The case offers a rare look at the use of so-called “offensive” computer security tools by the U.S. government. Most past such legal requests by government investigators appear to have been sealed, as have been the judges’ rulings.

Read the rest of this post on the original site »

Sen. Lindsay Graham just told Fox News that the reason the FBI never realized that Boston Marathon bombing suspect Tamerlan Tsarnaev went to Russia in 2011 is that “when he got on the Aeroflot plane, they misspelled his name, so it never went into the system that he actually went to Russia.” Meanwhile, the Reinhart-Rogoff paper that has been a catalyst for government austerity policies worldwide since 2010 has, in fact, accidentally left out several countries’ worth of critical data in Excel.

As one blogger sums up scathingly: “One of the core empirical points providing the intellectual foundation for the global move to austerity in the early 2010s was based on someone accidentally not updating a row formula in Excel.”

Taken together, these factors offer a critical lesson here about the power and limits of Big Data today. In both scenarios, data management tools (i.e., the FBI’s systems and Excel) were undone by fairly simple errors: In one situation, a misspelling; in another, a failure to code a spreadsheet properly. And in both scenarios, the results were dire — an awful tragedy, and a potentially misdirected government economic policy in the midst of a recession.

As someone who spends day and night thinking through data management and workflow, these two stories lead me to three observations:

• As a society, we’re hugely reliant on data management platforms for our most critical information.
• Our core data platforms often aren’t set up to handle human error, from basic coding flaws to spelling mistakes.
• The wealth of data in our data tools can mask that human error. Consider: The Reinhart-Rogoff study examined “new data on forty-four countries spanning about two hundred years” with “over 3,700 annual observations covering a wide range of political systems, institutions, exchange rate arrangements, and historic circumstances.”

In such a wide sea of data, a few lines of code can be very easy to overlook, even if they have strong ramifications for analysis.

There are lots of things to take away from these three points, but I’ll just focus on one: The promise of Big Data is that it can make everyday processes — from critical analyses to mundane tasks — work smarter through data intelligence. Ultimately, all that data management translates into an economy and society that lets machines handle the minutiae as humans think through the larger picture.

To a large extent, that vision is already here. But at the same time, more human/data interaction means a lot more room for error (and inefficiency) around increasingly critical data sets — which, as we’ve seen, can have very serious results. Which means that, if we want to make the reality of Big Data match the dream, we need to spend serious time around providing usability that guides human users in the best way to engage with the data, and automation that takes human interaction (and human error) out of the picture for a lot of the basic calculations and tasks — and for some of the complicated ones, too.

If Big Data can’t fit hand-in-glove with usability and workflow, a lot of the promise of big data will be empty data crunching. That’s not just a problem for getting where we want to be in the evolution of computing. It’s a situation that can lead to bad data management — which translates into bad economics and, sometimes, far worse.

Bill Wise is CEO of Mediaocean. You can follow him on twitter at @billwise.

It is also a rebuke to the Internet’s amateur investigators — and to media outlets who encouraged them by passing along their speculation to the wider world.

The Post story spends quite a bit of time relaying this message from law enforcement officials: It’s great that you want to pitch in, but you’re probably going to do more harm than good. When we want your help, we’ll ask for it.

If you’re a true believer in Reddit Exceptionalism, and/or that crowds are always wiser than the pros, or that you simply can’t stop people from talking about things on the Internet, so best to talk about them yourself, you can probably find something to feel good about in today’s story. Likely along the lines of “Hey! We had an effect on the investigation!”

But the law enforcement sources the Post talked to sure don’t seem too feel great about that effect. The biggest impact seems to be that FBI officials released images of Tamerlan and Dzhokhar Tsarnaev before they might have wanted to, because they were afraid someone else would, first — or that people would keep misidentifying innocent people as suspects.

From the Post:

● Investigators didn’t want to risk having news outlets put out the Tsarnaevs’ images first, which might have made them the object of a wave of popular sympathy for wrongly suspected people, as had happened with two high school runners from the Boston area whose photos were published on the front page of the New York Post under the headline “Bag Men.” At the news conference, FBI Special Agent in Charge Richard DesLauriers sternly asked the public to view only its pictures or risk creating “undue work for vital law enforcement resources.”

● Investigators were concerned that if they didn’t assert control over the release of the Tsarnaevs’ photos, their manhunt would become a chaotic free-for-all, with news media cars and helicopters, as well as online vigilante detectives, competing with police in the chase to find the suspects. By stressing that all information had to flow to 911 and official investigators, the FBI hoped to cut off that freelance sleuthing and attend to public safety even as they searched for the brothers.

Want to couch this in some to-be-sures? Okay.

* Maybe it’s possible that someone, somewhere, on the Internet did have more impact on the case than the Post’s sources are letting on. After all, this is still a very early draft of history, cobbled together just hours after the event. Things get more nuanced over time, and sometimes they play out much differently.

* Similarly, it’s easy to assume that there’s some institutional bias in the Post’s story. If amateurs did have a more significant role in the case, the pros might not be excited to talk about it — for the same reason lots of professional reporters aren’t excited to acknowledge their diminished authority in the Web age.

And, in any case, I assume that none of this will prevent some Redditors or other would-be Sherlocks from trying the same thing the next time around. But maybe it will make the rest of us just a little bit less likely to share their efforts with our friends or readers.

(Image courtesy of spirit of america/Shutterstock.com)

The latest is the video footage taken by a Massachusetts State Police helicopter of the careful way in which police approached the boat. Obviously, they were cautious, no doubt because they had engaged in a pretty intense firefight with the suspect.

