Book Review: An electronic Pearl Harbor is closer than you think

“Sandworm,” Doubleday, by Andy Greenberg

The Obama administration did not issue a single public rebuke after hackers knocked sections of Ukraine’s power grid offline on frigid December nights in 2015 and 2016. The unprecedented cyberattacks on civilian populations presaged the most devastating malware attack to date – the June 2017 onslaught of NotPetya, which also targeted Ukraine but went further. Hobbled, too, were international business partners including Danish shipping multinational Maersk and pharmaceutical giant Merck. Damage was in the billions. In the U.S., hospital surgeries were impacted.

In “Sandworm,” Andy Greenberg sets out to track down the hackers behind those attacks, and his page-turning narrative sounds the alarm: We have failed to adequately confront a looming, existential threat. Our largely unquestioning dependence on digital technologies compounds the threat of a digital doomsday. The more reliant we become, the greater the potential peril. Power generation, health care and other vital services are at risk. Foreign agents have penetrated vital U.S. infrastructure, though the U.S. could also threaten global stability if its cyber-capabilities are carelessly loosed.

The 316-page real-life thriller takes the reader to the front lines of global cyberconflict, where U.S., Ukrainian and other computer security researchers painstakingly work to solve the authorship riddle. It concludes that the culprits – initially dubbed ‘Sandworm’ by researcher John Hultquist after his team finds a reference to the Frank Herbert novel “Dune” in their code – are the same state-backed hackers who wreaked havoc on the 2016 U.S. presidential elections, stealing and exposing Democratic National Committee emails and breaking into voter registration databases in at least two states.

The military-backed Kremlin cyber-agents, it turns out, were also behind hacking of global anti-doping agencies and the U.S. power grid – and knocked 2018 Winter Olympics networks offline during opening ceremonies.

When he gets technical – no way around it, really – Greenberg, a senior writer at ‘Wired,’ keeps the geek jargon to a minimum. His previous book, “This Machine Kills Secrets,” explores how digital tech and the global Internet – where we are all publishers – have transformed whistleblowing and leaking, keying off the WikiLeaks saga.

In “Sandworm,” Greenberg exposes the still uncharted world of global cyber-competition – a perilous new front in warfighting that lacks norms and rules of engagement where human casualties seem inevitable. He describes, for one, how a nation’s own espionage tools can be dangerously turned against it and its allies, how programs written by U.S. National Security Agency uber-hackers to break into computers running on Microsoft operating systems wound up being exploited by Russian military hackers. Were they pilfered? Or leaked? That remains unclear.

“Sandworm” ranks with the multiple books by James Bamford and with Clifford Stoll’s 1989 “The Cuckoo’s Egg” as essential reading for grasping digital technology’s role in the evolution of global conflict. It takes us well past the intrigue of cyber-espionage to contemplate – now that the Trump administration has endorsed the use of offensive cyber operations – how a global digital arms race might spiral out of control.

“Permanent Record” By Edward Snowden

Headline: Snowden memoir: The spy who came out and told
(On AP: Abridged version)

By FRANK BAJAK
Oct. 28, 2019

Edward Snowden is mostly self-invented, the fruit of his own ingenuity. He’s a community college dropout, but he’s no layabout. If hacking, purely defined, consists in devising the simplest, most elegant way of getting what you want, then Snowden has always excelled at it, beginning when he set back every clock in the house at age 6 in order to stay up late.

The memoir “Permanent Record” from this computer whiz who exposed secret U.S. government mass domestic surveillance six years ago is already a headline. The government has sued to try to deny Snowden royalties for not allowing it pre-publication review. But I didn’t find any secrets he hasn’t already revealed.

A former CIA and National Security Agency systems engineer, Snowden is now a committed digital privacy activist with 4 million Twitter followers, charged with Espionage Act violations for which he says his conscience offered no other option. Civil disobedience is a long, proud tradition with practitioners including the republic’s founders, Snowden reminds, and the book does at times read like a manifesto.

If anyone grew up on the internet, it was Ed, who was intoxicated with its seemingly limitless potential for good. Snowden waxes poetic on the magic of the two-modem handshake when going online meant tying up the family phone line, which he did incessantly.

