*************************************************************** Security-news A security bulletin for autonomous resistance movements Produced by the folks who bring you http://security.tao.ca *************************************************************** March 24, 3002 Just when you think things can't possibly get worse, they always seem to. The past week of war and the several weeks leading up to it have been truly terrible times for the global population awaiting yet another American assault on the world. At the same time, the struggles against the war globally have been truly inspiring to participate in and to watch from afar. The thousands who have been arrested in the United States, the hundreds of thousands marching in the streets every day around the world - these are the moments we are fighting to keep in a world increasingly repressing its dissident voices. With resistance comes repression, and it is in this vein that we put out the 13th Security-news. We urge our brothers and sisters to stay strong and safe in these times of struggle. ********************************** Security-news: Issue #13 - Contents ********************************** * Upcoming Event: Little Sister 2003 * News & Analysis: These Are Not Your Father's Wiretaps * News & Analysis: U.S. Steps Up Secret Surveillance * How to: There's a War On - Do you know where your data is? ***** Event: Little Sister 2003 ***** Little Sister 2003 Community Resistance, Security, Law and Technology May 9-11 Vancouver, British Columbia (Coast Salish Territory) All activist folks interested in security issues during this heightened time of global crackdown should seriously plan to attend this three day conference! The Little Sister website is up and running at https://littlesister2003.org. There is information Conference registration and workshop submissions are handled at this site. PLEASE NOTE that the workshop sub and registration deadlines are fast approaching - so get your applications in to us asap! We believe that our greatest strength in defeating the security and legal maneuvers used against us as community organizers is by unifying and building common cause in our movements. This means building diverse coalitions who are willing to support each other in order to create safe spaces for opposition to the policies and practices of governments and corporations. Ultimately, as organizers, our goal is to resist the injustices our communities face, while retaining our physical and emotional freedom. It is these themes on which the Little Sister 2003 organizing committee is building the conference program. Visit our website for more info or email us at info@littlesister2003.org Little Sister 2003 Organizing Committee ***** News & Analysis: These Are Not Your Father's Wiretaps By Jane Black, Business Week February 27, 2003 ***** In the old days, tapping a phone was as easy as one-two-three. All calls ran over Ma Bell's copper wires. To listen in, law-enforcement agents simply requested that the phone company isolate the suspect's wire and record any calls made or received. One phone company. One network. One flip of a switch. That was eons ago by techno-standards, however. The new world of telecommunications has made it much harder for the FBI to thwart evildoers -- and for privacy advocates to ensure that the agency doesn't overstep its bounds. Today, dozens of new technologies need to be monitored, such as packet voice and cellular text messaging. And thousands of new service providers are now in business. "Every time the technology moves ahead, you have all these pitfalls -- all these potential points where we can creep away from the status quo to a far more intrusive type of surveillance," says Lee Tien, a senior attorney at San Francisco-based advocacy group the Electronic Frontier Foundation. The job of sorting out the mess falls in large part to Les Szwajkowski, the director of the FBI's CALEA surveillance policy and planning unit. (CALEA is an acronym for Communications Assistance for Law Enforcement Act, which was passed in 1994 and granted the FBI the right to conduct surveillance on any new technologies that arise.) With his staff of 50 engineers, lawyers, and surveillance experts, Szwajkowski's most pressing task is finding a way to tackle the challenge of packetized voice, better known as VOIP (for voice over Internet protocol), which is steadily gaining a foothold in the U.S. market. VOIP provider Vonage in Edison, N.J., alone has lured 15,000 customers since it launched in April, 2002. "SHORT ONE PLAYER." Last month, law-enforcement officials and telecom providers such as Vonage gathered at a closed-door meeting in Chicago to plan for the digital future. The technology makes for some tough issues for policymakers. Unlike a traditional phone call, where a line is dedicated between two parties, VOIP slices each call into millions of tiny digital packets, each of which can take a discrete route over the Internet. That means surveillance equipment must either be installed permanently on a network or calls must be routed through FBI surveillance equipment before being delivered to the caller, which experts say can create a suspicious delay. "Our tactical