Category Archives: Law Enforcement

Prism, XKeyscore, and International Business

Disclaimer: I do not, nor ever had, any level of secret clearance for any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.

From 2006 through 2012, I was the information security officer for a global financial services company, selling subscription based services to the largest companies in the world in every industry sector.  Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite having numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions in the form of additional security controls, in exchange for their business.

The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability for law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent.  Our only argument was that we were not the source for original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications. Still, many non-U.S. companies elected not to do business with our U.S. based company because of PATRIOT.

Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information.  But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.

Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S. based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information.  With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyScore and Prism, law enforcement continuously obtains much of this same information.  Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from longshot to near absolute certainty.

This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.

————-

Aug 5 update: headline article in Puget Sound Business Journal echos my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html

Cloud service providers and the U.S. PATRIOT Act

The U.S. PATRIOT Act has a lot of non-U.S. companies wondering whether it is a sound practice to store data in a U.S. based cloud services organization. The concern is this: the cloud services provider may be obligated to turn over stored data on receipt of a National Security Letter, which is essentially a subpoena with a gag order.

But what if the customer is the legal owner of the data, and not the cloud services provider?

If legal contracts between the cloud services provider and its customers define customers as the owner of stored data, what happens when the cloud services provider receives a National Security Letter asking for that data? Can the provider say, “sorry – this is not our data, you need to ask the owner for it”?

I could see this going both ways.  Using the precedent of wiretapping, the law enforcement agency issuing the subpoena might argue that data ownership is irrelevant.

* * *

While we’re on the topic of PATRIOT… I often wonder about non-U.S. companies’ concern about it. Rationale I sometimes hear is that storing data in the U.S. is riskier because of PATRIOT.

Let me assert this: in the interest of national security, any nation’s law enforcement or intelligence agencies are going to search and sieze data as needed, whether there are laws on the books or not. The fact that the U.S. has its PATRIOT Act only means that the U.S. is being more transparent about a practice that we all know is pervasive around the world. Taking this argument further, you could argue that storing data in the U.S. is safer, because at least the U.S. has laws governing the use of search and seizure in the name of national security. In countries without such laws, what will limit the reach of law enforcement and intelligence agencies?

* * *

Finally, I want to say that I am not expressing an opinion about PATRIOT – whether I agree with it or not. It is simply a fact to be dealt with.

* * *

References:

The Patriot Act and your data: Should you ask cloud providers about protection? – InfoWorld article, January 2012.

Patriot Act Threatens American Cloud Computing – Wall Street Cheat Sheet, January 2012.

TSA learns redaction lesson the hard way…

Bookmark This (opens in new window)

…and we will all pay for it. Today it has been made public that the TSA’s detailed airport security procedures manual has been posted to the Internet. The TSA was putting out some services to bid, and posted what they believed to be a redacted version of the document. Well it turns out that the redaction technique they chose was ineffective.

Now that everyone can see TSA’s airport screening procedures in detail, they will have to resort to more pat-downs, wand scans, and body scans. Procedures for identifying CIA, air marshalls, and law enforcement personnel may need to change as well.

Some of the details revealed in the procedures include:

  • The size of wires that can pass through magnetometers without setting alarms
  • Procedures used for screening liquids
  • Items that do not require extra screening such as wheelchairs and casts
  • Procedures for verifying the identity of CIA, NSA, air marshalls, and other law enforcement personnel

See my earlier posting on redaction here.

Proper redaction of sensitive data in electronic documents is more than just covering up sensitive words and images. Instead, sensitive information is actually removed and replaced with solid black, so that the redacted text or images are not merely “underneath” it. I suspect that the NSA merely “covered” sensitive items without actually removing them from documents.

[picapp align=”right” wrap=”false” link=”term=tsa&iid=3702199″ src=”c/9/9/e/New_Airport_Security_d307.jpg?adImageId=8254188&imageId=3702199″ width=”234″ height=”236″ /]News stories here:

CNN

Yahoo News

Washington Post

New York Times

Rest in peace: officers Renninger, Griswold, Owens and Richards

Bookmark This (opens in new window)

Update 12/12/2010: Donate to Lakewood Police Independent Guild to benefit the families of the four slain officers

Today, four Lakewood WA police officers were assassinated in cold blood while conducting police business in a local coffee house. This happened very close to where I live, less than a month after a Seattle police officer was gunned down.

In my work I collaborate with and support law enforcement. I appreciate what they do for us.

These four officers leave nine children behind. This aspect makes this especially tragic.

References:

Tacoma News Tribune

Seattle Times

Published authors: stop the illegal file sharing hemorrhaging

Bookmark This (opens in new window)

Recently I was made aware of a file sharing site that reportedly had digital copies of published books, as well as music and other copyright content.  I had a look for myself, and found this to be true.

The site, 4shared.com, has thousands – maybe tens of thousands – of copyrighted books, music, and other content, freely online and available for anyone who wants to browse the site and download content.

Readers: it is illegal to post copyright content in any form online, unless you are the legal owner of the content or have written permission from the owner.  It is against the law.  Do not be deceived by the lure of free content.

Professionals: if you are found to be in possession of illegally copied protected content, you may be in jeopardy of losing your professional licenses or certifications.  You can also be sued by the copyright owner.

4shared.com will remove content on request.  It is necessary to state, in detail, who the owner of each item is, and why it should be removed.  Digital copies of many of my books were on the site, and I filed removal requests for each.  Yes, it was time consuming.  To request illegal content be removed, send an e-mail (with the full URL of the offending item(s)) to abuse@4shared.com, or visit http://www.4shared.com/contact.jsp , click on the “Copyrighted Materials” link, and complete the short form there.

The extent of illegal content on 4shared.com is appalling – it is a cesspool of of illegal content.  A quick search showed that almost one-thousand “For Dummies” titles were on the site.

FBI mystery man identified

Bookmark This (opens in new window)

Mystery manThe Federal Bureau of Investigation has allegedly identified the “mystery man” who has as many as 32 aliases. He is identified as Scott Andrew Shain.

Articles:

John Doe identified as Boston man

Six new photos of FBI’s Seattle mystery man

Fake fingerprints, multiple aliases, in FBI custody; name=??

Six new photos of FBI’s Seattle mystery man

Bookmark This (opens in new window)

The FBI has released several more photos of the career identity thief but they still don’t know who he is. The FBI is asking anyone who knows this person to call them at 206-622-0460.

Aliases: William Everett Gee, Robert Allen Lowe, Robert Allan Loew, Dwayne Spill

Click on photo for larger image

Mystery man

Seattle Times article: Mastermind or troubled mind?