WebProNews

Category: CybersecurityUpdate

  • The NSA Can Use Incidental Data Under Certain Conditions

    One of the scariest parts about the NSA’s spying program is its collection of incidental data – information that may or may not be about American citizens that just so happens to be picked up with information on non-U.S. targets. It’s been said that the NSA can’t use this data, but a new report says they can under certain conditions.

    The Guardian released another two documents today that detail how the NSA can use information it inadvertently collects on Americans. Both documents were submitted to the secretive FISA court by Attorney General Eric Holder as they bear his signature.

    So, without further ado, here’s what the NSA can do with the data it may or may not have collected on Americans:

  • Keep data that could potentially contain details of US persons for up to five years;
  • Retain and make use of “inadvertently acquired” domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;
  • Preserve “foreign intelligence information” contained within attorney-client communications;
  • Access the content of communications gathered from “U.S. based machine[s]” or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.

    What makes the above especially worrisome is that the documents reveal there is not a lot of oversight with regard to who the NSA actually targets. NSA analysts are allowed to pick and choose who they target without having to get clearance from the courts. The only thing in place is an internal audit system that reviews targets.

    Another worrisome aspect is a different order from 2010 that says that the NSA is allowed to collect information on a target as long as that person “is a non-United States person reasonably believed to be outside the United States.” That doesn’t sound so bad until you read that the order allows the NSA to just automatically assume the target is outside the U.S. if it can’t confirm the target’s location. To make matters worse, the NSA can read messages from and listen in on phone calls of assumed non-U.S. persons to confirm whether or not they are in the U.S.

    Now, what happens once the target has been confirmed to be a U.S. person? The NSA must then start what it calls a “minimization procedure.” In short, it means that the NSA must stop collecting information on the target immediately. Of course, the NSA analyst in charge of the investigation can appeal to a higher-up to keep the information if they feel that it contains information related to one of the following:

  • Significant foreign intelligence information
  • Evidence of a crime
  • Technical data base information (a.k.a. encrypted data)
  • Information pertaining to a threat of serious harm to life or property

    The NSA must immediately destroy data on U.S. persons if it does not pertain to one of the above categories. However, the agency is allowed to keep information on U.S. persons if they’re found to be communicating with someone outside the U.S. On top of that, the communications between non-U.S. and U.S. persons can be shared with friendly governments if the U.S. person is anonymized.

    All of these rules fly out the window when the NSA throws out a wide data collection net. In that case, the agency argues that it can’t filter out information on U.S. persons that is inadvertently collected alongside information on non-U.S. persons.

    The big takeaway from all of this is that the NSA is not subjected to as much oversight as President Obama and others have indicated. In fact, it seems that the NSA can pretty much do whatever the hell it wants with only internal audits and individual discretion getting in the way of data collection. It makes you really wish Congress would pass one of those transparency bills that would make the NSA’s data collection open for debate.

  • Chinese Hackers Targeted Obama, McCain in 2008, Say Officials

    In 2009, President Obama admitted that his campaign’s infrastructure had fallen victim to a hacking attack. He said that hackers had gained access to some emails, various campaign files, and policy position papers. But he didn’t attach any foreign entity to the job.

    Now we know who did it. According to Michael Isikoff at NBC News, hackers from the People’s Republic of China are to blame for attacks that targeted both the Obama and McCain campaigns back in 2008.

    The goal of the attacks? “To export massive amounts of internal data from both campaigns – including internal position papers and private emails of key advisers in both camps,” says NBC News.

    “Based on everything I know, this was a case of political cyberespionage by the Chinese government against the two American political parties,” said Dennis Blair, President Obama’s director of national intelligence in 2009 and 2010. “They were looking for positions on China, surprises that might be rolled out by campaigns against China.”

    This is the first time that we’re hearing reports on the source and gravity of the attacks. Former security officials tell NBC News that the breach was “far more serious than has been publicly known, involving the potential compromise of a large number of internal files.”

    The attack wasn’t too complicated on the surface – a simple email to staffers that contained malware. But the security team that was tapped to contain and eliminate the infection, once it was identified months later, says that it was a very sophisticated attack that replicated fast and was designed to stay hidden for a long time.

    What’s interesting about the timing of this reveal is that President Obama is set to meet with Chinese President Xi Jinping this weekend at a U.S.-China summit. Reuters says that cybersecurity will be a main focus of the meeting.

