Showing posts with label FBI. Show all posts
Showing posts with label FBI. Show all posts

Tuesday, October 10, 2017

Black Identity Extremists

The FBI is up to its mess and has made up a new term for Blacks who demand an end to government sanctioned tyranny against them.

Saturday, July 15, 2017

The Intercept Discloses Top-Secret NSA Document On Russia Hacking Aimed At US Voting System

The report details an operation targeting voter registration in 2016.

By Ben Dreyfuss

On Monday, the Intercept published a classified internal NSA document noting that Russian military intelligence mounted an operation to hack at least one US voting software supplier—which provided software related to voter registration files—in the months prior to last year’s presidential contest. It has previously been reported that Russia attempted to hack into voter registration systems, but this NSA document provides details of how one such operation occurred.

According to the Intercept:
The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the US election and voting infrastructure. The report, dated May 5, 2017, is the most detailed US government account of Russian interference in the election that has yet come to light.
While the document provides a rare window into the NSA’s understanding of the mechanics of Russian hacking, it does not show the underlying “raw” intelligence on which the analysis is based. A US intelligence officer who declined to be identified cautioned against drawing too big a conclusion from the document because a single analysis is not necessarily definitive.
The report indicates that Russian hacking may have penetrated further into US voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document:
Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.
Go read the whole thing.

Sunday, July 9, 2017

Trump’s Son Met With Russian Lawyer After Being Promised Damaging Information On Clinton

A meeting arranged by Donald Trump Jr. was held at Trump Tower in June 2016 with a Russian lawyer who has connections to the Kremlin. Credit Sam Hodgson for The New York Times
President Trump’s eldest son, Donald Trump Jr., was promised damaging information about Hillary Clinton before agreeing to meet with a Kremlin-connected Russian lawyer during the 2016 campaign, according to three advisers to the White House briefed on the meeting and two others with knowledge of it.

The meeting was also attended by his campaign chairman at the time, Paul J. Manafort, and his son-in-law, Jared Kushner. Mr. Manafort and Mr. Kushner only recently disclosed the meeting, though not its content, in confidential government documents described to The New York Times.

The Times reported the existence of the meeting on Saturday. But in subsequent interviews, the advisers and others revealed the motivation behind it.

The meeting — at Trump Tower on June 9, 2016, two weeks after Donald J. Trump clinched the Republican nomination — points to the central question in federal investigations of the Kremlin’s meddling in the presidential election: whether the Trump campaign colluded with the Russians. The accounts of the meeting represent the first public indication that at least some in the campaign were willing to accept Russian help.

And while Trump has been dogged by revelations of undisclosed meetings between his associates and the Russians, the episode at Trump Tower is the first such confirmed private meeting involving members of his inner circle during the campaign — as well as the first one known to have included his eldest son. It came at an inflection point in the campaign, when Donald Trump Jr., who served as an adviser and a surrogate, was ascendant and Mr. Manafort was consolidating power.

It is unclear whether the Russian lawyer, Natalia Veselnitskaya, actually produced the promised compromising information about Mrs. Clinton. But the people interviewed by The Times about the meeting said the expectation was that she would do so.

In a statement on Sunday, Donald Trump Jr. said he had met with the Russian lawyer at the request of an acquaintance. “After pleasantries were exchanged,” he said, “the woman stated that she had information that individuals connected to Russia were funding the Democratic National Committee and supporting Ms. Clinton. Her statements were vague, ambiguous and made no sense. No details or supporting information was provided or even offered. It quickly became clear that she had no meaningful information.”

He said she then turned the conversation to adoption of Russian children and the Magnitsky Act, an American law that blacklists suspected Russian human rights abusers. The law so enraged President Vladimir V. Putin of Russia that he retaliated by halting American adoptions of Russian children.

“It became clear to me that this was the true agenda all along and that the claims of potentially helpful information were a pretext for the meeting,” Mr. Trump said.

When he was first asked about the meeting on Saturday, he said only that it was primarily about adoptions and mentioned nothing about Mrs. Clinton.
President Trump’s son-in-law, Jared Kushner, also attended the meeting last year at Trump Tower. Credit Ruth Fremson/The New York Times
Mark Corallo, a spokesman for the president’s lawyer, said on Sunday that “Trump was not aware of and did not attend the meeting.”

Lawyers and spokesmen for Mr. Kushner and Mr. Manafort did not immediately respond to requests for comment. In his statement, Donald Trump Jr. said he asked Mr. Manafort and Mr. Kushner to attend, but did not tell them what the meeting was about.

American intelligence agencies have concluded that Russian hackers and propagandists worked to tip the election toward Donald J. Trump, in part by stealing and then providing to WikiLeaks internal Democratic Party and Clinton campaign emails that were embarrassing to Mrs. Clinton. WikiLeaks began releasing the material on July 22.

A special prosecutor and congressional committees are now investigating the Trump campaign’s possible collusion with the Russians. Mr. Trump has disputed that, but the investigation has cast a shadow over his administration.

Mr. Trump has also equivocated on whether the Russians were solely responsible for the hacking. On Sunday, two days after his first meeting as president with Mr. Putin, Mr. Trump said in a Twitter post: “I strongly pressed President Putin twice about Russian meddling in our election. He vehemently denied it. I’ve already given my opinion.....” He also tweeted that they had “discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded...””

On Sunday morning on Fox News, the White House chief of staff, Reince Priebus, described the Trump Tower meeting as a “big nothing burger.”

“Talking about issues of foreign policy, issues related to our place in the world, issues important to the American people is not unusual,” he said.

But Representative Adam B. Schiff of California, the leading Democrat on the House Intelligence Committee, one of the panels investigating Russian election interference, said he wanted to question “everyone that was at that meeting.”

“There’s no reason for this Russian government advocate to be meeting with Paul Manafort or with Mr. Kushner or the president’s son if it wasn’t about the campaign and Russia policy,” Mr. Schiff said after the initial Times report.

Ms. Veselnitskaya, the Russian lawyer invited to the Trump Tower meeting, is best known for mounting a multipronged attack against the Magnitsky Act.

