Wednesday, October 14, 2015

What Did Clinton Mean When She Said Snowden Files Fell Into the “Wrong Hands”?

Hillary Clinton asserted at Tuesday night’s Democratic presidential debate that NSA whistleblower Edward Snowden “stole very important information that has unfortunately fallen into a lot of the wrong hands.”
She seemed to be darkly intimating that the information Snowden gave to journalists in Hong Kong before he was granted asylum in Moscow also ended up with the Chinese and/or Russian governments.
But that conclusion is entirely unsupported by the evidence; it’s a political smear that even the most alarmist Obama administration intelligence officials have not asserted as fact.
As Snowden has repeatedly explained, after turning over copies of the heavily encrypted files to reporters, he destroyed his own before he left Hong Kong.
He did not take the files to Russia “because it wouldn’t serve the public interest,” he told the New York Times in 2013. “There’s a zero percent chance the Russians or Chinese have received any documents,” he said.
The Rupert Murdoch-owned Sunday Times newspaper ran a front-page story in June asserting that Russia and China had “cracked the top-secret cache of files” that the paper, citing anonymous sources, claimed Snowden had brought with him to Moscow. But the story was thoroughly debunked and a video clip of the reporter acknowledging that “we just publish what we believe to be the position of the British government” went viral.
Apparently, Clinton was engaging in similarly hyperbolic, unsupported scare tactics – that is, unless by “the wrong hands” she meant ours: Journalists and the public.
Snowden’s attorney, ACLU lawyer Ben Wizner, was one of many who suggested as much on Twitter on Tuesday night:
Government transparency advocate Daniel Schuman reached the same conclusion:
Or did she mean us?
Snowden turned over his cache of documents to Intercept founding editors Glenn Greenwald and Laura Poitras, and the result has been the exposure – to the public – of the extraordinarily expansive and invasive surveillance apparatus that the U.S. government had secretly built over the years.
In the U.S., laws have already been changed – if only a little. Europeans are balking at sending their data to U.S. servers. And surveillance and privacy are now major issues in the presidential campaign.
Vermont senator Bernie Sanders said during the debate that “Snowden played a very important role in educating the American people to the degree in which our civil liberties and our constitutional rights are being undermined.”
Sanders said Snowden should face a penalty, but that “what he did in educating us should be taken into consideration.” (That is also Snowden’s position.)
Sanders also said he would immediately shut down the warrantless domestic surveillance program that Snowden exposed. “I’d shut down what exists right now is that virtually every telephone call in this country ends up in a file at the NSA. That is unacceptable to me.”
Clinton’s comments on Snowden were flawed in more than one way. She also insisted, incorrectly, that he could have accomplished his goals by going through normal channels.
“He could have been a whistleblower. He could have gotten all of the protections of being a whistleblower. He could have raised all the issues that he has raised. And I think there would have been a positive response to that,” she said.
But Snowden, as a contractor, was not covered by whistleblower protections. He did try going through established channels, but he said his concerns fell on deaf ears. And the response to his leaks has made abundantly clear that no one in his chain of command was the least bit interested in going public with the information.
Some Republicans were delighted with Clinton’s statements about Snowden – though their reasoning varied. Former Bush White House press secretary Ari Fleischer cheered Clinton on:
Right-wing Clinton-haters found another angle of attack, comparing her response to Snowden with the accusations that her private email server was a security risk:

Court Reinstates Lawsuit Against NYPD Muslim Spying, Citing History of Racist Scares

In a stunning legal decision issued today, the Third Circuit Court of Appeals ruled that Muslim-Americans who had been subjected to blanket mass-surveillance by the NYPD Intelligence Division have grounds to sue the department for discrimination. The ruling reverses a 2014 decision by the United States District Court of New Jersey that found the plaintiffs had insufficient legal standing to challenge the surveillance against them, and that the blanket surveillance of Muslim communities itself was not evidence of bias.
Linda Sarsour, Executive Director of the Arab American Association of New York, lauded today’s verdict, saying “The courts could not deny that in fact there is reason to believe that the NYPD engages in unwarranted surveillance of Muslims based on their faith alone…We haven’t won yet, but this is a step in the right direction.” Sarsour also said the NYPD program had generated widespread fear and paranoia. “This issue has never been just paranoia, this is a reality for Muslim communities,” she added.
In 2011, a landmark investigation by the Associated Press revealed that the NYPD’s Intelligence Division had been conducting highly-invasive, suspicion-less surveillance on Muslim-Americans living in and around the New York area. This surveillance, which lasted for years and which involved mapping out Muslim neighborhoods and businesses, building databases on information on ordinary people, and using undercover operatives to infiltrate entire communities, ultimately failed to turn up even one lead related to terrorism.
Despite failing to make any meaningful contribution to the fight against terrorism, the NYPD program, which was officially disbanded in 2014, did manage to fuel widespread paranoia among Muslim-Americans, while also triggering a number of lawsuits seeking to halt what was perceived to be a blatantly discriminatory program. Among these was the lawsuit filed in 2012 by the Center for Constitutional Rights and Muslim Advocates that the court upheld today.
In its ruling, the court took pains to position the mass-surveillance of Muslim-Americans within a broader historical context of misguided suspicion and hostility towards minority communities in the United States. In a strongly worded opinion, the court wrote that, “We have been down similar roads before. Jewish-Americans during the Red Scare, African-Americans during the Civil Rights Movement, and Japanese-Americans during World War II.” Citing another decision, it added that “we are left to wonder why we cannot see with foresight what we see so clearly with hindsight — that ‘loyalty is a matter of the heart and mind, not race, creed, or color.’”
The decision, as well as the exceptionally strong language used to deliver it, was welcomed by the civil society organizations that had been working to bring the spying program to legal scrutiny.
“The court was clearly writing for history by comparing this program to policies in the past that targeted Japanese-Americans, Jews and others,” said Glenn Katon, legal director of Muslim Advocates. “We hope that this decision reverberates not just throughout the country but throughout the federal government as well, which we know is still conducting all types of surveillance based on religion and ethnicity.”

Government Likens Ending Bulk Surveillance to Opening Prison Gates

A Justice Department prosecutor said Thursday that ordering the immediate end of bulk surveillance of millions of Americans’ phone records would be as hasty as suddenly letting criminals out of prison.
“Public safety should be taken into consideration,” argued DOJ attorney Julia Berman, noting that in a 2011 Supreme Court ruling on prison overcrowding, the state of California was given two years to find a solution and relocate prisoners.
By comparison, she suggested, the six months Congress granted to the National Security Agency to stop indiscriminately collecting data on American phone calls was minimal.
Ending the bulk collection program even a few weeks before the current November 29 deadline would be an imminent risk to national security because it would create a dangerous “intelligence gap” during a period rife with fears of homegrown terrorism, she said.
The argument came during a hearing before U.S. District Court Judge Richard Leon on plaintiff Larry Klayman’s request for a preliminary injunction that would immediately halt the NSA program that tracks who in the United States is calling who, when, and for how long.
The bulk telephony metadata program, which the NSA said was authorized under section 215 of the USA Patriot Act, was closed down by Congress in June with the passage of new legislation—the USA Freedom Act. However, the new bill allowed for a grace period of six months in which the government could set up a less all-inclusive alternative.
Klayman, an idiosyncratic plaintiff with a history of accusing the government of lying, seemed a bit unsure about specifically what relief he sought at the Thursday hearing.
But he argued that the transition period granted to the NSA was too long. “One day of constitutional violation is one day too much,” he said in his opening remarks.
The Second Circuit Court of Appeals in May ruled that the bulk telephony program was illegal.
Judge Leon ruled in Klayman’s favor in 2013, calling the government’s spying “almost Orwellian.”
When Berman made her analogy to releasing prisoners en masse, Leon responded: “That’s really a very different kind of situation, don’t you think?”
And Berman was unable to cite any evidence that the bulk collection prevented any sort of terrorist attack, or that ending it now would be a serious threat.
“That’s a problem I had before—wonderful high lofty expressions, general vague terms…but [the government] did not share a single example,” Leon said.
Klayman, whose arguments consisted mostly of accusing the government of lying and violating the law, decided by the end of the hearing that he actually wanted the entire USA Freedom Act stricken from the books—because he insisted that Congress, in allowing an unconstitutional program to proceed, had violated the Constitution itself.
Judge Leon promised a ruling “as soon as possible.”

Thursday, October 08, 2015

Tony Blair milked 9/11 – and ruined my election, says Iain Duncan Smith

Tony Blair milked 9/11 and ruined Iain Duncan Smith’s Tory leadership tenure as a result, the Work and Pensions secretary claimed shortly after Blair gave a speech on extremism at the 9/11 memorial museum in New York.
Speaking at a fringe meeting at the Conservative party conference in Manchester, Duncan Smith bemoaned the lack of coverage his 2001 election as Tory leader attracted.
“The day before I got elected the twin towers were struck,” Duncan Smith said. “So first of all we got no lift on my announcement. It had to be buried the following day, hardly anybody was paying attention.”
“Now you know, when the nation is kind of at war there is only one person they look to and it is the prime minister, because the prime minister is powerful. He’s the one who directs it. And Blair, of course, which maybe you can argue, he milked that for all that was worth,” Duncan Smith said.
He complained that it had been impossible to get any domestic issues brought up and that foreign policy is not generally an issue that the opposition wins on.
Duncan Smith’s comment came a day after Blair, whose support for the 2003 Iraq War at the time made him a more popular figure in the US than at home, laid out his vision of where jihadism comes from and how to approach it.
“The conspiracy theories which illuminate much of the jihadi writings have significant support even amongst parts of the mainstream population of some Muslim countries,” he told the audience.
“There are millions of schoolchildren every day in countries round the world – not just in the Middle East – who are taught a view of the world and of their religion which is narrow-minded, prejudicial and therefore, in the context of a globalized world, dangerous.”
Blair said the battle against radical Islam is a “general struggle” against a particular “ideology” within Islam.
He also said there are many within the faith who “feel a deep sense of outrage at the hijacking of their religion by the extremists and who are determined to retake it and restore its true purpose.”

Webcam hacker spied on sex acts with BlackShades malware


A Leeds-based hacker used a notorious piece of malware called BlackShades to spy on people via their webcams. Investigators from the National Crime Agency found images on the computer of Stefan Rigo, 34, including ones of people involved in sexual activity, some of whom were on Skype at the time.
Rigo was arrested in November last year during an international investigation.
He has been given a 20-week suspended sentence and placed on the sex offenders' register for seven years.
Rigo targeted a variety of victims after gaining remote access to their computers' webcams.
Incriminating images on his computer were discovered after a forensic examination.
Of the 14 confirmed individuals he spied on, roughly half were people he knew personally, an NCA spokesman told the BBC.
At a hearing in July, Rigo pleaded guilty to one count of voyeurism and another computer-related offence.
The court took Rigo's guilty plea into account when handing down the 20-week sentence. As well as being placed on the sex offenders' register, Rigo will have to complete 200 hours of unpaid work within the next 12 months.

Victims 'unaware'

Investigators found and arrested Rigo after raiding two addresses in Leeds.
The hacker had used his ex-girlfriend's details to purchase BlackShades, a remote access trojan (RAT) which allows for a high level of surreptitious control over a victim's computer.
"The problem with RATs specifically is a lot of the time people don't know they're being affected," the NCA spokesman said.
"In the case of Stefan Rigo that we were looking at, his victims weren't aware."
BlackShades has been around since 2010 and has been sold for as little as $40 (£26), explained Jens Monrad at cyber security firm FireEye.
"The application in itself is not that difficult to detect but typically the attackers will wrap some sort of exploit around the application," said Mr Monrad.
"Even with patches the victim will still be vulnerable so long as there is a hole in the operating system."
Mr Monrad recommended that computer users be careful of clicking on suspicious links or downloading dubious email attachments.

Cam scams

The criminal market for webcam hacking tools is highly active, according to Mr Monrad, since malicious hackers are often able to exploit their victims after taking covert images of them.
There have also been cases in which hackers sold access to specific cameras.
Connected security cameras in buildings may be at risk too, though there are sometimes difficulties in publicly discussing how secure they are.
One researcher recently cancelled a forthcoming talk on the issue following legal pressure from the manufacturers of widely-used surveillance cameras.
Gianni Gnesa was due to discuss "vulnerabilities found on major surveillance cameras and show how an attacker could use them to stay undetected" at the HITB GSEC security conference in Singapore.
The Register reports that a legal threat from one, unnamed, manufacturer resulted in Gnesa withdrawing his presentation.

Google Adblock shock a load of cock – users mock post hoc

Adblock denies Google has found a way to block Adblock

AdBlock Plus has denied Google has found a way of getting around its adblocking tool, instead blaming the problem on Chrome.
Users complained that ads were loading on YouTube and not displaying a skip button.
Initially it was thought the failure to use the adblocking tool was an aggressive tactic by Google to combat its flagging YouTube ad revenues.
One user said: "I'm having trouble using Adblock on managed Chrome devices like the Chromebook and Chromebox. I have them setup to be Public Kiosks, and I've added Adblock to be a forced installed extension, but it never installs.
"I'm wondering if Google has blocked Adblock from being installed in a public session."
Another tweeted: "So YouTube has finally clamped down on Adblock, if Adblock is active on the page, the pre-roll ad will play without a skip option."
However, Ben Williams, director of AdBlock Plus, said: "The problems on YouTube are because of an issue in Chrome. It apparently is only affecting a small subset of users. We know about it, I imagine they'll get a fix up soon."
A recent post on Google's Chromium support forum reported a workaround had been found through a patch.
Adblock Plus owner Eyeo recently saw off two legal cases in Germany fought by publishers claiming its practice of adblocking was not legal. ®

Adobe patches Flash dirty dozen, ignores 155 in Shockwave shocker

Sixteen code execution holes closed

Adobe has patched nearly two dozen vulnerabilities in its Flash player including 16 that lead to code execution but is still serving flawed versions with hundreds of holes as part of its Shockwave bundle.
The Flash vulnerabilities patched yesterday affect Windows, Mac, and Linux as part of the version 19.x updates.
It addresses code execution flaws resulting from buffer overflow vulnerabilities, memory corruption, and stack and stack overflow corruption.
Some of the 23 fixes include information disclosure, an update to harden against vector length corruptions, and validation checks to reject content from vulnerable JSONP callback APIs.
Google's Project Zero, HP's Zero Day Initiative, and Alibaba were among those security shops credited with discovering and reporting the holes.
While users running Flash should receive automatic updates, those grabbing clean installations of bundled Shockwave will risk having deployed severely outdated versions of the ravaged runtime.
The bundled Adobe Shockwave is serving Flash versions dating back to 16.0.0.305 released February and containing a staggering 155 vulnerabilities, according to KrebsOnSecurity.
Installation tests by this author on Windows 10 found Shockwave had installed version 18, released June.
Both borked versions would leave users open to dangerous attacks including some code execution holes being actively exploited in popular attack tools like the Angler exploit kit.
Version 18 leaves users exposed to three then-zero-day holes dumped in the Hacking Team breach, a 23 June actively exploited zero-day flaw, 37 vulnerabilities dropped in July, and 35 in August.
It's not all bad news for Flash lovers; the latest update introduces shiny features like AIR Workers for iOS, better Stage3D error messages, and bug fixes. ®

AVG to flog your web browsing, search history from mid-October

Your secrets sold to advertisers
Changes in the privacy policy of AVG's free antivirus doodad will allow it to collect your web browsing and search history – and sell it to advertisers to bankroll its freemium security software products.
The changes will come into play on 15 October, according to the Czech-based biz in a blog post. The revised privacy policy can be found here, with the key paragraph extracted below:
We collect non-personal data to make money from our free offerings so we can keep them free, including:
  • Advertising ID associated with your device.
  • Browsing and search history, including meta data.
  • Internet service provider or mobile network you use to connect to our products.
  • Information regarding other applications you may have on your device and how they are used.
AVG will also collect and broker information about apps it finds on a user's computer or device.
The security software firm says it will not sell personal information such as names, emails, addresses, or payment card details, and will try to "anonymize the data we collect and store it in a manner that does not identify you."
The biz admitted that private information may be exposed or inferred from one's browsing history. "Sometimes browsing history or search history contains terms that might identify you," AVG's privacy policy reads.
"If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information." ®

Webcam spyware voyeur sentenced to community service

Nabbed in operation targeting 'low-skilled' crooks

A UK voyeur who hacked webcams to spy on victims has avoided going to prison for his crimes.
Stefan Rigo, 33, of Leeds, used the Blackshades malware to infect systems and spy on victims. He was arrested in November 2014 as part of an international operation targeting low-skilled crooks using Blackshades, which gives hackers complete control of compromised Windows PCs.
“A forensic examination of Rigo’s computer equipment found a series of images that involved people engaged in sexual acts over Skype or in front of their computers,” a statement by police at the UK’s National Crime Agency explains. “Under interview Rigo admitted using functions of Blackshades that enabled him to control others’ webcams and monitor their desktops, enabling him to obtain passwords and email content.”
Rigo was found guilty of voyeurism offences following a trial at Leeds Magistrates Court. During his trial the 33-year-old admitted to being addicted to monitoring people via their computers, spending five to 12 hours a day doing so over a three-year period. He also pled guilty to hacking (Computer Misuse Act) offences.
The voyeur received a 40-week suspended sentence for his offences. In addition, Rigo's name was added to the sex offenders register for seven years and he was ordered to perform 200 hours of unpaid work during a sentencing hearing on 7 October. His computers have been seized.
Angela McKenna, senior investigating officer for the NCA’s National Cyber Crime Unit, said: “People using malicious tools like Blackshades can massively violate the privacy of their victims, and use compromised computers to facilitate further crime.
“Users of these tools are continuing to find that despite having no physical contact or interaction with their victims, they can still be identified, tracked down and brought to justice by the NCA and its partners,” she added.
Tips for avoiding infection from malicious RATs such as Blackshades can be found on UK government websites, cyberstreetwise.com and getsafeonline.org. Victims of online crimes can report them to the police via Action Fraud, the UK’s national fraud and internet crime reporting centre.
Malware has been used to spy on victims for years. Many such scams rely on spying on vulnerable youngsters alone in their bedrooms and capturing images before blackmailing victims into handing over more salacious material. Targets of such sextortion scams down the years have included former Miss Teen USA Cassidy Wolf and many others.
Security experts reckon the privacy problem of devices in the home is only going to get worse with the growing popularity of (often insecure) Internet of Things devices.
Adrian Beck, director of enterprise security program management at application security firm Veracode, commented: “With yet another case of webcams compromised by hackers, the threat of insecure connected devices to our privacy could never be clearer. In this shocking case, people’s most intimate moments were watched, and the threat of compromised connected devices will only get worse as we introduce more and more smart products into our homes.” ®

Rights groups: Darn you Facebook with your 'government names'

ZuckerBorg can assimilate us, but not on those terms

The ZuckerBorg's continued refusal to assimilate anyone who won't provide their "real" name to the site has provoked an angry letter from 75 human rights, digital rights, LGBTQ and women's rights advocates.
Facebook has always claimed its "real name" policy protects users from harassment, as without the right to anonymity users are less likely to behave online in a manner they would not attempt in meatspace.
A letter sent to the company today, however, takes issue with this.
The so-called "Nameless Coalition" stated: "It's time for Facebook to provide equal treatment and protection for all who use and depend on Facebook as a central platform for online expression and communication."
The coalition members – which included the American Civil Liberties Union of California, the Electronic Frontier Foundation and Human Rights Watch – issued five demands to which it asked Facebook to respond by 31 October.
  • Commit to allowing pseudonyms and non-legal names on its site in appropriate circumstances, including but not limited to situations where using an everyday name would put a user in danger, or situations where local law requires the ability to use pseudonyms.
  • Require users filing real name policy abuse reports to support their claims with evidence. This could come in written form, multiple-choice questions, or some alternative documentation.
  • Create a compliance process through which users can confirm their identities without submitting government ID. This could include allowing users to submit written evidence, answer multiple-choice questions, or provide alternative documentation such as links to blog posts or other online platforms where they use the same identity.
  • Give users technical details and documentation on the process of submitting identity information such as where and how it is stored, for how long, and who can access it. Provide users with the ability to submit this information using PGP or another common form of encrypted communication, so they may protect their identity information during the submission process.
  • Provide a robust appeals process for users locked out of their accounts. This could include the ability to request a second review, to submit different types of evidence, and to speak to a real Facebook employee, especially in cases involving safety.
The coalition notes several incidents in which Facebook's reporting process has been abused for harassment or censorship purposes.

A Short History of U.S. Bombing of Civilian Facilities

On October 3, a U.S. AC-130 gunship attacked a hospital run by Médecins Sans Frontières in Kunduz, Afghanistan, partially destroying it. Twelve staff members and 10 patients, including three children, were killed, and 37 people were injured. According to MSF, the U.S. had previously been informed of the hospital’s precise location, and the attack continued for 30 minutes after staff members desperately called the U.S. military.
The U.S. first claimed the hospital had been “collateral damage” in an airstrike aimed at “individuals” elsewhere who were “threatening the force.” Since then, various vague and contradictory explanations have been offered by the U.S. and Afghan governments, both of which promise to investigate the bombing. MSF has called the attack a war crime and demanded an independent investigation by a commission set up under the Geneva Conventions.
While the international outcry has been significant, history suggests this is less because of what happened and more because of whom it happened to. The U.S. has repeatedly attacked civilian facilities in the past but the targets have generally not been affiliated with a European, Nobel Peace Prize-winning humanitarian organization such as MSF.
Below is a sampling of such incidents since the 1991 Gulf War. If you believe some significant examples are missing, please send them our way. To be clear, we’re looking for U.S. attacks on specifically civilian facilities, such as hospitals or schools.
Infant Formula Production Plant, Abu Ghraib, Iraq (January 21, 1991)

On the seventh day of Operation Desert Storm, aimed at evicting Iraqi military forces from Kuwait, the U.S.-led coalition bombed the Infant Formula Production Plant in the Abu Ghraib suburb of Baghdad. Iraq declared that the factory was exactly what its name said, but the administration of President George H.W. Bush claimed it was “a production facility for biological weapons.” Colin Powell, then chairman of the Joint Chiefs of Staff, chimed in to say, “It is not an infant formula factory. It was a biological weapons facility — of that we are sure.” The U.S. media chortled about Iraq’s clumsy, transparent propaganda, and CNN’s Peter Arnett was attacked by U.S. politicians for touring the damaged factory and reporting that “whatever else it did, it did produce infant formula.”
Iraq was telling the truth. When Saddam Hussein’s son-in-law, Hussein Kamel, defected to Jordan in 1995, he had every incentive to undermine Saddam, since he hoped the U.S. would help install him as his father-in-law’s successor — but he told CNN “there is nothing military about that place. … It only produced baby milk.” The CIA’s own investigation later concluded the site had been bombed “in the mistaken belief that it was a key BW [Biological Weapon] facility.” The original U.S. claims have nevertheless proven impossible to stamp out. The George W. Bush administration, making the case for invading Iraq in 2003, portrayed the factory as a symbol of Iraqi deceit. When the Newseum opened in 2008, it included Arnett’s 1991 reporting in a section devoted to — in the New York Times’ description — “examples of distortions that mar the profession.”
Air Raid Shelter, Amiriyah, Iraq (February 13, 1991)

The U.S. purposefully targeted an air raid shelter near the Baghdad airport with two 2,000-pound laser-guided bombs, which punched through 10 feet of concrete and killed at least 408 Iraqi civilians. A BBC journalist reported that “we saw the charred and mutilated remains. … They were piled onto the back of a truck; many were barely recognizable as human.” Meanwhile, Army Lt. Gen. Thomas Kelly of the U.S. Joint Chiefs of Staff said: “We are chagrined if [civilian] people were hurt, but the only information we have about people being hurt is coming out of the controlled press in Baghdad.” Another U.S. general claimed the shelter was “an active command-and-control structure,” while anonymous officials said military trucks and limousines for Iraq’s senior leadership had been seen at the building.
In his 1995 CNN interview, Hussein Kamel said, “There was no leadership there. There was a transmission apparatus for the Iraqi intelligence, but the allies had the ability to monitor that apparatus and knew that it was not important.” The Iraqi blogger Riverbend later wrote that several years after the attack, she went to the shelter and met a “small, slight woman” who now lived in the shelter and gave visitors unofficial tours. Eight of her nine children had been killed in the bombing.
Al Shifa pharmaceutical factory, Khartoum, Sudan (August 20, 1998)

After al Qaeda attacks on U.S. embassies in Kenya and Tanzania in 1998, the Clinton administration targeted the Al Shifa factory with 13 cruise missiles, killing one person and wounding 11. According to President Bill Clinton, the plant was “associated with the bin Laden network” and was “involved in the production of materials for chemical weapons.”
The Clinton administration never produced any convincing evidence that this was true. By 2005, the best the U.S. could do was say, as the New York Times characterized it, that it had not “ruled out the possibility” that the original claims were right. The long-term damage to Sudan was enormous. Jonathan Belke of the Near East Foundation pointed out a year after the bombing that the plant had produced “90 percent of Sudan’s major pharmaceutical products” and contended that due to its destruction “tens of thousands of people — many of them children — have suffered and died from malaria, tuberculosis, and other treatable diseases.” Sudan has repeatedly requested a U.N. investigation of the bombing, with no success.
Train bombing, Grdelica, Serbia (April 12, 1999)

In the U.S.-led bombing of Serbia during the Kosovo war, an F-15E fighter jet fired two remotely guided missiles that hit a train crossing a bridge near Grdelica, killing at least 14 civilians. Gen. Wesley Clark, then Supreme Allied Commander Europe, called it “an unfortunate incident we all regret.” While the F-15 crew was able to control the missiles after they were launched, NATO released footage taken from the plane to demonstrate how quickly the train was moving and how little time the jet’s crew had to react. The German newspaper Frankfurter Rundschau later reported that the video had been sped up three times. The paper quoted a U.S. Air Force spokesperson who said this was accidental, and they had not noticed this until months later — by which point “we did not deem it useful to go public with this.”
Radio Television Serbia, Belgrade, Serbia (April 23, 1999)

Sixteen employees of Serbia’s state broadcasting system were killed during the Kosovo War when NATO intentionally targeted its headquarters in Belgrade. President Clinton gave an underwhelming defense of the bombing: “Our military leaders at NATO believe … that the Serb television is an essential instrument of Mr. Milosevic’s command and control. … It is not, in a conventional sense, therefore, a media outlet. That was a decision they made, and I did not reverse it.” U.S. envoy Richard Holbrooke told the Overseas Press Club immediately after the attack that it was “an enormously important and, I think, positive development.” Amnesty International later stated it was “a deliberate attack on a civilian object and as such constitutes a war crime.”
Chinese Embassy, Belgrade, Serbia (May 7, 1999)

Also during the Kosovo war, the U.S. bombed the Chinese embassy in Serbia’s capital, killing three staff and wounding more than 20. The defense secretary at the time, William Cohen, said it was a terrible mistake: “One of our planes attacked the wrong target because the bombing instructions were based on an outdated map.” The Observer newspaper in the U.K. later reported the U.S. had in fact deliberately targeted the embassy “after discovering it was being used to transmit Yugoslav army communications.” The Observer quoted “a source in the U.S. National Imagery and Mapping Agency” calling Cohen’s version of events “a damned lie.” Prodded by the media watchdog organization Fairness and Accuracy in Reporting, the New York Times produced its own investigation finding “no evidence that the bombing of the embassy had been a deliberate act,” but rather that it had been caused by a “bizarre chain of missteps.” The article concluded by quoting Porter Goss, then chairman of the House Intelligence Committee, as saying he believed the bombing was not deliberate – “unless some people are lying to me.”
Red Cross complex, Kabul, Afghanistan (October 16 and October 26, 2001)

At the beginning of the U.S.-led invasion of Afghanistan, the U.S. attacked the complex housing the International Committee of the Red Cross in Kabul. In an attempt to prevent such incidents in the future, the U.S. conducted detailed discussions with the Red Cross about the location of all of its installations in the country. Then the U.S. bombed the same complex again. The second attack destroyed warehouses containing tons of food and supplies for refugees. “Whoever is responsible will have to come to Geneva for a formal explanation,” said a Red Cross spokesperson. “Firing, shooting, bombing, a warehouse clearly marked with the Red Cross emblem is a very serious incident. … Now we’ve got 55,000 people without that food or blankets, with nothing at all.”
Al Jazeera office, Kabul, Afghanistan (November 13, 2001)

Several weeks after the Red Cross attacks, the U.S. bombed the Kabul bureau of Al Jazeera, destroying it and damaging the nearby office of the BBC. Al Jazeera’s managing director said the channel had repeatedly informed the U.S. military of its office’s location.
Al Jazeera office, Baghdad, Iraq (April 8, 2003)

Soon after the start of the U.S.-led invasion of Iraq, the U.S. bombed the Baghdad office of Al Jazeera, killing reporter Tarek Ayoub and injuring another journalist. David Blunkett, the British home secretary at the time, subsequently revealed that a few weeks before the attack he had urged Prime Minister Tony Blair to bomb Al Jazeera’s transmitter in Baghdad. Blunkett argued, “I don’t think that there are targets in a war that you can rule out because you don’t actually have military personnel inside them if they are attempting to win a propaganda battle on behalf of your enemy.”
In 2005, the British newspaper The Mirror reported on a British government memorandum recording an April 16, 2004, conversation between Blair and President Bush at the height of the U.S. assault on Fallujah in Iraq. The Bush administration was infuriated by Al Jazeera’s coverage of Fallujah, and according to The Mirror, Bush had wanted to bomb the channel at its Qatar headquarters and elsewhere. However, the article says, Blair argued him out of it. Blair subsequently called The Mirror’s claims a “conspiracy theory.” Meanwhile, his attorney general threatened to use the Official Secrets Act to prosecute any news outlet that published further information about the memo, and, in a secret trial, did in fact prosecute and send to jail a civil servant for leaking it.
Palestine Hotel, Baghdad, Iraq (April 8, 2003)
The same day as the 2003 bombing of the Al Jazeera office in Baghdad, a U.S. tank fired a shell at the 15th floor of the Palestine Hotel, where most foreign journalists were then staying. Two reporters were killed: Taras Protsyuk, a cameraman for Reuters, and Jose Couso, a cameraman for the Spanish network Telecinco. An investigation by the Committee to Protect Journalists concluded that the attack, “while not deliberate, was avoidable.”
This story has been updated to include the April 8, 2003, attack on the Palestine Hotel in Baghdad.

Saudi Arabia Continues Hiring Spree of American Lobbyists, Public Relations Experts

Oct. 5 2015, 4:53 p.m.
Saudi Arabia is in the market for a better reputation in Washington, D.C.
In September alone, the Saudi government signed deals with PR powerhouse Edelman and lobbying leviathan the Podesta Group, according to recent foreign lobbying disclosure documents.
Edelman, the largest privately owned public relations agency in the world, is known for helping clients win favorable media coverage on mainstream outlets. The Podesta Group is a lobbying firm founded by Tony Podesta, a major fundraiser for the Hillary Clinton presidential campaign.
The new signings are the latest in a year-long hiring spree by the Persian Gulf state as it further builds up its already formidable political arsenal inside the Beltway. The Saudi Arabian Royal Embassy did not respond to a request for comment.
In March, the Saudi Royal Embassy retained two influential lobbying firms, DLA Piper and Pillsbury Winthrop Shaw Pittman. DLA Piper, for instance, employs a small army of former government officials, including retired U.S. Sens. Saxby Chambliss and George Mitchell. Also in March, the embassy retained two firms that specialize in analyzing big data for political clients, Targeted Victory and Zignal Labs.
Saudi Arabia’s political operation already includes former Sen. Norm Coleman, R-Minn., who chairs one of the largest Republican Super PACs in the country, as well as the public relations firm MSLGROUP/Qorvis, and Saudi Aramco, the state-owned oil company that funds several influential American political groups, including the American Petroleum Institute. Aramco’s U.S. subsidiary, Saudi Refining, is a registered agent of the Saudi government. The government also finances a number of think tanks and universities, and has made contributions to prominent American nonprofits, including the Clinton Foundation.
The Podesta Group contract is with the Center for Studies and Media Affairs at the Saudi Royal Court. The contract, filed in the Justice Department’s foreign lobbying database, says that the firm will provide “public relations” work for the center.
“It is our company policy not to comment further on our work for clients beyond what is required by law and to direct reporters and other interested parties to our clients for any additional information,” said Missi Tessier, a spokesperson for the Podesta Group, when reached for more information about the relationship.
Edelman’s contract calls for the firm to “engage with opinion influencers, establish media engagement opportunities for [sic] principal, and assist in opinion editorial placement” on behalf of the Saudi Arabian General Investment Authority.
The Saudi regime is currently facing yet another public relations crisis as the Kingdom moves to execute Ali Mohammed al-Nimr, the young son of a government critic.
The nation also faces international outcry over the widespread killing of civilians in Yemen. Since March, Saudi Arabia has led a coalition that includes the U.S., U.K., Egypt and several Persian Gulf nations to support the Yemeni government in its war against the Houthi rebels. The Saudi-led coalition has repeatedly attacked schools, hospitals, and other civilian targets, including recent reports of a wedding party that was bombed, killing over 100 people.
Last week, I spoke to a number of lawmakers about Saudi human rights abuses, but found them extremely reluctant to criticize the Kingdom. Disclosures reveal that the lobbying firms that have worked for Saudi Arabia for years communicate frequently with senior members of Congress. Beyond entrenched military and economic ties between Saudi Arabia and the United States, the Kingdom appears to be working to maintain its political clout.

Drone Flies Over NSA Complex in Germany, Dropping Leaflets

A group of activists flew a drone over a key National Security Agency complex in Germany on Friday, dropping leaflets encouraging the intelligence workers inside to quit in protest over invasive surveillance.
The site of the drone fly-by, the Dagger Complex, is a U.S. military installation south of Frankfurt. It houses the European Cryptologic Center — a major source of signals and communications intelligence in Europe for the NSA. According to German media, its 1,100 employees monitor massive amounts of communications with tools such as XKEYSCORE, one of the programs revealed by NSA whistleblower Edward Snowden.
The group behind the drone mission, Intelexit, made headlines last week when it drove moving billboards past intelligence agencies in the U.S. and abroad. The billboards, framed by picturesque scenes of sunsets and American flags, include catchphrases such as “Complicit in mass surveillance and drone wars?” and “Listen to your heart, not to private phone calls,” directing observers to “exit intelligence.”
The latest campaign added a layer of symbolism with its use of a drone.
“We are inviting our many supporters to think of innovative ways to reach those who are in distress because of their role in supporting mass surveillance and drone warfare,” Sascha Fugel, a spokesperson for the campaign, said in a press release.
“Germany remains inactive and has to date taken no responsibility for the activities at the Dagger Complex,” Fugel continued. “We know that there are employees of the Dagger Complex who are experiencing great moral conflict because of their tacit involvement in spying.”
Activists who went to the headquarters of GCHQ, the British spying agency, were “really harassed by security/police who it seems, had already expected them,” Ariel Fischer, one of Intelexit’s organizers, wrote in an email to The Intercept. Freelance photographer Ben Grad accompanied a driver hired by Intelexit to drive around NSA headquarters in Fort Meade, Maryland. Grad told The Intercept that he and the driver took pictures on the NSA campus, but were told by security guards to delete them.
“In general, the response from the intelligence community so far has been to try and get rid of us as quickly as possible!” wrote Fischer.
Intelexit is supported by whistleblowers including Thomas Drake, a former senior NSA official who was indicted under the Espionage Act for sharing information about programs he viewed as expensive, illegal, and major risks to citizens’ privacy. Drake is featured in Intelexit’s homepage video.
According to a press release, Intelexit will be rolling out its networked support program for spies in its next phase.

Top European Court Rules That NSA Spying Makes U.S. Unsafe For Data

The European Union no longer considers the United States a “safe harbor” for data because the National Security Agency surveillance exposed by whistleblower Edward Snowden “enables interference, by United States public authorities, with the fundamental rights of persons.”
The EU’s highest court, the Court of Justice, declared on Tuesday that an international commercial data-sharing agreement allowing U.S. companies free-flowing access to large amounts of European citizens’ data was no longer valid.
As Snowden revealed in 2013, the NSA has been interpreting section 702 of the Foreign Intelligence Surveillance Act as giving it license to intercept Internet and telephone communications in and out of the U.S. on a massive scale. That is known as “Upstream” collection. The NSA is not required to demonstrate probable cause of a crime before a court or judge before examining the data. Another 702 program, called PRISM, explicitly collects communications of “targeted individuals” from providers such as Facebook, Yahoo and Skype.
When Max Schrems, an Austrian law student, learned about Snowden’s revelations, he argued that Facebook was ignoring stronger European privacy laws when it sent his data from its European headquarters in Ireland back to the United States, where it was being intercepted by the NSA. Schrems wrote that the lawsuit he launched against Facebook was about “transparency” and “user control” because he could not determine what was being done with his data—which goes against the European Union Charter of Fundamental Rights.
On September 23, the Court of Justice’s top legal adviser, Yves Bot, concluded that the safe harbor agreement was invalid because of U.S. surveillance. “It is apparent from the findings of the High Court of Ireland and of the Commission itself that the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection,” Bot wrote. “Interference with fundamental rights is contrary to the principle of proportionality, in particular because the surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance.”
The United States argued in response that the agreement protects privacy, and is vital to both U.S. and European businesses. A statement from the United States mission to the European Union insisted that “The United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens.”
But it did not provide any indication of how it defines “indiscriminate” – and the European court didn’t buy it.
“National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” the Court wrote.
Although the safe harbor provision applies to commercial data, the underlying issue is the overbroad access of U.S. intelligence agencies to European citizens’ data, said Jens-Henrik Jeppesen, director of European Affairs for the Center for Democracy and Technology. “Surveillance is the heart of this matter,” Jeppesen told The Intercept. “The highest court in the European Union is not satisfied with the guarantees such as they are under current U.S. laws.”
“The European decision is one of the best ones we’ve seen come out of Snowden revelations,” says Tiffiny Cheng, co-founder of the online advocacy group, Fight for the Future. “It is an actual conversation on the responsibility of companies and government to protect data they hold.”
The ruling was seen as posing a major obstacle for U.S.-based technology companies like Facebook, Google and Yahoo, whose business models require moving massive amounts of data back and forth between the U.S. and Europe.
What’s not yet clear is what they can do about it.
Sen. Ron Wyden, D-Ore., had a suggestion: reform U.S. surveillance law.
The decision is disastrous for U.S. companies, Wyden said in a statement. “By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses,” he said. “Yet, U.S. politicians who allowed the National Security Agency to secretly enact a digital dragnet of millions of phone and email records also bear responsibility. These ineffective mass surveillance programs did nothing to make our country safer, but they did grave damage to the reputations of the American tech sector.”
Wyden called on Congress to “start taking the next steps on surveillance reform now, and not wait for the expiration of section 702 of the FISA statute in December 2017 to get started.”
Snowden himself celebrated the decision in a stream of live-tweets, writing that “we are all safer as a result.”
And European privacy activists were optimistic about the fallout. “Invalidating Safe Harbour is a unique opportunity for the EU and the US to develop an accountable mechanism for data transfer that would protect individuals’ rights to privacy and data protection and provide companies with legal certainty at the same time,” wrote Estelle Masse, a policy analyst for Access in Brussels.
A narrower ruling, wrote Félix Tréguer, co-founder of the French civil rights group La Quadrature du Net, might have simply resulted in “the relocation of European’s personal data in Europe where local intelligence agencies would have been able to get their hands more easily on that data.”
“Thankfully, the ruling goes further than that,” he wrote. “It sets the stage for future cases (for instance those we’ll soon introduce against the French Intelligence Act, or those against the GCHQ that are currently pending before the European Court of Human Rights). It give[s] us room for legal maneuver; legal opportunities that civil rights groups all across Europe (and beyond probably) will be able to use in resisting the dangerous drift toward mass surveillance.”
Caption: A slide describing PRISM and UPSTREAM, NSA surveillance programs vacuuming up telephone and Internet communications from major companies, revealed by Edward Snowden in 2013.

Members of Congress Say OPM Can’t Be Trusted With Security Clearance Data Anymore

Representatives Ted Lieu, D-Calif., and Steve Russell, R-Okla., have asked the Obama administration to remove sensitive security clearance information from Office of Personnel Management computers and put it somewhere safer.
The congressmen acted in the wake of data breaches at OPM that compromised sensitive information on more than 20 million people who have undergone background checks for security clearances.
“We strongly believe that security clearance data — which has been described as ‘crown jewels’ of our national intelligence — should not be protected by OPM, which is neither an intelligence agency nor a defense organization,” Lieu and Russell wrote in a letter obtained by The Intercept.
Though the administration has been working on revamping the notoriously slow and flawed process of security clearances since 2004, the OPM data breach over the summer raised new concerns about protecting that information from intruders.
In July, President Obama announced a 90-day review of the security clearance process to be conducted by an interagency panel chaired by David Mader, the deputy director of the Office of Management and Budget.
The congressmen — members of the House Oversight and Government Reform Committee — wrote to Mader that they were “shocked to learn” in committee hearings “that for years OPM leadership had ignored warnings from the inspector general of ‘material weakness’ in data security. OPM’s failure to address known vulnerabilities was inexcusable.”
And Lieu and Russell, both former active duty military officers, noted that the matter was a personal concern for them. “We felt the impact of this negligence firsthand,” they wrote.
“We have drafted, and are prepared to offer, legislative authority to accomplish [the] goal” of extracting clearances from OPM, they wrote. In fact, the congressmen have been working on drafting legislation to remove security clearance information from OPM, but have been met with some roadblocks.
Lieu told The Intercept last month that he was facing “funding issues, issues related to capacity … whether an agency wants” to take on the responsibility for the records.


Wednesday, October 07, 2015

With Virtual Machines, Getting Hacked Doesn’t Have To Be That Bad

All major consumer operating systems, including Windows, Mac OS X, and Linux, are way too easy to hack. One mishap — opening the wrong email attachment, installing malware that pretends to be Flash, not updating your software quickly enough — and you’ve given the keys to the kingdom to an attacker.
If that attacker gets the ability to run programs of their choice on your computer, as they often aim to do, they have access to all of your files. They can start logging your keystrokes, taking screenshots, and even listening to your microphone and watching through your webcam.
But it’s possible to isolate the most risky files and programs from other parts of your computer. Using virtualization software, the same technology that powers much of so-called “cloud computing,” it’s possible for you to protect your system even as you open attachments that might be sketchy, visit websites that you’re not too sure about — porn sites, torrent sites, pirated TV and sports sites — or test out software downloaded from random websites. You can also use this technology to ensure that your anonymous online activity remains anonymous, safeguarding the privacy protections offered by Tor by ensuring that absolutely all internet traffic gets routed through it — even if your software, like Tor Browser or Pidgin, gets hacked specifically to bypass Tor.
In this column, I’m going to start with a simple primer on virtual machines, including how to install the Ubuntu distribution of Linux in one of them, and I encourage you to follow along. Then I’m going to outline a handful of ways you can use virtual machines to reduce your risk of getting hacked, and go over some security caveats. Then I’m going to show off Whonix, an operating system you can run in a virtual machine to maximize your online anonymity; it’s ideal for maintaining a secret identity. And finally I’m going to give a brief overview of Qubes, an operating system that’s more secure than most anything currently available, and takes isolation security to its logical limits.

Virtual machines 101

A virtual machine (VM) is a fake computer running inside your real computer. Each VM gets to use a chunk of your computer’s memory while it’s running and has its own virtual hard drive, which is just a file on your real hard drive. You can install operating systems in them and you can install and run software in them. You can save snapshots before you do something potentially dangerous and restore the snapshot when you’re done, returning your VM to its previous state.
In virtualization lingo, the operating system that you’re running right now is called your “host,” and every VM that you run is a “guest.” If a guest VM gets hacked, your host remains safe. For this reason, security researchers often use VMs to study viruses: They unleash them on their guest VMs to safely monitor what they’re trying to do and how they work, without risking their host computer. They “isolate” the viruses from the rest of their computer.
For this article I’m going to be using virtualization software called VirtualBox. It’s open source and free to download. VirtualBox is available for Windows, Mac OS X, and Linux. Go ahead and download and install a copy if you’d like to follow along.
I’m using a Mac host, and I’m going to start by installing the Ubuntu operating system, version 15.04 to be precise, in my VM. Generally speaking, it’s simpler to start off by installing a Linux distribution in your virtual machine, since Linux is free software. You can install as many Linux virtual machines as you want, wherever you want — an easy setup to deal with.
If you want to test a piece of software for Windows or Mac OS X inside a virtual machine to see if it’s malicious, you can also install those operating systems inside of a VM. But there are legal restrictions. For example, while OS X can be installed on up to two virtual machines for free, you have to be on a Mac when you do so. On Windows, you’ll likely need to buy separate Windows licenses for each VM. Here are instructions for installing Mac OS X in a VM and for installing Windows 10 in a VM.
While the steps below are written and illustrated using an Ubuntu virtual machine on a Mac, you can still follow along if you’re running Windows or Linux. And don’t worry about breaking anything; you can always delete your VM and start over. That’s the beauty of VMs: You get infinite lives, in the parlance of videogames, so it’s a great way to experiment and learn.

Creating a VM and installing Ubuntu

Hopefully you’ve already downloaded and installed VirtualBox as instructed above. Next, hop on over to Ubuntu’s website and download a copy of Ubuntu.
Now open VirtualBox and click “New” to create a new VM. I’m calling my VM “ubuntu-test.”
You get to choose how much memory your new VM will have and you get to create a new virtual hard disk for it. Whatever resources you allocate to your VM will not be available to other programs on your computer. I’m sticking with the defaults, 768MB of memory and an 8GB hard drive. You can just click through with all of the default options too if you want, or you can give your VM more resources. Finally, click “Create” to create your new VM.
The next step is to install Ubuntu. With my “ubuntu-test” VM selected, I click “Start” to boot it up. Since the virtual machine is brand new, it prompts me to insert an operating system installation disk. Of course, I don’t actually need a “disk.” Instead I can just find and select the disk image file (in this case, “ubuntu-15.04-desktop-amd64.iso”) and click “Start.”
Now the VM begins to boot to the Ubuntu disk. Notice that if you click in the virtual machine window, VirtualBox will warn you that the VM will “capture” your mouse and keyboard input, which means that when you move the mouse and type on your keyboard you’ll be doing this inside your guest VM rather than on your host machine. You can press the “host key” to make your mouse and keyboard control your regular computer again. On a Mac the host key is the left “Command” key, and on Windows and Linux it’s the right “Ctrl” key.
The Ubuntu disk has finished booting. I’m going to click “Install Ubuntu” and follow the simple instructions. I’m choosing “Erase disk and install Ubuntu” (don’t worry, I’m only erasing the virtual machine’s virtual disk, not my actual hard drive). I’m going to make up a username and password to log in to this VM, and then I’m going to let it finish installing. When it’s finally done, the VM will reboot into my freshly installed operating system. (After installing Ubuntu, my VM failed to shut down all the way while it was rebooting. If that happens to you as well, click the Machine menu and choose Reset to force your VM to restart.)

Updating software inside the VM

Now that I’ve booted up and logged in to my Ubuntu VM, I’m going to update all of the software. Always keep your software up to date, even in VMs!
To update all of the software in Ubuntu, I’m running the “Software Updater” program, typing my password, and letting it do its thing. Since I just installed this operating system and have never done updates, it might take a while to download and install everything.

Installing “Guest Additions”

When it’s finally done updating the existing software, it’s time to install VirtualBox “Guest Additions.” Guest Additions aren’t required, but they allow you to do some nice things, like resize your VM window, share your clipboard between your host machine and your guest machine, and set up shared folders so that your guest VM can access specific files on your host.
In order to install Guest Additions you need to insert a virtual CD, which contains the software, into your VM. You can do this by clicking the “Devices” menu at the very top of the screen, from within the VirtualBox program, and choosing “Insert Guest Additions CD image.” It will pop up a dialog asking for permission to install. Click “Run” on the pop-up dialog, and VirtualBox will open a new window showing the install progress. When it’s finished, reboot your VM. You can do this by clicking the gear in the top right, clicking Shut Down, and then clicking Restart.
With “Guest Additions” installed in my VM, I can resize the window like any other window on my host machine.
I can also share the clipboard between the host and guest VM by clicking the “Devices” menu at the top of my screen, from within the VirtualBox program, and going to “Shared Clipboard.” The choices are “Disabled,” “Host to Guest,” “Guest to Host,” or “Bidirectional.” It’s best to keep this set to “Disabled” unless you need to copy and paste between your guest VM and your host. You can always temporarily enable clipboard sharing and then disable it again when you’re done.

Sharing folders

Sharing files is slightly more complex. First, you need to add your user to the “vboxsf” group in your VM (don’t worry if you don’t understand what this means). Click on the Ubuntu logo in the top left, type “terminal,” and click on the Terminal icon to open a terminal in your VM. Then type:
sudo usermod -a -G vboxsf $(whoami)
You’ll also have to type the password for your user account in Ubuntu in the VM, the one you set up earlier. Then shut down your VM all the way.
In the VirtualBox window, choose your VM and click “Settings,” and move to the “Shared Folders” tab. Click the “+” icon to add a folder to share with your VM. I’m sharing a folder called vbox_share in my Documents folder. This way, if I need to copy files to or from my VM, I have a place to drop those files.
Inside my Ubuntu VM, I can access the shared folder by viewing “/media/sf_vbox_share”. I can get to that by opening the Files app (there’s a launcher icon for it on the left), clicking Computer in the left panel, double-clicking the “media” folder, then double-clicking the “sf_vbox_share” folder. Inside my OS X host machine I can access the same folder by viewing “vbox_share” in my “Documents” folder.

Isolating risky behavior inside of VMs

Now that we have a VM, let’s start doing some things that might be risky if we weren’t isolating them.
Before doing something that you think might break your VM, or might infect it with malware, you might want to save a snapshot of it so you can restore it when you’re done. You can save a snapshot by clicking VirtualBox’s “Machine” menu at the top of your screen, and choosing “Take Snapshot.”
Below are just a few examples of some ways you can use VMs to increase the security of your computer. In the end, virtualization is a tool that has many different uses, so feel free to be creative.

Opening documents that you don’t trust

One of the easiest ways to get hacked is by opening a malicious document. Attackers might email you a booby-trapped “document” hoping that you’ll open it. If you do, the file would exploit a flaw in your operating system or in software like Adobe Reader or Microsoft Word, thus allowing the attacker to take over your computer.
It’s not always clear which documents are safe and which are malicious. A clever attacker could pretend to invite you to a conference that you’re interested in, and attach a malicious file masquerading as the schedule to that conference, or they could pretend to recruit you for your dream job, and attach something that looks like a job description — or they could entice you in any number of other ways. It’s safest to simply not open any attachments or click on any links in emails, but this isn’t feasible, especially for journalists or activists who are actively soliciting sources.
These attacks are not theoretical. My colleague Morgan Marquis-Boire pointed out a few real-world examples that he helped analyze: Vietnamese democracy activist Ngoc Thu’s computer was hacked when she opened malware she found in her email; the Committee to Protect Journalists’s executive director Joel Simon was also emailed malware, though he didn’t install it; the Moroccan news website Mamkafinch.com received an enticing tip through their contact form that included a link that, when opened, took over the journalist’s computer using Hacking Team malware; and a report from 2014 showed that journalists from 21 of the world’s top 25 news organizations were likely emailed malware by state-sponsored hackers.
You might also find files online that you’d really like to look at but aren’t sure are safe. For example, documents in the Hacking Team email archive. You probably shouldn’t trust those, but you might want to look at them anyway.
Here’s an email where Hacking Team employees appear to be discussing giving a demo of their hacking services to an Egyptian defense contractor. I don’t speak Italian so I don’t entirely understand what this email thread is about, but the attachment is called “Exploit.docx.” Seems legit (*cough*).
If I try opening this dubious file in Chrome, my browser throws a security warning, and for good reason! Any attachments downloaded from the Hacking Team archive might try to, ahem, hack you.
Instead, I’m going to right-click on the document and save it to my vbox_share folder (clicking through Chrome’s warning, because I plan to view this document in isolation).
Now, back in my VM, I can see the document.
To be extra safe, before opening this document I’m going to disconnect my VM from the internet. I click the “Devices” menu at the top of the screen, choose “Network,” and uncheck “Connect Network Adapter.” This way, when I open the document, if it tries to hack my VM and connect to a command and control server, or even just phone home to alert the document owner that it’s been opened, it won’t be able to. It’s a good idea to do this whenever you open a suspicious document inside a VM.
Here it is. The document actually appears just to be an email thread pasted into Word. Regardless, I’m glad I didn’t open it on my host machine.
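The snapshot, disconnect, open, and roll-back cycle described above can also be driven from the host's command line with VBoxManage, the CLI that ships with VirtualBox. This is an added example, not part of the original article; it assumes a running VM named “ubuntu-test” that uses network adapter 1, and the snapshot name is made up. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original article). Run on the HOST.
# DRY_RUN=1 (the default) prints each VBoxManage command without
# executing it; set DRY_RUN=0 to actually run them.
DRY_RUN="${DRY_RUN:-1}"

# Print a command, then execute it unless we are in dry-run mode.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Reject empty names and names starting with "-", which VBoxManage
# would otherwise try to parse as an option.
valid_vm_name() {
    case "$1" in
        ""|-*) echo "refusing VM name: '$1'" >&2; return 1 ;;
    esac
}

# Before opening the untrusted file: save a known-good snapshot first,
# then unplug the virtual network cable of adapter 1 on the running VM
# (the CLI counterpart of unchecking "Connect Network Adapter").
prepare_isolated() {
    valid_vm_name "$1" || return 2
    run VBoxManage snapshot "$1" take "$2" &&
    run VBoxManage controlvm "$1" setlinkstate1 off
}

# When done: power the VM off and discard everything that was written
# to it since the snapshot was taken.
discard_and_restore() {
    valid_vm_name "$1" || return 2
    run VBoxManage controlvm "$1" poweroff &&
    run VBoxManage snapshot "$1" restore "$2"
}

# Usage: script.sh prepare|restore [vm-name] [snapshot-name]
# The default names below are assumptions for illustration.
case "${1:-}" in
    prepare) prepare_isolated "${2:-ubuntu-test}" "${3:-before-untrusted-doc}" ;;
    restore) discard_and_restore "${2:-ubuntu-test}" "${3:-before-untrusted-doc}" ;;
esac
```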

Visiting sketchy websites

On your regular computer, for day-to-day use, it’s always a good idea to harden your web browser. Installing browser add-ons that block ads and malware, and making Flash click-to-play, goes a long way toward blocking software that might try to take over your computer through your web browser.
But even doing all of these things, there’s no guarantee that you won’t get hacked just by loading a website. If you’re going to visit a website that you think might put you at higher risk of getting hacked, you might want to visit that website inside of a VM. You can even set up a dedicated VM just for this purpose. (If you turned networking off in the previous step, you can enable it again by clicking the “Devices” menu, going to “Network,” and checking “Connect Network Adapter.”)
Inside my VM I decided to search for “Mr. Robot streaming” and found myriad pirated streaming websites. Here’s a screenshot of one of them. See that box that’s telling me my Flash Player is out of date, with a helpful link to update it? That’s not actually a real Flash update, that’s malware.
When I clicked through to install this “Flash update,” it ended up installing a Firefox add-on called “Free Games Zone” that changed my browser’s search engine to Ask.com. When I pulled this add-on apart to see how it works I discovered code that injects JavaScript into web pages that I load, and code that tries to prevent me from uninstalling it.
In the scheme of things, this malware is on the tame side — it’s not trying to read my email or watch through my webcam, but it’s still nothing that anyone would ever actually want installed on their computers. But even if it were way worse, it would first have to escape from the VM that it’s trapped in before it could do those things. To completely get rid of it I can restore my VM from a snapshot, or I can delete the VM altogether and create a new one.

Running vulnerable software that you rely on

All programs contain bugs, and these bugs can get exploited to take over our computers. The easiest way not to get hacked is not to use computers, but that’s not an option; we still have to run programs.
Some programs have much bigger attack surfaces than others. For example, libpurple, the underlying code that powers the encrypted chat programs Pidgin and Adium, has been heavily criticized for its old, bloated, and likely buggy source code that was originally written in 1998 (many critical libpurple bugs have been fixed in recent years, so it’s currently in much better shape than it used to be). Yet if you want to have encrypted chat conversations on a computer, you don’t have a lot of options but to use it.
If there’s a piece of software that you depend on, but you think running it on your host machine will increase your chances of getting hacked, you can set up a dedicated VM for running that program.
If your dedicated chat VM gets hacked through a Pidgin exploit, for example, the attack will be contained. The attacker will be able to spy on the encrypted chat conversation you have in Pidgin, but that’s it. They won’t be able to access other files on your computer. They won’t be able to see what passwords you’ve saved in your web browser, or listen through your microphone, or read your email, or anything else.

You still have to be careful

All software has bugs, and this includes virtualization software. While isolating dangerous activity inside of a VM considerably reduces the chance of getting your regular computer system hacked, it doesn’t make it impossible.
If your VM gets hacked, it’s feasible that the attacker could then escape your VM in order to run and alter programs freely on your host machine. In order to do this, your attacker must have an exploit against your virtualization software. These bugs are rare but do happen.
You should also be careful with how you use the VirtualBox clipboard sharing and file sharing features I described above. For example, if someone has hacked a VM that has Shared Clipboard set to “Host to Guest” or “Bidirectional,” the attacker could spy on what you’ve copied to your clipboard on your host machine — for example, a password.
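One way to check a VM for the sharing settings discussed above is to audit the output of `VBoxManage showvminfo --machinereadable` on the host. This is an added example, not part of the original article; the sample input is constructed, and the key names it relies on (`clipboard`, `nicN`, `cableconnectedN`, `SharedFolderNameMachineMappingN`) are assumed to match your VirtualBox version's output.

```shell
#!/bin/sh
# Added example (not from the original article). Run on the HOST.
# Real use:  VBoxManage showvminfo "ubuntu-test" --machinereadable | audit_vminfo

# Constructed sample in the key="value" style of --machinereadable output.
sample_vminfo() {
    cat <<'EOF'
name="ubuntu-test"
clipboard="bidirectional"
nic1="nat"
cableconnected1="on"
nic2="none"
SharedFolderNameMachineMapping1="vbox_share"
SharedFolderPathMachineMapping1="/Users/example/Documents/vbox_share"
EOF
}

# Reads key="value" lines on stdin and prints one finding per line:
#   HIGH  clipboard mode lets the guest see what is copied on the host
#   WARN  other sharing channels between host and guest
#   INFO  a network adapter with its virtual cable plugged in
# Exit status is 1 when a HIGH finding exists, 0 otherwise.
audit_vminfo() {
    awk '
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^"|"$/, "", val)               # strip surrounding quotes
        kv[key] = val
        if (key ~ /^SharedFolderNameMachineMapping[0-9]+$/)
            shares[++n] = val
    }
    END {
        c = kv["clipboard"]
        if (c == "hosttoguest" || c == "bidirectional") {
            print "HIGH clipboard=" c
            high = 1
        } else if (c != "" && c != "disabled") {
            print "WARN clipboard=" c
        }
        for (i = 1; i <= n; i++)
            print "WARN sharedfolder=" shares[i]
        for (i = 1; i <= 8; i++)             # adapters 1..8
            if (kv["nic" i] != "" && kv["nic" i] != "none" &&
                kv["cableconnected" i] == "on")
                print "INFO nic" i "=" kv["nic" i] " cable connected"
        exit (high + 0)
    }'
}

# Stand-alone demo on the constructed sample.
sample_vminfo | audit_vminfo || echo "-> at least one HIGH finding"
```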

Staying anonymous with Whonix

Whonix is an operating system that you can install on your existing computer inside VirtualBox, and that forces all network traffic to go over the anonymity network Tor.
Tor’s flagship product, Tor Browser, does an excellent job of hiding your IP address from websites you visit and hiding what websites you’re visiting from anyone monitoring your internet activity.
But Tor Browser, like all other software, has bugs. If you visit a website in Tor Browser, the website could hypothetically exploit a severe bug to force your computer to make an internet connection to the attacker outside of the Tor network, letting them learn your real IP address and identity. This is exactly how the FBI deanonymized Tor Browser users who visited websites hosted by Freedom Hosting in September 2013. The FBI exploited a bug that was present in older versions of Tor Browser (it didn’t work against users who promptly update their software) in order to hack them and ultimately deanonymize them. (In this case, the FBI was attempting to attack people who allegedly had links to child pornography, but they also presented Tor Browser-hacking malware to users of legitimate websites hosted by Freedom Hosting, including the free anonymous email service TorMail.)
Whonix uses two VMs, called Whonix-Gateway and Whonix-Workstation, to maximize anonymity protections. The gateway VM acts as the upstream internet provider for the workstation VM, and it forces all network traffic to go over the Tor network. The workstation VM is where you use Tor Browser, as well as any other software that you wish to use anonymously. If you get hacked, for example with a Tor Browser exploit like the one that the FBI used, not only is the attacker contained inside of this VM and unable to access your host machine, but the attacker can’t deanonymize you either. All network connections that the attacker makes will go through the gateway VM, which forces them to go through Tor.
Whonix is great because you can be confident that everything you do in the workstation VM is anonymously going through the Tor network. That means that hackers won’t be able to deanonymize you, unless they can escape from your VM. You can use chat software like XChat to connect to IRC servers anonymously, or Pidgin to connect to Jabber servers for anonymous encrypted chats, or Icedove and Enigmail to send anonymous, encrypted email.
But keep in mind that Whonix, like other virtual machine-based security, can’t protect you if your host machine gets hacked or seized. If you are using Whonix to anonymously send documents to a journalist, and you become a suspect in a leak investigation, your Whonix VMs might contain evidence that can be used against you.

Installing and configuring Whonix

It’s slightly complicated to get started with Whonix, but there’s a lot of documentation on the Whonix website, and if you have questions feel free to post them in the comments. Let’s get started!
Head over to the Whonix VirtualBox download page and download a copy of Whonix-Gateway and Whonix-Workstation (a total of 3.1GB, so it might take some time). It’s also a good idea to verify the PGP signatures, but that’s outside the scope of this post.
Once you’ve downloaded them, open VirtualBox, click the “File” menu at the top, and click “Import Appliance.” Browse for the Whonix-Gateway file you just downloaded, and click “Continue.”
Now click “Import,” read the warnings, and click “Agree.” Your Whonix gateway VM will automatically get set up. Repeat these same steps with the Whonix-Workstation. When you’re done, you’ll have two new VMs in VirtualBox.
Start both Whonix-Gateway and Whonix-Workstation. You need to leave the gateway VM open in the background or else the workstation VM won’t have internet access, but you’ll do most of your work in the workstation.
When the gateway VM has finished booting for the first time, you’ll need to configure it. Click through the “Whonix Setup Wizard” to enable Tor and automatic updates.
Click through the “Whonix Setup Wizard” in the workstation VM as well. And in both VMs, change the default password and update the software.
Now it’s time to start using Whonix. In the workstation VM, go ahead and open Tor Browser. It will automatically download and install it the first time you try opening it. Once it opens, you can browse the web anonymously, and remain anonymous even if Tor Browser gets hacked.

Qubes: Taking isolation security to its logical limits

Since all software has bugs, wouldn’t it be safest to isolate each program in its own VM? Qubes is an operating system that does just that, and does it in a way that’s much more usable and more secure than is possible using virtualization software like VirtualBox or VMWare in a traditional operating system.
In Qubes, your host machine runs a graphical desktop environment, and that’s just about it — your host machine doesn’t even have internet access. You run all of the rest of your software inside of Linux or Windows VMs. Qubes also has great support for Whonix. If you use Whonix inside of Qubes, your host machine has a much smaller attack surface than if you were using a traditional operating system.
Qubes makes it easy to manage separate VMs for your different “security domains.” For example, you can create a work VM that you use to check your work email and log in to work-related accounts, and a separate personal VM that you use to log in to Facebook and keep track of your photos. You can create an untrusted VM that you use for everyday web surfing, and a vault VM (that doesn’t have networking enabled) that you use to store sensitive files like your password database, or secret documents that you’re working on. And you can right-click on any document to open it in a “disposable VM,” a VM that gets created simply to view this document, and then deleted again when you close the document.
I’ve written about Qubes in the past, and I encourage you to read more about it if you’re interested. But it’s not for the faint of heart. Not yet, at least. For one thing, you can’t test it in a VM like you can most operating systems because it needs to run VMs of its own, and you don’t want to accidentally break the universe (just kidding; it just doesn’t work).
And while it has an active development community and a growing user base, Qubes is not easy to use for non-power users. I don’t recommend you switch to it yet unless you’re already comfortable troubleshooting Linux problems from the command line. In Qubes, simple problems like how to install a new program or take a screenshot can have steep learning curves for the uninitiated. But all that said, if you are using Qubes, you can turn your computer into an incredibly intricate and secure fortress unlike anything that’s possible with a traditional operating system.
Finally, all software has bugs, and this includes Qubes as well as Xen, the virtualization software that powers Qubes. Even if you’re running Qubes, and promptly update all your software, and carefully isolate everything, and only open documents in disposable VMs, and do all of your browsing in Tor Browser inside of a Whonix workstation, it’s still possible for your host machine to get hacked if your attacker has lots of resources, patience, and zero day exploits.

Conclusion

Normally it’s cheap and easy for an attacker to take over your computer. But by isolating the parts of your computer that get attacked within VMs, you can make taking over your computer difficult, expensive, and, with any luck, not worth it.