NSA's data mining and eavesdropping described

The March 10 Wall Street Journal contains a fairly detailed description of the data mining operation being run by the NSA. The program described is more data mining than eavesdropping, though it does involve the collection of transactional data like call detail records for telephone calls, and intercepted Internet data like web search terms and email senders and recipients. Also included is financial transaction data and airline data. I think most of this had already been pieced together, but this is a fairly comprehensive summary in one place. The WSJ story reports that leads generated from the data mining effort are then fed into the Terrorist Surveillance Program, which does warrantless eavesdropping. (An earlier version of this post incorrectly referred to the whole operation as the Terrorist Surveillance Program.) ...

March 12, 2008 · 2 min

Interesting articles in The Economist

A few articles of interest from the last couple of issues of The Economist:

February 23, 2008: “Moral thinking,” a summary of recent research that sheds light on human moral reasoning processes. Video here. (A related, more in-depth story is Steven Pinker’s “The Moral Instinct” which appeared in The New York Times Magazine on January 13.)

March 1, 2008: “Winds of change,” a summary of research to use breathalyzer technology to diagnose medical conditions. “Telltale hairs,” about new methods of forensics to use hair analysis to identify a person’s location at a given time (based on water consumption–could drinking imported bottled water be used to thwart this?).

March 10, 2008 · 1 min

RateMyCop

RateMyCop.com is a new website that allows you to rate individual police officers on the basis of your interactions with them, on the attributes of authority, fairness, and satisfaction, for which you can rate them poor, average, or good, and leave specific comments about your interactions. The site describes itself like this:

Welcome to RATEMYCOP.com, the online watchdog organization serving communities nationwide. RATEMYCOP.com is not affiliated with any government agency; we are an independent, privately managed organization. Our mission is to compile information on cops’ performance and to provide a forum where users can freely share individual accounts. Good, bad or indifferent. Most of all, we would like to hear your stories. Your appreciation and your disapproval. Did you witness a cop doing a good deed, or were you involved in an unfortunate altercation? Tell us about it. Tell others about it. Let it out. Don’t feel intimidated by the badge to remain quiet. While we respect their authority we are also free to question it. You have the right to remain informed.

The site has lists of 120,000 individual police officers from 450 departments around the country, which the site obtained directly from police departments, asking only for the names of patrol officers who work with the general public, not undercover officers. There are no photos, addresses, or telephone numbers, only names. The city of Tempe has expressed disapproval and its intention to try to remove this information from the site, according to an ABC 15 News story which claims the site is a danger to officers.
Tempe Police Department Officer Tony Miller is quoted in the story raising issues about undercover officers, and the article says that he “feels as though officers like him are scrutinized enough.” The article also states that “Tempe officer Brandon Banks says the department’s chief, human resources and even the city’s prosecutor are looking into the website and fighting it.” I don’t see that they have a case, this information should all be a matter of public record. It seems to me that there is potential for abuse (especially in the form of inaccurate ratings and comments, just as on teacher rating websites), but less so than there is from other kinds of public records about all of us that are published on the web. I disagree with Officer Miller’s opinion that there is already sufficient accountability for police officers; this blog’s previous posts in the “police abuse and corruption” category and the far more numerous and detailed posts from Radley Balko’s The Agitator blog and his article “Overkill” are overwhelming evidence to the contrary. It’s worth noting that the courts have repeatedly ruled that there is no duty of police officers to protect individual members of the public, and many states have statutes which prevent individual officers and departments from being held civilly liable for a failure to provide adequate protection, a fact often used by gun advocates to argue for widespread gun ownership for individual protection (e.g., here, here, and here). The U.S. Supreme Court also eliminated a major protection against police abuse in 2006, when it ruled in Hudson v. Michigan (PDF) that evidence from an illegal no-knock raid need not be excluded from trial, because police officers have entered a new realm of “professionalism” in which they recognize civil liberties and can be trusted to investigate and deter their own abuses. In the wake of such decisions and continuing abuses, a website such as RateMyCop.com seems to me like a good idea. 
What the site seems to be missing, though, is a way to quickly find officers who have received ratings (very few seem to have any yet), and to sort those in order to find those with favorable or unfavorable ratings. UPDATE (March 12, 2008): Apparently GoDaddy has pulled the plug on RateMyCop.com’s website without notice to the owner, allegedly first for “suspicious activity” and then for exceeding bandwidth limits, and the site is up with a new web hosting provider. It looks like the ratings are now on a single category, and you can see a list of the most-rated and most-recently-rated on the front page. Another feature that would be nice would be a way to allow registered users to rate the raters for reliability, similar to the way Amazon.com book reviews can be rated as helpful or not helpful. That way, ratings could be weighted based on judgments of the reliability of the raters from the user base, and ratings from those with a personal axe to grind could have their weight minimized. Looks like Rackspace has also refused to host ratemycop.com. Interestingly, apparently Gino Sesto of RateMyCop.com was a Bush voter. ...

March 5, 2008 · 4 min

Jeremy Jaynes loses appeal on spamming case

Jeremy Jaynes, the spammer who was convicted and sentenced to nine years in prison in 2003 for violating Virginia’s anti-spam law, has lost his appeal before the Virginia Supreme Court in a 4-3 ruling. Several of the dissents claimed that Virginia’s anti-spam law, which criminalizes unsolicited bulk email with falsified headers, even if it is political or religious in content rather than commercial, is a violation of the First Amendment. The quotations from Justice Elizabeth Lacy and Jaynes’ attorney Thomas M. Wolf both state that the law has diminished everyone’s freedom by criminalizing “bulk anonymous email, even for the purpose of petitioning the government or promoting religion.” Both Lacy and Wolf misrepresent the law, which makes it a crime to “Falsify or forge electronic mail transmission information or other routing information in any manner in connection with the transmission of unsolicited bulk electronic mail through or into the computer network of an electronic mail service provider or its subscribers.” There is a difference between forging headers and sending anonymous email–the latter does not require the former, and the latter is not prohibited by the law. Jaynes wasn’t just trying to be anonymous–he was engaged in fraud, and falsifying message headers and from addresses to try to avoid the consequences of his criminality. He wasn’t using anonymous remailers to express a political or religious message, and if he had been, he wouldn’t have been able to be charged under this law. UPDATE (September 12, 2008): The Virginia Supreme Court has reversed itself and struck down Virginia’s anti-spam law as unconstitutional, on the grounds that prohibiting false routing information on emails infringes upon the right to anonymous political or religious speech. This is a very bad decision for the reasons I gave above. There are ways to engage in anonymous speech without doing what Jaynes did, falsifying message headers and domain names.
The court’s argument that one must falsify headers, IP addresses, and domain names in order to be anonymous is factually incorrect. Anonymity doesn’t require header falsification, it only requires omission of identifying information.

March 1, 2008 · 2 min

Pakistan takes out YouTube, gets taken out in return

As ZDNet reports, yesterday afternoon, in response to a government order to filter YouTube (AS 36561), Pakistan Telecom (AS 17557, pie.net.pk) announced a more-specific route (/24; YouTube announces a /23) for YouTube’s IP space, causing YouTube’s Internet traffic to go to Pakistan Telecom. YouTube then re-announced its own IP space in yet more-specific blocks (/25), which restored service to those willing to accept routing announcements for blocks that small. Then Pakistan Telecom’s upstream provider, PCCW (AS 3491), which had made the mistake of accepting the Pakistan Telecom /24 announcement for YouTube in the first place, shut off Pakistan Telecom completely, restoring YouTube service to the world minus Pakistan Telecom. They got what they wanted, but not quite in the manner they intended. Don’t mess with the Internet. Martin Brown gives more detail at the Renesys Blog, including a comment on how this incident shows that it’s still a bit too easy for a small ISP to disrupt service by hijacking IPs, intentionally or inadvertently. Danny McPherson makes the same point at the Arbor Networks blog, and also gives a good explanation of how the Pakistan Internet provider screwed up what they were trying to do. Somebody still needs to update the Wikipedia page on how Pakistan censors the Internet to cover this incident. UPDATE: BoingBoing reports that the video which prompted this censorship order was an excerpt from Dutch Member of Parliament Geert Wilders’ film “Forbidden” criticizing Islam, which was uploaded to YouTube back on January 28. I’ve added “religion” and “Islam” as labels on this post, accordingly. The two specific videos mentioned by Reporters without Borders as prompting the ban have been removed from YouTube, one due to “terms of use violation” and one “removed by user.” The first of these two videos was supposedly the Geert Wilders one; the second was of voters describing election fraud during the February 18 Parliamentary elections in Pakistan.
This blog suggests that the latter video was the real source of the attempted censorship gone awry, though the Pakistan media says it was the former. So perhaps the former was the pretext, and the latter was the political motivator. A “trailer” for Wilders’ film is on YouTube here. Wilders speaks about his film on YouTube here and here. Ayaan Hirsi Ali defends Wilders on Laura Ingraham’s show on Fox News here. (Contrary to the blog post I’ve linked to, Hirsi Ali was not in the Theo Van Gogh film “Submission Part One,” which can itself be found here, rather, she wrote it. Van Gogh was murdered as a result of it. The beginning and end is in Arabic with Dutch subtitles, but most of it is in English with Dutch subtitles.) UPDATE (February 26, 2008): This just in, from Reuters–Pakistan “might have been” the cause of the YouTube outage. Way to be on the ball with breaking news, Reuters! The Onion weighs in on the controversy!
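
The route selection behind this incident can be replayed as a small longest-prefix-match model; this is an added example, not code from the post or from any of the networks involved. The AS numbers are the ones named above, while the 10.20.0.0 prefixes, the /24 filter threshold and the expected-origin table are constructed assumptions, since the post gives only the prefix lengths.

```python
import ipaddress

# AS numbers are the ones named in the post. The prefixes are constructed
# placeholders: the post gives only the lengths (/23, /24, /25).
YOUTUBE_AS = 36561
PAKISTAN_TELECOM_AS = 17557

LEGIT_23 = ("10.20.0.0/23", YOUTUBE_AS)
HIJACK_24 = ("10.20.0.0/24", PAKISTAN_TELECOM_AS)
COUNTER_25S = [("10.20.0.0/25", YOUTUBE_AS), ("10.20.0.128/25", YOUTUBE_AS)]


def best_origin(routes, dest):
    """Longest-prefix match: origin AS of the most specific route covering dest."""
    addr = ipaddress.ip_address(dest)
    covering = [
        (ipaddress.ip_network(prefix), asn)
        for prefix, asn in routes
        if addr in ipaddress.ip_network(prefix)
    ]
    if not covering:
        return None
    return max(covering, key=lambda route: route[0].prefixlen)[1]


def accept(routes, max_len):
    """Model a network that discards announcements longer than max_len (assumed policy)."""
    return [(p, a) for p, a in routes if ipaddress.ip_network(p).prefixlen <= max_len]


def unexpected_more_specifics(routes, expected):
    """Flag announcements inside an expected prefix whose origin AS differs from the expected one."""
    alerts = []
    for prefix, asn in routes:
        net = ipaddress.ip_network(prefix)
        for exp_prefix, exp_asn in expected.items():
            if net.subnet_of(ipaddress.ip_network(exp_prefix)) and asn != exp_asn:
                alerts.append((prefix, asn, exp_prefix, exp_asn))
    return alerts


def timeline(dest):
    """Origin AS that traffic for dest follows at each step of the incident."""
    stage1 = [LEGIT_23]                      # YouTube's normal /23
    stage2 = stage1 + [HIJACK_24]            # Pakistan Telecom's /24 appears
    stage3 = stage2 + COUNTER_25S            # YouTube answers with /25s
    stage4 = [r for r in stage3 if r[1] != PAKISTAN_TELECOM_AS]  # upstream cuts off AS 17557
    return {
        "before": best_origin(stage1, dest),
        "after /24 announcement": best_origin(stage2, dest),
        "after /25 re-announcement": best_origin(stage3, dest),
        "after /25, filtering > /24": best_origin(accept(stage3, 24), dest),
        "after upstream cuts off AS 17557": best_origin(stage4, dest),
    }


if __name__ == "__main__":
    for stage, asn in timeline("10.20.0.10").items():
        print(f"{stage:34} -> AS {asn}")
    # Monitoring view: which announcements contradict the expected origin?
    print(unexpected_more_specifics([LEGIT_23, HIJACK_24] + COUNTER_25S,
                                    {LEGIT_23[0]: YOUTUBE_AS}))
```

Networks that filter anything longer than a /24 never see the /25 counter-announcement, which is why service returned only for "those willing to accept routing announcements for blocks that small" until the upstream withdrew the /24.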

February 25, 2008 · 3 min

New Mexico InfraGard conference

On Friday, I attended the New Mexico InfraGard Member Alliance’s “$-Gard 2008” conference in Albuquerque. It was an excellent one-day conference that should be used as a model by other chapters. The conference was open to the public, and featured an informative and entertaining two-hour seminar on fraud and white collar crimes by Frank Abagnale, author of the autobiographical Catch Me If You Can and anti-fraud books The Art of the Steal and Stealing Your Identity. (Another version of Abagnale’s talk can be viewed as an online webinar courtesy of City National Bank.) Abagnale argued that fraud has become much easier today than it was when he was a criminal forger, with numerous examples, and also offered some simple and relatively inexpensive ways for businesses and individuals to protect themselves. For example, he recommended the use of microcut shredders, and observed that his own business keeps shredders near every printer, and no documents get thrown away, everything gets shredded. He recommended the use of a credit monitoring service like Privacy Guard, and that if you write checks, you use a black uniball 207 gel pen, which is resistant to check-washing chemicals. For businesses that accept cash, he recommended training employees in some of the security features of U.S. currency rather than relying on pH testing pens, which are essentially worthless at detecting counterfeit money. By recognizing where bills use optical variable ink, for example, you can easily test for its presence in the time it takes you to accept bills from a customer and transfer them into a cash register. He also recommended that businesses use bank Positive Pay services to avoid having business checks altered. ...

February 25, 2008 · 6 min

Canada busts 17 in botnet ring

This morning Canada arrested 17 people of ages ranging from 17 to 26 years old for running botnets containing “up to one million computers” in 100 countries. They face charges that could result in up to 10 years in prison. This barely scratches the surface of online criminal activity. Niels Provos of Google did a study (PDF) that found that of 4.5 million websites scanned between March of 2006 and February of 2007, 450,000 of them attempt to load malware on visiting machines. Sophos’ similar survey in July of last year found that 29% of websites host malware, 28% host porn or gambling content, and 19% are spam-related. Drive-by malware installations (where merely visiting a website causes malware to be loaded onto your machine) are definitely the method of choice for creating botnets today. I recommend using Firefox with the NoScript plugin and the MyWOT plugin to help prevent getting infected by such sites. Tomorrow, I’ll be attending a New Mexico InfraGard conference at which I hope to learn more about recent malware trends (and get my copy of Catch Me If You Can and/or The Art of the Steal autographed by their author). This is another one open to the general public, so I expect no talk about “shoot to kill” powers except in jest. UPDATE (February 22, 2008): I’m quoted in Brian Jackson’s article on the Quebec botnet hacker bust on itbusiness.ca. I’m not entirely happy with the quotes attributed to me–I didn’t say “tens of millions,” though I said there have been botnets with more than a million hosts, and there are multiple millions of compromised hosts out there. If tens of millions is not accurate today, it will be in the future. The other quotation about IRC got a little bit garbled, but is not far off–I made the point that the bots of today have evolved from a combination of IRC bots of the past combined with denial of service attack tools, remote access trojans, and other malware, and many of them still use IRC as their mode of communication.

February 21, 2008 · 2 min

Malware in digital photo frames

The Mocmex virus and other trojans have been found on digital photo frames from China sold at Target, Costco, Sam’s Club, and Best Buy. The photo frames are connected to a computer via USB to load photographs; on a Windows machine this will cause an executable stored on the photo frame to run, infecting the computer. The SANS Internet Storm Center has documented more details here and here. As more and more devices have built-in storage and can be connected via USB to PCs, we’ll see more and more attacks like this.

February 17, 2008 · 1 min

Visual depictions of quantity in art

The picture is of a pair of breasts, composed of 32,000 Barbie dolls. 32,000 is the number of elective breast augmentation surgeries in the U.S. in 2006. This picture, along with a partial zoom and closeup and other similar works by Chris Jordan, may be found at his website. The photos depict such things as 2 million discarded plastic bottles (the number used in the United States every five minutes), a skull made from images of 200,000 packs of cigarettes (the number of Americans who die from cigarette smoking every six months), a version of Seurat’s “Sunday Afternoon on the Island of La Grande Jatte” made from 106,000 images of aluminum cans (the number used in the U.S. every 30 seconds), and so forth. Hat tip to Barry Williams, who posted this on the SKEPTIC list. UPDATE (June 11, 2009): Jordan gave a TED Talk about his work last year:

February 12, 2008 · 1 min

Tinfoil hat brigade generates fear about Infragard

An article in The Progressive by Matthew Rothschild worries that the FBI’s InfraGard program is deputizing businesses, training them for martial law, and giving them a free pass to “shoot to kill.” Rothschild writes:

The members of this rapidly growing group, called InfraGard, receive secret warnings of terrorist threats before the public does—and, at least on one occasion, before elected officials. In return, they provide information to the government, which alarms the ACLU. But there may be more to it than that. One business executive, who showed me his InfraGard card, told me they have permission to “shoot to kill” in the event of martial law.

Nonsense. I’ve been a member of the Phoenix InfraGard Members Alliance for years. It’s a 501(c)(3) organization sponsored by the FBI whose members have been subjected to some rudimentary screening (comparable to what a non-cleared employee of the federal government would get). Most InfraGard meetings are open to the general public (contrary to Rothschild’s statement that “InfraGard is not readily accessible to the general public”), but the organization facilitates communications between members about sensitive subjects like vulnerabilities in privately owned infrastructure and the changing landscape of threats. The FBI provides some reports of threat information to InfraGard members through a secure website, which is unclassified but potentially sensitive information. InfraGard members get no special “shoot to kill” or law enforcement powers of any kind–and membership in the organization is open to anyone who can pass the screening. As Rothschild notes in the first sentence of his article, there are over 23,000 members–that is a pretty large size for a conspiracy plot.
At one point in the article, Rothschild quotes InfraGard National Members Alliance chairman Phyllis Schneck referring to a “special telecommunications card that will enable your call to go through when others will not.” This is referring to a GETS card, for the Government Emergency Telecommunications Service, which provides priority service for call completion in times of emergency or disaster to personnel who are working to support critical infrastructure. There is a similar service for wireless priority (Wireless Priority Service), and yet another for critical businesses and organizations (like hospitals) which need to have their telecommunications service re-established first after a loss of service due to disaster (Telecommunications Service Priority). These programs are government programs that are independent of InfraGard, though InfraGard has helped members who represent pieces of critical infrastructure obtain GETS cards. The ACLU’s concern about InfraGard being used as a tip line to turn businesses into spies is a more plausible but still, in my opinion, unfounded concern. Businesses are not under any pressure to provide information to InfraGard, other than normal reporting of criminal events to law enforcement. The only time I’ve been specifically asked to give information to InfraGard is when I’ve been asked to speak at a regular meeting, which I’ve done a few times in talks that have been open to the public about malware threats and botnets. Check out the comments in The Progressive for some outright hysteria about fascism and martial law. I saw similar absurdity regarding the Department of Homeland Security’s TOPOFF 4 exercise, which was a sensible emergency planning exercise. Some people apparently are unable to distinguish common-sense information sharing and planning in order to defend against genuine threats from the institution of a fascist dictatorship and martial law. 
Now, I think there are plausible criticisms to be made of the federal government’s use of non-governmental organizations–when they’re used to sidestep laws and regulations like the Freedom of Information Act, to give lots of government grant money to organizations run by former government employees, to legally mandate funding of and reporting to private organizations and so forth. The FBI has created quite a few such organizations to do things like collect information about missing and exploited children, online crime, and so forth, typically staffed by former agents. But personally, I’ve not witnessed anything in InfraGard that has led me to have any concerns that it’s being used to enlist private businesses into questionable activities–rather, it’s been entirely devoted to sharing information that private businesses can use to shore up their own security and for law enforcement to prosecute criminals. UPDATE (February 9, 2008): The irony is that Matthew Rothschild previously wrote, regarding 9/11 truthers:

We have enough proof that the Bush administration is a bunch of lying evildoers. We don’t need to make it up.

He’s right about that, but he’s now helped spread nonsense about InfraGard and seriously damaged his own credibility. I find it interesting that people are so willing to conclude that InfraGard is a paramilitary organization, when it’s actually an educational and information sharing organization that has no enforcement or even emergency, disaster, or incident response function (though certainly some of its members have emergency, disaster, and incident response functions for the organizations they work for). UPDATE (February 10, 2008): I suspect tomorrow Christine Moerke of Alliant Energy will be getting calls from reporters asking what specifically she confirmed. I hope they ask for details about the conference in question, whether it was run by InfraGard or DHS, what the subject matter was, and who said what.
If there’s actually an InfraGard chapter endorsing the idea that InfraGard members form armed citizen patrols authorized to use deadly force in time of martial law, that’s a chapter that needs to have its leadership removed. My suspicion, though, is that some statements about protection of infrastructure by their own security forces in times of disaster or emergency have been misconstrued. Alliant Energy operates nuclear plants, nuclear plants do have armed guards, and in Arizona, ARS 13-4903 describes the circumstances under which nuclear plant security officers are authorized to use deadly force. Those people, however, are thoroughly trained and regularly tested regarding the use of force and the use of deadly force in particular, which is not the case for InfraGard members. UPDATE (February 11, 2008): Somehow, above, I neglected to make the most obvious point–that the FBI doesn’t have the authority to grant immunity to prosecution for killing. If anyone from the FBI made that statement to InfraGard members, they were saying something that they have no authority to deliver on. UPDATE (February 12, 2008): I’ve struck out part of the above about the ACLU’s concern about spying being unfounded, as I think that’s too strong of a denial. There is a potential slippery slope here. The 9/11 Commission Report pointed to various communication problems that led to the failure to prevent the 9/11 attacks. These problems included failure to share information (mainly from the CIA to the FBI and INS), failure to communicate information within the FBI (like Phoenix Special Agent Ken Williams’ memo about suspicious Middle Easterners in flight schools), and failure to have enough resources to translate NSA intercepts (some specific chatter about the attacks was translated after the attacks had already occurred). As a result, the CIA has been working closely with the FBI on counterterrorism and counterintelligence at least since 2001. 
(Also see Dana Priest, “CIA Is Expanding Domestic Operations,” The Washington Post, October 23, 2002, p. A02, which is no longer available on the Post’s site but can be found elsewhere on the web, on sites whose other content is so nutty I refuse to link, as well as this January 2006 statement from FBI Director Robert Mueller on the InfraGard website, which includes the statement that “Today, the FBI and CIA are not only sharing information on a regular basis, we are exchanging employees and working together on cases every day.”) The slippery slope is this–the CIA is an organization which recruits and develops in its officers a sense of flexible ethics which has frequently resulted in incredible abuses, and which arguably has done more harm than good to U.S. interests. (My opinion on the CIA may be found in my posts on this blog labeled “CIA”; I highly recommend Tim Weiner’s Legacy of Ashes: The History of the CIA.) Some of that ethical flexibility may well rub off on FBI agents who work closely with CIA case officers. (The FBI itself has also had a history of serious abuses, an objective account of which may be found in Ronald Kessler’s book The Bureau: The Secret History of the FBI.) And then, that same ethical flexibility may rub off on InfraGard members as a result of their relationships with the FBI (and potentially relationships with the CIA, as well). The intelligence community seems to have a hunger for more and more information from more and more sources, but it is already awash in a sea of information that it has trouble processing today. (It doesn’t help that the Army fires direly needed Arabic translators because they are gay.) 
The need is to accurately assess the information that it has, and ensure that bits and pieces aren’t cherry-picked to produce desired conclusions, as well as ensure that information isn’t sought or assembled to serve personal and political ends of particular interests rather than combatting genuine threats to the country and its citizens. My recommendation is that all InfraGard members read Kessler’s The Bureau, Weiner’s Legacy of Ashes, and view the film that won the 2007 Academy Award for best foreign film, “The Lives of Others,” to help inoculate them against such a slippery slope. UPDATE: Amy Goodman interviewed Matt Rothschild for “Democracy Now!” on Wisconsin Public Television, in which it is pretty clear to me that Rothschild is exaggerating something he doesn’t understand–what he cites as evidence doesn’t support what he claims. Here’s a key excerpt, see the link for the full transcript:

MR: […] And one other member of InfraGard [Christine Moerke of Alliant Energy] confirmed to me that she had actually been at meetings and participated in meetings where the discussion of lethal force came up, as far as what businesspeople are entitled to do in times of an emergency to protect their little aspect of the infrastructure.

AG: But just to clarify, Matt Rothschild, who exactly is empowered to shoot to kill if martial law were declared? The business leaders themselves?

MR: The business leaders themselves were told, at least in this one meeting, that if there is martial law declared or if there’s a time of an emergency, that members of InfraGard would have permission to protect—you know, whether it’s the local utility or, you know, their computers or the financial sector, whatever aspect. Whatever aspect of the infrastructure they’re involved with, they’d have permission to shoot to kill, to use lethal force to protect their aspect of the infrastructure, and they wouldn’t be able to be prosecuted, they were told. […] You know, this is a secretive organization. They’re not supposed to talk to the press. You need to get vetted by the FBI before you can join it. They get almost daily information that the public doesn’t get. And then they have these extraordinary, really astonishing powers being vested in them by FBI and Homeland Security, shoot-to-kill powers. I mean, this is scary stuff.

It looks to me like the following transformation has occurred:

1. At a DHS conference on emergency response, somebody asks if owners of critical pieces of infrastructure should be expected to use deadly force if necessary to protect it (e.g., a nuclear power plant).
2. Somebody at DHS answers yes. They may even add that in some cases the law provides specific justification for use of deadly force (as in the Arizona statute I cite above).
3. Matt turns that into a general right to “shoot-to-kill” in times of martial law by any InfraGard member.
4. The blogosphere turns that into roving citizen patrols unleashed on the nation as the Bush hit squad after declaration of martial law.

I don’t see his key source–Christine Moerke–confirming anything beyond #1 and #2. Note other exaggerations and contradictions–Rothschild claims that InfraGard is highly secretive and selective, yet has quickly grown to over 23,000 members and has multiple public websites.
He fails to note that most InfraGard meetings are open to the general public, or that it has been discussed in many articles in the national press over the last decade. Rothschild speaks of “business leaders,” which the blogosphere has turned into “CEOs,” yet I suspect the most common “business leader” represented in InfraGard is an IT or physical security manager. UPDATE (February 15, 2008): The FBI has issued an official response to Rothschild’s Progressive article (PDF), which says, in part:

In short, the article’s claims are patently false. For the record, the FBI has not deputized InfraGard, its members, businesses, or anything else in the program. The title, however catchy, is a complete fabrication. Moreover, InfraGard members have no extraordinary powers and have no greater right to “shoot to kill” than other civilians. The FBI encourages InfraGard members – and all Americans – to report crime and suspected terrorist activity to the appropriate authorities.

The FBI response also states that Rothschild has “refused even to identify when or where the claimed ‘small meeting’ occurred in which issues of martial law were discussed,” and promises to follow up with further clarifying details if they get that information. UPDATE (February 25, 2008): Here’s another blogger with a rational response to The Progressive article. UPDATE (March 2, 2008): Matthew Rothschild has responded to the FBI’s response on Alex Jones’ Info Wars blog, and he stands behind every word of his original article. He doesn’t display any knowledge of or response to any of the criticisms I’ve offered. ...

February 8, 2008 · 22 min