Monday, September 01, 2014


The Pump Don't Work 'Cause The Russians Hacked The Handle (Except They Didn't)

One of the doomsday scenarios of cyberwarfare is hackers taking down critical infrastructure. The electricity grid is taken offline, points fail at railway junctions, life-saving networks at hospitals are rendered useless.

So when a center for information sharing under the U.S. Department of Homeland Security and the Department of Justice released a report in 2011 alleging that Russians had hacked into the control system of an Illinois water pump, people sat up and took notice.

According to Kim Zetter at "Wired," the report "sow[ed] panic in the industrial control system community":

The report, which was meant to be confidential, claimed that attackers from Russia had hacked into the network of a software vendor that made the SCADA system used by a water district in Illinois and stolen usernames and passwords that the vendor maintained for its customers. The hackers then supposedly used the credentials to gain remote access to the utility's network and cause a water pump to burn out. The report was leaked to the media by an industrial control systems expert who had gained access to it.

In reality, however, the water-pump system hadn't been hacked at all. "Wired" details what happened:
 
Someone did access the water district’s SCADA system from Russia, but it was a water district contractor who was asked to access the system by water district employees, as Wired first reported. They had called him to seek his opinion on something while he was on vacation in Russia, and he had logged into the system remotely to check on some data for them.

When the pump broke five months later and someone examined the network logs to determine the cause, they found an IP address from Russia listed in the logs next to the username and password of the contractor. No one ever bothered to call the contractor to see if he had logged in from Russia; they just assumed someone in Russia had stolen his credentials.

Even though the FBI ascertained that the reports of Russian hacking were baseless, according to a new Senate subcommittee investigation, the so-called fusion center and the Department of Homeland Security's Office of Intelligence and Analysis continued to spread the reports.
 
Fusion centers were set up after the 9/11 terrorist attacks to enable information sharing between federal and local agencies.
 
"Almost no part of the initial reports of the incident had been accurate -- not the fusion center report, or DHS's own intelligence report, or its intelligence briefing," write the Senate investigators in their report. "The only fact that they got right was that a water pump in a small Illinois water district had burned out."

The Lawyer Who Defends Anonymous

A man wearing a trademark Anonymous mask takes part in an opposition rally in St. Petersburg.

As a lawyer not particularly immersed in the technology world, Jay Leiderman first became interested in the hacker collective Anonymous around December 2010. That was when Anonymous activists launched distributed denial of service attacks (DDoS) against Mastercard and PayPal, who stopped processing donations to WikiLeaks.

Since then, he has represented a number of high-profile hackers, including Commander X, who is on the run from the FBI for a DDoS attack on a county website in Santa Cruz, California, to protest a ban on public sleeping, and Raynaldo Rivera, a suspected hacker from LulzSec who is accused of stealing information from Sony computer systems.

Both Commander X and Rivera could face up to 15 years in prison.
 
Leiderman, who represents many of his hacker clients pro bono, argues that the law should be changed on DDoS.

In an interview I conducted with Leiderman recently, he told me why slapping teenaged hackers with harsh prison sentences is counterproductive.
 
Luke Allnutt: How did you first become involved with representing Anonymous?
 
Jay Leiderman: The politics of it spoke to me and the fact that it was a newly emerging area of law really spoke to me. My partner and I do a lot of medical marijuana law. Primary among the reasons that we do that are that it's new and emerging so we can help shape the way that the law ultimately fits society. And because we believe in the politics behind it. And it's the exact same with Anonymous.
 
We have an opportunity here to make the courts, as these cases wind their way up, understand privacy issues, emerging tech issues, against the backdrop of civil rights and through the prism of free information. And that was something that was just an amazing opportunity for me and something that still engages me as I continue to take on these cases.
 
Allnutt: You've said about DDoS attacks that "they are the equivalent of occupying the Woolworth's lunch counter during the civil rights movement," but under U.S. law DDoS attacks are illegal. Do you think the law should be changed?
 
Leiderman: Oh, absolutely. Keep in mind that I didn't say that in an unqualified manner about DDoS. If you were knocking someone's front page offline to ultimately rape their servers and take credit-card information and things like that, that's not speech in the classic sense. When you look at Commander X's DDoS, what he was accused of in Santa Cruz, or with [the] PayPal [protests], these are really perfect examples. And very rarely in law do we have perfect examples.
 
Take PayPal for example, just like Woolworth's, people went to PayPal and said, I want to give a donation to WikiLeaks. In Woolworth's they said, all I want to do is buy lunch, pay for my lunch, and then I'll leave. People said I want to give a donation to WikiLeaks, I'll take up my bandwidth to do that, then I'll leave, you'll make money, I'll feel fulfilled, everyone's fulfilled. PayPal will take donations for the Ku Klux Klan, other racists and questionable organizations, but they won't process donations for WikiLeaks. All the PayPal protesters did was take up some bandwidth. In that sense, DDoS is absolutely speech, it should absolutely be recognized as such, protected as such, and the law should be changed.
 
Allnutt: But say that I had a rival law practice across town from you and I was perhaps a bigger more powerful rival with more money and perhaps I wanted to down your website every single day. Isn't that just the equivalent of me just going outside and spray painting and taking down your sign every day and preventing customers from coming to you?

Leiderman: But both of those actions would be illegal in the abstract. Taking down my sign or vandalizing it would be a graffiti or vandalism type charge whereas repeatedly DDoSing my site would be similar in method and manner to that. It's why you have to be careful with the speech. What you have with PayPal, it's a pure form of speech -- it was a limited and qualified thing like Woolworth's. African-Americans went into Woolworth's and said, I want lunch, feed me lunch, I will eat it, pay for it, and leave. Same with PayPal.
 
