[liberationtech] National Security Letters (NSLs) - in case you missed this

Fri Mar 22 10:44:09 PDT 2013

Great to hear your perspective, and I'm sorry you're disappointed.
But that's why we have discussion lists.

Best,

Yosem

On Fri, Mar 22, 2013 at 10:30 AM, Andy Isaacson <adi at hexapodia.org> wrote:
> For the record, I do not think that the poster of this message is a
> reliable narrator, and I regret that this is being put about as a
> "noisebridge" document.  It's present on the Noisebridge webserver
> merely because it was sent to a public mailing list which is
> automatically archived.
>
> The so-called "ToS tell" is obviously not a reliable indicator of NSL
> activity, and most of his evidence is similarly questionable.  I do
> believe that this individual was interviewed by law enforcement as a
> follow-on to his full-disclosure posts about security weaknesses in US
> utility company systems, but the rest of the story seems weak.
>
> There's a pretty strong cultural tradition at Noisebridge of treating
> even fairly outlandish claims with a modicum of tongue-in-cheek respect
> (although like all "rules" it's observed mostly in the breach, and
> trolling and mockery rule the day).  Please read my posts in that
> archive thread with that in mind.
>
> Yosem, I'm disappointed that you forwarded this to libtech without an
> editorial caution.
>
> -andy
>
> On Fri, Mar 22, 2013 at 10:00:19AM -0700, Yosem Companys wrote:
>> https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-March/035200.html
>>
>> Thu Mar 21 09:15:36 UTC 2013
>>
>> NSLs were still alive and kicking up until a week of so ago, when the
>> EFF's successful ruling was announced. The EFF has let me know that
>> the ruling only stands for 90 days and that there is a possibility the
>> ruling will be rescinded after that upon appeal. So, we are not safe
>> yet. I was in contact with the EFF this month regarding the issue.
>> They referred me to some lawyers, but basically, the advice to me in
>> general has been is that no digital information is protected from
>> snooping unless it is stored in your home and encrypted. But even
>> then, I am told that silent "black bag" jobs (tampering your home
>> electronic devices) are a possibility if you are labeled a threat to
>> national security.
>>
>> Here is some feedback I can share, since I am a rare person to have
>> realized the snooping was in effect while it was occurring. I also got
>> confirmation of this due to lack of a confidentiality requirement when
>> multiple agents attempted to visit me in person and called me on the
>> phone. They wanted to follow-up after their many months of snooping
>> revealed that I was not in fact a "terrorist" -- simply a security
>> researcher that had identified vulnerabilities of a North American
>> utility company. After half a year of working with the utility
>> company, they did nothing to protect my own data, so I went online to
>> blow the whistle about the company being breached and all user data
>> (including home addresses and names) being compromised. With this
>> vulnerability, someone could effectively find your home address /
>> phone / name on account no matter where you lived in North America,
>> since you are required to provide this when receiving utility service.
>> To my knowledge, the companies involved have still not gone public
>> with this information.
>>
>> Some things the Secret Service did to snoop on me that you should also
>> be aware of, and some feedback follow:
>>
>> * SS served Google with an NSL to obtain my account information.
>>
>> * Around January, upon logging into the Google account, Google showed
>> a strange NOTICE message asking me to accept the terms of usage of my
>> account. This was odd, because in a decade of being a Google user, I
>> had never seen this. I am told that this is Google's way of "telling
>> you without telling you" that you have been served an NSL. Google, by
>> law, is not allowed to tell you about the NSL, but they definitely are
>> within their right to ask you to accept their TOS upon login. This is
>> the "tell" that everyone here should be aware of. If you see this, you
>> are likely being monitored.
>>
>> * My Google account was being operated by someone else, despite
>> utilizing 2-step and very strong passwords. This may have been limited
>> to a Google Chat 0day, unpublished vulnerability, or a Google
>> backdoor. My chat contacts said I was online when I was not online or
>> had messaged them, when I had not.
>>
>> * I received multiple emails from shady individuals asking me to
>> provide / sell 0day. Some were in poor English. I presume this may
>> have been a baiting tactic to get me on some technicality. I did not
>> sell any 0day nor did I accept their request to "help them" with
>> whatever they were seeking in terms of shady deals.
>>
>> * One of my encrypted Desktop home Linux computers was mysteriously
>> wiped upon my return from a trip. The RAID array was 'corrupted'.
>>
>> * People I know started getting strange calls from random numbers at
>> odd hours. I wonder if this was some attempt to exploit remote
>> listening flaws in some phones, but I am justly paranoid.
>>
>> * Someone opened mail / packages at my physical residence to reveal
>> the contents inside. This was very odd and not something that ever
>> happens. It occurred at least twice to my knowledge.
>>
>> * Local police were posted outside my residence the morning I received
>> numerous calls from SS agents.
>>
>> * SS confirmed over the phone that they monitored my Google account,
>> after I told them I knew they were. At first, they would not tell me
>> they did and denied it. The agent actually said "Google should not
>> have told you that". When I asked how many other online accounts they
>> monitored, the agent refused to let me know the details. When asked if
>> they monitored my financial / banking / health records, they said the
>> surveillance was limited to electronic records. I presume this
>> includes my ISP, Google, phone, any accounts signed up via Google
>> (third-party registration / account emails give it away), etc.
>>
>> * I was told that my security research activities are a "legal grey
>> area", but that the investigation was being closed. The SS said that
>> the data they have on me "is safe" and "will be destroyed" after some
>> "expiration period". I vehemently expressed my distrust that it would
>> be held securely or destroyed.
>>
>> For your background, I have been on the other side of such requests,
>> as the person providing data to the Secret Service field agents
>> before. These people don't understand technology and don't understand
>> what they are asking for many times. They also don't understand even
>> the most basic concepts of how the Internet works. I presume the
>> non-field agents (the people that are in operations centers and don't
>> talk to people) are the ones that penetrate the end-user
>> electronically, as necessary. Unfortunately, I have no evidence to
>> support the above other than the strange activity on my account. An
>> entirely separate and more likely scenario is that the Secret Service
>> communications are hacked by Nation States that used that surveillance
>> to target me directly. A scary assumption, but not out of the
>> question. Mitnick was reading GOV emails long ago and I would have to
>> presume that adversaries are snooping GOV emails still to this day.
>>
>> If you have any other insights, I would be glad to hear them. I would
>> love to speak with anyone else that can come forward as an NSL victim.
>>
>> On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson <adi at hexapodia.org> wrote:
>> > Did you receive one of the few NSLs without a confidentiality
>> > requirement, or did you manage to get it set aside, or are you relying
>> > on Judge Illston's decision in this disclosure?  (Just curious.)
>>
>> It did not have a confidentiality requirement, to my knowledge. I am
>> attempting to get the FOIA data on myself, but it has been rejected
>> thus far.
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech