More embarrassing than a bad movie: Sony-shaming and Korea blaming

Troubling as it was to see the President of the United States lob questionable charges at a rogue regime and threaten proportional response – whatever that means – then jet off to Hawaii for a two-week holiday, it’s more troubling that in the face of evidence to the contrary, the FBI stands by its speedy assessment that the North Koreans are to blame for the Sony attack.

Attribution is the most difficult task in analyzing cybercrime. Truly adept cybercriminals write purposeful miscues in their code to implicate others, and anyone can buy code that’s been used by someone else. There’s a virtual Wal-Mart for cybercriminals out there on the dark web. Right next door, there’s another storehouse of used malware code for free. And another, and another.

This week, a security research firm that’s studied the Sony breach since its announcement tossed cold water on the FBI’s North Korea theory. Some of the most respected names in the information security realm agree that the feds are barking up the wrong tree. Many of these experts doubted the state-actor theory even as President Obama made his pre-Christmas announcement blaming North Korea.

It would be so easy to crack wise about a hasty and confident-sounding White House pronouncement on the cyberattack. This, one might say, from the people that brought you Healthcare.gov. From the folks who failed basic electronic record-keeping at the IRS. Yes, it’s the same government that was late to the cyberwarfare party, suffering an alarming loss of military secrets. The same government that earlier this year filed espionage charges against individual Chinese military agents for stealing intellectual property from U.S. companies, expecting what, exactly?

Jokes about U.S. government incompetence in the digital arena, however well earned, are beside the point. Three notable concerns arise from the President’s premature saber-rattling, and from federal insistence on pursuing the course based on deficient intelligence.

The first is obvious. Threatening North Korea for hostilities that can’t be reliably attributed to it could become another embarrassing moment in United States international relations. Moreover, if Kim Jong Un’s regime has the skill and resources to pull off the Sony attack, such saber-rattling could be dangerous. If the leader of the free world believes an adversary to be capable, unpredictable, and on the warpath, why poke it in the eye and then head for the beach?

Second, why the rush to judgment? Because in some quarters, perhaps, this was a good crisis that shouldn’t go to waste, as the Beltway saying goes. If visions of bodies falling from the burning World Trade Center can make a Christmas Day trip to the movie theater seem risky, well, then – you know, “the stupidity of the American voter,” and all. Stirring up national security fear is useful at a time when the alphabet soup agencies are desperate to continue probing the everyday communications of American citizens as a purported tool against terrorism.

It’s been documented by Stuxnet chronicler Kim Zetter that the initial messages to Sony from its attackers were demands for money, and had nothing to do with Sony’s movie featuring the assassination of Kim Jong Un. Not until December 8, when the media had repeatedly linked the attack to some North Korean grumbling about the film dating back to last summer, did the attackers make their first public reference to it. In other words, the North Korea narrative may be a media invention, and may have clouded the motive of the real culprits, who appear to have wanted ransom, not censorship.

Note also that it wasn’t until someone threatened to blow up movie theaters, likely some capitalism-hating jackass of the variety that boasts of penetrating the networks of big companies for laughs, that the White House ventured an opinion. A cynic might suggest that a threat to movie theaters on Christmas Day is an opportunity to promote federal police power unlike any since the days after September 11.

Americans are gaining a rapid understanding of cybercrime, but it’s still murky to many. Some of these Americans, consumed by their own daily obligations, followed the story just closely enough to cite the insulting email remarks about Angelina Jolie, but did not grasp the dire effects of the attack on Sony. Some of them offered the theory on a recent radio talk show that Sony hacked itself, to generate publicity for its movie. What a fertile field in which to sow fear.

Finally, and in some ways most disturbing, the President conflated a straightforward business decision involving risk management with a sin against the First Amendment. Obama had plenty of company in this regard, with Hollywood heavies like George Clooney leading the charge, and commentators shepherding the general public to join in such a Sony-shaming harangue that the troubled company felt compelled to reverse itself after pulling the film from its scheduled debut.

Of course, foreign dictators have no standing to commit a First Amendment violation against U.S. citizens, but this became the mantra. Sony should not buckle to offshore censorship. (Like Facebook does?) Nobody defended Sony’s right to withhold speech, which is surely as embedded in the concept of free expression as is the right to disseminate ideas.

Sony, already smarting, and perhaps struggling for its very existence, was castigated for performing a fundamental risk assessment that measured the slight possibility of exploding movie theaters against the devastating consequences of such an occurrence, however unlikely. It was grossly unfair to paint Sony’s risk aversion as a slap in the face of the U.S. Constitution rather than a simple failure to devise a creative solution. Which it later did, under significant duress.

