A while back I postulated that email spying was now a present danger, and only lacking in clarity before it becomes a full-blooded validated threat. This sets us the task of tracking the trackers of email, so that we can create a model to predict how that threat effects us and our designs.
I haven't seen statistics on email snooping as yet, but here's some related news. The FBI is back with intent to spy:
The FBI has drafted sweeping legislation that would require Internet service providers to create wiretapping hubs for police surveillance and force makers of networking gear to build in backdoors for eavesdropping, CNET News.com has learned.FBI Agent Barry Smith distributed the proposal at a private meeting last Friday with industry representatives and indicated it would be introduced by Sen. Mike DeWine, an Ohio Republican, according to two sources familiar with the meeting.
News of tracking email in US universities aimed at those protesting against unpopular policies:
The Department of Defense monitored e-mail messages from college students who were planning protests against the war in Iraq and against the military's "don't ask, don't tell" policy against gay and lesbian members of the armed forces, according to surveillance reports released last month. While the department had previously acknowledged monitoring protests on campuses as national-security threats, it was not until recently that evidence surfaced showing that the department was also monitoring e-mail communications that were submitted by campus sources.The surveillance reports -- which were released to lawyers for the Servicemembers Legal Defense Network on June 15 in response to a Freedom of Information Act request filed by the organization last December -- concern government surveillance at the State University of New York at Albany, Southern Connecticut State University, the University of California at Berkeley, and William Paterson University of New Jersey. The documents contain copies of e-mail messages sent in the spring semester of 2005 detailing students' plans to protest on-campus military recruitment.
The reports are part of a government database known as Talon that the Department of Defense established in 2003 to keep track of potential terrorist threats. Civilians and military personnel can report suspicious activities through the Talon system using a Web-based entry form. A Pentagon spokesman, Greg Hicks, would not verify whether the reports released last month were follow-ups to tips from military or government personnel, or from civilians at the universities.
This is a little different in that civilians seem to monitor and report the emails to the Pentagon. Universities are places were one would expect at least passing familiarity with civil rights and so forth, so it is somewhat curious to speculate who on campuses would be tipping off the authorities about protests against on-campus military activities...
The Talon reporting system gained national attention in December 2005 when NBC News obtained a copy of a 400-page Department of Defense document listing more than 1,500 "suspicious incidents" that had taken place across the country. Only 21 pages were released to the Servicemembers Legal Defense Network, since the group requested only documents related to lesbian, gay, bisexual, and transgender individuals and student groups. Mr. Hicks would not disclose the total number of reports that have been filed under the Talon program.
OK, Numbers! We can conclude that minority sexual preferences represent 5% of the current threat level to the DoD. If each page has an email on it, that gives 1500 emails reported in the programme -- that's not a particularly robust estimate but it might represent a lower bound.
And, wait until they get their mits on phone viruses, which store all that juicy lovetalk.
A company, Trust Digital of McLean, Va., bought 10 different phones on eBay this summer to test phone-security tools it sells for businesses. The phones all were fairly sophisticated models capable of working with corporate e-mail systems.Curious software experts at Trust Digital resurrected information on nearly all the used phones, including the racy exchanges between guarded lovers. The other phones contained:
- One company's plans to win a multimillion-dollar federal transportation contract.
- E-mails about another firm's $50,000 payment for a software license.
- Bank accounts and passwords.
- Details of prescriptions and receipts for one worker's utility payments.
A while back I reported that people worrying about cell/mob/handy phone tapping where missing the point - there is tracking ability which is far more useful than tapping ability. Sad to say, that battle is pretty much all over as phones move to include GPS by default.
One Facebook user, signing the petition opposing the recent changes, noted: "I find it sad this is one of the few issues our generation can band together, complain online and take little real action over. (ROFL)". Therein lies the crux about privacy and tracking: most vehement complaining takes place after people feel they have been victimised by technology, and long after it has been popularised.
We are moving as a society to total tracking, and the privacy community didn't notice until it was all over.
So who loses? Well, the Israeli Defence Force, for one. Alexander Klimov made the connection on the crypto list (which I missed even as I reported on the Sigint story):
My guess that at least some information was leaked due to cellular phones (the solders were routinely calling their families)."Besides radio transmissions, the official said Hezbollah also monitored cell phone calls among Israeli troops. But cell phones are usually easier to intercept than military radio, and officials said Israeli forces were under strict orders not to divulge sensitive information over the phone."Even if one don't care what was said over the phone, a lot of information can be extracted from mere location of a phone (especially, if one knows the owner of each phone):
"Israeli officials said the base also had detailed maps of northern Israel, lists of Israeli patrols along the border and cell phone numbers for Israeli commanders."
The Hezbollah tracking was on the individuals. They tracked the commanders as indicative of where the units were. Oops. I'd just love to be part of the design exercise to fix that blooper :)
This is the core failure that the US government foistered on the world. Since time immemorial, the USG has maintained crypto as a munition, and thus it is to be suppressed. This has led to two effects: firstly, the civilian Internet infrastructure is weak and brittle, due to the effect of lots of little barriers against crypto. Our best ally in security suffered the "death of a thousand cuts," as it were.
Secondly, as the civilian infrastructure overtook the military infrastructure, it left the military operations vulnerable when inevitably civilian assets were used for military tasks. If you've ever used military radio gear, you know you have a big problem when every soldier carries a much more powerful device in his pocket, albeit one deliberately weakened by government intervention.
Without dwelling on these points, we can also suggest that this explains why the job of Cybersecurity Czar is a woftam: the employer is cybersecurity's enemy number one.
Posted by iang at September 27, 2006 09:03 AM | TrackBack> Secondly, as the civilian infrastructure overtook the military
> > infrastructure, it left the military operations vulnerable when
> > inevitably civilian assets were used for military tasks. If you've
> > ever used military radio gear, you know you have a big problem when
> > every soldier carries a much more powerful device in his pocket, albeit
> > one deliberately weakened by government intervention.
You could also assume the phone signal, regardless of content (ie owner) you could direct attacks, well any signals could be detected and assumed to be enemy until you prove other wise.
In history in high school one of the things they taught us about trench wars in in Europe and turkey was if they heard anything they'd fire at it if they didn't think someone was supposed to be digging where they were, some times it wasn't the enemy, some times it would be. Substitute sound for RF leaks.
Posted by: Duane at September 27, 2006 10:52 AM> The FBI has drafted sweeping legislation that would require Internet
> > service providers to create wiretapping hubs for police surveillance
> > and force makers of networking gear to build in backdoors for
> > eavesdropping, CNET News.com has learned.
This is going to make MS holes seem like a walk in the park once these holes are exploited...
Posted by: Duane at September 27, 2006 10:53 AMAs early as in 1996 (wow, that was already 10 years ago...), the Russian military assasinated chechen president Dzhokhar Dudayev by using a guided missile that was homing in on his satellite phone.
The same can now be pulled off using cellphones.
In other, more recent, news from Russia, during the G8 summit in St. Petersburg, GSM encryption was turned off in the whole city. During that time, anybody (with the right equipment) could listen in to anybody else's phonecalls. Most phones display a broken key icon in that mode of operation (i.e. encryption switched off by provider), as many people found out.
Posted by: Daniel A. Nagy at September 29, 2006 01:48 PM