The Democratic National Committee, still reeling from the hack on its computer system that resulted in a bunch of leaked emails and the resignation of basically all of its top people, has now created a "cybersecurity advisory board" to improve its cybersecurity and to "prevent future attacks."
“To prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field,” interim DNC Chairwoman Donna Brazile wrote in a memo. “The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces—today and in the future.”
Sure. That sounds like a good idea. But, then there's this:
Members include Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter; Aneesh Copra, co-founder of Hunch Analytics and former chief technology officer of the U.S.; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor.
I've met and/or dealt with Chopra (misspelled Copra in the article) and Wong -- and both are very smart and good policy people. The other two seem to have good policy chops as well. But none of them are actual cybersecurity experts. I have no problem with these people being on this advisory board, but it's insane to put together a cybersecurity advisory board that doesn't include at least a single (and probably more) actual technologist with experience in cybersecurity. And that's doubly true when the goal of the board is to help the DNC with its own cybersecurity.
If the goal of the board was to advise on cybersecurity policy, then the makeup of it is at least slightly more understandable, but that's not the goal. It's to actually improve the cybersecurity of the DNC. Even if the goal were just policy, having someone with actual technology experience with cybersecurity would be sensible. Again, I don't think there's anything wrong with these four people on the board if they also included some actual technologists who understood this stuff at a core level. Instead, they're just asking for more problems.
Some prominent Democrats have demonized end-to-end encryption, the kind that might have helped lesson the impact of this hack by making emails look like gibberish to anyone without a key. It’s only readable when a person on one end of the communication opens the email, excluding the company storing the exchange, a hacker, and law enforcement.
Senator Dianne Feinstein (D-Calif.) has led the charge on a bill that would make end-to-end encryption illegal, requiring companies be able to decrypt data if served with a court order. Hillary Clinton herself has pushed for breakable encryption, claiming that, “Otherwise, law enforcement is blind—blind before, blind during, and, unfortunately, in many instances, blind after.”
Using end-to-end encryption would have prevented attackers from accessing the content of most of the emails they obtained. It wouldn't have prevented any content from being accessed, but would have greatly mitigated the damage.
Unfortunately, there's a very good chance the wrong lessons will be learned from this experience.
While it would seem obvious that the best way forward would be to encourage the use of strong encryption for everyone, it's far more likely legislators and presidential candidates will continue to try to carve holes for law enforcement access and expand government powers to "hack back" or perform preemptive attacks. The proposed Rule 41 changes will likely slide on through at the end of this year, allowing the FBI to break into computers all over the world.
Another solution suggested by Hill is to move government communications to private platforms like Gmail where end-to-end encryption can be implemented and, more importantly, handled by professionals rather than, say, a bunch of lawyers with access to the spare bedroom.
Government officials may be wary of allowing private companies to handle (and store) government communications, but the public should be just as wary of any government agency that makes a private company its official communications platform. Private platforms used for public business tend to create lots of unnecessary FOIA litigation. Without legislation in place, or additional stipulations added to contracts with private entities, government agencies will not only be able to keep malicious hackers at bay, but also pesky members of the public demanding access to officials' communications.
The worst end result may also be the one most likely to occur. The security of some communications may become more equal than others. Law enforcement backdoors for the public. Secure end-to-end encryption for their representatives. The sort of hybrid approach to legislating we see far too often -- whether it's in response to Congressional insider trading or the numerous buffers placed between law enforcement officers and any form of accountability.
Various degrees of hand-wringing (and hasty resignations) have greeted the news that our old Cold War foe -- the Russkies -- were behind the hacking of the Democratic National Committee's computers. (And the eventual embarrassment of those caught on unofficial record jumping on the Hillary Clinton bandwagon well before it became clear Bernie Sanders wasn't going to land the nomination.)
