Bruce Sterling will give away and sign some of his books Saturday 5pm-7pm at ATX Hackerspace, 1601 Rutherford Lane, Suite A200 in Austin. Sponsored by EFF-Austin. Drop by, hang out, get to know Hackerspace, walk away with a signed volume of sci fi or hacker crackdown journalism.

ATX Hackerspace Link

Soldier at the 9/11 Memorial at the Pentagon.
Photograph by Matt McClain, The Washington Post/Getty Images.
Image credit: National Geographic

Being a sequence of quotations from contemporary articles contextualizing the visit of the rising Vice President of China amidst a conspicuously timed introduction of unprecedented domestic cybersecurity legislation.

National Post Full Comment (Feb 14) – “From bitter gruel, Xi Jinping to ascend to China’s top job” by Peter Goodspeed
http://fullcomment.nationalpost.com/2012/02/14/xi-jinping/

He arrives in Washington Tuesday on the first stop of a week-long tour of the United States in one of the final diplomatic rituals he must undergo before becoming China’s next leader.

Now vice-premier, Mr. Xi is widely expected to replace President Hu Jintao as secretary-general of the Chinese Communist Party in October, when China will change 60% of the members of the party’s Central Committee and replace seven of the nine members on the ruling Standing Committee of the Politburo.

By spring 2013, he should replace Mr. Hu as president, then become chairman of the Central Military Commission.

Meanwhile…

Hillicon Valley (Feb 13) – “Senate cybersecurity bill would let firms appeal Homeland Security regulations” by Gautham Nagesh
http://thehill.com/blogs/hillicon-valley/technology/210349-senate-cybersecurity-bill-would-let-firms-appeal-regulations

The legislation would task the Department of Homeland Security with determining which sectors of the economy would be covered by new cybersecurity regulations, after risk assessments in consultation with the private sector, the intelligence community and others.

But designated sectors would have the right to appeal whether the regulations apply to them. Several groups representing portions of the private sector considered part of the critical infrastructure have expressed concern about the impact of the regulations on both security and the bottom line.

“Passing the bill is crucial for national security, but not if the provisions on critical infrastructure regulation are watered down. This will be a real test for this Congress,” said James Lewis, senior fellow and director at the Center for Strategic and International Studies.

James A. Lewis is one of the star witnesses for the Senate Homeland Security and Governmental Affairs Committee’s hearing this Thursday on what has been termed “comprehensive” cybersecurity legislation being unveiled by Majority Chair Joe Lieberman and co-sponsor Minority Chair Susan Collins. Senator John (Jay) Rockefeller IV is the other primary co-sponsor, and will be the first witness at Thursday’s hearing.

Examples of sectors considered likely to fall under the new regulations are utilities, water treatment plants and transportation providers. Some sectors, such as major financial institutions and telecom providers, may ask for exemptions based on a demonstrated ability to secure their systems.

After determining which firms are critical infrastructure, DHS would then, in consultation with the private sector, determine cybersecurity performance requirements for firms in the covered sectors.

…

“There would be a huge market incentive for designated sectors to meet the security standards. But if they don’t DHS and the AG would decide on penalties,” said the spokesman.

What about international cybersecurity standards and practices?

WSJ (Jan 27) – “China’s Cyber Thievery is National Policy—And Must Be Challenged” by former NSA Director Mike McConnell, former Secretary of DHS Michael Chertoff, and former Deputy Secretary of Defense William Lynn.
http://online.wsj.com/article/SB10001424052970203718504577178832338032176.html
This appears to be a copy liberated from between the lines of Rupert Murdoch’s curious digital divide:
http://defense-technologynews.blogspot.com/2012/02/dtn-news-defense-intelligence-news.html

The bottom line is this: China has a massive, inexpensive work force ravenous for economic growth. It is much more efficient for the Chinese to steal innovations and intellectual property—the source code of advanced economies—than to incur the cost and time of creating their own. They turn those stolen ideas directly into production, creating products faster and cheaper than the U.S. and others.

Cyberspace is an ideal medium for stealing intellectual capital. Hackers can easily penetrate systems that transfer large amounts of data, while corporations and governments have a very hard time identifying specific perpetrators.

