FBI

Latest

  • Lavabit was under FBI pressure to decrypt Snowden connections, court reveals

    by Jon Fingas
    10.02.2013

    When Lavabit shut down in the wake of Edward Snowden's leaks, it left a big question unanswered: just what did the US government want that was supposedly so egregious? Thanks to newly unsealed court documents obtained by Wired, we now know much more of the story. The FBI had served Lavabit an order requiring that it hand over Snowden's encryption keys, helping the agency install a device that would collect metadata from its suspect's email connections. Lavabit repeatedly turned down the requests since it could have given access to data from every user of the service -- at one point it did serve up the SSL keys, but printed out on 11 pages in 4pt type -- which led to threats of criminal contempt charges and fines. We all know what happened afterward -- company founder Ladar Levison chose to shutter Lavabit rather than comply with the FBI's demands. While the new details aren't shocking given the government's desire to catch Snowden, they help explain Levison's past statements; he felt that it was better to defend Lavabit in court than risk violating the privacy of his customers.

  • Daily Roundup: Kindle Fire HDX review, Xi3's Piston console impressions, Silk Road shut down and more!

    by David Fishman
    10.02.2013

    You might say the day is never really done in consumer technology news. Your workday, however, hopefully draws to a close at some point. This is the Daily Roundup on Engadget, a quick peek back at the top headlines for the past 24 hours -- all handpicked by the editors here at the site. Click on through the break, and enjoy.

  • FBI seizes black market website Silk Road, arrests its founder

    by Jon Fingas
    10.02.2013

    Light just reached one of the darker corners of the web: the FBI has seized Silk Road, a site infamous for hosting anonymized, Bitcoin-based drug and gun sales. The move follows a sting operation that also led to the arrest of site founder Ross Ulbricht (aka Dread Pirate Roberts) for alleged hacking, money laundering and narcotics trafficking. While the seizure isn't likely to stop online contraband purchases, it's potentially a big blow. At current Bitcoin values, Silk Road generated $1.2 billion in revenue from just two years of operation -- the kind of cash that we'd expect from a large, legitimate e-commerce venture. The FBI's move also demonstrates that anonymizing technology like Tor won't always keep law enforcement at bay.

  • FBI turning to private sector to hack phones, exploit unknown security holes

    by Steve Dent
    08.02.2013

    Thanks to the NSA PRISM revelations we've all lost our innocence about government cyber-spying, but how far down that rabbit-hole has law-enforcement gone? Revelations from the Def Con hacking conference in Las Vegas show that such tactics are old hat for another US anti-crime department: the FBI. For instance, one ex-official said that the bureau's analysts (shown above) can routinely turn on the microphones in laptops and Android devices to record conversations without a person's knowledge. On top of such in-house expertise, a private sector cottage industry has sprung up around cyber surveillance, marketing programs that can also hack handheld devices and PCs. One company even markets "zero day" bugging software that exploits unknown security holes -- meaning crime lords can't just patch their browsers to avoid detection. [Image credit: Wikimedia Commons]

  • Microsoft says it freed at least 2 million PCs from Citadel botnets

    by Alexis Santos
    06.18.2013

    Earlier this month, Microsoft announced that it took down 1,400 Citadel botnets with the help of the FBI, and now Ballmer and Co. have divulged just how big of an impact the effort had. According to Richard Domingues Boscovich, the firm's Digital Crimes Unit assistant general counsel, the operation freed at least 2 million PCs across the globe from the malicious code -- and that's a conservative estimate by his reckoning. It's believed that more than $500 million has been stolen from bank accounts thanks to information gleaned from keystrokes logged by computers afflicted with the software. Though the chief botnet organizer is still on the loose and many machines are still burdened by Citadel, Domingues Boscovich says they "feel confident that we really got most of the ones that we were after." [Image credit: Edmund Tse, Flickr]

