All posts by mitch tanenbaum

EARN-IT Act – Only Outlaws Will Have Strong Encryption


Full disclosure:  it will be obvious which side of the conversation I am on pretty quickly.

The FBI has been trying to ban end to end encryption – any encryption that they can’t break at will – for decades now.  They charged Phil Zimmermann with crimes and almost convicted him back in the 90s.  The battle is still going on.

For years the FBI has been using the flag of national security to try to ban encryption, but it hasn’t worked.  Part of the Patriot Act, which was implemented after 9/11, required telephone providers to provide metadata of all phone calls to the NSA so that they could search for terrorists.  After a while it was required that the phone companies themselves store the data.  Currently that provision has expired, in part because it was revealed that the government spent $100 million on the program and it only generated two leads, one of which didn’t pan out and the other of which they already knew about.

So now the FBI and their friends are trying a different tactic.  If terrorism didn’t work, how about waving the banner of kiddie porn?  After all, EVERYONE is against kiddie porn.  Of course, I am not aware of anyone who is pro terrorism either.

On the foundation of kiddie porn was built a bill, sponsored by Senator Lindsey Graham (R-SC) and supported by a few other Senators who want to appear to be strong against kiddie porn (it looks good on campaign posters, of course).

The bill, called EARN-IT, basically says that online service providers will lose protections that they currently have against being sued for content that their customers create (yes, really) if they do not implement some security standards that have not been defined, and won’t be until years after the bill would become law.  That’s right: the bill would impose requirements that won’t be defined for years after it becomes law.

The plan is that the bill would create a commission that would make recommendations to the Attorney General and some others, and the AG could accept those recommendations or change them any way he wants.  Of course, AG Barr is strongly against encryption, so we understand what will happen here.  Then, if service providers don’t implement these undefined rules, they will lose their immunity from being sued for content that they didn’t create.


Of course we don’t know if this bill will pass – given today’s politics it is a crap shoot.

But people need to understand the goal of the bill.  It is to ban any communications that the government can’t read.  TO PROTECT THE KIDS.

Surely you want to protect the kids.  Oh you don’t?  You probably shouldn’t be in office.  There is no way any politician could possibly win that battle because the public doesn’t have the patience to understand a deeply technical conversation.

Large companies like Google and Facebook **MIGHT** possibly be willing to fight the government and they have deep enough pockets to do that, but almost no one else does.  As a result, everyone else will have to create a back door so the feds can read everything that you do online.

But think about this for a minute.

Crooks don’t generally follow the law.  That’s why we call them criminals.  So they will use software that comes from some other country that doesn’t have a backdoor.  Of course that will stop the feds from reading the communications of the people that they are trying to stop.  BUT IT IS ABOUT THE KIDS.  EVERYONE WANTS TO PROTECT THE KIDS.

Of course, as soon as you put a backdoor in the communications, China will demand that providers give them the keys.  So will Russia and a whole bunch of other unsavory characters.

Does anyone really think that Facebook (or whoever) is going to stand up to China and say OK, if you want our encryption keys, we won’t do business in your country?  Fat chance.  They will say that they had to because they follow the laws in the countries that they are in, and since a quarter of the world’s population is in China, guess who will get the encryption keys.  I seem to recall something in the news that people are unhappy that Zoom encryption keys wound up in China last week.  Well, if this law passes, those keys will be in China and a bunch of other places forever.

Signal, the encrypted messaging app that is used by tens of millions of people including politicians, said that they will stop doing business in the United States if this bill becomes law.  They can’t afford the risk.  Everyone else is in it to make a buck so if they have to compromise everyone’s privacy and it gets some people killed in unsavory parts of the world, then it is okay.  They didn’t have a choice.

Of course the bad guys in countries like Russia and China and 50 others will use software without encryption backdoors, so we won’t be able to read their stuff anyway.

Note:  AG Barr doesn’t like calling backdoors BACKDOORS.  That term is so unsavory.  He prefers a much more sanitized term – lawful access.  Because if it is lawful, then it is okay.  BECAUSE IT IS ABOUT THE KIDS.

Of course, the people who are into kiddie porn will just use other encryption methods that don’t have backdoors, but the stupid ones will not and they might get caught.  Then the feds can say look how wonderful we are.  Of course the pros won’t get caught.

And even if they don’t catch anyone significant, they will make U.S. software companies less competitive in the world marketplace.  After all, will companies in other countries want to secure their sensitive information with encryption that the U.S. can read?  Entire countries have already banned ZOOM for just that reason.  The good news is that this will create an opportunity for companies in other countries to take business and jobs away from the U.S.  That is a sub-objective, right?

On the other hand, other countries like this idea, so some of them could follow in the U.S.’s footsteps.

Probably the most infuriating part of the bill to me (my opinion of course) is that the Congress is abdicating its responsibility by creating this commission instead of specifying the standards.  THAT WAY WHEN THE COMMISSION BANS ENCRYPTION THEY CAN SAY “IT WASN’T ME;  IT WAS THEM”.  Plausible deniability.

If this is such a good idea, define the rules now.  Debate them.  And put them into the law.

Of course if they did that, they couldn’t hide behind that smokescreen.

The bill as it is written now even has some poison pill provisions in it.  If the commission doesn’t approve some rules within a specified time period, the online service providers lose their immunity automatically and if that happens, there is nothing that they can do to get it back because there are no approved rules to follow to “earn” their protections back.

Don’t get me wrong.  I am not a fan of kiddie porn, but the reality here is that this has nothing at all to do with protecting the children and everything about getting back at the Silicon Valley companies that the current administration does not like.

For more information on the bill, check out Bruce Schneier’s column, Bitcoin magazine, The Register and the EFF.


White House Envisions US Leading Global 5G Development

The White House last month released a document called the National Strategy to Secure 5G.

This SIX PAGE document is a little light on details, but like your 10-year-old who is assigned homework, the Secure 5G and Beyond Act requires the President to turn in his homework, and he did.

So what would the White House like to do?  Four items:

  • Facilitating the domestic roll-out of 5G
  • Assessing the security risks and core principles for infrastructure
  • Managing those economic and security risks
  • Promoting responsible global development and deployment of the 5G infrastructure

These goals, of course, are wonderful.  But how do you actually do it?

Ernst & Young is estimating that China will spend $223 billion just in capital for 5G between 2019 and 2025.

By comparison, Verizon’s total capital expenditure for everything – not just 5G – is estimated to be around $17 billion this year.

The problem is that a lot of that is to buy so-called spectrum, which is likely free in China.  Verizon spent $3.4 billion to buy spectrum last year.  AT&T spent $2.4 billion.  That comes out of the total budget.

The FCC has a plan called Fast 5G which is supposed to help the carriers by allowing them to buy more spectrum.

Beyond that, we are back to the 10-year-old’s homework.

The paper says: To that end, the government will work with the private sector to “identify, develop and apply core security principles — best practices in cybersecurity, supply chain risk management, and public safety — to United States 5G infrastructure.”

For the third bullet (managing risk), it says that the White House will develop or identify supply chain risk management standards and practices and will try to stop U.S. businesses from selling technology, or the companies themselves, to “foreign adversaries” (AKA China).  On a very superficial basis, it reduces risk by forcing China to steal our tech rather than have it sold to them, but so far that strategy has only been mildly effective.  It also forces China to spend their money with our allies instead of with us or, worst case for them, to have to develop it themselves.

To cover the last bullet, the White House plans to work with other countries to lead the development of 5G technologies.  Two likely candidates might have been Nokia and Motorola, but both of them sold off their cellular business.  I’m not sure who is really left.

Bottom line, the White House complied with the law to produce a document, but really does not have a plan.  In fact, given our current desire to isolate ourselves, it is not clear what friends we really have in this game.

Plus, we need to figure out where we (translate: U.S. cellular carriers) come up with the hundreds of billions of dollars that will be needed to play catch up.  If China is going to spend $200 billion and is ahead of us, we might need to spend $400 billion.  Or more.  The new law did not come with bags of cash.  Source: CSO Online

Of course the temporary total contraction of the U.S. economy during 2020 doesn’t help much.  The only good news in that is that the pandemic is affecting China in a similar way, possibly worse, but we don’t really know.

Then there is the issue of public support.  In England 5G cell towers were set ablaze after reports of 5G being linked to the Coronavirus.  In China, if you complain they just shoot you.

Finally, there is the problem of “backhaul” which means getting the signal from the cell tower on the light pole on your block back to the Internet.  This is not a simple problem and the amount of bandwidth needed is staggering.

Bottom line, the White House turned in their homework paper, but that won’t really help very much.  This is not a simple problem and the world’s current economic woes are not helping.  Source: CSO Online


New Security Metrics to Consider – 24/72 and 1/10/60

Once a new bug is publicly announced, it takes, on average, seven days for bad guys to figure out how to weaponize it.

Experts say that this means that you need to harden your systems against that new attack within 72 hours.  That is not very long, even for the best of operations.

How long does it take the average organization to close holes?

On average – 102 days or 15 times the amount of time it takes to weaponize it.

Once a vulnerability is disclosed, it is a race between the good guys and the bad guys to either fix it or abuse it.

Some examples:

Microsoft patched BlueKeep, a very well publicized bug, in May 2019, and explained why it was critical to patch.  In December 2019, there were at least 700,000 machines publicly exposed and still vulnerable.

Remember WannaCry?  Sophos says that there are still a large number of machines not patched against it – two years later.

Zero day attacks are even worse – best practice says that they should be patched in 24 hours.

To add to the complexity of the problem for IT, these fixes need to be tested.

So if the benchmark for MEAN TIME TO HARDENING is 24 HOURS FOR ZERO DAYS AND 72 HOURS FOR OTHER FIXES, IT has got a lot of work to do.

The cousin of this is incident response.  CrowdStrike sets the benchmark at 1/10/60.

For those of you not familiar with this benchmark, it means:

  • 1 minute to detect an intrusion
  • 10 minutes to investigate and understand it
  • 60 minutes to contain and remediate it

These two goals are really important and also really hard.  Almost no organizations can currently do this.

These two goals interact with each other.  If we can close off enough holes then we make it harder for the bad guys.  This allows IT to focus on the remaining attacks.

For IT, the battle is basically the need for speed.

So here are the recommendations:

24/72 (hours) for patching

1/10/60 (minutes) for incident response

For almost all organizations, this is a big project.  Everybody ready?

Source: Threatpost


Security News for the Week Ending April 3, 2020

DoD Concerned Covid Will Cause US IP Loss

In an interesting analysis, Ellen Lord, DoD’s top acquisition official, is concerned that foreign interests (including unfriendly foreign interests) will buy or invest in small U.S. defense subcontractors and steal our tech.  In theory CFIUS and FIRRMA should make that harder, as the government has the right to nix buyouts if it thinks they will hurt us, but first it has to know about them.  With Covid potentially impacting the stability of these small companies, the government has its work cut out for it.  Source: Defense Systems

Violating a Web Site’s Terms of Service: Hacking or Not?

The Computer Fraud and Abuse Act (CFAA) was written long before the Internet, but leave it to aggressive prosecutors and companies to use it in a way that was never intended.  But the various federal courts can’t seem to figure out how to interpret it.  The DC federal court has just ruled that using a web site with a legally obtained user account in a way that may violate the web site owner’s terms of service is not hacking and cannot be prosecuted under the CFAA.  Since about half of the federal courts have ruled in each direction on this issue, it is likely to make it up to the Supremes.  This is important both for web site operators and security researchers. Source: Ars Technica

Zoom Does Not Support End to End Encryption, Despite Claims that it Does

In some of Zoom’s documentation, as well as in the client, Zoom says that it supports end to end encryption, but in fact it does not, at least when video is involved.  I am sure now that it has come out that they lied on their web site, they will likely get sued.  If you think about it, given that they have the ability to record your call, there is no way that it can be end to end encrypted.  The video is encrypted between their data center and you, which is probably good enough for 99% of the planet.  This also means that the fuzz can listen in on your call.  Moral of the story: if you are doing something illegal, or classified, don’t discuss it on a public video conference (or audio) service.  There are ways to really do end to end encryption and I have set them up before, but they are neither cheap nor simple.  Source: The Intercept

DoJ Inspector General Says FISA Court Requests Are Suspect

The Department of Justice’s Inspector General says that the FBI has not followed the rules when applying for secret FISA warrants over the last five years.  Given that the whole process is secret, it is not surprising that it is flawed.  Any time the government operates outside the light of day, the opportunity for abuse is there and now, the DoJ IG is questioning 700 warrant requests made over the last 5 years.  The court is basically a rubber stamp since there is no “other side” to any request.  This came to light when Carter Page, a Trump campaign advisor, was the subject of a FISA court wiretap.  This is also at the core of the fight between the House and Senate over the renewal of certain parts of FISA that expired last month.  Source: The Register

California AG Revises CCPA Regulations Again

As the deadline set by the legislature for the enforcement of CCPA lurches closer (July 1), the AG has revised the proposed regulations again.  Among the changes are a re-expansion of the definition of personal information, privacy notice guidance, instructions on responding to data subject requests, clarification/restriction of service provider use of information and a minor clarification of the definition of financial incentives.   See the assessment from law firm ReedSmith here and a copy of the again revised regs here.


WARNING: Covid-19 Increases Security Risk

While the subject line shouldn’t surprise anyone, we are beginning to see more data on the subject.  Here are some examples:

Threatpost surveyed their readers about their “comfort level” regarding remote work preparedness.  52 percent – roughly half – said that they “feel” prepared for the transition.  20 percent admitted they were struggling.  Given the fact that in normal times we hear about breaches every day, feeling prepared doesn’t give me a lot of comfort.  40 percent say they are seeing an increase in cyberattacks as they move to work from home.  That, of course, doesn’t address the VAST majority of small and medium sized businesses that have no monitoring in place to detect such activity beyond traditional anti-virus software, which isn’t really up to the task.

13 percent of the respondents said that they were only ready to move a small part of their workforce to work from home and 5 percent weren’t ready at all.

For 70 percent of the responders, enabling remote work is new for them.  I suggest this means that they don’t even know what the attacks will look like, so the 52 percent who “feel” prepared are likely optimists.

In fairness, at least 28 percent said they were “extremely” worried about cyberattacks as they move to more work from home activity.

A different Threatpost article talked about some of the issues facing organizations as they move to major remote work status.

Organizations have traditionally assumed that their perimeter security provided a strong line of defense and, historically, it has been important.  Unfortunately, the rapid move to remote work doesn’t give organizations time to plan for the security implications of the move.

Already researchers are seeing an uptick in coronavirus-themed attacks.  This includes remote access trojan (RAT) attacks that quietly take over a user’s system and silently steal their data.

As people work from home, they mix personal and business use of their systems, and users get distracted or forget.  The hackers take advantage of that.

Then we have a lack of IT resources.  It is much easier to support users when they are located in a company office, on a company network and using company computers.  Users will try to figure out how to “fix” things themselves when the help desk is not down the hall.

Home WiFi is, for the most part, a dumpster fire, as are home firewalls – if they exist at all.  After all, when was the last time YOU patched your OWN home firewall or WiFi access point?  When was the last time you checked the security configuration of those devices?

Any company using legacy, proprietary software is also probably at greater risk.  Those systems are often designed to work in a closed environment.  The software configuration might have to be changed to even work remotely.

Cyber crooks, however, get to take advantage of everything that they have used in the past to try and trick businesses and employees who are operating in a new environment that no one is prepared for, and for which no one had time to train employees on new and different practices.


Magically, Carriers Can Stop Spam Robo Calls

For years U.S. telephone carriers have said that they can’t stop spam callers.  Truth is that they make a lot of money from either sending or receiving these calls, so they had zero incentive to figure out a way to stop it.

The problem would decrease a lot if you could believe the information that Caller ID was providing you, because you could (a) tell if you knew the person who was calling you and (b) decline calls if you didn’t recognize the number.

How many times have you received a call that shows an area code and exchange (the first 6 digits of a phone number) that looks like it came from your neighborhood?

Caller ID was created decades ago and has zero security in it.  Add to that the fact that adding security costs the carriers money with no added revenue, and you can see why they haven’t done anything about it.

But Congress passed the TRACED Act late last year and this gives the FCC more power to go after phone spammers, it extends the statute of limitations for DoJ to go after spammers and it requires carriers to add security to Caller ID at no cost to subscribers.  It also allows the FCC to fine carriers for first offenses, something the FCC cannot do in most cases.

Magically, when the carriers figured out that they might get fined or even prosecuted, it only took them a couple of months to design at least a partial solution.  This is one of those cases where we don’t want perfect to get in the way of good.

Since most calls are now digital, the current plan, called SHAKEN/STIR, requires Caller ID info to be digitally signed at the source and digitally checked at the destination.
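To make the sign-at-source, check-at-destination idea concrete, here is an added example (not from the post or from any carrier's code) modeled on the STIR PASSporT token that SHAKEN carries: the originating carrier signs the calling number and a timestamp with ES256, and the terminating carrier verifies the signature, the token's age, and that the signed number matches the Caller ID actually presented on the call. The carrier key, certificate URL and phone numbers are constructed; a real verifier also fetches and validates the carrier certificate named by x5u, which this example skips.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Simplified PASSporT payload: the originating carrier's claim about who is calling
// (orig.tn), when (iat) and how sure it is (attest A=full, B=partial, C=gateway).
type TN struct{ TN string `json:"tn"` }
type Passport struct {
	Attest string `json:"attest"`
	IAT    int64  `json:"iat"`
	Orig   TN     `json:"orig"`
}

// Sign is the originating carrier's step: ES256 over base64url(header).base64url(payload).
// The x5u certificate URL is a placeholder; a real verifier fetches and validates that cert.
func Sign(priv *ecdsa.PrivateKey, p Passport) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://certs.example.test/carrier.pem"})
	body, _ := json.Marshal(p)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 encodes r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify is the terminating carrier's step: signature valid under the originating carrier's
// key, iat inside a 60 s replay window, and signed caller equal to the Caller ID presented.
func Verify(pub *ecdsa.PublicKey, token, presentedCallerID string, now time.Time) (p Passport, err error) {
	parts := strings.Split(token, ".")
	sig, derr := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || derr != nil || len(sig) != 64 {
		return p, errors.New("malformed token")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return p, errors.New("signature not made by the asserted carrier")
	}
	if body, derr := base64.RawURLEncoding.DecodeString(parts[1]); derr != nil || json.Unmarshal(body, &p) != nil {
		return p, errors.New("malformed payload")
	}
	if age := now.Unix() - p.IAT; age > 60 || age < -60 {
		return p, errors.New("stale token (possible replay)")
	}
	if p.Orig.TN != presentedCallerID {
		return p, errors.New("presented Caller ID differs from signed origin")
	}
	return p, nil
}

func main() {
	carrier, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed carrier key
	tok, _ := Sign(carrier, Passport{Attest: "A", IAT: time.Now().Unix(), Orig: TN{"12155550123"}})
	_, honest := Verify(&carrier.PublicKey, tok, "12155550123", time.Now())
	_, spoofed := Verify(&carrier.PublicKey, tok, "12155550999", time.Now()) // neighbor-looking Caller ID
	fmt.Println("honest call:", honest, "| spoofed Caller ID:", spoofed)
}
```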

I noticed a couple of months ago that Verizon is now flagging calls as potential spam and is giving me the option to mark any call that I receive as potential spam.  Interesting what happens when the money equation changes.

The FCC *JUST* released rules that require carriers to implement SHAKEN/STIR on the digital portion of their network (such as cell phones) by June 30th of next year.  There is a one year delay for small carriers that may not be able to financially get it done by that date.

Then carriers have to deal with the old analog phone calls.

So while this is far from perfect, the big spammers are all digital because they need to make thousands of calls an hour in order to be profitable crooks.  This new regulation should significantly help this problem.

As long as the FCC keeps the pressure up on the carriers, things should improve over the next couple of years.

Source: ZDNet