  • White House Finally Responds To CISPA Petition, Says Cybersecurity Legislation Must Respect Privacy

    CISPA is all but dead once again, and the Senate is moving ahead with its own cybersecurity legislation. That doesn’t mean the fight is over though. In fact, the Senate might just propose a bill that’s worse, but the White House says that it won’t let that happen.

    In an official response to the “Stop CISPA” petition on the We The People Web site, the White House says that any new cybersecurity legislation “must not violate Americans’ right to privacy.” The administration says that’s the reason why it issued a veto threat against CISPA earlier this month. That veto threat may have led to CISPA’s death, but the White House says it’s still open to working with everybody to pass cybersecurity legislation.

    To that end, the White House says that cybersecurity legislation is a must to counter the “constant threat of cyber crime, espionage, and attacks.” The administration, unlike the House, does admit there are already tools in place, however, to facilitate cooperation between the government and private companies to share threat information. It just feels that the current tools in place aren’t enough:

    But you might ask, “Isn’t this collaboration already happening?” The simple answer is yes, but inefficiently. When it comes to information sharing, we need clearer rules to promote collaboration and protect privacy. Right now, each company has to work out an individual arrangement with the government and other companies on what information to share about cyberthreats. This ambiguity can lead to harmful delays.

    There is broad consensus on the need for more threat-related information sharing — including among the leading privacy advocates we regularly engage on the issue. The essential question on which people across the spectrum disagree isn’t if we can share cybersecurity information and preserve the principles of privacy and liberty that make the United States a free and open society — but how.

    The White House has admirable goals, but we’ve heard all of this before from the House. We were promised that CISPA would respect privacy and civil liberties, but that obviously wasn’t the case in the end.

    To alleviate the concerns of citizens, the White House says that it will only support cybersecurity legislation that adheres to these three principles:

    It’s important that any information shared under a new cybersecurity law must be limited to what’s relevant and necessary for cybersecurity purposes. That also means minimizing information that can be used to identify specific individuals. For example, if a utility company is looking for government assistance to respond to a cyber attack, it is unlikely that it needs to share the personal information of its customers, like contact information or energy-use history, with the government.

    Cybersecurity legislation needs to preserve the traditional roles for civilian and intelligence agencies that we all understand. Specifically, if legislation authorizes new information sharing between the private sector and the government, then that new information should enter the government through a civilian department rather than an intelligence agency. That doesn’t mean breaking the existing mechanisms that already work. For example, victims of cyber crime ought to continue to report those violations to federal law enforcement agencies and public-private information-sharing relationships that already exist should be preserved.

    Any new legislation ought to provide legal clarity for companies that follow the rules and appropriately share data with the government. But it should not provide broad immunity for businesses and organizations that act in ways likely to cause damage to third parties or result in the unwarranted disclosure of personal information.

    In short, the above takes care of pretty much every complaint privacy advocates had with the original CISPA. The White House says it will continue to apply the above principles in its on-going discussions with those in the Senate currently crafting cybersecurity legislation.

    CISPA may be dead, but the issue of cybersecurity is far from over. We’ll continue to follow the Senate’s efforts as it works on its own cybersecurity legislation.

  • CISPA Add-On Banning Employers from Seeking Facebook Passwords Killed

    As you probably know, on Thursday the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act, better known as CISPA. The bill, which aims to help the government react to cybersecurity threats by making it easier to share information between itself and private companies, saw bipartisan support. Opponents of CISPA have argued that the bill is a massive invasion of privacy, and will be used to justify wholesale spying on the American public by making companies who give up private user info immune from suits or prosecution.

    Although CISPA as a whole saw bipartisan support, one last-minute amendment that looked to curtail a worrisome practice by employers was shot down on party lines.

    Colorado Democrat Ed Perlmutter attempted to tack on a provision to CISPA that would make it illegal for employers to require prospective employees to hand over their social media passwords as a condition of acquiring or keeping a job.

    Has an employer ever demanded one of your social media passwords as a condition of being hired or keeping your job? What was your reaction? Let us know in the comments.

    The proposal was voted down 224-189, with Republicans in the majority.

    “People have an expectation of privacy when using social media like Facebook and Twitter. They have an expectation that their right to free speech and religion will be respected when they use social media outlets. No American should have to provide their confidential personal passwords as a condition of employment. Both users of social media and those who correspond share the expectation of privacy in their personal communications. Employers essentially can act as imposters and assume the identity of an employee and continually access, monitor and even manipulate an employee’s personal social activities and opinions. That’s simply a step too far,” said Perlmutter.