Stewart A. Baker, another witness for Thursday’s hearing, on the metaphorical wall isolating domestic and foreign intelligence gathering: “I thought that the civil liberties dangers it was supposed to ward off were probably more theoretical than real.”
http://www.skatingonstilts.com/skating-on-stilts/tired-of-reading-chapters-backwards.html

Continuing with the perspectives expressed in the WSJ:

The report to Congress notes that the U.S. intelligence community has improved its collaboration to better address cyber espionage in the military and national-security areas. Yet today’s legislative framework severely restricts us from fully addressing domestic economic espionage. The intelligence community must gain a stronger role in collecting and analyzing this economic data and making it available to appropriate government and commercial entities.

Congress and the administration must also create the means to actively force more information-sharing. While organizations (both in government and in the private sector) claim to share information, the opposite is usually the case, and this must be actively fixed.

National Journal (Feb 13) – “Feinstein Introduces Information-Sharing Bill Ahead Of Senate Cybersecurity Debate” by Josh Smith
http://techdailydose.nationaljournal.com/2012/02/feinstein-introduces-informati.php

Feinstein’s proposal would require the government to designate an agency as a “cybersecurity exchange” to coordinate information sharing; allow the government to share classified cybersecurity information with certain private-sector organizations; and provide liability protection for companies that share information.

“Alongside terrorism, cybersecurity is perhaps the number one threat facing our nation today, but many obstacles exist that prevent the cooperation and coordination needed to deter this growing threat,” Feinstein said in a statement.

NextGov (Feb 13) – “DHS budget would double cyber spending to $769 million” by Aliya Sternstein
http://www.nextgov.com/nextgov/ng_20120213_7454.php

There is bipartisan support for improving computer network defenses, so the outlook may be positive for obtaining much of the proposed $769 million from Congress. The funding would go toward the National Cyber Security Division for protecting federal networks and coordinating with the private sector on safeguarding critical infrastructure systems such as utility grids.

For perspective:

U.S. Department of Defense (Feb 13) – “DOD Releases Military Intelligence Program Requested Top Line Budget for Fiscal 2013″
http://www.defense.gov/releases/release.aspx?releaseid=15058

The Department of Defense released today the military intelligence program (MIP) requested top line budget for fiscal 2013. The total request, which includes both the base budget and Overseas Contingency Operations appropriations, is $19.2 billion.

The department determined that releasing this top line figure does not jeopardize any classified activities within the MIP. No other MIP budget figures or program details will be released, as they remain classified for national security reasons.

What is the mood of the Senate, and the posture towards the private sector?

United States Senate Democrats (Feb 9) – ‘[Senate Majority Leader Harry] Reid Outlines Process For Cybersecurity Legislation, Including “Fair and Open” Amendment Process [in letter to US Chamber of Commerce CEO Tom Donohue]‘:
http://democrats.senate.gov/2012/02/09/reid-outlines-process-for-cybersecurity-legislation-including-%E2%80%9Cfair-and-open%E2%80%9D-amendment-process/

I was struck by the testimony of the leaders of our Intelligence Community at recent Intelligence Committee hearings. Director of National Intelligence James Clapper called cyber security “a profound threat to this country, to its future, its economy, and its very being.” And Robert Mueller, Director of the Federal Bureau of Investigation (FBI), stated that, “stopping terrorist attacks with the FBI is the present number one priority, but down the road, the cyberthreat, which cuts across all programs, will be the number one threat to the country.” Think about that: in the years to come, malicious cyber activity will pose a threat to our country greater than terrorism. We simply cannot afford to repeat the mistakes of the past by failing to prepare for the leading threats of the future.

Yet, addressing cyber security is not simply a matter of staving off a future threat; it demands that we stop the hemorrhaging of national security secrets, intellectual property, and jobs already underway. In a recent letter to Senate Republican Leader McConnell and myself, eight former high-ranking national security officials led by Secretary of Homeland Security Michael Chertoff and Secretary of Defense William Perry pointed out that, not only are critical infrastructure such as power plants and hospitals at risk; moreover, “foreign states are waging sustained campaigns to gather American intellectual property – the core assets of our innovation economy – through cyber-enabled espionage.” They counseled that the “constant barrage of cyber assaults has inflicted severe damage to our national and economic security, as well as to the privacy of individual citizens. The threat is only going to get worse. Inaction is not an acceptable option.”

