[liberationtech] National Security Letters (NSLs) - in case you missed this

Andy Isaacson adi at hexapodia.org
Fri Mar 22 10:30:54 PDT 2013


For the record, I do not think that the poster of this message is a
reliable narrator, and I regret that this is being put about as a
"noisebridge" document.  It's present on the Noisebridge webserver
merely because it was sent to a public mailing list which is
automatically archived.

The so-called "ToS tell" is obviously not a reliable indicator of NSL
activity, and most of his evidence is similarly questionable.  I do
believe that this individual was interviewed by law enforcement as a
follow-on to his full-disclosure posts about security weaknesses in US
utility company systems, but the rest of the story seems weak.

There's a pretty strong cultural tradition at Noisebridge of treating
even fairly outlandish claims with a modicum of tongue-in-cheek respect
(although like all "rules" it's observed mostly in the breach, and
trolling and mockery rule the day).  Please read my posts in that
archive thread with that in mind.

Yosem, I'm disappointed that you forwarded this to libtech without an
editorial caution.

-andy

On Fri, Mar 22, 2013 at 10:00:19AM -0700, Yosem Companys wrote:
> https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-March/035200.html
> 
> Thu Mar 21 09:15:36 UTC 2013
> 
> NSLs were still alive and kicking up until a week or so ago, when the
> EFF's successful ruling was announced. The EFF has let me know that
> the ruling only stands for 90 days and that there is a possibility the
> ruling will be rescinded after that upon appeal. So, we are not safe
> yet. I was in contact with the EFF this month regarding the issue.
> They referred me to some lawyers, but basically, the advice to me in
> general has been that no digital information is protected from
> snooping unless it is stored in your home and encrypted. But even
> then, I am told that silent "black bag" jobs (tampering with your home
> electronic devices) are a possibility if you are labeled a threat to
> national security.
> 
> Here is some feedback I can share, since I am a rare person to have
> realized the snooping was in effect while it was occurring. I also got
> confirmation of this due to lack of a confidentiality requirement when
> multiple agents attempted to visit me in person and called me on the
> phone. They wanted to follow up after their many months of snooping
> revealed that I was not in fact a "terrorist" -- simply a security
> researcher that had identified vulnerabilities of a North American
> utility company. After half a year of working with the utility
> company, they did nothing to protect my own data, so I went online to
> blow the whistle about the company being breached and all user data
> (including home addresses and names) being compromised. With this
> vulnerability, someone could effectively find your home address /
> phone / name on account no matter where you lived in North America,
> since you are required to provide this when receiving utility service.
> To my knowledge, the companies involved have still not gone public
> with this information.
> 
> Some things the Secret Service did to snoop on me that you should also
> be aware of, and some feedback follow:
> 
> * SS served Google with an NSL to obtain my account information.
> 
> * Around January, upon logging into the Google account, Google showed
> a strange NOTICE message asking me to accept the terms of usage of my
> account. This was odd, because in a decade of being a Google user, I
> had never seen this. I am told that this is Google's way of "telling
> you without telling you" that you have been served an NSL. Google, by
> law, is not allowed to tell you about the NSL, but they definitely are
> within their right to ask you to accept their TOS upon login. This is
> the "tell" that everyone here should be aware of. If you see this, you
> are likely being monitored.
> 
> * My Google account was being operated by someone else, despite
> utilizing 2-step and very strong passwords. This may have been limited
> to a Google Chat 0day, unpublished vulnerability, or a Google
> backdoor. My chat contacts said I was online when I was not online or
> had messaged them, when I had not.
> 
> * I received multiple emails from shady individuals asking me to
> provide / sell 0day. Some were in poor English. I presume this may
> have been a baiting tactic to get me on some technicality. I did not
> sell any 0day nor did I accept their request to "help them" with
> whatever they were seeking in terms of shady deals.
> 
> * One of my encrypted Desktop home Linux computers was mysteriously
> wiped upon my return from a trip. The RAID array was 'corrupted'.
> 
> * People I know started getting strange calls from random numbers at
> odd hours. I wonder if this was some attempt to exploit remote
> listening flaws in some phones, but I am justly paranoid.
> 
> * Someone opened mail / packages at my physical residence to reveal
> the contents inside. This was very odd and not something that ever
> happens. It occurred at least twice to my knowledge.
> 
> * Local police were posted outside my residence the morning I received
> numerous calls from SS agents.
> 
> * SS confirmed over the phone that they monitored my Google account,
> after I told them I knew they were. At first, they would not tell me
> they did and denied it. The agent actually said "Google should not
> have told you that". When I asked how many other online accounts they
> monitored, the agent refused to let me know the details. When asked if
> they monitored my financial / banking / health records, they said the
> surveillance was limited to electronic records. I presume this
> includes my ISP, Google, phone, any accounts signed up via Google
> (third-party registration / account emails give it away), etc.
> 
> * I was told that my security research activities are a "legal grey
> area", but that the investigation was being closed. The SS said that
> the data they have on me "is safe" and "will be destroyed" after some
> "expiration period". I vehemently expressed my distrust that it would
> be held securely or destroyed.
> 
> For your background, I have been on the other side of such requests,
> as the person providing data to the Secret Service field agents
> before. These people don't understand technology and don't understand
> what they are asking for many times. They also don't understand even
> the most basic concepts of how the Internet works. I presume the
> non-field agents (the people that are in operations centers and don't
> talk to people) are the ones that penetrate the end-user
> electronically, as necessary. Unfortunately, I have no evidence to
> support the above other than the strange activity on my account. An
> entirely separate and more likely scenario is that the Secret Service
> communications are hacked by Nation States that used that surveillance
> to target me directly. A scary assumption, but not out of the
> question. Mitnick was reading GOV emails long ago and I would have to
> presume that adversaries are snooping GOV emails still to this day.
> 
> If you have any other insights, I would be glad to hear them. I would
> love to speak with anyone else that can come forward as an NSL victim.
> 
> On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> > Did you receive one of the few NSLs without a confidentiality
> > requirement, or did you manage to get it set aside, or are you relying
> > on Judge Illston's decision in this disclosure?  (Just curious.)
> 
> It did not have a confidentiality requirement, to my knowledge. I am
> attempting to get the FOIA data on myself, but it has been rejected
> thus far.