High-risk Colombians say GPS devices only add to dangers

By FRANK BAJAK

August 1, 2022

The bulletproof vehicles that Colombia’s government assigns to hundreds of high-risk individuals are supposed to make them safer. But when an investigative reporter discovered they all had GPS trackers, she only felt more vulnerable — and outraged.

No one had informed Claudia Julieta Duque — or apparently any of the 3,700-plus journalists, rights activists and labor and indigenous leaders who use the vehicles — that the devices were keeping constant tabs on their whereabouts. In Duque’s case, it happened as often as every 30 seconds. The system could also remotely cut off the SUV’s engine.

Colombia is among the world’s most dangerous countries for human rights defenders — with more than 500 killed since 2016. It is also a country where right-wing extremists have a track record of infiltrating national security bodies. For Duque, the GPS revelation was chilling: Movements of people already at risk of political assassination were being tracked with technology that bad actors could weaponize against them.

“It’s something super invasive,” said Duque, who has been a persistent target of rogue security agents. “And the state doesn’t seem to care.”

The government agency responsible has said the trackers were installed to help prevent theft, to track the bodyguards who often drive the vehicles and to help respond to dangerous situations.

For a decade, Colombia had been installing trackers in the armored vehicles of at-risk individuals as well as VIPs, including presidents, government ministers and senators. The agency’s director made that disclosure after Duque learned last year through a public records request that the system was recording her SUV’s location an average of five times an hour.

The director dismissed privacy concerns and called the practice “fundamental” to guaranteeing security.

Considering the tracker a danger to her and her sources, Duque pressed for details on its exact features. But the National Protection Unit, known as UNP in Spanish, offered little. She then demanded the agency remove the device. It refused. So in February, Duque returned the vehicle, left the country and filed a legal challenge.

Now back in Bogotá, she is hoping for satisfaction when Gustavo Petro, Colombia’s first leftist president, takes office Aug. 7.


Secretive, never profitable Palantir makes market debut

By FRANK BAJAK
September 30, 2020

BOSTON (AP) — Seventeen years after it was born with the help of CIA seed money, the data-mining outfit Palantir Technologies is finally going public in the biggest Wall Street tech offering since last year’s debut of Slack and Uber.

Never profitable and dogged by ethical objections for assisting in the Trump administration’s deportation crackdown, Palantir forged ahead Wednesday with a direct listing of its stock, gaining 31% in its first trading day.

The big question for both investors and company management: Can Palantir successfully transition from a business built on the costly handholding of government customers to serving corporate customers at scale? The company is a hybrid provider of software and consulting services that often embeds its own engineers with clients.


AP Exclusive: Colombia ‘panic buttons’ expose activists







By FRANK BAJAK

It is supposed to help protect human-rights activists, labor organizers and journalists working in risky environments, but a GPS-enabled “panic button” that Colombia’s government has issued to about 400 people could be exposing them to more peril.

The pocket-sized devices are designed to notify authorities in the event of an attack or attempted kidnapping. But the Associated Press, with an independent security audit, uncovered technical flaws that could let hostile parties disable them, eavesdrop on conversations and track users’ movements.

There is no evidence the vulnerabilities have been exploited, but security experts are alarmed.

“This is negligent in the extreme,” said Eva Galperin, director of cybersecurity at the nonprofit Electronic Frontier Foundation, calling the finding “a tremendous security failure.”

Over the past four years, other “distress alarms” and smartphone apps have been deployed or tested around the world, with mixed results. When effective, they can be crucial lifelines against criminal gangs, paramilitary groups or the hostile security forces of repressive regimes.


Snapping up cheap spy tools, nation ‘monitoring everyone’







By FRANK BAJAK and JACK GILLUM

LIMA, Peru — It was a national scandal. Peru’s then-vice president accused two domestic intelligence agents of staking her out. Then, a top congressman blamed the spy agency for a break-in at his office. News stories showed the agency had collected data on hundreds of influential Peruvians.

Yet after last year’s outrage, which forced out the prime minister and froze its intelligence-gathering, the spy service went ahead with a $22 million program capable of snooping on thousands of Peruvians at a time. Peru — a top cocaine-producing nation — joined the ranks of world governments that have added commercial spyware to their arsenals.

The purchase from Israeli-American company Verint Systems, chronicled in documents obtained by The Associated Press, offers a rare, behind-the-scenes look into how easy it is for a country to purchase and install off-the-shelf surveillance equipment. The software allows governments to intercept voice calls, text messages and emails.

Except for blacklisted nations like Syria and North Korea, there is little to stop governments that routinely violate basic rights from obtaining the same so-called “lawful intercept” tools that have been sold to Western police and spy agencies. People tracked by the technology have been beaten, jailed and tortured, according to human rights groups.

Targets identified by the AP include a blogger in the repressive Central Asian republic of Uzbekistan, opposition activists in the war-ravaged African nation of South Sudan, and politicians and reporters in oil-rich Trinidad and Tobago in the Caribbean.

“The status quo is completely unacceptable,” said Marietje Schaake, a European Union lawmaker pushing for greater oversight. “The fact that this market is almost completely unregulated is very disturbing.”


