Tuesday Morning: Toivo’s Tango

Did you know the tango evolved into a Finnish subgenre? Me neither, and I’m part Finn on my mother’s side of the family. Both my grandmother and great-grandmother spoke Finnish at home after their immigration to the U.S., but apparently never passed the language or Finnish music on to my mother and her siblings. The Finnish tango became so popular that a festival — the Tangomarkkinat — was established to celebrate it.

The tango makes its way back again, nearly 9000 miles from its origin to Finland, in this music video. The performer featured here is a very popular Argentine tango singer, Martin Alvarado, singing in Spanish a popular Finnish tango, Liljankukka, written by Toivo Kärki. If you search for the same song and songwriter in YouTube, you’ll trip across even more Finnish tango.

Let’s dance…

Police raid in Belgium today
There were more arrests in Belgium today in connection with the Paris attacks in November. Not many details yet in the outlets I follow, suggesting information is being held close to the vest; there was more information very early, which has now moved off feeds, also suggesting tight control of related news. A raid in the southern Brussels suburb of Uccle resulted in the arrest of three persons who are now being questioned. This raid follows the arrest last Friday of Mohamed Abrini, who has now admitted he is the ‘man in the hat’ seen in security camera video just before the bombing of the Brussels airport. Thus far, intelligence gathered from suspects and locations indicates a second attack had been planned, targeting the Euro 2016 football championship. Worth noting: the media has been reporting only the given name and the first initial of the family name for some of those arrested recently.

Up All Night growing, annoying some Parisians
This Occupy movement subset called ‘Up All Night’ or ‘Night Rising’ (Nuit debout) has been rallying during evening hours, protesting austerity-driven labor reforms, France’s continued state of emergency after November’s terrorist attacks, and more. The number of protesters has grown over the last 12 days they have taken to the streets, driven in part by the Panama Papers leak. The crowd has annoyed those navigating the area around the Place de la Republique where the Nuit debout gather. (More here on video.)

Upset over Burr-Feinstein draft bill on encryption continues
The Consumer Technology Association (CTA) issued a statement last night conveying its displeasure with this proposed bill, which would mandate compliance with law enforcement demands for access to encrypted digital content. The CTA’s 2200 members include Apple, Google, Microsoft, and virtually every consumer electronics manufacturer featured at the annual Consumer Electronics Show. This formal statement follows a wave of negative feedback from technology and privacy experts since the draft bill was revealed late last week.

Odds and ends

  • Cellebrite makes the news again, this time for a ‘textalyzer’ (Ars Technica) — Huh. What a coincidence that an Israeli company attributed with the cracking of the San Bernardino shooter’s iPhone 5c is now commercializing a device for law enforcement to use on drivers’ cellphones. Do read this piece.
  • DARPA still fighting for relevance with its Squad X initiative (Reuters) — Not a single mention of exoskeletons, but enough digital technology to make soldiers glow in the dark on the battlefield.
  • Microsoft’s director of research calls some of us chickenshit because AI is peachy, really (The Guardian) — Uh-huh. This, from the same company that released that racist, sexist POS AI bot Tay not once but twice. And we should all just trust this stuff in our automobiles and in the military. Ri-ight.
  • Farmers watching more than commodities market and the weather (Fortune) — Chinese IP rustlers are sneaking commercially-developed plant materials back to PRC. Hope the Chinese realize just how likely American farmers are to use firearms against trespassers.
  • CDC’s deputy director on Zika: “Everything we look at with this virus seems to be a bit scarier than we initially thought” (Reuters) — I swear multiple news outlets including WaPo have changed the heds on stories which originally quoted this statement. Zika’s observed destruction of brain cells during research is really distressing; so is Zika’s link to Guillain-Barre syndrome in addition to birth defects including microcephaly. In spite of the genuine and deep concern at CDC over this virus’ potential impact on the U.S., the CDC is forced to dig in sofa cushions for loose change to research and fight this infectious agent. Absolutely ridiculous, like we learned nothing from our experience here with West Nile Virus.

That’s it, off to mix up my tango with a whiskey foxtrot. See you tomorrow morning!

For Counterterrorism Experts, Absence of Evidence Equals Encryption

The NYT has a fascinating story based on shared criminal files and attack review, describing what authorities currently know about how ISIS pulled off the Paris attack. It describes continued problems with transliteration (though it’s not clear that played a role in this attack).

“We don’t share information,” said Alain Chouet, a former head of French intelligence. “We even didn’t agree on the translations of people’s names that are in Arabic or Cyrillic, so if someone comes into Europe through Estonia or Denmark, maybe that’s not how we register them in France or Spain.”

It describes, over and over, the volume of burner and borrowed phones the attackers used, including a lot of calls that ended up being easy to trace.

After numerous delays, one of the attackers began using a hostage’s cellphone to send text messages to a contact outside. At one point, one of the gunmen turned to a second and said in fluent French, “I haven’t gotten any news yet,” suggesting they were waiting for an update from an accomplice. Then they switched and continued the discussion in Arabic, according to the police report.

[snip]

The attackers seized cellphones from the hostages and tried to use them to get onto the Internet, but data reception was not functioning, Mr. Goeppinger told the police. Their use of hostages’ phones is one of the many details, revealed in the police investigation, pointing to how the Islamic State had refined its tradecraft. Court records and public accounts have detailed how earlier operatives sent to Europe in 2014 and early 2015 made phone calls or sent unencrypted messages that were intercepted, allowing the police to track and disrupt their plots. But the three teams in Paris were comparatively disciplined. They used only new phones that they would then discard, including several activated minutes before the attacks, or phones seized from their victims.

[snip]

Everywhere they went, the attackers left behind their throwaway phones, including in Bobigny, at a villa rented in the name of Ibrahim Abdeslam. When the brigade charged with sweeping the location arrived, it found two unused cellphones still inside their boxes.

New phones linked to the assailants at the stadium and the restaurant also showed calls to Belgium in the hours and minutes before the attacks, suggesting a rear base manned by a web of still unidentified accomplices.

Security camera footage showed Bilal Hadfi, the youngest of the assailants, as he paced outside the stadium, talking on a cellphone. The phone was activated less than an hour before he detonated his vest. From 8:41 p.m. until just before he died at 9:28 p.m., the phone was in constant touch with a phone inside the rental car being driven by Mr. Abaaoud. It also repeatedly called a cellphone in Belgium.

Remember, earlier reports on some of these same terrorists described them using a Moroccan dialect for which Belgian authorities, at least, did not have ready translators, which would make voice calls almost as effective as encrypted communications, especially so long as that common phone number in Belgium remained unknown. The story describes the attackers using Arabic, though doesn’t say whether it was a dialect.

After numerous delays, one of the attackers began using a hostage’s cellphone to send text messages to a contact outside. At one point, one of the gunmen turned to a second and said in fluent French, “I haven’t gotten any news yet,” suggesting they were waiting for an update from an accomplice. Then they switched and continued the discussion in Arabic, according to the police report.

But it then makes an enormous logical leap, from the very first line of the story, that absence of emails equates to some operational security pertaining to emails.

Investigators found crates’ worth of disposable cellphones, meticulously scoured of email data. [See note]

[snip]

According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown, and is among the details that Mr. Abdeslam’s capture could help reveal.

[snip]

Most striking is what was not found on the phones: Not a single email or online chat from the attackers has surfaced so far.

What seems most likely from this description is that for phones terrorists used as burners, they simply didn’t load them with apps to conduct more extensive communication. And why would they, especially if they knew from past reporting that their language was proving hard to “decrypt” for authorities, even with time?

Then there’s this description of a laptop that might have used encryption.

One of the terrorists pulled out a laptop, propping it open against the wall, said the 40-year-old woman. When the laptop powered on, she saw a line of gibberish across the screen: “It was bizarre — he was looking at a bunch of lines, like lines of code. There was no image, no Internet,” she said. Her description matches the look of certain encryption software, which ISIS claims to have used during the Paris attacks.

I asked one of the reporters on this story, Rukmini Callimachi, whether the computer showed up in the report; it did not. That suggests either that it was destroyed beyond all forensic use in one of the suicide vest explosions, or that it wasn’t one of the terrorists’ laptops at all (or that the eyewitness misremembered it, which would be unsurprising given how unreliable eyewitnesses are even when they are not, as hostages are, under extreme stress).

Yet even if this computer had full disk encryption (as opposed to just being a Linux machine, as some people have suggested), there’s no reason to assume there’d be emails. And, as the story makes clear, the phone recovered outside the Bataclan was not encrypted (this was the one that had a text on it).

As the bodies of the dead were being bagged, the police found a white Samsung phone in a trash can outside the Bataclan.

It had a Belgian SIM card that had been in use only since the day before the attack. The phone had called just one other number — belonging to an unidentified user in Belgium. Another new detail from the report showed that in the phone’s photo album police found images of the concert hall’s layout, as well as Internet searches for “fnacspectacles.com,” a website that sells concert tickets; “bataclan.fr”; and the phrase “Eagles of Death at the Bataclan.”

[snip]

Even though one of the disposable phones was found to have had a Gmail account with the username “yjeanyves1,” the police discovered it was empty, with no messages in the sent or draft folders.

Note, that account name is very French, not at all similar to the names of the perpetrators (see the list here), which makes me wonder whether it’s an artefact of a prior owner, from whom this phone could have been stolen.

My suspicion is that, as had been reported, rather than emails ISIS relied on Telegram, but used it in a fashion that would make it less useful on burner phones (“secret” Telegram chats are device-specific, meaning you’d need a persistent phone number to use that function). But if these terrorists did use Telegram, they probably eluded authorities not because of encryption, but because it’s fairly easy to make such chats temporary (again, using the secret function). Without Telegram being part of PRISM, the NSA would have had to obtain the metadata for chats via other means, and by the time they IDed the phones of interest, there may have been no metadata left.

The authorities now have a great deal of evidence on these terrorists. And what it shows is that burner phones used with discipline serve as a far more important operational security tool than encryption. Indeed, at this point, the authorities only claim the terrorists used encryption because they have no evidence of it!

And yet, that doesn’t appear to have stopped the IC from convincing Obama that the Paris terrorists used encryption and so we have to break it here.

Note: On Twitter, Callimachi acknowledged that that first line makes no sense and said she would try to have it changed.

Update: And now it reads like this:

Investigators found crates’ worth of disposable cellphones.

An Important Battlefield after Paris: US Counterterrorism Hegemony

Last week, I suggested that most commentators were misinterpreting a speech John Brennan made, assuming he intended to implicate just encryption and Edward Snowden in the Paris attack. Given that he repeatedly invoked changes the Europeans have to make, I think he was also complaining about European efforts to reclaim some data (or Internet software) sovereignty, with the effect that US counterterrorism programs are not as comprehensive. For example, to the extent terrorists use non-US based Internet services, they will elude PRISM, with its easy access to metadata and often content. In the wake of the Paris attack, Berlin-based Telegram shut down a bunch of channels ISIS was using, which suggests that may have been what Brennan was complaining about.

Yet that highlights a key issue: before the Snowden revelations, the US (with the UK and other Five Eyes members) largely could claim to exercise counterterrorism hegemony, in part because of our preferential position on the global telecommunications fiber network, in part because our tech companies served much of the world, and in part because many of our allies preferred to have us do the job. Some of the Snowden revelations — and the German investigation into BND’s partnership with NSA — have shown the cost of that: that the US gets European spooks’ help to spy on European targets of interest solely to the US.

It’s probably most effective to have one hegemonic dragnet, but it’s not clear whether it’s healthy (and now that US hegemony is beginning to crack, the dragnet will likely become less effective).

Given the comments of French Finance Minister Sapin today, US dragnet hegemony will continue to crumble. Along with a call to change certain laws on asset seizures and pre-paid bank cards, Sapin called for Europe to develop its own capability to access and analyze SWIFT data.

Sapin said that the SWIFT system had two computer servers, one in Europe and one in the United States, but that Europe currently relied on U.S. authorities to collect and analyze the vast amounts of data flowing through it to detect security issues.

“We Europeans don’t have the capacity to exploit our own data. I don’t think this can carry on this way,” Sapin told a news conference. “Since we do not have the means to analyze the data located in Europe, we transfer all of this data to the Americans, who have the capacity to analyze it.”

As a reminder, access to SWIFT — Society for Worldwide Interbank Financial Telecommunication, the international bank transfer system through which most international transactions take place — has been a contentious issue for some time. Europe tried to demand more equitable access in 2009-2010 when one of the servers for the system got moved to Brussels, only to find the US was cheating on the spirit of the agreement in 2011. What Sapin describes — Europe just sending all its data to the US in bulk — is what came out of that effort to reclaim some control over the data. In the last few years, it has become clear how US control of SWIFT makes it easier to dictate policy, especially regarding sanctions, to allies (I suspect, too, it has been used to collect embarrassing details about EU elite ties to unsavory characters, like Qaddafi). Obviously, having exclusive access to records of who is transferring money to whom can be incredibly valuable for the US, in ways that go well beyond terrorism.

From his comments, it’s unclear whether Sapin means Europe lacks the technical capability or the bureaucratic/legal authority to access and analyze this data. Given his explicit comment that the Paris terrorists used pre-paid bank cards to plan their attack (which would probably be adequate to transfer money between Belgium and France), it’s also not clear that the attackers used international transfers that would have shown up on SWIFT. But he’s going to use this opportunity to demand equitable access to the data.

The US would surely love to maintain a monopoly on omniscience. In the name of counterterrorism efficacy, they might be able to make an argument to do so. But either because they’ve already lost that omniscience — or because their dragnet failed to keep France safe — they’re likely to continue to lose that monopoly. It’s not clear that has any benefit for privacy (redundant dragnets are more invasive than single ones). It will likely have consequences for US hegemony more generally.

Author of Story Based on Leaks about Surveillance Parrots Brennan Condemning Leaks about Surveillance

Josh Rogin is among many journalists who covered John Brennan’s complaints this morning about how “a number of unauthorized disclosures” and hand-wringing have hurt our surveillance capabilities (which came in response to Rogin asking, in questions, “what went wrong” in Paris).

But Brennan also said that there had been a significant increase in the operational security of terrorists and terrorist networks, who have used new commercially available encryption technologies and also studied leaked intelligence documents to evade detection.

“They have gone to school on what they need to do in order to keep their activities concealed from the authorities,” he said. “I do think this is a time for particularly Europe as well as the U.S. for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence services to protect the people that they are asked to serve.”

The FBI has said that Internet “dark spaces” hinder monitoring of terrorism suspects. That fuels the debate over whether the government should have access to commercial applications that facilitate secure communications.

Brennan pointed to “a number of unauthorized disclosures” over the past several years that have made tracking suspected terrorists even more difficult. He said there has been “hand wringing” over the government’s role in tracking suspects, leading to policies and legal action that make finding terrorists more challenging, an indirect reference to the domestic surveillance programs that were restricted after leaks by Edward Snowden revealed their existence.

I find it interesting that Rogin, of all people, is so certain that this is an “indirect reference to the domestic surveillance programs that were restricted after leaks by Edward Snowden revealed their existence.” It’s a nonsensical claim on its face, because no surveillance program has yet been restricted in the US, though FBI has been prevented from using NSLs and Pen Registers to bulk collect communications. The phone dragnet, however, is still going strong for another 2 weeks.

That reference — as I hope to show by end of day — probably refers to tech companies’ efforts to stop the NSA and GCHQ from hacking them anymore, as well as European governments and the EU trying to distance themselves from the US dragnet. That’s especially likely given that Brennan emphasized international cooperation in his response.

I’m also confused by Rogin’s claim Jim Comey said Tor was thwarting FBI, given that the FBI Director said it wasn’t in September.

Even more curious is that Rogin is certain this is about Snowden and only Snowden. After all, Snowden’s leaks would at most give terrorists a general sense of what might not be safe (and not one they tracked very closely, given the Belgian Minister of Home Affairs’ claim that they’re using PlayStation 4 to communicate, when one of Snowden’s leaks said NSA and CIA were going after targets’ use of gaming consoles to communicate at least as early as 2008).

But a different leak would have alerted terrorists that their specific communications techniques had been compromised. That is the leak behind this story (which was a follow-up on leaks to the NYT, McClatchy, and WaPo):

It wasn’t just any terrorist message that triggered U.S. terror alerts and embassy closures—but a conference call of more than 20 far-flung al Qaeda operatives, Eli Lake and Josh Rogin report.
The crucial intercept that prompted the U.S. government to close embassies in 22 countries was a conference call between al Qaeda’s senior leaders and representatives of several of the group’s affiliates throughout the region.

The intercept provided the U.S. intelligence community with a rare glimpse into how al Qaeda’s leader, Ayman al-Zawahiri, manages a global organization that includes affiliates in Africa, the Middle East, and southwest and southeast Asia.

Several news outlets reported Monday on an intercepted communication last week between Zawahiri and Nasser al-Wuhayshi, the leader of al Qaeda’s affiliate based in Yemen. But The Daily Beast has learned that the discussion between the two al Qaeda leaders happened in a conference call that included the leaders or representatives of the top leadership of al Qaeda and its affiliates calling in from different locations, according to three U.S. officials familiar with the intelligence. All told, said one U.S. intelligence official, more than 20 al Qaeda operatives were on the call.

[snip]

Al Qaeda leaders had assumed the conference calls, which give Zawahiri the ability to manage his organization from a remote location, were secure. But leaks about the original intercepts have likely exposed the operation that allowed the U.S. intelligence community to listen in on the al Qaeda board meetings.

That story — by Josh Rogin himself! (though again, this was a follow-up on earlier leaks) — gave Al Qaeda, though maybe not ISIS, specific notice that one of their most sensitive communication techniques was compromised.

It’s really easy for journalists who want to parrot John Brennan and don’t know what the current status of surveillance is to blame Snowden. But those who were involved in the leak exposing the Legion of Doom conference call (which, to be sure, originated in Yemen, as many leaks that blow US counterterrorism efforts there do) might want to think twice before they blame other journalism.

Surveillance Hawk Stewart Baker Confirms Dragnet Didn’t Work as Designed

The French authorities are just a day into investigating the horrid events in Paris on Friday. We’ll know, over time, who did this and how they pulled it off. For that reason, I’m of the mind to avoid any grand claims that surveillance failed to find the perpetrators (thus far, French authorities say they know one of the attackers, who is a French guy they had IDed as an extremist, but did not know of people identified by passports found at the Stade — though predictably those have now been confirmed to be fake [update: now authorities say the Syrian one is genuine, though it’s not yet clear it belonged to the attacker], so authorities may turn out to know their real identity). In any case, Glenn Greenwald takes care of that here. I think it’s possible the terrorists did manage to avoid detection via countersurveillance — though the key ways they might have done so were available and known before Edward Snowden’s leaks (as Glenn points out).

But there is one claim by a surveillance hawk that deserves a response. That’s former DHS and NSA official Stewart Baker’s claim that because of this attack we shouldn’t stop the bulk collection of US persons’ phone metadata.

[Screenshot, 2015-11-15: Stewart Baker’s claim]

The problem with this claim is that the NSA has a far more extensive dragnet covering the Middle East and Europe than it does on Americans. It can and does bulk collect metadata overseas without the restrictions that existed for the Section 215 dragnet. In addition to the metadata of phone calls and Internet communications, it can collect GPS location, financial information, and other metadata scraped from the content of communications.

The dragnet covering these terrorists is the kind of dragnet the NSA would love to have on Americans, if Americans lost all concern for their privacy.

And that’s just what the NSA (and GCHQ) have. The French have their own dragnet. They already had permission to hold onto metadata, but after the Charlie Hebdo attacks, they expanded their ability to wiretap without court approval. So the key ingredients to a successful use of the metadata were there: the ability to collect the metadata and awareness that one of the people was someone of concern.

The terrorists may have used encryption and therefore made it more difficult for authorities to get to the content of their Internet communications (though at this point, any iPhone encryption would only now be stalling investigators).

But their metadata should still have been available. There’s no good way to hide metadata, which is why authorities find metadata dragnets so useful.

French authorities knew of at least one of these guys, and therefore would have been able to track his communication metadata, and both the Five Eyes and France have metadata dragnets restricted only by technology, and therefore might have been able to ID the network that carried out this attack.
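As an added illustration of the point made here and in the earlier Paris post (this is not the author’s own analysis, and every phone number, timestamp and call record below is constructed for the example), here is the kind of link analysis an investigator can run on call metadata alone, with no content at all: starting from one number already known to authorities, it finds the phones first seen shortly before an event that sit within two hops of that number, and the number those phones all share.

```python
"""Link analysis over constructed call-detail records (CDRs).

Shows why call metadata is hard to hide even when content is encrypted or
never existed: a known number, activation timing and shared contacts are
enough to outline a network.  Every record below is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDRs: caller,callee,timestamp.  +33... are French numbers,
# +32... Belgian; none of them are real.
CDR_LINES = """\
+33600000001,+32400000099,2015-11-10T14:00:00
+33700000012,+32400000099,2015-11-12T18:30:00
+33700000010,+32400000099,2015-11-13T20:41:00
+33700000010,+33700000011,2015-11-13T20:50:00
+33700000011,+32400000099,2015-11-13T21:00:00
+33600000002,+33600000003,2015-11-13T20:55:00
"""

# Hypothetical inputs: a number already on an authority's radar, the
# event time, and how far back "recently activated" reaches.
SEED = "+33600000001"
EVENT = datetime(2015, 11, 13, 21, 20)
WINDOW = timedelta(hours=36)


def parse_cdrs(text):
    """Parse 'caller,callee,ISO-timestamp' lines into tuples."""
    records = []
    for line in text.strip().splitlines():
        caller, callee, ts = line.split(",")
        records.append((caller, callee, datetime.fromisoformat(ts)))
    return records


def first_seen(records):
    """Earliest time each number appears in the records (as caller or callee)."""
    seen = {}
    for caller, callee, ts in records:
        for number in (caller, callee):
            if number not in seen or ts < seen[number]:
                seen[number] = ts
    return seen


def contact_graph(records):
    """Undirected who-called-whom graph."""
    graph = defaultdict(set)
    for caller, callee, _ in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def recently_activated(records, event, window):
    """Numbers whose first activity falls within `window` before `event`."""
    return {n for n, ts in first_seen(records).items()
            if event - window <= ts <= event}


def within_hops(graph, seed, hops):
    """All numbers reachable from `seed` in at most `hops` calls."""
    frontier, reached = {seed}, {seed}
    for _ in range(hops):
        frontier = set().union(*(graph[n] for n in frontier)) - reached
        reached |= frontier
    return reached


def shared_contacts(graph, members, min_count=2):
    """Numbers outside `members` that at least `min_count` members talked to."""
    counts = defaultdict(int)
    for m in members:
        for c in graph[m] - members:
            counts[c] += 1
    return {c: k for c, k in counts.items() if k >= min_count}


def suspicious_network(records, seed, event, window, hops=2):
    """Recently activated phones near the seed, plus the hub(s) they share."""
    graph = contact_graph(records)
    candidates = recently_activated(records, event, window) & within_hops(graph, seed, hops)
    return candidates, shared_contacts(graph, candidates)


def run_example():
    return suspicious_network(parse_cdrs(CDR_LINES), SEED, EVENT, WINDOW)
```

The unrelated pair +33600000002/+33600000003 is also "new" in the window but falls out because it is not connected to the seed, which is why the timing filter and the graph are combined rather than used alone.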

Stewart Baker claims that Section 215 was designed to detect a plot like this. But the metadata dragnet covering France and the Middle East is even more comprehensive than Section 215 ever was. And it didn’t detect the attack (it also didn’t detect the Mumbai plot, even though — or likely because — one of our own informants was a key player in it). So rather than be a great argument for why we need to keep a dragnet that has never once prevented an attack in the US, Baker’s quip is actually proof that the dragnets don’t work as promised.