Showing posts with label surveillance. Show all posts

Sunday, July 23, 2017

Crime, private and public sector

Let's start the week off with two birds and one stone!    





Earlier in the week I was finally able to get access to No Place to Hide, by Glenn Greenwald, on his encounter with Edward Snowden and the stories it led to. For those hiding under rocks, Edward Snowden was a civilian contractor working for the NSA until he exposed part of their globe-spanning surveillance apparatus in 2013/2014. While employed by the CIA and NSA, Snowden became increasingly concerned with the scope, ambition, and dubious legality of his employers' programs, and decided to begin documenting what he was seeing. After methodically collecting reports for months on end, throughout several assignments, Snowden contacted a reporter with an established reputation for criticizing both the government and a complicit media. Greenwald, after recounting his first contact with Snowden, then shares information from the stories he filed with The Guardian before switching into an argument against the surveillance state, and a condemnation of the establishment media, particularly the Washington Post and the New York Times.

I daresay no one will be surprised to learn that I'm far more a supporter of Snowden than the NSA -- not because I believe the NSA is part of some evil conspiracy, but because I have certain strongly-held beliefs on the nature and consequences of power, and know that the construction of an inescapable surveillance apparatus is Bad News. When Greenwald says global, he means global; the book mentions numerous programs, not just the email-tapping ones, and between them they cover pretty much everyone but the crew of the International Space Station. It can't all be to fight terrorism: what do terrorists have to do with Brazilian gas companies, and why is NSA surveillance being shared with US agricultural departments? Those who believe that the NSA are swell chaps who wouldn't countenance abuse of their data may sleep soundly, but what happens when someone with fewer scruples is in charge? As the current administration demonstrates, we no longer require even the pretense of civility from those who want to operate the beastly machine that is DC.



More recently I read through Kevin Mitnick's The Art of Intrusion. Mitnick, a teenage telephone 'phreaker' turned pioneering computer hacker, was partially featured in Cyberpunks. Since his release from prison Mitnick has used his reputation and experience in intrusion to sell himself as a cybersecurity consultant. The Art of Intrusion collects 'true crime' stories of computer-based or related intrusions, ranging from illicit exploration to digital skulduggery. A lot of data is omitted for the protection of the persons and companies mentioned, but a lot of the stories seem dated, for the book's publication year, and others are so technical I am not sure who would be reading them. I did find quite a bit of interest, however, in the chapters on penetration testing and social engineering. I still do not like Mitnick's term for an art he and his friends practiced, and one which remains a security threat: obtaining information and access through human, instead of technological, means. Mitnick shares the stories of analysts, who -- performing audits on companies, and attempting to breach their security -- were able to access highly sensitive areas within buildings simply by chatting up coworkers and 'acting' like they belonged there. This also involved technical assistance, like a fake ID that security guards didn't vet too closely. Mitnick claimed in his trial that he relied on social engineering, not computer programs, to access as much as he did, and he has previously authored a book called The Art of Deception that documents the psychological strategies used in this kind of 'engineering'. As someone with a work-related interest in security, I may look around for a copy.

Friday, June 16, 2017

I Know Who You Are and I Saw What You Did

I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy
© 2013 Lori Andrews
272 pages



Think about what you put on facebook. If you're like most people,  there is something in your photos, comments, likes, etc. that could get you into trouble.  I Know Who You Are and I Saw What You Did  explores the many ways that social networking websites expose individuals to physical and legal abuse. Written by an attorney,  the book has a legal emphasis, with many chapters on how publicly-visible facebook posts can prejudice judges against one claimant over another, or function as evidence not admitted in court when jurors begin googling people.   In many of the instances recorded here, the exposure comes not from people being careless, but from sites' privacy settings being adjusted without their knowing -- or because technology was being used to switch on their webcams without their awareness. Because of this, the author argues for a 'constitution' that would govern 'facebook nation', in essence a digital bill of rights protecting people.  Having read Future Crimes and Data and Goliath,  this was old hat for me, but a distilled reminder is always a good thing.  The catchy title and comparative slimness might draw in readers who ignore those other works, as well.    Very few congressional officials seem to know anything about cybersecurity, so I doubt we'll have a cyber bill of rights any time soon -- especially when easy violations of privacy serve the national security state so well.   In the meantime all we can do is stay paranoid.