Before innocence was lost, the internet represented America’s true values to Snowden. Dorkishly, he read the U.S. Constitution cover to cover when it was offered free at work. Patriotism was ingrained in his upbringing. His parents quietly exercised it when clocking in daily at work. Dad was a Coast Guard techie. Mom held various government jobs.

The North Carolina-born Snowden hacked his way through adolescence in the shadow of Fort Meade, Maryland, the NSA’s home. His scheme for skating through high school with minimum effort – calculating what it took to get passing grades and doing no more – worked until Honest Ed explained it to a teacher.

Coming-of-age memoirs like Snowden’s typically recount personal journeys of moral and psychological discovery. That is the book’s strength. Others, most notably journalist Glenn Greenwald and filmmaker Laura Poitras, have already better chronicled the white-knuckled drama of how the most famous whistleblower since Daniel Ellsberg persuaded them to meet him in Hong Kong in 2013 so he could lift the lid on the NSA’s mass surveillance of U.S. citizens – the 21st century’s biggest scoop.

What Snowden does well, aided by novelist Joshua Cohen, his ghostwriter, is define the promise and dangers of digital technology and the wacky alchemy that grants system architects and administrators like him extraordinary power over people’s lives. His clear-cut explanations of complicated yet vital phenomena like the TOR privacy browser and encryption are especially instructive.

Looking back, Snowden most regrets his atavistic reaction to 9/11, how the 18-year-old Ed became “a willing vehicle of vengeance.” He enlists in the Army, hoping to join the Special Forces – only to break his leg in basic training. He’d been at Fort Meade the day of the attacks, coding for an employer who lived on the base, and joined the vehicular exodus as thousands fled the NSA’s gleaming black towers.

Engrossing is Snowden’s description of how he used his programming skills to create a repository of classified in-house jots on the NSA’s global snooping – and built a backup system for agency data he called EPICSHELTER. Reading through the repository – and through his research during a short stint as a briefer on Asian cyberthreats – Snowden begins to understand just how badly the government was stomping on its citizens’ civil liberties. The “bulk collection” program was called STELLARWIND.

Snowden became sullen. “I felt more adult than ever, but also cursed with the knowledge that all of us had been reduced to something like children, who’d been forced to live the rest of their lives under omniscient parental supervision. I felt like a fraud.”

The rest is history: Snowden’s aborted flight from Hong Kong to Ecuador, stymied when the U.S. canceled his passport, stranding him in Moscow, where he lives in forced exile with longtime girlfriend, now wife, Lindsay Mills. If that relationship was ever tested, Snowden is not saying. He turns the book over to Mills for a late chapter taken from her diaries when he disappears without a trace – then shows up on everyone’s TV screen – and the FBI is on her like flypaper. By then, the narrative has gone thin.

Snowden says he came to realize, in 2011 as he was deciding to blow the whistle on the NSA, that it wasn’t just the government that was endangering our liberty by amassing and categorizing our data. Back in the U.S. from Japan, he meets his first Internet-equipped ‘smart fridge.’ He is aghast.

Here he was, getting all exercised about U.S. government snooping while surveillance capitalists similarly spied on acquiescent consumers, rendering them a product that “corporations sold to other corporations, data brokers and advertisers.” Worse, people were being persuaded to surrender control of their data to corporations for storage “in the cloud.”

Snowden, at age 28, had soured on his beloved internet. “The Internet that had raised me was disappearing. And with it, so was my youth. The very act of going online, which had once seemed like a marvelous adventure, now seemed like a fraught ordeal.”

“Every transaction was a potential danger.”

Two years later, he’d share his discoveries with the rest of us.

Brazil Looks to Break from U.S.-Centric Internet

RIO DE JANEIRO (AP) — Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments.

President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google.

The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner.

Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

Read full article on AP Big Story

Brazil’s about ready to poke out the “Five Eyes”

A Twitter wag asked today why Glenn Greenwald doesn’t just unload all his Snowden-endowed dirt on who is spying on Brazil in one article. I thought of the old journalistic saw: “Why, to sell newspapers, of course.” Sounds quaint, eh?