  • Google asks US government to let it publish more national security requests for data, including FISA disclosures (update: Microsoft, Facebook too)

    by Donald Melanson
    06.11.2013

    Google CEO Larry Page and Chief Legal Officer David Drummond made a general call for more transparency in their response to the PRISM revelations last week, and Drummond has gotten quite a bit more specific with that request today. In a post on the company's Public Policy blog, he says that he's sent a letter to offices of the Attorney General and the Federal Bureau of Investigation asking that Google be allowed to publish aggregate numbers of the national security requests for data it receives, including FISA disclosures, "in terms of both the number we receive and their scope." Those numbers, he says, "would clearly show that our compliance with these requests falls far short of the claims being made," adding, "Google has nothing to hide." You can find the full letter at the source link below. Update: Reuters is reporting that Microsoft also wants Uncle Sam to loosen up and let it be more transparent with the "volume and scope" of national security requests and FISA orders. "Our recent report went as far as we legally could and the government should take action to allow companies to provide additional transparency," Ballmer and Co. added. Update 2: Hot off the heels of Redmond's call to the US government, Facebook is voicing similar sentiments regarding increased transparency. "We urge the United States government to help make that possible by allowing companies to include information about the size and scope of national security requests we receive," read a statement released by the social network.

  • PRISM got you worried? Seecrypt app promises secure calls and texts

    by Kelly Hodgkins
    06.10.2013

    Want to hide your data from the prying eyes of the US government and its information-gathering program PRISM? A team of South African developers may have an encrypted-communications solution for iOS that'll let you call and text in complete privacy. As noticed by the Daily Caller, the Seecrypt group recently updated the Seecrypt app which lets you "make and receive unlimited, secure voice calls and text messages between Seecrypt Mobile-enabled devices, anywhere in the world." It works over any carrier's data network and uses end-to-end, military-grade encryption to protect all your VoIP calls and text messages. Because all the calls and texts are transmitted as an encrypted data stream, any snooping programs will only know that you sent some data and cannot detect when or how long you made a call or exchanged messages. The service is available for US$3 per month and comes with a free three-month account trial. The Seecrypt app is available for free from the iOS App Store. It's also available for Android. [Via The Daily Caller]

  • Washington Post: NSA, FBI tapping directly into servers of 9 leading internet companies (update)

    by Richard Lawler
    06.06.2013

    On the heels of yesterday's revelation that the NSA is bulk collecting call logs from Verizon Business customers, the Washington Post is reporting tonight on another initiative, code named PRISM. According to the report, it gives the FBI and NSA access to "audio, video, photographs, e-mails, documents and connection logs" from the central servers of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL (parent company of Engadget), Skype, YouTube and Apple. Another program called BLARNEY sniffs up metadata as it streams past "choke points" on the internet, continuing the theme of bulk scooping of data most would think is private. The Post's knowledge of these programs comes from PowerPoint slides (like the one shown above) provided by a "career intelligence officer" driven to expose how deep it goes. So what can the project allegedly see? Analysts based at Fort Meade use search terms to determine at least 51 percent confidence in a subject's "foreignness" before pulling data, which can include that of people found in a suspect's inbox. On Facebook, they can utilize the service's built-in search and surveillance capabilities, monitor audio, video, chat and file transfers or access activity on Google's mail, storage, photo and search services. So... are you still logged in? Update 4: Now we've come full circle, as the original Washington Post article has been expanded to include the various companies' responses and denials (listed after the break). Another element that has changed is the mention of another classified report that suggests these companies may not be knowingly participating, and the NSA's access may not be as direct as originally claimed. Claiming the difference may be the result of "imprecision" by the NSA author, the arrangement is now described as "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations."

    Update (June 7th): Google has now issued a longer statement, signed by CEO Larry Page and Chief Legal Officer David Drummond, which reiterates its earlier comments and also calls for a "more transparent approach" from both other companies and governments alike. Update 2 (June 7th): Facebook CEO Mark Zuckerberg has denied involvement on his personal page, stating "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers...We hadn't even heard of PRISM before yesterday." Like the others, he claimed Facebook only provides information "if it is required by law" and mirrored Page's call for more transparency regarding government programs.