At this point, all signs indicate informed consensus for this legislation to pass quickly through Committee into an opportunity for debate culminating in passage through the Senate.

In closing, witness Stewart A. Baker from his text Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism, (Stanford, California: Hoover Institution Press, 2010), p. 5-6.
http://www.skatingonstilts.com/skating-on-stilts/tired-of-reading-chapters-backwards.html

In the 1990s, after a term as the National Security Agency’s top lawyer, I spoke out in favor of keeping a wall between spies and cops. The idea was simple enough. Agencies like the National Security Agency (NSA) gathered intelligence on a global scale, and they rarely observed the legal constraints that applied to domestic policemen. To protect the civil liberties of Americans, it only made sense to separate intelligence gathered in that way from evidence assembled in a criminal investigation. With a wall between the two, criminal investigators from agencies like the Federal Bureau of Investigation (FBI) would be forced to observe the legal restrictions that went with criminal investigative tools. They wouldn’t be tempted to take the shortcut of using intelligence that had been gathered with less attention to civil liberties.

That was the theory, anyway. In practice, the wall crippled our last, best chance to catch the hijackers before September 11, 2001. In August of that year, the wall kept the FBI from launching a fullscale criminal search for the hijackers—even though all of our security agencies were expecting an imminent al Qaeda attack, and even though both the FBI and the Central Intelligence Agency (CIA) knew that two dangerous al Qaeda operatives had entered the United States. The failure to track those operatives down wasn’t a matter of incompetence or a failure to communicate, at least not in the last weeks. FBI criminal investigators spent the last part of August begging for a chance to track the terrorists. They were shut down cold—by lawyers who told them the wall simply could not be breached.

I wasn’t the most enthusiastic proponent of the wall. I thought that the civil liberties dangers it was supposed to ward off were probably more theoretical than real. But I saw no harm in building in an extra margin of protection for civil liberties. If nothing else, the wall would reassure privacy advocates in the courts, in the newspapers, and on Capitol Hill that intelligence would not be misused. It was insurance, not just for civil liberties, but for the intelligence agencies themselves. For both reasons, I thought, it was best to keep the wall high.

It made eminent sense inside the Beltway.

Until the world outside the Beltway broke through, just a few yards from where I’m standing.

Will the world outside the Beltway be heard in the composition of these new laws and during the creation of these new authorities? Are the new cyber sabers already rattling?

A website called “Frugal Dad” offers this infographic covering various issues of online privacy:

Clay Shirky has the best overview I’ve seen/heard/read of PIPA and SOPA and the context from whence they emerged:

Bottom line: the legilsation’s about wanting us to be passive consumers, not producing and not sharing.

I put on my $DAYJOB CTO hat for Midas Green Tech and facilitated a conference call with Sean McLaughlin, the Chief of Staff for the Judiciary Committee, and executives from CoreNAP and DataFoundry today.

Sad to say, it’s not dead yet.  The “Internet experts hearing” that the Oversight committee was planning has apparently been canceled, so that’s a loud voice in opposition that the House probably won’t get to hear.

http://oversight.house.gov/index.php?option=com_jcalpro&Itemid=1&extmode=view&extid=363

The requirements to force ISPs to edit DNS results are apparently out, so that’s good.

Search engines will still be required to block results.

Visa and Mastercard will still be required to stop the financial flows.

Supposedly your hosting company won’t be required to look over your shoulder to see what’s going on on your site, but some legal eagles have noted that the only way for a hosting company to avoid penalty will probably be to….Look over your shoulder.

Now, to be fair, Sean did keep pounding on the point that “this applies only to foreign web sites.”  My problem is what’s really “foreign” in these days of the Internet / World Wide Web / globalization?