    This isn’t the first time that Perlmutter has introduced this sort of legislation. Last year, the same employee password protection language was rejected in the House.

    Last year, the practice of employers demanding the Facebook passwords of prospective employees became a hot topic. Both state legislatures and the U.S. Congress introduced measures to counteract the rising trend. One particular bill, the Password Protection Act of 2012, was introduced in both the House and the Senate, but went nowhere.

    That bill was introduced by Democratic Senator Richard Blumenthal. Before the bill was presented, back in May of 2012, he, along with Senator Chuck Schumer (D-NY), sent a letter to both the Department of Justice and the U.S. Equal Employment Opportunity Commission asking them to “launch a federal investigation into a disturbing new trend.”

    Soon after that letter was sent, a motion called “Mind Your Own Business on Passwords” failed in Congress. It would have made the employee password issue one monitored by the Federal Communications Commission. They would have had the right to declare the practice illegal.

    So, the Password Protection Act of 2012 moved forward. The language made it a crime that any employer “for the purposes of employing, promoting, or terminating employment, compels or coerces any person to authorize access, such as by providing a password or similar information through which a computer may be accessed.”

    But it died, and has been referred back to committee.

    The Password Protection Act of 2012 isn’t the only federal bill proposed to deal with the issue. Say hello to SNOPA, or the Social Networking Online Protection Act. It aims to do what the PPA tried to do, but with even clearer language:

    To prohibit employers and certain other entities from requiring or requesting that employees and certain other individuals provide a user name, password, or other means for accessing a personal account on any social networking website.

    It’s been introduced, and referred to committee. No movement yet.

    On the flip side, some states have had success in passing bans on the practice. First, the state of Maryland enacted a law banning password snooping. And this year, laws in both California and Illinois went into effect.

    “It’s not déjà vu — this is the same amendment I introduced twice last year, so people have had plenty of time to study and discuss it. It has bipartisan support. It wouldn’t kill the underlying cyber-security bill; it wouldn’t send it back to committee. It merely safeguards an individual’s personal privacy as they use their own personal social media accounts,” said Perlmutter of his CISPA add-on.

    It’s important to note that Perlmutter did in fact vote yes on CISPA.

    But despite those claims, the provision was crushed. If the past year is any indication, password protection legislation must be tackled at the state level, as it’s the only place that it’s been able to see any sort of success.

    Do you think that we need a federal law banning the practice of password snooping by employers? Do you think that it’s better left to the states? Or, do you see no reason for any such legislation on any level? Let us know in the comments.

  • CISPA Is Kind Of Dead, But Not Really

    Last week, a cry rang out from privacy advocates everywhere as the House overwhelmingly passed CISPA. Those same advocates soon gathered up their forces for a fight in the Senate, but it looks like the Senate got to killing CISPA before they could.

    US News reports that the Senate has decided not to take up CISPA. In short, CISPA is dead. The bill that would have given companies full legal immunity when sharing your personal information with the government will have its remains scattered on the winds of history yet again.

    It seems that CISPA’s death can be largely attributed to two factors. For one, Sen. Jay Rockefeller, chairman of the Committee on Commerce, Science and Transportation, came out against CISPA saying it lacked privacy protections. Rockefeller holds considerable sway in the Senate, and his committee would have had a lot of say over CISPA. Secondly, President Obama’s veto threat most likely played a major role in the Senate’s rejection of CISPA.

    We can relax now that CISPA is dead, right? Unfortunately, the answer is a little unclear at this point. An unnamed representative on Rockefeller’s committee says that “issues and key provisions” of CISPA will be divvied up and made into separate bills. In other words, CISPA will be broken up into smaller, separate bills in the Senate. The problem with this approach is that some of the less vile, but still damaging, provisions of CISPA can make it through as they won’t be attached to the really bad stuff.

    Of course, there’s always the possibility that the Senate will craft a handful of bills that narrowly target the areas not covered by President Obama’s cybersecurity executive order without sacrificing civil liberties. It would certainly be nice, but the Senate’s past attempts at writing cybersecurity legislation certainly don’t inspire confidence.

    Either way, we won’t be seeing any cybersecurity legislation out of the Senate for a while. The unnamed representative says the Senate currently has its hands full with a number of other bills that take priority over cybersecurity, including the controversial Marketplace Fairness Act.

