Pressure Mounts to Punish Russia For Hacking Without Evidence And Before Investigations Are Concluded

from the evidence-is-for-sissies dept

While it’s certainly possible Russia has been busy using hackers to meddle in (or at least stoke the idiot pyres burning beneath) the U.S. elections, we’ve noted how actual evidence of this is hard to come by. At the moment, most of this evidence consists of either comments by anonymous government officials, or murky proclamations from security firms that have everything to gain financially from stoking cybersecurity tensions. Of course, transparent evidence is hard to come by when talking about hackers capable of false flag operations while obfuscating their footprints completely.

Granted that hasn’t stopped people from demanding a cyber or real world attack on Russia, both idiotic ideas for what should be obvious reasons. But with no hard evidence forthcoming, those looking for perceived justice are apparently getting a little punchy. The Washington Post notes that the government continues to conduct an investigation into the DNC hacks, but the whole “obtaining actual evidence before doing anything stupid” thing is clearly frustrating the 1980’s action movie sect of the intelligence community:

“The White House?s and some Cabinet officials? insistence on awaiting the probe?s results has frustrated some officials at the FBI, the Justice Department and within the intelligence community, who favor holding Moscow accountable. The White House?s continued requests for more evidence, said one official, is ?to delay ? purposely delay? a public attribution.”

Again, it’s not like you’re going to find a goddamned memo linking Russia to the DNC hacks, and any hacker worth his or her salt isn’t going to leave evidence of the hack or their ties to a nation state. There’s also the ongoing reality that the leading country when it comes to nation state hacking has generally been the United States, making any vocal moral repudiation kind of laughable. Still, that doesn’t seem to be stopping folks like Senator Ben Sasse, who insists that we should just skip the whole actual evidence thing and proceed to lambasting Russia for doing what the United States has done for decades:

“Sen. Ben Sasse (R-Neb.), a member of the Homeland Security committee, said President Obama should publicly name Russia and do so before the November election. A failure to do so will only encourage further cyber intrusions and meddling in the U.S. election, he said.

?If the Obama administration has a reason for not clearly attributing these hacks to Russia, it contradicts their own cyber strategy,? Sasse said. ?If they?re silent because it would invite response, that suggests that we?re operating from a position of weakness ? in other words, we know that we need to aggressively deter cyberattacks, but we are too vulnerable to do it. Neither scenario is reassuring.”

But again, what good is publicly shaming Russia for hacking when you’ve spent decades doing the same thing — or worse? The only net outcome is you wind up looking like a giant, blithering hypocrite to the global community. The entire article stumbles on like this, quoting various officials on and off the record demanding we do everything from impose sanctions to start leaking Putin’s dirty laundry:

“The National Security Agency, for instance, could disrupt a Russian computer system in a way that leaves no doubt who did it and that warns the Russians ?to knock it off,? one former intelligence official said. Or the CIA could leak documents that are embarrassing in some way to Russian President Vladi?mir Putin.”

Attack! Attack! Who needs evidence? Who needs the moral high ground? Generally, the press-driven public dialogue on cybersecurity and intelligence is so far from what’s actually happening in the wild (as intelligence whistleblowers illustrate every few years) that one really should treat press reports on the subject as creative fiction. Combine that with the way nationalism leads to hypocrisy and the fact that most of these “former intelligence officials” don’t even know what a gigabyte is, and you’ve got a recipe for keystone-cops-esque high comedy.

Again, none of this is to suggest that Russia isn’t hacking the United States. But to ignore that all nation states are hacking each other all the time is myopic, and suggesting the DNC attack constitutes some rare breach of international ethics is hysterically naive given what we know about the States’ own hacking attacks. The real danger here remains the threat of false flag hacking attacks and misinformation campaigns designed to prompt countries to dramatic action without substantive proof. The smarter path is to focus this energy on securing, upgrading and patching government systems to protect against intrusion, even though that’s certainly a lot less fun than starting a new world war just because you think hard evidence is for sissies.

Filed Under: cybersecurity, dod, doj, hacking, politics, response, russia, us government

German Software Company Sues US Gov't For Copyright Infringement

from the navy-pirates dept

A German software company, Bitmanagement Software, is now suing the US government for copyright infringement and demanding almost $600 million. The lawsuit, which was filed in the US Court of Federal Claims (basically a special court set up just for cases involving suing the US government for money), says that the US Navy copied Bitmanagement’s 3D virtual reality software, BS Contact Geo. Apparently, the Navy had tested the software and had an evaluation license allowing the software to be used on 38 computers. And then the Navy just copied it onto hundreds of thousands of computers.