Santa Cruz perhaps provides a more compelling case on that because Santa Cruz was about literally petitioning the government for a redress of grievances. Santa Cruz wanted to essentially criminalize -- or did criminalize -- homeless people sleeping in public without qualification. And the city council wouldn't listen, the police wouldn't listen, no one would listen. People regularly die from exposure, because they can't find safe and secure places to sleep in the community. Therefore getting your government's attention in that manner should not be something that the U.S. government is interested in criminalizing and spending resources to prosecute. So in those regards, it's different from the examples you gave, where I would be under perpetual DDoS.
 
Allnutt: So you're not saying decriminalize DDoS per se, but perhaps it's the way that DDoS is used and other legal factors would come into play there.
 
Leiderman: Here's what we conceived in terms of the DDoS. The government and people who write about tech tend to call it a "DDoS attack" but in certain circumstances it's not a DDoS attack, but a DDoS protest. So the law should be narrowly drawn and what needs to be excised from that are the legitimate protests. It's really easy to tell legitimate protests, I think, and we should be broadly defining legitimate protests. The example you gave of the rival law firms, that's not protest activities or traditional free speech activities.
 
Allnutt: The argument has been made that the problem with some of the sentences for Anonymous/LulzSec members is that a lot of them are really just foot soldiers, naive, young, vulnerable kids, who perhaps get into something over their heads. And they're not skilled hackers who are trying to bring down the U.S. government and they don't deserve long jail terms. Would you agree with that?
 
Leiderman: Absolutely, that's probably one of the most often-repeated and truest things about a lot of these Anonymous members is that they're not these ill-intentioned misanthropes that really need to have the weight of the law come down on them. I agree with that 100 percent.
 
Allnutt: Who should the weight of the law come down on then? Should the weight of the law come down on the ringleaders who are behind these people?
 
Leiderman: Sabu's cooperation [aside], he would be a good example of someone who's cruising for one of these eye-popping over-the-top sentences. [Editor's note: Sabu was a founder of LulzSec who was arrested in June 2011. It was revealed that he was an FBI informant.] He was a bit older, he had been involved in the hacking world for 10 or 15 years; he had a lot of prior Internet misdeeds. He was very skilled, or at least reasonably skilled, he had special skills. He was involved in other criminal activity, he was selling pounds of marijuana, which they didn’t charge him with. They dismissed those charges as part of his cooperation.
 
He was using his skills to commit credit-card fraud, without ideology, without politics behind it, without anything. He was literally stealing from people -- this was not a big, nameless, faceless corporation...There was no ideology behind him stealing credit-card numbers from Mr. and Mrs. Smith…. He was recruiting people actively into LulzSec. One of the allegations in the case I'm handling [Raynaldo Rivera] is that Sabu recruited my client based upon my client's skill, through another member of LulzSec, an intermediary.
 
Sabu was unquestionably the leader of LulzSec. When you read through the reports, as I have, it's very clear that Sabu was giving orders, pressuring people to "get their hands dirty." … It was Sony Pictures and the databases were organized via movie sweepstakes -- names and passwords that were ultimately dumped on the Internet -- and Sabu made individual people go in there and do individual databases so everyone had their hands dirty so that he could exert more control and get them to do more. He had importuned them to criminality. […]
 
He's looking at 124 years so that’s obviously beyond ludicrous. But if Sabu were to get a decade or something, that [could be] a sentence for someone like him with a really malignant heart. But for someone like Rivera and the typical member of Anonymous, no, those sentences simply don’t fit and for the most part I don't believe they should be going to jail. A lot of these kids -- and most of them are kids -- don’t understand the criminal consequences here and could be rehabilitated; scared straight without a jail sentence. There are other things that we could do to them to make them understand that this is in fact illegal and not the way to express yourselves politically.
 
Allnutt: If we are not talking about harsh prison sentences, how should society respond to rehabilitate those hackers?
 
Leiderman: I really think this is a situation where a lot of these people are really scared of the consequences once they understand them. Usually someone like that, a criminal conviction in and of itself is a terrible black mark on someone's record now. It becomes difficult to get a job. If you're a person with computer skills, it becomes difficult to get computer clearances to be able to work your way up in a lot of these areas. So simply the conviction alone gets the message across, a probationary period where they're being monitored or checked in on, some community-type service, working with the community in a productive manner. All sorts of creative punishments like those that are available and at the government's disposal.
 
Allnutt: Do you think denying them access to the Internet is useful?
 
Leiderman: In some cases it might be useful and appropriate. You really have to look at the offense and the offender. If someone's really unhealthy in their Internet use, it may not be a bad thing to look at them and say, a year, 18 months, two years, let's see how you do without Internet in your life except work and school. That may well be a very good and healthy thing for some people, but you have to look at the offense and the offender before saying we should just yank this person's Internet privileges.
 
Allnutt: You don't think there's a purpose to passing harsh prison sentences in that it sends a message and acts as a deterrent to any potential offenders?
 
Leiderman: I don't necessarily think that message gets received by this population which are exclusively naive, not legally savvy, fairly young first-time offenders. That's not a population who can really understand in a practical sense that if you do this, you're going to get a harsh prison sentence. In some of their minds, it almost may be worse, to take away Internet use or modify their behavior in some ways as it so violently changes how their life ordinarily progresses.
 