The next big event is the cloture vote on the 24th in the Senate.  For more info on that see

http://www.publicknowledge.org/blog/pipa’s-january-24th-vote-and-how-filibuster-w

EFF-Austin just received this press release from the Computer and Communications Industry Association:

Contact:
Heather Greenfield
202-783-0070 ext 113
hgreenfield@ccianet.org
Ed Black
202-783-0070 ext 110

FOR IMMEDIATE RELEASE:
January 12, 2012

Washington – Senate Judiciary Chairman Patrick Leahy has put out a statement may add a provision to study the impact of DNS blocking before that provision within the controversial PROTECT IP bill (PIPA) would take effect. The offer to suspend the timing of DNS blocking comes after cybersecurity experts in the Obama administration and those implementing the latest cybersecurity measure known as DNSSEC have warned PIPA and the latest cybersecurity measures the government has spent the last ten years developing are incompatible. Internet engineers and cybersecurity experts have written to Congress about their serious concerns.

The following can be attributed to Computer & Communications Industry Association President & CEO Ed Black:

“I hope this statement signals a recognition they didn’t understand this issue when the bill was drafted. We hope this means they will step back, talk to stakeholders, identify and focus on the real problem they’re trying to solve and target that. But it seems more likely to be aimed at newer opponents of the bill that haven’t absorbed how harmful the legislation would still be, even if there was a firm commitment to remove DNS blocking, which there isn’t.

“This DNS blocking was the tip of the iceberg in terms of the broad range of real problems with the approach of SOPA and PIPA. The DNS blocking was easy to understand and remove. Those who value the functioning of the Internet and the jobs that depend on it should now focus on the provisions of the legislation that still cause much collateral damage to the Internet.

“Those pushing this flawed bill discounted a lot of early concerns voiced by Internet experts about the bill. The DNS blocking was just one glaring flaw that would harm cybersecurity. There are a lot of other concerns they seem to continue to ignore about the collateral damage to the Internet that are also well founded. If the offer to further study the DNS blocking provision were a sign of real willingness to step back in general and rethink this bill, then it would be meaningful.”

About CCIA:
CCIA is an international, nonprofit association of computer and communications industry firms, representing a broad cross section of the industry. CCIA is dedicated to preserving full, fair and open competition throughout our industry. Our members employ more than 600,000 workers and generate annual revenues in excess of $200 billion.

Guest post by Mark Boyden

Found this recently (from July 2011, read article for full text, images, videos, documents, and deeper links):

Police To Begin Using Iris Scans From Controversial Iphone App, FED Forms “Center For Identity” At U-Texas Austin Campus

~ Alternative News Report – July 21, 2011

Representatives from private industry and the US federal government has already made a discreet presentation to college students in Austin Texas this spring where the concept of a series of “National Identity Management Centers” aka “The Center For Identity” was introduced to students.

I have wondered WHY this presentation was made on a college campus to college students, most of whom are gullible and many are still innocent to the beguiling tactics of surreptitiously introduced socialism and mass population surveillance programs by the federal government. Restated: most college kids do not understand what “social engineering” means, or “mass indoctrination by media gradualism.”

Until just recently if you were to try to explain these mind control methods to college kids they would hop on their skateboards and laugh it off. But that en mass naivete is now changing. “The Center For Identity” on the University of Texas at Austin has already been planned and now has a web presence.

A close friend, college aged, and a student in Austin, who attended this presentation told me later the entire ambiance of the material was creepy, hard to understand and altogether very ambiguous.

Just exactly WHAT is a “national identity management center’? I examined the literature which was handed out at this presentation and it was all cloaked in well familiar magnanimous federal platitudes about ‘personal identity security” and so forth. There was even a letter included from President Obama. The specific term “RFID” was not referenced in the literature, but I had the very distinct feeling that once these federally staffed “national identity management centers” become operative, that RFID, Iris scans, facial recognition, DNA scans and a host of other high technology personal identification methods will be deployed through the centers. There is a partnership forming between high level corporations and the federal government to establish these “national identity management centers” for profit. That was made very clear in the documents that I examined. I have posted some of these documents at the end of this report.

Read the entire article, view the videos, and included documents, at Alternative News Report.

Former EFF-Austin Director Cory Doctorow thinks that there’s a war on general purpose computing.