“I wish (the Sony executives) had called me,” the President said. No wonder they didn’t.

Five privacy measures the Nevada legislature should pass in 2015, Part I

1- Require public notice of license plate scanning, and set uniform standards for managing the data

Law enforcement agencies throughout Nevada are using license plate scanning technology. The scanners record every license plate number from every car they encounter, even at speeds up to 110 miles per hour, according to a proposal submitted by a vendor of car-mounted scanners.

Both local jurisdictions and the state have the devices. No uniform policies exist for storage and handling of the data, or for disclosure of records related to quantity of data captured, and whether it’s transmitted outside the state. These policies should be standardized across the state.

Citizens also have a right to know their vehicles are being tracked. The scans include GPS location data and other metadata that can be used to reconstruct activities and associations. Alerts to such technology should be posted in every jurisdiction where it’s used, on signs similar to those informing drivers that their speed is monitored by aircraft,  and should include a reference for more information.

2- Prohibit medical practices from scanning and storing driver’s licenses

Medical information is statistically among the most vulnerable to cybercrime and system breaches. The good news is, some insurance companies have apparently realized that scanning and storing driver’s licenses is a bad policy. The requirement is being loosened.

The bad news is that medical receptionists haven’t stopped demanding a copy the moment you enter the facility. You’re still forced to assert yourself if you want to keep your license out of their systems, perhaps even escalating the argument to the office manager. (Earlier this year, after losing one of these fights, I submitted questions in writing about the technical storage specifications and the rationale for retaining my license. Six weeks later I received a letter from the facility with the answer – “it’s not required and we’ll destroy the file if you’d like us to.”)

Why retain a document bearing a patient’s facial image and signature sample if you don’t have to? Why collect one more shred of personal information than necessary? This is an invitation to identity theft, and should be outlawed by statute.

3- Pass a resolution supporting federal reform of the Electronic Communications Privacy Act

NSA whistleblower Edward Snowden and Facebook founder Mark Zuckerberg were both toddlers when ECPA was written. That should convey the obsolescence of the federal law that controls government access to citizen communications, with no further explanation of the ways in which the nature and the volume of digital communication have changed, or the expansive government tactics employed to pursue it.

It’s conceivable the lame duck congress could pass ECPA reform before the 2015 legislative session convenes in Nevada. There are proposals with bipartisan support in Washington, and there’s a lot of pressure to act from the tech sector and privacy advocates. But in the event ECPA reform sits until next year, the Nevada legislature could go on the record with a resolution supporting reform. The American Legislative Exchange Council has a model resolution that can serve as a starting point, even if it’s not adopted wholesale.

4- Create a legislative subcommittee on privacy

In 2014, privacy discussions revolve in large part around technology. But privacy is an element in virtually every aspect of personal, family, and business life. The state legislature inserts itself into all of these areas, mostly without contemplation of how its actions affect privacy.

A subcommittee should be formed to review the implications of the dozens of bills each session that affect privacy.

The committee should also sponsor a bill requiring all government agencies at every level to review their own privacy policies and report back to the committee on data collection and privacy protections, with the relevant results compiled and posted online for accessibility to the public. Nevadans deserve to know what data is collected, where and how it is stored, and the purpose for which it’s used.

5- Codify a set of data handling and retention policies to protect student privacy

Public school students are subject to unprecedented data collection regarding their health, academic performance, disciplinary issues, and even their home life. The old joke about things that end up on your “permanent record” isn’t a joke anymore, it’s a reality.

Data collection on K-12 students, to the extent it can be controlled at the state level, should be reviewed and analyzed to determine which information is truly useful and which might be considered extraneous.

Stringent data security and privacy policies should protect students from criminals and commercial activity, but also protect the adults they will become from being haunted by the kids they once were. That means a vigorous schedule of data destruction should be part of the policy. The data should not outlive its educational necessity, and the longer it’s retained, the greater the odds it will leak. Young people change as they mature. Damaging details about their past should not become one more obstacle for them to overcome when they’re trying to conduct their adult lives.

California has just passed two laws that bear discussion and analysis. More about these statutes in a future post. They’re conceived to fill gaps in federal student privacy protections. They’re not completely in sync with the sentiments above, but they’re a demonstration of control at the state level.

Nevada has no business mandating a remote kill switch for cellphones

The Silver State is still basking in praise uttered last month by Tesla founder Elon Musk, who dubbed Nevada a “get things done” state. What a shame if we followed the business-friendly feats that persuaded Tesla to locate its battery plant here with legislation signaling the opposite attitude – like requiring cellphones sold in Nevada to have remote kill capability.