Allnutt: Are there any Anons you wouldn't represent?
 
Leiderman: It depends. I've been asked that question before and I struggle with it and here's why. I don't have to like or agree with the people that I represent to represent them. I have represented neo-Nazis and I'm Jewish. I've been assigned them when I was a public defender and it never really occurred to me until someone asked me, how do you feel about representing this skinhead and I said, you know, I didn't think about it.

Everyone is entitled to a defense and the more reprehensible they are and maybe the more guilty they seem at the beginning of the case makes them more entitled to a vigorous and hard-hitting defense. So I don't necessarily know that there's someone I wouldn't represent based upon what they did or based upon their politics. I wouldn't go ahead and represent someone whose views I didn't agree with pro bono. I'm not going to spend my time and energy that way. […] Certainly there are many people I wouldn't represent pro bono.
 
Allnutt: Would you represent Sabu pro bono?
 
Leiderman: No. The damage he did by turning so completely on people he used to call his brother [was considerable]. People who cooperate, throw someone else into harm's way so they can soften the blow on themselves, I tend not to represent. For those reasons, I wouldn't represent Sabu at all. […] He hurt a lot of people and he did it to save his own skin and he hurt a lot of people worse than they would otherwise be hurt.

Watch The World’s Computers Attack Each Other In Real Time

It looks like something you’d see in a 1980s film about a nuclear apocalypse. A screen in a control room in an underground bunker, where our mutually assured destruction was being mapped out. 

In fact it’s a real-time visualization of computers attacking other computers.

The Honeynet Project, which runs the map, works by setting up “honeypot” sensors, computers that behave as potential targets for malware. The red markers on the map symbolize the attacks, mostly from botnets and worms. The yellow are the honeypots.
 
The worms attempt to exploit the sensors by scanning them and looking for open ports. Just like the famed femmes fatales in the world of espionage, honeypots mimic vulnerabilities in order to learn how attackers operate and what tactics they use.
 
In the text scroll on the map, you can see where the attacks are coming from -- mostly from Russia, the United States, Brazil, and Eastern Europe. The recipient of the attack is always one of the sensors, so for instance Aachen, Germany, comes up a lot as the project hosts a sensor at a university there. “The actual location of these sensors could be university server rooms or living rooms at home and they are mostly dedicated computers or virtual machines,” says Mark Schloesser, a research assistant at the RWTH Aachen University who is involved with the project.
 
I asked Schloesser whether the map is representative of reality or is skewed by where they have sensors:
 
That depends on the worm code that actually attacks the sensors. Historically this kind of visualization would be skewed by the sensor location but with newer attack code (e.g. Conficker) [a computer worm] this is not true anymore, as the attack target selection is randomized. This means that an infected machine in Russia has the same chance of attacking Aachen as it has in attacking China. This means that the red dots roughly depict reality, but the amount of events is high at big sensors and low at small sensors.
 
There have been other visualizations of network attacks. Check out this one from Akamai.


And if you thought packets of data couldn’t be beautiful, have a look at this stylized visualization of cybercriminals hitting a VOIP (Voice over Internet protocol) server.

WATCH: Visualizing a cyberattack on a VOIP server from Ben Reardon, Dataviz Australia on Vimeo.


Just like disease tracking, the initiative could be useful in fighting malware, as Kyt Dotson points out at Silicon Angle:
 
With data collection ventures like the Honeynet Project and a strong sifting through of the Big Data by security researchers and other outfits, we might see a revolution in how we track and prepare for the malware storms of the future. Mobile devices and PCs could make good use of anti-virus companies having access to knowledge of what’s trending so that they can prepare their flu-shots and vaccines early by prototyping and fingerprinting new malware.
 
Japan's National Institute of Information and Communications Technology is doing this with its project Daedalus, which visualizes network attacks in real time.

But for now the people behind HoneyMap are aware of its limited functionality. “To be honest, this specific visualization just looks nice and raises awareness about the still-existing worm infections and automated spreading code in use. In terms of actionable intelligence, you can't get a lot out of this,” Schloesser says.
 
“In the future, as we add more sensor types and data sources, we hope that we can use the map as an easy monitoring solution and representation of Honeynet coverage. Also, for other botnet/worm families and other sensor types it actually might yield some insights. Right now it gives a purpose to our big screen at the office.”



Why We’re More Likely Than Ever Before To Believe Fake News

The story sounded almost too good to be true. Valery Gergiev, a conductor known as a strong supporter of the Putin regime, interrupted a performance at London's Covent Garden to speak out in favor of the feminist performance artists Pussy Riot: 

"The thing is, yesterday Moscow saw another day of hearings in the fabricated case of Pussy Riot.... I apologize for such a vulgar comparison, but the Russian state is acting like a dominant male in a group of monkeys, compelled to show off his sex organs to make the others fear him." The text of Gergiev’s speech went viral.

But in fact, Gergiev never made the speech -- it came instead from a Russian spoof website called Fognews.com. Gergiev later denied he made the comments, but the damage was already done.

Ever since a wag scrawled an untruth about someone in a Roman latrine, there has been satire, but the Internet has greatly increased its potential reach and efficacy. With content platforms and social media democratizing publishing and distribution, the entrance barrier for fakery is lower than ever before. And because there is more of it swimming around than ever before and because the way we consume content has radically evolved, we are increasingly susceptible to encountering and believing fakes.

The rise of fake news is inextricably linked with the popularity, spread, and click dynamics of social media. In an earlier Internet ecosystem of homepages and bookmarks, we would enter websites through the front door. You go to "The Onion" and you know that you're getting satire. But with much of today’s content consumption done through the side door of social media, or search engines sending us directly to article pages, more and more fake news is evading our satire radars. With the proliferation of news sites and blogs and the diversification and globalization of our consumption habits (most people in the United States weren’t reading Indian news sites 10 years ago), clicking on websites that are unfamiliar to us is a daily occurrence.

A U.S. senatorial candidate, Todd Akin, who had been in the news for remarks he made about rape, was the source of one such hoax, with a widely shared article that claimed he believed ingesting breast milk could cure homosexuality. I received the link from a friend (a savvy consumer of U.S. political news) and for a moment believed it. It was on a site called "The Daily Currant," which I hadn't heard of.

Being in the dark about the source (I just imagined it was one of the many U.S. political blogs I hadn't heard of), my subconscious assessment of its credibility had more to do with the person who shared it than with the publication it originated from. Zig-zagging around the web, guided by recommendations from friends and followers, do we even notice the source any more, let alone the names of authors? Link-shortening services such as bit.ly add an additional layer of opacity, as the site is often not recognizable from its URL.

Our access to a wider array of global news sites and increased sharing across borders has also helped spread fake news. Satire, unfortunately, doesn't always translate. A popular Serbian spoof site, Njuz.net, made headlines with a story, “Shark-el-Sheikh,” about a drunk Serb who killed a shark when he dived into the Red Sea. The story was widely picked up by the Western press. In 2009, a popular Chinese website, Huanqiu.com, ran a story about how U.S. President Barack Obama was sending Kim Jong Il an iPhone and a MacBook Air. The original source, however, was a satirical column from "The Guardian."

Perhaps too it is our own Filter Bubbles -- the idea popularized by Eli Pariser that social media has trapped us in an echo chamber that leads to more homogenous and conservative consumption -- that have made us more gullible. While we might have more exposure to a greater number of news sources than ever before, perhaps the sharers -- the super-curators in our lives -- are as homogenous as they ever have been. No matter that the Facebook viral of U.S. presidential candidate Mitt Romney standing next to his children spelling out "Money" on their T-shirts is a fake (it was a retouched photo and they weren't his kids) if the sentiment is one that dovetails with your political persuasions and belief system. Just hit like and then share.

The caveats we add when sharing -- "Not sure if it’s real or not, but pretty funny" or "unbelievable!" -- are perhaps an indication that half the time we don’t actually care whether it’s true or not. There are probably many people out there who believe that Akin thinks breast milk can cure homosexuality. Appetites for denials are paltry when the story is such a good one. Poynter's Craig Silverman calls it The Law Of Incorrect Tweets: "Initial, inaccurate information will be retweeted more than any subsequent correction."

For digital activists -- or indeed for anyone who can advance their agendas by disseminating fake news -- our collective gullibility is a boon. In July, environmental campaigners Greenpeace and the professional hoaxers, the Yes Men, set up an Arctic Ready website, which spoofed the official Shell site and was focused on Shell's plans for drilling in the Arctic. But that wasn't all. Greenpeace then set up a Twitter account, ShellisPrepared, which was supposedly the company's social-media team reacting to a series of embarrassing ads generated by the fake site. Many Twitter users were hoaxed into thinking this was really Shell's bumbling social-media team, who, with no consideration for the Streisand effect, were telling people not to share the ads. Much Twitter snark ensued.

WikiLeaks got in on the act by disseminating a column purporting to be by former "New York Times" Executive Editor Bill Keller. The column, well-written and eminently plausible, did the rounds, taking in a number of journalists, including some at "The New York Times." The hoax was well planned, with a page mirroring "The New York Times" site and a realistic-enough-looking domain. A fake Twitter account for Keller was also set up and even a fake PayPal blog responding to his column.

In October 2011, hacktivists in the Balkans created a fake Nobel Prize website that awarded the prize for literature to Serbia’s leading nationalist writer, Dobrica Cosic. By the time the real winner, a Swedish poet, had been announced, the wires were on the story and Cosic had been congratulated. The hacktivists responsible said that they had carried out the hoax to "bring to the attention of the Serbian public the dangerous influence of the writer Dobrica Cosic."

There is also a seamier side to the fakery. As a hoax, it was a crude one, but then it didn't need to be particularly sophisticated. Created on March 11, the website's URL suggested it belonged to Azerbaijan's main opposition party, Musavat. With a color scheme and design fairly similar to the original, the fake website was full of other content that would have been at home on an opposition site. The site, which had only been live for a few days, was created to host a video purporting to show an investigative journalist, who works for RFE/RL, having sex. After electoral protests in Belarus in December 2010, pro-government forces set up mirrors of independent websites to funnel crowds to the wrong locations.

Censoring governments and sensitive corporations are likely to clamp down more in the future on fake news. In less-than-democratic regimes, there will be arrests, trumped-up charges, and bogus lawsuits. Established democracies, too, won’t be immune from taking harsher measures. Greenpeace's campaign against Shell, for example, generated much discussion about the line between satire and lying and misleading. Writing about the Shell Arctic hoax, Anita Ramasastry, a professor at the University of Washington School of Law, says:

The line between, on one hand, legitimate protest through parody, and, on the other, libelous misrepresentation or trademark infringement is muddy. And while this may be protected speech, some critics caution that campaigns may backfire—with similar tactics turned against nonprofits like Greenpeace, which partnered with the Yes Men.

Some critics argue that it would be a more honest and transparent choice for protesters to engage in true civil protest and accept the consequences. Other critics suggest that parody is acceptable, if it is more clearly and instantaneously recognizable as a spoof, rather than something that fools many viewers. So a website that called itself “Shill” instead of Shell, and used a fake but similar logo, to parody Shell, might be seen as acceptable, since it is not an attempt to pass itself off as the real thing. One corporate spoof, for example, used the logo “Chevwrong” to protest Chevron’s activities in the Amazon.

Under U.S. law, whether such parodies are protected speech is a matter of legal debate -- and, as is often the case with technological innovation, the law lags behind. "To be protected by the fair use exception to copyright law, satire or parody should be obvious -- maybe not immediately obvious, but at least fairly quickly obvious," writes Ramasastry.

Globally, the amount of satire and fake news is likely to grow. Using off-the-shelf scripts, kids will be able to knock up sophisticated fake websites in their bedrooms with a few mouse clicks. There will be more meme generators, and tools for digital manipulation will become more accessible to unskilled users. As the web expands, it will be more and more common to read news on websites we have never heard of.

But while the entrance barrier to spoofing will be lowered, our satire radars are likely to become more attuned. What was interesting about the WikiLeaks/Bill Keller hoax was how quickly people collaborated to uncover it and do the forensics of how it spread. Just as new technologies will make hoaxing easier, it may well be easier to recognize fakes using textual analysis tools and image verification software. No doubt, too, with an abundance of hoaxes, our standards for sharing and retweeting information will evolve so that the next time we get a story that sounds too good to be true, we might just think twice before sharing.

With WikiLeaks On Ice, What Has Happened To All Those Digital Whistle-Blowers?

It is hard sometimes to divide the story of Julian Assange from that of WikiLeaks. But once upon a time, before Bradley Manning, the rape allegations, the house arrest, the TV show on RT, and then the Ecuador gambit, WikiLeaks, as an organization and as an idea, was brimming with promise. For many, the age of the anonymous digital whistle-blower was the dawn of a bright new era of radical transparency.
 
WikiLeaks was just the beginning. Whatever you might think of Assange, it was the game-changer and it spawned a multitude of clones. Expectations about the potential of digital whistle-blowing were sky high. A bevy of decentralized organizations, many of them stateless and thus hard to act against in a technical or legal capacity, would spring up. These organizations were of the Internet and thus able to bypass and route around the efforts of censoring governments and corporations.

And sure enough, a slew of WikiLeaks clones followed, many of them in more specialized markets: BalkanLeaks, Enviroleaks, MagyarLeaks. Mainstream media outlets -- who had sometimes turned their noses up at Assange's methods -- tried their hands at building their own dropboxes for anonymous leakers.

Journalists expected bounties (how hard can it be, right?), some activists expected regimes to fall, and openness advocates looked to a brave new world where the power of the leak (or at least the threat of a leak) would keep governments and corporations in check.  

But it never quite happened like that. Many of the digital-whistle-blowing projects, the WikiLeaks clones, are either dead or dormant and efforts to create secure and anonymous dropboxes have floundered.

The possibly exaggerated claims of radical transparency were taken on in a paper by Alasdair Roberts, an academic at Suffolk University Law School in Boston. He wrote that "Advocates of WikiLeaks have overstated the scale and significance of the leaks. They also overlook many ways in which the simple logic of radical transparency -- leak, publish, and wait for the inevitable outrage -- can be defeated in practice."

There was always plenty of techno-determinism and Internet-centrism in the WikiLeaks-era notions of radical transparency: just engineer a secure solution and they will leak.
 
The novelty, it is argued, is that technological change has eliminated many of the practical barriers to executing this program -- because digitized information is easier to leak; because appropriately designed technologies can protect the anonymity of leakers; because the Internet allows the instantaneous and universal sharing of information, and perhaps also because it is easier to mobilize outraged citizens.

But actually those technological solutions to ensure a leaker couldn’t be traced were much harder than perhaps anticipated, especially under the watchful and scrutinous eyes of ever-vigilant privacy and security researchers.

A former WikiLeaker, Daniel Domscheit-Berg, test-launched OpenLeaks in 2011 and asked 3,000 hackers to test its systems, but over 18 months later there is still no active submission system. "The Wall Street Journal's" SafeHouse, its WikiLeaks-style submissions site, was widely criticized by security researchers for its holes.

Public Intelligence, a site that relies on some leaked documents, has disabled its submissions system "following a recent intrusion into our server." They add, "Submissions will resume when we are confident that the information can be handled in a secure manner." A look down the list of whistle-blowing sites in the Leak Directory shows that many of the sites are dormant or defunct.

"A truly anonymous electronic dropbox is a very hard problem in computer science terms, particularly if you wanted to make it open-source code," says Suelette Dreyfus, an academic and expert in digital whistle-blowing.

It's also expensive. "My back of the envelope estimate based on discussions with technical experts in the area is that it would take close to $1 million to do it properly, and probably at least 6-12 months -- with no absolute guarantee it would work," Dreyfus says.

"That's to make a highly portable, free open-source software version of a drop box, publicly available and easy to use for any NGO or news organization," she says. "You'd need a project manager who understands journalism, leaks, the NGO world, and technical people. And you'd need a really trusted team of programming experts, who are likely to be scattered around the globe. It's a hard, hard task."
 
One of those organizations striving to make an open-source secure dropbox is GlobaLeaks. Their project aims to make a suite of software available to organizations who want to set up and maintain a whistle-blowing platform. According to Fabio Pietrosanti, one of GlobaLeaks' developers, the goal is to lower the entrance barrier to people wanting to set up whistle-blowing platforms.
 
