EFF sues the NSA, Bush, Cheney, Addington, etc.

The Electronic Frontier Foundation has filed Jewel v. NSA to try another tactic in stopping unconstitutional warrantless wiretapping of U.S. residents. Their previous lawsuit against AT&T, Hepting v. AT&T, is still in federal court as the EFF argues with the government over whether the telecom immunity law passed by our spineless Congress is itself constitutional or applicable to the case. Jewel v. NSA names as defendants the National Security Agency, President George W. Bush, Vice President Dick Cheney, Cheney’s chief of staff David Addington, former Attorney General Alberto Gonzales, and “other individuals who ordered or participated in warrantless domestic surveillance.”

September 20, 2008 · 1 min

Sarah Palin's Yahoo account hacked

Sarah Palin has apparently been using a personal email account for State of Alaska business (perhaps following Republican precedent on how to avoid subpoenas?), and it’s been compromised. Wikileaks has the documents. UPDATE (September 19, 2008): The screenshots used by the attacker showed that he used ctunnel as his web proxy, and contained enough information to identify his source IP in ctunnel’s logs. As pointed out by commenter Schtacky, it looks like they’ve identified the culprit, who used some Google research and Yahoo’s password recovery feature to change the password on the account to break in. This shows the problem with choosing “security questions” for password recovery that have answers which are easily publicly available. I hope that this kid’s actions don’t sabotage the corruption case against Palin that may have been supported by evidence in her Yahoo email, evidence that is now tainted by the fact that it was compromised (and subsequently deleted). ...

September 17, 2008 · 1 min

Virginia Supreme Court strikes down anti-spam law

Spammer Julian Jaynes now gets off as a result of a bad decision from the Virginia Supreme Court, reversing its own previous decision from six months ago. The court ruled that the Virginia anti-spam law’s prohibition of header falsification constitutes an unconstitutional infringement of the right to anonymous political and religious speech, suggesting that it would have been acceptable if it had been limited to commercial speech. The court’s decision was predicated on the assumption that header falsification is a necessary requirement for anonymity, but this is a faulty assumption. All that is needed for anonymity is the omission of identity information that leads back to an individual, not the falsification of headers or identity information. That can be done with remailers, proxies, and anonymously-obtained email accounts, with no header falsification required. I previously made this argument in more detail in response to the arguments given by Jaynes’ attorney in the press. I also disagree with the court’s apparent assumption that commercial speech is deserving of less protection than religious or political speech. What makes spam a problem is its unsolicited bulk nature, not its specific content.