The lawsuit notes that the Navy had specifically requested the removal of Bitmanagement’s usage tracking code, and then told the company that it wanted to license the software for upwards of 500,000 computers — but also that it started doing those installs while the company was still negotiating a license. While that negotiation was ongoing, someone (accidentally, apparently) forwarded an email to Bitmanagement indicating that the software had already been installed on 104,922 computers. Apparently, a few months later, the Navy also disabled some other tracking software, called Flexwrap. This part is a bit confusing in the lawsuit, since earlier it notes that the evaluation contract required Bitmanagement to remove tracking software, but then the lawsuit notes that later on it was the Navy that removed Flexwrap, “in violation of the terms” of the license.

This is also a rare copyright case where the plaintiff is asking for actual damages, rather than mere statutory damages. That’s partly because it notes that a single license of its software runs approximately $1,000 — and it believes the software may have ended up on 558,466 computers. Thus, it’s asking for $596,308,103, which is the market value of the unpaid licenses. If it had sought statutory damages, it would have been limited to just $150,000, as that’s the maximum per “work infringed.” But it’s also because the US government has a special super power, called sovereign immunity when it comes to copyright claims, basically allowing it to avoid a copyright lawsuit in a regular (“Article III”) district court. However, at least based on my understanding of the law, they can still go to the Federal Claims court (as Bitmanagement is) and seek the actual licensing fees.

It will be interesting to see how the US government responds. After all, this is the very same US government that regularly insists that copyright infringement is a horrible evil and that we need to ratchet up punishment for it. Yet, here is the Navy doing what appears to be fairly blatant direct infringement on software that it was evaluating, but failed to fully license. In the past, the US government has found itself negotiating settlements in similar cases. But, of course, none of that has resulted in the government recognizing that perhaps its hardline position on infringement by others is a bit extreme, considering its own behavior.

Filed Under: 3d, bs contact geo, copyright, software, us government, us navy, virtual reality
Companies: bitmanagement

US Government Successfully Issues Contract For Open Source Code… For $1

from the why-that's-1/37-of-a-screw dept

One of my very first jobs in Silicon Valley was to try to help an internet startup get a big juicy contract with the US government (specifically the Department of Defense). The whole process was a disaster of epic proportions, in which I learned a ridiculous amount about government procurement, none of it good. At one point, I believe the company I worked for was paying a 5-figure-per-month “retainer” to an ex-high ranking military guy, mainly so that he would go out and drink a lot of bourbon with his DoD buddies and award us a no-bid contract before anyone realized it should be put out to bid. And, of course, as an internet startup, we didn’t have a GSA contract, and had to find a sham “partner” who would officially get the contract, under which we’d be a subcontractor. And, of course, we were asking for millions of dollars in government cash, and the technology we had in place wasn’t anything like what the DoD was actually looking for. In short, the whole thing was a complete mess. That was two decades ago, so I’d hope that things had changed, but we’ve heard so many stories of the ridiculousness of government procurement, that I doubt it’s changed that much.

But… there are glimmers of hope. And a neat little technical division of the GSA, known as 18F, which is modeled on startup culture and bringing a much more innovative take on technology to the government (it’s the same group that’s going around making the rest of the federal government encrypt their websites…), recently ran an experiment which (somewhat unexpectedly to all involved) resulted in the GSA awarding a $1 contract for a bit of open source software. And, yes, that’s ONE DOLLAR.

A few weeks back, 18F announced this experiment in “micro-purchase” contracts, with the idea being to see if they could create a quick and simple process to both (1) do small focused contracts and (2) make it easy for smaller tech firms to actually provide their products and services to the government. So 18F posted the details of a specific problem it was trying to solve to Github, and then created a Google form, to serve as a sort of blind reverse auction. Here’s how 18F described things:

If you?re interested in bidding, the closing time for the bid is 12 p.m. on Thursday, October 29, 2015. The opening bid starts at $3,499, and the lowest bid at the closing time will have 10 working days to ship the code necessary to satisfy the criteria. If the criteria are met, the vendor gets paid. If the criteria aren’t met the vendor shall not receive payment, the next lowest bidder will have the opportunity.

