Resources

Bloomberg’s Spy Chip Story Reveals the Murky World of National Security Reporting

Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful companies. Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations. Apple also released its own standalone statement later in the day, as did Supermicro.

Welcome to the murky world of national security reporting.

I’ve covered cybersecurity and national security for about five years, most recently at CBS, where I reported exclusively on several stories — including the U.S. government’s covert efforts to force tech companies to hand over their source code in an effort to find vulnerabilities and conduct surveillance. And last year I revealed that the National Security Agency had its fifth data breach in as many years, and classified documents showed that a government data collection program was far wider than first thought and was collecting data on U.S. citizens.

Even with this story, my gut is mixed.

In the aftermath of the disclosure of PRISM, the NSA’s data pulling program that implicated several tech companies — including Apple, but not Amazon — the companies came out fighting, vehemently denying any involvement or connection. Was it a failure of reporting? Partially, yes. But the companies also had plausible deniability by cherry picking what they rebuffed. Despite a claim by the government that PRISM had “direct access” to tech companies’ servers, the companies responded that this wasn’t true. They didn’t, however, refute indirect access — which the companies wouldn’t be allowed to say in any case.

Commercial Spyware is “Out of Control”

Throughout 2016 and 2017, individuals in Canada, United States, Germany, Norway, United Kingdom, and numerous other countries began to receive suspicious emails. It wasn’t just common spam. These people were chosen.

The emails were specifically designed to entice each individual to click a malicious link. Had the targets done so, their internet connections would have been hijacked and surreptitiously directed to servers laden with malware designed by a surveillance company in Israel. The spies who contracted the Israeli company’s services would have been able to monitor everything those targets did on their devices, including remotely activating the camera and microphone.

Who was behind this global cyber espionage campaign? Was it the National Security Agency? Or one of its “five eyes” partners, like the GCHQ or Canada’s CSE? Given that it was done using Israeli-made technology, perhaps it was Israel’s elite signals intelligence agency, Unit 8200?

In fact, it was none of them. Behind this sophisticated international spying operation was one of the poorest countries in the world; a country where less than 5 percent of the population has access to the internet; a country run by an autocratic government routinely flagged for human rights abuses and corruption. Behind this operation was… Ethiopia.

The details of this remarkable clandestine activity are outlined in a new Citizen Lab report published today entitled “Champing at the Cyberbit.” In our report my co-authors and I detail how we monitored the command and control servers used in the campaign and in doing so discovered a public log file that the operators mistakenly left open. That log file provided us with a window, for roughly a year, into the attackers’ activities, infrastructure, and operations. Strong circumstantial evidence points to one or more government agencies in Ethiopia as the responsible party.

We were also able to identify the IP addresses of those who were targeted and successfully infected: a group that includes journalists, a lawyer, activists, and academics. Our access also allowed us to enumerate the countries in which the targets were located. Many of the countries in which the targets live—the United States, Canada, and Germany, among others—have strict wiretapping laws that make it illegal to eavesdrop without a warrant. It seems individuals in Ethiopia broke those laws.

If a government wants to collect evidence on a person in another country, it is customary for it to make a formal legal request to other governments through a process like the Mutual Legal Assistance Treaties. Ethiopia appears to have sidestepped all of that. International norms would suggest a formal démarche to Ethiopia from the governments whose citizens it monitored without permission, but that may happen quietly if at all.

Our team reverse-engineered the malware used in this instance, and over time this allowed us to positively identify the company whose spyware was being employed by Ethiopia: Cyberbit Solutions, a subsidiary of the Israel-based homeland security company Elbit Systems. Notably, Cyberbit is the fourth company we have identified, alongside Hacking Team, Finfisher, and NSO Group, whose products and services have been abused by autocratic regimes to target dissidents, journalists, and others. Along with NSO Group, it’s the second Israel-based company whose technology has been used in this way.

Israel does regulate the export of commercial spyware abroad, although apparently not very well from a human-rights perspective. Cyberbit was able to sell its services to Ethiopia—a country with not only a well-documented history of governance and human rights problems, but also a track record of abusing spyware. When considered alongside the extensive reporting we have done about UAE and Mexican government misuse of NSO Group’s services, it’s safe to conclude Israel has a commercial spyware control problem.