  • Google Transparency Report now includes the FBI's National Security Letters

    by Jon Fingas
    03.05.2013

    Google's Transparency Report has sometimes supplied an unsettling level of detail as to what companies and governments want to know. Americans won't feel much more comfortable now that Google has added the FBI's National Security Letters to the mix. The investigative branch wants the numbers vague for secrecy's sake, but curious residents at least have access to annual data that shows the range of requests for information and roughly how many users were affected -- in this case, about 1,000 to 2,000 Google account holders every year since 2009. Google is quick to note that it does what it can to narrow the scope of requests and require search warrants for anything private. We're slightly reassured by that extra line of defense, although the Transparency Report's addition is still a reminder that the government is watching some of us.

  • WSJ and NYT accuse Chinese hackers of infiltrating their newsgathering systems

    by Darren Murph
    01.31.2013

    And the saga continues. Just a year after Bloomberg News was reportedly targeted by Chinese hackers, both The Wall Street Journal and The New York Times have independently published reports suggesting that they too are being probed. Both organizations seem to think that it's all part of a larger scheme, with Chinese hackers sifting through newsgathering systems of outlets that are reporting on touchy subjects. As the Times puts it: "The attacks appear to be part of a broader computer espionage campaign against American news media companies that have reported on Chinese leaders and corporations." When asked about such a possibility, China's Ministry of National Defense (unsurprisingly) denied the allegations, noting that "to accuse the Chinese military of launching cyberattacks without solid proof is unprofessional and baseless." As it stands, the FBI is already looking into various attacks of this nature, but strangely, the hacking attempts aren't being universally viewed as malicious. Paula Keve, chief spokeswoman for Dow Jones & Co., stated: "Evidence shows that infiltration efforts target the monitoring of the Journal's coverage of China, and are not an attempt to gain commercial advantage or to misappropriate customer information." As you'd expect, both outfits are stepping up security in a major way in hopes of fending off any future attempts.

  • JFK worker who helped steal 3600 iPad minis nabbed by FBI

    by Steve Sande
    11.18.2012

    Justice has prevailed! The FBI has arrested a worker at New York's JFK airport who acted as a lookout for a pair of accomplices who stole 3,600 iPad minis last week. Renel Rene Richardson (not to be confused with René Ritchie of iMore.com) was arrested after co-workers told Port Authority detectives that he had made inquiries about when the iPad minis were supposed to arrive, as well as where he might get a forklift. The New York Post stated that after being arrested, Richardson accompanied Port Authority detectives on a search for the getaway truck on Long Island. It's not known whether the stolen iPads have been recovered, or if they're in the process of being fenced. Apple 2.0's Philip Elmer-DeWitt noted that Apple probably has the serial numbers of the heisted minis on file, but won't be able to trace their location until they are activated. Elmer-DeWitt also pointed out that dozens of new iPad minis were being listed Sunday morning on Craigslist (see listing at the top of this post). While this might not be associated with the JFK iPad heist, the advertiser is certainly trying to move the merchandise...

  • iPhone appealing as BYOD smartphone thanks to security warning

    by Steve Sande
    10.16.2012

    When it comes to mobile devices in enterprises, Apple's iOS platform leads the way. But according to an opinion post by Computerworld's Jonny Evans, iOS may become even more dominant in enterprise computing thanks to a security warning about Android devices that came from the Internet Crime Complaint Center (IC3), a Federal task force that includes the Federal Bureau of Investigation (FBI), the National White Collar Crime Center and the Bureau of Justice Assistance. That security scare, dealing with Android malware, isn't the only reason why corporate IT departments are welcoming iPhones into companies as "bring your own device" (or BYOD) equipment. As Evans notes, a new system from HID Global brings government-level biometric security to the iPhone, and the next iPhone could feature built-in identification technology from Microlatch and Apple-owned AuthenTec. Evans lists six reasons why Apple provides the most secure BYOD smartphones on the market:

      1. Apple's iOS is inherently more secure than Android for a host of reasons, not least device fragmentation and the availability of security updates.
      2. Apple's App Store is more secure because it is curated.
      3. The FBI and others note the frequency of malware attacks on poorly protected Android devices.
      4. BYOD means enterprises are looking to standardize around a set of secure devices, but need to make those decisions sooner, not later.
      5. Solutions are already available that allow an iPhone to meet government agency-level security requirements, including secure monitoring of communications sent using that device.
      6. With the Lightning data transfer protocol, Apple is already laying the ground for future device security improvements.

    In conclusion, Evans notes that "the platform's current position as the world's most secure mass market mobile OS makes it the best platform for enterprise deployments." It's a good read for anyone in corporate IT or who is attempting to persuade their employer to allow iOS devices in a BYOD situation.

  • David Schuetz cracked the case of stolen iPhone UDIDs

    by Kelly Hodgkins
    09.11.2012

    Earlier this week, Blue Toad publishing confirmed that it, and not the FBI, was the source of 1 million UDIDs leaked by hacker group AntiSec. The company was tipped off by mobile security expert David Schuetz of Intrepidus Group, who spent days poring through the data and discovered references to Blue Toad and its employees. It's an impressive piece of work by Schuetz, who details how he discovered the Blue Toad link in a lengthy blog post on Intrepidus Group's website. His story is well worth the read when you have a few minutes to spare. [Via Apple 2.0]

  • Blue Toad publishing claims itself as source of leaked UDID database

    by Kelly Hodgkins
    09.10.2012

    According to a report by NBC News, a small publishing company is the source of Apple UDIDs leaked by hacker group AntiSec. AntiSec and Anonymous claimed the UDIDs were stolen from an FBI employee's laptop, but the governmental agency denied that it was the source of the leak. Paul DeHart, CEO of Blue Toad publishing company, told NBC News that his company compared the leaked Anonymous database with its own database and found a 98 percent correlation between the two datasets. DeHart did not provide details, but said forensic analysis by his company showed the data had been stolen within the past two weeks.

  • FBI to roll out $1 billion public facial recognition system in 2014, will be on to your evildoing everywhere

    by Jason Hidalgo
    09.09.2012

    They're watching you -- or at least will be in a couple of years. That's when the FBI is gearing up for a nationwide launch of a $1 billion project designed to identify people of interest, according to the New Scientist. Dubbed the Next Generation Identification (NGI) program, the high-tech endeavor uses biometric data such as DNA analysis, iris scans and voice identification to track down folks with a criminal history. The FBI also plans to take NGI on the road literally by using public cameras to pick faces from the crowd and cross check them with its national repository of images. Let's just say this facial technology isn't going to be used for lighthearted Japanese vocaloid hijinks or unlocking your electronic device. The use and scope of NGI, which kicked off a pilot program in February, will likely be questioned not just by black helicopter watchers but privacy advocates as well. Facial recognition has certainly been a touchy issue in privacy circles -- something Facebook learned firsthand in Germany. Meanwhile, the Electronic Frontier Foundation is already raising concerns about innocent civilians being mixed up or included in the database. Naturally, the FBI claims that the NGI program is in compliance with the U.S. Privacy Act. On the positive side, at least they didn't name it the Genetic Lifeform and Disk Operating System.

