Why Apple Should Pay Particular Attention to Wired’s New Car Hacking Story

This morning, Wired reports that the hackers who two years ago hacked an Escape and a Prius via physical access have hacked a Jeep Cherokee via remote (mobile phone) access. They accessed the vehicle’s Electronic Control Unit and from that were able to get to ECUs controlling the transmission and brakes, as well as a number of less critical items. The hackers are releasing a report [correction: this is Markey’s report], page 86 of which explains why cars have gotten so much more vulnerable (generally, a combination of being accessible via external communication networks, having more internal networks, and having far more ECUs that might have a vulnerability). It includes a list of the most and least hackable cars among the 14 they reviewed.

Today Ed Markey and Richard Blumenthal are releasing a bill meant to address some of these security vulnerabilities in cars.

Meanwhile — in a remarkably poorly timed announcement — Apple announced yesterday that it had hired Fiat Chrysler’s former quality guy, the guy who would have overseen development of both the hackable Jeep Cherokee and the safer Dodge Viper.

Doug Betts, who led global quality at Fiat Chrysler Automobiles NV until last year, is now working for the Cupertino, Calif.-based electronics giant but declined to comment on the position when reached Monday. Mr. Betts’ LinkedIn profile says he joined Apple in July and describes his title as “Operations-Apple Inc.” with a location in the San Francisco Bay Area but no further specifics.

[snip]

Along with Mr. Betts, whose expertise points to a desire to know how to build a car, Apple recently recruited one of the leading autonomous-vehicle researchers in Europe and is building a team to work on those systems.

[snip]

In 2009, when Fiat SpA took over Chrysler, CEO Sergio Marchionne tapped Mr. Betts to lead the company’s quality turnaround, giving him far-reaching authority over the company’s brands and even the final say on key production launches.

Mr. Betts abruptly left Fiat Chrysler last year to pursue other interests. The move came less than a day after the car maker’s brands ranked poorly in an influential reliability study.

Note, the poor quality ratings that preceded Betts’ departure from Fiat Chrysler pertained especially to infotainment systems, which points to electronics vulnerabilities generally.

As they get into the auto business, Apple and Google will have the luxury that struggling combustion engine companies don’t have — that they’re not limited by tight margins as they try to introduce bells and whistles to compete on the marketplace. But they’d do well to get this quality and security issue right from the start, because the kind of errors tech companies can tolerate — largely because they can remotely fix bugs and because an iPhone that prioritized design over engineering can’t kill you — will produce much bigger problems in cars (though remote patching will be easier in electric cars).

So let’s hope Apple’s new employee takes this hacking report seriously.

Every Senator Who Supports USA Freedom May Be Affirmatively Ratifying a Financial Dragnet

Now that I’ve finally got around to reading the so-called transparency provisions in Patrick Leahy’s USA Freedom Act, I understand that one purpose of the bill, from James Clapper’s perspective, is to get Congress to ratify some kind of financial dragnet conducted under Section 215.

As I’ve laid out in detail before, there’s absolutely no reason to believe USA Freedom Act does anything to affect non-communications collection programs.

That’s because the definition of “specific selection term” permits (corporate) persons to be used as a selector, so long as they aren’t communications companies. So Visa, Western Union, and Bank of America could all be used as the selector; Amazon could be for anything not cloud or communications-related. Even if the government obtained all the records from these companies — as reports say it does with Western Union, at least — that would not be considered “bulk” because the government defines “bulk” as collection without a selector. Here, the selector would be the company.

And as I just figured out yesterday, the bill requires absolutely no individualized reporting on traditional Section 215 orders that don’t obtain communications. Here’s what the bill requires DNI to report on traditional 215 collection.

(D) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of—
(i) the number of targets of such orders;
(ii) the number of individuals whose communications were collected pursuant to such orders; and
(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection;

The bill defines “individuals whose communications were collected” this way:

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—
(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or
(B)(i) who was a subscriber or customer of an electronic communication service or remote computing service; and
(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

Thus, the 215 reporting only requires the DNI to provide individualized reporting on communications related orders. It requires no individualized reporting at all on actual tangible things (in the tangible things provision!). A dragnet order collecting every American’s Visa bill would be reported as 1 order targeting the 4 or so terrorist groups specifically named in the primary order. It would not show that the order produced the records of 310 million Americans.