  • Senate To Take Up Email Privacy Bill Today

    UPDATE: And it passed.

    Last week, Sen. Patrick Leahy said that the Senate Judiciary Committee would be marking up an update to the Electronic Communications Privacy Act. The decades-old bill allows law enforcement to obtain emails without a warrant as long as said email is 180 days old.

    The Hill reports that both the Senate and the House will be taking up their respective email privacy bills today. The Senate Judiciary Committee will be taking a look at Leahy’s bill – S. 607 – that simply requires the police to obtain a warrant when accessing any electronic communication, including email.

    In the original announcement of the mark up, Leahy said that ECPA must be updated to counter concerns over the “growing and unwelcome intrusions into our private lives in cyberspace.” Those concerns certainly came to a head earlier this month when documents obtained by the ACLU revealed that the IRS told its agents that they could obtain emails without a warrant. The agency also said that “Internet users do not have a reasonable expectation of privacy.”

    Since then, IRS Commissioner Steven Miller said that his agency always obtains a warrant before searching emails. Miller also said that his agency never snoops through email during civil investigations. It wasn’t exactly reassuring, but an updated ECPA would ensure that the IRS, or any government agency for that matter, would never be able to obtain emails without a warrant.

    It should be noted that the House will be making a mockery of itself this week by discussing an update to the ECPA after passing CISPA. The House Judiciary Committee will be discussing whether or not the ECPA should be updated to require that law enforcement obtain a warrant before accessing geolocation data. The irony here is that CISPA, in its current form, would allow mobile carriers to share geolocation data with the government without a warrant. Even if the carrier was found in violation of an updated ECPA, it would enjoy full legal immunity under CISPA.

    Even so, we’ll continue to follow both discussions and keep you up to date on any changes. The Senate seems to have made an updated ECPA a priority so we may see a final vote as early as next week. That is, of course, if the Senate doesn’t run into any problems with its current controversial bill – the Marketplace Fairness Act.

  • Anonymous Organizes CISPA Blackout, Not Many Web Sites Show Up

    The SOPA blackout protest was something else. Google, Wikipedia, Reddit and other major online players blacked out part or all of their Web sites in opposition to a proposed bill that would have given the U.S. government unchecked power to regulate the Internet as it saw fit.

    Likewise, CISPA gives the government and corporations the ability to share your private information without a warrant and without much oversight. The bill has been met with some resistance, but not enough. The House passed it with relative ease, and now the fight will go to the Senate. Now everybody’s favorite (or most hated) hacktivist group wants to send the Senate a message with a blackout of its own.

    Last week, Anonymous announced that it was organizing a CISPA blackout similar to the SOPA blackout of early 2012. Anonymous had hoped to coerce a number of Web sites into going dark today, but it only managed to get a little over 400 volunteers.

    Getting over 400 Web sites to go dark for a day is no small feat, but it just doesn’t compare to the thousands that went dark in protest of SOPA.

    Of course, a CISPA blackout could be effectual if Web sites frequently visited by millions of Internet users went dark. Unfortunately, the heavy hitters behind the SOPA blackout (i.e. Google, Reddit, Wikipedia) are refusing to go dark today in protest of CISPA. There are probably a number of reasons for this, but we can only guess at a few of them.

    For starters, CISPA isn’t an immediate threat to companies. SOPA would burden Web sites with the responsibility of policing their own content. CISPA encourages companies to share private customer data with the government while granting them complete immunity from legal recourse. CISPA may not present any immediate threat to Internet companies, but Rep. Jared Polis argued last week that it would cause some pretty serious damage all the same:

    “[CISPA] directly hurts the confidence of Internet users. Internet users – if this were to become law – would be much more hesitant to provide their personal information – even if assured under the terms of use that it will be kept personal because the company would be completely indemnified if they ‘voluntarily’ gave it to the United States government.”

    The other thing standing in the way of an organized CISPA blackout is the organizers themselves. Even among anti-CISPA Web sites like Mozilla, Reddit and others, Anonymous isn’t exactly well-liked. The group’s intentions may be pure this time around, but there’s an argument to be made that CISPA was crafted in response to attacks from Anonymous and other hacking groups.

    Anonymous’ planned blackout isn’t a failure, but it isn’t much of a success either. That being said, it at least shows that large groups of people are in opposition to CISPA. It might not be opposed by the teenagers who use Wikipedia to write term papers, but those in the tech community are rightly concerned about the overly broad legislation. It’s unfortunate then that Congress seems to think that 14-year-olds living in their basements are the only ones opposed to CISPA.

