We got an update on the technological “exploits” that were lifted from the NSA, the Federal Government spy agency that tracks your online behavior and phone records.
Brad Smith, President of Microsoft, warned that governments like the United States’ federal behemoth are exposing their citizens by “stockpiling vulnerabilities”, hindering technology companies’ responses to cyberattacks because, well, the Federal agencies that suck up personal information on their subjects, sorry, citizens are usually terrible at securing that data. This necessitated the additional $560 million data collection facility in Fort Meade, MD to complement the NSA’s initial $2 billion Utah warehouse for tracking the little people.
[As a reminder, when confronted with the 2013 Edward Snowden leaks of NSA’s seizure of citizen phone records under Section 215 of the Patriot Act (in some cases by warrant, such as when telecommunications giant Verizon refused to bend over for the Feds), Obama’s Director of National Intelligence James Clapper lied under oath to the Senate Intelligence Committee about the existence of the privacy-eroding program.
Mr. Clapper later alternately claimed that he “forgot” about the blatantly unconstitutional program; that he confused it with another data collection program, Section 702 of the Foreign Intelligence Surveillance Act; and (according to his taxpayer-funded lawyer, Robert Litt) that Clapper was unprepared for the query, despite receiving the Senate panel’s planned questions 24 hours in advance. Although we are paying it, we are unable to find Mr. Clapper’s salary amount online.]
On May 12, the WannaCry attack software held the data of the British National Health Service and other Windows users hostage for a Bitcoin ransom, reportedly with a screen like the following:
Smith, labeling the attack as “WannaCrypt” [sic?], reported that the vulnerabilities that enabled it were stolen from NSA in April (at least, that’s when the Feds reportedly admitted the theft). Although Microsoft had released a security patch to Windows Defender one month previously to counter just such a threat, about 300,000 consumers were still reportedly affected. Microsoft did what the Federal Government would never consider, and took personal responsibility for the disruption, even though it was the sloppy Feds who were actually plundered, and Federal Government hubris that concealed the potential weaknesses from citizens.
The most consequential part of Smith’s post:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. [T]his most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
[It is unclear if “nation-state action” here refers to well-meaning but incompetent central government vulnerability to having…the vulnerabilities they refuse to share with technology companies stolen; or malicious governments acting as the organized criminals, such as when Russia single-handedly elected President Trump.]
The security community claims to be making strides towards transparency. They are cracking down on whistleblowers and systematically ignoring Congressional restrictions on civilian spying. Wait…
George Ellard (above) was removed in December 2016 from his powerful perch as [“what the fuck” alert:] Inspector General of the NSA when he was found guilty of whistleblower retaliation.
Recall that the IG is the watchdog for a Federal Government agency, the one who polices the government “workers” and reports their transgressions to taxpayers. Or, in this case, quashes dissent. It’s like internal affairs covering for a dirty cop!
Ellard was not only NSA’s Inspector General, but an outspoken critic of Edward Snowden, the former contract employee who leaked hundreds of thousands of classified emails to publicly expose the agency’s domestic surveillance program. Snowden claimed, among other things, that his concerns about NSA’s domestic eavesdropping were ignored by the agency, and that he feared retaliation. Ellard publicly argued in 2014 that Snowden could have safely reported the allegations of NSA’s domestic surveillance directly to him.
[A] high-level Intelligence Community panel found that Ellard himself had previously retaliated against an NSA whistleblower, sources tell the Project On Government Oversight. Informed of that finding, NSA’s Director, Admiral Michael Rogers, promptly issued Ellard a notice of proposed termination, although Ellard apparently remains an agency employee while on administrative leave, pending a possible response to his appeal from Secretary of Defense Ash Carter.
Obama reportedly tried to strengthen whistleblower protections in the wake of Snowden’s revelations with Presidential Policy Directive 19. (Mr. Obama had referred to Snowden as a “29-year-old hacker” and, like Ellard, chastised the Federal contractor for not pursuing existing whistleblowing channels to expose the U.S.’s highly controversial metadata collection programs. Which Snowden had, only to find that such protections did not apply to contractors.)
PPD-19 established an External Review Panel, comprising the IGs for Justice, Treasury and CIA. The ERP disagreed with the Defense Department IG, and found that Ellard had indeed retaliated against an NSA whistleblower.
“Snowden could have come to me,” Ellard declared [in 2014], arguing that the leaker, now a fugitive in Russia, would have received the same protections as other NSA employees, who file some one thousand reports annually to the agency’s hotline. “We have surprising success in resolving the complaints that are brought to us,” Ellard said, adding, “Perhaps it’s the case that we could have shown, we could have explained to Mr. Snowden his misperceptions, his lack of understanding of what we do.”
Snowden’s related contention is that in his own case, he did, in fact, report his concerns in emails to NSA superiors at the time, a contention which NBC has said it verified.
Government Executive had more on Ellard:
Ellard himself became the subject of a complaint from an NSA employee who had contacted the Defense Department IG’s hotline with allegations of NSA overspending at a conference in Nashville, Tennessee. In 2013, the whistleblower’s identity was shared with Ellard, who then, according to the charges, denied the employee an assignment at the NSA IG’s Office of Investigations.
The Intelligence Community IG provided a sketch of how the PPD-19 external review process works in procedures issued in July 2013. If an aspiring whistleblower exhausts the agency review process without success, he or she can contact the IC watchdog’s office. The office has 45 days to complete a memo to the IG, who then has the authority to appoint an external panel. It collects evidence and has 180 days to make a decision. If the panel recommends action, the agency has another 90 days to respond. If no action is taken by then, the issue goes to the White House and, most likely, Congress.
Former assistant DOD IG John Crane told Government Executive he did the initial intake for the NSA whistleblower complaint about overspending at the conference. He said officials in the Pentagon IG office then revealed the whistleblower’s identity to Ellard, which he characterized as a violation of the Inspector General Act. Crane spent 25 years in government before he was fired in 2013 after accusing the Pentagon watchdog office of whistleblower retaliation.
It is unclear whether Ellard remains on paid leave, as he was placed last December while appealing his removal, or if the termination has been finalized. Cato Institute had a lengthy update last week.
The justification for this unconstitutional practice of data-mining civilians, assumed without debate or public knowledge, is ridiculous, not least of all because all this super-secure data keeps getting leaked by their own employees.
Reality Leigh Winner (yes, that is her actual name) was arrested in June for violating the Espionage Act.
Winner Winner Chicken Dinner.
Ms. Winner apparently leaked a classified document on Russian interference with the November 2016 elections to The Intercept.
And back in August, Harold Martin was nabbed for Espionage Act charges after allegedly swiping 50 terabytes of data from NSA. Martin’s defense attorney felt compelled to tell the press Martin is “no Edward Snowden.” Both men worked for Federal defense contractor Booz Allen Hamilton, an outfit especially proficient at vetting employees. Martin has reportedly held a security clearance since he joined the Navy. Thirty years ago.
Don’t hold your breath for restoration of your Constitutionally demanded freedoms anytime soon. On May 2, Reuters reported that the NSA collected more than 151 million records of Americans’ phone calls last year, even after Congress limited its ability to collect bulk phone records, according to an annual report issued on Tuesday by the top U.S. intelligence officer.
Officials on Tuesday argued that the 151 million records collected last year were tiny compared with the number collected under procedures that were stopped after former NSA contractor Edward Snowden revealed the surveillance program in 2013.
See, that makes it ok!
Because the 151 million would include multiple calls made to or from the same phone numbers, the number of people whose records were collected also would be much smaller, the officials said. They said they had no breakdown of how many individuals’ phone records were among those collected.
There are a few bright spots in security news.
A hot topic this summer was Susan Rice and her demands for potentially illegal (certainly outside the protocol of her office) “unmasking” of Trump associates who were transitioning to the new presidential administration.
The rate of “unmasking” average citizens (presumably to the chagrin of the filthy government thugs who spy on their citizens, and employers, because terrorism) marginally declined last year:
In all, according to the report, U.S. officials unmasked the names of fewer Americans in NSA eavesdropping reports in 2016 than they did the previous year, the top U.S. intelligence officer reported on Tuesday.
The report said the names of 1,934 “U.S. persons” were “unmasked” last year in response to specific requests, compared with 2,232 in 2015, but it did not identify who requested the names or on what grounds.
And back on April 28:
The National Security Agency said it will now limit [signals intelligence] collection to internet communications sent directly to or from a foreign target. It won’t permit intelligence officials to collect emails, texts and other communications between two people who mention a target by name, but are not themselves targets of surveillance.
The changes, first reported by The New York Times, are designed to reduce the chances of sweeping up communications of U.S. citizens or others in a way that some critics charged was overly broad.
On May 31, Shadow Brokers, the apparent perpetrators of the WannaCry attack, announced they would sell the stolen code to interested hackers at $22,000 per copy. By late June, they had raised the price, up to $131,000 for “VIP access,” in which a customer reportedly receives access to particular vulnerabilities.
Back in January, NSA Director Mike Rogers (below), encouraged by Clapper, introduced a measure to offer current NSA operatives raises to stop them from fleeing Big Brother for the private sector.
Interestingly, in November of last year, Clapper and then-Defense Secretary Ash Carter reportedly recommended outgoing President Obama remove Rogers as head of NSA.
Thanks to our sources: