• Was Hillary Clinton’s Email Hacked? The Case

    July 14, 2016 // 14 Comments »

    putin


    If you were Vladimir Putin, or President Xi of China, what would you do if you had the entire archive of Hillary Clinton’s emails, classified and unclassified, “deleted” and not, in your hands? What value to you would that be in your next round of negotiations with the president of the United States?

    Unencrypted Email

    Hillary Clinton traveled to 19 foreign locations during her first three months in office, inlcuding China, South Korea, Egypt, Israel, Palestine, and a meeting in Switzerland with her Russian counterpart. During that period of time her email system was unencrypted. She transmitted data over wireless networks in those countries, networks almost certainly already monitored 24/7 by intelligence and security officials. To say her email was not collected is to say the Russian, Chinese, Israeli and other intelligence services are complete amateurs.

    They are not complete amateurs.



    A System Wide Open to Monitoring

    While FBI director James Comey said his investigators had no “direct evidence” that Hillary Clinton’s email account had been “successfully hacked,” both private experts and federal investigators, according to the New York Times, “immediately understood his meaning: It very likely had been breached, but the intruders were far too skilled to leave evidence of their work.”

    Comey described a set of email practices that left Clinton’s systems wide open to monitoring. She had no full-time cyber security professional monitoring her system. She took her BlackBerry everywhere she went, “sending and receiving work-related emails in the territory of sophisticated adversaries.” Her use of “a personal email domain was both known by a large number of people and readily apparent… Hostile actors gained access to the private commercial email accounts of people with whom Secretary Clinton was in regular contact.”

    The FBI director was generous in his assessment. See, no hacking was really necessary.



    But No Hacking was Really Needed

    Online security company Venafi TrustNet has the world’s largest database of digital certificates and associated metadata, allowing it to go back in time and identify how digital certificates were used in the past, a kind of forensics capability for IT security. Here’s what they found on the clintonemail.com server, and it is not good.

    Using non-intrusive Internet scanning tests routinely performed throughout by IT security teams (meaning foreign intelligence agencies have them too), Venafi learned the Clinton server was enabled for logging in via web browser, smartphone, Blackberry, and tablet. That automatically makes it vulnerable to interception, as the information Clinton was sending and receiving abroad was traveling via other nations’ web infrastructure and open-air cellular networks.

    Clinton’s email log-in page was also on the web, meaning anyone who stumbled on it could try and log in, or employ the standard array of password hacking and brute force attacks against it, much like they did with your Gmail account that was hacked.

    The Clinton email setup also was initially running a standalone Microsoft Windows Server, which is very vulnerable to attack, with at least 800 known trojans/spyware in existence that can steal keys and certificates. If the credentials on the server were compromised in those first three months, then the next years of encryption might have meant nothing.

    How could someone have gained access to the credentials? Clinton’s most recent digital security certificate was issued by GoDaddy. Her domain’s landing page was at one time hosted by Confluence Networks, a web firm in the British Virgin Islands.



    No Smoking Gun?

    If anyone had picked up Clinton’s emails from the airwaves or in transit over the Internet (as we know, via Snowden, the NSA does), while they were encrypted, or had acquired the encrypted versions and used the resources of a state security apparatus to decrypt them, there would of course be no forensic evidence to find. Persons working at NSA-like levels actually breaking into systems expend significant energies hiding their intrusions, and such high level “hacks” have been known to stay hidden for years.

    Sure, if the standard is a “smoking gun,” there is none. But such proof is rarely available in the world of global espionage, and decisions and conclusions are made accordingly on a daily basis.

    Clinton’s email was extremely vulnerable, and her decision to run it off a private server put at significant risk the security of the United States. This is not a partisan attack or a conspiracy; it is technology.



    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    Tor Developer Created Malware for FBI to Hack Tor Users

    May 5, 2016 // 6 Comments »

    tor

    Espionage works like this: identify a target who has the info you need. Determine what he wants to cooperate (usually money.) Be sure to appeal to his vanity and/or patriotism. Create a situation where he can never go back to his old life, and give him a path forward where it favors his ongoing cooperation in a new life. Recruit him, because you own him.

    The FBI appears to have run a very successful, very classic, textbook recruitment on the guy above, Matt Edman, to use his insider-knowledge to defeat one of the best encryption/privacy software tools available. Aloha, privacy, and f*ck you, Fourth Amendment rights against unwarranted search and seizure.

    Edman is a former Tor Project developer who created malware for the FBI that allows agents to unmask users of the anonymity software.



    Tor is part of a software project that allows users to browse the web and send messages anonymously. In addition to interfacing with encryption, the basic way Tor works is by bouncing your info packets from server to server around the Internet, such that each server knows only a little bit about where the info originated. If you somehow break the chain, you can only trace it back so far, if at all. Tor uses various front ends, graphic user interfaces that make it very easy for non-tech people to use.

    Tor is used by (a small number of) bad guys, but it is also used by journalists to protect sources, democracy advocates in dangerous countries, and simply people choosing to exercise their rights to privacy because they are in fact entitled to do so and don’t need a reason to do so. Freedom and all that. It is up to me if I want to lock the door to my home and close the blinds, not anyone else.



    Our boy Edman worked closely with the FBI to customize, configure, test, and deploy malware he called “Cornhusker” to collect identifying information on Tor users. The malware is also known as Torsploit. Cornhusker used a Flash application to deliver a user’s real Internet Protocol (IP) address to an FBI server outside the Tor network. Cornhusker was placed on three servers owned by a Nebraska man who ran multiple child pornography websites.


    We all hate child pornographers and we all would like to see them crammed up Satan’s butthole to suffocate in a most terrible way. But at the same time, we should all hate the loss of our precious rights. Malware has a tendency to find its way into places it should not be, including into the hands of really bad dictators and crooks, and even if we fully trusted the FBI to only use its Tor-cracking tools for good, the danger is there.

    And of course we cannot trust the FBI to use its Tor-cracking tools only for good. If Tor can be taken away from a few bad actors, then it can be taken away from all of us. Our choice to browse the web privately and responsibly is stripped from us. Encryption and tools like Tor are like any tool, even guns, in that they can be used for good or for evil. You never want to throw the baby out with the bathwater, especially when fundamental Constitutional rights are at stake.


    Rough and unpleasant as it is to accept, the broad, society-wide danger of the loss of those fundamental rights in the long run out-shadows the tragedy of child pornography.



    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    Suspect Held in Solitary for Seven Months for Forgetting Hard Drive Passwords

    May 4, 2016 // 4 Comments »

    rawls

    Innocent until proven guilty? Fifth Amendment rights against self-incrimination? Hah! Not if you forget your passwords, in Post-Constitutional America.


    Former Philadelphia Police Sergeant Francis Rawls, above, has spent the past seven months in solitary confinement without conviction because passwords he entered for investigators failed to decrypt his hard drives, seized in connection with a child porn investigation. Rawls says he’s forgotten the correct passwords and so can’t decrypt the drives and provide the cops with evidence that he possessed child porn.

    For “failure to cooperate with the investigation,” Rawls has been locked up. He spends 22 and a half hours a day in a cell.


    In addition to claiming he cannot remember the passwords, Rawls maintains he doesn’t have to unlock his computer because of his Fifth Amendment right not to incriminate himself. The idea is that the search warrant covered the physical hard drives, not any passwords. If Rawls were to give up the passwords involuntarily and the drives contained kiddie porn, he would have effectively been compelled to admit his guilt.

    Last year, following online surveillance, law enforcement agents raided Rawls’ home and seized two external hard drives and other computer gear. Rawls told officers he had “encryption on his computer” and refused to supply them with passwords. Investigators obtained an order compelling Rawls to turn over passwords. A new judge then found that order to be unconstitutional, writing Rawls “has properly invoked the Fifth Amendment privilege against self-incrimination when indicating that he would neither perform the act of decrypting the electronic devices, seized by the Commonwealth, nor provide the passwords to the Grand Jury for the electronic devices.”

    Following that judge’s ruling, investigators then went to federal court, where they used the 1789 All Writs Act — the same law the Department of Justice recently tried to use against Apple to try to force the company to unlock an iPhone — to compel Rawls to turn over his encryption keys.

    The judge ordered Rawls to be “remanded to the custody of the United States Marshals to be incarcerated until such time that he fully complies with the order to provide his encryption passwords to investigators.” In other words, the judge ordered Rawls locked up until he gave up. Built into the judge’s decision is the implication that Rawls is lying when he says he forgot the passwords.


    A federal court has previously ruled that compelled forfeiture of encryption passwords is unconstitutional: In 2012, the 11th Circuit Court reversed an order that would compel a suspect to give up his encryption passwords on drives investigators suspected contained child pornography.

    Rawls, pending his appeal, continues to be held in solitary confinement even though he hasn’t been charged with a crime.


    BONUS: I get that if Rawls is a pedophile he should be locked away. The thing is he has not been convicted of anything, and is simply invoking some of the most basic Constitutional rights available to Americans. And, as with free speech for people like the Nazis or the KKK, the real test of our commitment to those rights is not in the easy cases, but in the tough ones.


    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    Calling Bull on Obama’s Call for Law Enforcement Access to Encryption

    March 14, 2016 // 12 Comments »

    fourth amendment


    As the government’s fight to eliminate encryption as we know it, and ensure themselves unfettered access to all of all Americans’ communications, spreads out of the most-mediagenic example with Apple, Barack Obama has weighed in, using some of the oldest and sleaziest scare tactics available.

    Speaking to an audience of technology executives at the South by Southwest festival, Obama said America had “already accepted that law enforcement can rifle through your underwear” in searches for those suspected of preying on children, and he said there was no reason that a person’s digital information should be treated differently.

    “If, technologically, it is possible to make an impenetrable device or system, where the encryption is so strong that there is no key, there is no door at all, then how do we apprehend the child pornographer?” Obama said. “How do we disrupt a terrorist plot?”

    If the government has no way into a smartphone, he added, “then everyone is walking around with a Swiss bank account in your pocket… This notion that somehow our data is different and can be walled off from those other trade-offs we make, I believe, is incorrect.”


    Obama has resorted to the low-level scare tactics, invoking a landscape where pedophiles and terrorist employ encryption to prey on our children, and blow up our homes. And the president insists we trust him on this, that should the government gain access to all of our communications via some encryption backdoor, the tool will only be used for hard-to-argue with good — specifically, child pornographers and terrorists.

    Now do keep in mind that this is the same president who promised us soon after the Snowden revelations came out in 2013 that the feds were looking at “only metadata” and not reading Americans’ communications.

    That said, maybe I am wrong to be so cynical. Maybe this time Obama is sincere in needing those encryption backdoors to protect us from the pedos and jihadis.


    So, Barack, let’s put up or shut up.

    You tell us exactly how many American communications your NSA, et al, have gathered in say the last five years. You then tell us how many of those communications had unbreakable encryption applied. Then tell us how many of those encrypted messages were directly connected to child porn or unambiguous terrorism cases. Then tell us exactly how many of those cases were left unprosecuted only because of some encrypted message.

    And no cheating by falling back on the equally old scare tactic of “well, if we disrupt on case, it’s all worth it, I mean what if it was your child.” We are talking about abrogating the entire Fourth Amendment here. And as you say safety is worth sacrificing for, I say freedom is worth dying for.

    You tell us all that, and let us — the people you are spying on — weigh out the risk-versus-gain, the so-called trade off between our freedom and our safety. And unless and until you’re ready to throw some real cards on the table, I call bullsh*t on your arguments. Sir.



    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    Clinton Email Server was Not Encrypted for Her First Three Months of Foreign Travel

    March 13, 2015 // 16 Comments »

    Hillary-Clinton

    At her recent press conference, Clinton assured America that her personal email server was secure, that there had never been any security breaches and in fact it was “at a location” guarded by the Secret Service as if Spetsnaz ninjas might attack. Nothing to worry about here folks, time to move on.

    Except that is not true.

    Clinton’s email was extremely vulnerable. This is not a partisan attack; it is technology.



    Clinton’s Email Domain was Accessible Over the Internet and Cell Phones

    Online security company Venafi TrustNet has the world’s largest database of digital certificates and associated metadata, allowing it to go back in time and identify how digital certificates were used in the past, a kind of forensics capability for IT security. Here’s what they found on the now-infamous clintonemail.com server, and it is not good.

    Using non-intrusive Internet scanning tests routinely performed throughout by IT security teams (meaning foreign intelligence agencies have them too), Venafi learned the Clinton server was enabled for logging in via web browser, smartphone, and tablets. That automatically makes it vulnerable to interception, as the information Clinton was sending and receiving abroad was traveling via other nations’ web infrastructure and open-air cellular networks.

    Clinton’s email log-in page was also hung out on the web all pink and naked, meaning anyone who stumbled on it could try and log in, or employ the standard array of password hacking and brute force attacks against it, much like they could with your Gmail account.

    Had Clinton used a legitimate State Department email account, none of this would have been a problem. Unclassified State accounts can be accessed only one of three ways (for security purposes!) A) From inside a State Department facility; B) Using a State Department-issued Blackberry running exclusively on a State Department-owned server or C) Using a one-time code generated by a physical fob device hand-carried by a State employee. No web access. No straight-line cell access. Nope.

    Luckily all her communications were encrypted so someone couldn’t just pluck them from the air like some rube sitting in Starbucks using the public WiFi, right? Wrong.



    No Encryption

    Oops. Clinton’s email traffic was not encrypted for the first three months of her term as Secretary of State.

    But luckily Clinton stayed around Washington for that time, right?



    Travels with Hillary

    Wrong. State Department records show during her first three months in office Clinton had her walking shoes on. Among the 19 locations visited were spying hotspots like China, South Korea, Egypt, Israel, Palestine, a NATO event and a meeting in Switzerland with her Russian counterpart.

    But how could she know she was at risk? Well, her own State Department says this about China:

    Security personnel carefully watch foreign visitors and may place you under surveillance. Hotel rooms (including meeting rooms), offices, cars, taxis, telephones, Internet usage, and fax machines may be monitored onsite or remotely, and personal possessions in hotel rooms, including computers, may be searched without your consent or knowledge. Business travelers should be particularly mindful that trade secrets, negotiating positions, and other business-sensitive information may be taken and shared with local interests.

    Now we’ll grant you that Hillary’s hotel room was closely guarded, but go back and re-read that warning, the part about how electronic communications might be monitored remotely.

    Clinton Unclassified

    Well, heck, Clinton claims none of the 30,000 some work emails were classified, so what?

    Leaving aside exactly what Clinton had to say 30,000 times that somehow never crossed the line into classified, it seems there must have been some sensitive information tucked in there somewhere. For example, the one, single Clinton (unclassified) email that has been released was entirely redacted by the State Department, including Clinton’s personal server email address. The multi-months State Department review process now underway on Clinton’s turned-over emails is designed to redact sensitive information.

    So there is something to hide. Too bad it appears likely that the Chinese government has access to information on Clinton the American people can’t be trusted to see.

    There’s more.


    Spoofing the Secretary

    Without a security certificate and encryption for three months, Clinton’s server would not have been uniquely identified as being clintonemail.com and therefore could have been spoofed, allowing attackers to more easily trick an unsuspecting user of the site to hand over their username and password. She was also running a standalone Microsoft Windows Server, which is very vulnerable to attack, with at least 800 known trojans/spyware in existence that can steal keys and certificates. If the credentials on the server were compromised in those first three months (nah, the Chinese and the Israelis would never try that) then the next four years of encryption might have meant nothing.

    But don’t worry. Clinton’s most recent digital security certificate was issued by GoDaddy. The domain’s blank landing page is hosted by Confluence Networks, a web firm in the British Virgin Islands, which is sorta a foreign country.



    Questions of the Candidate

    So, would some reporter please ask Hillary Clinton these two questions:

    Where was the NSA? Where was the State Department’s Diplomatic Security technical security staff? Did they just miss all this, or did they report it to Clinton’s staff and were ignored?

    What is the price America paid for your personal convenience?

    BONUS: By claiming her server was secure, Clinton threw down the gauntlet to America’s geek and hacker communities, who do not take kindly to their moms pretending to know their business. Big tactical mistake…



    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    How to Communicate Securely with the Media

    November 15, 2014 // 5 Comments »




    Glenn Greenwald almost missed the story of his career because he didn’t understand how to communicate securely.

    The person Greenwald now knows as Edward Snowden began contacting him via open email, urging Greenwald to learn how to use encryption and other web tools to receive sensitive information. When Greenwald was slow to act, Snowden even made a video tutorial to baby-step him through the necessary procedures. Absent these extraordinary efforts by Snowden, who knows when or even if his game-changing NSA information would have come to light.

    You don’t have to wait for some future Snowden to teach you how to communicate securely, thanks to Trevor Timm, co-founder and the executive director of the Freedom of the Press Foundation.

