Privacy watchdog investigates breach in residential school survivors’ claim

By Susana Mas
CBC News: March 27, 2014

Canada’s privacy watchdog is investigating a possible breach of personal information belonging to residential school survivors, after an adjudicator working for the agency handling their compensation claims filed a police report citing blackmail.

The Indian Residential Schools Adjudication Secretariat is the administrative body that manages the claims made by residential school survivors. It is an independent, quasi-judicial tribunal established in 2007 under the Indian Residential Schools Settlement Agreement.

Indian residential school survivors can seek compensation for suffering “sexual or serious physical abuse or another wrongful act” through an independent assessment process managed by the agency.

A spokesperson for the agency told CBC News on Wednesday that “an individual contacted the Secretariat earlier this month” claiming to have information relating to claims made by residential school survivors.

“We have not determined if he actually has any confidential information,” said Michael Tansey, a senior communications officer with the Indian Residential Schools Adjudication Secretariat, in an email to CBC News on Wednesday.

“The adjudicator has made a report to the police, and indicated that blackmail was involved.”

The adjudicator, whose identity Tansey said can not be made public, is on a leave of absence for an undetermined period of time.

(Read the full story at CBC)

—-
AlternativeFreePress.com

An important ruling in Florida has made it more difficult for copyright holders to extract cash settlements from alleged BitTorrent pirates. District Court Judge Ursula Ungaro dismissed a lawsuit filed by Malibu Media, arguing that the IP-address evidence can’t identify the person who actually downloaded the pirated file.

Judge: IP-Address Is Not a Person and Can’t Identify a BitTorrent Pirate

By Ernesto
Torrent Freak: March 24, 2014

Over the past several years hundreds of thousands of alleged BitTorrent pirates have been sued by so-called ‘copyright trolls’ in the United States.

The rightsholders bringing these cases generally rely on an IP address as evidence. They then ask the courts to grant a subpoena, forcing Internet providers to hand over the personal details of the associated account holder.

The problem, however, is that the person listed as the account holder is often not the person who downloaded the infringing material. Although not many judges address this crucial issue early on, there are exceptions, such as the one raised by Florida District Court Judge Ursula Ungaro.

Judge Ungaro was presented with a case brought by Malibu Media, who accused IP-address “174.61.81.171″ of sharing one of their films using BitTorrent without their permission. The Judge, however, was reluctant to issue a subpoena, and asked the company to explain how they could identify the actual infringer.

Responding to this order to show cause, Malibu Media gave an overview of their data gathering techniques. Among other things they explained that geo-location software was used to pinpoint the right location, and how they made sure that it was a residential address, and not a public hotspot.

Judge Ungaro welcomed the additional details, but saw nothing that actually proves that the account holder is the person who downloaded the file.

“Plaintiff has shown that the geolocation software can provide a location for an infringing IP address; however, Plaintiff has not shown how this geolocation software can establish the identity of the Defendant,” Ungaro wrote in an order last week.

“There is nothing that links the IP address location to the identity of the person actually downloading and viewing Plaintiff’s videos, and establishing whether that person lives in this district,” she adds.

Even if Malibu Media can accurately show that the copyright infringer used the Internet connection of the account holder connected to IP-address 174.61.81.171, they still can’t prove who shared the file.

“Even if this IP address is located within a residence, the geolocation software cannot identify who has access to that residence’s computer and who would actually be using it to infringe Plaintiff’s copyright,” Judge Ungaro explains.

As a result, the court decided to dismiss the case for improper venue. The ruling is crucial as it’s another unique order confirming that an IP address alone is not enough to launch a copyright infringement lawsuit.

(read the full article at Torrent Freak)

—-
Alternative Free Press -fair use-

Editor’s Note: Keep in mind, this is just a proposal to alter one of many programs. While it is a step in the right direction, it’s not nearly enough. Remember, whistle-blower Edward Snowden has recently told us told us “There are many other undisclosed programs” & “There are absolutely more revelations to come. Some of the most important reporting is yet to come.”

Obama to Call for End to N.S.A.’s Bulk Data Collection

By Charlie Savage
New York Times: March 24, 2014

(RELATED: Obama’s End Of NSA Data Collection, Will Actually Increase Collection)

WASHINGTON — The Obama administration is preparing to unveil a legislative proposal for a far-reaching overhaul of the National Security Agency’s once-secret bulk phone records program in a way that — if approved by Congress — would end the aspect that has most alarmed privacy advocates since its existence was leaked last year, according to senior administration officials.