people are trying to plug every hole. But it's like playing the field short one player," says Szwajkowski. "A call that is not [able to be intercepted] is a major public-safety and security dilemma." This isn't the first time the FBI has faced such a challenge. As early as the 1980s, new features such as call forwarding and conference calling created loopholes for crafty criminals. If the FBI tapped a suspect's office phone, that person could forward the call to a home line if he or she smelled a wiretap -- outfoxing the FBI. Conference calls also thwarted so-called pen register and trap-and-trace orders, which allow law-enforcement agencies to record all the calls made or received on a particular line. WHO YA GONNA CALL? To trick the feds, one untapped person could call another and then conference in the suspected wrongdoer, without the call being registered by law enforcement. From 1992 to 1994, a total of 183 federal, state, and local law-enforcement cases were impeded by advances in digital technology, according to congressional testimony by then-FBI Director Louis Freeh. Szwajkowski's job is all the more complicated because of the explosion of new communications providers since the 1996 Telecommunications Act. Today, it's not just the phone company that completes calls. It could be an Internet service provider, a VOIP startup, or both. In rural areas, it's not uncommon for startups, such as Paul Bunyon Telecom in Bemidji, Minn., or CBeyond Communications in Atlanta, to serve just a few thousand customers apiece. "The number of new players is staggering to us," Szwajkowski says. "It was hard enough before to balance technology and economics. Today we have to negotiate with a whole new set of entrants with a range of demands and circumstances." HUNGRY CARNIVORE. Therein lies a danger, say privacy advocates. They worry that the FBI will use the rise of the packet technology and the expanding number of players as an excuse to expand its all-seeing, all-knowing surveillance power. Here's why: VOIP travels across the Internet the same way that e-mail does. Address information (the number dialed or the e-mail address) is contained in the same packet as the content (what is said or written). The FBI's solution for e-mail is the notorious Carnivore technology, which sucks up all data that passes its way. The FBI claims that Carnivore filters traffic and delivers to investigators only packets that they're lawfully authorized to obtain. But because the details remain secret, the public must trust the FBI's characterization of the system and -- more significant -- that it's complying with legal requirements. Carnivore has been highly controversial, and privacy advocates fear the FBI will develop a similar system for VOIP. "The very nature of packet technology means that whether it's an e-mail or a voice call, [the FBI] can get more and more information that allows them to be more and more privacy-invasive," says the EFF's Tien. A NEW ERA. The sheer number of players could put privacy at an even greater disadvantage. In the old days, the FBI went head-to-head with the likes of AT&T (T ) or Verizon (VZ ), each of which has an army of lawyers to fight off any onerous requirements. In an emerging area such as VOIP, however, small companies are on the cutting edge, and they have no money to staff a huge legal department. Szwajkowski plays down these fears. "I'm a citizen too. I don't want to be surveilled without law enforcement having built up a serious case in front of a judge," he says. "All we want is the ability to intercept, whatever technology they use to communicate." Figuring out just how to do that will be tough -- even with the best of intentions. Compromises between law enforcement and carriers over the coming year will usher in a new era of government surveillance. To avoid another Carnivore, privacy advocates must stay alert. ***** News & Analysis: U.S. Steps Up Secret Surveillance FBI, Justice Dept. Increase Use of Wiretaps, Records Searches By Dan Eggen and Robert O'Harrow Jr. March 24, 2003; Page A01 ***** Article at: http://www.washingtonpost.com/wp-dyn/articles/A16287-2003Mar23.html Since the Sept. 11, 2001, attacks, the Justice Department and FBI have dramatically increased the use of two little-known powers that allow authorities to tap telephones, seize bank and telephone records and obtain other information in counterterrorism investigations with no immediate court oversight, according to officials and newly disclosed documents. The FBI, for example, has issued scores of "national security letters" that require businesses to turn over electronic records about finances, telephone calls, e-mail and other personal information, according to officials and documents. The letters, a type of administrative subpoena, may be issued independently by FBI field offices and are not subject to judicial review unless a case comes to court, officials said. Attorney General John D. Ashcroft has also personally signed more than 170 "emergency foreign intelligence warrants," three times the number authorized in the preceding 23 years, according to recent congressional testimony. Federal law allows the attorney general to issue unilaterally