    SecureDrop

    Freedom of the Press Foundation has helped news organizations install SecureDrop, an open-source whistleblower submission system that helps sources get documents to journalists in a much more anonymous and secure way than email. Currently, journalists at five major news organizations in the United States use SecureDrop. Here’s how to use it:

    — Find a public wifi internet connection that is not connected to your work or home, such as a coffee shop. Take the bus to a new place you’ll not visit again.

    Download and install the Tor Browser Bundle. For more security, also install and use the Tails operating system. For maximum security, run all this off a flash drive you bought with cash, and throw away the drive after one use.

    –Using the Tor Browser, enter in your news organization’s Onion URL (below). Only load this URL inside the Tor Browser.

    — Follow the instructions on the SecureDrop screen.


    Onion URLs

    Here are Onion URLs for the five groups of journalists currently operating SecureDrop:

    The Intercept: y6xjgkgwj47us5ca.onion

    ProPublica: pubdrop4dw6rk3aq.onion

    New Yorker: strngbxhwyuu37a3.onion

    Forbes: bczjr6ciiblco5ti.onion

    Wired’s Kevin Poulsen: poulsensqiv6ocq4.onion


    A Plea to Computer People

    I have heard from many journalists their concern that sources are unaware or incapable of communicating securely. Many times the journalist, who may or may not really understand this stuff, ends up trying to explain it to an already-nervous source whose computer skills may be basic at best. Every one of the writers say the same thing: someone please create a secure system for dummies.

    So, computer people of the web, please consider this. Create a one-button click piece of software that installs all the software needed on a flash drive. The users need only plug in the flash drive and click one button. Create the necessary front ends so that the software can be used by anyone. Please don’t write in and say “But it is already so easy to use.” Experience is that it is not. Think software that your grandma could make work. For better or worse, many people who are or who might communicate important information to responsible journalists need your help. Without your help, many will either not communicate at all, or put themselves at increased risk by communicating insecurely.

    Disclaimer

    Anyone takes great personal risk, including financial ruin and potential jail time, by transmitting to journalists, so all the warnings and caveats apply. Do not leak or transmit classified information. Courts are attacking journalists’ abilities to protect their sources. Though Snowden and others have endorsed the use of systems such as described here, there is no information now available on if/how the NSA can monitor such communications, now or in the future. The FBI has successfully, on a known, limited scale, monitored some parts of the Tor Network. Everything else. This is America, 2014. We’re on our own to fix our country.




    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    There is Much to Fear

    September 29, 2014 // 6 Comments »




    One of the exceptional things about Post-Constitutional America is how instead of using the traditional tools of an autocracy– secret police, torture, mass round ups– the majority of Americans have given up their rights willfully, voluntarily, almost gleefully. The key tool used by government to have accomplished this is fear-mongering.

    Fear is one of our most powerful emotions. It plays a very important evolutionary role after all; the first folks who learned to fear lions and tigers and bears tended to live longer than those who were slower learners. Fears from childhood about heights or spiders often stick with us forever. So using fear of terrorists and other bogeymen has proven to be the most effective tool of the world’s first voluntary national security state and its coalition partners in scariness.

    The post-9/11 months are nothing but a master class in fear-mongering. Condoleezza Rice’s oft-quote statement about not wanting to wait for a mushroom cloud over America to be the smoking gun of terror is near-Bond villain level evil genius. The 2003 Iraq War was sold in large part on fear-mongering over fake nukes, fake biological weapons and a fake hunt for WMDS.

    A few recent examples illustrate how the work continues. Because nothing is better to keep fear alive than a regular flow of refreshers (watch out behind you, a spider!).


    Australia

    The Australians have proven excellent students of the American model. After a single phone call from one purported jihadi in the Middle East to a purported jihadi in Sydney suggesting a random beheading would be a fine terror act, the Aussies kicked off the largest counterterrorism operation in Australian history, with full world-wide media coverage of course, all of which resulted in the arrest of one 22-year-old. Prime Minister Tony Abbott said it showed that “a knife, an iPhone and a victim” were the only ingredients needed for a terrorist attack.

    B.S. Factor: Between 2009-2010 (last statistics located) 257 Australians were killed domestically, many with knives. None of those cases involved the largest manhunts in Australian history. Drunken dingos seem more a threat to citizens than terrorists, perhaps even with an iPhone and a knife for the dingo.


