Much of the debate over cybersecurity legislation like CISPA and the Cybersecurity Act focused on getting more private companies to "share data" with federal government agencies, including the FBI and the NSA. As we've pointed out time and time again, beyond the basic privacy rules that the bills tended to bulldoze through, any time you increase the sharing of private data, you're only making it that much easier for hackers
to access that info because you're putting it in more places -- some of which will almost definitely be insecure. In other words, even though these bills were ostensibly about "protecting" from hack attacks, by increasing the sharing of data, they'd almost certainly open up new attack opportunities and make it easier for hackers to get info.
While neither bill passed (yet), the latest example of what happens when you have widespread data sharing comes from some Antisec hackers, who claim that -- in response to a presentation from the NSA's General Keith Alexander -- they wanted to probe the security of various government agencies, including the FBI. End result? They claim to have hacked into the laptop of FBI agent Christopher Stangl
, who has appeared in recruitment videos
for the FBI looking to hire "cyber security experts."
The hackers claim that on his laptop, they found a csv file with
...a list of 12,367,232 Apple iOS
devices including Unique Device Identifiers (UDID), user names, name of device,
type of device, Apple Push Notification Service tokens, zipcodes, cellphone
numbers, addresses, etc.
The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: "NCFTA_iOS_devices_intel.csv" which folks at Hacker News have pointed out likely refers to the National Cyber-Forensics & Training Alliance. According to its website
, the NCFTA...
functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs.
In other words, it's almost exactly
what we were told we needed CISPA to enable. In fact, during the CISPA debate, we specifically pointed to the NCFTA
to ask why we needed CISPA, since something like that was already possible.
And now it seems to also be showing why CISPA or other similar legislation focused on increased "sharing" of info could actually put many more users at risk, rather than protect them. When the feds are careless with the info they receive from companies, it's going to get hacked. These kinds of things just put a giant target on their back, and now we're seeing the harmful results of such sharing without effective privacy protections.
And the feds want more