Big Ears, Little Ears: One article, three layers of blown secrecy, and how Edward Snowden proves my point

Well, I haven’t had much time to write here for quite a while, but the Edward Snowden affair – and more specifically this piece in the Guardian – was such a terrific display of the Digital Water concept and “a world awash in data” that I couldn’t resist, despite my current schedule.  This story is kind of a delicious “triple play” on the concept.

I suppose before I dive in I should probably comment on using the word “delicious” in this context since I know there is an awful lot of outrage and shock on all sides of this debate.  Some are appalled by Snowden’s revelations, i.e. the supposed extent of the NSA’s electronic eavesdropping on everyone and everything including American citizens.  Others are appalled by Snowden’s actions and consider it nothing short of capital treason.  Those two viewpoints need not even be fundamentally in conflict – I’m sure there are folks out there who are both appalled by the NSA’s supposed activities and would like to see Snowden executed for treason.

I confess that, on the first point – the extent of the data collection and the agency’s capabilities – I myself am relatively unfazed. I’ve been in the Open Source Intelligence business for almost 15 years.  Given the shock many people express at what I could find out about them with nothing but a laptop at a Starbucks, I just can’t be wowed by what must be possible for a huge entity with a mania for secrecy, almost no oversight and an 11-digit budget.  The Echelon, or “Big Ear” controversy of the late 1990s(!) outed many of these supposed capabilities, and anyone who has even flipped through a James Bamford book would probably be slightly less bewildered at the ability (though perhaps not at the willingness) of NSA to do the things alleged. Anyway, wherever you stand on the particulars of the Snowden case, this article in the Guardian (which originally broke the story in an earlier piece) illustrates exactly the kind of world I have been trying to noodle over with this blog.  Here’s the “can’t anybody keep a secret any more?!” meme hat trick for this one little Web page.  Ready….

1. The NSA – The most obvious.  If you take him at his word, “The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife’s phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards… The extent of their capabilities is horrifying.”  While we can argue the legal and moral issues, as a technological matter, this hardly should be a shocker given that we live in a world where your department store can tell when you’re pregnant (even if your parents can’t yet).   So – Level 1: John Q. Public can’t really keep a secret in the digital world.  Almost anything you say, send or type outside a locked, airtight room can be captured, analyzed and recorded if someone deems you interesting enough. 

2. Edward Snowden – So the NSA is, by its very nature, ultra-secretive, institutionally paranoid and famously tight lipped (Jim Bamford’s books notwithstanding). Yet every organization is made up of people, and like any group of the NSA’s estimated 40,000 employees, they will hold a diversity of views.  Now by all accounts to date, Snowden was a patriotic, smart kid who joined the Army Reserve and worked for the CIA.  He obviously had been scrutinized, checked out and picked apart.  You don’t get to play inside The Puzzle Palace if you’re an anti-government radical.  Yet what Snowden saw working as an NSA contractor motivated him to leak, speak, and flee the country.  Level 2?  For all the supposedly terrifying ability to spy that Snowden witnessed, one insider with a moral objection meant they couldn’t keep their secrets secret either.

3. The guys at the airport – My absolute favorite (and why I found this page so delicious).  So in this sometimes-bizarre corner of the world here inside the DC beltway, it is not at all uncommon for lots of people with plastic ID badges on lanyards to be overheard talking about the sorts of things that, in most of the country, would seem at home only in a Tom Clancy novel.  You can walk through certain shopping mall food courts at lunch  and hear phrases like “I’m cleared up the wazoo – TS-SCI with lifestyle poly plus some special stuff” or “sure, anybody can read a license plate from outer space, but we can do it at night!”.

Like cars in Lansing or Dearborn, surveillance and Intelligence and secret-squirrel military programs are just kind of the local business, and this is a factory town.  A lot of people here take this stuff veeeery seriously.  So it is not entirely remarkable when the guys at the bottom of the page opine that Snowden, that dirty, rotten, no-good treasonous so-and-so ought to be “disappeared”.  The part I love so much was the extreme low-tech surveillance system that outed their conversation.  They said it out loud and in public, and a “Little Ear” (you know, the biological one attached to the guy sitting across from them) in the airport captured it.  He then used a few hundred bucks worth of smartphone to record part of the conversation and Tweeted about it to the whole world.