    Britain

    The British are loosely joining the coalition against ISIS in Iraq, based largely on the beheading video of a single Brit hostage (beheading videos of two American hostages have also been an effective fear-mongering tool in the United States recently.) Since most westerners do not visit the Arabic-language web sites where such videos widely appear, this form of fear- mongering requires the assistance of the main stream media, who appear more than happy to assist by re-running the videos in an endless loop.

    B.S. Factor: In 2013, 6,193 Brits died abroad. Very few cases even made the news in a small way.


    United States

    Back here in the U.S., higher-level encryption built directly into the new iPhone caused much concern among law enforcement, who will have a harder time mass-monitoring the communications of all Americans as they have freely done for the past decade or so. FBI Director James Comey at a news conference already focused on ISIS terror threats said “What concerns me about this is companies marketing something expressly to allow people to hold themselves beyond the law.” He cited specifically kidnapping cases, in which exploiting the contents of a seized phone could lead to finding a victim, and predicted there would be moments when parents would come to him “with tears in their eyes, look at me and say, ‘What do you mean you can’t’ ” decode the contents of a phone.

    B.S. Factor: We could find no statistics on how often decoding the contents of a phone alone resolved a kidnapping case. We also note that even if the FBI or the NSA could not actually break the iPhone encryption, existing, working tools unaffected by encryption such as triangulation geolocating, standard GPS, cell tower tracking, Stingray intercepts, call logs, email logs, cloud contents, and web searches can provide a wealth of data remotely, without even the need to seize a physical phone.


    OMG: Americans May Be Killed By Terrorists

    Obviously the uber fear-mongering are the pervasive streams of warnings about “almost executed” terror plots inside America. Whether told “if you see something, say something” on a bus, strip searched in the airport or hearing about one pseudo-plot after another on the news, the meme is that danger lurks everywhere in the United States.

    B.S. Factor: Since 9/11, as few as 16 Americans here in Das Homeland has been killed by terrorists, almost all fellow Americans. On the high end, some claim the death count is about 100, but that includes murders at abortion clinics not everyone would call terrorism as far as traditional government fear-mongering is concerned.

    The odds of dying in a terrorist attack in the United States are 20,000,000 to 1. By comparison, Americans are 17,600 times more likely to die from heart disease than from a terrorist attack.

    Maybe more terrifying than anything else, in America you are eight times more likely to be killed by a police officer than by a terrorist. That’s a broad average; it is higher if you are a young African-American male.


    Exceptionalism?

    To be fair, fear-mongering in general, and fear-mongering over terrorism, have a much longer history of use by autocrats than what has been employed since 9/11. One national leader in fact said “The easiest way to gain control of a population is to carry out acts of terror. The public will clamor for such laws if their personal security is threatened.” That was Joseph Stalin.

    So yes, there is indeed much to fear.



    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA

    Government Demands Whistleblower Organization’s Encrypted Files

    June 11, 2014 // 4 Comments »




    For those people who still do not believe we have crossed a terrible line into a Post-Constitutional state, here’s another chance to repent before we all go to hell.

    The Department of Veterans Affairs’ (VA) in-house watchdog has demanded that the Project On Government Oversight (POGO) turn over all information it has collected related to abuses and mismanagement at VA medical facilities, according to a subpoena delivered to POGO May 30.

    The VA is part of the federal government. POGO is a private non-profit group.

    The subpoena from the VA Office of Inspector General demands all records POGO has received from current or former VA employees, as well as any other individuals, including veterans. The subpoena asks for records related to “wait times, access to care, and/or patient scheduling issues at the Phoenix, Arizona VA Healthcare System and any other VA medical facility.”

    POGO refused to provide the records, most of which have come from confidential tips submitted through VAOversight.org.

    Background

    The Project On Government Oversight has for 33 years helped government whistleblowers. They are scrupulously non-partisan and very dedicated to exposing waste, fraud and mismanagement in Washington. They’re part of the reason we know that the Department of Defense wasted billions on things like a $7,600 coffee maker and a $436 hammer. They are very active in trying to bring some modicum of transparency to what the NSA is doing.

    The Veteran’s Affairs disaster is well-known. In short, the VA, which should be helping returning service members with their health problems, instead has been hiding their impossible wait times for appointments. They got caught for some of what they did already, but to ferret out more, POGO set up an online drop-box where people could submit tips and blow the whistle anonymously. Much of the information POGO received– which could very likely help veterans– has been submitted by persons from inside the VA. After all, who knows more about what the government is really doing (or not doing) than those who work inside? Sadly, those same workers also know that today, blowing the whistle is considered a Crime Against the State, and they do not wish to go to prison simply for informing the American people what the People’s Government is up to.