Certainly, Vladimir Putin gives absolutely no indication that he cares at all what the rest of the world thinks of him, much less the United States. And if the US government feels the Russian government can't be trusted, a) it's probably right and b) Putin will remain unperturbed. There are indications this was done to assist Trump in his presidential run, but I imagine it makes little difference to those handing down hacking orders -- just as long as it embarrassed US government officials and political leaders.
The United States is, by far, the world’s most aggressive nation when it comes to cyberspying and cyberwarfare. The National Security Agency has been eavesdropping on foreign cities, politicians, elections and entire countries since it first turned on its receivers in 1952.
If this sounds like the sort of things the NSA should actually be doing, then there's not really a problem. If it sounds like overreach -- aided and abetted by technological advances -- then there might be few issues, going beyond the hypocrisy of acting shocked when foreign intelligence agencies engage in the same tactics we do… like attempting to influence elections.
NSA operations have, for example, recently delved into elections in Mexico, targeting its last presidential campaign. According to a top-secret PowerPoint presentation leaked by former NSA contract employee Edward Snowden, the operation involved a “surge effort against one of Mexico’s leading presidential candidates, Enrique Peña Nieto, and nine of his close associates.” Peña won that election and is now Mexico’s president.
This is in addition to other US actions, including weaponizing centrifuge components in Iran and (inadvertently) taking Syria's leading internet provider offline. Every agency under the Defense Department's control plays a part in the government's undeclared Cyber War. Leaked documents show the NSA aspires to deploy millions of malicious implants in millions of computers, to better assist with the wide scale harvesting of data and communications it grabs from internet backbones located outside of the US.
However, the twist in the Russian attack is what was done with the information obtained.
What is new is a country leaking the intercepts back to the public of the target nation through a middleperson.
As Bamford points out, the US public is supposed to be outraged by the Russian-led hacking while ignoring similar efforts made by our own government. The DNC wants to enjoy its outrage, even if it was the DNC's own election-influencing efforts that got it into hot water -- the same sort of activity US government officials claim is so evil when the Russians do it. Russia may be a convenient villain but its actions are not so far afield from our own. The twist is the dumping of purloined documents in the laps of the US public, where they'd do far more damage than they would in the sole possession of the Russian government. Who needs misinformation when you can uncover damaging statements made by political leaders in assumed confidence?
We've long been supporters of the concept of Wikileaks around here, though we've had some concerns about some of the decisions it has made. Generally speaking, though, we find the accusations and conspiracy theories around Wikileaks to be somewhat ridiculous. The latest comes buried in a Politico article about the massive amount of dysfunction within the Democratic National Committee. Apparently since Wikileaks released a bunch of DNC emails, leading to chair Debbie Wasserman Schultz stepping down, it has freed up a bunch of people to bitch and whine about her (lack of) leadership and what a mess the whole DNC has been recently.
But, buried deep within that article is this wacky tidbit:
Staff members were briefed in a Tuesday afternoon meeting in Washington that their personal data was part of the hack, as were Social Security numbers and other information for donors, according to people who attended. Don’t search WikiLeaks, they were told — malware is embedded throughout the site, and they’re looking for more data.
We've seen various organizations impacted by Wikileaks come up with all sorts of excuses and claims about why people shouldn't use the site, but "the site is embedded with malware" is a new one. It also seems hellishly unlikely. It's the kind of thing that someone would discover and it would destroy whatever credibility Wikileaks has left. I guess anything is possible, but this sounds like the DNC freaking out over the leaks and trying to spread bogus rumors in the hopes that it will get people to stop looking at their leaked files.
As you almost certainly know by now, on Friday Wikileaks released a bunch of hacked DNC emails just before the Democratic Presidential convention kicked off. While Wikileaks hasn't quite said where it got the emails, speculation among many quickly pointed to Russian state sponsored hackers. That's because of the revelation last month of two sets of hackers breaching the DNC's computer system and swiping (at the very least) opposition research on Donald Trump. Various cybersecurity research firms, starting with CrowdStrike, which was hired by the DNC to investigate, pointed the finger at the Russians.
