[security-news] Bulletin #13 - March 24th, 2003
security-news at lists.resist.ca
security-news at lists.resist.ca
Mon Mar 24 22:30:07 PST 2003
***************************************************************
Security-news <security-news at lists.resist.ca>
A security bulletin for autonomous resistance movements
Produced by the folks who bring you http://security.tao.ca
***************************************************************
March 24th, 2003
Just when you think things can't possibly get worse, they always seem
to. The past week of war and the several weeks leading up to it have
been truly terrible times for the global population awaiting yet
another assault on the world by the United States. At the same time,
the struggles against the war globally have been truly inspiring to
participate in and to watch from afar. The thousands who have been
arrested in the United States, the hundreds of thousands marching in
the streets every day around the world - these are the moments we are
fighting to keep in a world increasingly repressing its dissident
voices. With resistance comes repression, and it is in this vein that
we put out the 13th Security-news bulletin. We urge our brothers and
sisters to stay strong and safe in these times of struggle.
**********************************
Security-news: Issue #13 - Contents
**********************************
* Upcoming Event: Little Sister 2003
* News & Analysis: These Are Not Your Father's Wiretaps
* News & Analysis: U.S. Steps Up Secret Surveillance
* How to: There's a War On - Do you know where your data is?
*****
Event: Little Sister 2003
*****
Little Sister 2003
Community Resistance, Security, Law and Technology
May 9-11
Vancouver, British Columbia (Coast Salish Territory)
All activist folks interested in security issues during this heightened
time of global crackdown should seriously plan to attend this three day
conference!
The Little Sister website is up and running at
https://littlesister2003.org. There is information Conference
registration and workshop submissions are handled at this site. PLEASE
NOTE that the workshop sub and registration deadlines are fast
approaching - so get your applications in to us asap!
We believe that our greatest strength in defeating the security and
legal maneuvers used against us as community organizers is by unifying
and building common cause in our movements. This means building diverse
coalitions who are willing to support each other in order to create
safe spaces for opposition to the policies and practices of governments
and corporations. Ultimately, as organizers, our goal is to resist the
injustices our communities face, while retaining our physical and
emotional freedom. It is these themes on which the Little Sister 2003
organizing committee is building the conference program.
Visit our website for more info or email us at info at littlesister2003.org
Little Sister 2003 Organizing Committee
*****
News & Analysis: These Are Not Your Father's Wiretaps
By Jane Black, Business Week
February 27, 2003
*****
In the old days, tapping a phone was as easy as one-two-three. All
calls ran over Ma Bell's copper wires. To listen in, law-enforcement
agents simply requested that the phone company isolate the suspect's
wire and record any calls made or received. One phone company. One
network. One flip of a switch.
That was eons ago by techno-standards, however. The new world of
telecommunications has made it much harder for the FBI to thwart
evildoers -- and for privacy advocates to ensure that the agency
doesn't overstep its bounds. Today, dozens of new technologies need to
be monitored, such as packet voice and cellular text messaging. And
thousands of new service providers are now in business. "Every time the
technology moves ahead, you have all these pitfalls -- all these
potential points where we can creep away from the status quo to a far
more intrusive type of surveillance," says Lee Tien, a senior attorney
at San Francisco-based advocacy group the Electronic Frontier
Foundation.
The job of sorting out the mess falls in large part to Les Szwajkowski,
the director of the FBI's CALEA surveillance policy and planning unit.
(CALEA is an acronym for Communications Assistance for Law Enforcement
Act, which was passed in 1994 and granted the FBI the right to conduct
surveillance on any new technologies that arise.) With his staff of 50
engineers, lawyers, and surveillance experts, Szwajkowski's most
pressing task is finding a way to tackle the challenge of packetized
voice, better known as VOIP (for voice over Internet protocol), which
is steadily gaining a foothold in the U.S. market. VOIP provider Vonage
in Edison, N.J., alone has lured 15,000 customers since it launched in
April, 2002.
"SHORT ONE PLAYER." Last month, law-enforcement officials and telecom
providers such as Vonage gathered at a closed-door meeting in Chicago
to plan for the digital future. The technology makes for some tough
issues for policymakers. Unlike a traditional phone call, where a line
is dedicated between two parties, VOIP slices each call into millions
of tiny digital packets, each of which can take a discrete route over
the Internet. That means surveillance equipment must either be
installed permanently on a network or calls must be routed through FBI
surveillance equipment before being delivered to the caller, which
experts say can create a suspicious delay.