The adoption impasse is a frequently used talking point for opponents of the act. Ms. Veselnitskaya’s campaign against the law has also included attempts to discredit the man after whom it was named, Sergei L. Magnitsky, a lawyer and auditor who died in 2009 in mysterious circumstances in a Russian prison after exposing one of the biggest corruption scandals during Mr. Putin’s rule.
Mr. Trump’s former campaign chairman, Paul J. Manafort, at the Republican National Convention in July 2016 in Cleveland. Credit Sam Hodgson for The New York Times
Ms. Veselnitskaya’s clients include state-owned businesses and a senior government official’s son, whose company was under investigation in the United States at the time of the meeting. Her activities and associations had previously drawn the attention of the F.B.I., according to a former senior law enforcement official.

Ms. Veselnitskaya said in a statement on Saturday that “nothing at all about the presidential campaign” was discussed. She recalled that after about 10 minutes, either Mr. Kushner or Mr. Manafort walked out.

She said she had “never acted on behalf of the Russian government” and “never discussed any of these matters with any representative of the Russian government.”

The Trump Tower meeting was disclosed to government officials in recent days, when Mr. Kushner, who is also a senior White House aide, filed a revised version of a form required to obtain a security clearance.

The Times reported in April that he had failed to disclose any foreign contacts, including meetings with the Russian ambassador to the United States and the head of a Russian state bank. Failure to report such contacts can result in a loss of access to classified information and even, if information is knowingly falsified or concealed, in imprisonment.

Mr. Kushner’s advisers said at the time that the omissions were an error, and that he had immediately notified the F.B.I. that he would be revising the filing.

In a statement on Saturday, Mr. Kushner’s lawyer, Jamie Gorelick, said: “He has since submitted this information, including that during the campaign and transition, he had over 100 calls or meetings with representatives of more than 20 countries, most of which were during transition. Mr. Kushner has submitted additional updates and included, out of an abundance of caution, this meeting with a Russian person, which he briefly attended at the request of his brother-in-law Donald Trump Jr. As Mr. Kushner has consistently stated, he is eager to cooperate and share what he knows.”

Mr. Manafort, the former campaign chairman, also recently disclosed the meeting, and Donald Trump Jr.’s role in organizing it, to congressional investigators who had questions about his foreign contacts, according to people familiar with the events. Neither Mr. Manafort nor Mr. Kushner was required to disclose the content of the meeting.

A spokesman for Mr. Manafort declined to comment.

Since the president took office, Donald Trump Jr. and his brother Eric have assumed day-to-day control of their father’s real estate empire. Because he does not serve in the administration and does not have a security clearance, Donald Trump Jr. was not required to disclose his foreign contacts.

Federal and congressional investigators have not publicly asked for any records that would require his disclosure of Russian contacts.

Ms. Veselnitskaya is a formidable operator with a history of pushing the Kremlin’s agenda. Most notable is her campaign against the Magnitsky Act, which provoked a Cold War-style, tit-for-tat dispute with the Kremlin when President Barack Obama signed it into law in 2012.

Under the law, about 44 Russian citizens have been put on a list that allows the United States to seize their American assets and deny them visas. The United States asserts that many of them are connected to the fraud exposed by Mr. Magnitsky, who after being jailed for more than a year was found dead in his cell. A Russian human rights panel found that he had been assaulted. To critics of Mr. Putin, Mr. Magnitsky, in death, became a symbol of corruption and brutality in the Russian state.
An infuriated Mr. Putin has called the law an “outrageous act,” and, in addition to banning American adoptions, he compiled what became known as an “anti-Magnitsky” blacklist of United States citizens.

Among those blacklisted was Preet Bharara, then the United States attorney in Manhattan, who led notable convictions of Russian arms and drug dealers. Mr. Bharara was abruptly fired in March, after previously being asked to stay on by President Trump.

One of Ms. Veselnitskaya’s clients is Denis Katsyv, the Russian owner of Prevezon Holdings, an investment company based in Cyprus. He is the son of Petr Katsyv, the vice president of the state-owned Russian Railways and a former deputy governor of the Moscow region. In a civil forfeiture case prosecuted by Mr. Bharara’s office, the Justice Department alleged that Prevezon had helped launder money linked to the $230 million corruption scheme exposed by Mr. Magnitsky by putting it in New York real estate and bank accounts. Prevezon recently settled the case for $6 million without admitting wrongdoing.

Ms. Veselnitskaya and her client also hired a team of political and legal operatives to press the case for repeal. And they tried but failed to keep Mr. Magnitsky’s name off a new law that takes aim at human-rights abusers across the globe. The team included Rinat Akhmetshin, an émigré to the United States who once served as a Soviet military officer and who has been called a Russian political gun for hire. Fusion GPS, a consulting firm that produced an intelligence dossier that contained unverified allegations about Mr. Trump, was also hired to do research for Prevezon.

Ms. Veselnitskaya was also deeply involved in the making of a film that disputes the widely accepted version of Mr. Magnitsky’s life and death. In the film and in her statement, she said the true culprit of the fraud was William F. Browder, an American-born financier who hired Mr. Magnitsky to investigate the fraud after three of his investment funds companies in Russia were seized.

Mr. Browder called the film a state-sponsored smear campaign.

“She’s not just some private lawyer,” Mr. Browder said of Ms. Veselnitskaya. “She is a tool of the Russian government.”

John O. Brennan, a former C.I.A. director, testified in May that he had been concerned last year by Russian government efforts to contact and manipulate members of Mr. Trump’s campaign. “Russian intelligence agencies do not hesitate at all to use private companies and Russian persons who are unaffiliated with the Russian government to support their objectives,” he said.

The F.B.I. began a counterintelligence investigation last year into Russian contacts with any Trump associates. Agents focused on Mr. Manafort and a pair of advisers, Carter Page and Roger J. Stone Jr.

Among those now under investigation is Michael T. Flynn, who was forced to resign as Mr. Trump’s national security adviser after it became known that he had falsely denied speaking to the Russian ambassador about sanctions imposed by the Obama administration over the election hacking.

Congress later discovered that Mr. Flynn had been paid more than $65,000 by companies linked to Russia, and that he had failed to disclose those payments when he renewed his security clearance and underwent an additional background check to join the White House staff.

In May, the president fired the F.B.I. director, James B. Comey, who days later provided information about a meeting with Mr. Trump at the White House. According to Mr. Comey, the president asked him to end the bureau’s investigation into Mr. Flynn; Mr. Trump has repeatedly denied making such a request. Robert S. Mueller III, a former F.B.I. director, was then appointed as special counsel.

The status of Mr. Mueller’s investigation is not clear, but he has assembled a veteran team of prosecutors and agents to dig into any possible collusion.