Got it? Makes sense, as a way to try to keep costs down, but not to make it so crazy low that it’s not worth someone’s time (or where they’re not able to deliver). Except… no one expected someone to (a) bid $1 and (b) then deliver working code that not only met the requirements, but exceeded them. But that’s what happened:

Then, there was the $1 bid.

When we received the $1 bid, we immediately tried to figure out whether it was intentional, whether it was from a properly registered company, and whether we could award $1. We contacted the bidder and we confirmed that the bid was valid, that the registration on SAM.gov was current, and that the bid would be the winning bid. It was a plot twist that no one here at 18F expected. This unexpected development will no doubt force us to rethink some of our assumptions about the reverse-auction model.

In some respects, this result was the best possible outcome for the experiment. It proved that some of our core assumptions about how it would work were wrong. But the experiment also validated the core concept that open-source micro-purchasing can work, and it?s a thing we should try to do again. A few weeks ago, micro-purchasing for code was just an idea, but now that we?ve done our first experiment, the data demonstrate that the idea has potential and can be improved upon.

You can see the “winning” $1 pull request by Brendan Sudol over at Github, which went above and beyond the requirements:

Not only did Brendan Sudol meet the requirements of loading the data, the new code had 100 percent test coverage, an A grade from Code Climate, and included some new functionality to boot.

18F notes that the experiment turned up a few other interesting tidbits, including that of the 16 bidders, 8 of them registered to be a government contractor on SAM.gov after the project was announced (showing that, indeed, the process of becoming a government contractor appears to be getting much easier). They also noted that the highest bidder was for $740 with the smallest (obviously) being $1. The most common bid was $50.

Obviously, the $1 bid is both a bit of a gimmick, and something where Sudol recognized that it wouldn’t be that much work to provide the code and it apparently seemed like a project worth doing. I doubt that we’ll regularly see the government awarding $1 contracts, and the GSA is hardly likely to become the government version of TaskRabbit or Mechanical Turk. But it’s still interesting to see the ways in which the terrible inefficiency of government purchasing might go down — and more recognition over the idea that, if the government just needs a few lines of code, it doesn’t need to award a multi-million dollar contract to some stodgy old “services” company.

Filed Under: $1, 18f, brendan sudol, contracts, gsa, micro-purchase, open source, us government

US Government's HR Department Has Been Hacked, Government Employee Data Leaked

from the if-you-can't-clean-up-your-own-home... dept

The US government keeps insisting that companies should be giving it information in order to help the government block “cybersecurity” attacks on those companies. In fact, as just reported, the NSA is already scooping up tons of information in trying to spot malicious attacks ahead of time, despite insisting in the past that it wasn’t doing this. However, before everyone starts handing over information to the federal government, shouldn’t we have some sort of evidence that the US government itself actually has some decent cybersecurity skills?

Because it appears that, yet again, there has been a massive data breach, and this time, it’s the US government’s Office of Personnel Management (OPM), which is basically the HR department for the entire federal government. In other words, hackers may have gotten access to the personal information on tons of current and former government employees:

The agency said that in April of 2015 it had identified ?a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information,? although the breach is only being disclosed now. OPM alsos said that it will notify around 4 million people whose personal information ?may have been compromised??although the number is likely to grow since the investigation is ongoing.

Taking the same idiotic, symbolic but pointless, response as the private sector every time there’s a breach, the OPM is promising a some free credit reporting:

To protect employees from identity theft, OPM is giving them free ?credit report access, credit monitoring and identify theft insurance and recovery services,? according to the press release.

?Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,? OPM Director Katherine Archuleta said in a statement.

Actually, that last statement does not appear to be true. As the report at Vice’s Motherboard (linked above) notes, this is the second time in less than a year that this happened, and last time it was determined to be Chinese hackers who broke in — and that’s who is suspected again this time. In which case, “free credit reporting” services are likely to be totally useless. It’s quite likely that whoever hacked in wasn’t doing it to do identity fraud and swipe credit card numbers, but to get useful information for additional, more sophisticated hacks to get access to various government employees’ computers and networks.

So, yeah, if the US government can’t even protect its own systems against these hacks, can someone explain why, again, we’re expected to have companies hand over their own information under the false belief that the government will somehow protect them against attacks as well?