"Our tactical people are trying to plug every hole. But it's like
playing the field short one player," says Szwajkowski. "A call that is
not [able to be intercepted] is a major public-safety and security
dilemma."
This isn't the first time the FBI has faced such a challenge. As early
as the 1980s, new features such as call forwarding and conference
calling created loopholes for crafty criminals. If the FBI tapped a
suspect's office phone, that person could forward the call to a home
line if he or she smelled a wiretap -- outfoxing the FBI. Conference
calls also thwarted so-called pen register and trap-and-trace orders,
which allow law-enforcement agencies to record all the calls made or
received on a particular line.
WHO YA GONNA CALL? To trick the feds, one untapped person could call
another and then conference in the suspected wrongdoer, without the
call being registered by law enforcement. From 1992 to 1994, a total of
183 federal, state, and local law-enforcement cases were impeded by
advances in digital technology, according to congressional testimony by
then-FBI Director Louis Freeh.
Szwajkowski's job is all the more complicated because of the explosion
of new communications providers since the 1996 Telecommunications Act.
Today, it's not just the phone company that completes calls. It could
be an Internet service provider, a VOIP startup, or both. In rural
areas, it's not uncommon for startups, such as Paul Bunyon Telecom in
Bemidji, Minn., or CBeyond Communications in Atlanta, to serve just a
few thousand customers apiece.
"The number of new players is staggering to us," Szwajkowski says. "It
was hard enough before to balance technology and economics. Today we
have to negotiate with a whole new set of entrants with a range of
demands and circumstances."
HUNGRY CARNIVORE. Therein lies a danger, say privacy advocates. They
worry that the FBI will use the rise of the packet technology and the
expanding number of players as an excuse to expand its all-seeing,
all-knowing surveillance power.
Here's why: VOIP travels across the Internet the same way that e-mail
does. Address information (the number dialed or the e-mail address) is
contained in the same packet as the content (what is said or written).
The FBI's solution for e-mail is the notorious Carnivore technology,
which sucks up all data that passes its way. The FBI claims that
Carnivore filters traffic and delivers to investigators only packets
that they're lawfully authorized to obtain. But because the details
remain secret, the public must trust the FBI's characterization of the
system and -- more significant -- that it's complying with legal
requirements.
Carnivore has been highly controversial, and privacy advocates fear the
FBI will develop a similar system for VOIP. "The very nature of packet
technology means that whether it's an e-mail or a voice call, [the FBI]
can get more and more information that allows them to be more and more
privacy-invasive," says the EFF's Tien.
A NEW ERA. The sheer number of players could put privacy at an even
greater disadvantage. In the old days, the FBI went head-to-head with
the likes of AT&T (T ) or Verizon (VZ ), each of which has an army of
lawyers to fight off any onerous requirements. In an emerging area such
as VOIP, however, small companies are on the cutting edge, and they
have no money to staff a huge legal department.
Szwajkowski plays down these fears. "I'm a citizen too. I don't want to
be surveilled without law enforcement having built up a serious case in
front of a judge," he says. "All we want is the ability to intercept,
whatever technology they use to communicate."
Figuring out just how to do that will be tough -- even with the best of
intentions. Compromises between law enforcement and carriers over the
coming year will usher in a new era of government surveillance. To
avoid another Carnivore, privacy advocates must stay alert.
*****
News & Analysis: U.S. Steps Up Secret Surveillance
FBI, Justice Dept. Increase Use of Wiretaps, Records Searches
By Dan Eggen and Robert O'Harrow Jr.
March 24, 2003; Page A01
*****
Article at:
http://www.washingtonpost.com/wp-dyn/articles/A16287-2003Mar23.html
Since the Sept. 11, 2001, attacks, the Justice Department and FBI have
dramatically increased the use of two little-known powers that allow
authorities to tap telephones, seize bank and telephone records and
obtain other information in counterterrorism investigations with no
immediate court oversight, according to officials and newly disclosed
documents.
The FBI, for example, has issued scores of "national security letters"
that require businesses to turn over electronic records about finances,
telephone calls, e-mail and other personal information, according to
officials and documents. The letters, a type of administrative
subpoena, may be issued independently by FBI field offices and are not
subject to judicial review unless a case comes to court, officials said.