Saturday, June 24, 2017

Obama’s secret struggle to punish Russia for Putin’s election assault

Early last August, an envelope with extraordinary handling restrictions arrived at the White House. 

Sent by courier from the CIA, it carried “eyes only” instructions that its contents be shown to just four people: President Barack Obama and three senior aides.

Inside was an intelligence bombshell, a report drawn from sourcing deep inside the Russian government that detailed Russian President Vladi­mir Putin’s direct involvement in a cyber campaign to disrupt and discredit the U.S. presidential race.

But it went further. The intelligence captured Putin’s specific instructions on the operation’s audacious objectives — defeat or at least damage the Democratic nominee, Hillary Clinton, and help elect her opponent, Donald Trump.

At that point, the outlines of the Russian assault on the U.S. election were increasingly apparent.

Hackers with ties to Russian intelligence services had been rummaging through Democratic Party computer networks, as well as some Republican systems, for more than a year. In July, the FBI had opened an investigation of contacts between Russian officials and Trump associates. And on July 22, nearly 20,000 emails stolen from the Democratic National Committee were dumped online by WikiLeaks.

https://www.washingtonpost.com/graphics/2017/world/national-security/obama-putin-election-hacking/?utm_term=.12a31b9dd507&hpid=hp_hp-top-table-main_russiaobama-banner-7a%3Ahomepage%2Fstory

2016 election is officially illegitimate. TIME: Hackers Altered Voter Rolls

http://time.com/4828306/russian-hacking-election-widespread-private-data/

Election Hackers Altered Voter Rolls, Stole Private Data, Officials Say
Massimo Calabresi - Jun 22, 2017

The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least one successful attempt to alter voter information, and the theft of thousands of voter records that contain private information like partial Social Security numbers, current and former officials tell TIME.

In one case, investigators found there had been a manipulation of voter data in a county database but the alterations were discovered and rectified, two sources familiar with the matter tell TIME. Investigators have not identified whether the hackers in that case were Russian agents.

The fact that private data was stolen from states is separately providing investigators a previously unreported line of inquiry in the probes into Russian attempts to influence the election. In Illinois, more than 90% of the nearly 90,000 records stolen by Russian state actors contained drivers license numbers, and a quarter contained the last four digits of voters’ Social Security numbers, according to Ken Menzel, the General Counsel of the State Board of Elections.

Congressional investigators are probing whether any of this stolen private information made its way to the Trump campaign, two sources familiar with the investigations tell TIME.

“If any campaign, Trump or otherwise, used inappropriate data the questions are, How did they get it? From whom? And with what level of knowledge?” the former top Democratic staffer on the House Intelligence Committee, Michael Bahar, tells TIME. “That is a crux of the investigation."

Saturday, June 10, 2017

FBI Notified: Mitch Mconnell In $2.5M Money Funnel Connected To Putin

By mhw

http://bipartisanreport.com/2017/06/09/fbi-notified-after-mitch-mcconnell-exposed-in-2-5m-money-funnel-connected-to-putin/

By Natalie Thongrit - June 9, 2017

SNIP

Thanks to the hard work of Democratic pundit Scott Dworkin, it’s beginning to look like every Republican politician has some kind of link to Russia.

Over the last few months, Dworkin has revealed that several Republican senators — including John McCain, Ted Cruz, and Marco Rubio — have accepted money from Russian donors. He also produced evidence of even more connections a couple of weeks ago that were shared by Palmer Report.

In May, Dworkin found documents that link Senate Majority Leader Mitch McConnell to a super PAC that accepted $2.5 million from a “pro-Putin Ukrainian businessman.” He shared photos of the documents on Twitter, along with the following message:

‘#TrumpLeaks Docs: Mitch McConnell linked super PAC took $2.5 million from a pro-Putin Ukrainian businessman last election cycle #trumprussia’

#TrumpLeaks Docs: Mitch McConnell linked super PAC took $2.5 million from a pro-Putin Ukrainian businessman last election cycle #trumprussia pic.twitter.com/V7HTq16fCR

— Scott Dworkin (@funder) May 21, 2017

*Scott Walker*
Dworkin also found that McConnell is not the only person who has benefited from a pro-Putin businessman. He tweeted a couple of days later photos of documents that show Wisconsin Governor Scott Walker also received money from this “pro-Putin” individual during the last election cycle.

MORE..Interesting read.!



Why they refuse to have Trump investigated.
We all knew that bunch was invested in Putin's scam, now we have the story.

Tuesday, May 9, 2017

Why The Sally Yates Hearing Was Very Bad News For The Trump White House

The president just lost his favorite piece of spin for countering the Russia scandal.



The much-anticipated Senate hearing on Monday afternoon with former acting attorney general Sally Yates and former director of national intelligence James Clapper confirmed an important point: the Russia story still poses tremendous trouble for President Donald Trump and his crew.

Yates recounted a disturbing tale. She recalled that on January 26, she requested and received a meeting with Don McGahn, Trump's White House counsel. At the time, Vice President Mike Pence and other White House officials were saying that ret. Lt. Gen. Michael Flynn, Trump's national security adviser, had not spoken the month before with the Russian ambassador to the United States, Sergey Kislyak, about the sanctions then-President Barack Obama had imposed on the Russians as punishment for Moscow's meddling in the 2016 presidential campaign. Yates' Justice Department had evidence—presumably intercepts of Flynn's communications with Kislyak—that showed this assertion was flat-out false.

At that meeting, Yates shared two pressing concerns with McGahn: that Flynn had lied to the vice president and that Flynn could now be blackmailed by the Russians because they knew he had lied about his conversations with Kislyak. As Yates told the members of the Senate subcommittee on crime and terrorism, "To state the obvious: you don't want your national security adviser compromised by the Russians." She and McGahn also discussed whether Flynn had violated any laws.

The next day, McGahn asked Yates to return to the White House, and they had another discussion. According to Yates, McGahn asked whether it would interfere with the FBI's ongoing investigation of Flynn if the White House took action regarding this matter. No, Yates said she told him. The FBI had already interviewed Flynn. And Yates explained to the senators that she had assumed that the White House would not sit on the information she presented McGahn and do nothing.