The 2015 Nevada legislature will contemplate the kill switch mandate as a way to curb smartphone theft, according to a USA Today report.

Why would a state striving to reinvent itself as a technology haven insert itself into design standards for a globally-distributed tech product? Surely not because Nevada wants to emulate California, where a new kill switch law goes into effect next July.

Perhaps the advocates anticipate the reliable political boost that comes from supporting a crime bill, even when the resulting law is largely symbolic. In this case, symbolic because Apple, Google and Microsoft, which together command nearly 100 percent of the smartphone market, are already equipping their devices with remote anti-theft features, or preparing to do so in their next versions. For the tiny remainder of the market, mostly Blackberry users, the remote-kill feature has existed for years.

Beyond the politics, when governments manipulate the architecture of communication equipment, privacy and civil rights implications must be considered. State-mandated remote access provides an opening for abuse, as demonstrated by federal backdoor requirements that paved the way for spying and cybercrime.

The new California law says service to a phone can be halted only by “an authorized user.” But guess who is “authorized” besides the owner of the phone? Government at any level, right down to the dog catcher. The California statute incorporates a Public Utilities Commission Code section allowing a “government entity” – broadly defined – to get a court order requiring the provider to cut service for a “reasonably necessary” period.

"Governmental entity" means every local government, including a city, 
county, a transit, joint powers, special, or other district, the state, 
and every agency, department, commission, board, bureau, or other 
political subdivision of the state, or any authorized agent thereof.

Based on this language, a bus supervisor or a fire inspector could conceivably be an authorized agent.

The circumstances allowing a government-ordered shutdown include probable cause that the phone is being used for an unlawful purpose. Or that without intervention, there is jeopardy to public health, safety or welfare.

Civil libertarians are going on the record with warnings that peaceful protesters might be shut down, or that law enforcement might misuse the remote kill. And it’s hardly ridiculous to wonder what public welfare threats involving individual cellphones government might perceive.

Sections authorizing government use will be the consequential portion of any Nevada kill switch law, given the industry’s already clearly-stated intention to provide anti-theft technology. Observers of Nevada’s 2015 session should watch closely. Or, maybe Nevada’s stated goal of luring tech will prevail, and the legislature will spend its time on other matters.

Not without a fight: Keeping the cops out of your iPhone

Law enforcement has its boxer shorts in a bunch following Apple’s announcement that iPhone 6 and iOS 8 devices will be protected from the probing eyes of police. Google, too, will complicate criminal investigations by changing its optional Android encryption feature to automatic.

Federal officials are “bracing for a confrontation with Silicon Valley” over encryption-by-default, reports the Wall Street Journal. A former FBI official called the new privacy feature “outrageous,” and likened it to an invitation for criminals to use the products.

Lame-duck Attorney General Eric Holder piled on this week, denouncing encryption and other privacy tools to the Global Alliance Conference Against Child Sexual Abuse. Holder wants tech companies to provide back doors into their products. To save the children, of course, whose exploitation at the hands of perverts is second only to their exploitation by the political class.

Criminals are certain to use encrypted smart phones, but so are millions of law-abiding citizens who’d like to send private messages to their physicians, their business prospects, and their mistresses. Some of them might snap a nude selfie or two. Everyone has perfectly legal secrets to keep.

Bravo to Apple and Google for their late, if grudging, arrival to the privacy party. In this arena, it should be noted that Apple is following, not leading. The privacy community celebrated the release earlier this year of the encrypted Blackphone, an Android adaptation with amped-up security and privacy. Blackphone hails from Switzerland. The company was located there for precisely the reasons outlined above, by an American technology entrepreneur who champions privacy.

Law enforcement’s fight for continued easy access to devices, cloud storage, and business-grade communication tools compromises the American economy, as well as personal privacy. Global companies have reservations about buying products that are open to U.S. government fishing expeditions. Just one more reason for American innovators to move offshore.

And this squabble ignores the valuable role of encryption in fighting cybercrime. Both personal and business data need to be properly encrypted. The fight to secure your snapshots is one thing. But guarding embedded systems that control water and power facilities is the next level.  As is the safety of intellectual property that’s the lifeblood of innovation. How about keeping criminals and terrorists out of the banking networks and the airport control towers?

Holder and company are apparently willing to expose a data pool far greater than the rate at which your next-door neighbor consumes dirty movies. (Evidence of which, incredibly enough, is sometimes seized by prosecutors grasping for dubious rape convictions, in order to establish predatory intent.)