Saturday, January 23, 2016

Future Crimes

Future Crimes; Everything is Connected, Everyone is Vulnerable, and What We Can Do About It
Paperback subtitle: Inside the Digital Underground and the Battle for Our Connected World 
© 2015 Marc Goodman
608 pages

"It's not safe out here. It's wondrous, with treasures to satiate desires both subtle and gross. But it's not for the timid."  (Q, ST TNG)

 The future is arriving more quickly than we think,  the world being re-formed beneath our feet. Ten years ago, the fact that a presidential candidate was glued to his ‘BlackBerry’ was an oddity;  now, smartphones are the very way we interface with our environment.   The transformation of the world from material to digital is total, providing new avenues for the darker instincts of  mankind to exercise themselves alongside entertainment, commerce, and education. Future Crimes is an astonishing review of the myriad of ways that this brave new world is making us not only more productive, but more vulnerable to malicious attack – and offers insight into the dangers we will face tomorrow.  This is a book without  rival.

Goodman writes as a law enforcement official who specialized in cyber security as computers left warehouses to become basic infrastructure. Now, after decades of experience, he shares extensive research and personal encounters with the reader. He begins by treading familiar ground, reviewing the state of overwhelming exposure people now live in. As learned in Data and Goliath, virtually everything we do generates data that is collected and evaluated by someone, whether it’s our phone company keeping a history of where our phone travels, apps within the phone transferring our information to marketing agencies, or our interactions with the online world being monitored and recorded, as Google sifts through our email – and our web searches, and our YouTube viewing history, and our web activity on Android and Chrome – ostensibly to sell ‘better ads’. It's not just Google, of course: facebook is another major data distributor, but practically every website that depends on adspace is complicit.

 Adding to this, however, is the threat of outside attack: criminal elements corrupting apps or creating their own to collect data for more malicious purposes, like emptying our bank accounts – or entities across the globe, looking for secrets.  The fact that a person is an American or German national won’t stop Chinese companies from having an interest in their personal business if they are involved in technical enterprises of interest.   Blueprints of the US president’s personal aircraft, for instance, were obtained by the Chinese after a defense worker’s laptop was infected with targeted malware.  It’s not just smartphones, either: as computers undergird our very homes, surveillance no longer requires a group of fictional plumbers poking around installing cameras into  ceiling fans.  These days, even the power outlets can have ears.

Data collection isn’t just a problem for privacy issues: the concentration of so much information invites crime. When heist extraordinaire Willie Sutton was asked why he robbed banks, he replied simply – that’s where the money is. Why penetrate Target’s databanks? That’s where the information is -- high-value credit card information. The exposure isn’t all about profit, either, though the information superhighway has already helped far-distant predators steal and skedaddle. The early hackers practiced their craft for laughs, and so they still do – but the odds at stake are higher than simply wiping out computer drives. Future Crimes documents one case of a young teenager whose laptop was infected with software that allowed an outside party – a teenager at her school who was not even reasonably clever, but purchased a kit – to turn on her webcam, collect photographs of her in states of undress, and then attempt to blackmail and humiliate her. Even after she switched schools, the photos became the arsenal of bullies there, their hounding continued after a failed suicide attempt, and eventually ended only when she succeeded in killing herself. Secure in anonymity, able to meddle in the lives of others from safety, humans are willing and able to do all manner of wretched things.

The fun will continue as the 21st century develops. Our digital world is in its infancy, a mere golf ball of connectivity compared to the solar-sized scale of tomorrow. In the years to come, it is possible that most every object in our home will be connected to an internet of things, and even if paranoiacs and luddites like myself object, regulation and market availability may force some level of IoT integration. The systems that control our lives – traffic management, electrical grids, financial markets – are managed online, and each of them has already been tampered with and manipulated by tech-savvy hoods. As the world continues to become more automated, with services performed by machines running on software that can be manipulated, our danger grows. Military drones have already been touched by malefactors – insurgents can watch a drone’s feed as it approaches, or skew its navigation so that it blows up the wrong neighborhood. (Assuming it had the right neighborhood to begin with...) Manufacturing robots have already proven themselves lethal, sometimes mistaking human laborers for parts to be manipulated, and if their software is tampered with, accidents could be effected on purpose.

Future Crimes is a daunting, eye-opening book. Even after reading other books on cyber-security, Goodman provides case after case I hadn’t heard of. This is five hundred pages of disturbing reporting and evaluation, dense and powerful. Like any security auditor, Goodman doesn’t leave readers shocked but helpless: the last fifth of the book offers some ideas for protecting ourselves. Part of the problem is that culture has not caught up to technological change yet: as smartphones ease un-informed adults into the digital world, people unprepared for vigilant defense of their information expose themselves to a burgeoning number of thieves and opportunists. Not even those who should know better are ready; many of the instances documented here come from military or security officials not being fastidious enough, with the result that a virus intended for an Iranian offline network traveled to the International Space Station. In addition to arguing for regulations that force private enterprises to take more fiscal responsibility for safeguarding the information they collect, Goodman shares more interesting ideas, like crowdsourcing better digital security systems.