But that's what the White House did. McGahn in that second meeting did ask if the White House could review the evidence the Justice Department had. She agreed to make it available. (Yates testified that she did not know whether this material was ever reviewed by the White House. She was fired at that point because she would not support Trump's Muslim travel ban.) Whether McGahn examined that evidence about Flynn, the White House did not take action against him. It stood by Flynn. He remained in the job, hiring staff for the National Security Council and participating in key policy decision-making.

On February 9, the Washington Post revealed that Flynn had indeed spoken with Kislyak about the sanctions. And still the Trump White House backed him up. Four days later, Kellyanne Conway, a top Trump White House official, declared that Trump still had "full confidence" in Flynn. The next day—as a media firestorm continued—Trump fired him. Still, the day after he canned Flynn, Trump declared, "Gen. Flynn is a wonderful man. I think he has been treated very, very unfairly by the media, as I call it, the fake media in many cases. And I think it is really a sad thing that he was treated so badly." Trump displayed no concern about Flynn's misconduct.

The conclusion from Yates' testimony was clear: Trump didn't dump Flynn until the Kislyak matter became a public scandal and embarrassment. The Justice Department warning—hey, your national security adviser could be compromised by the foreign government that just intervened in the American presidential campaign—appeared to have had no impact on Trump's actions regarding Flynn. Imagine what Republicans would say if a President Hillary Clinton retained as national security adviser a person who could be blackmailed by Moscow.

The subcommittee's hearing was also inconvenient for Trump and his supporters on another key topic: it destroyed one of their favorite talking points.

On March 5, Clapper was interviewed by NBC News' Chuck Todd on Meet the Press and asked if there was any evidence of collusion between members of the Trump campaign and the Russians. "Not to my knowledge," Clapper replied. Since then, Trump and his champions have cited Clapper to say there is no there there with the Russia story. Trump on March 20 tweeted, "James Clapper and others stated that there is no evidence Potus colluded with Russia. The story is FAKE NEWS and everyone knows it!" White House press secretary Sean Spicer has repeatedly deployed this Clapper statement to insist there was no collusion.

At Monday's hearing, Clapper pulled this rug out from under the White House and its comrades. He noted that it was standard policy for the FBI not to share with him details about ongoing counterintelligence investigations. And he said he had not been aware of the FBI's investigation of contacts between Trump associates and Russia that FBI director James Comey revealed weeks ago at a House intelligence committee hearing. Consequently, when Clapper told Todd that he was not familiar with any evidence of Trump-Russia collusion, he was speaking accurately. But he essentially told the Senate subcommittee that he was not in a position to know for certain. This piece of spin should now be buried. Trump can no longer hide behind this one Clapper statement.

Clapper also dropped another piece of information disquieting for the Trump camp. Last month, the Guardian reported that British intelligence in late 2015 collected intelligence on suspicious interactions between Trump associates and known or suspected Russian agents and passed this information to to the United States "as part of a routine exchange of information." Asked about this report, Clapper said it was "accurate." He added, "The specifics are quite sensitive." This may well have been the first public confirmation from an intelligence community leader that US intelligence agencies have possessed secret information about ties between Trump's circle and Moscow. (Comey testified that the FBI's counterintelligence investigation of links between Trump associates and Russian began in late July 2016.)

So this hearing indicated that the Trump White House protected a national security adviser who lied and who could be compromised by Moscow, that Trump can no longer cite Clapper to claim there was no collusion, and that US intelligence had sensitive information on interactions between Trump associates and possible Russian agents as early as late 2015. Still, most of the Republicans on the panel focused on leaks and "unmasking"—not the main issues at hand. They collectively pounded more on Yates for her action regarding the Muslim travel ban than on Moscow for its covert operation to subvert the 2016 election to help Trump.

This Senate subcommittee, which is chaired by Sen. Lindsey Graham (R-S.C.), is not mounting a full investigation comparable to the inquiry being conducted by the Senate intelligence committee (and presumably the hobbled House intelligence committee). It has far less staff, and its jurisdiction is limited. But this hearing demonstrated that serious inquiry can expand the public knowledge of the Trump-Russia scandal—and that there remains much more to examine and unearth.

Friday, March 24, 2017

Republicans tried to hide payments to Russia-linked intel firm for dirt-digging on Hillary Clinton

By David Ferguson

The Republican National Committee (RNC) tried to conceal payments it made during the 2016 election to a shadowy intelligence-gathering firm for opposition research against Democratic candidate Hillary Clinton.

Politico reported on Friday that the RNC paid $41,500 to the Hamilton Trading Group, a Virginia-based private company run by former CIA operatives. The agency worked with a former Russian spy to hunt for information that would show conflicts of interest between Clinton’s role as Secretary of State and her interests as a private citizen and leader of the Clinton Foundation.

Observers in politics and intelligence noted that it would be odd for the RNC to make payments to Hamilton Trading given that the group specializes in matters pertaining to Russia.

“RNC officials and the president and co-founder of Hamilton Trading Group, an ex-CIA officer named Ben Wickham, insisted the payments, which eventually totaled $41,500, had nothing to do with Russia,” wrote Politico’s Kenneth P. Vogel and Eli Stokols.

Wickham and the RNC initially claimed that the payments were in return for building and security analyses of RNC headquarters in Washington.

“But RNC officials now acknowledge that most of the cash — $34,100 — went towards intelligence-style reports that sought to prove conflicts of interest between Democratic presidential candidate Hillary Clinton’s tenure as Secretary of State and her family’s foundation,” Politico said.

HTG produced two dossiers, both of which attempted to make a case that Clinton directed U.S. interventions in Bulgaria and Israel on behalf of energy firms that donated to the Clinton Foundation, said individuals familiar with the documents.

Wickham told Politico in a Thursday interview that he floated the building inspection story because “any other work we may have done for them” was covered under a nondisclosure agreement.

“I’m not denying that I wasn’t totally forthcoming, but I’m telling you why,” Wickham told Politico.

“The security stuff that we did, which is legitimate, was not covered by any kind of a confidentiality agreement, so I can discuss that.”

Last June, when the RNC filed financial disclosures with the Federal Elections Commission (FEC), a $3,400 payment to Hamilton attracted attention because the firm is not known for building security consultations, but rather for espionage work related to Russia.

“Adding to the intrigue are the firm’s intelligence connections in Russia, where it was known to perform background checks and provide security services for American officials and companies,” said Politico.

The job was handed to former KGB agent Gennady Vasilenko, who declined to comment on the matter.