Filed Under: china, cybersecurity, hacked, office of personnel management, opm, us government

John Oliver Takes On The US Government's Legalized Theft Programs, Asset Seizure And Civil Asset Forfeiture

from the due-process?-never-heard-of-it dept

“Last Week Tonight’s” John Oliver is again taking an entertaining swing at a subject that has made its way into Techdirt’s pages: asset seizure and forfeiture. Going beyond the “robbery at badgepoint” (Cory Doctorow’s term) to civil asset forfeiture (in which the government files suit against property that is presumed guilty of criminal ties), Oliver is his usual entertaining self while still managing to highlight the obscene depths these programs — started with the intent of breaking up criminal enterprises and returning assets to those defrauded, etc. — have sunk, thanks to the perversion of incentives.

The highlights are a law enforcement official sheepishly explaining (in a public hearing) that there is really no oversight or discretion involved in the spending of seized funds. (He flat out states that it’s used to buy “toys” the department “needs.”) This leads directly to a police department being called out by a citizen (in another public meeting) for purchasing booze and a margarita machine with seized funds.

Also fun (but in a rather twisted way) is the names of suits brought by the US against “guilty” property, including United States v. Article Consisting of 50,000 Cardboard Boxes More or Less, Each Containing One Pair of Clacker Balls. You can find several others simply by running a search at Justia. (This also happens at state level, so additional searching uncovers gems like this one: South Dakota vs. Fifteen Impounded Cats.)

Anything that brings more attention to this issue is welcome. Oliver’s take allows for a rather painless digestion of the issue while still refusing to underplay how thoroughly corrupted the ideal has become, thanks mainly to policies that allow those seizing the property to directly benefit from the seizures. As to a solution, Oliver suggests two things: an overhaul of this system and rigorous oversight or (the easier route) changing TV procedurals to more accurately reflect law enforcement activities — like the cuffing and frisking houses, furniture, etc.

Filed Under: asset fofeiture, asset seizure, john oliver, law enforcement, legalized theft, us government

The Intercept Reveals The US Government's Guidebook For Declaring You're A Terrorist Or Putting You On The No Fly List

from the because-you-just-might-be-a-terrorist dept

Jeremy Scahill and Ryan Deveraux, over at The Intercept have a giant scoop: the full 166-page guidebook that US law enforcement uses to declare someone a terrorist who deserves to be on one of its various watchlists from the no-fly list to the “terrorist screening database.” We’ve had plenty of stories about the no fly list and the TSDB, and the ridiculous lengths that the US government has gone to to keep anyone from knowing if or why they’re in any of these databases — leading to a series of lawsuits from individuals who were put on that list under very questionable circumstances.

We were happy last month to see that the process for getting off of these watchlists was declared unconstitutional, but the lawsuits over these watchlists suggest that they are prone to abuse and error. We were particularly disturbed to find out in a recent lawsuit that the US government actually has a secret exception to reasonable suspicion for putting people on the list.

The document released by The Intercept is quite revealing, and shows that President Obama has massively expanded the criteria for getting people onto the list. In fact, as the report notes, the President “quietly approved” an expansion “authorizing a secret process that requires neither ?concrete facts? nor ?irrefutable evidence? to designate an American or foreigner as a terrorist.”

The new guidelines allow individuals to be designated as representatives of terror organizations without any evidence they are actually connected to such organizations, and it gives a single White House official the unilateral authority to place ?entire categories? of people the government is tracking onto the no fly and selectee lists. It broadens the authority of government officials to ?nominate? people to the watchlists based on what is vaguely described as ?fragmentary information.? It also allows for dead people to be watchlisted.

As you might imagine, given all the stories about people being put on various watchlists even though they’re clearly not terrorists, the guidelines are crazy expansive:

The document?s definition of ?terrorist? activity includes actions that fall far short of bombing or hijacking. In addition to expected crimes, such as assassination or hostage-taking, the guidelines also define destruction of government property and damaging computers used by financial institutions as activities meriting placement on a list. They also define as terrorism any act that is ?dangerous? to property and intended to influence government policy through intimidation.

And obviously this goes way beyond just boarding (or not boarding) airplanes. As the report notes, if you’re pulled over for speeding and the police run your name, if you’re on the watchlist, the police will get a notification, leading them to automatically think that you’re a suspected terrorist. The guidelines also contradict themselves directly. At first it says that:

To meet the REASONABLE SUSPICION standard, the NOMINATOR, based on the totality of the circumstances, must rely upon articulable intelligence or information which, taken together with rational inferences from those facts, reasonably warrants a determination that an individual is known or suspected to be or has been knowingly engaged in conduct constituting, in preparation for, in aid of, or related to TERRORISM and/or TERRORIST ACTIVITIES.