So-   Quis custodiet ipsos custodes?   Apparently any employee with a conscience or every jackass with a cell phone.  I think that’s probably reassuring, but I have to think some more about it.  The world really is full of dangerous people who hate us.  Meanwhile – my own personal take on the Snowden thing?  (I’m speaking technologically here, I leave the constitutional and legal questions for others to debate.)  IF you matter enough to someone, there are no secrets.  Most of us just enjoy security through obscurity.  The only reason our privacy is safe for most of us is we’re utterly uninteresting.  You may not like it, but information and technology are inextricably linked.  The capability to do what NSA does can’t be uninvented.  We can do it… so can other countries. We can only decide as a society whether we can strike the appropriate balance between protecting ourselves from those without and those within.

IMO, China’s welcome to lead the world in some things…

A week or so ago, I noted, via an awesome slide from Bit9 Security, that Chinese hackers are just workin’ stiffs like the rest of us.  Then I had a quick piece that even here in the West we see increasing indications they face some of the same concerns we do with regard to the trouble of keeping information bottled up.  (This was further emphasized today by the stories, backed by pretty strong evidence, claiming that a hacker going by “Hardcore Charlie” has penetrated China Electronics Import & Export Corporation or “CEIEC”, China North Industries Corporation, WanBao Mining, and others.)

Well, today, (OK it was actually Friday, but apparently I forgot to hit “Publish” before I sat down to dinner on Friday) another in the trickle of “China has now surpassed the US” stories, and this one they’re welcome to.

The Anti-Phishing Working Group reported today that China’s e-commerce site “Surpasses PayPal as the World’s Most Phished Brand”. Seems not even the (I should say alleged) world leaders in the theft of sensitive information are immune to even the simplest forms of stealing sensitive data. This includes both intentional doxxing like Hardcore Charlie, and the inadvertent revelations that simply can’t be stopped in a world full of camera phones and Twitter (and Weibo) accounts.  (See the TV documentary that caught Chinese army personnel using click-to-play Cyber attack tools in the background as a fun example.)

Being trained in macroeconomics and generally favoring the Darwinian benefits of competition, I have to say this is one crown I’m happy to hand over.

Thanks again to the APWG for some very useful stats and reporting in today’s release.  Full report is at:

Disclaimer: The views expressed on this blog are mine alone, and do not represent the views, policies or positions of Cyveillance, Inc. or its parent, QinetiQ-North America.  I speak here only for myself and no postings made on this blog should be interpreted as communications by, for or on behalf of, Cyveillance (though I may occasionally plug the extremely cool work we do and the fascinating, if occasionally frightening, research we openly publish.)

Social Media and the Military – keeping secrets keeps getting harder

I work with a group of fantastic Open Source Intelligence (OSINT) analysts.  One of them, who both reads this blog and knows I’m a pilot/airplane junkie, sent over this link under the heading of “Digital Water in China?”.  It talks about how, days before it ever made the Western press, the first confirmed sighting/evidence for a Chinese fifth generation fighter came not from the massive US intelligence apparatus but from a cell phone camera hung out a car window and posted to a Chinese military fanboy forum.

Now I recognize that China has an infamous, massive and essentially limitless-budget Web censorship program, which might well lead one to conclude that this evidence was found online because it was allowed to stay online. China decided it was time to let the world know so they intentionally let the drip-drip-drip start ahead of the (blatant thumbing-of-the-nose) first flight while Defense Secretary Robert Gates was in town.

Still, I happened to get this email the same week that LinkedIn discussions introduced me to both (a naval OSINT blog maintained by, of all people, a physician) and, a blog both discussing and analyzing publicly available geospatial intelligence.  There are many more like these of course, but it’s still amazing that on any given day you can now read posts by people who (for free by the way) identify ships, spot aircraft and analyze other military assets from Google Earth or satellite imagery. We can learn about ship construction from employees’ blogs, twitpics from dog-walkers and minutes from town meetings.  And let us not forget the first person to (albeit unknowingly) inform the world about the raid that killed Bin Laden – a Pakistani programmer up late writing code who Tweeted about the ruckus happening a few hundred yards away.