"Our goal is to allow anyone with political motivation willing to start a whistle-blowing initiative not to be dependent on a technician's skills to set up a safe drop box," Pietrosanti says.
 
"We need to reach a point where setting up a whistle-blowing initiative will require only determination and management skills by using easy-to-use GlobaLeaks software, doing publishing through [the] Tor2web network, leveraging public visibility through social networks, Facebook, Twitter, and cloud tools (hosted blogs)," Pietrosanti says.
 
But for other whistle-blowing practitioners, the idea of a secure and anonymous drop box is a chimera, a techno-solve-all that would do for transparency what tablets were supposed to do for magazines' business models.
 
John Young, who runs the Cryptome website, which hosts leaked documents, says that the open-source drop boxes out there are "evanescent, variable, deceptive, self-serving, and none are risk-free."
 
While the digitization of data has made it much easier to copy, share, and publish, it has also made it easier for people to snoop on what we are sharing. Aaron Caplan, an associate professor at Loyola Law School in Los Angeles, wrote:
 
For every exchange of data over the Internet, be it via e-mail or by viewing a website, a trail of metadata is automatically logged that includes, among other things, the IP addresses of the computers involved. In many ways, it is easier to be an anonymous tipster using older media, such as oral communication, an unmarked envelope, or a phone call on a landline. The Internet makes it far easier than before for law enforcement to attribute communications to particular speakers and listeners -- including communications between sources and journalists.
 
With these risks in mind, many of those working in the digital whistle-blowing community are increasingly aware that offering fail-safe anonymity and protection is misleading. Whistle-blowing practitioners have realized they have a responsibility to educate potential leakers in the art of anonymity, rather than promising that they will do it for them.

Claudio Agosti, a developer with the GlobaLeaks project, says: "We, as information and privacy experts, have analyzed the requirements from the security point of view, therefore what we're aiming for is not just software, but a wider project also involving advocacy in personal security for dealing with sensitive documents."

That could mean just advising potential leakers to use the Tor anonymizing software or putting together guides that will help whistle-blowers stay safe.

"We advise sources to protect themselves, that we cannot do that nor can any other outlet," says Cryptome's Young. "Promised protection and security is always fraudulent, either by design or by ignorance. This is not limited to disclosures but covers all forms of security from national to personal."

Security is only one of the challenges that digital whistle-blowing sites face. There is the potential political pressure from governments or litigious corporations. Then there are the legal risks of hosting such information or being cut loose by service providers, just as WikiLeaks was when Amazon and PayPal withdrew their services. Opponents could easily try to get a site shut down, for example by flooding it with child pornography.

With sometimes mammoth data dumps, dividing the wheat from the chaff is a laborious task that often requires teams of people who know what they are looking for (much as "The Guardian" used its beat reporters to drill down into the leaked cables). Analysis, verification, and packaging take time and expertise and can be costly for organizations on shoestring budgets who often have little experience in navigating the myriad logistical, legal, and technical minefields.

"Most of them are run on the smell of an oily rag. They are largely volunteer sites that struggle to cover expenses and don't pay a salary. Many won't accept government money in order to remain independent," Dreyfus says. With media organizations facing budget cuts and with NGO funding at rock bottom it's possible that -- after the enthusiasm surrounding WikiLeaks has died down -- whistle-blowing platforms will increasingly be seen as indulgences.
 
But despite the many stalled or dormant whistle-blowing projects, Dreyfus, who worked with Julian Assange on "Underground," a seminal book on hacking culture, is sanguine about the future of online whistle-blowing sites.

“The sites have actually succeeded a good deal more than I expected on the whole. The fact that so many sprang up and so many are still standing (if moving slowly) -- and many are still active -- is a testimony to success, not failure, on this front,” she says.
 
There is much focus on large generic leak sites, such as WikiLeaks, but the success stories are often found in sites serving more niche communities. "This means that even if they are breaking good stories, you may not hear about it," Dreyfus says, "because they target a specific and sometimes quite narrow community."
 
For example, she says that Balkanleaks.org broke a story about a government prosecutor accused of money laundering, "but if you don't read Russian or Bulgarian, chances are you haven't read it."

"Similarly Enviroleaks published a piece on a controversial dam in Brazil," Dreyfus says. "Again, if you're not up on environmental issues or on Brazilian news you may not have seen this."

A decentralized, sometimes chaotic future is likely what's in store for digital-whistle-blowing initiatives. As Cryptome’s Young says, "multiplicity diffuses targetability." The prominence and centrality of WikiLeaks might well be the exception to the rule. Another model for the future might be the hacktivist collective Anonymous, with its loose ties and culture that (at least in public) shuns leadership. Last year, Anonymous leaked e-mails from Stratfor, a global security firm, after hacking into the company's servers.

In December 2012, Anonymous activists are launching TYLER, which they describe as "WikiLeaks on steroids." In a promotional video, the activists said that "TYLER is a massively distributed and decentralized Wikipedia-style P2P cipherspace structure impregnable to censorship. TYLER will improve where WikiLeaks could not."
 
There is certainly no lack of desire among the public for secrets to be spilled. In Australia, Griffith University and the University of Melbourne are running an international survey about attitudes toward whistle-blowing. The first stage of the survey, which Dreyfus is involved with, found that support for whistle-blowing in Australia is strong, with 87 percent of Australians believing that whistle-blowers should be able to go to the media. Whistle-blowers and leakers, with all their subterfuge, tend to generate headlines, but as GlobaLeaks’ Pietrosanti points out, whistle-blowing is just one part -- a radical part, perhaps -- of a larger transparency movement comprising initiatives such as OpenData and OpenGov.