How big of a problem? Remarkably, by analyzing the command and control servers of the cyber espionage campaign, we were also able to monitor Cyberbit employees as they traveled the world with infected laptops that checked in to those servers, apparently demonstrating Cyberbit’s products to prospective clients. Those clients include the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, and the Philippine president’s Malacañang Palace. Outlining the human rights abuses associated with those government entities would fill volumes.

Cyberbit, for its part, has responded to Citizen Lab’s findings: “Cyberbit Solutions offers its products only to sovereign governmental authorities and law enforcement agencies,” the company wrote me on November 29. “Such governmental authorities and law enforcement agencies are responsible to ensure that they are legally authorized to use the products in their jurisdictions.” The company declined to confirm or deny that the government of Ethiopia is a client, but did note that “Cyberbit Solutions can confirm that any transaction made by it was approved by the competent authorities.”

Governments like Ethiopia no longer depend on their own in-country advanced computer science, engineering, and mathematical capacity in order to build a globe-spanning cyber espionage operation. They can simply buy it off the shelf from a company like Cyberbit. Thanks to companies like these, an autocrat whose country has poor national infrastructure but whose regime has billions of dollars can order up their own NSA. To wit: Elbit Systems, the parent company of Cyberbit, says it has a backlog of orders valuing $7 billion. An investment firm recently sought to acquire a partial stake in NSO Group for a reported $400 million before eventually withdrawing its offer.

Of course, these companies insist that spyware they sell to governments is used exclusively to fight terrorists and investigate crime. Sounds reasonable, and no doubt many do just that. But the problem is when journalists, academics, or NGOs seek to expose corrupt dictators or hold them accountable, those truth tellers may then be labelled criminals or terrorists. And our research has shown that makes those individuals and groups vulnerable to this type of state surveillance, even if they live abroad.

Indeed, we discovered the second-largest concentration of successful infections of this Ethiopian operation is located in Canada. Among the targets whose identities we were able to verify and name in the report, what unites them all is their peaceful political opposition to the Ethiopian government. Except one. Astoundingly, Citizen Lab researcher Bill Marczak, who led our technical investigation, was himself targeted at one point by the espionage operators.

Countries sliding into authoritarianism and corruption. A booming and largely unregulated market for sophisticated surveillance. Civilians not equipped to defend themselves. Add these ingredients together, and you have a serious crisis of democracy brewing. Companies like Cyberbit market themselves as part of a solution to cyber security. But it is evident that commercial spyware is actually contributing to a very deep insecurity instead.

Remedying this problem will not be easy. It will require legal and policy efforts across multiple jurisdictions and involving governments, civil society, and the private sector. A companion piece to the report outlines some measures that could hopefully begin that process, including application of relevant criminal laws. If the international community does not act swiftly, journalists, activists, lawyers, and human rights defenders will be increasingly infiltrated and neutralized. It’s time to address the commercial spyware industry for what it has become: one of the most dangerous cyber security problems of our day.

More than 80% of US Adults now get news on their phones

Mobile devices have rapidly become one of the most common ways for Americans to get news, and the sharpest growth in the past year has been among Americans ages 50 and older, according to a Pew Research Center survey conducted in March.

More than eight-in-ten U.S. adults now get news on a mobile device (85%), compared with 72% just a year ago and slightly more than half in 2013 (54%). And the recent surge has come from older people: Roughly two-thirds of Americans ages 65 and older now get news on a mobile device (67%), a 24-percentage-point increase over the past year and about three times the share of four years ago, when less than a quarter of those 65 and older got news on mobile (22%).

The strong growth carries through to those in the next-highest age bracket. Among 50- to 64-year-olds, 79% now get news on mobile, nearly double the share in 2013. The growth rate was much less steep – or nonexistent – for those younger than 50.