Under the proposal, they said, the N.S.A. would end its systematic collection of data about Americans’ calling habits. The bulk records would stay in the hands of phone companies, which would not be required to retain the data for any longer than they normally would. And the N.S.A. could obtain specific records only with permission from a judge, using a new kind of court order.

In a speech in January, President Obama said he wanted to get the N.S.A. out of the business of collecting call records in bulk while preserving the program’s abilities. He acknowledged, however, that there was no easy way to do so, and had instructed Justice Department and intelligence officials to come up with a plan by March 28 — Friday — when the current court order authorizing the program expires.

As part of the proposal, the administration has decided to ask the Foreign Intelligence Surveillance Court to renew the program as it currently exists for at least one more 90-day cycle, senior administration officials said. But under the plan the administration has developed and now advocates, the officials said, it would later undergo major changes.

The new type of surveillance court orders envisioned by the administration would require phone companies to swiftly provide records in a technologically compatible data format, including making available, on a continuing basis, data about any new calls placed or received after the order is received, the officials said.

They would also allow the government to swiftly seek related records for callers up to two phone calls, or “hops,” removed from the number that has come under suspicion, even if those callers are customers of other companies.

The N.S.A. now retains the phone data for five years. But the administration considered and rejected imposing a mandate on phone companies that they hold on to their customers’ calling records for a period longer than the 18 months that federal regulations already generally require — a burden that the companies had resisted shouldering and that was seen as a major obstacle to keeping the data in their hands. A senior administration official said that intelligence agencies had concluded that the operational impact of that change would be small because older data is less important.

The N.S.A. uses the once-secret call records program — sometimes known as the 215 program, after Section 215 of the Patriot Act — to analyze links between callers in an effort to identify hidden terrorist associates, if they exist. It was part of the secret surveillance program that President George W. Bush unilaterally put in place after the terrorist attacks of Sept. 11, 2001, outside of any legal framework or court oversight.

In 2006, as part of a broader Bush administration effort to put its programs on a firmer legal footing, the Justice Department persuaded the surveillance court to begin authorizing the program. It claimed that Section 215, which allows the F.B.I. to obtain court orders for business records deemed “relevant” to an investigation, could be interpreted as allowing the N.S.A. to systematically collect domestic calling records in bulk.

Marc Rotenberg, the executive director of the Electronic Privacy Information Center, called the administration’s proposal a “sensible outcome, given that the 215 program likely exceeded current legal authority and has not proved to be effective.” While he said that he would like to see more overhauls to other surveillance authorities, he said the proposal was “significant” and addressed the major concerns with the N.S.A.’s bulk records program.

Jameel Jaffer of the American Civil Liberties Union said, “We have many questions about the details, but we agree with the administration that the N.S.A.’s bulk collection of call records should end.” He added, “As we’ve argued since the program was disclosed, the government can track suspected terrorists without placing millions of people under permanent surveillance.”

The administration’s proposal will join a jumble of bills in Congress ranging from proposals that would authorize the current program with only minor adjustments, to proposals to end it.

(read the full article at New York Times)

RELATED: Obama’s End Of NSA Data Collection, Will Actually Increase Collection
—-
Alternative Free Press -fair use-

NSA Spied on Chinese Government and Networking Firm

SPIEGEL: March 22, 2014

The American government conducted a major intelligence offensive against China, with targets including the Chinese government and networking company Huawei, according to documents from former NSA worker Edward Snowden that have been viewed by SPIEGEL. Among the American intelligence service’s targets were former Chinese President Hu Jintao, the Chinese Trade Ministry, banks, as well as telecommunications companies.

But the NSA made a special effort to target Huawei. With 150,000 employees and €28 billion ($38.6 billion) in annual revenues, the company is the world’s second largest network equipment supplier. At the beginning of 2009, the NSA began an extensive operation, referred to internally as “Shotgiant,” against the company, which is considered a major competitor to US-based Cisco. The company produces smartphones and tablets, but also mobile phone infrastructure, WLAN routers and fiber optic cable — the kind of technology that is decisive in the NSA’s battle for data supremacy.

A special unit with the US intelligence agency succeeded in infiltrating Huwaei’s network and copied a list of 1,400 customers as well as internal documents providing training to engineers on the use of Huwaei products, among other things.

Source Code Breached

According to a top secret NSA presentation, NSA workers not only succeeded in accessing the email archive, but also the secret source code of individual Huwaei products. Software source code is the holy grail of computer companies. Because Huawei directed all mail traffic from its employees through a central office in Shenzhen, where the NSA had infiltrated the network, the Americans were able to read a large share of the email sent by company workers beginning in January 2009, including messages from company CEO Ren Zhengfei and Chairwoman Sun Yafang.