September 12, 2008 · 1 min

When t-shirts, coffee tables, and screws are munitions

One of my prized possessions, now in a box in a closet somewhere, is a T-shirt that says on its front “This T-shirt is a munition.” Underneath it is some machine-readable barcode that encodes the RSA public-key encryption algorithm expressed in Perl. As the seller of the shirt advertised, “it’s machine washable and machine readable.” When I bought and regularly wore that shirt, taking it out of the country was a crime punishable by up to a $1 million fine and 10 years in federal prison. This is because U.S. rules under the International Traffic in Arms Regulation (ITAR), then enforced by the Department of Commerce, ruled that strong encryption qualified as a munition subject to export controls and requiring a special license for export. After the Dan Bernstein case was decided in 1996, computer source code printed in a book (human readable format) was not subject to export controls, but computer source code in a machine readable format, such as on my shirt, still was. So I could wear my other T-shirt with RSA Perl code on it, which had a program in the shape of a dolphin, out of the country, but not the machine readable “This T-shirt is a munition” shirt. The implication was that you could take a copy of Bruce Schneier’s Applied Cryptography out of the country without an export license, but not a disk containing the very same code fragments printed in the book. This website authored by Adam Back, written at the time, proposed some possible motives for government restrictions on cryptography. What the ITAR regulations on cryptography did for Internet software development was prohibit web browsers and server software from implementing the strong encryption necessary to protect electronic commerce from being exported from the United States. The result was that this development work simply occurred offshore. There were no barriers to importation of the software into the U.S., only to export it out.
So the software was developed and sold by companies in places like Canada, Russia, and Estonia, which had no such inane restrictions. Finally, in 1999, the U.S. wised up and relaxed the ITAR restrictions on encryption, allowing export without a license to most countries (the exceptions being countries with links to state-sponsored terrorism). But ITAR is still around, and still having the unintended effect of pushing business out of the United States. The current victim is commercial satellite production. In 1999, ITAR authority over satellite technology export was shifted from the Department of Commerce to the Department of State, and since that time the U.S. share of commercial satellite manufacturing has dropped from 83% to 50%. The company Alcatel Alenia Space, now known as Thales Alenia, took steps in the late nineties to eliminate all U.S.-manufactured components from its satellites, with the result that it has subsequently doubled its market share to over 20%. The European Space Agency, Canada’s Telesat, and the French company EADS Sodern, that makes satellite control and positioning systems, have all been phasing out their use of U.S.-supplied components. They’ve done this because dealing with U.S. vendors increases costs (due to regulatory compliance costs) and causes unpredictable delays in the supply of parts. Nevada’s Bigelow Aerospace delivered an aluminum satellite stand to Russia in 2006, which Robert Bigelow described as “indistinguishable from a common coffee table.” But because it’s associated with a satellite and officially part of a satellite assembly, it is covered by ITAR and had to be guarded by two security guards at all times. Even commodity items like screws and wiring, when part of a satellite, are covered by ITAR regulations. The purpose of ITAR is to prevent key U.S. technologies with military applications from being leaked out to other countries that might be hostile to the U.S. 
But the effect of its overly broad application has been to shift the development of that technology to other countries and reduce the ability of U.S. companies to compete in the commercial satellite business. Congress should look to reform ITAR; when export controls are so badly broken as to have nearly the opposite of the intended effect, they clearly need to be relaxed. (Satellite and ITAR info via “Earthbound,” The Economist, August 23, 2008, pp. 66-67.) ...

August 30, 2008 · 4 min

Military botnets article

I’m quoted in Peter Buxbaum’s “Battling Botnets” article in the August 20, 2008 Military Information Technology. It didn’t really fully capture the points I made in the interview, and I don’t remember saying the statement at the end about using botnets as an offensive measure as “a nuclear option.” I said that nullrouting is a much better method of denial of service for network service providers than flooding attacks, and made a point similar to Schneier’s about military attacks on the infrastructure of another nation that the U.S. is at war with–it would be more useful to obtain access to their systems, monitor, and disrupt than to just shut off access completely, but those points weren’t reflected in the article. I’ve written more about military use of botnets at this blog.

August 29, 2008 · 1 min

The Case Against Bruce Ivins

The Smoking Gun has a collection of documents about the government’s case against suicidal government bioweapons researcher Bruce Ivins that is fascinating. Apparently he engaged in an “edit war” on the Wikipedia entry for the Kappa Kappa Gamma sorority (which my mother belonged to). He regularly posted negative information there, and became angry when it was deleted. He claimed that KKG had labeled him an “enemy” and issued a “fatwah” against him, and he broke into a KKG sorority house to steal a KKG handbook during his postdoc fellowship at UNC Chapel Hill. The documents also show ties between Ivins and the American Family Affiliation, a conservative Christian group known for threatening boycotts against companies that do things like support gay rights, and with pro-life groups. He was a regular user of pseudonyms and multiple email addresses. The documents show that he was clearly a very disturbed individual. (Previously.) UPDATE (August 9, 2008): Ivins’ coworker Meryl Nass lays out the case for reasonable doubt about Ivins’ involvement at her blog. Hume’s Ghost points out in the comments that the anthrax attacks were used to help justify the invasion of Iraq on the grounds that the anthrax apparently originated there. One of the Glenn Greenwald articles Hume’s Ghost alludes to, about false claims that the anthrax contained bentonite which tied it to Iraq, may be found here. A nice quote from that article: ...