A year in digital insecurity – nothing, and no one is safe







I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.

Credit: Andy Greenberg

In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that “nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team). Customers of 55 U.S. health care providers were hacked, the biggest being Anthem, which did not encrypt Social Security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware, which holds data hostage, is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself a trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities.  Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June. Weakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.

Brazil Looks to Break from U.S.-Centric Internet







RIO DE JANEIRO (AP) — Brazil plans to divorce itself from the U.S.-centric Internet over Washington’s widespread online spying, a move that many experts fear will be a potentially dangerous first step toward fracturing a global network built with minimal interference by governments.

President Dilma Rousseff ordered a series of measures aimed at greater Brazilian online independence and security following revelations that the U.S. National Security Agency intercepted her communications, hacked into the state-owned Petrobras oil company’s network and spied on Brazilians who entrusted their personal data to U.S. tech companies such as Facebook and Google.

The leader is so angered by the espionage that on Tuesday she postponed next month’s scheduled trip to Washington, where she was to be honored with a state dinner.

Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.


Brazil’s about ready to poke out the “Five Eyes”







A Twitter wag asked today why Glenn Greenwald doesn’t just unload all his Snowden-endowed dirt on who is spying on Brazil in one article. I thought of the old journalistic saw: “Why, to sell newspapers, of course.” Sounds quaint, eh?

The Canadians reportedly busted open encryption to have their way with Brazil’s mining ministry. We’d already heard that the NSA spied on Petrobras and President Rousseff’s inner circle. Still to come: Details on how Brazil spies on its citizens. Have patience. Brazilian colleagues are surely working it.

It will be time soon for an update on the divorce Rousseff is preparing from the U.S.-centric Internet. Plenty of experts think that’s a bad idea and will only encourage Balkanization by really nasty regimes already bent on inhibiting the free flow of information.

 

The Most Important Snowden Documents Yet







I have always trusted Bruce Schneier, author of the much-respected 1996 “Applied Cryptography.”

Glenn Greenwald showed Schneier some of the Snowden documents that featured in today’s stories by The Guardian, The New York Times and ProPublica. They are the most important, upsetting revelations to date from the Snowden trove. Without doubt.

The NSA, says Schneier, has been breaking most of the encryption on the Net.  He says the U.S. government has betrayed the Internet and we need to take it back.

Schneier summarizes what the NSA has done to make the Internet a more dangerous place and five ways to stay safe online:  Hide in the network. Encrypt your communications. Assume that while your computer can be compromised, it would take work and risk by the NSA – so it probably isn’t.  Be suspicious of commercial encryption software, especially from large vendors. Try to use public-domain encryption.

The NSA was told in the mid-1990s that it could not have the Clipper Chip, the backdoor it wanted into our digital lives. Silicon Valley and Bill Gates objected. By 1996 the Clipper Chip was defunct. So the NSA decided to begin breaking-and-entering on its own. Without our approval.

Greenwald/Snowden gave the public some time to prepare today’s disclosure. First, give it a series of primers on the extent to which the NSA is spying on the American public (not to mention allies). Then unload this zinger.

I want more details. What exactly is compromised? Is everything I do using SSL on my Mozilla Firefox browser compromised?

Boing Boing tweeted KEEP CALM AND USE OPEN SOURCE CRYPTO. Excellent advice. Time to revise my anti-surveillance toolkit.

Two small encrypted email services down. Hire the lawyers.







The Snowden backlash is only just beginning. And so is the resistance. Expect U.S. tech companies that have given the National Security Agency direct access to your data to suffer commercially. How badly, hard to say. Depends on how deep the public outrage. Three of Germany’s biggest Internet services, one of them Deutsche Telekom, announced they’ll encrypt customers’ emails. Unfortunately, their encryption appears to be a bad joke. Here’s the Chaos Computer Club release (German).


The U.S. government forced the hand of a small Texas-based email service. It seems clear that Lavabit’s owner, Ladar Levison, shut down rather than agree to grant the government access to the data of customers. Snowden is reported to have been among his users. Levison has set up a legal defense fund and is accepting contributions. He likely received a National Security Letter, a search warrant or a subpoena with a gag order attached. He can’t say but he says he’s preparing an appeal to the 4th Circuit.

“This experience has taught me one very important lesson: without Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States,” The New York Times quoted Levison as saying.  I can’t find an image of him online.

The other U.S. email service that preemptively shut down belonged to Silent Circle, a company co-founded by Phil Zimmermann, creator of Pretty Good Privacy encrypted email. It says it wiped the discs containing all that email. The encryption keys were on the servers. Not so with the keys that Silent Circle uses for its text-messaging, video and voice comms services. They are end-to-end secure. The encryption keys are erased when the communication ends.

Now, which big U.S. tech companies will join the legal challenge in defense of First and Fourth Amendment rights?

Yahoo is the only one known to have challenged a gag order of the type Levison apparently got.

The Internet Archive’s Brewster Kahle, an Internet giant committed to nothing less than providing “universal access to all knowledge,” successfully fought a gag order and is one of the few people who can openly discuss what it’s like to get a National Security Letter. Read here the New Yorker’s interview with him about it.

Meanwhile, more and more people are posting PGP public keys to servers.