Okay. So you need to have a factual basis for reasonable suspicion, right? Wrong:

In determining whether a REASONABLE SUSPICION exists, due weight should be given to the specific reasonable inferences that a NOMINATOR is entitled to draw from the facts in light of his/her experience and not on unfounded suspicions or hunches. Although irrefutable evidence or concrete facts are not necessary, to be reasonable, suspicion should be as clear and as fully developed as circumstances permit.

So, it can’t just be a hunch. It has to be a really good hunch seems to be the lesson.

The report also likely reveals the “secret” exceptions to reasonable suspicion that the judge refused to reveal in the Rahinah Ibrahim case we wrote about. She was kept on the watchlist despite there being no reasonable suspicion. One of the exceptions is the “family member” loophole (which some had suggested was likely the issue in the comments to our story about Ibrahim). But it appears the exceptions are much broader:

There are a number of loopholes for putting people onto the watchlists even if reasonable suspicion cannot be met.

One is clearly defined: The immediate family of suspected terrorists?their spouses, children, parents, or siblings?may be watchlisted without any suspicion that they themselves are engaged in terrorist activity. But another loophole is quite broad??associates? who have a defined relationship with a suspected terrorist, but whose involvement in terrorist activity is not known. A third loophole is broader still?individuals with ?a possible nexus? to terrorism, but for whom there is not enough ?derogatory information? to meet the reasonable suspicion standard.

And then there’s the fact that the new “threat-based expedited upgrade” program, which was put in place following the US failing to notice that the famed “underwear bomber” got on his plane despite being on the watchlist. So, rather than recognize that the list was broken, the administration just added a new category, allowing a single White House official the unilateral power to elevate entire “categories of people” into a special list for extra scrutiny.

This extraordinary power for ?categorical watchlisting??otherwise known as profiling?is vested in the assistant to the president for homeland security and counterterrorism, a position formerly held by CIA Director John Brennan that does not require Senate confirmation.

The rulebook does not indicate what ?categories of people? have been subjected to threat-based upgrades. It is not clear, for example, whether a category might be as broad as military-age males from Yemen. The guidelines do make clear that American citizens and green card holders are subject to such upgrades, though government officials are required to review their status in an ?expedited? procedure. Upgrades can remain in effect for 72 hours before being reviewed by a small committee of senior officials. If approved, they can remain in place for 30 days before a renewal is required, and can continue ?until the threat no longer exists.?

Basically, as most people suspected, it appears the government has broad and, until now, secret powers to effectively ruin someone’s life by placing them on one of these watchlists… with no legitimate way to get off.

Filed Under: dhs, doj, guidebook, no fly list, reasonable suspicion, terorrism, terrorist watchlist, tsdb, us government, watchlist

Internet Industry Hate Taken To Insane Levels: Ridiculous Proposals To 'Nationalize' Successful Internet Companies

from the say-what-now? dept

Over the last few years, there’s been a ridiculous rise in a bizarre form of anti-Silicon Valley populism, in which people are encouraged to hate successful internet companies for… being successful. Usually, when you dig into the details, the attacks on the firms are a combination of general fear of “bigness,” hatred/jealousy of success and a fundamental misunderstanding of economics. Now, let’s be clear: big companies with too much power do have a rather long history of bad behavior and companies should be watched carefully if they abuse their position. But the anti-internet populism seems incredibly misplaced, especially given that the companies they’re attacking are often companies that have clearly improved the lives of those doing the attacking. I’m always worried about old “enabling” companies becoming the new gatekeepers, but I’m also confident in the ability of a brand new generation of enablers to undermine business models of the last generation of internet giants as well — especially if they start making moves that actually harm the public.

But, it seems, this general hatred of Silicon Valley is being taken to nearly parodic levels with two new articles, one in Salon and one in Slate, both of which call for “nationalizing” some of the internet’s most popular companies. First up, we have Richard “RJ” Eskow saying that we should nationalize Amazon and Google because the original internet was publicly funded, and thus, apparently, everything built after that should be owned by the federal government.

Big Tech was created with publicly developed technology. No matter how they spin it, these corporations were not created in garages or by inventive entrepreneurs. The core technology behind them is the Internet, a publicly funded platform for which they pay no users? fee. In fact, they do everything they can to avoid paying their taxes.