What you see in the video below, which was released today, is thermal imagery showing Tsarnaev’s warm body plainly visible beneath the boat cover. In the minutes leading up to the capture you could plainly hear, on police scanner traffic, someone saying whether or not he was moving, and see his position in the front or the middle or rear of the boat as he moved around a little. Later, you see a police vehicle moving in and using a robotic arm of some kind to tear away the cover.

And if you haven’t seen this yet, it bears mentioning: It’s some amateur video, taken from a neighboring home, of the gunfight that had occurred outside the boat just as Tsarnaev was discovered. (Be advised: There’s some NSFW language as it goes down.)

Finally, here are five still photos, released earlier by the Massachusetts State Police, taken from the video footage above. You can click them to make them bigger:

Police and Federal Bureau of Investigation agents converged on a house in the Boston suburb of Watertown late Friday, and apprehended Dzhokhar Tsarnaev, one of two brothers alleged to have exploded two homemade bombs in downtown Boston, killing three people and injuring more than 175. Images of the suspect were shown all day on national TV and online and online.

Read the rest of this post on the original site »

Judge Susan Illston, of U.S. District Court for the Northern District of California, said the laws, which underlie a tool known as a “national security letter,” violate the First Amendment and the separation of powers principles. In her order, Judge Illston ordered the government to stop issuing national security letters or enforcing their gag orders, although she said enforcement of her judgment would be stayed pending appeal.

Read the rest of this post on the original site »

The investigation confirmation came as part of HP’s annual report filed with the Securities and Exchange Commission. But this move was entirely expected given HP took its case to the FBI/DOJ and the SEC in the United States as well as the Serious Fraud Office in the U.K.

HP said it was alerted by the DOJ on Nov. 21 that it had officially opened an investigation about Autonomy.

Former Autonomy CEO Mike Lynch has strenuously rejected HP’s claims and has demanded to see evidence for them.

A spokesman for HP declined to comment on the matter.

RELATED POSTS:

• More From Mike Lynch: HP’s Autonomy Accusations Are Getting Weaker
• Mike Lynch Punches Back at Today’s HP Filing: Whither $5B Writedown?
• HP Confirms DOJ Is Investigating Alleged Fraud in Autonomy Deal
• Yes, There Are Layoffs Pending at HP’s Autonomy Unit in the U.K.
• Former HP CEO Shifts Blame for Autonomy Deal to Chairman
• Dell Passed on Autonomy Before HP Bought It
• Why Mike Lynch Is Playing PR Hardball With HP
• Autonomy Founder Lynch Asks Board to Explain HP Allegations
• Autonomy Founder Lynch Blames Accounting Standards in HP Flap
• The Red Flags That Were Obvious — To Some — In the HP-Autonomy Deal
• Oracle’s Ellison Vindicated in Autonomy PR Flap by HP’s $8.8 Billion Writedown
• Autonomy Founder Mike Lynch Rejects HP Charges, Alleges Mismanagement
• What Exactly Happened at Autonomy?
• HP Explains Its $8.8 Billion “Oops”
• HP Beats Street Amid Sales Declines, Takes $8.8 Billion Charge
• HP Names Microsoft Exec Robert Youngjohns to Run Autonomy
• Search Under Way at HP for Autonomy’s Next Chief
• Autonomy’s Mike Lynch Talks About Being HP’s Speedy Tiger Cub (Video)
• Britain’s First Software Billionaire Now Reports to HP CEO Meg Whitman
• Oracle Launches Exalytics Machine, Probably Ending Spat With Autonomy
• Autonomy: When All Else Fails, Blame the Bankers
• Mike Lynch to Oracle: Oh, You Mean Those Slides
• Oracle: You Have a Very Bad Memory, Mr. Lynch
• HP Reportedly Close to $10 Billion Buyout of Autonomy, PC Unit Spinoff
• Will Oracle and Microsoft Bid on Autonomy?

The hackers targeted Mr. Mullen’s personal computers, which he used while working on the grounds of the U.S. Naval Academy since his retirement in 2011, according to officials and others familiar with the probe. Those people said FBI agents took away two computers in late October and returned them in mid-November.

Read the rest of this post on the original site »

Paul Ceglia allegedly “doctored, fabricated and destroyed evidence” to support his false claim that he was promised a 50 percent share in Facebook by Mr. Zuckerberg, according to a criminal complaint unsealed in Manhattan federal court on Friday.

Read the rest of this post on the original site »

Paul DeHart, CEO of Blue Toad, a Florida publishing house, tells NBC that the list of one million Unique Device Identifiers (UDIDs) that AntiSec published earlier this month almost certainly came from its servers. Indeed, a comparison of the UDIDs on the AntiSec list to the UDIDs that BlueToad, a registered iOS app developer, has stored in one of its databases shows an almost 98 percent correlation between the two data sets.

“That’s 100 percent confidence level, it’s our data,” DeHart told NBC. “As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

So how did Blue Toad come by such a vast collection of iOS device UDIDs? Well, as I noted earlier, the company is a registered app developer. And while it’s not a household name, Blue Toad provides app-building services for about 6,000 different publishers, and it currently has 139 iPhone apps and 150 iPad apps available on the iTunes App Store. So it’s certainly plausible that Blue Toad might have a sizable collection of UDIDs. Apple confirmed as much in a statement to AllThingsD.