I’m guessing this is not a mistake, which is why I’m so certain there’s a financial dragnet the government is trying to hide.

Under the bill, of course, Visa and Western Union could decide they wanted to issue a privacy report. But I’m guessing if it would show 310 million to 310,000,500 of its customers’ privacy was being compromised, they would be unlikely to do that.

So the bill would permit the collection of all of Visa’s records (assuming the government could or has convinced the FISC to rubber stamp that, of course), and it would hide the extent of that collection because DNI is not required to report individualized collection numbers.

But it’s not just the language in the bill that amounts to ratification of such a dragnet.

As the government has argued over and over and over, every time Congress passes Section 215’s “relevant to” language unchanged, it serves as a ratification of the FISA Court’s crazy interpretation of it to mean “all.” That argument was pretty dodgy for reauthorizations that happened before Edward Snowden came along (though its dodginess did not prevent Clare Eagan, Mary McLaughlin, and William Pauley from buying it). But it is not dodgy now: Senators need to know that after they pass this bill, the government will argue to courts that it ratifies the legal interpretations publicly known about the program.

While the bill changes a great deal of language in Section 215, it still includes the “relevant to” language that now means “all.” So every Senator who votes for USAF will make it clear to judges that it is the intent of Congress for “relevant to” to mean “all.”

And it’s not just that! In voting for USAF, Senators would be ratifying all the other legal interpretations about dragnets that have been publicly released since Snowden’s leaks started.

That includes the horrible John Bates opinion from February 19, 2013 that authorized the government to use Section 215 to investigate Americans for their First Amendment protected activities so long as the larger investigation is targeted at people whose activities aren’t protected under the First Amendment. So Senators would be making it clear to judges their intent is to allow the government to conduct investigations into Americans for their speech or politics or religion in some cases (which cases those are is not entirely clear).

That also includes the John Bates opinion from November 23, 2010 that concluded that, “the Right to Financial Privacy Act, … does not preclude the issuance of an order requiring the production of financial records to the Federal Bureau of Investigation (FBI) pursuant to the FISA business records provision.” Given that Senators know (or should — and certainly have the ability to — know) about this before they support USAF, judges would be correct in concluding that it was the intent of Congress to permit the government to collect financial records under Section 215.

So Senators supporting this bill must realize that supporting the bill means they are supporting the following:

  • The interpretation of “relevant to” to permit the government to collect all of a given kind of record in the name of a standing FBI terrorism investigation.
  • The use of non-communication company corporate person names, like Visa or Western Union, as the selector “limiting” collection.
  • The use of Section 215 to collect financial records.
  • Not requiring the government to report how many Americans get sucked up in any financial (or any non-communications) dragnet.

That is, Senators supporting this bill are not only supporting a possible financial dragnet, but they are helping the government hide the existence of it.

I can’t tell you what the dragnet entails. Perhaps it’s “only” the Western Union tracking reported by both the NYT and WSJ. Perhaps James Cole’s two discussions of being able to collect credit card records under this provision means they are. Though when Leahy asked him if they could collect credit card records to track fertilizer purchases, Cole suggested they might not need everyone’s credit cards to do that.

Leahy: But if our phone records are relevant, why wouldn’t our credit card records? Wouldn’t you like to know if somebody’s buying, um, what is the fertilizer used in bombs?

Cole: I may not need to collect everybody’s credit card records in order to do that.

[snip]

If somebody’s buying things that could be used to make bombs of course we would like to know that but we may not need to do it in this fashion.

We don’t know what the financial dragnet is. But we know that it is permitted — and deliberately hidden — under this bill.

Below the rule I’ve put the names of the 18 Senators who have thus far co-sponsored this bill. If one happens to be your Senator, it might be a good time to urge them to reconsider that support.