Look down the road another ten years at everything from augmented reality goggles to the questions raised for Law Enforcement and espionage by Facebook’s facial recognition.  I don’t know exactly what will and won’t be possible, but it certainly seems to me that keeping ANYTHING, from Special Ops that last an hour to weapons programs that run decades, secret is going to get a lot harder.  From the intentional  wiki-leaking to the inadvertent disclosure, the Digital Water is pushing and probing, finding its way out the cracks and crevices.  I suppose I take some comfort from the J-20 Stealth Fighter story at least in knowing our likely adversaries will have to tangle with the same problems.


How to Hack Like Homer Simpson…

A few weeks ago, I gave a talk to a room full of police chiefs. I was talking about the goods, bads and unknowns of Social Media use by and for Law Enforcement (#LESM or #SM4LE).

One of the slides looked like this:


It shows how, unless you explicitly change the default settings, in many cases everything from Tweets to photos are tagged with a variety of metadata.  In some cases this can include geotags for the location of the device that produced the photo, tweet or update, the model number and make of the camera or phone, etc.

I suppose if you flip the “goods” and the “bads” I could have given the same speech to hackers, but of course they are way too tech savvy to need any such guidance.

Well, most of them. There’s always the exception.

I couldn’t help but smile.  A hacker implicated in the recent Texas DPS breach, in painfully cliche fashion, decided that a bit of geek chest thumping was in order.  In a bugs-bunny-esque “you’ll never catch me coppers! Mwah hah hah!” moment, he decided to post pics on Social Media of his girlfriend holding signs taunting law enforcement.

The only problem?  Hacker-genius-computer-expert guy neglected to remove the geotagging from the photos, which were taken in her back yard. Police took the arcane and Star-Treky step of reading the lat/long coordinates on the files and looking them up on a map.

What I wouldn’t have given to be a fly on the wall when he was told how they got him.


Inventing My Own Hashtag… #SM4LE

So I recently spoke at a gathering of Police Chiefs on the topic of Social Media and Law Enforcement.  I covered a bunch of topics over the course of my bit (it was a full hour speaking slot, which allowed us to cover a lot of ground), but one came out of some of the things I learned while preparing.

  1.  Something like 90% of all US law enforcement agencies have fewer than 50 employees.
  2. Nearly all US municipalities are facing declining tax revenues and police departments are under more pressure than ever to “do more with less”.
  3. A significant portion of non-violent crimes that don’t involve drugs are never even pursued.  Consider this example:  In Spokane, the Police Department actually told the press that only 5% of property crimes will even be investigated! Not solved… looked at.  In 95% of all cases involving simple property theft, the victim filing the police report (usually done for their insurance company) is the end of the process.  I’m not knocking them – there just aren’t enough resources to go round.


Remember this post though?  It was on a more grandiose topic than State and local Law Enforcement, but it closed with an important notion.

“From cults to political parties to hate organizations to repressive regimes, the daylight is coming to shine on you.  If you can’t say it out loud and in public, know that your days are numbered.  I think, whether in months or years, the end is nigh, and your doom will come not from jackbooted troops, police SWAT teams or even intrepid reporters, but in the form of the individual with a conscience and the cheap, ubiquitous camera phone.”

And here’s what I’ve found.  Local Police Departments, those less-than-50-people, short-of-money agencies I talked about, are getting super creative in taking advantage of Social Media, and the power of both free technology platforms and free labor in the form of the engaged citizenry.  Here are just a few of my favorites.

The Utica NY police department (hey, I’m a Hamilton grad, what can I say?) started using its Facebook, Youtube and Twitter accounts to post information about crimes, including the “dead end” ones that no one could afford to spend paid labor to investigate.

The most amazing thing happened.  Shortly after the UPD posted store camera video of a liquor thief on its FB and YT channels, they received multiple calls ID’ing her by name, AND she turned herself in before UPD even tasked an officer to pick up the suspect.  My favorite part was her explanation when she showed up.  When asked why, she said “I wanted my face off Facebook and Youtube!” and her phone was “blowing up” with calls from angry family and friends. As I said before, this generation has a relationship to their phones and social networks that us “old people” (by which I mean, over 30) simply do not appreciate.

So a crime that a few years ago would fall into the “never even investigated pile” was now solved, in 24 hours complete with confession, at a total cost to the department of roughly NOTHING. They didn’t even spend the gas to have a cruiser pick her up.  She drove herself to the police station.  Awesome.