“As an app developer, BlueToad would have access to a user’s device information such as UDID, device name and type,” Apple spokeswoman Trudy Muller said. “Developers do not have access to users’ account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer.”

Muller added that Apple will soon do away with the UDID entirely, which will presumably bring an end to related security cock-ups like this one. “With iOS 6, we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” she said.

Google Inc. earlier this year refused to unlock an alleged pimp’s cellphone powered by its Android software — even after the Federal Bureau of Investigation obtained a search warrant.

Read the rest of this post on the original site »

“The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokeswoman Natalie Kerris told AllThingsD.

AntiSec claimed Tuesday that it breached an agency-owned computer and stole a database said to contain some 12 million unique ID numbers for iPhones and iPads around the world. The FBI branded that story as totally false, saying, “At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

The FBI computer from which the data was supposedly taken was never hacked, the Bureau said. What’s more, it said it never gathered the information in the first place.

Here’s the statement straight from an FBI spokesperson, sent only five minutes ago:

The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.

On Twitter, the FBI’s press office was a lot less ambiguous:

Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE

September 4, 2012 1:52 pm via webReplyRetweetFavorite

@FBIPressOffice

FBI PressOffice

In a message posted to Pastebin earlier today, AntiSec (a.k.a. LulzSec, a.k.a. Anonymous) claimed that it had stolen a list of millions of Unique Device ID numbers and related names and other information for some 12 million Apple-made iOS devices, including iPhones, iPads and iPod touches, found in a notebook computer belonging to an FBI employee.

The point of the claim — and we should be clear that from the first it has been only a claim and an unverified one at that — the group said, was to sound the alarm that the top American law enforcement agency is creating a list of owners of such devices for uncertain purpose. Clearly the agency is calling that claim into serious doubt and thus raising further questions about the origins of the document that AntiSec released today.

So where did that document come from really? The ball is now in AntiSec’s court.

One other thought comes to mind: If, as AntiSec says, the document in question came from an FBI-owned computer and was taken using a breach that took advantage of a vulnerability in Java, then AntiSec is readily admitting that the person who carried out the act has committed a federal crime. Given the history of numerous arrests in the U.S., the U.K. and elsewhere, and especially in light of the fact that the group was betrayed by one of its own, you’d think its remaining members would try to be more careful about its public claims.

It also wouldn’t be the first time that AntiSec/LulzSec/Anonymous had made inflated claims about its abilities. Last summer it made a lot of noise about a bunch of documents from NATO, which it portrayed as both important and sensitive, but which after a little scrutiny turned out to be neither.

Update: AntiSec is certainly enjoying the sudden spike in attention it has been getting.

One of the weirder demands in its statement today had to do with a Gawker writer, a ballet tutu and a shoe. Whatever. They got their wish.

Via its Twitter feed, AntiSec — which supposedly Tweets under the account @AnonymousIRC — reacted to the FBI saying there’s likely more to come.

Also, before you deny too much: Remember we’re sitting on 3TB additional data. We have not even started. #funtimes #fff

September 4, 2012 2:16 pm via TweetDeckReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

In another statement, AntiSec hinted that there will be more disclosures, and referred back to a message posted on YouTube from earlier this year about a 3-terabyte cache of data. It also sought to cast doubt on the FBI’s denial: “The fact that the FBI has no ‘evidence’ of a data breach on one of their notebooks, does not allow the conclusion that it never happened.” Essentially AntiSec is claiming that it knows more about the situation than the FBI does.

Also there’s this, where AntiSec seems to imply that there may be a common app involved in all this.

People whose UDID was on the list released by AntiSec might want to compare their installed apps. A common culprit might be found.

September 4, 2012 3:23 pm via TweetDeckReplyRetweetFavorite

@AnonymousIRC

AnonymousIRC

Those are but three of the questions arising from the overnight dump of 1 million Unique Device Identification numbers by the hacker troupe known as AntiSec, the loosely organized group that has variously used the names LulzSec and Anonymous over the last year or so.

In an otherwise rambling political message posted to PasteBin, the group included download links to an 89-megabyte file that certainly looks for real. The circumstances of how the hackers obtained it couldn’t be independently confirmed, but AntiSec claims it was taken during a breach of an FBI-owned notebook in March.

The group described the incident like so (typos in the original):

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

There is, according to LinkedIn, a Christopher Stangl employed by the FBI in New York, but so far the agency has had no comment on AntiSec’s claims.

I downloaded the file and from what I know about UDID numbers, it certainly looks legit. So what is a UDID anyway and why should you care? Every iOS device — iPhones, iPads, and iPod touches — has a UDID number. Developers use it to distribute trial versions of new apps before those apps are released to the iTunes store. Another use is storing applications preferences and high scores for games.

But historically, the UDID has been part of the data that many popular applications have shared with third-party marketers along with the phone owner’s age, gender, and ZIP code. A 2010 Wall Street Journal story examined this practice in detail. Earlier that year, the nature of privacy risks on the iPhone were disclosed (PDF here) by the security researcher Erik Smith of PSKL.

Earlier this year Apple started quietly denying access to the UDID by developers, refusing to approve apps that access it, making good on a policy it outlined in August of 2011. In March of this year, Congress started asking questions about the privacy in iOS apps, including UDIDs.

If you’d like to know if your device is on the list of 1 million or so released so far, here’s what to do. First, install a free app called Ad Hoc Helper on your device. This app grabs your device’s UDID and emails it to you. Once you have it, cut and paste the number into this search tool on Dazzlepod. (We haven’t vetted this, so use it at your own risk.)