Patrick Leahy (202) 224-4242

Mike Lee (202) 224-5444

Dick Durbin (202) 224-2152

Dean Heller (202) 224-6244

Al Franken (202) 224-5641

Ted Cruz (202) 224-5922

Richard Blumenthal (202) 224-2823

Tom Udall (202) 224-6621

Chris Coons (202) 224-5042

Martin Heinrich (202) 224-5521

Ed Markey (202) 224-2742

Mazie Hirono (202) 224-6361

Amy Klobuchar (202) 224-3244

Sheldon Whitehouse (202) 224-2921

Chuck Schumer (202) 224-6542

Bernie Sanders (202) 224-5141

Cory Booker (202) 224-3224

Bob Menendez (202) 224-4744

Sherrod Brown (202) 224-2315

PCLOB Chair David Medine on the 30% Claims

As Ken Dilanian pointed out in his story on the claim that NSA only collects 30% of phone records, in his testimony before the House Judiciary Committee, David Medine suggested “virtually all telephone records of every American” are collected — and he suggests these records are collected under Section 215.

Yet his references are more ambiguous than that. He admits that only some telecoms receive Section 215 orders.

The FISC order authorizes the NSA to collect nearly all call detail records generated by certain telephone companies in the United States, and specifies detailed rules for the use and retention of these records.

But then he makes 3 further references to some form of comprehensive collection.

And while eliminating a U.S. nexus to foreign plots can help the intelligence community focus its limited investigatory resources in time-sensitive situations by channeling efforts where they are needed most, our report questions whether the American public should accept the government’s routine collection of all of its telephone records because it helps in cases where there is no threat to the United States.

[snip]

Moreover, when the government collects all of a person’s telephone records, storing them for five years in a government database that is subject to high-speed digital searching and analysis, the privacy implications go far beyond what can be revealed by the metadata of a single telephone call.

[snip]

But while those rules offer many valuable safeguards designed to curb the intrusiveness of the program, in the Board’s view they cannot fully ameliorate the implications for privacy, speech, and association that follow from the government’s ongoing collection of virtually all telephone records of every American. [my emphasis]

With that in mind, I wanted to consider Medine’s answer to Richard Blumenthal’s questions about the 30% claims.

He starts by suggesting that if the claim were true it would not change PCLOB’s analysis.

Blumenthal: Would the apparent revelation that perhaps only a proportion of this telephone data was collected change in any way the conclusions of your report?

Medine: I don’t think we can address in public session the pros and cons of that conclusion but we’d be happy to meet with the committee in private session. But even if the reports are true it still means that hundreds of millions of telephone records are being collected and so, at least it’s my view, that it would not change the recommendations of the board.

The implication from this passage is that PCLOB did not know the collection was partial when they made their recommendations.

Medine’s dodges are more interesting in response to Blumenthal’s suggestion the Government has made false representations to Courts about obtaining all records (though note my comments on the ambiguity of that language here).

Blumenthal: Would it undercut the accuracy of the representations made by the United States Government to the Courts to justify this program?

Medine: Again, I don’t want to comment on that because some of this matter still remains classified and I think there’s more to be said on that but I don’t think it can be said in public session.

It seems that Medine suggests the Government’s claims are more complex than they might appear (though I may be reading into his answer my observation that the claims actually are ambiguous about how the government obtains its complete haystack).

Finally, Medine dodges again wholesale.

Blumenthal: Well, let me put it differently, wouldn’t you agree with me that the United States government has misled the Courts, whether purposefully or inadvertently in justifying this program on the basis that all telephone records are collected?

Medine: Again, I’m not prepared to confirm any of the reports that have been made and so I don’t want to draw any conclusions about representations that were made in court proceedings.

This answer may support the 30% claims more than earlier ones: it suggests Medine might be able to confirm such a claim.

Nevertheless, if the government has misrepresented the program, then so has Medine.

The one explanation that would address all this ambiguity, of course, is if the few providers that do receive orders provide the call records their backbones treat, not just the call records their own customers generate.

Radical Idea: the Legislature Ends Smith v. Maryland

The Senate Judiciary Committee hearing with the NSA Review Group just finished. There was no earth-shattering news. Perhaps the best one-liner from the hearing came when former CIA Deputy Director Mike Morell said that metadata is content (and I’m grateful he said it early in the hearing so it will make the evening news). Bizarrely, he claimed he just learned that while working on this report which is rather … unconvincing.