In another case described by the Chief of the UPD, there was a series of high-value thefts during one night between 11 and 3.  In the ensuing 24 hours, thanks to quick action on social media channels, they got two dozen tips, every single one of which named the same two guys. 

In LA, social media information was critical to catching a serial arsonist that had set more than 30 fires.  And this posted just this week – Police in Denton, Texas have caught eight of their Most-Wanted local criminals since February, thanks to their Facebook page.

What’s my point?  Two things – first, when every citizen is a free employee armed with a sophisticated, interlinked sensor (i.e. the camera phone and SMS), it’s amazing what under-staffed, under-funded and low-tech Law Enforcement Agencies  can do with a mouse, social media and an engaged community.







Second – This was about a one-minute part of an hour long discussion.  There are just so many aspects of social media and Open Source Intelligence that touch on state and local Law Enforcement. All  the money and fancy systems and “big data” being discussed at the Federal level? None of that trickles down well to the local LEAs whose concerns are the daily block and tackle of community policing.  I talked about the pitfalls, legal issues, and problems, yes, but also about the incredible opportunities that Social Media presents for improving outcomes and actually improving quality of life in communities large and small.  This is a broad, rich and fascinating topic I hope will get a lot more coverage in the future.

In the meantime, since I’m back on the blog and Twitter’s 140 character limit is not conducive to “#SocialMediaForLawEnforcement” I’m going to use #SM4LE (it didn’t already exist, I checked) as shorthand and hope I can help start a conversation.  I’ve met so many great cops, and dedicated civil servants who are trying so hard to work with what little they have in their own communities.  Maybe some of what I know about Open Source and Social Media can help the folks too small, too short-handed or too underfunded to enjoy the solutions that benefit the national agencies and major cities.

See you in the Twitterverse.

Eric  (@DigitalH20)




A really smart guy blows it completely…Malcolm Gladwell isn’t exactly wrong, he just missed the point.

So let me start with a couple of quick disclaimers.

  1. Malcolm Gladwell is a really smart guy, I respect a lot of his ideas, and I really liked several of his books.
  2. I’m not trying to pick a fight with someone famous just to elevate my blog.  What might I accomplish? Doubling the two dozen people who read it?  This isn’t gratuitous, and (as evidenced by my spotty posting record) I’m obviously not trying to make this blog a platform for fame or visibility.
  3. He’s also a lot more famous, rich and brainy than I am, so if those are the metrics that serve as proxy for right and wrong, maybe I should shut up. That said… Yeah, he totally blew it.

So a while back, I wrote a post called “Tech Coup 2.0 – The Revolution Will Be Twittervised…”, one in a long list of plays on the original title, poem and song, (The Revolution Will Not Be Televised, Gil Scott-Heron, 1970).

Unbeknownst to me at the time, Gladwell had written a piece a few months before for the New Yorker called “Small Change: The Revolution Will Not Be Tweeted”.  The reason I’m taking this on now, when the question might seem oh-so-totally-six-months-ago is not just to defend my position, but because I think this is going to be the question of 2012 far more than it was the question of 2010.  First let’s talk about how he’s missed the point, then I’ll touch on why I think the impact of this is going to reach far beyond the past year’s “Arab Spring”.

Gladwell’s argument, as well as those of several learned and impressive people he cites including Golnaz Esfandiari’s excellent piece in Foreign Policy “Misreading Tehran: The Twitter Devolution”, is that social media and virtual networks have fundamental flaws as a tool for organizing revolution.  I won’t recap his whole argument here, but citing examples from East Germany to the US civil rights movement, he explains that, among other things, social uprising against the status quo requires two very important elements.

The first is what he calls “strong ties”.  It’s easy, he argues, to “join a cause” by clicking the “Like” button on Facebook or giving a dollar via a Web site, but when we’re talking about rising up against a regime or authority with the ability and willingness to use coercion and force, it’s a different ballgame.  To be willing to stand in front of the proverbial tank or put flowers in a rifle barrel aimed at your head, true (that is, physically dangerous) stands against authority have traditionally required a personal connection to others involved.  Flash-mobbing Wall Street in New York, where the rule of law and one’s physical safety are essentially not in question (recent left-wing hysteria about pepper spray and fascism notwithstanding), is totally different than coming out of your house to face down Assad’s security forces because of a text message or Tweet.  People, he argues, put their asses on the line, because people they know and care about are taking to the streets too, and/or have been victims of the condition against which they protest.