“We currently have good access and so much data that we don’t know what to do with it,” states one internal document. As justification for targeting the company, an NSA document claims that “many of our targets communicate over Huawei produced products, we want to make sure that we know how to exploit these products.” The agency also states concern that “Huawei’s widespread infrastructure will provide the PRC (People’s Republic of China) with SIGINT capabilities.” SIGINT is agency jargon for signals intelligence. The documents do not state whether the agency found information indicating that to be the case.

The operation was conducted with the involvement of the White House intelligence coordinator and the FBI. One document states that the threat posed by Huawei is “unique”.

The agency also stated in a document that “the intelligence community structures are not suited for handling issues that combine economic, counterintelligence, military influence and telecommunications infrastructure from one entity.”

(read the full article at Spiegel)

—-
Alternative Free Press -fair use-

By Ryan Gallagher and Peter Maass
The Intercept: March 20, 2014

Across the world, people who work as system administrators keep computer networks in order – and this has turned them into unwitting targets of the National Security Agency for simply doing their jobs. According to a secret document provided by NSA whistleblower Edward Snowden, the agency tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they control.

The document consists of several posts – one of them is titled “I hunt sys admins” – that were published in 2012 on an internal discussion board hosted on the agency’s classified servers. They were written by an NSA official involved in the agency’s effort to break into foreign network routers, the devices that connect computer networks and transport data across the Internet. By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks.

The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. “Who better to target than the person that already has the ‘keys to the kingdom’?” one of the posts says.

The NSA wants more than just passwords. The document includes a list of other data that can be harvested from computers belonging to sys admins, including network maps, customer lists, business correspondence and, the author jokes, “pictures of cats in funny poses with amusing captions.” The posts, boastful and casual in tone, contain hacker jargon (pwn, skillz, zomg, internetz) and are punctuated with expressions of mischief. “Current mood: devious,” reads one, while another signs off, “Current mood: scheming.”

The author of the posts, whose name is being withheld by The Intercept, is a network specialist in the agency’s Signals Intelligence Directorate, according to other NSA documents. The same author wrote secret presentations related to the NSA’s controversial program to identify users of the Tor browser – a privacy-enhancing tool that allows people to browse the Internet anonymously. The network specialist, who served as a private contractor prior to joining the NSA, shows little respect for hackers who do not work for the government. One post expresses disdain for the quality of presentations at Blackhat and Defcon, the computer world’s premier security and hacker conferences:

Visit The Intercept To View Image Of Post

It is unclear how precise the NSA’s hacking attacks are or how the agency ensures that it excludes Americans from the intrusions. The author explains in one post that the NSA scours the Internet to find people it deems “probable” administrators, suggesting a lack of certainty in the process and implying that the wrong person could be targeted. It is illegal for the NSA to deliberately target Americans for surveillance without explicit prior authorization. But the employee’s posts make no mention of any measures that might be taken to prevent hacking the computers of Americans who work as sys admins for foreign networks. Without such measures, Americans who work on such networks could potentially fall victim to an NSA infiltration attempt.

The NSA declined to answer questions about its efforts to hack system administrators or explain how it ensures Americans are not mistakenly targeted. Agency spokeswoman Vanee’ Vines said in an email statement: “A key part of the protections that apply to both U.S. persons and citizens of other countries is the mandate that information be in support of a valid foreign intelligence requirement, and comply with U.S. Attorney General-approved procedures to protect privacy rights.”

As The Intercept revealed last week, clandestine hacking has become central to the NSA’s mission in the past decade. The agency is working to aggressively scale its ability to break into computers to perform what it calls “computer network exploitation,” or CNE: the collection of intelligence from covertly infiltrated computer systems. Hacking into the computers of sys admins is particularly controversial because unlike conventional targets – people who are regarded as threats – sys admins are not suspected of any wrongdoing.

In a post calling sys admins “a means to an end,” the NSA employee writes, “Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of.”

The first step, according to the posts, is to collect IP addresses that are believed to be linked to a network’s sys admin. An IP address is a series of numbers allocated to every computer that connects to the Internet. Using this identifier, the NSA can then run an IP address through the vast amount of signals intelligence data, or SIGINT, that it collects every day, trying to match the IP address to personal accounts.

“What we’d really like is a personal webmail or Facebook account to target,” one of the posts explains, presumably because, whereas IP addresses can be shared by multiple people, “alternative selectors” like a webmail or Facebook account can be linked to a particular target. You can “dumpster-dive for alternate selectors in the big SIGINT trash can” the author suggests. Or “pull out your wicked Google-fu” (slang for efficient Googling) to search for any “official and non-official e-mails” that the targets may have posted online.