At the very end of the hearing, however, Senator Richard Blumenthal said something equally as important, which went something like,

Smith v. Maryland is about as outdated as any Supreme Court [sic] can be. Congress has an equal responsibility to protect the Constitution as the Supreme Court. There is no need to wait for the Supreme Court.

It’s a great idea, for the legislature to end Smith v. Maryland’s encroachment on the Constitution, and he’s right, Congress does have the authority to act.

But as far as I know, Blumenthal has yet to introduce a bill doing that.

GOP Not Anxious to End John Roberts’ Unilateral Reign Appointing FISA Judges

FWIW, Roger “Broccoli” Vinson aside, John Roberts has been appointing some solidly conservative, but nevertheless not lockstep Republicans to the FISA Court in recent years. But especially given the degree to which the FISC is now playing what former FISC judge James Robertson called a policy role, it is all the more inappropriate to have the Chief Justice, of whatever party, unilaterally pick FISC judges.

And some members of Congress — Adam Schiff in the House and Richard Blumenthal in the Senate — are trying to change that.

Curiously, however, while Republicans are happy to cosponsor legislation to force FISC to publish their opinions, Schiff, at least, has had no success finding a Republican cosponsor to support moves to take the FISC appointments out of John Roberts’ hands.

Schiff’s having a tougher time finding GOP co-sponsors for a second measure that would require Presidential nomination and Senate confirmation of FISA judges. Currently they are appointed by U.S. Supreme Court Chief Justice John Roberts.

I guess whatever claims GOP Representatives make about wanting to impose some controls on this dragnet take a back seat to maximizing party influence?

John Kerry Finally Meets a Close Election He Wants to Recount

The other day, Hugo Chavez’ successor Nicolás Maduro beat opposition leader Henrique Capriles Radonski by 2% of the vote. In the days since, opposition figures have sown violence, claiming vote fraud.

Yesterday, Secretary of State Kerry encouraged a recount.

Mr. Kerry, in comments to a House committee, said, “We think there ought to be a recount.” He added that he had not yet evaluated whether Washington would recognize Mr. Maduro’s victory.

This, in spite of a leaked recording of a close Capriles advisor admitting that this result was a political triumph but an electoral defeat.

This, in spite of the fact that when Bush beat Kerry with precisely the same percentage of the vote in 2004 amid reports of (limited) electoral oddities, Kerry chose not to demand a recount.

On November 2, 2004, George W. Bush beat John Kerry 50.7 percent to 48.3 percent. Venezuela’s foreign minister immediately (either that night or the day after) recognized the results: “we will hope that in this second mandate we can improve our relations.”

Fast forward nine years, and Nicolás Maduro beats Henrique Capriles with 50.7% of the vote and the US refuses to recognize the result. “Look, we’re just not there yet,” said a State Department spokesman (who now works for—wait for it—John Kerry). “Obviously, we have nearly half the country that had a different view. And so we’ll continue to consult, but we’re not there yet.”

Most interesting of all is something James Clapper just said in a Senate Armed Services Committee hearing. In response to a question from Richard Blumenthal about whether there had been fraud in the election, Clapper said (my rough transcription):

There may have been some, but it’s unclear whether it was of sufficient magnitude to merit recount. Right now it doesn’t appear to be.

In other words, even the intelligence says, whatever fraud there was, it wasn’t enough to affect the outcome.

At this point, the Administration’s hesitation at recognizing Maduro and Kerry’s support for a recount do nothing but stoke violence.

Which I can only assume is the point.

Richard Blumenthal Asks Eric Holder Where the Foreclosure Prosecutions Are

It took until Richard Blumenthal’s turn in Eric Holder’s appearance before the Senate Judiciary Committee today before Holder got asked about foreclosure fraud. Blumenthal generously suggested that, “I know the foreclosure crisis is on your agenda,” and then asked if we’ll ever see a prosecution on robosigning and other fraud.