    [h/t: RT]

  • House Passes CISPA, Controversial Cybersecurity Bill Moves To Senate

    During a vote in the House today, a majority of representatives voted in favor of passing CISPA for the second year in a row. Now the bill heads to the Senate where it will either live or die. Free Internet advocates and privacy proponents would much prefer the latter.

    To recap, CISPA is a proposed bill that aims to boost the government’s ability to respond to cyber threats and cyber attacks by sharing private customer information between itself and companies. Its opponents claim the bill is a massive invasion of privacy that serves no use in combatting cyberattacks, but rather will be used to spy on American citizens by granting immunity to those companies that share information.

    With CISPA’s passage in the House, the EFF vows to take its fight to the Senate:

    “This bill undermines the privacy of millions of Internet users,” said Rainey Reitman, EFF Activism Director. “Hundreds of thousands of Internet users opposed this bill, joining the White House and Internet security experts in voicing concerns about the civil liberties ramifications of CISPA. We’re committed to taking this fight to the Senate and fighting to ensure no law which would be so detrimental to online privacy is passed on our watch.”

    If history repeats itself, the EFF won’t have much of a fight in the Senate. CISPA died in the Senate last year as its members argued over its own law – the Cybersecurity Act of 2012. It was a marked improvement over CISPA, but it did have its own issues. The bill died after it failed a Senate floor vote and CISPA was never taken up.

    For this year, the Senate will be debating the Cybersecurity and American Cyber Competitiveness Act of 2013. Like CSA, it’s a bit better than CISPA, but its lack of bipartisan sponsorship doesn’t bode well. It also doesn’t help that the bill still hasn’t even been picked up by its respective committee yet.

    So, what happens if CISPA somehow makes its way through the Senate? It has to get signed into law by the president, and his administration just recently threatened to veto CISPA if it makes it to his desk. The administration suggested a number of common sense additions to CISPA that would make it far more pro-privacy, but the House ignored those suggestions. Now it’s up to the Senate to decide if it will actually listen to the thousands of people who are against CISPA.

  • CISPA Amendment Stripped Of Its Pro-Privacy Provision

    We reported yesterday that CISPA was finally shaping up. Rep. Mike McCaul introduced an amendment late into the game that would have forced companies to share customers’ private information only with the Department of Homeland Security. It sounded too good to be true. Unfortunately, it was.

    The Hill reports that the amendment we saw yesterday is entirely different from the amendment that actually wound up in the bill. The amendment has been stripped of its requirement that companies only share information with the DHS. With that requirement gone, the amendment is worthless. Its only purpose now is to make it seem like CISPA actually respects your privacy.

    Needless to say, pro-privacy groups are not happy. The EFF wrote a scathing review of the amendment last night:

    The amendment in question does not strike or amend the part of CISPA that actually deals with data flowing from companies to other entities, including the federal government. The bill still says that: “Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes…share such cyber threat information with any other entity, including the Federal Government.” The liability immunity provisions also remain.

    While this amendment does change a few things about how that information is treated within the government, it does not amend the primary sharing section of the bill and thus would not prevent companies from sharing data directly with military intelligence agencies like the National Security Agency if they so choose.

    The amendment looks bad, and it will probably remain that way. That being said, there might be some changes made to it and the overall bill today before it heads to the floor for final vote. A House aide reportedly said that the sponsors of this latest amendment are in discussions to fix the language in it. If that was the case, why did they change the original text of the amendment that actually did some good? Are they just going to change the amendment back to what it was?

    At this point, it’s hard to believe that we’ll actually see any positive changes in CISPA. After all, the bill’s sponsors believe that only 14-year-olds hate CISPA.

  • House Approves Pro-Privacy CISPA Amendment

    UPDATE: The amendment no longer contains pro-privacy language. The language requiring companies to share information only with the DHS was removed before being added to the bill. More on that here.

    Original story continues below:

    It seemed that CISPA couldn’t get any worse, but its sponsors proved that it could during a rules hearing yesterday. All of the pro-privacy amendments being proposed were unceremoniously blocked without much of a debate. Now the bill’s sponsors have backtracked by finally supporting a good amendment.

