Recently in Security Category

An interesting article appeared in The Baltimore Sun today, citing sources who say that the National Security Agency developed and rejected a technology during the late 1990s that would have done a better job sifting phone data and that would have done so in a way that would not have violated U.S. citizens' privacy -- see "NSA rejected system that sifted phone data legally."

The release of this information seems timed to embarrass Michael V. Hayden, Pres. Bush's nominee for CIA director, facing Senate confirmation hearings today. Hayden was head of the NSA at the time the alternative technology, ThinThread, was rejected in favor of the supposedly less-rigorous program that is now generating criticism.

The Sun says the rejected ThinThread technology would have:

-- Used more-sophisticated methods of sorting through massive phone and e-mail data to identify suspect communications.

-- Identified U.S. phone numbers and other communications data and encrypted them to ensure caller privacy.

-- Employed an automated auditing system to monitor how analysts handled the information, in order to prevent misuse and improve efficiency.

-- Analyzed the data to identify relationships between callers and chronicle their contacts. Only when evidence of a potential threat had been developed would analysts be able to request decryption of the records.

From news reports today it looks to me as if Hayden wishes everybody would just stop talking about all this and leave the intelligence agencies alone to do their jobs -- see "Hayden Defends Legality of NSA Surveillance" on Fox News, which quotes Hayden as saying that "the intelligence community in general 'has too much become the football of American political discourse. CIA needs to get out of the news as source or subject and focus on protecting the American people by acquiring secrets' from U.S. enemies."

It does seem likely that all this public attention must be inhibiting the ability of U.S. intelligence organizations to do their jobs. And correct me if I'm wrong, but I don't remember hearing specific reports of American citizens being harassed, unfairly targeted or mistreated as a result of the NSA surveillance. But of course the potential is there, and that I guess is the point.

American society demands a lot of transparency and accountability on the part of its government, and the demand for accountability is in part in response to the abuses of the past -- the FBI's machinations against Martin Luther King come to mind, for example.

It brings to mind a problem I've thought of in connection with business ethics. Often business interests complain about government regulation, and about the interference of consumer and environmental advocates and other special interest groups. But it seems to me that if industries did a better job of self-regulation, they would be less likely to face a hue and cry from the public, along with restrictive legislation.

The same might be true of security services and other agencies of government. It's just a thought.

AB -- 5/18/06

 

TMCnet writer Cindy Waxer reported on Cloudmark's efforts to fight an insidious new variation on the phishing scam that uses a hard-to-trace VoIP phone number and IVR system to collect personal information from victims (see "Phishing Attacks Cast Shadow over VoIP"). Patrick Barnard also wrote about the story and added some good comments from his interview with Cloudmark's senior research scientist Adam O'Donnell (see "Cloudmark Detects - and Thwarts - New VoIP Phishing Threat Discovered on its Network").

I've been using Cloudmark's Microsoft Outlook add-in toolbar for a few years now (get the free trial here), and I can't imagine going over to any other solution. The magic thing about Cloudmark is the way it mixes in the human element to identify and block spam quickly. The system is based on peer-to-peer networking technology, so that as a Cloudmark user you are actually part of a network of users who are collectively flagging and blocking spam on each other's behalf.

Here's an image showing the toolbar:

[Image: Cloudmark anti-spam anti-fraud toolbar]

When a spam appears in your inbox, you select it and click the "Block Spam" button. The spam moves into your spam folder and your "vote" on that spam goes out to the collective network to help flag that message as spam for all other users. But frankly, most of the time you won't even see the spam messages, because many other users have already flagged them and they will go automatically into your spam folder without any action on your part.

For more about the Cloudmark toolbar, see my previous entry, "My Favorite Anti-Spam System."

AB -- 4/25/06

 

Scariest Nigeria-Type Spam So Far

February 24, 2006 3:59 PM

Like most long-time Internet users, I've received many versions of the "Nigeria" spams, a form of flim-flam designed to get me hooked into traveling over to Nigeria with a suitcase full of cash.

