Wednesday, August 29, 2007

Good Eats

In my puttering around the internets, I often stumble on interesting stories written by people with perspectives that are significantly different from anything in my own experience. Here are a couple of stories from diverging perspectives that have been following me around for some time.

The first is from "Army of Dude, Reporting on Truth, Justice and the American Way of War". Not sure what I can add to this. Everybody knows that the war in Iraq is a clusterfuck, but this provides a real opportunity for a fresh first person perspective. A quote that has been receiving a bit of press is:
In the future, I want my children to grow up with the belief that what I did here was wrong, in a society that doesn't deem that idea unpatriotic.
Another entry that has been on my mind for months now is a first person 'story' from a family living in Baghdad. Really, just go read it, as anything that I might say would sound trite. A quick taste:

When I heard the bomb explode last Saturday the first thing I did was telephone my father. But there was no reply. Again and again and again I tried to phone him. My fingers hurt I stabbed them onto the buttons on my phone so hard. I fell onto the floor and prayed please let him not be dead. Please let it be that he died quick if he is dead.

And my heart was sick inside me.

What will we talk about today you and I? I do not want to talk about last Saturday. Shall we talk about peace? I would like to talk about peace. I love the word. No, perhaps we are not ready to talk of peace yet you and I, we are not at peace, we are not even at truce.

I did not desire to have a blog full of links, but these stories have both haunted me a bit. Enjoy.

Friday, August 24, 2007

The floggings will continue until morale improves

"honest to goodness the bars weren't open this morning
they must have been voting for a new president of something,
do you have a quarter?"

i said yes because i did
honest to goodness the tears have been falling all over the country's face
it was better before before they voted for what's his name
this is supposed to be the new world
it was better before before they voted for what's his name
this is supposed to be the new world
X, "The New World"

Ok. I understand that the world is a complex and broken place. Politics just more so than usual. So perhaps it is just my failure to understand the adult world of politics when I wonder just exactly why the Democratic Majority would shit itself with fear over the possibility of being called soft on terror for not giving our fearless leader yet another dip into our little jar of civil liberties.

Soft on terror? How the fuck are you supposed to be hard on terror?

The thing that sent me spinning off into a Very Angry Place was the following quote:
Yet Bush administration officials have already signaled that, in their view, the president retains his constitutional authority to do whatever it takes to protect the country, regardless of any action Congress takes. At a tense meeting last week with lawyers from a range of private groups active in the wiretapping issue, senior Justice Department officials refused to commit the administration to adhering to the limits laid out in the new legislation and left open the possibility that the president could once again use what they have said in other instances is his constitutional authority to act outside the regulations set by Congress.
Fucking Article Two super powers!! That dickhead needs to go to jail. Grumble grumble grumble.

Anyway, let us get on the Orwellian ride and see what is being said about the changes:

Vanee Vines, a spokeswoman for the office of the director of national intelligence, said the concerns raised by Congressional officials about the wide scope of the new legislation were “speculative.” But she declined to discuss specific aspects of how the legislation would be enacted. The legislation gives the director of national intelligence, Mike McConnell, and Attorney General Alberto R. Gonzales broad discretion in enacting the new procedures and approving the way surveillance is conducted.

Bush administration officials said the new legislation, which amends FISA, was critical to fill an “intelligence gap” that had left the United States vulnerable to attack.

The legislation “restores FISA to its original and appropriate focus — protecting the privacy of Americans,” said Brian Roehrkasse, Justice Department spokesman. “The act makes clear that we do not need a court order to target for foreign intelligence collection persons located outside the United States, but it also retains FISA’s fundamental requirement of court orders when the target is in the United States.”

Sweet. Now we have an intelligence gap. Not that it comes as a great surprise to any of us, this is a product of the Executive branch after all. Ahhhh, they mean that sort of Intelligence gap. I am not sure how dealing with the latest gap protects the privacy of Americans. No doubt in my mind that we can trust Mr. Gonzales to do the right thing. Perhaps if we look a little closer into the details a little sense might emerge?
Several legal experts said that by redefining the meaning of “electronic surveillance,” the new law undercuts the legal underpinnings of several provisions in the Foreign Intelligence Surveillance Act, known as FISA, indirectly giving the government the power to use intelligence collection methods far beyond wiretapping that previously required court approval if conducted inside the United States. These new powers include the collection of business records, physical searches, and so-called “trap and trace” operations, analyzing specific calling patterns.
Now I am starting to feel a little better. The definition of “electronic surveillance” is what catches my eye for the time being - not that the other parts of it are not equally frightening. It is just that I understand this section a little better.

So our friends in DOJ, DOD or wherever get the idea that some person is an enemy of the state. If this person is not currently residing in the geographic US, there is no judicial hurdle to overcome for any sort of surveillance. I am a little confused whether this applies only to non-citizens as targets not in the US. Something to look a little closer at, yes? This is where things get a little odd.

So now we have this person that you wish to monitor. This is not like the 1950's where you go plug wires into somebody's phone circuit and listen in to the lively show. We are talking about data monitoring here. Discussions using old circuit based phone tapping language are misleading and a distraction to the reader. In data monitoring, you monitor IP addresses, or some higher protocol attached to them. Since you cannot strongly determine the nationality of a given data packet (in any sort of legal sense) you have to be able to look at all traffic. This really is quite important in that there are no nationalities for internet traffic.

I am a little confused at this point about the details here. It is all nice and fine to say that an individual needs to be monitored because they represent some sort of threat to national security. Perhaps it is not all that nice and fine, but for the time being I will not belabor this point. How is this person monitored? It is in the tie between an individual and an internet address that things begin getting interesting. For a person located outside of the geographic US, there are jurisdictional issues for requesting an individual's data and phone monitoring. That is the point of this, yes? To speed things up? So we cannot get at this person's traffic directly. What we need to do is try to tap data which traverses US owned carriers or servers within the US. This is where all the talk about this not being a big deal to tap infrastructure comes from:
“I don’t think it’s a fair reading,” the official said. “The intent here was pure: if you’re targeting someone outside the country, the fact that you’re doing the collection inside the country, that shouldn’t matter.”
With this in mind, you are now having to tap services. Say the user logs into a chat server like AOL or Yahoo. Any user on that service may now interact with the suspect. Again I am a little unclear on exactly what the threshold for interaction is. In any case, from what I understand, you would need to sort this all out after you do the basic recording. On some chat services (like IRC), communications between individuals are reflected back to all users of the service. This means that privileged communications between citizens will be monitored even if they do not directly communicate with the suspect.

All this will be recorded and perhaps looked at.
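To make the incidental-collection point concrete, here is a small simulation I have added for this post (it is my own constructed toy, not anything lifted from the articles quoted above). It models an IRC-style server that relays channel traffic to every member, then runs two kinds of tap over the resulting packets: one keyed on the target's IP address and one sitting on the service's own link. All nicknames, addresses (RFC 5737 documentation ranges) and messages are made up; the `Packet`, `ChatServer`, `tap_by_address`, `tap_server_link` and `collateral` names are mine.

```python
"""
Toy model of selector-based collection on a shared chat service.

Constructed example: a tiny IRC-style server that fans channel messages out
to every member, a tap keyed on the target's address, a tap on the server's
link, and a tally of how much bystander-authored traffic each tap sweeps up.
Every address, nickname and message below is made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str      # IP the packet left from
    dst: str      # IP it is delivered to
    author: str   # nickname of the human who actually typed the text
    text: str


@dataclass
class ChatServer:
    """Minimal IRC-style server: channel traffic is relayed to every member."""
    addr: str
    members: dict = field(default_factory=dict)        # nick -> IP
    channels: defaultdict = field(default_factory=lambda: defaultdict(set))
    wire: list = field(default_factory=list)           # every packet on the server's link

    def join(self, nick, ip, channel):
        self.members[nick] = ip
        self.channels[channel].add(nick)

    def say(self, nick, channel, text):
        # client -> server leg
        self.wire.append(Packet(self.members[nick], self.addr, nick, text))
        # server -> every other member: the "reflection" a channel provides
        for member in sorted(self.channels[channel] - {nick}):
            self.wire.append(Packet(self.addr, self.members[member], nick, text))

    def privmsg(self, nick, to, text):
        # a private message still transits the server, but only reaches one peer
        self.wire.append(Packet(self.members[nick], self.addr, nick, text))
        self.wire.append(Packet(self.addr, self.members[to], nick, text))


def tap_by_address(wire, selector_ip):
    """Collection keyed on an IP selector: keep anything to or from that address."""
    return [p for p in wire if selector_ip in (p.src, p.dst)]


def tap_server_link(wire, server_ip):
    """Collection on the service itself: everything crossing its link."""
    return [p for p in wire if server_ip in (p.src, p.dst)]


def collateral(captured, target_nick):
    """Return (total packets captured, packets whose author is not the target)."""
    bystander = sum(1 for p in captured if p.author != target_nick)
    return len(captured), bystander


def build_scenario():
    """One target, three bystanders, two channels; returns the populated server."""
    srv = ChatServer(addr="198.51.100.10")
    srv.join("target", "203.0.113.7", "#chan")    # the person being watched
    srv.join("alice", "192.0.2.21", "#chan")
    srv.join("bob", "192.0.2.22", "#chan")
    srv.join("carol", "192.0.2.23", "#other")     # never interacts with the target
    srv.say("target", "#chan", "anyone around?")
    srv.say("alice", "#chan", "hi")
    srv.say("bob", "#chan", "busy")
    srv.privmsg("alice", "bob", "lunch?")          # two bystanders, no target involved
    srv.say("carol", "#other", "hello other channel")
    return srv


if __name__ == "__main__":
    srv = build_scenario()
    print("address tap :", collateral(tap_by_address(srv.wire, "203.0.113.7"), "target"))
    print("service tap :", collateral(tap_server_link(srv.wire, srv.addr), "target"))
```

The address-keyed tap picks up three packets, two of which were typed by people who are not the target, simply because the channel relays their words to the target's address. The tap on the service link picks up all twelve packets, including alice's private message to bob and carol's chatter in a channel the target never joined. Sorting out whose words are whose has to happen after the recording, exactly as the post worries.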

It may seem like I am splitting hairs, but the scenario that I just spelled out is a clear violation of the law as I understand it that would just happen as a byproduct of this new law. I need to look at this in a little more detail and will return with more information.

I also want to look into what exactly is being requested - internet addresses or human names. The distinction is huge and requires a complete reworking of the language used to describe what is being done.


Tuesday, August 21, 2007

Hackers and Entropy

Some thoughts outside of the political ...

While at work on Friday, we had an interesting interaction with a fairly well known international hacker group. The incident itself was normal - a little fun and frantic typing followed by lots of log reading and typing and calling soon-to-be very unhappy users. It was, on the whole, excruciatingly uninteresting.

The one thing that was on our minds was "where is the real attack??" This group, at the height of its power, was quite good. They have broken into hundreds of computers, but are now using crappy old exploits in a place where there is no expectation of this stuff working. For whatever reason this has gotten me thinking about ruts, innovation and organized crime.

Seems like hacking groups in general follow many of the same trajectories that the old .com business followed. They start out all new and shiny - a business plan and a fridge full of free soda. A year later all the cool people have moved on to some better gig and the fridge only has the strange, off brand (clear, decaf, bubblegum flavored!!) sodas. It is a wonder that the predominant groups seem to suffer from the same issues that many of the defenders do - in this environment you must constantly evolve or you will be eaten.

No reason why this would not happen, but it does seem a little odd. To make it big you must typically either have a new tactic like automated account compromises in huge volume (think Walmart), or have these boutique skillz which radically differentiate you from all the other cool kids. Time here seems to be the real killer. You have a trick that more or less works for most of the targets you encounter. Retooling is hard for everybody - attackers and defenders alike. In addition, as one's popularity increases the group tends to grow and what was once a small group of intensely talented people gets a little larger and less talented. The core group takes a rest and lets the kidz play with the tools. You get old and fat, like some IRC Jabba the Hutt.

At this point the description could be for any reasonably popular small company. Or hacker group...

Into this ecosystem has stepped organized crime because Real Money can be made by those with discipline and some simple understanding of how things work. There is a palpable state of flux in the ebb and flow of computer security. What I mean by this is that the nature of the threat is changing from the ideal of the iconoclastic hacker more toward the sort of professionalism that comes with watching ROI. The individuals and small groups are still out there and doing well against some targets, but the Government is quickly learning how to hunt down and lock up these small fish.

Will the time come that I will wistfully look back on the halcyon days of rogue security threats? Probably not, as I have less and less spunk when the pager goes off at 3:00 AM. For whatever strange reason, I see little thrill in having these groups locked up. Unlike some of my fellow workers, I think that they help keep us honest and a little humble. There really need to be consequences for their actions since system downtime directly affects the research community, but this whole approach seems fundamentally broken.

Regardless, I will quit blathering and get back to work.

Sunday, August 19, 2007

Looking Under Rocks

I have come to the conclusion that trying to understand the way that the citizenry of the US is being watched from a one topic at a time linear sort of manner is the exact wrong way to go.

There is such a huge amount of historical data as well as congressional and legal information to process that I am a little put off with how to proceed. The volume of information is compounded by the fact that my understanding of exactly how the government works is a little anemic. What I learned from high school as well as School House Rock seems to ill prepare me for reading through Cabinet/Department (DOD/DOE/DOJ/Homeland Security) vs. Federal Agencies and Commissions (such as the NSA).

So I am learning ...

I have re-read several books and dozens of web sites, and have learned a great deal of 'stuff'. I have learned that we have been down this path at least one time before, that more people are interested in monitoring than even I had cynically assumed, and that once the tools for monitoring citizenry are put in place that there are those who will always abuse them. Those of you who know me will laugh at my false naivety (spelling?), but really this is something of a problem.

The systems that are now being put into place are significantly different than those of previous generations in ways that significantly impact any notion of privacy that you might have accidentally managed to acquire over the years. This is in terms of pervasiveness, thoroughness and the ability of different systems to share information. In addition, there are non-governmental organizations that provide contracted services to those agencies that find their hands tied by legal or constitutional bounds.

I will continue looking at this and try to figure out how best to convey this information. There are many web sites that have set out to document what is being done in a clear headed and systematic manner. Not many try to put it all together in a useful way.

Perhaps I will write that book after all ...

Wednesday, August 8, 2007

I have been spending a great deal of time working out the details for the 'Ghost in the Machine' ongoing post, so there has not been much time to add anything new here. Ran across something so morally grotesque that I cannot ignore it.

The New Yorker ran an essay named The Black Sites which details many of the illegal and immoral activities that are happening in OUR name. That is you and I.
"The C.I.A.’s interrogation program is remarkable for its mechanistic aura. 'It’s one of the most sophisticated, refined programs of torture ever,' an outside expert familiar with the protocol said. 'At every stage, there was a rigid attention to detail. Procedure was adhered to almost to the letter. There was top-down quality control, and such a set routine that you get to the point where you know what each detainee is going to say, because you’ve heard it before. It was almost automated. People were utterly dehumanized. People fell apart. It was the intentional and systematic infliction of great suffering masquerading as a legal process. It is just chilling.'"
Note that the past tense is just a formality here - this process is still going on. A thing that I think is worth mentioning is a quote that seems to be receiving little attention:
A former C.I.A. officer, who supports the agency’s detention and interrogation policies, said he worried that, if the full story of the C.I.A. program ever surfaced, agency personnel could face criminal prosecution. Within the agency, he said, there is a “high level of anxiety about political retribution” for the interrogation program. If congressional hearings begin, he said, “several guys expect to be thrown under the bus.” He noted that a number of C.I.A. officers have taken out professional liability insurance, to help with potential legal fees.
These people are kidnapping and torturing other human beings. This has been designed and signed off from the highest possible level. These fucknuts will want to say that they were only doing their jobs. That they are just patriotic Americans doing their duty. I cannot say this clearly enough:

Every one of these people needs to go to prison for the remainder of their useless lives if and when found guilty by the justice system that they have systematically denied others. Every one. Every torturer, every doctor, every person who signed off or touched this program.

This sickens me.

Saturday, August 4, 2007

Ghosts in the Machine

So asking the reasonable question - "Who can monitor my computer and phone activity without bothering to do something unkind to the system I am using to communicate with?" - ends up with more answers than most people might find comfortable. While wiretapping and network monitoring (nearly one and the same now) are time honored techniques in television and written fiction, what is really out there? This is based on publicly available data and court information. It seems reasonable to assume that there exists a great deal of illegal activity as well, but really the stuff that is out there in the open is bad enough. Because of this, I will mainly focus on the lawful interception of data. There will be some interesting information on the more suspicious NSA activity which will end up in the unlawful pile.

A real problem has been exactly how to tackle this topic. There is so much data some of which is quite complex (both from a technical and legal perspective) that I have been at a loss for how to best convey an overall message. To begin with, I will just try to answer a few questions that I have accumulated over the years. Hopefully there will then be time enough to go back and fill in the more useful generalizations. There are a number of sites with excellent technical overviews (and details), so they will probably be referenced with alarming regularity. In general details will be left to the links, except in the unlikely event that I have something relevant to add. And for the record this is just relevant to data communications that are in or pass through US carriers.

Here goes ...

Ghost in the Machine

Legal Aspects
  • Laws
  • FISA
  • USA Patriot Act
  • Recent FISA Changes
  • FBI
  • NSA
  • DOD
  • CIA
  • Others

Legal Aspects
This first section is lifted verbatim from Wikipedia:

In the United States, two laws cover most of the governance of lawful interception. The 1968 Omnibus Crime Control and Safe Streets Act, Title III pertains mainly to lawful interception criminal investigations. The second law, the 1978 Foreign Intelligence Surveillance Act, or FISA, governs wiretapping for intelligence purposes where the subject of the investigation must be a foreign (non-US) national or a person working as an agent on behalf of a foreign country. Most of the congressionally mandated wiretap records indicate that the cases are related to illegal drug distribution, with cell phones as the dominant form of intercepted communication.

During the 1990s, to help law enforcement and the FBI more effectively carry out wiretap operations, especially in view of the emerging digital voice and wireless networks at the time, the US Congress passed the Communications Assistance for Law Enforcement Agencies Act (CALEA) of 1994.[1] This act provides broad guidelines to network operators on how to assist the LEAs in setting up interceptions and the types of data to be delivered. CALEA does not, as many believe, provide specific implementation directives on interception. More recently, the US Federal Communications Commission (FCC) mandated that CALEA be extended to include interception of publicly-available broadband networks and Voice over IP services that are interconnected to the Public Switched Telephone Network (PSTN).

As a response to the terrorist events of 9/11, the US Congress incorporated various provisions related to enhanced electronic surveillance in the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism” Act (USA Patriot Act). These wiretap provisions are mainly updates to those expressed under the FISA law.

(end of wikipedia)

From my perspective, things really started getting interesting with the integration of the FCC decision on extending CALEA to non-PSTN networks. This is really not a surprising decision given the increasing use of IP networking in traditional phone communication networks.

CALEA is quite interesting in that it is a significant interface for one part of law enforcement to intercept data communications. It is currently in place and operational on the entire telco infrastructure. This is just to maintain perspective - as of right now a system is in place that allows for the collection of network communications under the monitoring and control of the Judiciary. Exactly how successful this monitoring and control has been is a matter of (strong) opinion.

An exceptionally useful document for finding out about CALEA is the March 2006 audit report from the DOJ Inspector General named "The Implementation of the Communications Assistance for Law Enforcement Act". Good clean fun. Equally illuminating are the shots fired back from the telco industry found in the "Comments to the Report" report. Within these long reads we find a clear illustration of the ferocious hostility that exists between the two factions (FCC/DOJ and the telco industry). These issues are not over such things as civil liberties, but rather over who has to pay for all these shiny new gizmos...

For a person such as myself, the most illuminating parts of a report come with the technical descriptions of the various components. As this is an audit type report, this will be in the form of equipment costs. Needless to say, I think that I am on the wrong side of the business... Looking at the report we see:

Equipment Costs
In order to conduct CALEA wiretaps, law enforcement agencies must maintain or have access to a wireroom. A wireroom consists of a computerized system that intercepts, decodes, records, and plays back telephone communications. The installation of these facilities is both time-consuming if not already in place (it must be ordered weeks or months in advance) and expensive. [CHOP] Although law enforcement officials noted that their wirerooms are also available for use by other law enforcement agencies in their general vicinity, the smaller law enforcement agencies are limited in conducting electronic surveillance due to the fees charged by carriers.

Of the 82 responses to our survey from law enforcement officials indicating that their agency conducts electronic surveillance, 48 agencies (59 percent) maintain their own wireroom. Law enforcement officials representing the 82 agencies indicated that the number of intercepts conducted by their agencies is hindered by the cost to purchase equipment (16 of 82 responses) and the cost of equipment maintenance (11 of 82 responses).

According to law enforcement officials we interviewed and those who responded to our survey, law enforcement agencies have spent between hundreds of thousands to several million dollars to equip their wirerooms. The equipment costs depend upon the desired capacity of simultaneous wiretaps and the need to accommodate the carriers’ various delivery methods (as discussed in the following section). A typical wireroom, as pictured below, consists of the following equipment:

As an example, the equipment listed below was located in one of the wirerooms that we visited. This particular wireroom has the capacity to conduct eight regular wiretaps or four [LAW ENFORCEMENT SENSITIVE INFORMATION REDACTED] wiretaps simultaneously.
• 8 computer workstations;
• 3 servers (one to conduct regular cell phone intercepts, one to conduct [LAW ENFORCEMENT SENSITIVE INFORMATION REDACTED] intercepts, and one to conduct pager and Internet intercepts);
• 1 jukebox, which saves the data on a magnetic drive;
• 1 separate router for [LAW ENFORCEMENT SENSITIVE INFORMATION REDACTED] intercepts (all other carriers are on a Virtual Private Network (VPN)); and
• 1 computer monitor to switch between the 3 servers.

In addition to the initial purchase of equipment, law enforcement agencies also pay approximately $30,000 per year in maintenance fees to their equipment vendor. Law enforcement agencies said they spend additional funds for hardware and software upgrades to keep up with improvements and emerging technology.
When reading the report, note that there is another table listing current and foreseen threats to data monitoring as perceived by law enforcement; with that in hand, many of the redacted sections in the above listing become somewhat more guessable. This will be left as an exercise for the gentle reader to help ensure class participation.

The report also revealed the answer to a question that I have had for a while - CALEA defines an interface for law enforcement, but how does the FBI feed its Carnivore-like (now DCS-1000-like) systems? Indirectly it also revealed that I am a Big Fucking Dork for thinking about these things. For the record, the report lists the following four options for data transport between the CALEA capture system and the law enforcement systems (described above):

The four delivery methods are dial-out, virtual private network (VPN), frame relay, and T-1 lines. While dial-out and VPN are increasingly popular and favored among law enforcement agencies, some carriers only deliver data via a T-1 line which we found to be the most expensive delivery method. Using a T-1 line costs law enforcement agencies approximately $1,300 for each switch, and can take up to two months to install. One law enforcement official told us that his agency pays approximately $20,000 per month to carriers to maintain T-1 line connections.
Like I said, there is a hostile relationship between law enforcement and the telcos. In this day and age, that is a lot of money to be put into a set of T1 connections probably within a telco building.

Where am I going with this? Really I am just trying to understand how this stuff all works together and am using this writing assignment as a tool for said cause. There is a huge amount of technical detail that is hard to get around without writing a book. I do not want to write a book. What have I tried to say so far? There is this legal requirement for telecommunications providers to give law enforcement a way to access an individual's data stream via court order. It has required both groups to pony up a great deal of money to do so. Some groups in DOJ seemed to think that this was a Right Fine Idea. Perhaps the report might give us some indication as to who is using this mighty instrument of justice?

Indeed it can. As part of the report, there was a user survey. In this survey a number of respondents (82 agencies, ~1200 individuals) discussed their use of the system. Responses were grouped into 5 major groups: FBI, DEA, Attorneys, sheriff / county police, and police dept. From the information in the report, the significant majority of all wiretap instances were non-CALEA related. This seems more or less consistent with a summary in "Why the U.S. News is Wrong About Internet Taps" which summarizes a series of annual reports from the Administrative Office of the US Courts:

But according to annual reports on incidents of wiretapping issued by the Administrative Office of the U.S. Courts, the hype from this particular law may be overplayed. The vast majority of wiretaps granted through this avenue, known as a "Title III" surveillance, are issued for phones. In 2006, only 13 of the 1,714 intercept orders were for electronic communication, down from 23 out of a total of 1,694 in 2005.
While I find the conclusions drawn in the article interesting, the real importance of the small numbers of official warrants rests with the relationship of the DOJ with other means of gathering data that they are interested in.

The CALEA legislation and rules are enormously interesting and complex. In light of the large cross section of information that needs to be covered, it will be left here for now. The importance of CALEA in this case can be seen as a first major step in the monitoring of user activity in a contemporary telco environment.