Police have many avenues to truly relevant evidence. Third-party billing records and court orders requiring legitimate suspects to turn over their encryption keys offer a slower, but better-considered route. More generally, the surveillance deck is stacked heavily in law enforcement’s favor.

It’s time to nix the notion that our privacy is disposable because there’s a guy waiting behind every bush to molest children and grab college girls, or that everyone who carries more than one cell phone must be a drug dealer. Such an allusion to multiple phones was made by none other than Chief Justice John Roberts, even as he was about to author this summer’s Supreme Court decision requiring warrants for cell phone searches.

It’s also time to hit back at the rhetorical last refuge of scoundrels. “What if it was your daughter?” – a wretched query hurled regularly at privacy advocates, as if only those unscathed by crime should appreciate principles that protect all citizens from intrusions into their personal affairs.

These tired crime-fighting tropes need a rest, and so does the assumption that every technological tool should be an automatic enhancement to police power. These are stops along a path that leads to fear and mistrust of the police. That’s not a desirable outcome for any of us, as we saw in Ferguson, Missouri.

Retro privacy concerns: bed pans and hospital gowns

I couldn’t see her face on the other side of the curtain, but I was pretty well acquainted with my roommate after a few hours. We were friends, kind-of, by the time the nurse helped me position myself over a bedpan. Propping myself up on three of my all-fours, because one foot is severely injured, I was momentarily struck with a rush of old-school emotion about privacy.

Hours earlier, three men had undressed me in the emergency room. There was no institutionally-prescribed mock concern for my emotional comfort. In short order, the male ER personnel had pulled off the pants, T-shirt, and sports bra I’d been wearing on my bike ride, and put me into a gown. No-nonsense, down-to-business, get-‘er-done. It didn’t feel strange because they didn’t make it strange.

So now, with a nurse and another patient in the room, the self-described privacy advocate needs to go potty.

“Suddenly, I’ve got a shy bladder,” I told the nurse, who said she’d leave the room for a moment to give me some privacy. It didn’t help, because it wasn’t about her.

Dozens of times a month, I contemplate twenty-first century privacy. Procedures, protections, violations, bad laws, and the dumb ways people expose themselves for the sake of convenience or socializing.

So often and so automatically do I think about these things that my brain’s been retrained. It translates “privacy” differently than it did when I was growing up. Knowing there are people watching in real time as my body functions, and looking at my private parts — once, this would have been a 10 on the privacy invasion scale. It barely registers now. Seems quaint, even.

Privacy invasion is made of different things now.  Video surveillance and invasive authority. Businesses blithely collecting info without considering the consequences. Free services that steal your soul with a thumbs-up and a smile. The mantra that says you have nothing to worry about, because you’ve done nothing wrong, which is of course, patently false. And the big lie, repeatedly told and never questioned: “We take privacy very seriously.” Ha.

So these people who work in clinical settings, helping the ill and patching up the occasional injured bicyclist — like the creeps who steal nude photos from the cloud, the medical professionals see lots of naked body parts in a given week. Like the social media moguls, they stay emotionally detached from their subjects, and they do what they do for money. Like mindless good-government types, they expose you in order to help you.

But their invasion is fleeting, it’s got authentic purpose, and they’re in the room, looking you in the face, with full accountability while they do it. Those are some of the reasons it’s different, and the reasons float through my head, and in the middle of the night I wake up, and notice lights on the patient cams are lit.  It might be the pain medication they’ve pumped into me, but tonight I don’t care.

Apple Pay: Sorry about your nude photos, but please let us handle your money.

Criticizing Apple can be as emotionally charged as talking politics at the Thanksgiving dinner table. It should not be undertaken lightly, and perhaps not at all, if you dread ugly, irrational confrontation with true believers.

Having said that, here’s the definition of chutzpa: Ten days after the great iCloud nude photo hack, Apple, with great fanfare, announces Apple Pay. Now that cybercriminals have swiped your most intimate and embarrassing photos from its digital vault, Apple would like to handle your money.

Experts say the Apple Pay system looks as technologically sound as such things can be. In fact, it’s a breakthrough in digital payment methodology.

But just a minute – Apple has shed no light on the problem that allowed the great celebrity nude photo hack, except to say that vile human behavior is to blame, not its iCloud upload feature. The company shrugged off the most talked-about cyber incident of the year with a boilerplate statement, reflecting its customary impenetrable demeanor.