Once the agency believes it has identified a sys admin’s personal accounts, according to the posts, it can target them with its so-called QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. This method tricks a target’s computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware “implant” and gain unfettered access to the data stored on its hard drive.

“Just pull those selectors, queue them up for QUANTUM, and proceed with the pwnage,” the author of the posts writes. (“Pwnage,” short for “pure ownage,” is gamer-speak for defeating opponents.) The author adds, triumphantly, “Yay! /throws confetti in the air.”

In one case, these tactics were used by the NSA’s British counterpart, Government Communications Headquarters, or GCHQ, to infiltrate the Belgian telecommunications company Belgacom. As Der Speigel revealed last year, Belgacom’s network engineers were targeted by GCHQ in a QUANTUM mission named “Operation Socialist” – with the British agency hacking into the company’s systems in an effort to monitor smartphones.

While targeting innocent sys admins may be surprising on its own, the “hunt sys admins” document reveals how the NSA network specialist secretly discussed building a “master list” of sys admins across the world, which would enable an attack to be initiated on one of them the moment their network was thought to be used by a person of interest. One post outlines how this process would make it easier for the NSA’s specialist hacking unit, Tailored Access Operations (TAO), to infiltrate networks and begin collecting, or “tasking,” data:

Visit The Intercept To View Image Of Post

Aside from offering up thoughts on covert hacking tactics, the author of these posts also provides a glimpse into internal employee complaints at the NSA. The posts describe how the agency’s spies gripe about having “dismal infrastructure” and a “Big Data Problem” because of the massive volume of information being collected by NSA surveillance systems. For the author, however, the vast data troves are actually something to be enthusiastic about.

“Our ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!” the author writes. “One of the coolest things about it is how much data we have at our fingertips.”

(read the full article with images and view source doc at The Intercept)

—-
Alternative Free Press -fair use-

Microsoft says it snooped on Hotmail to track leaker of company secrets

The Associated Press: March 20, 2014

LOS ANGELES — Microsoft Corp., which has skewered rival Google Inc. for going through customer emails to deliver ads, acknowledged Thursday it had searched emails in a blogger’s Hotmail account to track down who was leaking company secrets.

John Frank, deputy general counsel for Microsoft, which owns Hotmail, said in a statement Thursday that the software company “took extraordinary actions in this case.” In the future, he said, Microsoft would consult an outside attorney who is a former judge to determine if a court order would have allowed such a search.

The case involves former employee Alex Kibkalo, a Russian native who worked for Microsoft as a software architect in Lebanon.

According to an FBI complaint alleging theft of trade secrets, Microsoft found Kibkalo in September 2012 after examining the Hotmail account of the blogger with whom Kibkalo allegedly shared proprietary Microsoft code. The complaint filed Monday in federal court in Seattle did not identify the blogger.

“After confirmation that the data was Microsoft’s proprietary trade secret, on September 7, 2012, Microsoft’s Office of Legal Compliance (OLC) approved content pulls of the blogger’s Hotmail account,” says the complaint by FBI agent Armando Ramirez.

The search of the email account occurred months before Microsoft provided Ramirez with the results of its internal investigation in July 2013.

The email search uncovered messages from Kibkalo to the blogger containing fixes for the Windows 8 RT operating system before they were released publicly. The complaint alleges Kibkalo also shared a software development kit that could be used by hackers to understand more about how Microsoft uses product keys to activate software.

Besides the email search, Microsoft also combed through instant messages the two exchanged that September. Microsoft also examined files in Kibkalo’s cloud storage account, which until last month was called SkyDrive. Kibkalo is accused of using SkyDrive to share files with the blogger.

Kibkalo has since relocated to Russia, the FBI complaint says.

Frank said in his statement that no court order was needed to conduct the searches.

“Courts do not issue orders authorizing someone to search themselves,” he said. “Even when we have probable cause, it’s not feasible to ask a court to order us to search ourselves.”

Hotmail’s terms of service includes a section that says, “We may access or disclose information about you, including the content of your communications, in order to … protect the rights or property of Microsoft or our customers.”

(read the full article at CTV)

—-
Alternative Free Press -fair use-

This drone can steal what’s on your phone

By Erica Fink
CNNMoney: March 20, 2014

The next threat to your privacy could be hovering over head while you walk down the street.

Hackers have developed a drone that can steal the contents of your smartphone — from your location data to your Amazon password — and they’ve been testing it out in the skies of London. The research will be presented next week at the Black Hat Asia cybersecurity conference in Singapore.