Big Tech?s use of public technology means that it operates in a technological ?commons,? which they are using solely for its own gain, without regard for the public interest. Meanwhile the United States government devotes considerable taxpayer resource to protecting them ? from patent infringement, cyberterrorism and other external threats.

Of course, based on this absolutely idiotic argument, you could argue that we should nationalize just about every business out there. Fedex and UPS? Why they make use of the federal highway system, which was publicly funded. So, “no matter how they spin it,” the “core infrastructure” behind them was “publicly funded.” Ditto for the entire US automobile industry (though, to be fair, we kinda came pretty close to “nationalizing” them a few years back). How about Wall Street? I mean, look at it: it’s entirely dependent on federal currency. Clearly: should be nationalized. In fact, I’m having trouble coming up with a business that shouldn’t be nationalized under these conditions. Almost every business relies on some aspect of publicly-funded infrastructure.

From there, Eskow insists that these companies are “abusive,” which again is apparently a reason why they should be nationalized (he doesn’t explain how the two are connected or why he believes nationalized companies would be less prone to abusive power — because he can’t). But he picks some rather unfortunate examples for “abuse.”

The bluntness with which Big Tech firms abuse their monopoly power is striking. Google has said that it will soon begin blocking YouTube videos from popular artists like Radiohead and Adele unless independent record labels sign deals with its upcoming music streaming service (at what are presumably disadvantageous rates). Amazon?s war on publishers like Hachette is another sign of Big Tech arrogance.

Except, as we’ve detailed, neither of those stories is even remotely accurate. Artists are not being blocked from YouTube, they’re being offered a better deal if they want to monetize their videos. Some don’t like the terms of that deal, but they can still upload their own videos, just not to the monetized services of YouTube. And the Amazon/Hachette example is not a “war on publishers” so much as it’s an attempt to get better prices for consumers. Apparently, Eskow would like to side with the publishers over the public. Why?

Eskow also finds his “support” in odd places:

Even Microsoft?s Steve Ballmer argued that Google is a ?monopoly? whose activities were ?worthy of discussion with competition authority.? He should know.

Wait. A company that is being beat left and right by an upstart competitor is complaining that that competitor should be regulated? Gee, that means absolutely nothing.

Nowhere in the entire piece does Eskow even attempt to explain how “nationalizing” these firms would actually solve any of these issues. He just insists it would. Apparently he’s unaware of how “wonderful” service is from nationalized companies. I’m sure bureaucracies and government controls are just great for innovation. And, if we’re talking about abuse, shall we bring up what happened with the history of Fannie Mae and Freddie Mac, which were “de facto nationalized?”

Eskow also goes on and on about the privacy violations of these companies, but for a deeper discussion on that, we’ll flip over to Salon competitor Slate, where Philip Howard has an article about how we should nationalize Facebook because of that company’s long-standing problems on the privacy front:

By ?nationalizing Facebook,? I mean public ownership and at least a majority share at first. When nationalizing the company restores the public trust, that controlling interest could be reduced. There are three very good reasons for this drastic step: It could fix the company?s woeful privacy practices, allow the social network to fulfill its true potential for providing social good, and force it to put its valuable data to work on significant social problems.

Let?s start with privacy. Right now, the company violates everybody?s privacy expectations, not to mention privacy laws. It also struggles to respond properly to regulatory requests in different countries. In part, this is because its services are designed to meet the bare minimum of legal expectations in each jurisdiction. When users in Europe request copies of the data Facebook keeps on them, they are sent huge volumes of records. But not every user lives in a jurisdiction that requires such responsiveness from Facebook?U.S. users are out of luck because their regulators don?t ask as many questions as those in the European Union and Canada. Privacy watchdogs consistently complain that the company uses user data in ways they didn’t agree to or anticipate. There are suspicions that the company creates shadow profiles of people who aren?t even users but whose names get mentioned by people who are Facebook users.

It’s completely reasonable to question Facebook’s privacy practices, and its history of arbitrarily changing things and being involved in “creepy” behavior. But, again, there’s a massive leap in logic to go from “hey, Facebook isn’t very good at protecting your privacy” to “let’s hand the company over the to US government.” I don’t know if Philip Howard has been living under a rock for the past 13 months or so, but if there’s one organization that appears to respect your privacy even less than Facebook, it would be the US government. The very same US government that is actively looking for new ways to spy on as many people as possible. And Howard thinks the approach to “protect” users’ privacy from Facebook is to… give all that info directly to the US government?