  • Apple denies giving FBI any iOS device UDIDs, raises questions over AntiSec claims

    by Jon Fingas
    09.05.2012

    Hacking group AntiSec (connected to Anonymous and LulzSec) made some bold claims Tuesday that it had obtained the unique device identifiers (UDIDs) of 12 million iOS devices from an FBI laptop, setting more than a few people on edge. The FBI has already denied that anything was stolen, but Apple has gone one step further to argue that it had no involvement. Spokeswoman Natalie Kerris tells AllThingsD that Apple hasn't given UDIDs to the FBI "or any organization" -- suggesting that either AntiSec or the FBI isn't telling the whole story of what data emerged and where. Even if there are real UDIDs floating around, Kerris adds that they don't necessarily pose much danger. She notes that programming hooks in iOS 6 will provide an alternative to UDID for device-specific data, and that apps will eventually be forbidden from using the older identifiers altogether. While the truth in the situation is hard to pin down, the technical reality doesn't leave much risk that our iPads and iPhones will be compromised. At least, not after this month.

  • FBI and Apple separately deny being source of leaked iPhone UDIDs

    by Kelly Hodgkins
    09.05.2012

    Yesterday, hacker group AntiSec released 1 million UDIDs from a pool of 12 million that it allegedly obtained from an FBI-issued laptop. The group used this high-profile leak to accuse the FBI of spying on the American public. Late on Tuesday, the FBI responded to AllThingsD with its own statement that says it was not the source of the leak: "The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data." The FBI reiterated this statement on its Twitter account with a strong denial that says, "We never had [the] info in question. Bottom Line: TOTALLY FALSE." Apple also chimed in and said it did not give the UDIDs to the FBI or anyone else. Apple spokesperson Natalie Kerris told AllThingsD that, "The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization. Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID."

  • Hackers reportedly leak 1M iOS UDIDs (updated)

    by Kelly Hodgkins
    09.04.2012

    Update: The New York Times reports that the F.B.I. has released a statement saying there's no indication that an FBI laptop was compromised or that the FBI sought out the data to begin with. Hacker group AntiSec claims to have 12 million iPhone and iPad UDIDs it obtained during an attack on an FBI agent's compromised notebook, according to a report in The Next Web. It made 1 million of the stolen UDIDs publicly available in a file posted on Pastebin. The UDID is a unique 40-digit code assigned to each iOS device and is often used by developers to distribute beta apps to an iOS device. Besides the UDID, some records in the FBI database also contained names, addresses, mobile phone numbers and other identifying information. The group stripped out most of the personal information from the 1 million leaked records, but left the Apple Device ID, Apple Push Notification Service DevToken, Device Name and Device Type, so users can search for their device. You can find the UDID of your iOS device using these directions and then search for your UDID in the leaked records using this tool at The Next Web. [Via AppleInsider]

  • Judge rules Facebook users can share friends' profiles with the feds

    by Donald Melanson
    08.16.2012

    It's not the backdoor access that the FBI has been pushing for, but US District Judge William Pauley III has now ruled that it and other law enforcement agencies are entitled to view your Facebook profile if one of your "friends" gives them permission to do so. As GigaOm reports, that ruling comes as part of a New York City racketeering trial, in which one of the accused, Melvin Colon, had tried to suppress evidence turned up on Facebook that led to his indictment. That information was obtained through an informant who gave investigators access to the profile, something that Colon had argued violated his rights against unreasonable searches and seizures under the Fourth Amendment. In the ruling, Judge Pauley dismissed that claim, likening the Facebook access instead to a phone wiretap in which one person on the call allows the government to monitor it -- a practice that has been ruled constitutional. GigaOm also has the ruling in its entirety at the source link below for those interested.

  • FBI finally goes digital, Mulder and Scully start throwing out the filing cabinets

    by Daniel Cooper
    08.01.2012

    The FBI has announced that, after 12 years and $600 million, it has finally abandoned paper records in favor of a computerized system called Sentinel. Resembling a browser, it offers question-and-answer forms, case tracking and an ability to share files across the bureau's network. Assistant director Jeffrey Johnson said that the biggest hurdle was convincing paper-loving agents to get on board, so the system is designed to nag users into adding relevant data that's still extant on dead-trees. With any luck, some enterprising young agent will take advantage of the extensive database to find out the real location of Area 51.