Wickham denied that his firm looked into any connections between the Trump campaign and the Russian government, saying he has “never had any contact with … Trump or Manafort or their people.” Politico said the RNC has produced documents detailing a list of Clinton-related issues it tasked Hamilton Trading with researching.

He said that while his firm is not well-known for building security, it did an assessment for the RNC to protect against a “McVeigh-type” bombing attack or a gun-wielding intruder like the San Bernardino mass shooting.

“We certainly are not widely known, as we have always been a two- to three-man company and have done little advertising,” Wickham said, adding that the firm has done anti-terror security consultations for Amtrak and the International Monetary Fund’s offices in Moscow.

Tuesday, November 1, 2016

A Veteran Spy Has Given The FBI Information Alleging A Russian Operation To Cultivate Donald Trump

Has the bureau investigated this material?

By David Corn

On Friday, FBI Director James Comey set off a political blast when he informed congressional leaders that the bureau had stumbled across emails that might be pertinent to its completed inquiry into Hillary Clinton's handling of emails when she was secretary of state. The Clinton campaign and others criticized Comey for intervening in a presidential campaign by breaking with Justice Department tradition and revealing information about an investigation—information that was vague and perhaps ultimately irrelevant—so close to Election Day. 

On Sunday, Senate Minority Leader Harry Reid upped the ante. He sent Comey a fiery letter saying the FBI chief may have broken the law and pointed to a potentially greater controversy: "In my communications with you and other top officials in the national security community, it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government…The public has a right to know this information."

Reid's missive set off a burst of speculation on Twitter and elsewhere. What was he referring to regarding the Republican presidential nominee? At the end of August, Reid had written to Comey and demanded an investigation of the "connections between the Russian government and Donald Trump's presidential campaign," and in that letter he indirectly referred to Carter Page, an American businessman cited by Trump as one of his foreign policy advisers, who had financial ties to Russia and had recently visited Moscow.

Last month, Yahoo News reported that US intelligence officials were probing the links between Page and senior Russian officials. (Page has called accusations against him "garbage.") On Monday, NBC News reported that the FBI has mounted a preliminary inquiry into the foreign business ties of Paul Manafort, Trump's former campaign chief. But Reid's recent note hinted at more than the Page or Manafort affairs. And a former senior intelligence officer for a Western country who specialized in Russian counterintelligence tells Mother Jones that in recent months he provided the bureau with memos, based on his recent interactions with Russian sources, contending the Russian government has for years tried to co-opt and assist Trump—and that the FBI requested more information from him.

"This is something of huge significance, way above party politics," the former intelligence officer says. "I think [Trump's] own party should be aware of this stuff as well."
 
Does this mean the FBI is investigating whether Russian intelligence has attempted to develop a secret relationship with Trump or cultivate him as an asset? Was the former intelligence officer and his material deemed credible or not? An FBI spokeswoman says, "Normally, we don't talk about whether we are investigating anything." But a senior US government official not involved in this case but familiar with the former spy tells Mother Jones that he has been a credible source with a proven record of providing reliable, sensitive, and important information to the US government.

In June, the former Western intelligence officer—who spent almost two decades on Russian intelligence matters and who now works with a US firm that gathers information on Russia for corporate clients—was assigned the task of researching Trump's dealings in Russia and elsewhere, according to the former spy and his associates in this American firm. This was for an opposition research project originally financed by a Republican client critical of the celebrity mogul. (Before the former spy was retained, the project's financing switched to a client allied with Democrats.)

"It started off as a fairly general inquiry," says the former spook, who asks not to be identified. But when he dug into Trump, he notes, he came across troubling information indicating connections between Trump and the Russian government. According to his sources, he says, "there was an established exchange of information between the Trump campaign and the Kremlin of mutual benefit."

This was, the former spy remarks, "an extraordinary situation." He regularly consults with US government agencies on Russian matters, and near the start of July on his own initiative—without the permission of the US company that hired him—he sent a report he had written for that firm to a contact at the FBI, according to the former intelligence officer and his American associates, who asked not to be identified. (He declines to identify the FBI contact.) The former spy says he concluded that the information he had collected on Trump was "sufficiently serious" to share with the FBI.

Mother Jones has reviewed that report and other memos this former spy wrote. The first memo, based on the former intelligence officer's conversations with Russian sources, noted, "Russian regime has been cultivating, supporting and assisting TRUMP for at least 5 years. Aim, endorsed by PUTIN, has been to encourage splits and divisions in western alliance." It maintained that Trump "and his inner circle have accepted a regular flow of intelligence from the Kremlin, including on his Democratic and other political rivals." It claimed that Russian intelligence had "compromised" Trump during his visits to Moscow and could "blackmail him." It also reported that Russian intelligence had compiled a dossier on Hillary Clinton based on "bugged conversations she had on various visits to Russia and intercepted phone calls."

The former intelligence officer says the response from the FBI was "shock and horror." The FBI, after receiving the first memo, did not immediately request additional material, according to the former intelligence officer and his American associates. Yet in August, they say, the FBI asked him for all information in his possession and for him to explain how the material had been gathered and to identify his sources. The former spy forwarded to the bureau several memos—some of which referred to members of Trump's inner circle. After that point, he continued to share information with the FBI. "It's quite clear there was or is a pretty substantial inquiry going on," he says.

"This is something of huge significance, way above party politics," the former intelligence officer comments. "I think [Trump's] own party should be aware of this stuff as well."

The Trump campaign did not respond to a request for comment regarding the memos. In the past, Trump has declared, "I have nothing to do with Russia."

The FBI is certainly investigating the hacks attributed to Russia that have hit American political targets, including the Democratic National Committee and John Podesta, the chairman of Clinton's presidential campaign. But there have been few public signs of whether that probe extends to examining possible contacts between the Russian government and Trump. (In recent weeks, reporters in Washington have pursued anonymous online reports that a computer server related to the Trump Organization engaged in a high level of activity with servers connected to Alfa Bank, the largest private bank in Russia. On Monday, a Slate investigation detailed the pattern of unusual server activity but concluded, "We don't yet know what this [Trump] server was for, but it deserves further explanation." In an email to Mother Jones, Hope Hicks, a Trump campaign spokeswoman, maintains, "The Trump Organization is not sending or receiving any communications from this email server. The Trump Organization has no communication or relationship with this entity or any Russian entity.")