Transcript at

https://github.com/jwise/28c3-doctorow/blob/master/transcript.md

But it’s not as bad as all that. It’s not a “war” on GP computers–in
fact things would grind to a halt rapidly without a continual supply of
the very speedy and infinitely mutable CPUs that make modern tech work
and progress.

What will happen–in fact is already happening–is the shift of data
storage and muscular data processing off of the commonplace
laptop/desktop model that we have today to the “cloud.” Aside from the
obvious privacy issues, this is not all bad. Take a look at the Google
ChromeOS model. Lose your ChromeBook? No big deal, just go get another
one, log in, and there’s your stuff. Viruses? Not your problem.
Apple’s Siri is another cloud app bellwether. A few milliseconds of
crunching on a CPU in a datacenter, plus some database dips provide
version 1.0 of an actual intelligent agent application that would be
impossible to implement in a meaningful way on a desktop. So the trend
is back toward centralization of data and processing, not a war on
computing. Great risks come with centralization though.

As for cars, aircraft, and the like, code signing and other security
tools _must_ be deployed in life safety and other critical applications.
Designers and developers who implement these systems using commercially
available and open source general purpose operating systems need to be
flogged. Yes, it’s cheap and fast, but it’s not good. Just ask Siemens
and the Iranians. We need to have a lot more R&D on building hardened
Real Time Operating Systems for critical applications to run on, and
have better testing and development procedures for those applications
and RTOS’s.

Centralization of personal data favors the oppressor and the marketer.
Implementing the centralization (which is going to happen, market
forces are too strong) without getting the security and privacy right
is a greater risk, and the real battle ground.

High-tech law enforcement under scrutiny

This post concludes EFF Austin’s investigation of DART’s #OpWardrive; here’s our initial post, announcement of operation cancellation, and update on the open records request.

In our last post, we summarized our inquiry into the City of Austin Police Department’s Digital Analysis Response Team’s (DART) Operation Wardrive, concluding that it was now up to the City to provide the documents responsive to our open records request which the Office of the Attorney General (OAG) declared were not exempt from disclosure. In a letter dated December 16th (notably well within the ten calendar day deadline initiated on December 13th), the City of Austin responded by postal mail with copies of the remaining documents.

Here’s the cover letter and documents:

Operation Wardrive Open Records Request – City of Austin Response – December 16, 2011

Included were two new documents: an “Operational Briefing” and a “Synopsis of Operation.” The operation objective is worth reproducing in full:

Operation Objective
Crack down on unsecured wireless networks in residential neighborhoods.

The Austin Police DART Unit plans to conduct a ‘wardriving’ mission around select Austin neighborhoods in an effort to educate its citizens to secure their wireless networks.

‘Wardriving’ refers to the technique of searching for unsecured wireless networks by driving the streets armed simply with a laptop or smartphone seeking network connections. When unsecured networks are found, the Police detectives will pay a friendly visit to the household or small business, informing them of the risks they are exposing themselves to and attempt to assist in securing their wireless network.

The Synopsis provides a little additional information:

Detectives should log the locations where they have made contact with residents and identify them on provided activity sheet.

There are a few items worth emphasizing here:

1. EFF Austin requested “All documents and communications related to the selection and identification of Austin locations, neighborhoods, and/or individual citizens that will be targeted by ‘Operation Wardrive’”. The Briefing specifies target locations as “Austin Neighborhoods,” while the objective mentions “select Austin neighborhoods.” We are left to presume the neighborhoods selected would be left to the recognizance of DART detectives or decided and communicated off-the-record, perhaps during the 30-minute briefing on September 22nd prior to the operation.
2. EFF Austin requested “All documents and communications related to the devices, software, and other technologies that will be utilized to identify Austin locations with unencrypted broadband networks.” The Briefing indicates wardriving may be practiced “simply with a laptop or smartphone seeking network connections” but does not explicitly declare this as the tools or techniques DART would be deploying.
3. EFF Austin requested “All documents and communications related to the policies governing the protection and security of the information obtained during ‘Operation Wardrive’”. The Synopsis instructs detectives to log the names and addresses of individual citizens they paid “friendly visit[s]” to, thus creating public records of open wireless access points – one of EFF Austin’s original concerns.
4. Perhaps most revealingly, EFF Austin requested “All documents and communications related to The City of Austin’s, Austin Police Department’s, the Digital Analysis Response Team’s, or other Austin governmental agency’s recommendations and/or suggested practices for securing wireless broadband networks.” We did not receive a single document, nor can we find a single sentence responsive to this inquiry, leaving one to ask: how could DART “Crack down on unsecured wireless networks in residential neighborhoods” if the City of Austin was unable to locate a single document explaining how citizens or detectives are supposed to go about securing those networks?