Just as the entertainment industry has been engaged in an often futile game of whack-a-mole with torrent sites and peer-to-peer networks, secretive governments and corporations will likely experience the same struggle against a raft of whistle-blowers in different guises who, unlike WikiLeaks, will gain their strength from decentralization and relative obscurity.



Snitch On A Driver: Kazakhstan's Bad Parking Vigilantes

Bad parking in Kazakhstan

Like many city dwellers, Roman Slegin has had his fill of bad drivers. But what he hated the most were the drivers who "parked like asses."

So Slegin, a programmer in Kazakhstan's biggest city, Almaty, had an idea. He set up "I Parked Like An Ass," a website where users send in their snaps of egregious parking violations spotted on the streets of the country's commercial capital.

Staffed by three people, the site has grown rapidly and now takes submissions from all over the country, resulting in an online compendium of the too-close, the driveway-blockers, the sidewalk-parkers, and the double-space-straddlers.

After logging in, users can submit photos of "violators," leave comments, and vote for the worst offenders. They can also check -- by searching for their license plate number -- whether their own car features on the site.

In addition to the thousands of photos of bad parking, the site has a section on parking rules, laying out the dos and don'ts of correct parking.

According to RFE/RL's Kazakh Service, the site has been so popular that the traffic police in Almaty have asked Slegin to join forces. They have offered to help verify the authenticity of the photos (users must now add the position and time of the photos). When satisfied that the photos are genuine, police will bring charges against persistent offenders.

A spokesperson for the police, Yerkin Utegenov, told RFE/RL's Kazakh Service that the traffic police are planning to carry out "I Parked Like An Ass"-inspired raids once a month.

The Kazakh website isn't the first to use crowdsourcing to highlight violations on the road.

The site youparklikeanasshole.com was set up in 2010 in Rochester, New York. In addition to photo galleries, it allows users to print out notes that they can stick on the windshields of bad drivers. A safe-driving campaign in Lebanon, Cheyef 7Alak, which in Arabic means "Do You See Yourself?", also encourages users to share examples of bad behavior on the roads.

Photo-sharing sites such as Flickr, blog platforms such as Tumblr, and social networks such as Facebook are full of pages documenting parking transgressions.

It was frustrations about bad drivers and a desire to name-and-shame that led to such crowdsourced websites being set up. At first, many police forces around the world were lukewarm to the idea, preferring more traditional boots on the ground and wheels on the tarmac.

In the United Kingdom, in 2008, police condemned a website encouraging users to report bad drivers, saying that it could lead to vigilantism. But in recent years London's Metropolitan Police have mellowed and launched the RoadSafe website, which allows members of the public to report "criminal, nuisance, and antisocial behavior on the roads of London."

In Almaty, drivers have mixed feelings about "I Parked Like An Ass." While many agree on the need to park properly and think the naming and shaming could have a positive impact on drivers' behavior, some are also troubled by the question of verification.

A driver named Azamat told RFE/RL's Kazakh Service that those posting to the site could use Photoshop, where users could alter the color of the cars or even the license plates. And with any crowdsourced-citizen initiative, there is always the potential for the website to be used for petty score-settling and disputes between neighbors.

With onboard cameras, helmet cameras, home surveillance systems, and, of course, cell phones cheaper than ever, initiatives like "I Parked Like An Ass" will grow and grow. The downside could be that drivers are spending so much time on their phones, ever ready to snap a dangerous driver, that they end up causing more accidents themselves.

Reporting by Manshuk Asautay in Almaty

An Orgy Of Outrage: Tom Daley, Twitter, And The Internet Hate Machine

On July 30, Tom Daley, an Olympic diver and one of Great Britain's medal hopes, finished in fourth place (with his partner) in the 10-meter synchronized platform competition. Quite soon after Daley failed to secure a medal, a Twitter user decided to taunt him. "You let your dad down I hope you know that" @Rileyy_69 tweeted, a reference to Daley's father who died last year of brain cancer.

Daley retweeted the message, saying, “After giving it my all...you get idiot’s sending me this.” Outraged, Daley’s legions of fans on Twitter rallied to his defense and told @Rileyy_69 exactly what they thought of him. @Rileyy_69 at first apologized to Daley, but then threatened to drown the diver in the pool. (You can see a timeline of @Rileyy's tweets here.)

The next day, the British police swooped in and arrested the unnamed teenager (the rights and wrongs of that are another issue entirely). He later received a police harassment warning. 

While @Rileyy_69’s tweets were idiotic and extremely unpleasant, what was most unsettling was to see how quickly Twitter users came to resemble a lynch mob. Despite all its moral indignation and self-righteousness about the @Rileyy_69 tweets, the mob defending Daley’s honor was equally resplendent in its viciousness. The mob called for his death; people spared no creativity in the ways in which they hoped he would be raped in prison.

Then the more sophisticated elements of the Internet hate machine went into overdrive -- smelling blood, the ambulance-chasers of the meme world and the snarkistas had a new victim. Now @Rileyy_69 was the meme. Videos of him were mashed up and set to music (here and here), his stupider utterances were Photoshopped onto his more gormless photos, and the tweets of abuse just kept on coming: from other teenagers looking for fights (digital and real), from lovesick teen girls who felt their beau had been attacked, and from plenty of responsible adults. The people of the Internet fought back. Yeah! Right?