So what use is knowing if your device is on the list? That’s a good question. I checked two of the three iOS devices I own and they’re not on the list, though in the original file there were several devices owned by people who share my first name. As AntiSec puts it in its statement: “…in this case it’s too late for those concerned owners on the list.”

If the claim by AntiSec bears out (and frankly, right now it is only that, a claim), then the question quickly turns to the FBI’s reasons for gathering the information in the first place. There might be legitimate law-enforcement reasons for doing so, though it’s hard to image what they might be given the sheer numbers said to be involved. It’s not hard to imagine the FBI requesting a UDID along with other information as part of building a case in a criminal investigation into a person or a set of people. But the leak of 1 million such UDIDs with the promise that there are 12 million more certainly raises a lot of troubling questions.

Worse is the fact that the machine on which it was stored was so readily breached by outside elements, though again, this is only an unverified claim.

I’ve asked Apple and the FBI for guidance on this, and don’t expect to hear much, but will update you if I do.

The SEC has alleged that during a period starting in 2005 and ending in 2007, employees at Oracle India had distributors keep some funds off the books. On 14 different occasions during the course of executing eight government contracts there, some Oracle India employees added some extra “margins” to deals they did with local distributors. (See the complaint here.) The funds piled up and were used to make payments to third parties, some of which proved to be either non-existent entities or storefronts.

The actions violated the Foreign Corrupt Practices Act. Oracle disclosed the violations to the SEC and cooperated with the investigation. The SEC and FBI started their investigation last year.

Oracle is not alone in this sort of thing. Last year, IBM paid $10 million to settle similar charges stemming from incidents in South Korea and China. And Hewlett-Packard faced its own in 2010 concerning alleged violations in Russia.

Here’s Oracle’s statement on the matter:

In 2007, Oracle discovered that a few employees of its Indian subsidiary apparently had directed distributors to maintain side funds in violation of Oracle business practices. Following a thorough investigation, the employees involved were terminated. Oracle disclosed the matter to the government and has cooperated with the SEC in its investigation, culminating in today’s announcement of a $2 million settlement.

And this from spokeswoman Deborah Hellinger: “Oracle has established policies, programs and controls to deter and detect inappropriate conduct that have been recognized among the best in our industry. We will continue to maintain a high standard of compliance and accountability for our business around the world.”

Here’s the full SEC Statement:

SEC Charges Oracle Corporation With FCPA Violations Related to Secret Side Funds in India
FOR IMMEDIATE RELEASE
2012-158

Washington, D.C., Aug. 16, 2012 — The Securities and Exchange Commission today charged Oracle Corporation with violating the Foreign Corrupt Practices Act (FCPA) by failing to prevent a subsidiary from secretly setting aside money off the company’s books that was eventually used to make unauthorized payments to phony vendors in India.

The SEC alleges that certain employees of the India subsidiary of the Redwood Shores, Calif.-based enterprise systems firm structured transactions with India’s government on more than a dozen occasions in a way that enabled Oracle India’s distributors to hold approximately $2.2 million of the proceeds in unauthorized side funds. Those Oracle India employees then directed the distributors to make payments out of these side funds to purported local vendors, several of which were merely storefronts that did not provide any services to Oracle. Oracle’s subsidiary documented certain payments with fake invoices.

Oracle agreed to pay a $2 million penalty to settle the SEC’s charges.

“Through its subsidiary’s use of secret cash cushions, Oracle exposed itself to the risk that these hidden funds would be put to illegal use,” said Marc J. Fagel, Director of the SEC’s San Francisco Regional Office. “It is important for U.S. companies to proactively establish policies and procedures to minimize the potential for payments to foreign officials or other unauthorized uses of company funds.”

According to the SEC’s complaint filed in U.S. District Court for the Northern District of California, the misconduct at Oracle’s India subsidiary – Oracle India Private Limited – occurred from 2005 to 2007. Oracle India sold software licenses and services to India’s government through local distributors, and then had the distributors “park” excess funds from the sales outside Oracle India’s books and records.

For example, according to the SEC’s complaint, Oracle India secured a $3.9 million deal with India’s Ministry of Information Technology and Communications in May 2006. As instructed by Oracle India’s then-sales director, only $2.1 million was sent to Oracle to record as revenue on the transaction, and the distributor kept $151,000 for services rendered. Certain other Oracle India employees further instructed the distributor to park the remaining $1.7 million for “marketing development purposes.” Two months later, one of those same Oracle India employees created and provided to the distributor eight invoices for payments to purported third-party vendors ranging from $110,000 to $396,000. In fact, none of these storefront-only third parties provided any services or were included on Oracle’s approved vendor list. The third-party payments created the risk that the funds could be used for illicit purposes such as bribery or embezzlement.

The SEC’s complaint alleges that Oracle violated the FCPA’s books and records provisions and internal controls provisions by failing to accurately record the side funds that Oracle India maintained with its distributors. Oracle failed to devise and maintain a system of effective internal controls that would have prevented the improper use of company funds.

Without admitting or denying the SEC’s allegations, Oracle consented to the entry of a final judgment ordering the company to pay the $2 million penalty and permanently enjoining it from future violations of these provisions. The settlement takes into account Oracle’s voluntary disclosure of the conduct in India and its cooperation with the SEC’s investigation, as well as remedial measures taken by the company, including firing the employees involved in the misconduct and making significant enhancements to its FCPA compliance program.