The second factor a true uprising requires to be sustained, he argues, is hierarchy and organizational control, the very antithesis of social, informal and virtual networks.  If one’s goal is just to create havoc, then sure, a loose confederation of like-minded individuals acting semi-autonomously is fine.  But if your goal is explicit, specific and clear policy and governmental changes, then (citing examples like the NAACP), a clearly structured organization and chain of command is explicitly required.

He also does a fine job of pointing out the flaws of, if not completely tearing down, the arguments for the power of social media that are made in Smith and Aaker’s “The Dragonfly Effect” and Shirky’s “Here Comes Everybody”.  My favorite nugget:

“ ‘Social networks are particularly effective at increasing motivation,’ Aaker and Smith write.  But that’s not true.  Social networks are effective at increasing participation – by lessening the level of motivation that ‘participation’ requires.” 

Again, I won’t restate his whole argument here, it’s really worth it to read Gladwell’s piece.  And I say that because, (and here comes the potentially confusing part) I think he’s absolutely right. I think his critique of the whole “social media will change the world” view is dead on in terms of the flaws he exposes in social media as a tool of organization for large scale social or revolutionary change.

So… HUH?  Didn’t I start this whole discussion saying Gladwell’s wrong?  Nope.  I said he missed the point.  Not the same thing at all.  He’s absolutely right that technology, social networks and the like will not likely play (and explicitly have NOT to date played), the role its cheerleaders have claimed.

Here’s the point I think he missed, and it was the core point of my own Revolution post, which perhaps I didn’t state explicitly enough.  Technology and social networks will not bring the tools and organization and strong ties required to bring people out in the face of the threat of physical force.  But let’s remember what gets people out in the street in the first place – a motivation to take the risk, something so inspiring, egregious or powerful it overcomes the collective inertia of not revolting.  And that is what technology can, and will, bring.

Gladwell is right that it took organization, strong ties, and deeply seated moral beliefs among both the black protesters and the white freedom riders and volunteers who eventually rose up to begin changing life for black Americans.  Twitter and YouTube can’t provide the ties, or the organizational structure.  What they can provide is the motivation, the evidence, the “why”.  How much sooner, and how many more, white supporters might have come, how many more black students might have sat in, if lynchings and beatings and rapes of black girls by white men had been caught on cellphone cameras and posted on YouTube.

What was the catalyst that started the Tunisian upheaval? One poor street vendor, despondent and disheartened to the point of self-immolation, became the (literal) match that lit the fuse of revolution.

Can Twitter or SMS really provide the organizational structure and the belief systems to make thousands turn out in the face of arrest, imprisonment or worse and keep them focused on a long term goal or societal change?  Not at all.  Does it provide the strong familial or social ties that get folks to link arms in front of a machine gun?  Nope.  But…

Can it, in seconds and nearly unstoppably, communicate out to a million people the photo, video, report or account of an atrocity, injustice or societal wrong that will get them in the streets and provide the motivation to organize, reach out and engage one’s close ties?

It has (flip phone vid of Saddam Hussein being hanged anyone?), it can and it will.

Like I said, Gladwell wasn’t wrong, in fact I agree with his criticisms of the social-media evangelist set. Social media doesn’t play the role its cheerleaders claim.  On this, he’s right. I just think he’s arguing the wrong point.  I’ll close by repeating my own thought from the previous post, for whatever that’s worth.

If, and where, keeping the world from knowing “what’s really happening” is important to maintaining advantage, power or undeserved legitimacy,  the inability to keep the information genie in the bottle ever, at all, anywhere, is going to catch a whole lot of employers, governments and belief systems up short.

From cults to political parties to hate organizations to repressive regimes, the daylight is coming to shine on you and your beliefs.  If you can’t say it out loud and in public without losing support, money or legitimacy, know that your days are numbered.  I think, whether in months or years, the end is nigh, and your doom will come not from jackbooted troops, police SWAT teams or even intrepid reporters, but in the form of the individual with a conscience and the cheap, ubiquitous camera phone.