Holder responded, at first, by pointing to state Attorneys General, claiming they are conducting investigations. I do hope he’s thinking of Eric Schneiderman, Beau Biden, and Catherine Cortez Masto, because the ones working on the settlement are pointedly avoiding any real investigation. Holder then further dodged, suggesting DOJ might find other ways–like civil suits–to hold these banks accountable.

Finally, and perhaps most interesting, Blumenthal asked why DOJ had not intervened in the Bibby, Donnelly v. Wells Fargo suit, a whistleblower suit against Wells Fargo, BoA, Chase, Ally, and others for the illegal legal fees the banks charged homeowners, including veterans.

Holder hedged in response to that question, promising he’d find out who had made the decision not to intervene and the basis for the decision.

Unfortunately, Blumenthal pointedly avoided asking for a 30 day response to that request. So an explanation for why DOJ isn’t helping to sue banks for the illegal fees they’ve charged will probably come long after DOJ settles for those illegal fees.

Does Treasury Believe Spreading Our Flawed Banking System Is a Solution to Terrorism?

Sheldon Whitehouse had a hearing on terrorist finance the other day. There was an interesting exchange that I think bears notice.

The hearing focused, in part, on hawalas, not least because DOJ recently prosecuted Mohammad Younis, the guy whose hawala Faisal Shahzad used to fund his terrorist attempt. Richard Blumenthal suggested (around 75:50 and following) that that funding may have come from Pakistani authorities (implicitly, the ISI). The FBI’s acting head of counterterrorism wouldn’t answer a question about that in public session.

A more interesting response came from Treasury’s Assistant Secretary for Terrorist Financing, Daniel Glaser. Sheldon Whitehouse asked him (at 92:50 and following) whether we were making progress on solving the problem hawalas create for counterterrorism efforts. Here’s my transcription of Glaser’s response:

Daniel Glaser: The reason hawala and other forms of informal remittances and informal money services exist is because there’s large communities around the world that don’t have access to formal financial services or affordable financial services. So the long-term quote-unquote solution to hawala is a generational one and it is about building an international financial system that everybody around the world has access to. Now, since that’s a long-term solution, we need to address the problem in a shorter term way as well.

[snip]

The way we try to approach it beyond the long term effort to make financial services available to everybody is regulatory prong, enforcement, international standards, and general economic development.

While Glaser described a four-pronged approach in his written testimony (and described in more detail in the parts of his response that I’ve snipped), he said the ultimate solution would come when international financial services were available to everyone.

So the way to solve terrorism, then, is to make sure everyone banks at Jamie Dimon’s bank?

That’s an exaggeration, of course. And unless and until bankers get squeamish about the way the US government is accessing SWIFT, integrating everyone into the formal finance system would give counterterror investigators transparency into terror financing. But given the state of the banking system–given how much more damage the international financial system has done to the world in the last decade than terrorism (leaving aside the effect of counter-terrorism and false counter-terrorism, like the Iraq War)–it troubles me that a high ranking Treasury Department official believes one solution to terrorism is modern banking.

Now Glaser strikes me as an incredibly intelligent and sincere guy–coming from him this “generational solution” sounded like a completely sincere idea. So while this comment made my spidey sense tingle, it didn’t in the way it would have if, say, TurboTax Timmeh Geithner had said it.

Nevertheless, here are some issues it raises.

Of COURSE Blumenthal Is Running against Civilian Law

Gregg has a post up expressing shock that Richard Blumenthal, CT’s craven Attorney General running to replace Chris Dodd, advocated against using civilian law for both Khalid Sheikh Mohammed and the UndieBomber, Umar Farouk Abdulmutallab. Gregg argues that Blumenthal’s stance (on this issue and on opposition to Bernanke’s reconfirmation) is directly counter to the Administration’s policy.

To which I’d respond in two ways.

  • Of course he’s running against civilian law.
  • It’s not so clear his stance on civilian law (as opposed to Ben Bernanke) is “completely counter to the position of the administration.”

Here’s a big chunk from Gregg’s post:

But listen to what comes next—listen to this relative non sequitur that Blumenthal volunteers without a prompting question:

I’m determined to chart my own course in Washington, different in many respects from the Administration. I’ve taken the position that the trial of Khalid Sheik Mohammed should be in a military tribunal away from the United States, or, I’m sorry, away from New York and New Haven, and on a number of other issues, for example opposing the reconfirmation of Bernanke as chairman of the Federal Reserve, I have charted my own course, I’m prepared to do it, and issue-by-issue debate either side in what I think is the right thing to do.