The SEC’s investigation was conducted by staff attorney Elena Ro and Assistant Regional Director Jina Choi in the San Francisco Regional Office. The SEC acknowledges the assistance of the U.S. Department of Justice, Federal Bureau of Investigation, and Internal Revenue Service.

The system, called Sentinel, includes elements resembling Web browsers, with tabs and movable windows, and forms that are filled out in a question-and-answer format similar to consumer tax software.

Read the rest of this post on the original site »

The U.S. Department of Justice fired back with a serious accusation. It filed a civil complaint claiming that the company, by not handing over its files, was interfering “with the United States’ sovereign interests” in national security.

Read the rest of this post on the original site »

The malware is called DNSChanger, and it was the centerpiece of an Internet crime spree that came to an end last November when the FBI arrested and charged seven Eastern European men with 27 counts of wire fraud and other computer crimes. At one point, the DNSChanger malware had hijacked the Internet traffic of about a half-million PCs around the world by redirecting the victims’ Web browsers to Web sites owned by the criminals. They then cashed in on ads on those sites and racked up $14 million from the scheme. When the crackdown came, it was hailed as one of the biggest computer crime busts in history.

But the FBI ended up doing something unusual: It took over the network the criminals had created and thus kept those infected machines up and running. Next week — July 9, to be exact — the FBI will pull the plug on that DNS Network.

If you don’t want to lose your Internet connectivity when that happens, the first thing to do is check to see if your machine is affected. You can do that here. If you see green, you’re good. If red, go here for tips on how to clean up your machine. From there, reset your machine’s DNS settings. It’s a pretty good idea to use a service like OpenDNS, or Google’s public DNS service, to handle your DNS queries. Usually, DNS settings are handled automatically by your ISP, but third-party DNS services can be a little snappier and more up to date, and will also help guard your machine against security threats.

Also, if you run a Web site, it might be worth your while to warn your users to check if they’re infected. In May, Cloudflare, the Web security start-up I wrote about last year, had teamed up with OpenDNS to help Web publishers warn their users about the infection.

Despite those efforts, some 64,000 people in the U.S. and 200,000 more outside the U.S. are still infected and will likely lose their connections on Monday through no fault of their own.

The Federal Bureau of Investigation set up a fake online forum two years ago to attract online thieves who steal personal identification and account information for credit, debit and bank cards that are used to make illicit purchases or to sell to others.

Read the rest of this post on the original site »

The company has signed Shawn Henry, the FBI’s former executive assistant director of the Criminal, Cyber, Response, and Service Branch, as the new president of its services subsidiary, CrowdStrike Services. Henry is a 24-year FBI veteran who led some of the Bureau’s biggest cybercrime cases.

Crowdstrike was launched by two veterans of McAfee, the security software concern that’s now a unit of chip giant Intel: George Kurtz, McAfee’s former CTO, and Dmitri Alperovitch, its former Vice President of Threat Research.

Not a great deal has yet been disclosed about Crowdstrike’s approach to security, but in the February 22 blog post announcing the launch of the company, Kurtz explained that, having seen the results of investigations into several high-profile cyber attacks, the current state of security practice is akin to the old French Maginot Line that was intended to keep out the Germans.

Kurtz argued that once you know your enemy — the party that’s attacking you — the key to success in stopping their attacks on your digital assets is to raise the cost of the human-powered portions of their attacks. “The only way to accomplish that is by forcing them to change the way they conduct the human-led parts of their intrusions, such as reconnaissance, lateral movement, identification of valuable assets, and exfiltration,” Kurtz wrote.

Henry did a short video announcing his move, and I embedded it below.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

Read the rest of this post on the original site »

The new details, revealed in court documents made public on Thursday, show how quickly investigators were able to turn 28-year-old Hector Xavier Monsegur against his fellow alleged hackers.

Read the rest of this post on the original site »

I’m working on getting copies of the criminal complaints, and will add them here when I do, but here’s the rundown: It looks like one of the group’s insiders got caught and probably made some kind of misstep in covering his tracks, and then worked secretly with the government to inform on other members. This is exactly what I said was likely to happen in this case, way back in June.

According to Fox, the one who turned is a New Yorker named Hector Xavier Monsegur, who worked under the handle Sabu. He’s 28 years old and the father of two, and lives on the Lower East Side of Manhattan. This is his Twitter feed. He’s been a cooperating witness since June, which coincides nicely with the moment when the first rumors started to emerge that the FBI had penetrated the group.

Fox says that according to documents that will be unsealed in a New York federal court today, Monsegur pleaded guilty in August to several hacking-related crimes. His cooperation led to charges against five more people in Chicago, the U.K. and Ireland. Among them is Jake Davis, the 18-year-old resident of the Shetland Islands, who went by the handle Topiary, and whom police in the U.K. collared on Aug. 1.

The other four are Ryan Ackroyd, who went under the handle “Kayla.” He’s a Londoner. Two people from Ireland were also charged: Darren Martyn, whose handle was “pwnsauce,” and Donncha O’Cearrbhail, who called himself “palladium.” Jeremy Hammond of Chicago went by the handle “Anarchaos.”

The news makes the following tweet by Monsegur, a.k.a. Sabu, seem sort of ironic. Among his final tweets, before word emerged that he had helped turn in his comrades, were several railing against informants and other “cowards.” Clearly, he was keeping up a brave public face:

Without informants or companies bending over+giving up their customer data the feds would be further behind than they are now. Ride up.