The writers’ association PEN praised Tom Daley for retweeting the insult as it was better than involving the law:

Robert Sharp, from English Pen, a writers’ association which campaigns for free expression in print and online, said that Daley’s decision to publicize the comments rather than to make a complaint to the police had been the appropriate course of action.

He said: “People often choose to express themselves in this manner and the police cannot investigate every outburst. In the case of Tom Daley, one has to ask whether these tweets were genuine threats to another person, or simply a rant.

"Tom Daley showed a lot of class in responding to the trolls. He re-tweeted the offensive comments and the Twitter troll received a social humiliation at the hands of Tom’s many fans."

Sharp is right: Social humiliation is exactly what it’s about, although I would disagree that Daley is showing “class” here (that would be ignoring it). The mob can smell blood in the air -- it wants to see @Rileyy_69 humiliated, to see him hung, drawn, and quartered by Photoshop and on YouTube. While I’m sure he didn’t mean it like this, Daley’s retweet sent out a "bat signal" to his followers, a digital wolf whistle, an implicit blessing that it was now fine to put @Rileyy_69 in the stocks and throw tomatoes at him.

Sadly, the specter of the angry mob is all too familiar on Twitter. Depending on your politics and on where your outrage meter is set, many are likely justified and righteous causes, while others are little more than tempests in teapots.

In recent days there have been “Twitter fury” stories aplenty on the criticism of NBC over its Olympics coverage, the related story of a British journalist getting temporarily booted off Twitter for tweeting the e-mail address of an NBC executive, a “Wall Street Journal” columnist making insensitive comments following the Aurora shootings, and a British comedian getting into hot water with some of the Twitterati for saying a British swimmer had a face like a dolphin. Much of it is done under the banner of that tired old meme, the meat and potatoes of geek-snark: #Fail.

In the days of old media, for most of us outrage was a private commodity. It was something we shared with partners or friends or the dog. We ranted, and if we were lucky enough someone listened. I could write a letter maybe, or phone the television station, or write letters to politicians, or go walking through the streets wearing a sandwich board. Now, of course, I can tweet directly to the very subject of my ire.

While our levels of outrage might not have changed, there is something about the medium of Twitter that seems to combust and amplify outrage. With its 140-character limit, Twitter rewards pithy populists and eschews nuance. The transaction costs of participation have been reduced almost to zero, so piling onto a cause (whether it’s calling for intervention in Syria or calling for @Rileyy_69’s death) doesn’t cost you much time or effort.

The anonymity -- real and perceived -- can also fuel outrage. Even if you’re using your real name on Twitter, hashtag dynamics can resemble a real crowd: as it pulsates through the streets, steadily increasing in number, it can provide you with cover; sometimes that protection is real, sometimes it is just a perception of invincibility through anonymity. That’s one reason why people in crowds get carried away and do things they wouldn’t do normally in their everyday lives, like smashing windows or throwing rocks at the police. They do that too with hashtags.

Writing about an audience at SXSW rebelling against a keynote, Kim Hinckley writes:

Mobs form when individuals feel anonymous, and believe that their feelings and behaviors are shared by others. When the behavior becomes visible, and when nobody reacts negatively to it, the behavior gets amplified, with more and more people joining in. 

When thousands of people are threatening to break @Rileyy_69’s legs, then I can probably get away with it as well, or so the thinking goes. But I might not make that threat if I saw @Rileyy_69 in the street. One of the paradoxes of social media is that it can simultaneously make people closer, yet somehow more remote. With the mediators and middlemen gone, I can tweet to anyone I like anywhere in the world, but many of us still perceive that person’s Twitter account to be an approximation of the person, rather than the real deal. It’s easier to say what you really think to an avatar.

But perhaps the very structure and dynamics of Twitter help stoke outrage. For publicly expressed outrage, you need an audience, but also an enabler -- and Twitter is both of those things. It is the ultimate rant receptacle, as the platform’s conventions can egg users on, with validation found in the number of retweets, the follower bumps, the positive @ replies, the constant opportunities for social ranking, such as appearing in a hashtag’s top tweets. Then there is that ultimate accolade, the equivalent of lighting the revolutionary touch paper: starting a hashtag.

We don’t even need tabloids or partisan cable channels to whip us up into a frenzy anymore. We can do that ourselves. Trapped in our own filter bubbles, we do a good enough job of whipping ourselves up into a self-righteous and venomous lather. Twitterstorms now have a familiar playbook: outrage, castigation, a collective loss of proportion, the herd’s humiliation of the victim, calls for apologies. Then, if the campaign is successful, there is the final act of these mini-operas: apology and perhaps redemption.

While there’s no doubt much of this collective action is a good thing -- it’s hard to argue with calling out criminal corporations or highlighting the crimes of evil regimes -- the angry mobs of Twitter also show the shabbier side of human nature. It's hardly the Demos the early social-media evangelists imagined. (For another example, watch "Twitter mob justice keeps racist tram woman in jail for Christmas" below.)

About This Blog



Written by Luke Allnutt, Tangled Web focuses on the smart ways people in closed societies are using social media, mobile phones, and the Internet to circumvent their governments and the efforts of less-than-democratic governments to control the web. 

Whistleblowing Survey

Griffith University and the University of Melbourne are running an international survey about attitudes to whistleblowing. The survey is anonymous and anyone can take part, not just whistleblowers. We invite you to participate in the World Online Whistleblowing Survey.