The Canadians reportedly busted open encryption to have their way with Brazil’s mining ministry. We’d already heard that the NSA spied on Petrobras and President Rousseff’s inner circle. Still to come: Details on how Brazil spies on its citizens. Have patience. Brazilian colleagues are surely working it.

It will be time soon for an update on the divorce Rousseff is preparing from the U.S.-centric Internet. Plenty of experts think that’s a bad idea and will only encourage Balkanization by really nasty regimes already bent on inhibiting the free flow of information.

The Most Important Snowden Documents Yet

I have always trusted Bruce Schneier, author of the much-respected 1996 “Applied Cryptography.”

Glenn Greenwald showed Schneier some of the Snowden documents that featured in today’s stories by The Guardian, The New York Times and ProPublica. They are the most important, upsetting revelations to date from the Snowden trove. Without doubt.

The NSA, says Schneier, has been breaking most of the encryption on the Net. He says the U.S. government has betrayed the Internet and we need to take it back.

Schneier summarizes what the NSA has done to make the Internet a more dangerous place and five ways to stay safe online: Hide in the network. Encrypt your communications. Assume that while your computer can be compromised, it would take work and risk by the NSA – so it probably isn’t. Be suspicious of commercial encryption software, especially from large vendors. Try to use public-domain encryption.

The NSA was told in the mid-1990s that it could not have the Clipper Chip, the backdoor it wanted into our digital lives. Silicon Valley and Bill Gates objected. By 1996 the Clipper Chip was defunct. So the NSA decided to begin breaking-and-entering on its own. Without our approval.

Greenwald/Snowden gave the public some time to prepare today’s disclosure. First, give it a series of primers on the extent to which the NSA is spying on the American public (not to mention allies). Then unload this zinger.

I want more details. What exactly is compromised? Is everything I do using SSL on my Mozilla Firefox browser compromised?

Boing Boing tweeted KEEP CALM AND USE OPEN SOURCE CRYPTO. Excellent advice. Time to revise my anti-surveillance toolkit.

Two small encrypted email services down. Hire the lawyers.

The Snowden backlash is only just beginning. And so is the resistance. Expect U.S. tech companies that have given the National Security Agency direct access to your data to suffer commercially. How badly, hard to say. Depends on how deep the public outrage. Three of Germany’s biggest Internet services, one of them Deutsche Telekom, announced they’ll encrypt customers’ emails. Unfortunately, their encryption appears to be a bad joke. Here’s the Chaos Computer Club release (German).

The U.S. government forced the hand of a small Texas-based email service. It seems clear that Lavabit’s owner, Ladar Levison, shut down rather than agree to grant the government access to the data of customers. Snowden is reported to have been among his users. Levison has set up a legal defense fund and is accepting contributions. He likely received a National Security Letter, a search warrant or a subpoena with a gag order attached. He can’t say but he says he’s preparing an appeal to the 4th Circuit.

“This experience has taught me one very important lesson: without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States,” The New York Times quoted Levison as saying. I can’t find an image of him online.

The other U.S. email service that preemptively shut down belonged to Silent Circle, a company co-founded by Phil Zimmermann, creator of Pretty Good Privacy encrypted email. It says it wiped the discs containing all that email. The encryption keys were on the servers. Not so with the keys that Silent Circle uses for its text-messaging, video and voice comms services. They are end-to-end secure. The encryption keys are erased when the communication ends.

Now, which big U.S. tech companies will join the legal challenge in defense of First and Fourth Amendment rights?

Yahoo is the only one known to have challenged a gag order of the type Levison apparently got.

The Internet Archive’s Brewster Kahle, an Internet giant committed to nothing less than providing “universal access to all knowledge,” successfully fought a gag order and is one of the few people who can openly discuss what it’s like to get a National Security Letter. Read here the New Yorker’s interview with him about it.
Meanwhile, more and more people are posting PGP public keys to servers.

Anti-Surveillance tools and tips – not just for journalists

(updated May 12, 2023)

Long before Snowden, we who snoop in the public interest knew that if we weren’t being watched we would be eventually. So we took steps to protect ourselves. Digital self-defense is now vital for everyone, not just journalists. Our toolboxes are ongoing projects. This is mine, and I am grateful to the coders who help protect us. Questions/suggestions/criticisms encouraged.