    The Hill reports that Rep. Mike McCaul offered up an amendment to CISPA today that has the full backing of CISPA sponsors Reps. Mike Rogers and Dutch Ruppersberger. The amendment would ensure that all cyberthreat information being submitted to the government would first go through an entity created by the Departments of Justice and Homeland Security, both of which are civilian agencies. The amendment was approved in a 227-192 vote.

    In the words of Ruppersberger, “This is a huge concession.” Why? The original text of CISPA allowed companies to share cyberthreat information with any governmental agency, including military agencies like the NSA. Privacy advocates demanded that all identifiable information go through a civilian agency first to reduce the chance of abuse.

    So, why did Rogers and Ruppersberger back this amendment when they were adamant about not backing any pro-privacy amendments yesterday? It seems that the veto threat from the White House spooked them into backing more pro-privacy amendments in a bid to get Obama’s signature.

    “Rogers and I are just trying to deal with the issue of the White House concerns, realizing that if we pass a bill here and it doesn’t pass the Senate and the president doesn’t sign it, we have no bill,” Ruppersberger said. “This threat is so severe, the cyber threat, that we have to do something.”

    The amendment is a great first step, but it doesn’t address all the issues that the White House and privacy advocates have with the bill. CISPA in its current state, even with this new amendment, does not address the issue of private information being removed only after it’s already in the government’s hands. The bill also doesn’t remove the provision that grants total immunity to companies that break the law when handing your information over to the government.

    CISPA is on track for a full vote on the House floor tomorrow. We’ll be sure to bring you the final vote at that time.

  • White House Threatens To Veto CISPA, Recommends Fixes To Bill’s Language

    Last week, the White House said that CISPA still had some problems that weren’t addressed by the amendments added during its markup period. Unfortunately, the administration didn’t issue a veto threat at that time, but now it has.

    In a statement released by the White House today, the Obama administration laid out its beef with CISPA. The first issue it has with the legislation is that it still doesn’t do enough to protect private information:

    The Administration, however, remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities. Citizens have a right to know that corporations will be held accountable – and not granted immunity – for failing to safeguard personal information adequately. The Administration is committed to working with all stakeholders to find a workable solution to this challenge. Moreover, the Administration is confident that such measures can be crafted in a way that is not overly onerous or cost prohibitive on the businesses sending the information.

    Now this is huge. The administration is saying that companies should not be granted immunity if they use your private information in an inappropriate fashion. Corporate immunity is one of the cornerstones of CISPA and one of the main reasons the tech industry is so in love with it. If the immunity provision is removed, the backing of the tech industry will vanish along with it.

    The other issue the administration has is that CISPA allows companies to share private information with any agency of their choosing, including the NSA. The White House says that all private information should enter government through a civilian agency:

    The Administration supports the longstanding tradition to treat the Internet and cyberspace as civilian spheres, while recognizing that the Nation’s cybersecurity requires shared responsibility from individual users, private sector network owners and operators, and the appropriate collaboration of civilian, law enforcement, and national security entities in government. H.R. 624 appropriately seeks to make clear that existing public-private relationships – whether voluntary, contractual, or regulatory – should be preserved and uninterrupted by this newly authorized information sharing. However, newly authorized information sharing for cybersecurity purposes from the private sector to the government should enter the government through a civilian agency, the Department of Homeland Security.

    So, what does the White House want to see out of CISPA or any other cybersecurity bill? Pretty much what CISPA is now, but with better privacy protections:

    The Administration believes that carefully updating laws to facilitate cybersecurity information sharing is one of several legislative changes essential to protect individuals’ privacy and improve the Nation’s cybersecurity. While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections.

    If Congress can’t agree on a cybersecurity bill that meets the above criteria, the White House says that “senior advisors would recommend that [the president] veto the bill” if it were presented as it is now.

    The threat of a veto might help certain amendments to be added onto CISPA before it goes to the floor for a vote this week, but I wouldn’t hold my breath. The bill’s authors seem pretty adamant on passing CISPA as is, and it will most likely die another ignoble death in the Senate as its members push for their own cybersecurity bill.

    [h/t: TechDirt]

  • Civil Liberty Groups Still Don’t Like CISPA, Issue Open Letter To Congress

    After a closed door markup, CISPA emerged from the House Intelligence Committee with some new amendments. Rep. Mike Rogers, the author of the bill, said the amendments would address concerns from civil liberty groups. Those same groups could not be in more disagreement as they are still saying that CISPA needs to be changed, or just ditched altogether.