According to several national security experts, there is widespread concern in the US intelligence community that Russian intelligence, via hacks, is aiming to undermine the presidential election—to embarrass the United States and delegitimize its democratic elections. And the hacks appear to have been designed to benefit Trump. In August, Democratic members of the House committee on oversight wrote Comey to ask the FBI to investigate "whether connections between Trump campaign officials and Russian interests may have contributed to these [cyber] attacks in order to interfere with the US. presidential election."

In September, Sen. Dianne Feinstein and Rep. Adam Schiff, the senior Democrats on, respectively, the Senate and House intelligence committees, issued a joint statement accusing Russia of underhanded meddling: "Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election. At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes of the election." The Obama White House has declared Russia the culprit in the hacking capers, expressed outrage, and promised a "proportional" response.

There's no way to tell whether the FBI has confirmed or debunked any of the allegations contained in the former spy's memos. But a Russian intelligence attempt to co-opt or cultivate a presidential candidate would mark an even more serious operation than the hacking.

In the letter Reid sent to Comey on Sunday, he pointed out that months ago he had asked the FBI director to release information on Trump's possible Russia ties. Since then, according to a Reid spokesman, Reid has been briefed several times. The spokesman adds, "He is confident that he knows enough to be extremely alarmed."

Wednesday, June 8, 2016

FBI is now pushing for warrantless access to Internet browsing history

The amendment would apply in terrorism and national security cases, but critics warn against the expansion of powers.

By

The Obama administration is pushing to amend existing privacy law in a way that critics argue would allow the government access to internet browsing histories and other metadata -- without needing a warrant.

An amendment to the Electronic Communications Privacy Act (ECPA), set to be considered by the Judiciary Committee on Thursday, will allow the FBI to subpoena records associated with Americans' online communications -- so called electronic communications transactional records - with the use of national security letters, which don't require court approval.

That would allow federal agents to access phone logs, email records, cell-site data used to pinpoint locations, as well as accessing a list of visited websites.

Sen. John Cornyn (R-TX), who introduced the amendment, said the change was necessary to prevent "needlessly hamstringing our counterintelligence and counter-terrorism efforts."

Under existing law, national security letters can get access to all kinds of metadata -- but not contents of calls, emails, and other messages. But they don't permit the collection of website addresses, or internet search queries. (That said, the FBI is said to have secret legal interpretations allowing it to collect web histories in some cases.)

That's a problem for FBI director James Comey, who called the omission of the provision in the original law a "typo," arguing that it "affects our work in a very big and practical way," he told members of the Senate Intelligence Committee in February.

Or as the EFF staff attorney Andrew Crocker explained in a blog post, "the FBI thinks it was already entitled to get these records using [national security letters], and Congress simply messed up when it drafted the law."

But the Justice Dept.'s Office of Legal Counsel found in 2008 that the FBI was wrong. That's why the FBI is making the push for a change in the law -- making it the second second such push in a decade.

Those privacy advocates are also back, and they brought with them key allies from the tech industry - including Apple, Facebook, Google, Microsoft, and Yahoo, -- which were among dozens of signatures on an open letter to the Obama administration asking the government to drop the attempt.

"We would oppose any version of these bills that included such a proposal expanding the government's ability to access private data without a court order," says the open letter, dated Monday.
"The civil liberties and human rights concerns associated with such an expansion are compounded by the government's history of abusing NSL authorities," it adds.

But national security letters will still face some level of scrutiny, thanks to a provision in the Freedom Act, which replaced parts of the controversial Patriot Act, which allow secret demands for customer data to be periodically reviewed.

Leading senior senators have rejected the amendment, and will instead push for ECPA reforms, dubbed the Email Privacy Act, which was passed by the House earlier this year.

We reached out to the FBI for comment.

Monday, November 3, 2014

FBI secretly seeking legal power to hack any computer, anywhere

By Cory Doctorow

The Bureau is seeking a rule-change from the Administrative Office of the US Courts that would give it the power to distribute malware, hack, and trick any computer, anywhere in the world, in the course of investigations; it's the biggest expansion of FBI spying power in its history and they're hoping to grab it without an act of Congress or any public scrutiny or debate.
But under the proposed amendment, a judge can issue a warrant that would allow the FBI to hack into any computer, no matter where it is located. The change is designed specifically to help federal investigators carry out surveillance on computers that have been “anonymized” – that is, their location has been hidden using tools such as Tor.
The amendment inserts a clause that would allow a judge to issue warrants to gain “remote access” to computers “located within or outside that district” (emphasis added) in cases in which the “district where the media or information is located has been concealed through technological means”. The expanded powers to stray across district boundaries would apply to any criminal investigation, not just to terrorist cases as at present.
Were the amendment to be granted by the regulatory committee, the FBI would have the green light to unleash its capabilities – known as “network investigative techniques” – on computers across America and beyond. The techniques involve clandestinely installing malicious software, or malware, onto a computer that in turn allows federal agents effectively to control the machine, downloading all its digital contents, switching its camera or microphone on or off, and even taking over other computers in its network
FBI demands new powers to hack into computers and carry out surveillance [Ed Pilkington/The Guardian]

(Thanks, Melted_Crayons!)

Saturday, February 8, 2014

How Hackers and Software Companies are Beefing Up NSA Surveillance

Companies like Endgame Systems have for years sold information and digital loopholes to the NSA to help bolster spying.

Fri Feb. 7, 2014 9:50 A.M. GMT
This story first appeared on the TomDispatch website.

Imagine that you could wander unseen through a city, sneaking into houses and offices of your choosing at any time, day or night. Imagine that, once inside, you could observe everything happening, unnoticed by others—from the combinations used to secure bank safes to the clandestine rendezvous of lovers. Imagine also that you have the ability to silently record everybody's actions, whether they are at work or play without leaving a trace. Such omniscience could, of course, make you rich, but perhaps more important, it could make you very powerful.

That scenario out of some futuristic sci-fi novel is, in fact, almost reality right now. After all, globalization and the Internet have connected all our lives in a single, seamless virtual city where everything is accessible at the tap of a finger. We store our money in online vaults; we conduct most of our conversations and often get from place to place with the help of our mobile devices. Almost everything that we do in the digital realm is recorded and lives on forever in a computer memory that, with the right software and the correct passwords, can be accessed by others, whether you want them to or not.

Now—one more moment of imagining—what if every one of your transactions in that world was infiltrated? What if the government had paid developers to put trapdoors and secret passages into the structures that are being built in this new digital world to connect all of us all the time? What if they had locksmiths on call to help create master keys for all the rooms? And what if they could pay bounty hunters to stalk us and build profiles of our lives and secrets to use against us?