these classified warrants for wiretaps and physical searches of suspected terrorists and other national security threats under certain circumstances. They can be enforced for 72 hours before they are subject to review and approval by the ultra-secret Foreign Intelligence Surveillance Court. Government officials describe both measures as crucial tools in the war on terrorism that allow authorities to act rapidly in the pursuit of potential threats without the delays that can result from seeking a judge's signature. Authorities also stress that the tactics are perfectly legal. But some civil liberties and privacy advocates say they are troubled by the increasing use of the tactics, primarily because there is little or no oversight by courts or other outside parties. In both cases, the target of the investigation never has to be informed that the government has obtained his personal records or put him under surveillance. "When this kind of power is used in the regular criminal justice system, there are some built-in checks and balances," said David Sobel, general counsel of the Electronic Privacy Information Center (EPIC), which is suing the Justice Department for information about its secretive anti-terrorism strategies. "The intelligence context provides no such protection. That's the main problem with these kinds of secretive procedures." The use of national security letters has been accelerated in part because Congress made it easier to use and apply them. The USA Patriot Act, a package of sweeping anti-terrorism legislation passed after the Sept. 11 attacks, loosened the standard for targeting individuals by national security letters and allowed FBI field offices, rather than a senior official at headquarters, to issue them, officials said. The records that can be obtained through the letters include telephone logs, e-mail logs, certain financial and bank records and credit reports, a Justice official said. The Patriot Act also significantly increased the amount of intelligence information that can be shared with criminal prosecutors and federal grand juries, giving authorities new powers in the war on terrorism. National security letters can be used as part of criminal investigations and preliminary inquiries involving terrorism and espionage, according to officials and internal FBI guidelines on the letters. According to documents given to EPIC and the American Civil Liberties Union as part of their lawsuit, the FBI has issued enough national security letters since October 2001 to fill more than five pages of logs. There is no way to determine exactly how many times the documents have been employed because the logs were almost entirely blacked out, according to a copy provided to The Washington Post by the ACLU. The Justice Department and FBI refuse to provide summary data about how often the letters are used. Several lawmakers have proposed legislation that would require the department to provide that kind of data. "In our view, the public is entitled to these statistics," said Jameel Jaffer, staff attorney for the ACLU's national legal department. "We have no idea how those are being used." FBI spokesman John Iannarelli said "it's safe to say that anybody who is going to conduct a terrorism investigation is probably going to use them at some point. . . . It's a way to expedite information, and there's nothing that needs expediting more than a terrorism investigation." But a November 2001 memorandum prepared by FBI attorneys warned that the letters "must be used judiciously" to avoid angering Congress, which will reconsider Patriot provisions in 2005. "The greater availability of NSLs does not mean they should be used in every case," the memo says. Beryl A. Howell, former general counsel to Sen. Patrick Leahy (D-Vt.) and a specialist in surveillance law, described national security letters as "an unchecked, secret power that makes it invisible to public scrutiny and difficult even for congressional oversight." Howell now is a managing director and general counsel at Stroz Friedberg LLC, a computer forensic firm in the District. Under the Foreign Intelligence Surveillance Act (FISA), the government has the power to obtain secret warrants for telephone wiretaps, electronic monitoring and physical searches in counterterrorism and espionage cases. The Justice Department has expanded its use of such warrants since a favorable FISA court ruling last year, which determined that the Patriot Act gave federal officials broad new authority to obtain them. The warrants, cloaked in secrecy and largely ignored by the public for years, have become a central issue in the ongoing debate over missteps before the Sept. 11 attacks. The FBI has come under sharp criticism from lawmakers who say FBI officials misread the FISA statute in the case of Zacarias Moussaoui, the alleged terror conspirator who was in custody before the attacks. No warrant was sought in the Moussaoui case, and his computer and other belongings were not searched until after the attacks. Even less well known are provisions that allow the attorney general to authorize these secret warrants on his own in emergency situations. The department then has 72 hours from the time