In fact, Howard actually argues directly for how wonderful it would be for the US gov’t to be able to snoop through our data to perform “research” on it:

Nationalizing Facebook would allow more resources to go into data mining for public health and social research.

Somehow, he claims that if the company were “nationalized,” then there would magically be higher ethical standards to make sure this research is “good” and not “evil.” He also has a funny notion whereby if Facebook were nationalized, not only would it be useful in tracking down bad people, but “good” activists that we liked could also be allowed to use pseudonyms, rather than real names. Because that’s exactly what we want: the US government picking and choosing which activists are “good.”

Having read both of these articles, I’m kind of wondering if they’re both a form of satire, mocking the idea of nationalization or even the anti-internet populism we’ve been seeing lately — but it looks as if they’re both serious, if totally ridiculous.

Filed Under: internet, nationalize, populism, privacy, us government
Companies: amazon, facebook, google

More Details Emerge Showing The US Government Has No Idea How To Solve A Problem Like Snowden

from the piling-futility-on-futility dept

For all of its surveillance and number-crunching powers, the NSA has had little success in dealing with its Snowden problem. It still seems the agency has no idea what Snowden took, with guesses varying wildly over the past several months. Some reports (not the NSA’s) have put that number as low as 60,000. The NSA continues to claim the number is over one million, even with its most recent guess revising its first estimates downward.

But the number of documents is only part of the problem. Details of the government’s inability to apprehend Snowden, as well as its uncertainty as to his current location or activities, continue to surface. Snowden seems to be able to operate in the all-seeing-eye’s blind spots, according to officials quoted by Greg Miller at the Washington Post.

The first indication that the government was operating several steps behind Snowden surfaced during his move from Hong Kong to Russia. The plan, such as it were, was to rely on the benevolence of a country whose president often displays a casual antipathy towards the United States.

For weeks, senior officials from the FBI, the CIA, the State Department and other agencies assembled nearly every day in a desperate search for a way to apprehend the former intelligence contractor who had exposed the inner workings of American espionage then fled to Hong Kong before ending up in Moscow.

Convened by White House homeland security adviser Lisa Monaco, the meetings kept ending at the same impasse: Have everyone make yet another round of appeals to their Russian counterparts and hope that Snowden makes a misstep.

Snowden didn’t misstep, but the US did, concentrating its efforts on a flight to Bolivia that the former NSA contractor never boarded. (It also scrambled a rendition jet on the off-chance that Snowden could be seized out in the open.) And even if he had decided to head that direction, there was actually very little the US could have done about it. Forcing the plane to land (as it did with the president of Bolivia’s jet) wasn’t the problem. This could be done in any allied airspace. The problem was that the country’s jurisdiction ended where the plane’s cabin began.

Even if Snowden had been a passenger, officials said, it is unclear how he could have been removed from a Bolivian air force jet whose cabin would ordinarily be regarded as that country’s sovereign domain — especially in Austria, a country that considers itself diplomatically neutral.

“We would have looked foolish if Snowden had been on that plane sitting there grinning,” said a senior Austrian official. “There would have been nothing we could have done.”

But what is probably more concerning is the fact that US intelligence seems to have little idea what Snowden’s doing, where he’s living or anything else. While some officials have made claims that Snowden is now working for Russian intelligence, any actual intelligence is sparse and nearly impossible to verify.

Snowden is facing espionage-related charges, and the FBI has power to conduct wiretaps and enlist the NSA and CIA in its investigative efforts overseas. But even with such help, officials said, the bureau’s reach in Moscow is limited.

“The FBI doesn’t have any capability to operate in Moscow without the collaboration of the FSB,” said a former senior U.S. intelligence official who served in the Russian capital.

Further hampering its investigation is the lack of evidence that Snowden is working for a “foreign power” or actively aiding an enemy state. Russia, despite its problems, simply doesn’t qualify as a direct opponent of our national security. And so far, nothing obtained has indicated Snowden is now an FSB operative. Without this crucial stipulation, the government can only go so far in its efforts.

Several U.S. officials cited a complication to gathering intelligence on Snowden that could be seen as ironic: the fact that there has been no determination that he is an “agent of a foreign power,” a legal distinction required to make an American citizen a target of espionage overseas.

For all the claims that Snowden has done irreparable harm to US security with his leaks, it’s kind of surprising that the government can gather so little information on the current situation of its public enemy #1. This also shows that the surveillance state is severely limited without cooperative partners, something countries expressing outrage over expansive data/communication harvesting should take note of.