Apple is an arrogant company, and it’s not a transparent company, and if you’re an Apple-lover, this is the point at which you might throw down your napkin and stalk away from the dinner table before the pumpkin pie is served, making me wonder why I waded into the subject in the first place.

In the age of rampant cybercrime and diminishing privacy, Apple’s aversion to candid conversation is worrisome, no matter the system architecture of its next big thing. Presumably, it’s the drive to keep users in a proprietary Apple cocoon that drives Apple’s close-to-the-vest  attitude about everything else, including security and privacy, which the company claims – as does every Big Data player – to take “very seriously.”

Talk with folks in the security community, and you’ll hear that Apple is closed to outside inquiry. Google, Microsoft, and the other big players have a conspicuous presence at security conferences. Apple does not make itself conspicuous at these gatherings. The others issue open invitations to the hacking community to help identify problems. Apple does not. Some offer “bug bounties” — a payment in return for reporting security holes.  Apple does not.

That doesn’t mean the Apple iOS hasn’t suffered repeated and very public penetration by expert hackers. It just means those exploits don’t generate any reassuring responses. Apple tackles problems internally, at its own pace, all the while keeping its legions of users convinced that they’re as safe in the Apple environment as babes in their mothers’ arms.

Wednesday’s Wall Street Journal carries a piece called “Can Apple Solve the Riddle of Mobile Payments?” which says Apple didn’t return a phone call requesting comment. Apple didn’t return a call to the freakin’ Wall Street Journal, for the love of Steve Jobs, on the day of a major announcement. Other stories about Apple Pay rely almost entirely on the opinions of third-party analysts and academic researchers, with those sources buttressed by unnamed “people involved in its development,” and information from the formal Apple announcement.

Once, five or so years back, I called Apple in an earnest attempt to carry out a journalistic obligation. It might have been one of the many times iOS security was called into question. Whatever it was, I was inviting the company’s response. After several attempts to get someone on the phone, a spokesperson left a message declining my request for a conversation, but instructing me to refer to the company as “Apple, not Apple Computers.”

Mea culpa, but what about youra culpa? Apple doesn’t cop to anything, even when it should. At this moment in history, every entity that owns personal information about its users should be an open book, inviting scrutiny, and responding candidly to problems. That brand of openness should become a consumer demand.

To broach all of this causes veins to bulge in the foreheads of Appleheads, who experience the company’s public persona  only at the Genius Bar and during its highly-orchestrated new product releases.

Apple’s stock is up, its users are salivating for the iPhone 6 and the Apple Watch, and the nude photo hack is all but forgotten. Apple Pay represents the next potential Apple juggernaut — domination of retail transactions. Apple rules again, for many of the right reasons. But also for some wrong ones.

Don’t track me, bro: How to make your cell phone signal disappear

Here’s my favorite memento from this year’s Def Con conference. It’s a Faraday Cage for your cell phone, constructed from military-grade electromagnetic shielding to prevent cell and GPS signal tracking. The truly paranoid will be pleased to know it also prevents remote activation of your cell phone’s audio and video functions, eliminating the threat of real-time eavesdropping by — well, whomever you fear might be interested in you.

I’m satisfied just to seal up my phone for a few hours and trek around town without leaving a trace, pretending I’m Gene Hackman in Enemy of the State.

The inventor of the case is coy about how it works, but says it relies on well-understood scientific principles to create an “electronically bulletproof” environment for the phone. No signal gets in or out.

The downside, if you’re required to stay in contact with the world, is a delay in receiving messages, which arrive only after the phone is removed from the case.  The size, too, may present problems if you keep your phone in a case to protect it from damage.  My phone has to be removed from its Otterbox to fit in the Privacy Case.  There’s a larger Privacy Case on the drawing board, inventor and company president Mike Nash told me.

Nash’s company, Privacy Research, Inc, cites the Fourth Amendment on its packaging, a clear appeal to Snowden fans and civil libertarians. But he also works with domestic violence shelters, where the immediate practical benefit is obvious.

Nash was inspired to create the Privacy Case when he was working for a hedge fund company.

“We realized that with 24 people sitting in the board room, that’s 24 microphones and 24 cameras that could  collect information that’s confidential to our company,” Nash told me. “After leaving (that job), I discovered that domestic violence perpetrators and stalkers were using people’s cell phones to track them down.”

He launched the company with a focus on products for individuals, but says he’s working on some business products.

I paid $80 for my case, and Nash engraved it for me on the spot. Most folks want their name or company logo, he said, but that seems counterproductive if it’s privacy you’re seeking, so I requested the phrase pictured above.

The cases come in a range of colors, including a camouflage print.