“Social Media” has destroyed discourse

Hossein Derakhshan, an Iranian-Canadian author, media analyst, and performance artist, writes in MIT Technology Review:

“Like TV, social media now increasingly entertains us, and even more so than television it amplifies our existing beliefs and habits. It makes us feel more than think, and it comforts more than challenges. The result is a deeply fragmented society, driven by emotions, and radicalized by lack of contact and challenge from outside. This is why Oxford Dictionaries designated “post-truth” as the word of 2016: an adjective “relating to circumstances in which objective facts are less influential in shaping public opinion than emotional appeals.”

[…]

Traditional television still entails some degree of surprise. What you see on television news is still picked by human curators, and even though it must be entertaining to qualify as worthy of expensive production, it is still likely to challenge some of our opinions (emotions, that is).

Social media, in contrast, uses algorithms to encourage comfort and complaisance, since its entire business model is built upon maximizing the time users spend inside of it. Who would like to hang around in a place where everyone seems to be negative, mean, and disapproving? The outcome is a proliferation of emotions, a radicalization of those emotions, and a fragmented society. This is way more dangerous for the idea of democracy founded on the notion of informed participation.

This means we should write and read more, link more often, and watch less television and fewer videos — and spend less time on Facebook, Instagram, and YouTube.

Our habits and our emotions are killing us and our planet. Let’s resist their lethal appeal.”

Social media and the anti-fact age

Adam Turner at The Age writes:

“When you look at how social media works, it was inevitable that it would turn into one of the world’s most powerful propaganda tools. It’s often painted as a force for good, letting people bypass the traditional gatekeepers in order to quickly disseminate information, but there’s no guarantee that this information is actually true.

Facebook has usurped the role of the mainstream media in disseminating news, but hasn’t taken on the fourth estate’s corresponding responsibility for keeping the bastards honest. The mainstream media has no-one to blame but itself, having engaged in a tabloid race to the bottom which devalued truth to the point that blatant liars are considered more honest.

The fragmentation of news is already creating a filter bubble in that most people don’t tend to read the newspaper from front to back, or sit through entire news bulletins, they just pick and choose what interests them. The trouble with Facebook is that it also reinforces bias, the more extreme your political views the less likely you are to see anything with an opposing viewpoint which might help you develop a more well-rounded view of the world.”

Brooke Binkowski, the managing editor of the fact-checking site Snopes.com, says, “Honestly, most of the fake news is incredibly easy to debunk because it’s such obvious bullshit…”

The problem, Binkowski believes, is that the public has lost faith in the media broadly — therefore no media outlet is considered credible any longer. The reasons are familiar: as the business of news has grown tougher, many outlets have been stripped of the resources they need for journalists to do their jobs correctly. “When you’re on your fifth story of the day and there’s no editor because the editor’s been fired and there’s no fact checker so you have to Google it yourself and you don’t have access to any academic journals or anything like that, you will screw stories up,” she says.

UPDATE 1/12/2016 — Most students can’t spot fake news

“If you thought fake online news was a problem for impressionable adults, it’s even worse for the younger crowd. A Stanford study of 7,804 middle school, high school and college students has found that most of them couldn’t identify fake news on their own. Their susceptibility varied with age, but even a large number of the older students fell prey to bogus reports. Over two thirds of middle school kids didn’t see why they shouldn’t trust a bank executive’s post claiming that young adults need financial help, while nearly 40 percent of high schoolers didn’t question the link between an unsourced photo and the claims attached to it.

Why did many of the students misjudge the authenticity of a story? They were fixated on the appearance of legitimacy, rather than the quality of information. A large photo or a lot of detail was enough to make a Twitter post seem credible, even if the actual content was incomplete or wrong. There are plenty of adults who respond this way, we’d add, but students are more vulnerable than most.

As the Wall Street Journal explains, part of the solution is simply better education: teach students to verify sources, question motivations and otherwise think critically.”

(Emphasis added)

Cop Watchers (2016)

Groups of citizens wielding cameras take to the streets of New York to document the systemic police brutality and racism facing the public. The cops hate it and so they push back hard. This is how police accountability plays out in the real world. Take heed.