Of course, whether or not you believe that may depend on how credible you find the big cybersecurity firms like CrowdStrike, FireEye and Mandiant (the big names that always pop up in situations like this). For what it's worth, these guys have something of a vested interest in playing up the threat of big hacks from nation-state level hackers. For a good analysis of why this finger-pointing may be less than credible, I recommend two articles by Jeffrey Carr, one noting that these firms come from a history of "faith-based attribution" whereby they are never held accountable for being wrong -- and another highlighting serious questions about the designation of Russia as being responsible for this particular hack (he notes that some of the research appeared to come pre-arrived at that conclusion, and then ignored any evidence to the contrary).
Still, the claim that the data came from the Russians has become something of a story itself. And, of course, who did the hack and got the info is absolutely a news story. But it's an entirely separate one from whether or not the leaked emails contain anything useful or newsworthy. And yet, because this is the peak of political silly season, some are freaking out and claiming that anyone reporting on these emails "has been played" by Putin and Russia. Leaving aside the fact that people like to claim that Russia's behind all sorts of politicians that some don't like, that should be entirely unrelated to whether or not the story is worth covering.
And yet, we already have stories arguing that "Putin weaponized Wikileaks to influence" the US election. That's ridiculous on multiple levels. Wikileaks releases all kinds of stuff, whether you agree with them or not. And the idea that this will actually impact the election seems... unlikely. Is the (not at all surprising) fact that the DNC is fully of cronyism and favoritism really suddenly going to shift voters to Trump? Of course, Wikileaks implicitly threatening someone with legal action for saying there's a connection between Russia and Wikileaks is pretty ridiculous as well.
To some extent, this reminds me of some people who freaked out over the Sony Pictures hack, a while back. There the culprit blamed was North Korea, a claim that at least many people remained skeptical of. But, even so, there were some (including Sony) who tried to argue that no one should report on the contents of the emails because it would somehow support the North Korean regime's goals.
Yes, whoever is behind such hacks is a story. But it does nothing to lessen or impact whether or not the leaked emails themselves are newsworthy. Arguing against anyone publishing stories about them just because they may have begun with Russian hackers is just a way of desperately trying to block embarrassing stories about the DNC from getting published.
Protip: maybe don't laugh off accusations that you're bad at cybersecurity in emails on a network that has already been infiltrated by hackers. That message did not make it through to one Eric Walker, deputy communications director for the Democratic National Committee. As you've heard by now, the DNC got hacked and all the emails were posted on Wikileaks. An anonymous user in our comments pointed us to a now revealed email from Walker brushing off a story in BuzzFeed, quoting cybersecurity professionals arguing that both the RNC and the DNC are bad at cybersecurity, mainly because they're handing out USB keys at their conventions.
Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.
“Who does that anymore? It’s just asking to get infected with any variety of malware,” said Ajay Arora, CEO of VERA, a cybersecurity firm. “Those thumb drives are the number one way to infect a computer… It is borderline stupidity to give them out to people, or for people to even think of using them.”
Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive — from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.
That's a reasonable assessment. It's dumb to hand out USB keys these days and anyone should be aware of that by now. But Walker's email sarcastically mocked this:
The thesis: we hand out thumb drives at events, which could infect the reporters/attendees' computers. So that means that we're bad at cybersecurity. Okay.
Well, truth be told, there are many reasons why you may be bad at cybersecurity, including the fact that you apparently let a group of hackers sit on your network for a year or more. But also, handing out USB keys is a super bad idea too.
You may recall, from last month, that a hacker (who many have accused of working for the Russian government) got into the Democratic National Committee's computers and copied a ton of stuff. All of the emails that were obtained (a little over 19,000, from seven top DNC officials) are now searchable on Wikileaks, so there are tons of stories popping up covering what's been found. The Intercept, for example, appears to be having a field day exposing sketchy behavior by the DNC.