    Drop Box

    As a way of helping those who wish to pass on information that may help our veterans, POGO created an online drop box. This is the equivalent of an email Inbox, except it is secure. POGO advises “To maximize your security and anonymity, you should consider using the Tor Browser Bundle for all of your electronic correspondence with POGO. You should never use a government or contractor phone, fax, or computer to contact POGO. The information you submit from this page will be sent to POGO in an encrypted message.”

    Some VA employees who contacted POGO and requested confidentiality said they feared retaliation if their names were divulged. Some of the employees told POGO that they had already filed reports with the VA. You know, through channels.

    Encryption still pretty much works. And the government knows that. That’s why, instead of trying to decrypt the VA whistleblowers’ messages to POGO, the VA has simply demanded them from POGO, unencrypted, via subpoena.

    Subpoena

    A subpoena is an order to do something, most typically to produce a document or appear in court.

    Wait a second. How can the Veteran’s Administration be able to “legally” demand documents from a private, non-governmental entity like POGO anyway? The VA’s Inspector General, whose real job is supposedly to inspect the VA and root out waste, fraud and mismanagement, has subpoena powers that are supposed to be used for that purpose.

    All other federal Inspectors General have the same power. So does Congress. These subpoenas have the titular power of law. They have the same power that a real court has to demand documents be produced. These sorts of subpoenas are authorized within the agency itself, and do not require probable cause or a court’s approval. They are considered administrative acts and occur with no outside oversight.

    That said, subpoena power was never intended as a blunt tool to chase down whistleblowers even as the organization they’re blowing the whistle on fails in its mission. You’d think that the VA Inspector General has gone rogue here. But that’s not true. This is 2014 and we’re in Post-Constitutional America.

    Subpoenas and the Old Fourth Amendment

    The Department of Justice created a novel interpretation of the Fourth Amendment that currently allows it to access millions of records on Americans without search warrants. To clarify, a warrant is court permission to search and seize something. A warrant must be specific– enter Mr. Anderson’s home and look for drugs. Warrants are not free-hunting licenses (with exceptions) and cannot be general in nature, such as search everyone around 93rd Street for whatever illegal things they might have laying around.

    DOJ has turned all that around. It claims now that under the Fourth Amendment, it can subpoena an Internet company such as Facebook and demand they look for and turn over all the records they have about Mr. Anderson. DOJ isn’t searching, per se– they are demanding Facebook do that for them, so no warrant is needed. Worse yet, DOJ believes it can subpoena multiple records, maybe all the records something like Facebook has, with one piece of paper. The same thing applies, DOJ claims, to email. If they came to someone’s home and demanded access to that person’s emails, it would require a specific search warrant. Instead, if DOJ issues a subpoena to say Google, they can potentially vacuum up every Gmail message ever sent.

    The Department has continued this practice even after a federal appeals court in 2010 ruled that warrantless access to e-mail violates the Fourth Amendment. An FBI field manual released under the Freedom of Information Act also makes clear agents do not need warrants to access email in bulk when pulled directly from Google, Yahoo, Microsoft and others.

    Snowden was Wrong

    Edward Snowden, along with many others, has said that the best tool right now to defeat the NSA and other government spying is the use of encryption. It is possible that some forms of encryption are not breakable by the NSA. It is likely that breaking other forms of encryption is slow and/or expensive to do on a world wide web-scale. It is a race of course, between how many supercomputing algorithms the NSA can throw at the problem and the cleverness of the people creating new forms of better encryption.

    If the government can access documents and information with a simple piece of paper– a subpoena– then all the encryption in the world is pointless.

    POGO says they’ll fight, and that their people are willing to go to jail instead of releasing any documents. Let’s believe them. But the possibility of the government getting the documents is likely enough to scare off would-be whistleblowers from submitting anything new. And not every whistleblower organization has the guts and the resources of POGO to fight back.

    The race for privacy may now be over, and the government is laughing at you still running around the track while they cut across the grass to the finish line. Suckers.



    Related Articles:




    Copyright © 2019. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.

    Facebooktwitterredditpinterestlinkedin

    Posted in Embassy/State, NSA