March 5, 2012 7:59 am via Twitter for BlackBerry®ReplyRetweetFavorite

@anonymouSabu

The Real Sabu

Anonymous, the wider hacker group with which LulzSec teamed up last year, was quick to urge its followers to block Sabu’s Twitter account.

@anonymouSabu is now controlled by feds. We have blocked the account and we suggest you do as well. #BlockAnonymouSabu

March 6, 2012 10:38 am via TweetDeckReplyRetweetFavorite

@anonops

AnonOps

Hammond, the one in Chicago, was said to be the one who led the hack against the private intelligence company Stratfor. He was profiled by Chicago Magazine in 2007 and portrayed as something of a digital Robin Hood.

Ackroyd is said to be the one who found the weaknesses in the servers of the U.S. Senate that led to its being attacked in June. Hacking federal computer systems is considered a serious crime in the U.S., but is something that LulzSec said, in the posting to Pastebin at the time, that they carried out “just for kicks.”

Update: So the US Attorney’s Office in New York has issued its press release confirming most of what Fox reported. Here it is.

Six Hackers in the United States and Abroad Charged for Crimes Affecting Over One Million Victims

Four Principal Members of “Anonymous” and “LulzSec” Charged with Computer Hacking and Fifth Member Pleads Guilty; “AntiSec” Member also Charged with Stealing Confidential Information from Approximately 860,000 Clients and Subscribers of Stratfor

U.S. Attorney’s Office March 06, 2012

Five computer hackers in the United States and abroad were charged today, and a sixth pled guilty, for computer hacking and other crimes. The six hackers identified themselves as aligned with the group Anonymous, which is a loose confederation of computer hackers and others, and/or offshoot groups related to Anonymous, including “Internet Feds,” “LulzSec,” and “AntiSec.”

RYAN ACKROYD, a/k/a “kayla,” a/k/a “lol,” a/k/a “lolspoon”; JAKE DAVIS, a/k/a “topiary,” a/k/a “atopiary”; DARREN MARTYN, a/k/a “pwnsauce,” a/k/a “raepsauce,” a/k/a “networkkitten”; and DONNCHA O’CEARRBHAIL, a/k/a “palladium,” who identified themselves as members of Anonymous, Internet Feds, and/or LulzSec, were charged in an indictment unsealed today in Manhattan federal court with computer hacking conspiracy involving the hacks of Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service (“PBS”). O’CEARRBHAIL is also charged in a separate criminal complaint with intentionally disclosing an unlawfully intercepted wire communication.

HECTOR XAVIER MONSEGUR, a/k/a “Sabu,” a/k/a “Xavier DeLeon,” a/k/a “Leon,” who also identified himself as a member of Anonymous, Internet Feds, and LulzSec, pled guilty on August 15, 2011 in U.S. District Court to a 12-count information charging him with computer hacking conspiracies and other crimes. MONSEGUR’S information and guilty plea were unsealed today. The crimes to which MONSEGUR pled guilty include computer hacking conspiracy charges initially filed in the Southern District of New York. He also pled guilty to the following charges: a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of California related to the hacks of HBGary, Inc. and HBGary Federal LLC; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Central District of California related to the hack of Sony Pictures Entertainment and Fox Broadcasting Company; a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Northern District of Georgia related to the hack of Infragard Members Alliance; and a substantive hacking charge initially filed by the U.S. Attorney’s Office in the Eastern District of Virginia related to the hack of PBS, all of which were transferred to the Southern District of New York, pursuant to Rule 20 of the Federal Rules of Criminal Procedure, in coordination with the Computer Crime and Intellectual Property Section (“CCIPS”) in the Justice Department’s Criminal Division.

Late yesterday, JEREMY HAMMOND, a/k/a “Anarchaos,” a/k/a “sup_g,” a/k/a “burn,” a/k/a “yohoho,” a/k/a “POW,” a/k/a “tylerknowsthis,” a/k/a “crediblethreat,” who identified himself as a member of AntiSec, was arrested in Chicago, Illinois and charged in a criminal complaint with crimes relating to the December 2011 hack of Strategic Forecasting, Inc. (“Stratfor”), a global intelligence firm in Austin, Texas, which may have affected approximately 860,000 victims. In publicizing the Stratfor hack, members of AntiSec reaffirmed their connection to Anonymous and other related groups, including LulzSec. For example, AntiSec members published a document with links to the stolen Stratfor data titled, “Anonymous Lulzxmas rooting you proud” on a file sharing website.

The following allegations are based on the indictment, the information, the complaints, and statements made at MONSEGUR’s guilty plea:

Hacks by Anonymous, Internet Feds, and LulzSec

Since at least 2008, Anonymous has been a loose confederation of computer hackers and others. MONSEGUR and other members of Anonymous took responsibility for a number of cyber attacks between December 2010 and June 2011, including denial of service (“DoS”) attacks against the websites of Visa, MasterCard, and PayPal, as retaliation for the refusal of these companies to process donations to Wikileaks, as well as hacks or DoS attacks on foreign government computer systems.

Between December 2010 and May 2011, members of Internet Feds similarly waged a deliberate campaign of online destruction, intimidation, and criminality. Members of Internet Feds engaged in a series of cyber attacks that included breaking into computer systems, stealing confidential information, publicly disclosing stolen confidential information, hijacking victims’ e-mail and Twitter accounts, and defacing victims’ Internet websites. Specifically, ACKROYD, DAVIS, MARTYN, O’CEARRBHAIL, and MONSEGUR, as members of InternetFeds, conspired to commit computer hacks including: the hack of the website of Fine Gael, a political party in Ireland; the hack of computer systems used by security firms HBGary, Inc. and its affiliate HBGary Federal, LLC, from which Internet Feds stole confidential data pertaining to 80,000 user accounts; and the hack of computer systems used by Fox Broadcasting Company, from which Internet Feds stole confidential data relating to more than 70,000 potential contestants on “X-Factor,” a Fox television show.