Attorney General John D. Ashcroft has also personally signed more than
170 "emergency foreign intelligence warrants," three times the number
authorized in the preceding 23 years, according to recent congressional
testimony.
Federal law allows the attorney general to issue unilaterally these
classified warrants for wiretaps and physical searches of suspected
terrorists and other national security threats under certain
circumstances. They can be enforced for 72 hours before they are
subject to review and approval by the ultra-secret Foreign Intelligence
Surveillance Court.
Government officials describe both measures as crucial tools in the war
on terrorism that allow authorities to act rapidly in the pursuit of
potential threats without the delays that can result from seeking a
judge's signature. Authorities also stress that the tactics are
perfectly legal.
But some civil liberties and privacy advocates say they are troubled by
the increasing use of the tactics, primarily because there is little or
no oversight by courts or other outside parties. In both cases, the
target of the investigation never has to be informed that the
government has obtained his personal records or put him under
surveillance.
"When this kind of power is used in the regular criminal justice
system, there are some built-in checks and balances," said David Sobel,
general counsel of the Electronic Privacy Information Center (EPIC),
which is suing the Justice Department for information about its
secretive anti-terrorism strategies. "The intelligence context provides
no such protection. That's the main problem with these kinds of
secretive procedures."
The use of national security letters has been accelerated in part
because Congress made it easier to use and apply them. The USA Patriot
Act, a package of sweeping anti-terrorism legislation passed after the
Sept. 11 attacks, loosened the standard for targeting individuals by
national security letters and allowed FBI field offices, rather than a
senior official at headquarters, to issue them, officials said.
The records that can be obtained through the letters include telephone
logs, e-mail logs, certain financial and bank records and credit
reports, a Justice official said.
The Patriot Act also significantly increased the amount of intelligence
information that can be shared with criminal prosecutors and federal
grand juries, giving authorities new powers in the war on terrorism.
National security letters can be used as part of criminal
investigations and preliminary inquiries involving terrorism and
espionage, according to officials and internal FBI guidelines on the
letters.
According to documents given to EPIC and the American Civil Liberties
Union as part of their lawsuit, the FBI has issued enough national
security letters since October 2001 to fill more than five pages of
logs. There is no way to determine exactly how many times the documents
have been employed because the logs were almost entirely blacked out,
according to a copy provided to The Washington Post by the ACLU.
The Justice Department and FBI refuse to provide summary data about how
often the letters are used. Several lawmakers have proposed legislation
that would require the department to provide that kind of data.
"In our view, the public is entitled to these statistics," said Jameel
Jaffer, staff attorney for the ACLU's national legal department. "We
have no idea how those are being used."
FBI spokesman John Iannarelli said "it's safe to say that anybody who
is going to conduct a terrorism investigation is probably going to use
them at some point. . . . It's a way to expedite information, and
there's nothing that needs expediting more than a terrorism
investigation."
But a November 2001 memorandum prepared by FBI attorneys warned that
the letters "must be used judiciously" to avoid angering Congress,
which will reconsider Patriot provisions in 2005. "The greater
availability of NSLs does not mean they should be used in every case,"
the memo says.
Beryl A. Howell, former general counsel to Sen. Patrick Leahy (D-Vt.)
and a specialist in surveillance law, described national security
letters as "an unchecked, secret power that makes it invisible to
public scrutiny and difficult even for congressional oversight." Howell
now is a managing director and general counsel at Stroz Friedberg LLC,
a computer forensic firm in the District.
Under the Foreign Intelligence Surveillance Act (FISA), the government
has the power to obtain secret warrants for telephone wiretaps,
electronic monitoring and physical searches in counterterrorism and
espionage cases. The Justice Department has expanded its use of such
warrants since a favorable FISA court ruling last year, which
determined that the Patriot Act gave federal officials broad new
authority to obtain them.
The warrants, cloaked in secrecy and largely ignored by the public for
years, have become a central issue in the ongoing debate over missteps
before the Sept. 11 attacks. The FBI has come under sharp criticism
from lawmakers who say FBI officials misread the FISA statute in the
case of Zacarias Moussaoui, the alleged terror conspirator who was in
custody before the attacks. No warrant was sought in the Moussaoui
case, and his computer and other belongings were not searched until
after the attacks.