SECURE BROWSING
The point of greatest vulnerability in Internet interaction is the browser. So we use end-to-end encryption via Secure Sockets Layer, or SSL. I like the browser add-on “HTTPS Everywhere” from the Electronic Frontier Foundation. HTTPS does not hide the IP addresses of the sites you visit from “sniffers.” What it does is encrypt your online interactions with a website.

ANONYMOUS ON THE INTERNET
If you want to hide your activity, there’s Tor, short for The Onion Router. Tor is designed to hide your IP address and erase your online footprints. It is best with a VPN (virtual private network) connection. It is open source, free and backed by a nonprofit. It encrypts connections and bounces them through a random set of servers called onion routers operated by volunteers. Browsing is slower, but much more secure. Human rights activists and journalists swear by Tor. So do ransomware syndicates. Don’t expect it to work against the NSA or other parties with sophisticated surveillance tools. Download it here.
How Tor works.

Tor is best used with a VPN proxy service. They circumvent censors. Use one with exit nodes in multiple countries that doesn’t log your activity. Choose your service carefully and trust Yael Grauer of Consumer Reports and Wirecutter.

ANONYMOUS SEARCH
Duckduckgo.com is the most popular anonymous alternative to Google’s search engine. Its makers explain why it’s a good idea even if you’re not trying to hide from the NSA or other spooks. It has its own web crawler and also uses other sites. There’s a Duckduckgo Firefox browser extension. Another good option is the Epic privacy browser that’s built on top of Firefox. Google search can be run through a Tor browser for more complete results. Google will demand that you prove you are not a machine. Startpage is an anonymous search engine hosted in the U.S. and the Netherlands that gets its results from Google. Startpage also offers encrypted email.

EMAIL ENCRYPTION
Pretty Good Privacy (PGP) doesn’t just encrypt your email. It also authenticates messages with digital signatures. Plus it encrypts disk partitions and files. What it does not do is hide from eavesdroppers the identity of those with whom you are communicating. The easiest to use of the free PGP products is the combination of Enigmail and the Thunderbird email client. Protonmail.com (Swiss-based) is good and private but I would hesitate to trust them completely.

VOICE COMMS/TEXT:
For texting and calls the gold standard is Signal. It is free. WhatsApp uses the same end-to-end encryption tech but its owner is Meta. It tracks user activity — who you communicate with and when — and works hard at getting your address book. The best endorsement of Signal was the $50 million gift to the foundation that runs it from WhatsApp co-creator Brian Acton. Signal’s president, Meredith Whittaker, is no friend of Big Tech, either. Signal’s creator, Moxie Marlinspike, is not to be upstaged. I’m inclined to believe him when he says Telegram is not to be trusted.

AUDIO/VIDEO COMMS and CHAT
Use meet.jit.si. It creates a secure video/audio chatroom to which one can invite multiple parties.

DISC ENCRYPTION
Encrypt an entire drive or create virtual disks to store data you don’t want seen even by an intruder. Security expert Bruce Schneier recommends BestCrypt. As do I.

SAFE TRAVELS
A strategy is vital for what to do if border security people demand you unlock the data on your cellphone or laptop so they can review it. You especially need this if you handle info sensitive enough to get someone killed if revealed. Not carrying your work devices is one travel option. Putting your data on a cloud-based encrypted backup service like SpiderOakOne is another.

EFF has this Guide for Travelers Carrying Digital Devices.

Whatever you do, make sure you LOCK your PHONE with a long password. No less than eight digits.

FURTHER READING:
(There is a lot out there! Do send me links to guides not listed that should be)

A good guide with a catchy name to open source, free infosec solutions: https://prism-break.org/
The Committee to Protect Journalists’ infosec page.
Press Freedom Foundation compendium of online security tools and how they work.
Surveillance Self-Defense from EFF: https://ssd.eff.org/
The Tactical Tech Collective has a very good list of tools and a how-to booklet at SecurityinaBox.org