But the version that just appeared in my inbox a few minutes ago is the scariest one I've seen. Look carefully at the first few lines, and you'll see that not only is it customized with my name, it also conjures up a wealthy distant cousin named R.A. Bredenberg who recently died in Lome, Togo!

Here it is:

-----

Simon Samoeil,Fonser Chambers
Solicitors & Advocates
140,boulevard du 13 janvier,
PB 2932,Lome-Togo
 
Dear Al Bredenberg ,
 
I am Barrister James Kofi, a barrister & solicitor at law. I was the Personal attorney to Mr. R. A Bredenberg, a national of your country, who used to own an oil servicing company in Lome Togo.

Herein after shall be referred to as my client. On the 31st of July, 2003,my client, his wife and their three Children were involved in a car accident along Lome- Cotonou express road. All occupants of the vehicle unfortunately lost their lives. I know that my client had no living kin but I went ahead and made several inquiries to your embassy to locate any of my clients extended relatives but this has proved unsuccessful.I only did so to be double sure of this fact.

I have contacted you to assist in repatriating the money and property left behind by my client before they get confiscated or declared unserviceable by the bank where this huge deposits were lodged, particularly the (b.i.a)Bank of african Lome-Togo where the deceased had an account valued at about $2.million dollars has issued me a notice that in the event that no next of kin comes up for the claim, the account will be confiscated after four years if not claimed.

Since I have been unsuccessful in locating the relatives for over years now I seek your consent to present you as the next of kin of the deceased so that the proceeds of this account valued at $2.million dollars can be paid to you and then you and me can share the money.50% shall be for me and 40% for you while 10% is ear marked for expenses that will be incurred during the process of Transfer of the fund.

I have all necessary legal documents that can be used to back up any claim we may make. All I require is your honest co-operation to enable us see this deal through. I guarantee that this will be executed under a legitimate arrangement that will protect you from any breach of the law. Please get in touch with me by my e-mail to enable us discuss further.You may also send your phone number so that I can call you.I look forward to your urgent response.

Best regards,
 
Barrister James Kofi.
 
E.mail,
[email protected] 

-----

AB -- 2/24/06

Earlier today I wrote about issues around eavesdropping on Skype calls. The AP story I cited touched on a topic I've followed a little in the past. The story mentions "broad eavesdropping that the National Security Agency is reputed to be performing, in which it scans thousands or millions of calls at a time for certain phrases."

This kind of surveillance is described in this Boston Globe article: "Wiretaps said to sift all overseas contacts." The key idea is that government agencies are using artificial intelligence technologies to scan voice calls and emails for key words, phrases and patterns to identify possible terrorist communications. One expert quoted in the Globe article says the NSA's systems are able to process "2 million pieces of communications an hour."

The first time I became aware of this kind of technology was at a conference in the late 90s at a location that ironically no longer exists because of the 9/11 attacks. I had a long conversation at an expo booth with a rep from a company called Aptex, a subsidiary of HNC, a technology company later acquired by Fair Isaac.

Aptex was marketing a 'text mining' technology that could be used to target web advertising at a user based on intelligent scanning of web documents being viewed by that user. Aptex's technology was based on artificially intelligent neural networks that could 'understand' the content of a text document. The Aptex rep told me that the technology had originally been developed in connection with government contracts for intelligent surveillance of text communications. (He might have told me that he really should kill me after telling me that. Or maybe not.)

Here's an interesting article from the National Science Foundation related to this topic: "Data Mining and Homeland Security Applications."

This kind of technology scares a lot of people because of privacy concerns and the potential for government abuse. That might be a legitimate concern, but its use is also rooted in a desire to use technology innovations to stay ahead of the bad guys -- see "Govt Surveillance: Part of a Taller Wall?"

AB -- 2/16/06

About this Archive

This page is an archive of recent entries in the Security category.
