Justice Dept. Defends Public’s Constitutional ‘Right to Record’ Cops

As police departments around the country are increasingly caught up in tussles with members of the public who record their activities, the U.S. Justice Department has come out with a strong statement supporting the First Amendment right of individuals to record police officers in the public discharge of their duties.

In a surprising letter (.pdf) sent on Monday to attorneys for the Baltimore Police Department, the Justice Department also strongly asserted that officers who seize and destroy such recordings without a warrant or without due process are in strict violation of the individual’s Fourth and Fourteenth Amendment rights.

The letter was sent to the police department as it prepares for meetings to discuss a settlement over a civil lawsuit brought by a citizen who sued the department after his camera was seized by police.

In the lawsuit, Christopher Sharp alleged that in May 2010, Baltimore City police officers seized, searched and deleted the contents of his mobile phone after he used it to record them as they were arresting a friend of his.

Last year, the Baltimore Police Department published a General Order to officers explaining that members of the public have a right to record their activity in public, but the Justice Department said in its 11-page letter this week that the order didn’t go far enough, and pointed out several areas where it should clarify and assert more strongly the rights that individuals possess.

The right to record police officers in the public discharge of their duties was essential to help “engender public confidence in our police departments, promote public access to information necessary to hold our governmental officers accountable, and ensure public and officer safety,” wrote Jonathan Smith, head of the Justice Department’s Special Litigation Section.

Smith cited the 1991 videotaped assault of Rodney King while he was being beaten by law enforcement officers as an incident that “exemplifies this principle” of public oversight.

“A private individual awakened by sirens recorded police officers assaulting King from the balcony of his apartment,” Smith wrote. “This videotape provided key evidence of officer misconduct and led to widespread reform.”

He noted that the issue was particularly important in Baltimore, “given the numerous publicized reports over the past several years alleging that BPD officers violated individuals’ First Amendment rights.”

The Justice Department’s intervention in the local civil case was surprising yet significant in that it put not only Baltimore but also every other city police department around the country on notice that interference with such recordings is unconstitutional. It was sent to Baltimore days after several media and civil rights organizations sent U.S. Attorney General Eric Holder a letter insisting that the Justice Department take action against agencies that arrest people who record officers.

“Since the Occupy Wall Street movement began, police have arrested dozens of journalists and activists simply for attempting to document political protests in public spaces,” the letter to Holder stated. “A new type of activism is taking hold around the world and here in the U.S.: People with smartphones, cameras and Internet connections have been empowered with the means to report on public events.”

While individual cases didn’t necessarily fall under the Justice Department’s jurisdiction, the letter acknowledged, the suppression of speech was a national problem that had to be addressed at the federal level.

“Freedom of speech, freedom of assembly and freedom of access to information are vital whether you’re a credentialed journalist, a protester or just a bystander with a camera,” the organizations asserted.

In the document he sent to Baltimore, Smith said that, except under limited circumstances where a person recording police activity engaged in actions that violated the law, jeopardized the safety of a police officer, a suspect, or others, or incited others to violate the law, police officers should not interfere with a recording and should never seize recording devices without a warrant. They should also be advised “not to threaten, intimidate, or otherwise discourage an individual from recording police officer enforcement activities or intentionally block or obstruct cameras or recording devices.”

Policies should prohibit officers from destroying recording devices or cameras and deleting recordings or photographs under any circumstances, Smith wrote.

Video above shows a New York City police officer attempting to prevent a New York Times photographer from capturing images during a public demonstration.

Analyzing Trends in Cybercrime: 2011 to 2020

Those who attempt to predict the future run the risk of being wrong. But those who overlook the importance of conducting a prospective analysis adopt a passive attitude that weakens them against the dictatorship of events. Anticipating societal changes prepares us to weather the storm.

That quote comes from the recently published Prospective Analysis on Trends in Cybercrime from 2011 to 2020, by the French General of the Army, Marc Watin-Augouard.

This study was originally published in French by a panel of experts from the public and private sectors. I was one of them.

Our approach was based on the Delphi method, an iterative process of discussion based on a questionnaire developed by a scientific committee, with interim summaries drawn up by an ad-hoc committee. The paperless discussion method was effective and kept participant responses anonymous, which leveled the playing field. The 22 experts who contributed to this study underwent three rounds of individual interviews, allowing them to express their opinions and reformulate their responses based on the results of the group discussions. Their analyses and individual expertise have led to a document that outlines typical criminal trends of the 21st century. The process, from the first questionnaire to this summary of results, took one year.


The result of this work is not an end in itself, but rather a tool to encourage discussion among policy makers, business leaders, and representatives of civil society regarding strategies to maintain the best possible control in a digital world without borders.

McAfee has translated the results of this new French study on computer-related crime. McAfee, and I, consider this methodical and original research invaluable in explaining the threats we face today and predicting what we might see in the years up to 2020. Armed with this expertise, we can more effectively protect ourselves against future cybercrime.

The English version of the document is available here.

OSX.Flashback – How to Turn Your Botnet into $$$

Further analysis of the OSX.Flashback botnet has shed more light on how profitable such a botnet can be. Previously, we wrote that OSX.Flashback was generating money for its authors by displaying advertisements on compromised computers. We now have a much clearer idea of how many ads the attackers were displaying and how much those ads earned for the attackers.

From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks, although it is worth mentioning that earning the money is only one part of the puzzle—actually collecting that money is another, often more difficult, job. Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid.

It is estimated the actual ad-clicking component of Flashback was only installed on about 10,000 of the more than 600,000 infected machines. In other words, utilizing less than 2% of the entire botnet the attackers were able to generate $14,000 in three weeks, meaning that if the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year.

For someone who is controlling a botnet of this magnitude, there are plenty of options. Recently we have seen many botnets using fraudulent ads to generate revenue for attackers. That is exactly the case with Flashback: the operators decided to leverage their botnet to commit fraudulent ad-clicks, also known as click fraud.

Analyzing the traffic delivered from the Flashback command-and-control (C&C) servers, we were able to follow the redirects used by the attackers. Compromised computers pass users' search keywords to the attackers. The attackers then contact various pay per click (PPC) services and route the ads from the PPC providers to the compromised computer—in the process earning money for those ads from the PPC providers.

We were able to identify patterns in the traffic sent to the compromised computers showing that the Flashback operators prefer some PPC providers over others. In fact over 98% of the ads being sent to compromised computers appear to originate from the same PPC provider. In such cases, the attackers are taking advantage of both users and the PPC providers by getting paid for ads that may not have been seen by users and may not be relevant to what the user searched for.

Process – Getting Paid

The OSX.Flashback bot-master hijacked Google’s search results and displayed their own PPC search results to create conversions. In the non-mainstream PPC world, keywords that generate the most pay out are usually related to pharmaceutical products, debt-mortgage consolidation, and auto-insurance. Generally, low demand search keywords such as yarn, glue, silly putty, etc., are usually the least expensive to use, but generate considerably less pay out.

Although the authors of Flashback had the opportunity to send users ads for search terms other than what the user had searched for, this is not what they decided to do. If a user searches for “toys” they are returned ads that are related to toys, likely avoiding the auditing programs that pay per click providers put in place. A search for “toys” on Google, for instance, results in a hijack by OSX.Flashback where the C&C server sends back the following encoded URL:

[http://][IP ADDRESS]/click.php?id=oilZLmquP5Xbg7U282f16g_6-uBw5r_xrTrfouhLHbOkwDfu0QZN4X21K6rK98QROh[REMOVED]

This URL redirects the user to the following URL that is related to the original search term “toys”:


Even though only a small fraction of the more than 600,000 compromised computers redirected users, the attackers still managed to display over 10 million ads in a three-week period, generating $14,000 in revenue during that time. Had the attackers been more successful in installing the final payload they could have been earning considerably more than that, which makes this a profitable model for the attackers. Although pay-per-click botnets are not a new idea—we have seen them on Windows for years—as the market share of Mac increases, we will see more Mac-related botnets similar to this one in the future.
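The traffic pattern described above (a search for a keyword, followed immediately by a request to an IP-hosted `click.php?id=...` redirector and then a keyword-relevant ad landing page, with most redirects funnelled through one provider) is something a defender can hunt for in outbound proxy logs. The following is an added example written for this page, not code from Symantec or from the Flashback analysis. It assumes a simplified proxy log format (`timestamp client status url`), uses constructed sample lines with a TEST-NET placeholder address (203.0.113.10) standing in for the redacted C&C/redirector IP, and treats "bare IPv4 host + `/click.php` + `id` parameter within a few seconds of a search" as the hijack indicator; the landing hosts and client addresses are likewise made up.

```python
"""Hunt for Flashback-style search-hijack redirect chains in web proxy logs.

Added example (not from the original analysis). Log format, hosts and
addresses below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample log: "timestamp client_ip http_status url" per line.
# 203.0.113.10 is a documentation/TEST-NET address standing in for the redacted redirector IP.
SAMPLE_LOG = """\
2012-04-10T09:00:01 10.0.0.5 200 http://www.google.com/search?q=toys
2012-04-10T09:00:02 10.0.0.5 302 http://203.0.113.10/click.php?id=c0nstructedId_abc123
2012-04-10T09:00:02 10.0.0.5 200 http://ads.example.net/landing?kw=toys
2012-04-10T09:05:00 10.0.0.7 200 http://www.google.com/search?q=yarn
2012-04-10T09:05:30 10.0.0.7 200 http://www.example.com/yarn
2012-04-10T09:06:00 10.0.0.9 200 http://www.google.com/search?q=insurance
2012-04-10T09:06:01 10.0.0.9 302 http://203.0.113.10/click.php?id=c0nstructedId_def456
2012-04-10T09:06:01 10.0.0.9 200 http://ads.example.net/landing?kw=insurance
"""

SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDOW = timedelta(seconds=5)  # assumed max gap between search and injected redirect


class Record(NamedTuple):
    ts: datetime
    client: str
    status: int
    url: str


class Finding(NamedTuple):
    client: str
    keyword: str
    redirector: str          # host of the click.php redirector
    landing: Optional[str]   # host the user ended up on, if seen


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, status, url = line.split(maxsplit=3)
        records.append(Record(datetime.fromisoformat(ts), client, int(status), url))
    return records


def search_keyword(url: str) -> Optional[str]:
    """Return the search term if the URL is a query to a known search engine."""
    p = urlparse(url)
    if p.netloc.lower() not in SEARCH_HOSTS:
        return None
    q = parse_qs(p.query).get("q")
    return q[0] if q else None


def is_click_redirector(url: str) -> bool:
    """Heuristic: IP-literal host serving /click.php with an opaque id parameter."""
    p = urlparse(url)
    return (bool(IPV4_HOST.match(p.netloc))
            and p.path.endswith("/click.php")
            and "id" in parse_qs(p.query))


def detect_hijacks(log_text: str) -> List[Finding]:
    """Per client, pair each search with a click.php redirect that follows within WINDOW."""
    by_client: Dict[str, List[Record]] = defaultdict(list)
    for rec in parse_log(log_text):
        by_client[rec.client].append(rec)

    findings: List[Finding] = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        for i, rec in enumerate(recs):
            keyword = search_keyword(rec.url)
            if keyword is None:
                continue
            for j in range(i + 1, len(recs)):
                nxt = recs[j]
                if nxt.ts - rec.ts > WINDOW:
                    break  # too late to be the injected redirect
                if is_click_redirector(nxt.url):
                    landing = None
                    if j + 1 < len(recs) and recs[j + 1].ts - nxt.ts <= WINDOW:
                        landing = urlparse(recs[j + 1].url).netloc
                    findings.append(Finding(client, keyword, urlparse(nxt.url).netloc, landing))
                    break
    return findings


def redirector_share(findings: List[Finding]) -> Dict[str, float]:
    """Fraction of hijacks per redirector host; a single dominant host is the Flashback signature."""
    counts = Counter(f.redirector for f in findings)
    total = sum(counts.values())
    return {host: n / total for host, n in counts.items()} if total else {}


if __name__ == "__main__":
    hits = detect_hijacks(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client}: '{h.keyword}' -> {h.redirector} -> {h.landing}")
    print(redirector_share(hits))
```

The keyword is carried through to the finding deliberately: because Flashback returned ads that matched the original search term, a keyword-mismatch check alone would not have caught it, so the detection keys on the redirector itself (an IP-literal host with an opaque `id`) and on the concentration of redirects through one host rather than on ad relevance. The time window and host lists are tunable assumptions.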

‘Dead Man Walking’ Tricks Airport Into Giving Him Top Security Job

The TSA may have its eagle sights set on your underwear and water bottle, but it missed the real security threat under its nose, it was revealed Monday, after a supervisor holding a top security job in a New Jersey airport was arrested for using the stolen identity of a dead man.

Bimbo Olumuyiwa Oyewole, known to his fellow workers as “Jerry Thomas,” obtained his job as a security guard supervisor at the Newark Liberty International Airport with credentials he’d allegedly stolen in 1992 from a petty criminal who was shot and killed in New York that year, according to CBS.

Authorities say Oyewole, who entered the U.S. illegally in 1989, began using Thomas’ birth certificate and Social Security number three weeks before he was murdered, though there’s no immediate evidence that he was involved in Thomas’ death. He used these documents to obtain a New Jersey driver’s license in Thomas’ name, as well as a state security guard license, airport identification and credit cards.

He used the fraudulent documents to gain employment with several contractors at the Newark airport, most recently with FJC Security Services.

At the time of his arrest on Monday, he was supervising 30 other security guards at the airport, including workers responsible for inspecting cargo vehicles, according to The Associated Press. His job also gave him unfettered access to the tarmac and to passenger planes.

The Newark airport is one of the busiest in the nation. More than 33 million travelers passed through it in 2010.

Authorities discovered Oyewole wasn’t the man he said he was only after an anonymous letter was sent to the Port Authority of New York, which oversees the region’s main airports, and to the New Jersey inspector general’s office. The letter indicated that “Jerry Thomas” was known by other names.

Oyewole may have been able to slip past security checks with a fake identity for two decades because he began using Thomas’ identity years before background checks became more stringent.

The Transportation Security Administration, which conducts security threat assessments at airports and requires anyone with access to sensitive areas to carry a security badge, was created only after the Sept. 11 terror attacks.

To obtain a badge for secure areas, workers need to provide a Social Security number and proof of name and place of birth. The Port Authority is responsible for validating the information and submitting this and other information to the FBI for a fingerprint-based criminal background check, after which the TSA conducts a security threat assessment on the individual.

It’s believed that because Oyewole was already a trusted worker at the time security assessments became more strict, no one bothered to dig deeply into his background.

But Oyewole’s scam against the airport apparently wasn’t the only security issue there. On the same day he was arrested, the Department of Homeland Security Inspector General released a report showing that the Newark airport was one of the worst in reporting security breaches that occurred at its facilities.

A “security breach” was defined as an incident where an individual gained access to sterile areas of an airport without submitting to screening or inspection at a TSA checkpoint.

The IG found that TSA employees at six airports surveyed reported only about 42 percent of security breaches, with the Newark Liberty airport being one of the worst offenders, reporting even fewer security breaches than the others. The precise number of security breaches at the Newark airport was redacted in the report.