Well, check your imagination at the door, because this is indeed the brave new dystopian world that the US government is building, according to the latest revelations from the treasure trove of documents released by National Security Agency whistleblower Edward Snowden.

Over the last eight months, journalists have dug deep into these documents to reveal that the world of NSA mass surveillance involves close partnerships with a series of companies most of us have never heard of that design or probe the software we all take for granted to help keep our digital lives humming along.

There are three broad ways that these software companies collaborate with the state: a National Security Agency program called "Bullrun" through which that agency is alleged to pay off developers like RSA, a software security firm, to build "backdoors" into our computers; the use of "bounty hunters" like Endgame and Vupen that find exploitable flaws in existing software like Microsoft Office and our smartphones; and finally the use of data brokers like Millennial Media to harvest personal data on everybody on the Internet, especially when they go shopping or play games like Angry Birds, Farmville, or Call of Duty.

Of course, that's just a start when it comes to enumerating the ways the government is trying to watch us all, as I explained in a previous TomDispatch piece, "Big Bro is Watching You." For example, the FBI uses hackers to break into individual computers and turn on computer cameras and microphones, while the NSA collects bulk cell phone records and tries to harvest all the data traveling over fiber-optic cables. In December 2013, computer researcher and hacker Jacob Appelbaum revealed that the NSA has also built hardware with names like Bulldozer, Cottonmouth, Firewalk, Howlermonkey, and Godsurge that can be inserted into computers to transmit data to US spooks even when they are not connected to the Internet.

"Today, [the NSA is] conducting instant, total invasion of privacy with limited effort," Paul Kocher, the chief scientist of Cryptography Research, Inc. which designs security systems, told the New York Times. "This is the golden age of spying."

Building Backdoors

Back in the 1990's, the Clinton administration promoted a special piece of NSA-designed hardware that it wanted installed in computers and telecommunication devices. Called the Clipper Chip, it was intended to help scramble data to protect it from unauthorized access—but with a twist. It also transmitted a "Law Enforcement Access Field" signal with a key that the government could use if it wanted to access the same data.

Activists and even software companies fought against the Clipper Chip in a series of political skirmishes that are often referred to as the Crypto Wars. One of the most active companies was RSA from California. It even printed posters with a call to "Sink Clipper." By 1995, the proposal was dead in the water, defeated with the help of such unlikely allies as broadcaster Rush Limbaugh and Senators John Ashcroft and John Kerry.

But the NSA proved more tenacious than its opponents imagined. It never gave up on the idea of embedding secret decryption keys inside computer hardware—a point Snowden has emphasized (with the documents to prove it).

A decade after the Crypto Wars, RSA, now a subsidiary of EMC, a Massachusetts company, had changed sides. According to an investigative report by Joseph Menn of Reuters, it allegedly took $10 million from the National Security Agency in exchange for embedding an NSA-designed mathematical formula called the Dual Elliptic Curve Deterministic Random Bit Generator inside its Bsafe software products as the default encryption method.

The Dual Elliptic Curve has a "flaw" that allows it to be hacked, as even RSA now admits.

Unfortunately for the rest of us, Bsafe is built into a number of popular personal computer products and most people would have no way of figuring out how to turn it off.

According to the Snowden documents, the RSA deal was just one of several struck under the NSA's Bullrun program that has cost taxpayers over $800 million to date and opened every computer and mobile user around the world to the prying eyes of the surveillance state.

"The deeply pernicious nature of this campaign—undermining national standards and sabotaging hardware and software—as well as the amount of overt private sector cooperation are both shocking," wrote Dan Auerbach and Kurt Opsahl of the Electronic Frontier Foundation, a San Francisco-based activist group that has led the fight against government surveillance. "Back doors fundamentally undermine everybody's security, not just that of bad guys."

Bounty Hunters

For the bargain basement price of $5,000, hackers offered for sale a software flaw in Adobe Acrobat that allows you to take over the computer of any unsuspecting victim who downloads a document from you. At the opposite end of the price range, Endgame Systems of Atlanta, Georgia, offered for sale a package named Maui for $2.5 million that can attack targets all over the world based on flaws discovered in the computer software that they use. For example, some years ago, Endgame offered for sale targets in Russia including an oil refinery in Achinsk, the National Reserve Bank, and the Novovoronezh nuclear power plant. (The list was revealed by Anonymous, the online network of activist hackers.)
While such "products," known in hacker circles as "zero day exploits," may sound like sales pitches from the sorts of crooks any government would want to put behind bars, the hackers and companies who make it their job to discover flaws in popular software are, in fact, courted assiduously by spy agencies like the NSA who want to use them in cyberwarfare against potential enemies.
Take Vupen, a French company that offers a regularly updated catalogue of global computer vulnerabilities for an annual subscription of $100,000. If you see something that you like, you pay extra to get the details that would allow you to hack into it. A Vupen brochure released by Wikileaks in 2011 assured potential clients that the company aims "to deliver exclusive exploit codes for undisclosed vulnerabilities" for "covertly attacking and gaining access to remote computer systems."
At a Google sponsored event in Vancouver in 2012, Vupen hackers demonstrated that they could hijack a computer via Google's Chrome web browser. But they refused to hand over details to the company, mocking Google publicly. "We wouldn't share this with Google for even $1 million," Chaouki Bekrar of Vupen boasted to Forbes magazine. "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers."

In addition to Endgame and Vupen, other players in this field include Exodus Intelligence in Texas, Netragard in Massachussetts, and ReVuln in Malta.

Their best customer? The NSA, which spent at least $25 million in 2013 buying up dozens of such "exploits." In December, Appelbaum and his colleagues reported in Der Spiegel that agency staff crowed about their ability to penetrate any computer running Windows at the moment that machine sends messages to Microsoft. So, for example, when your computer crashes and helpfully offers to report the problem to the company, clicking yes could open you up for attack.

The federal government is already alleged to have used such exploits (including one in Microsoft Windows)—most famously when the Stuxnet virus was deployed to destroy Iran's nuclear centrifuges.

"This is the militarization of the Internet," Appelbaum told the Chaos Computer Congress in Hamburg. "This strategy is undermining the Internet in a direct attempt to keep it insecure. We are under a kind of martial law." 