Perhaps DART detectives have received special training towards that end…

Standard Operating Procedures

The last document included in the City’s response was an unredacted version of the APD DART Standard Operating Procedures (SOP), available in the embed above. The City provided EFF Austin with a redacted version of the SOP while appealing to the Office of the Attorney General, insisting that disclosure might interfere with law enforcement and crime prevention efforts. The OAG disagreed, forcing the City to release the complete document. It is an interesting read we encourage you to review, revealing the marching orders of one of the most venerable computer forensics and cybercrime prevention units in the country.

Within the previously censored sections of the document, EFF Austin found an item that might be worth further exploration.

The duties of the Sergeant of DART, the ranking officer of what appears to be a team of five detectives, are described in section .05.C.1 under “Personnel Duties, Authority, and Responsibilities.” Item “aa” on page 5 states:

Act as unit coordinator with the Austin Metro High Tech Foundation (AMHTF) Board of Directors:

1. Prepare annual budget for December meeting which projects anticipated expenditures of the AMHTF monies over the upcoming calendar year.
2. Supervise expenditures of these budgeted monies over the budget year and authorize all expenditures from these monies.
3. Prepare annual reports for the board of directors meetings itemizing budgeted expenditures for the previous year.
4. Prepare reimbursement request(s) for the AMHTF, as needed, to recover monies from authorized expenditures. Provide a receipt for all items in the reimbursement request.
5. Authorize disbursements from and provide accounting on the travel and training fund provided by the AMHTF.

What is the Austin Metro High Tech Foundation? Some historical perspective can be found at what appears to be the Foundation’s most recent website, a lonely Geocities relic worthy of review for its quirky mid-90′s Internet aesthetic alone. Quoting from the site:

The Austin Metro High Tech Foundation (AMHTF) is an organization founded by local companies and law enforcement personnel to battle high-tech crime in the Austin Metro area. The Foundation began in mid-1994, when seven area security managers decided to join with local law enforcement to form a policing unit dedicated to investigating high-tech crimes.

Since 1994, the Foundation membership has grown, along with the expertise of the law enforcement personnel assigned to high-tech crimes.

And what does the Foundation do – or rather what did the Foundation do at this time?

Foundation members provide funds, training and in-kind donations to support the law enforcement community’s high-tech crime efforts. The funds are used for education, equipment and travel required by law enforcement personnel. The benefit to members is the increase in prosecutions and restitution associated with high-tech crimes.

This 1999 LA Times story (“Tech Firms Pay Police Agencies to Fight Cyber Crime”) mentions the Austin foundation, and its byline (“Law enforcement: Intel funds sheriff’s unit that chases computer pirates. Some fear conflict of interest.”) hints at reasons why AMHTF may opt for a low profile.

This is not to say funding from the Foundation is without cause or merit; from the article:

When losses mounted from armed robberies at computer chip plants in Austin in the early ’90s, the city’s high-tech companies decided to finance a private nonprofit group to train officers to deal with the problem. Through the Austin Metro High Tech Foundation, firms including IBM and Dell Computer Corp. annually donate up to $10,000 each for investigators’ training, travel and equipment.

In return, businesses–including Applied Micro Devices, National Instruments and Motorola Corp.–say they expect law enforcement to treat computer crime as seriously as drugs and gang violence.

In 1999, according to the article’s author, public sentiment was decidedly mixed on the appropriateness of private corporations funding specific law enforcement efforts narrowly focused on crime prevention within their business sector. Is that the cause for AMHTF deciding to assume a low public profile? Is that the reason why public servants of the City of Austin attempted to perpetuate the Foundation’s low profile through selective application of the secrecy attendant on the darkness of redaction?

In the cleansing sunlight, perhaps we’ll see.