In May 2011, following the publicity that they had generated as a result of their hacks, including those of Fine Gael and HBGary, ACKROYD, DAVIS, MARTYN, and MONSEGUR formed and became the principal members of a new hacking group called “Lulz Security” or “LulzSec.” Like Internet Feds, LulzSec undertook a campaign of malicious cyber assaults on the websites and computer systems of various business and governmental entities in the United States and throughout the world. Specifically, ACKROYD, DAVIS, MARTYN, and MONSEGUR, as members of LulzSec, conspired to commit computer hacks including the hacks of computer systems used by the PBS, in retaliation for what LulzSec perceived to be unfavorable news coverage in an episode of the news program “Frontline”; Sony Pictures Entertainment, in which LulzSec stole confidential data concerning approximately 100,000 users of Sony’s website; and Bethesda Softworks, a video game company based in Maryland, in which LulzSec stole confidential information for approximately 200,000 users of Bethesda’s website.

The Stratfor Hack

In December 2011, HAMMOND conspired to hack into computer systems used by Stratfor, a private firm that provides governments and others with independent geopolitical analysis. HAMMOND and his co-conspirators, as members of AntiSec, stole confidential information from those computer systems, including Stratfor employees’ e-mails as well as account information for approximately 860,000 Stratfor subscribers or clients. HAMMOND and his co-conspirators stole credit card information for approximately 60,000 credit card users and used some of the stolen data to make unauthorized charges exceeding $700,000. HAMMOND and his co-conspirators also publicly disclosed some of the confidential information they had stolen.

The Hack of International Law Enforcement

In January 2012, O’CEARRBHAIL hacked into the personal e-mail account of an officer with Ireland’s national police service, the An Garda Siochana (the “Garda”). Because the Garda officer had forwarded work e-mails to a personal account, O’CEARRBHAIL learned information about how to access a conference call that the Garda, the FBI, and other law enforcement agencies were planning to hold on January 17, 2012 regarding international investigations of Anonymous and other hacking groups. O’CEARRBHAIL then accessed and secretly recorded the January 17 international law enforcement conference call, and then disseminated the illegally-obtained recording to others.

***

MONSEGUR, 28, of New York, New York, pled guilty to three counts of computer hacking conspiracy, five counts of computer hacking, one count of computer hacking in furtherance of fraud, one count of conspiracy to commit access device fraud, one count of conspiracy to commit bank fraud, and one count of aggravated identity theft. He faces a maximum sentence of 124 years and six months in prison.

ACKROYD, 23, of Doncaster, United Kingdom; DAVIS, 29, of Lerwick, Shetland Islands, United Kingdom; and MARTYN, 25, of Galway, Ireland, each are charged with two counts of computer hacking conspiracy. Each conspiracy count carries a maximum sentence of 10 years in prison.

O’CEARRBHAIL, 19, of Birr, Ireland, is charged in the indictment with one count of computer hacking conspiracy, for which he faces 10 years in prison. He is also charged in the complaint with one count of intentionally disclosing an unlawfully intercepted wire communication, for which he faces a maximum sentence of five years in prison.

HAMMOND, 27, of Chicago, Illinois, is charged with one count of computer hacking conspiracy, one count of computer hacking, and one count of conspiracy to commit access device fraud. Each count carries a maximum sentence of 10 years in prison.

DAVIS is separately facing criminal charges in the United Kingdom, which remain pending, and ACKROYD is being interviewed today by the Police Central e-crime Unit in the United Kingdom. O’CEARRBHAIL was arrested today by the Garda.

The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of New York. The investigation was initiated and led by the FBI, and its New York Cyber Crime Task Force, which is a federal, state, and local law enforcement task force combating cybercrime, with assistance from the PCeU; a unit of New Scotland Yard’s Specialist Crime Directorate, SCD6; the Garda; the Criminal Division’s CCIPS; and the U.S. Attorneys’ Offices for the Eastern District of California, the Central District of California, the Northern District of Georgia, and the Eastern District of Virginia; as well as the Criminal Division’s Office of International Affairs.

The charges contained in the indictment and complaints are merely accusations, and the defendants are presumed innocent unless and until proven guilty.

And here’s the initial indictment on Hector Monsegur, initially filed in the US District Court for the Southern District of New York in August of last year. I’m gathering up documents on the other people charged in this and will share it as I get it.

Monsegur

The agency just released its file on Jobs, compiled during a background check conducted in the 1990s, when Jobs was being considered for a spot on a White House council on exports. And, with the exception of a noteworthy nugget or two, it’s about as mundane as they come.

If you’ve read Walter Isaacson’s biography of Jobs — or, frankly, any newspaper obituary of the man — then you’re already as well-informed on his life and peccadilloes as the FBI.

Put it this way: Among the highlights of the agency’s 191-page dossier is the observation that Jobs was a former hippie: “During the late 1960s and early 1970s, Mr. Jobs may have experimented with illegal drugs, having come from that generation.”