But one point that hasn't received as much attention: the DNC appears to have flat out lied right after the hack happened. In its statement on the hack, the DNC had insisted that no personal donor info got out:
The hackers had access to the information for approximately one year, but that access was wiped clean last weekend, The Washington Post reported, noting that the DNC said that no personal, financial or donor information had been accessed or taken.
Except, well, no. There had been reports, driven by the hacker, that the files absolutely did include personal donor info, and now you can see some of that for yourself. For example, it took me all of about 5 minutes to find a list of donors and their email addresses, which I won't be sharing here, but I'm sure others can find as well. And, then, of course, you can find things like this discussion about a potential donor, Niranjan Shah, with "ties" to disgraced and convicted former Illinois Governor Rod Blagojevich, noting that there were "pay to play" accusations associated with him. The DNC noted that they "could be ok" with Shah donating to the DNC, but that the administration might not want him to show up at their events. And, of course, there are emails detailing specific donations by specific people.
There are claims that some emails contain credit card data, though I haven't seen that myself. Either way, it certainly appears that in the rush to "nothing to see here" the leak of the info, the DNC simply lied about what was leaked.
Ever since Larry Lessig announced his campaign for the Presidency a few months ago, we noted that it wasn't just a long shot, but seemed more like a gimmick to get the (very real) issue of political corruption into the debates. I like Larry quite a bit and support many of his efforts, but this one did seem kind of crazy. I'm glad that he's willing to take on crazy ideas to see if they'll work, because that's how real change eventually comes about, but the whole thing did seem a bit quixotic. That said, the last thing I expected was that the Democratic Party would be so scared of him as to flat out lie and change the rules to keep his ideas from reaching the public. Yet, that's what it did, and because of that, Lessig has dropped his campaign for the Presidency. You can see the video of him explaining this decision below:
An article from one of his advisers, Steve Jarding, explains the situation in more detail. We already knew that the Democratic Party had tried to keep him out of the debates by not "officially" welcoming him to the race -- as it had done with candidates like Jim Webb and Lincoln Chaffee who had raised less money and were polling lower than Lessig. And many polling operations hadn't included Lessig in their polls because they relied on the DNC's official welcome to start polling.
In response, Lessig had dropped his original gimmicky promise to resign the Presidency after getting campaign finance reform through Congress. Based on that, it was expected that the DNC would recognize his campaign. In the meantime, more polling operations started putting Lessig in their polls, and he was polling over 1% -- which was the threshold that the DNC had clearly told Lessig's campaign was necessary to cross to get into the debates. In fact, Lessig's campaign had specifically asked and gotten confirmation on the rules:
The DNC's rules for candidate participation in their debates were pretty straightforward--or so we thought. In August, before the Lessig campaign began, DNC Chair, Debbie Wasserman-Schultz, announced the standards for being included in the debates. As she described the rule, a candidate had to have 1 percent in three DNC sanctioned national polls, "in the six weeks prior to the debate."
Yet, about this time, Lessig's campaign manager received a troubling email from the DNC, suggesting the debate participation standards were different. The email included a memo that stated that the three polls had to be "at least six weeks prior to the" debate--contradicting what Wasserman-Schultz had said that they could be "in the six weeks prior to the debate." To try to clear up the contradiction, I arranged a call with the DNC. On that call, the DNC political director confirmed to me the rule was as the Chair had stated it--three polls finding 1 percent "in the six weeks prior to the debate."
But... then the rules magically changed, despite the fact that it shows that the previous debate wouldn't have allowed some candidates if the DNC had followed the same rules:
And indeed, that is precisely the rule that was applied in the first debate. As CNN specified in a late September memo, to qualify a candidate had to poll at 1 percent in the "polls released between August 1, 2015 and October 10, 2015." The first debate was October 12.