Even less well known are provisions that allow the attorney general to
authorize these secret warrants on his own in emergency situations. The
department then has 72 hours from the time a search or wiretap is
launched to obtain approval from the FISA court, whose proceedings and
findings are closed to the public.
Officials said that Ashcroft can use his emergency power when he
believes there is no time to wait for the FISA court to approve a
warrant. There are no additional restrictions on emergency warrants,
other than the rules that apply to all FISA applications, officials
said.
Ashcroft told lawmakers earlier this month that Justice made more than
1,000 applications for warrants to the secret court in 2002, including
more than 170 in the emergency category. In the previous 23 years, only
47 emergency FISA warrants were issued.
FBI Director Robert S. Mueller III, in similar testimony to the Senate
Judiciary Committee, said, "We can often establish electronic
surveillance within hours of establishing probable cause that an
individual is an appropriate FISA subject."
"We have made full and very productive use of the emergency FISA
process," Mueller said.
Sobel and other civil liberties advocates say they are troubled by the
aggressive use of emergency FISAs because it leaves the initial
decision up to the attorney general and allows clandestine searches and
surveillance for up to three days before any court review.
Staff researcher Madonna Lebling contributed to this report.
*****
How to: There's a War On - Do you know where your data is?
An Open Letter from Cindy Cohn
Electronic Frontier Foundation
*****
Hi all,
With the war declared, it's becoming quite clear that ISPs and other
holders and passers of electrons throughout the US (and probably much
of the world) are receiving various sorts of subpoenas, court orders
and warrants to collect and hold information. about people involved in
the peace movement and other progressive organizing, along with anyone
with an Arabic sounding name or ties.
If this concerns you, or the people you work with, a couple of thoughts:
1) Are you using encryption when you can? Are the people who you work
with? Go to www.pgpi.org and download the program and find someone to
show you how to use it. It's not that hard and there are plenty of
folks on this list and elsewhere who can teach you. If you use
Outlook, I've just been told that there is opportunistic encryption
built in if you know how to turn it on. I'll send an EFF hat to the
first person who sends me an explanation of how to do it that my
grandfather could understand. I'll also make sure it gets posted
online. If you know how to use PGP, target 3 colleagues who need it and
teach them. Then use it with them so that they get well-practiced. And
don't forget PGPDisk. No one should cross a border without her hard
drive encrypted. We worked hard to free encryption from governmental
censorship and control. Please use it.
2) For those of you that administer websites, e-mail systems and
similar technologies, what information do you have about your users?
Do you need to have it? Does your website gather IP addresses? Does
your e-mail system keep log files? Are you keeping them? If so, why
and for how long? Double checking the settings on your servers and
systems. The techies who write most of those programs set the default
to save everything. Do you really need that? Most good sysadmins are
packrats by nature; but now is the time to fight that urge to keep
every scrap of data "just in case" someone wants it later. That
someone could be John Ashcroft.
The US has NO data retention requirements. As long as you implement a
system of eliminating records as you go and stick to it, there's no
liability for you if the feds come to seize your server and there's
nothing on it they can use. Let's exercise this freedom NOT to gather
information for the government while we still have it.
3) What footprints are you and your colleagues leaving when you travel
around the Internet? Think about using anonymizer.com or similar tool
for your surfing. It's easy. Anonymizer.com offers a free account to
EFF members, but whether you go through us or directly to them or
through some other tool.
I'm proud of the work the peace movement has done so far and the good
use it's made of new technologies to assist in organizing, planning,
rallying and support. We've been watching the Ashcroftians closely,
however, and it's clear that the war on terrorism and the war on Iraq
are being used as excuses to spy on the public and to gather extensive
dossiers about us. The peace movement is an obvious target for
harassment using this information. Let's not make their job any easier
for them.
And if you hear from law enforcement about your online activities,
please don't hesitate to contact us.
Feel free to forward this message to anyone who you think could benefit
from it.
Take care,
Cindy
************************************************
Cindy A. Cohn Cindy at eff.org
Legal Director www.eff.org
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
Tel: (415)436-9333 x 108
Fax: (415) 436-9993
***************************************************************
Security-news <security-news at resist.ca>
Good computer security is no sub
More information about the security-news
mailing list