Harvesting your Data

Among the Snowden documents was a 20-page 2012 report from the Government Communications Headquarters—the British equivalent of the NSA—that listed a Baltimore-based ad company, Millennial Media. According to the spy agency, it can provide "intrusive" profiles of users of smartphone applications and games. The New York Times has noted that the company offers data like whether individuals are single, married, divorced, engaged, or "swinger," as well as their sexual orientation ("straight, gay, bisexuall, and 'not sure'").

How does Millennial Media get this data? Simple. It happens to gather data from some of the most popular video game manufacturers in the world. That includes Activision in California which makes Call of Duty, a military war game that has sold over 100 million copies; Rovio of Finland, which has given away 1.7 billion copies of a game called Angry Birds that allows users to fire birds from a catapult at laughing pigs; and Zynga—also from California—which makes Farmville, a farming game with 240 million active monthly users.

In other words, we're talking about what is undoubtedly a significant percentage of the connected world unknowingly handing over personal data, including their location and search interests, when they download "free" apps after clicking on a licensing agreement that legally allows the manufacturer to capture and resell their personal information. Few bother to read the fine print or think twice about the actual purpose of the agreement.

The apps pay for themselves via a new business model called "real-time bidding" in which advertisers like Target and Walmart send you coupons and special offers for whatever branch of their store is closest to you. They do this by analyzing the personal data sent to them by the "free" apps to discover both where you are and what you might be in the market for.

When, for instance, you walk into a mall, your phone broadcasts your location and within a millisecond a data broker sets up a virtual auction to sell your data to the highest bidder. This rich and detailed data stream allows advertisers to tailor their ads to each individual customer. As a result, based on their personal histories, two people walking hand in hand down a street might get very different advertisements, even if they live in the same house.

This also has immense value to any organization that can match up the data from a device with an actual name and identity—such as the federal government. Indeed, the Guardian has highlighted an NSA document from 2010 in which the agency boasts that it can "collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, marital status…income, ethnicity, sexual orientation, education level, and number of children."

In Denial

It's increasingly clear that the online world is, for both government surveillance types and corporate sellers, a new Wild West where anything goes. This is especially true when it comes to spying on you and gathering every imaginable version of your "data."

Software companies, for their part, have denied helping the NSA and reacted with anger to the Snowden disclosures. "Our fans' trust is the most important thing for us and we take privacy extremely seriously," commented Mikael Hed, CEO of Rovio Entertainment, in a public statement.

"We do not collaborate, collude, or share data with spy agencies anywhere in the world."

RSA has tried to deny that there are any flaws in its products. "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the company said in a statement on its website. "We categorically deny this allegation." (Nonetheless RSA has recently started advising clients to stop using the Dual Elliptical Curve.)

Other vendors like Endgame and Millennial Media have maintained a stoic silence. Vupen is one of the few that boasts about its ability to uncover software vulnerabilities.

And the NSA has issued a Pravda-like statement that neither confirms nor denies the revelations.

"The communications of people who are not valid foreign intelligence targets are not of interest to the National Security Agency," an NSA spokeswoman told the Guardian. "Any implication that NSA's foreign intelligence collection is focused on the smartphone or social media communications of everyday Americans is not true."

The NSA has not, however, denied the existence of its Office of Tailored Access Operations (TAO), which Der Spiegel describes as "a squad of [high-tech] plumbers that can be called in when normal access to a target is blocked."

The Snowden documents indicate that TAO has a sophisticated set of tools at its disposal—that the NSA calls "Quantum Theory"—made up of backdoors and bugs that allow its software engineers to plant spy software on a target computer. One powerful and hard to detect example of this is TAO's ability to be notified when a target's computer visits certain websites like LinkedIn and to redirect it to an NSA server named "Foxacid" where the agency can upload spy software in a fraction of a second.

Which Way Out of the Walled Garden?

The simple truth of the matter is that most individuals are easy targets for both the government and corporations. They either pay for software products like Pages and Office from well known manufacturers like Apple and Microsoft or download them for free from game companies like Activision, Rovio, and Zynga for use inside "reputable" mobile devices like Blackberries and iPhones.

These manufacturers jealously guard access to the software that they make available, saying that they need to have quality control. Some go even further with what is known as the "walled garden" approach, only allowing pre-approved programs on their devices. Apple's iTunes, Amazon's Kindle, and Nintendo's Wii are examples of this.

But as the Snowden revelations have helped make clear, such devices and software are vulnerable both to manufacturer's mistakes, which open exploitable backdoors into their products, and to secret deals with the NSA.

So in a world where, increasingly, nothing is private, nothing is simply yours, what is an Internet user to do? As a start, there is an alternative to most major software programs for word processing, spreadsheets, and layout and design—the use of free and open source software like Linux and Open Office, where the underlying code is freely available to be examined for hacks and flaws. (Think of it this way: if the NSA cut a deal with Apple to copy everything on your iPhone, you would never know. If you bought an open-source phone—not an easy thing to do—that sort of thing would be quickly spotted.) You can also use encrypted browsers like Tor and search engines like Duck Duck Go that don't store your data.

Next, if you own and use a mobile device on a regular basis, you owe it yourself to turn off as many of the location settings and data-sharing options as you can. And last but hardly least, don't play Farmville, go out and do the real thing. As for Angry Birds and Call of Duty, honestly, instead of shooting pigs and people, it might be time to think about finding better ways to entertain yourself.

Pick up a paintbrush, perhaps? Or join an activist group like the Electronic Frontier Foundation and fight back against Big Brother.

Friday, July 26, 2013

Feds tell Web firms to turn over user account passwords

By Declan McCullagh

Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form.

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of  'over my dead body.'"

Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts.
 
"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?"
--Jennifer Granick, Stanford University

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law."

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. "I don't know what happens when the government goes to smaller providers and demands user passwords," the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, than a password reset is the easier way."
Source code to a C implementation of bcrypt, a popular algorithm used for password hashing.
Source code to a C implementation of bcrypt, a popular algorithm used for password hashing.
(Credit: Photo by Declan McCullagh)
 
Cracking the codes

Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower hash algorithms -- designed to take a large fraction of a second to scramble a password -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach."

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt.

Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking."

Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.

Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision.
Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision.
(Credit: Getty Images)
 
Questions of law

Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.

"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.

Last updated at 8:00 p.m. PT with comment from Yahoo, which responded after this article was published.
 
Disclosure: McCullagh is married to a Google employee not involved with this issue.