Court Revives NSA Dragnet Surveillance Case

The National Security Agency allegedly siphoned Americans

A federal appeals court on Thursday reinstated a closely watched lawsuit accusing the federal government of working with the nation’s largest telecommunication companies to illegally funnel Americans’ electronic communications to the National Security Agency without court warrants.

While the 9th U.S. Circuit Court of Appeals revived the long-running case brought by the Electronic Frontier Foundation, the three-judge panel unanimously refused to rule on the merits of the case, or whether it was true the United States breached the public’s Fourth Amendment rights by undertaking an ongoing dragnet surveillance program the EFF said commenced under the Bush administration following 9/11.

The San Francisco-based appeals court reversed a San Francisco federal judge who tossed the case against the government nearly three years ago. U.S. District Judge Vaughn Walker, now retired, said the lawsuit amounted to a “general grievance” from the public, and not an actionable claim.

Walker also presided over the only case that found the Bush administration illegally spied on American citizens when it unleashed the NSA on Americans’ conversations, ruling that the government violated the rights of two American lawyers for al-Haramain, a now defunct Islamic charity. The government is appealing that ruling.

Writing for the majority on Thursday, Judge Margaret McKeown ruled (.pdf) that the EFF’s claims “are not abstract, generalized grievances and instead meet the constitutional standing requirement of concrete injury. Although there has been considerable debate and legislative activity surrounding the surveillance program, the claims do not raise a political question nor are they inappropriate for judicial resolution.”

The EFF’s allegations are based in part on internal AT&T documents, first published by Wired, that outline a secret room in an AT&T San Francisco office that routes internet traffic to the NSA.

“Today, the 9th Circuit has given us that chance, and we look forward to proving the program is an unconstitutional and illegal violation of the rights of millions of ordinary Americans,” said Cindy Cohn, the EFF’s legal director.

But the appeals court also dealt EFF a blow.

In a separate opinion (.pdf), the judges tossed the EFF’s lawsuit against the United States’ largest telecoms, including AT&T — which the EFF accused of cooperating with the government’s warrantless surveillance program.

The appeals court sided with an act of Congress from July 2008, one voted for by then-Senator Barack Obama of Illinois, and then signed by President George W. Bush. The legislation handed the telcos retroactive immunity from being sued for allegedly participating in the surveillance program.

That led Judge Walker to toss the case against AT&T and others. The EFF contended on appeal that the legislation, which grants the president the power to grant immunity to the telcos, was an unlawful abuse of power.

The appeals court disagreed.

“By passing the retroactive immunity for the telecoms’ complicity in the warrantless wiretapping program, Congress abdicated its duty to the American people,” EFF senior staff attorney Kurt Opsahl said. “It is disappointing that today’s decision endorsed the rights of telecommunications companies over those of their customers.”

That said, the Bush administration, and now the Obama administration, have neither admitted nor denied the spying allegations — though Bush did admit that the government warrantlessly listened in on some Americans’ overseas phone calls, which he said was legal. But as to widespread internet and phone dragnet surveillance of Americans, both administrations have declared the issue a state secret — one that would undermine national security if exposed.

Toward that end, the federal appeals court sent the EFF’s case against the government back to the lower courts to determine whether it should be tossed on grounds that it threatens to expose state secrets. No court date has been set.

That lawsuit was filed immediately after Bush signed the immunity legislation for the telcos. The new lawsuit prompted the Obama administration to invoke the state secrets privilege — despite Obama having announced at the beginning of his four-year term that he would limit his use of that doctrine. Usually, lawsuits are dismissed when the government invokes the privilege.

Judge Walker wound up dismissing the revised lawsuit as a “general grievance” and did not rule on the state secrets claim.

Walker, however, did allow the al-Haramain case to proceed despite the feds’ invocation of the privilege — a rarity since courts are extremely deferential to the executive branch in matters of secrecy. The Supreme Court first fashioned the doctrine in a McCarthy-era lawsuit in a case where the government lied to the court to escape embarrassment and liability over an airplane crash.

Patator – Multi Purpose Brute Forcing Tool

Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:

• They either do not work or are not reliable (false negatives several times in the past)

• They are slow (not multi-threaded or [...]

Read the full post at darknet.org.uk


2011: The Year Intellectual Property Trumped Civil Liberties

Online civil liberties groups were thrilled in May when Sen. Patrick Leahy (D-Vermont), the head of the powerful Judiciary Committee, announced legislation requiring the government, for the first time, to get a probable-cause warrant to obtain Americans’ e-mail and other content stored in the cloud.

But, despite the backing of a coalition of powerful tech companies, the bill to amend the Electronic Communications Privacy Act was dead on arrival, never even getting a hearing before the committee Leahy heads.

In contrast, another proposal, which Leahy and others floated at about the same time as his ECPA reform measure, sailed through Leahy’s committee less than two weeks later. That bill, known as the Protect IP Act, was anti-piracy legislation long sought by Hollywood that dramatically increased the government’s legal power to disrupt and shutter websites “dedicated to infringing activities.”

This dichotomy played itself out over and again in 2011, as lawmakers — Democrats and Republicans alike — turned a blind eye to important civil liberties issues, including Patriot Act reform, and instead paid heed to the content industry’s desires to stop piracy.

“Any civil liberties agenda was a complete non-starter with Congress and the Obama administration,” said Cindy Cohn, the Electronic Frontier Foundation’s legal director. “They had no interest in finding any balance in civil liberties.”

It wasn’t just on the federal level, either.

In California, for example, Gov. Jerry Brown vetoed legislation that would have demanded the police obtain a court warrant before searching the mobile phone of anybody arrested. But Brown, a Democrat, signed legislation authorizing the authorities to search, without a warrant, CD-stamping plants that dot Southern California’s landscape.

Underscoring that civil liberties would take a back seat in 2011 was the debate, or lack thereof, concerning the Patriot Act. The House and Senate punted in May on revising the controversial spy act adopted in the wake of 9/11. Congress extended three expiring Patriot Act spy provisions for four years, without any debate.

The three provisions extended included:

• The “roving wiretap” provision allows the FBI to obtain wiretaps from a secret intelligence court, known as the FISA court (under the Foreign Intelligence Surveillance Act), without identifying the target or what method of communication is to be tapped.

• The “lone wolf” measure allows FISA court warrants for the electronic monitoring of a person for any reason — even without showing that the suspect is an agent of a foreign power or a terrorist. The government has said it has never invoked that provision, but the Obama administration said it wanted to retain the authority to do so.

• The “business records” provision allows FISA court warrants for any type of record, from banking to library to medical, without the government having to declare that the information sought is connected to a terrorism or espionage investigation.

While the Obama administration was lobbying against tinkering with the Patriot Act, and telling the courts that Americans have no privacy in their public movements, the White House was quietly working with the recording and motion picture industries to help broker a deal by which internet companies would block internet access to repeat online infringers.

E-mails obtained via the Freedom of Information Act showed just how cozy the administration was with the content industry: The nation’s copyright czar, Victoria Espinel, used her personal e-mail account with industry officials to help mediate the plan.

The administration said in a statement to Wired that Espinel was undertaking “precisely the work outlined in the administration’s 2010 Joint Strategic Plan on Intellectual Property Enforcement.”

By the same token, the Privacy and Civil Liberties Oversight Board remained dormant again for another year. It was chartered by statute in 2004 and given more power in 2007 to “analyze and review actions the executive branch takes to protect the nation from terrorism, ensuring that the need for such actions is balanced with the need to protect privacy and civil liberties” and to “ensure that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the nation against terrorism.”

The board has remained without members since January 2008, a year before Obama’s inauguration. Its website at privacyboard.gov doesn’t resolve.

Two weeks ago, President Barack Obama finally filled out the five-member board, but his nominees still have to be confirmed by the Senate.

Had the board been active, it would have had plenty to say on the “development and implementation of laws.”

“Had the board been functional, it might have been a valuable participant in current deliberations over military detention authority, for example,” said Steven Aftergood, who directs the Federation of American Scientists Project on Government Secrecy. “It might also have conducted investigative oversight into any number of other counterterrorism policies, as mandated by law.”

All the while, Espinel and the Immigration and Customs Enforcement office spent the year seizing online domains of websites allegedly hawking counterfeit and copyright goods. All told, the government has seized more than 350 domains as part of a forfeiture program known as “Operation in Our Sites” that began a little more than a year ago. The authorities were using the same asset-forfeiture laws used to seize cars and houses belonging to suspected drug dealers.

A hip-hop music site’s domain name was seized for a year and given back three weeks ago, without ever affording the site’s New York owner a chance to challenge the taking. The legal case surrounding the takedown, which centered on MP3s posted by the site, is sealed from public view at the request of ICE. The site’s lawyer says the MP3s listed in the seizure order had been sent to the site by the labels themselves, seeking publicity.

That prompted Sen. Ron Wyden (D-Oregon) to demand that the Justice Department divulge how many other domains are caught in a legal black hole.

Lawmakers’ drive to bolster intellectual property rights of some of the country’s biggest political donors began in earnest in May when Leahy introduced the Protect IP Act, and two weeks later it sailed through his Judiciary Committee.

The Stop Online Piracy Act, or SOPA, is nearly an exact copy and is now being debated in the House Judiciary Committee.

Both are offshoots of the Combating Online Infringement and Counterfeits Act introduced last year.

Under the old COICA draft, the government was authorized to obtain court orders to seize so-called generic top-level domains ending in .com, .org and .net. The new legislation, with the same sponsors, narrows that somewhat.

Instead of allowing for the seizure of domain names, it allows the Justice Department to obtain court orders demanding American ISPs block citizens from reaching a site by modifying the net’s Domain Name System. DNS works as the net’s phone book, turning domain names like Wired.com into IP addresses such as 165.193.220.20, which browsers use to actually get to the site.

On May 26, the day the Protect IP Act passed the Senate Judiciary Committee, Wyden exercised a rarely used Senate procedure and held the measure from going to the Senate floor for a vote, where it would likely pass. The measure is expected to come back in the new year, and it’s likely Wyden’s hold can be overridden by a vote of 60 senators.

Wyden has promised to wage a one-man filibuster if necessary.

“By ceding control of the internet to corporations through a private right of action, and to government agencies that do not sufficiently understand and value the internet, PIPA represents a threat to our economic future and to our international objectives,” Wyden said.

DNS experts Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson and Paul Vixie wrote in a white paper that the Protect IP Act “would promote the development of techniques and software that circumvent use of the DNS.”

“These actions,” they wrote, “would threaten the DNS’s ability to provide universal naming, a primary source of the internet’s value as a single, unified, global communications network.”

They also argue that the proposal undermines a government-approved new DNS security measure known as DNSSEC that aims to prevent criminals from poisoning the domain-name lookup system with false information in order to “hijack” people trying to visit their bank online.

Regardless, the SOPA measure in the House, which is virtually identical to PIPA in the Senate, looked like it would sail out of the House Judiciary Committee two weeks ago.

But Rep. Lamar Smith (R-Texas), who heads the House Judiciary Committee, abruptly continued the hearing so lawmakers could hear from internet architecture experts before taking a vote. A Motion Picture Association vice president had testified before the committee that concerns over DNS redirecting were “overstated.”

Rep. Zoe Lofgren (D-California) said the measure went too far.

“We never tried to filter the telephone networks to block illegal content on the telephone network,” she said, “yet that is precisely what this legislation would do relative to the internet.”

The hearing will resume in the new year.

But it’s unlikely that lawmakers will return to the now-forgotten bill that would prevent law enforcement from sifting through your online e-mail account without first proving probable cause to a judge.

Consider that October marked the 25th anniversary of the Electronic Communications Privacy Act, the law that allows the authorities to access your e-mail without a court warrant.

The law, known as ECPA and signed by President Ronald Reagan, came at a time when e-mail was used mostly by nerdy scientists, when phones without wires hardly worked and when the World Wide Web didn’t exist. Four presidencies and hundreds of millions of personal computers later, the Electronic Communications Privacy Act has aged dramatically, providing little protection for citizens from the government’s prying eyes — despite the law’s language remaining much the same.

The silver anniversary of ECPA had prompted the nation’s biggest tech companies and prominent civil liberties groups to again lobby for an update to what was once the nation’s leading privacy legislation protecting Americans’ electronic communications from warrantless searches and seizures.

In the 1980s, ECPA protected Americans’ e-mail from warrantless surveillance — despite ECPA allowing the government to access e-mail without a court warrant if it was six months or older and stored on a third-party’s server. The tech world now refers to these servers as “the cloud,” and others just think of Hotmail, Yahoo Mail, Facebook and Gmail.

ECPA was adopted at a time when e-mail wasn’t stored on servers for a long time. It just sat there briefly before recipients downloaded it to their inbox on software running on their own computer. E-mail more than six months old was assumed abandoned, and that’s why the law allowed the government to get it without a warrant.

On Oct. 20, Leahy said “this law is significantly outdated and outpaced by rapid changes in technology.” He promised hearings “before the end of the calendar year” in the Judiciary Committee he heads, despite the Obama Justice Department’s opposition to the change.

But there was no hearing.

Presumably, it was just forgotten amid the rush to alter the internet at the behest of the same industry that tried to ban the VCR and MP3 players.

Malicious Password-protected Documents used in Targeted Attacks

Recently, we discovered malware in the wild in the form of password-protected document files, such as PDF and Word documents. The malware is sent as email attachments in limited, targeted attacks.

Passwords for document files are commonly used to prevent unauthorized access to the files by encrypting them with passwords. However, attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware. It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed.

The malware itself isn’t anything special. It is no different from the common attachments used in typical targeted attacks, except that the files require a password to be opened. Various office suites include a password encryption feature, so document files are not the only type that can be used for this sort of attack. Besides files for word processors, files for spreadsheet and presentation programs are also affected.

In the past, we have often seen password-protected email attachments, but these have usually been archive files. The attachments themselves are not usually detected, but the files inside the archive are detected when they are extracted. For this particular attack, however, the attached document files themselves are password-protected, meaning the files are encrypted.

We can nonetheless still prevent infection with security products that use traditional as well as proactive detection to detect the dropped and/or downloaded files, as with any other type of attack. However, please be aware of this new trick when you encounter password-protected documents in unsolicited emails.

Attackers continue to add extra tricks to their repertoire, but as long as multi-layered defence is used, the risk of infection shouldn’t be any higher than with other types of targeted attacks.
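One way a mail gateway could act on the advice above is to flag attachments that are themselves encrypted, since a content scanner cannot look inside them. The following is an added example, not code from the original post: the function names and sample bytes are constructed for illustration, and it covers only PDF and password-to-open OOXML files (legacy binary Office formats are not detected).

```python
"""Flag password-protected PDF and OOXML attachments a content scanner cannot open."""
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")         # Compound File Binary signature
ENC_INFO = "EncryptionInfo".encode("utf-16-le")       # streams present when an OOXML
ENC_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # file is encrypted with a password
PDF_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
PDF_ENCRYPT_KEY = re.compile(rb"/Encrypt(?![A-Za-z])")  # not /EncryptMetadata


def _decode_pdf_names(data: bytes) -> bytes:
    """Undo #xx name escapes so a key written as /#45ncrypt still matches."""
    return PDF_NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def classify_attachment(data: bytes) -> str:
    """Return 'encrypted-pdf', 'encrypted-ooxml' or 'not-flagged'."""
    if b"%PDF-" in data[:1024]:
        # An encrypted PDF names its encryption dictionary with an /Encrypt key
        # in the trailer (or cross-reference stream) dictionary.
        if PDF_ENCRYPT_KEY.search(_decode_pdf_names(data)):
            return "encrypted-pdf"
        return "not-flagged"
    if data.startswith(OLE_MAGIC):
        # A normal .docx/.xlsx/.pptx is a ZIP; a password-to-open one is an OLE
        # container whose directory lists these two UTF-16LE stream names.
        if ENC_INFO in data and ENC_PACKAGE in data:
            return "encrypted-ooxml"
    return "not-flagged"


def hold_for_review(attachments: dict) -> dict:
    """Map filename -> verdict for every attachment that could not be inspected."""
    verdicts = {name: classify_attachment(blob) for name, blob in attachments.items()}
    return {name: v for name, v in verdicts.items() if v != "not-flagged"}


# Constructed sample bytes (not real documents, only the markers the checks read).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.6\ntrailer\n<</Root 1 0 R/Encrypt 5 0 R>>\n%%EOF",
    "obfuscated.pdf": b"%PDF-1.6\ntrailer\n<</Root 1 0 R/#45ncrypt 5 0 R>>\n%%EOF",
    "plain.pdf": b"%PDF-1.4\ntrailer\n<</Root 1 0 R>>\n%%EOF",
    "report.docx": OLE_MAGIC + b"\x00" * 504 + ENC_INFO + b"\x00" * 100 + ENC_PACKAGE,
    "plain.docx": b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml",
    "legacy.doc": OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
}

if __name__ == "__main__":
    for name, verdict in hold_for_review(SAMPLES).items():
        print(f"{name}: {verdict} -> hold for manual review")
```

A flagged file is not necessarily malicious; the verdict only means the static scanning layer was blind to it, so the other layers (behavioural detection of dropped or downloaded files, user awareness) carry the load.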