 for the PDF or $185 for a paper copy.) Bob Hagen at the Global Crossing blog points out some free tools that can be used to protect your privacy.

May 15, 2007 · 1 min

Banning the distribution of AACS keys is futile

AACS keys are used to encrypt the content of HD-DVDs (this is an oversimplification; see Ed Felten’s Freedom-to-Tinker blog for more detail). A particular “processing key” for AACS has recently been distributed on the Internet, with the AACS Licensing Authority issuing cease and desist orders to try to stop it. This has led to new and creative ways of distributing this 128-bit number, just as occurred with the DeCSS code for decrypting DVDs. When a cease-and-desist order went to digg, digg’s users proceeded to give diggs to many different sites, at one point leading to the entire front page of digg being full of nothing but links to pages with the AACS key. A couple of the more interesting methods include making the number into a song and displaying it with satellite photos of buildings that resemble hex digits. One individual appears to have had it tattooed on his chest. This is exactly what we saw with DeCSS, which is memorialized in Dave Touretzky’s Gallery of CSS Descramblers. This case is even more absurd, in that AACS LA is claiming ownership of a number–and a relatively short one–not because it encodes any content or algorithm, but because it’s one of potentially millions of keys assigned for use with its system. UPDATE (May 11, 2007): As this t-shirt makes clear, trying to protect against the distribution of a 128-bit number is futile when knowledge of the number can be easily distributed without using the number itself. I’d love to see AACS LA try to make a case against the marketing and sale of this shirt.

May 3, 2007 · 2 min

FBI focus on counterterrorism leads to increase in unprosecuted fraud and identity theft

With the FBI being directed to focus its attention on counterterrorism, its investigations of fraud, identity theft, civil rights violations, and crime in general have plummeted: – Overall, the number of criminal cases investigated by the FBI nationally has steadily declined. In 2005, the bureau brought slightly more than 20,000 cases to federal prosecutors, compared with about 31,000 in 2000 – a 34 percent drop. – White-collar crime investigations by the bureau have plummeted in recent years. In 2005, the FBI sent prosecutors 3,500 cases – a fraction of the more than 10,000 cases assigned to agents in 2000…. ...

April 12, 2007 · 2 min

The rsync.net warrant canary

You aren’t allowed to say if you’ve received a National Security Letter. But there’s no law that says you can’t say that you haven’t received one. Thus, rsync.net has a “warrant canary”–they periodically post a cryptographically signed statement that they have not, to date, received any PATRIOT Act warrants or had any searches and seizures. If they stop updating the statement, then you can draw your own conclusions. The second of these library signs uses the same principle: “The FBI has not been here [watch closely for removal of this sign].” (Via jwz’s blog, where some commenters question whether the recent Washington Post piece by the recipient of a National Security Letter is truthful. Note that the ACLU has a lawsuit going on about this case, which I previously noted back in 2005.) ...

March 25, 2007 · 1 min

My National Security Letter Gag Order

Yesterday’s Washington Post prints a first-hand anonymous account from the head of a small ISP who received a National Security Letter from the FBI, which was an apparent abuse of authority: Three years ago, I received a national security letter (NSL) in my capacity as the president of a small Internet access and consulting business. The letter ordered me to provide sensitive information about one of my clients. There was no indication that a judge had reviewed or approved the letter, and it turned out that none had. The letter came with a gag provision that prohibited me from telling anyone, including my client, that the FBI was seeking this information. Based on the context of the demand – a context that the FBI still won’t let me discuss publicly – I suspected that the FBI was abusing its power and that the letter sought information to which the FBI was not entitled. Rather than turn over the information, I contacted lawyers at the American Civil Liberties Union, and in April 2004 I filed a lawsuit challenging the constitutionality of the NSL power. I never released the information the FBI sought, and last November the FBI decided that it no longer needs the information anyway. But the FBI still hasn’t abandoned the gag order that prevents me from disclosing my experience and concerns with the law or the national security letter that was served on my company. In fact, the government will return to court in the next few weeks to defend the gag orders that are imposed on recipients of these letters. Living under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case – including the mere fact that I received an NSL – from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. 
When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie. I resent being conscripted as a secret informer for the government and being made to mislead those who are close to me, especially because I have doubts about the legitimacy of the underlying investigation. More at the Washington Post.

March 24, 2007 · 2 min

Conservatives pile on Dinesh D'Souza

Over at Sinners in the Hands of an Angry Blog, Tim Lee points us to a dogpile of conservative criticism of Dinesh D’Souza’s book, The Enemy at Home. Some choice quotes: D’Souza has written a very bad book. If one were to take his NRO apologia seriously, his dishonesty would appear to be an issue secondary to his grandiosity. But he is not to be taken seriously and his dishonesty is the primary issue. Thus in his apologia D’Souza fails to address the thesis that frames his book. His thesis, let it be remembered, is this: “The cultural left in this country is responsible for causing 9/11.” It is a thesis, he states in the very first sentence of the book, “that will seem startling at the outset.” It is startling because he is the first writer commenting on 9/11 to have tumbled to its cause. [Scott Johnson] and “When in doubt, change the subject.” I don’t really blame Dinesh D’Souza for following that cynical bit of debater’s advice. Had I written The Enemy at Home, I would be tempted to try it, too. Alas, I fear that his 6,800-word effort to stimulate, er, “civil discussion” has failed. Why? It has nothing to do with “heresy,” as D’Souza suggests. He comes much closer when he mentions “massive errors of fact or logic.” The problem with The Enemy at Home is . . . well, everything. (I put this more politely in my original review.) What I mean is that it’s not a matter of this or that argument going astray. It’s rather that D’Souza’s major premise—that “the cultural left in this country is responsible for causing 9/11”—is wildly at odds with reality. Starting out from that mistake, D’Souza takes readers on a fantastical voyage in which white is black, day is night, and a dozen jihadists plowed jetliners into skyscrapers because of Britney Spears—or maybe it was because of Hillary Clinton, America’s high divorce-rate, or its lamentable practice of tolerating homosexuals instead of stoning them to death. [Roger Kimball] More at Sinners in the Hands of an Angry Blog, including a link to the full set of criticisms. ...

March 17, 2007 · 3 min