August 8, 2008 · 6 min

Bush pressured FBI to blame anthrax on al Qaeda

White House officials pressured the FBI to blame the 2001 anthrax attacks on al Qaeda, even after it was already known that the anthrax was a strain that came from U.S. Army laboratories, according to a retired senior FBI official. Just another example of Bush administration deception.

Historical Comments

Hume's Ghost (2008-08-06): Seen this yet? The bit about Suskind's research assistant getting detained is interesting. After his first book about Bush, the book's main subject Paul O'Neal was investigated for breaking the law (he was cleared.) I forgot to make note of it in my post, but we do already know that this administration has stepped up its surveillance efforts of journalists when it comes to pursuing leaks - which is precisely what Suskind is good at getting ... as indicated by the absolute jaw-dropper in the link. I also watched Suskind on Olbermann this evening. Two of his sources have come out saying they didn't tell Suskind what they told him, but he kind of laughed that off because he says he has the taped conversations. ...

August 5, 2008 · 1 min

Prosecution target for anthrax attacks commits suicide

Upon learning that he was about to be the target of a prosecution for the 2001 anthrax attacks that killed five people, U.S. government biodefense researcher Bruce Ivins killed himself on Tuesday with an overdose of Tylenol with codeine. Ivins became a suspect after it was discovered that he had failed to report anthrax contaminations at his lab at Fort Detrick, Maryland, in 2002. In late 2008, he was ordered to stay away from a social worker who had counseled him, Jean Duley, who would have testified against him at his trial. In Duley’s application for a protective order, she said that Ivins had stalked her and threatened to kill her. Ivins worked at the same lab where a prior “person of interest” in the case, Stephen Hatfill, also worked. Hatfill was cleared of involvement with the attacks and won a $5.8 million settlement from the Justice Department after he sued for harassment and privacy act violations. Hatfill also won a $10 million libel judgment against Vanity Fair and Reader’s Digest for an article by Donald Foster which claimed that Hatfill’s writings and travels connected him to the anthrax attacks. Ivins’ attorney claims that he was innocent, but if that were the case, wouldn’t his response have been more like Hatfill’s? Perhaps, perhaps not. Private investigator and former CNN reporter Pat Clawson, who was also a spokesperson for Hatfill, said on Friday that news organizations and the public should be “deeply skeptical” about any notion that Dr. Ivins was the anthrax killer unless and until solid evidence is brought forth. “Everybody is jumping to the conclusion that because this guy committed suicide, he must be the anthrax killer,” Mr. Clawson said. “That is a lousy premise. The pressure of these F.B.I. investigations on individuals is phenomenal, and it is quite likely that this guy cracked under that pressure but had nothing to do with the killings.” ...

August 1, 2008 · 3 min

Expert tells China visitors to encrypt data as U.S. announces policy of laptop seizure

I saw two articles this morning which I think invite comparison. First, Phil Dunkelberger, CEO of PGP Corporation, says people visiting China should take laptops with no data, or encrypt what data they have: Travelers carrying smart cell phones, blackberries or laptop computers could unwittingly be offering up sensitive personal or business information to officials who monitor state-controlled telecommunications carriers, Dunkelberger said. He said that without data encryption, executives could have business plans or designs pilfered, while journalists’ lists of contacts could be exposed, putting sources at risk. ...

August 1, 2008 · 3 min

Did Diebold tamper with Georgia's 2002 elections?

Former McCain advisor and security researcher Stephen Spoonamore suggested at a press conference on Thursday that Diebold tampered with Georgia’s 2002 elections for Governor and Senator, in which Republican Sen. Saxby Chambliss defeated incumbent Democrat Sen. Max Cleland. Spoonamore was given a copy of a patch applied to Diebold machines in two strongly Democratic counties, DeKalb and Fulton, by Diebold CEO Bob Urosevich, allegedly in order to fix a clock-related problem. Spoonamore found that the patch did nothing to correct the clock problem, and contained two copies of the same program, but was unable to determine exactly what it did without access to the Diebold hardware. He has supplied a copy of the patch, which he obtained from a whistleblower in the Georgia Secretary of State’s office, to the Department of Justice.

July 20, 2008 · 1 min