The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on.

Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.

“Their phone will very noisily be shouting out the name of every network its ever connected to,” Sensepost security researcher Glenn Wilkinson said. “They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?”

That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive.

“Your phone connects to me and then I can see all of your traffic,” Wilkinson said.

That includes the sites you visit, credit card information entered or saved on different sites, location data, usernames and passwords. Each phone has a unique identification number, or MAC address, which the drone uses to tie the traffic to the device.

The names of the networks the phones visit can also be telling.

“I’ve seen somebody looking for ‘Bank X’ corporate Wi-Fi,” Wilkinson said. “Now we know that that person works at that bank.”

CNNMoney took Snoopy out for a spin in London on a Saturday afternoon in March and Wilkinson was able to show us what he believed to be the homes of several people who had walked underneath the drone. In less than an hour of flying, he obtained network names and GPS coordinates for about 150 mobile devices.

He was also able to obtain usernames and passwords for Amazon, PayPal and Yahoo accounts created for the purposes of our reporting so that we could verify the claims without stealing from passersby.

Collecting metadata, or the device IDs and network names, is probably not illegal, according to the Electronic Frontier Foundation. Intercepting usernames, passwords and credit card information with the intent of using them would likely violate wiretapping and identity theft laws.

(read the full article at CNNMoney)

—-
Alternative Free Press -fair use-

NSA general counsel Rajesh De says big tech companies provided ‘full assistance’ in legally mandated collection of data

US tech giants knew of NSA data collection, agency’s top lawyer insists

By Spencer Ackerman
The Guardian: March 19, 2014

The senior lawyer for the National Security Agency stated on Wednesday that US technology companies were fully aware of the surveillance agency’s widespread collection of data.

Rajesh De, the NSA general counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called “upstream” collection of communications moving across the internet.

Asked during a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”

When the Guardian and the Washington Post broke the Prism story in June, thanks to documents leaked by whistleblower Edward Snowden, nearly all the companies listed as participating in the program – Yahoo, Apple, Google, Microsoft, Facebook and AOL – claimed they did not know about a surveillance practice described as giving NSA vast access to their customers’ data. Some, like Apple, said they had “never heard” the term Prism.

De explained: “Prism was an internal government term that as the result of leaks became the public term,” De said. “Collection under this program was a compulsory legal process, that any recipient company would receive.”

After the hearing, De added that service providers also know and receive legal compulsions surrounding NSA’s harvesting of communications data not from companies but directly in transit across the internet under 702 authority.

The disclosure of Prism resulted in a cataclysm in technology circles, with tech giants launching extensive PR campaigns to reassure their customers of data security and successfully pressing the Obama administration to allow them greater leeway to disclose the volume and type of data requests served to them by the government.

Last week, Facebook founder Mark Zuckerberg said he had called US president Barack Obama to voice concern about “the damage the government is creating for all our future.” There was no immediate response from the tech companies to De’s comments on Wednesday.

It is unclear what sort of legal process the government serves on a company to compel communications content and metadata access under Prism or through upstream collection. Documents leaked from Snowden indicate that the NSA possesses unmediated access to the company data.

The secret Fisa court overseeing US surveillance for the purposes of producing foreign intelligence issues annual authorisations blessing NSA’s targeting and associated procedures under Section 702.After winning a transparency battle with the administration in the Fisa court earlier this year, the companies are now permitted to disclose the range of Fisa orders they receive, in bands of 1,000, which presumably include orders under 702.

Passed in 2008, Section 702 retroactively gave cover of law to a post-9/11 effort permitting the NSA to collect phone, email, internet and other communications content when one party to the communication is reasonably believed to be a non-American outside the United States. The NSA stores Prism data for five years and communications taken directly from the internet for two years.

While Section 702 forbids the intentional targeting of Americans or people inside the United States – a practice known as “reverse targeting” – significant amounts of Americans’ phone calls and emails are swept up in the process of collection.

In 2011, according to a now-declassified Fisa court ruling, the NSA was found to have collected tens of thousands of emails between Americans, which a judge on the court considered a violation of the US constitution and which the NSA says it is technologically incapable of fixing.

Renewed in December 2012 over the objections of senate intelligence committee members Ron Wyden and Mark Udall, Section 702 also permits NSA analysts to search through the collected communications for identifying information about Americans, an amendment to so-called “minimisation” rules revealed by the Guardian in August and termed the “backdoor search loophole” by Wyden.

(read the full article and find source links at The Guardian)

—-
Alternative Free Press -fair use-