So, we believed we had our guidelines. And as such, we worked hard--and spent our campaign's resources--to meet this clarified goal. It wasn't easy, as most of the national polls didn't even include Lessig's name. But then a week ago, a Monmouth poll of Democrats nationally found him at the qualifying percentage. Then an NBC poll found the same. HuffPost Pollster now lists three polls at 1%. Since the Monmouth poll, no poll that included Lessig's name found him with anything less than 1%.
The new rules, which seem solely designed to block Lessig out:
Late last week, the DNC again changed the rules for participation in the debates. Just at the point that it seemed Lessig was about to get in, the DNC has shut the door.
We were informed of this change in a phone call late last week that I had with the DNC political director. During that call, I was told that the DNC participation standard for the debates was for a candidate to be at one percent in three polls conducted, "six weeks prior to the debate"--not the clarified rule cited earlier by Wasserman-Shultz and the DNC political director that a candidate had to be at one percent in three polls conducted "in the six weeks prior to the debate." To further make the point, the political director confirmed the new rule in a follow-up email to me.
Under this new rule, Lessig obviously cannot qualify for the November 14 debate. He would have had to qualify four weeks ago! Under this new rule, all the work--and expense--of the past four weeks has been for naught. The door has been shut. By DNC mandate, Larry Lessig won't be participating in the Democratic Party debates.
This seems pretty fucked up. Yes, politics is a nasty business, but let's face it: Lessig had no chance to win, but could have had a real impact on the campaigns and what followed by participating in the debates. And he did everything by the rules... and still got fucked over for it.
If Debbie Wasserman-Shultz and the Democratic National Party wanted to do a job highlighting just how corrupt the process is, they just did a great job.
from the yeah,-THIS-makes-everyone-respect-copyright-MORE dept
Here we go again. Less than 24 hours ago, content-protection bots killed a livestream of the Hugo Awards, thanks to the brief appearance of fully approved clips from an episode of Dr. Who. The whole situation was completely absurd to anyone harboring the tiniest vestige of common sense, but IP-protection software isn't built on common sense: it's built on algorithms.
The video, posted by the official YouTube account for the convention, DemConvention2012, was blocked, according to YouTube, for ostensibly infringing on the copyright of one of many possible suspects:
This video contains content from WMG, SME, Associated Press (AP), UMG, Dow Jones, New York Times Digital, The Harry Fox Agency, Inc. (HFA), Warner Chappell, UMPG Publishing and EMI Music Publishing, one or more of whom have blocked it in your country on copyright grounds.
Sorry about that.
When contacted by Wired for comment, Erica Sackin, an Obama campaign staffer who works on digital outreach, had no knowledge of the outage, asked this reporter for the url and then upon seeing the takedown, said, "I'll have to call you back."
The video has since been updated to state that "This video is private." There's probably quite a bit going on behind the scenes at the moment, but fortunately Wired snagged the complete list of claimants for future reference.
Take a good, long look at that list. There's a few of the usual suspects in there, including AP, UMG and Warner, entities not known to be shy about claiming content that isn't theirs.
Now, these entities aren't directly responsible for this takedown. This is more of an automated match situation, but it still doesn't change the fact that the inherent stupidity of the action, automated or not, does absolutely nothing to lock down stray, unmonetized content and absolutely everything to highlight the ridiculous nature of copyright protection in a digital age.
If Google can work with copyright holders to produce content matching software, it seems like it might be possible to designate certain accounts or entities as "off limits" from the wandering killbots. If the stream is authorized by, I don't know, the party of the current President of the United States, maybe, just fucking maybe, everything's "above board."
Sure, defining legitimate, pre-approved accounts may prove to be as difficult as determining which content is infringing and which isn't, but this should be the sort of thing that content holders should be working toward, rather than simply moving from disaster to disaster, smugly secure in the knowledge that filthy file sharers are getting content-blocked thousands of times a day.
Nice going, huge list of content holders. Your boundless, maximalist enthusiasm is just another nail in the coffin containing what's left of copyright's reputation.