A few others:

• Jobs had a tendency to “twist the truth and distort reality in order to achieve his goals.”
• Jobs underwent a “change in philosophy by participating in eastern and/or Indian mysticism and religion. This change apparently influenced his personal life for the better.”
• Jobs was “strongwilled, stubborn, hardworking and driven, which … is why he is so successful.”
• Jobs liked to get his own way.
• Jobs was not a member of the Communist party.
• Jobs did “an outstanding job in the computer industry.”

Really, the FBI’s only discovery of note was that Jobs was inexplicably granted Top Secret security clearance by the Defense Industrial Security Clearance Office between 1988 and 1990. Oddly, those credentials were issued by Pixar, which may have done some government work around that time.

Beyond that? Not much. Had Isaacson written his biography of Jobs a few decades earlier, he would have saved the FBI a hell of a lot of work.

Below, the report in its entirety:

Jobs

“I didn’t want the password to live in an email somewhere. I started thinking, what if there was something that would allow me to destroy the email?” Robbins said in an interview.

The thought stayed with him, and by summer, Robbins had dropped the other project to turn his full attention to building a service for hyper-secure email exchanges. He named the service Burn Note.

Burn Note, which opens up to the public today, allows the sender of an email to set a time frame in which the receiver can read an email before the email disappears.

At that point, the email no longer exists — anywhere.

Burn Note’s Web site says the service uses no binary logging, which means there are no standby servers, or backup copies of emails. The company uses a storage engine that has no journaling capabilities, and an underlying file system that logs metadata but not the content of the notes themselves.

While grabbing an image of the email might seem like a simple workaround, Robbins said he has introduced two methods to the service that make it extremely difficult for recipients to quickly copy the text of an email for posterity. Burn Notes can include Web links, but can’t send attached files, though Robbins has said attachments are in the works.

“I think there are a lot of legitimate uses for why people would want an off-the-record conversation,” Robbins said. “The message goes away, but it’s still been communicated to the recipient, which is the point.”

Robbins most recently served as the head of software development for Facebook-acquired Drop.io; he said the Burn Note service was partly inspired by that cloud-storage service. “There was a feature that we considered, but ultimately didn’t turn on, where a file could have a certain number of views before it self-destructed,” Robbins said.

While there currently aren’t any mobile apps for Burn Note, Robbins said that it’s a mobile-optimized Web site, so it can be accessed from a phone with a Web browser.

Highly encrypted or “vanishing” email services aren’t new. In 1999, Canada-based Hush Communications launched Hushmail, a free Web-based email system for individuals and businesses that sent PGP — Pretty Good Privacy — encrypted emails. As Wired reported, it was originally stated that “uniquely-coded” Hushmails were so encrypted that not even Hush employees with access to servers could read the emails.

But in 2007, Hush turned over a dozen CDs of emails, following a court order obtained through a mutual assistance treaty between the U.S. and Canada. The evidence was requested as part of a U.S. federal prosecution of alleged steroid dealers. The company subsequently acknowledged that Hushmails could, in some instances, be decrypted.

In 2009, the New York Times wrote about a group of scientists at the University of Washington who developed software that would make email messages disappear after a period of time. The software, called Vanish, would rely on a key-based encryption system that differed from the usual key cryptography used in digital communications, by making the “keys” erode over time.

A couple of months after that, “Freedom to Tinker,” which is hosted by Princeton’s Center for Information Technology Policy, released a paper detailing a series of experimental attacks against the Vanish prototype. The paper stated that Vanish should be considered too risky to rely on.

On a Web site for Vanish, the group acknowledged that the implementation on which Vanish was based was not adequately protected against attacks, and says it’s “investigating new directions and architectures for self-destructing data.”

Burn Note’s Robbins says Hushmail’s service and the Vanish project are different from Burn Note because those products rely on encryption keys, while Burn Note is effectively reengineering the default settings of computer systems and server systems so that nothing at all is saved.

When asked what Burn Note’s protocol would be for handling requests from law-enforcement officials for email exchanges, Robbins replied, “Burn Notes aren’t emails.”

He went on to say that the exchange of Burn Notes is more comparable to phone calls in that, unless they’re recorded, the exchange itself can’t be retrieved.

But Burn Note — unlike phone companies — doesn’t keep a log of who is communicating with whom. Robbins said the company plans to compile and study anonymous usage data, but will keep two separate logs — incoming messages and outgoing messages — rather than a log of messages exchanged between users. According to the company’s explanation of its technical procedures, even the time stamp on the message is anonymized: Burn Note rounds the times to the nearest hour so that timing cannot be used as a unique identifier.

“A lot of services launch to acclaim that they’re going make digital communications disappear,” said Paul Ohm, an associate professor of law focused on information privacy at the University of Colorado Law School. “But they sometimes become that place where bad people go to exchange information, or a haven for criminals. In order for this work, you have to stay on the side of legitimacy.”

“It’s never a complete dead end,” Ohm added. “There has to be data living somewhere, and there’s always a way to engineer around these systems.”

While Burn Note will at first be marketed to the average email user, Robbins said he hopes to attract attention from the enterprise market. “I think there’s a really interesting set of use cases around banks, especially if it can be made to plug in to existing systems,” he said.

When asked how Burn Note might comply with the record-keeping obligations of U.S. financial institutions have, Robbins said it would require a case-by-case evaluation.

“I don’t have a good answer for that, because it will require review by a legal professional before we can fully work through that type of situation,” Robbins said. He pointed to the company’s privacy policy, which plainly states:

“If you have a legal obligation to preserve data, do not use Burn Note.”