a search or wiretap is launched to obtain approval from the FISA court, whose proceedings and findings are closed to the public. Officials said that Ashcroft can use his emergency power when he believes there is no time to wait for the FISA court to approve a warrant. There are no additional restrictions on emergency warrants, other than the rules that apply to all FISA applications, officials said. Ashcroft told lawmakers earlier this month that Justice made more than 1,000 applications for warrants to the secret court in 2002, including more than 170 in the emergency category. In the previous 23 years, only 47 emergency FISA warrants were issued. FBI Director Robert S. Mueller III, in similar testimony to the Senate Judiciary Committee, said, "We can often establish electronic surveillance within hours of establishing probable cause that an individual is an appropriate FISA subject." "We have made full and very productive use of the emergency FISA process," Mueller said. Sobel and other civil liberties advocates say they are troubled by the aggressive use of emergency FISAs because it leaves the initial decision up to the attorney general and allows clandestine searches and surveillance for up to three days before any court review. Staff researcher Madonna Lebling contributed to this report. ***** How to: There's a War On - Do you know where your data is? An Open Letter from Cindy Cohn Electronic Frontier Foundation ***** Hi all, With the war declared, it's becoming quite clear that ISPs and other holders and passers of electrons throughout the US (and probably much of the world) are receiving various sorts of subpoenas, court orders and warrants to collect and hold information. about people involved in the peace movement and other progressive organizing, along with anyone with an Arabic sounding name or ties. If this concerns you, or the people you work with, a couple of thoughts: 1) Are you using encryption when you can? Are the people who you work with? Go to www.pgpi.org and download the program and find someone to show you how to use it. It's not that hard and there are plenty of folks on this list and elsewhere who can teach you. If you use Outlook, I've just been told that there is opportunistic encryption built in if you know how to turn it on. I'll send an EFF hat to the first person who sends me an explanation of how to do it that my grandfather could understand. I'll also make sure it gets posted online. If you know how to use PGP, target 3 colleagues who need it and teach them. Then use it with them so that they get well-practiced. And don't forget PGPDisk. No one should cross a border without her hard drive encrypted. We worked hard to free encryption from governmental censorship and control. Please use it. 2) For those of you that administer websites, e-mail systems and similar technologies, what information do you have about your users? Do you need to have it? Does your website gather IP addresses? Does your e-mail system keep log files? Are you keeping them? If so, why and for how long? Double checking the settings on your servers and systems. The techies who write most of those programs set the default to save everything. Do you really need that? Most good sysadmins are packrats by nature; but now is the time to fight that urge to keep every scrap of data "just in case" someone wants it later. That someone could be John Ashcroft. The US has NO data retention requirements. As long as you implement a system of eliminating records as you go and stick to it, there's no liability for you if the feds come to seize your server and there's nothing on it they can use. Let's exercise this freedom NOT to gather information for the government while we still have it. 3) What footprints are you and your colleagues leaving when you travel around the Internet? Think about using anonymizer.com or similar tool for your surfing. It's easy. Anonymizer.com offers a free account to EFF members, but whether you go through us or directly to them or through some other tool. I'm proud of the work the peace movement has done so far and the good use it's made of new technologies to assist in organizing, planning, rallying and support. We've been watching the Ashcroftians closely, however, and it's clear that the war on terrorism and the war on Iraq are being used as excuses to spy on the public and to gather extensive dossiers about us. The peace movement is an obvious target for harassment using this information. Let's not make their job any easier for them. And if you hear from law enforcement about your online activities, please don't hesitate to contact us. Feel free to forward this message to anyone who you think could benefit from it. Take care, Cindy ************************************************ Cindy A. Cohn Cindy@eff.org Legal Director www.eff.org Electronic Frontier Foundation 454 Shotwell Street San Francisco, CA 94110 Tel: (415)436-9333 x 108 Fax: (415) 436-9993 *************************************************************** Security-news Good computer security is no substitute for good sense! To sub or unsub - http://resist.ca/mailman/listinfo/security-news ***************************************************************