The government claims Snowden has harmed America, but can’t even determine what he took, who he’s working with or even where exactly he’s currently living. It can’t even provide enough evidence of its claims to build a case that would provide it more surveillance options. And yet, it wants to throw Snowden in jail for espionage. That doesn’t add up.

Filed Under: bolivia, cia, ed snowden, fbi, lisa monaco, moscow, nsa, state department, surveillance, us government

No, Government Computers Won't Suddenly Be Vulnerable To Hackers On April 8; They Already Are

from the this-is-reporting? dept

The Washington Post has an article about how, even though it’s long been known that Microsoft is sunsetting support for Windows XP on April 8th of this year, about 10% of US government computers still run XP. Because of this, the article declares that government computers running Windows XP will be vulnerable to hackers after April 8. While technically true (they will be vulnerable after April 8th) what would be a hell of a lot more true is to actually note that they’re extremely vulnerable to hackers today and have been just as vulnerable for years. Microsoft sunsetting its support doesn’t change that one way or the other.

What’s incredible, is that for all the FUD being spread around by government officials about “cyberwar,” “cyberattacks” and “cybersecurity,” you’d think that getting the government’s own house in order would be more of a priority. Outgoing NSA boss General Keith Alexander keeps claiming that he needs more access to private networks to protect them from foreign hackers (yeah, right), and yet this report notes that all sorts of classified government material is sitting on Windows XP computers.

That includes thousands of computers on classified military and diplomatic networks, U.S. officials said. Such networks have stronger defenses generally but hold more sensitive material, raising the stakes for breaches if they occur.

Given how sophisticated the NSA’s abilities are to infiltrate just about any computer out there, as revealed by multiple documents leaked by Ed Snowden, you’d think that the NSA would be a bit more proactive in helping to shore up our own defenses by doing things like no longer using Windows XP.

Filed Under: cybersecurity, security, sunsetting, support, us government, windows xp
Companies: microsoft

US Hypocrisy: Pushing For Maximum Damages For Infringement, While Settling Its Own Piracy Bill For Less

from the but-of-course dept

You may have seen the story over the weekend that the US government had settled a copyright infringement lawsuit filed against it by Apptricity for $50 million. Basically, the Army licensed Apptricity’s server and device software for $4.5 million in 2004, but with a limited number of licenses — which worked out to $1.35 million per server and $5,000 per device. The Army completely blew through the limit and installed it on another 100 servers and 9,000 devices (the government then tried to hide this from Apptricity). Apptricity noted that, at the existing deal’s terms, the Army would have owed it an additional $225 million. The government, of course, settled for $50 million, leading some to note that it appears that by infringing, the government effectively got a 73% discount. Not bad — though that does assume that the government would have licensed the same number (and that there wouldn’t have been some sort of bulk discount).

That said, what strikes me about this is that at the very same time that the Army was ignoring all of this and clearly infringing on the terms of its license, the US government has been pushing a zero tolerance approach to copyright infringement both at home and around the globe. You have Homeland Security and the Justice Department both ramping up prosecutions of intellectual property violations. You have the US State Department going around the globe pushing for stricter and stricter enforcement. And, of course, you have the USTR trying to negotiate draconian criminal penalties into international agreements for copyright infringement.

Hell, if we count each excess installation as a separation copyright violation (and, for what it’s worth, there’s a reasonable argument that under copyright law multiple installations of the same file only counts as a single violation, rather than multiple — but the DOJ itself has argued that each copy should count as an individual infringement), and then multiply by the $150,000 that’s the top of the line for statutory damages for willful infringement (which this appears to be), the government would have had to pay somewhere around $1.4 billion. And, again, the DOJ itself has regularly argued in court that $150,000 per infringement is perfectly reasonable.

And yet, here, when the US government itself has to pay up, suddenly it gets to do so at a great discount? And this won’t change a damn thing in how the rest of the government goes around the globe pushing for extreme punishment for infringement, insisting super high statutory rates are needed to “teach a lesson.” Apparently, though, it’s a lesson that doesn’t apply to the US government itself.

This is part of what’s so ridiculous with statutory damages. Copyright holders and maximalist defenders insist they’re reasonable… until they realize that they’re also infringers. And then suddenly they think it’s reasonable for a much, much, much lower number. What a bunch of hypocrites.

Filed Under: copyright, infringement, statutory damages, us army, us government
Companies: apptricity