What this attorney general and former US attorney has to say about who supposedly is and is not entitled to their rights is pretty shocking,

[snip]

Yet, just over a year after the inauguration of this theoretically still popular president, the candidate for US Senate in Connecticut just went out of his way to distance himself from the White House on two hot issues—a civil trial for KSM and the reappointment of Ben Bernanke as Fed Chair.

But wait, there’s more.

Blumenthal was next asked about whether Christmas crotch-bomber Umar Farouk Abdulmutallab should have been brought into the US criminal process, and the question turned to Miranda rights (I apologize in advance for the meandering quote, but I want to give the entire context):

Let’s talk in real terms about what Mirandizing means. It means reading somebody their rights as opposed to simply interrogating them. I think there’s a general consensus now that in that instance there may have been no real need to read Miranda rights before some interrogation took place. And, in my view, with a terrorist, with our nation potentially at risk, interrogation should be pursued, and the consequences may be that some evidence may be inadmissible, but there is obviously in that case, overwhelming evidence without whatever may be gained or gleaned from the interrogation. So, bottom line, interrogation should have been pursued by a specially trained group of agents without necessarily a lawyer being present, and if at some point there was diminished usefulness to the interrogation, other criminal interrogation should have been applied perhaps by other authorities.

Yes, this is utter garbage—in terms of what actually happened to Abdulmutallab, what Miranda rights actually are, and who is entitled to them by law—but stick with me:

Very often the reading of rights diminishes the usefulness of subsequent interrogation, the reason being simply that the defendant chooses to have a lawyer present, or chooses to cease talking. And I would have pursued the interrogation without the Miranda rights because I believe that the usefulness of learning about contacts from Yemen and elsewhere in the world and potential immediate attacks that may be known to this individual outweigh the benefits of having that at the trial

Yes, more inaccuracies and inanities in search of a position, so questioner Lehrer wanted to clarify, should Abdulmutallab be tried in civilian court? “Probably not in criminal court,” says Blumenthal.

Stupid, yes, but importantly here, also completely counter to the position of the administration of a president still thought popular in Dick’s state.

Now, as I suggested, it should surprise no one that a “finger-in-the-wind” politician like Blumenthal is taking this stance against civilian law.

As I pointed out earlier this week, Scott Brown says he won in MA (which is slightly to the left of CT, if you look at it from my perspective) because he ran against civilian law.

Republicans discovered the renewed power of terrorism in last month’s special Senate election in Massachusetts. Neil Newhouse, the pollster for the Republican victor, Scott Brown, said voters responded to the way Mr. Brown framed the issue, supporting him 63 percent to 26 percent when told he favored charging suspected terrorists as enemy combatants in a military tribunal while his Democratic opponent would give them constitutional rights and a civilian trial.

“This moved voters more than the health care issue did,” Mr. Newhouse said. “The terrorism stuff resonated, and it wasn’t just from the advertising we did.” [my emphasis]

Scott Brown’s pollster found that MA voters–voting to replace Ted Kennedy, of all people!!!–were more than twice as likely to support Brown for advocating against civilian law than Martha Coakley, the AG from the state next door to Blumenthal’s, who supported it. Scott Brown won at least partly because he trashed civilian law (he even went so far as to endorse water-boarding explicitly, in MA, and still won).

And, as I also pointed out this week, in response to the lesson they took from the Brown win, Republicans are running hard against civilian law. “If this approach of putting these people in U.S. courts doesn’t sell in Massachusetts, I don’t know where it sells,” Mitch McConnell told someone at a Heritage event on February 3. He went on to say, “You can campaign on these issues anywhere in America.”

Now, I agree with Mitch McConnell on approximately nothing policy-wise. But he’s a smarter politician than a lot of guys on our side. And he, at least, believes “you can campaign” against civilian law “anywhere in the country.” Including Massachusetts. And, presumably, Connecticut.
