• Tag Archives cybersecurity
  • The Government Is Lying to Us About Cybersecurity

    In a press conference, Deputy Attorney General Rod Rosenstein stated that the “absolutist position” that strong encryption should be, by definition, unbreakable is “unreasonable.”

    The DOJ is lying about three things:

    First

    The US government works against the security of businesses. Just this week, I had to tell Apple that my iPhone app did not have certain kinds of encryption that the U.S. government has export control on. Encryption export controls cripple the security and innovation of software products made by American businesses.  

    Furthermore, the U.S. government hoards software exploits so it can hack into your computer rather than publish them that so companies can patch their products. The NSA intentionally sneaks weaknesses into protocols and bribes businesses to add holes to security products so it can steal the data of their customers.

    When businesses want to improve the security of their products, they offer rewards for exploits – Microsoft pays up to $250,000 per exploit, Facebook has paid $40,000, and so on. The NSA purchases millions of dollars of exploits from hackers and uses them to spy on the entire world, including U.S. citizens. Unfortunately, the NSA is incompetent at keeping secrets, so it lost their exploit database and caused millions of computers to be infected and hijacked with the exploits they hoarded.

    The hardware and software pieces of both the Internet and individual user’s computers are made by private companies. There is nothing the U.S. government can do to improve “cybersecurity” other than prosecuting criminal behavior.  However, the U.S. government prosecutes a minuscule proportion of cybercrime.  Whether it is unable or unwilling to punish criminals, the reality is that the only “cybersecurity” that the government cares about is its ability to conduct surveillance and attacks on foreign and domestic political targets.

    Second

    The idea that “strong security” is compatible with a government backdoor is a lie. Any security expert can tell you that a backdoor leaves your product vulnerable, even if you trust the government agency with the key. Previous backdoors advocated by the US government have been blown wide open by security experts. There is near-universal agreement among security experts that government backdoors and security are not compatible – a reality that the DOJ continues to ignore.

    Third

    It is not true that the government wants to weaken American’s security to protect against crime or terrorism. Their real motivation has always been power and money: they want to monitor the flow of information in order to prevent people from hiding their wealth and use their secret keys and vulnerability stash to intimidate and blackmail other countries into compliance with U.S. policies. This is why the U.S. intelligence budget of over $75 billion did not prevent most American’s personal details from being leaked, but U.S. citizens who do not report foreign bank accounts (under FACTA) can be fined $250,000 or 5 years in jail even if they have never stepped foot in the USA.

    Reprinted from The Ungoverned


    David L Veksler

    David Veksler is the Director of Marketing at FEE.

    This article was originally published on FEE.org. Read the original article.




  • D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes

    The United States Court of Appeals for the District of Columbia Circuit today held that foreign governments are free to spy on, injure, or even kill Americans in their own homes–so long as they do so by remote control. The decision comes in a case called Kidane v. Ethiopia, which we filed in February 2014.

    Our client, who goes by the pseudonym Mr. Kidane, is a U.S. citizen who was born in Ethiopia and has lived here for over 30 years. In 2012 through 2013, his family home computer was attacked by malware that captured and then sent his every keystroke and Skype call to a server controlled by the Ethiopian government, likely in response to his political activity in favor of democratic reforms in Ethiopia. In a stunningly dangerous decision today, the D.C. Circuit ruled that Mr. Kidane had no legal remedy against Ethiopia for this attack, despite the fact that he was wiretapped at home in Maryland. The court held that, because the Ethiopian government hatched its plan in Ethiopia and its agents launched the attack that occurred in Maryland from outside the U.S., a law called the Foreign Sovereign Immunities Act (FSIA) prevented U.S. courts from even hearing the case.

    The decision is extremely dangerous for cybersecurity. Under it, you have no recourse under law if a foreign government that hacks into your car and drives it off the road, targets you for a drone strike, or even sends a virus to your pacemaker, as long as the government planned the attack on foreign soil. It flies in the face of the idea that Americans should always be safe in their homes, and that safety should continue even if they speak out against foreign government activity abroad.  

    Factual background

    Mr. Kidane discovered traces of state-sponsored malware called FinSpy, a sophisticated spyware product which its maker claims is sold exclusively to governments and law enforcement, on his laptop at his home in suburban Maryland. A forensic examination of his computer showed that the Ethiopian government had been recording Mr. Kidane’s Skype calls, as well as monitoring his (and his family’s) web and email usage. The spyware was launched when Kidane opened an attachment in an email. The spying began at his home in Maryland.

    The spyware then reported everything it captured back to a command and control server in Ethiopia, owned and controlled by the Ethiopian government. The infection was active from October 2012 through March 2013, and was stopped just days after researchers at the University of Toronto’s Citizen Lab released a report exposing Ethiopia’s use of FinSpy. The report specifically referenced the very IP address of the Ethiopian government server responsible for the command and control of the spyware on Mr. Kidane’s laptop.

    We strenuously disagree with the D.C. Circuit’s opinion in this case. Foreign governments should not be immune from suit for injuring Americans in their own homes and Americans should be as safe from remote controlled, malware, or robot attacks as they are from human agents. The FSIA does not require the courts to close their doors to Americans who are attacked, and the court’s strained reading of the law is just wrong. Worse still, according to the court, so long as the foreign government formed even the smallest bit of its tortious intent abroad, it’s immune from suit. We are evaluating our options for challenging this ruling.

    Source: D.C. Circuit Court Issues Dangerous Decision for Cybersecurity: Ethiopia is Free to Spy on Americans in Their Own Homes | Electronic Frontier Foundation