Two things are certain: we’re in for a ride in the next decade, and I won’t find a more eye-opening book this year.  This book delivers reams of eye-opening information. It would make for an interesting exposure of crime merely by itself,  but goes beyond that to brief readers on the multitude of security challenges we face now, and will face tomorrow, threats to our personal, corporate, and national security.  Future Crimes is well worth your time: it, and the world it opens one's eyes to, are incredible.





I have a few more titles in this vein that will appear later this year, like Richard Clarke's Cyberwar and Glenn Greenwald's No Place to Hide. They may succeed, but they won't surpass....

Tuesday, January 19, 2016

Data and Goliath

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
© 2015 Bruce Schneier
400 pages, including 160 pgs of citations.



You're being watched -- all the time, no matter where you go or what you do. Not by mysterious men in trench coats, or even black suits, shades, and earwigs -- but by the very system you live in. Perhaps watched isn't the right word; monitored may be more apt. In virtually every moment of the day in the developed world, billions of people are passing on data about themselves, knowingly and unknowingly. Our phones report where we are, as do our cars if they are new enough; in-store cameras track and analyze our shopping patterns, or alert security if we act aberrantly; and we add to the data stream ourselves by taking inexplicable photos of our lunch and sharing them on facebook. Bruce Schneier has been involved with cybersecurity from the early days of the internet, and in Data and Goliath he alerts lay audiences to the fact that in the last fifteen years, a giant infrastructure of observation has grown around them, the joint work of companies out to sell you and governments out to control (sorry, "protect") you. After reducing the reader to a wide-eyed paranoiac, he then offers suggestions as to how regulation might rein in the government and corporations, and -- more practically -- gives the reader ideas of how to safeguard against the worst aspects of the All Seeing iWorld.

We live in a digital world, quite literally. Not only have computerized systems become nearly as ubiquitous as asphalt at this point – in our phones, our cars, our homes, our electric grid – but much of our life is now lived in a digital sphere. A decade ago that might have only been true for socially awkward teenagers who found online Starcraft more appealing than in-person awkwardness. These days, virtually everyone spends part of the day partially engrossed in the web, particularly through social media. Unlike communing in a café over the latest photographs or stories, our online connections are monitored and recorded. There’s no conspiracy involved; we pass our information through electronic portals, and the information is saved as part of the network’s very infrastructure before it can be transmitted. More deliberate monitoring and recording is also at work: online businesses track our activity to create better ads, and ever since 2001 the NSA has been obsessive about detecting terrorists through electronic data collection. A certain amount of this is tolerable in both instances, but questionable territory is reached when Facebook begins using users’ tagged photos to create sophisticated facial recognition software, or when NSA begins piling up information and filching emails en masse from people not accused of a crime, merely declared connected by software.

Data and Goliath contains a litany of alarming and unsettling accounts of digital innovation across the globe.  Government practices in the United States, China,  United Kingdom, and Iran all fall under fire, with the US taking the heaviest flak given its Wikileaks exposure.  Have the multitude of stories about the NSA’s email abuses become commonplace?  Consider their exciting proprietary tools that imitate a cell tower, allowing them to listen to whatever phone latches on to it – or their coercion of American companies to add in “backdoors” to their telecommunications systems, like Cisco’s routers. That’s not just an American problem: international traffic flows through American infrastructure,  and as knowledge of Uncle Sam’s masterkey filters through the international community,  sales for US equipment are struggling and criminals are learning to trip the backdoors themselves. Central to much of the abuse is the idea of collecting as much data as possible, then looking for the patterns.

In the interests of not driving readers into the ranks of the Amish, Schneier attempts to provide grounds for hope, suggesting regulation that might rein in government and business alike. He proposes, for instance, a reorganization of the NSA that would reduce its scope and shift the more likely-to-be-abused aspects into a military organization with harsher oversight, like the US Cyber Command. One regulatory idea for the private sector he has is forbidding companies from maintaining lengthy records of consumers without their consent: Apple may need to know where your iPhone is for it to connect to service providers, but it doesn’t need to record your movements. No branch of the government is likely to dismember the nascent surveillance state, not when they find it so useful – and find the prospect of public outrage after an attack so intimidating. More promising is the chapter on how people can minimize their own exposure to data collection. One relatively simple practice that I've adopted for years is using browser plugins like Disconnect to prevent facebook from tracking me across sites: I don't even have to be a member for that plugin to create a cookie for my computer and compile traffic data about it. If some agency is intent on finding you, being analyzed may be inevitable: even people who take pains to move in the shadows of the web can be caught, including trained Israeli intelligence agents.

Data and Goliath demonstrates superbly how information-gathering is not simply a matter of government overreach, but endemic to the way the internet has developed thus far. The danger lies in our growing so used to this passive surveillance that we forget what it was to live privately. It is an invaluable resource for realizing how exposed we are living in the digital world.




Saturday, February 14, 2015

The Internet Police

The Internet Police: How Crime Went Online (and the Cops Followed)
© 2014 Nate Anderson
 310 pages




Not since the steam engine has the world been so utterly transformed as by the Internet. Originally a military network, it is now infrastructure, undergirding modern life to a degree only surpassed by electricity. The internet is not just a physical construct of tubes and boxes; it is a social world unto itself, one created by its users. Like every aspect of society, the internet has its dark alleys, Mos Eisley-like havens of villainy. The Internet Police takes readers on a ridealong into those alleys, exploring the world of internet crime -- and internet policing.

The Internet Police opens with a chapter on the difficulties of imposing order in the first place. In the first chapter, the author shares the joint scheme of an enterprising cyberlibertarian, Sean Hastings, and a presumably lunatic bootleg radioman turned king of his own private island, Roy Bates. The latter took over an English gun platform from WW2, declared it his personal fiefdom, and defended it with a shotgun before settling down to eke out a living taxing seagulls and the like. The former, who decided what the world needed was a secure place where servers could host the materials respectable governments banned (like online casinos and pirating), proposed renting space in the platform. The thing was virtually inaccessible (har har), but could connect to British web infrastructure fairly easily. The adventure didn't work out terribly well, however, as Bates had an itching for respectability and a penchant for being dictatorial, neither of which allowed him to coexist with the pirate-haven for too long.

After concluding from the collapse of HavenCo that even a freeform place like the web needs law and order, Anderson reveals how the same has been enacted, despite the internet serving for both an extension of preexisting crime and the opportunity for new ones. Take sexual harassment, for instance, which has been liberated from bars and dimly-lit parking garages. Computer mics and cameras, some integral to the machines themselves, can be converted into the eyes and ears of tech-savvy voyeurs. Readers may be familiar with trojan-horse style malware that uses seemingly innocuous bits of software, downloaded unsuspectingly through email or updates, which then install and activate programs that can record keystrokes or open the machine up for remote control. Malicious use is not limited to petty lechers; collection agencies may use the software to obtain photographs of an unpaid-for computer in use, but their agents -- proving that all power in human hands is liable to be abused -- are recorded here using it to leer at and blackmail customers who were caught in a state of nature before the camera. Police officers using the same means succumb to the same ends.

While collections companies and perverts may invade others' computers with the primitive justification, "Who's gonna stop me?", the police are an altogether different story.  In an ideal world, they are to be accountable to the public and its law. Part of The Internet Police is a history of the myriad of ways the government has attempted to rein in the internet first through laws that allow for what is still called "wiretapping", despite the fact that it now consists more of  integrating police software with internet service providers' to scrutinize information being sent and received from a given IP address.  Governments also strong-arm telecommunications companies,  forcefully suggesting that they build in 'backdoors' to their devices and networks to allow Uncle Sam or the Crown to easily find out what a given gadget is up to.  The NSA specializes in such backdoors.  Courts as well as the police can be used to take down 'criminals', although here Anderson's review is limited to the seemingly endless attempts by music companies to prosecute consumers for file-sharing.  Unlike going after the programs themselves (Napster being the most famous, with Limewire and Kazaa other heavyweights), these campaigns rendered only a lot of bad publicity.

While there's a lot of digital crime not mentioned here (pirated video games and DRM, identity theft), The Internet Police is a fast read and one that opens up a fascinating peek into how the internet is continuing to reshape the world we live in. Opening with the utterly bizarre story of Sealand and serving up legal thrillers in miniature, it entertains while serving as a heads up as to how vulnerable we are using unsecured systems.

Related:
New York Times article, "Spyware vs Spyware: Nate Hood's Internet Police"
Der Spiegel article (English), "Shopping for Spy Gear"
CBS is about to air a cybercrimes show that has my interest: CSI: Cyber.