    The Electronic Frontier Foundation, alongside 33 other civil liberty groups, including the ACLU and Fight for the Future, has sent an open letter to Congress urging members of the House to reject CISPA during its vote this week.

    Earlier this year, many of our organizations wrote to state our opposition to H.R. 624, the Cyber Intelligence Sharing and Protection Act of 2013 (CISPA). We write today to express our continued opposition to this bill following its markup by the House Permanent Select Committee on Intelligence (HPSCI). Although some amendments were adopted in markup to improve the bill’s privacy safeguards, these amendments were woefully inadequate to cure the civil liberties threats posed by this bill. In particular, we remain gravely concerned that despite the amendments, this bill will allow companies that hold very sensitive and personal information to liberally share it with the government, including with military agencies.

    It’s the idea of sharing information with military agencies that has these groups so concerned. They feel that CISPA would be much more effective if any information sharing was narrowly defined as between companies and civilian agencies:

    CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity. Although a carefully-crafted information sharing program that strictly limits the information to be shared and includes robust privacy safeguards could be an effective approach to cybersecurity, CISPA lacks such protections for individual rights. CISPA’s information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of emails to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command.

    Finally, the letter questions the need for CISPA at all after President Obama’s cybersecurity executive order, and other laws already on the books, do what CISPA does minus the massive privacy infringement:

    Developments over the last year make CISPA’s approach even more questionable than before. First, the President recently signed Executive Order 13636, which will increase information sharing from the government to the private sector. Information sharing in this direction is often cited as a substantial justification for CISPA and will proceed without legislation. Second, the cybersecurity legislation the Senate considered last year, S. 3414, included privacy protections for information sharing that are entirely absent from CISPA, and the Obama administration, including the intelligence community, has confirmed that those protections would not inhibit cybersecurity programs. These included provisions to ensure that private companies send cyber threat information only to civilian agencies, and a requirement that companies make “reasonable efforts” to remove personal information that is unrelated to the cyber threat when sharing data with the government. Finally, witnesses at a hearing before the House Permanent Select Committee on Intelligence confirmed earlier this year that companies can strip out personally identifiable information that is not necessary to address cyber threats, and CISPA omits any requirement that reasonable efforts be undertaken to do so.

    These groups represent a pretty formidable opposition, but they have their work cut out for them. TechDirt reported on Monday that IBM will be sending 200 executives to Washington as part of a lobbying effort to see CISPA passed. Why does IBM want to see CISPA passed so badly? The official line is that it wants information sharing between corporations and government to be easier, but the company’s president has also flat out admitted that he wants to be able to send personal information to the NSA because the agency “know[s] the most” about cyber threats.

    IBM and other companies that are pushing for CISPA could have nothing but admirable intentions, but it’s hard to believe that when they’re all pushing for a law that would give them complete immunity when sharing your private information with the government.

    We’ll continue to follow CISPA as it heads to the House floor for a vote later this week. Don’t get your hopes up though – it passed the House with flying colors last year. We can only assume that the House will do so again this year.

  • Obama Administration Says CISPA Still Has Some Issues

    On Wednesday, CISPA came closer to reality as it passed the markup phase in the House Intelligence Committee. Now the bill has to make it through the House, then the Senate, and finally the President’s desk. That last one may have just become a little harder, however, as the administration doesn’t necessarily like what it sees in the cybersecurity bill.

    The Obama Administration has finally issued a statement in regards to its stance on the controversial CISPA bill that’s expected to go before the House next week. The statement, written by Caitlin Hayden, a National Security Council spokesperson, says the newly amended CISPA is a good start, but doesn’t go far enough in protecting civil liberties:

    “We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections. The Administration seeks to build upon the productive dialogue with Chairman Rogers and Ranking Member Ruppersberger over the last several months, and the Administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles. Further, we believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities.”

    This new statement comes almost a year after the White House issued its first statement in opposition to CISPA. At that time, the statement was much longer, and tore CISPA a new one. The old statement also ended with a veto threat.

    It’s unfortunate then that this new statement contains no such thing. The new one doesn’t even address any of the specific failings in CISPA. It would have been nice to see the administration explicitly state it was against granting companies immunity when they share private information with government, or that it was against the bill allowing companies to share information directly with the NSA. We could assume that the administration, based upon last year’s statement, was against these provisions in CISPA yet again, but its silence doesn’t inspire confidence.

    Regardless, it’s nice to see that the White House still has some issues with CISPA. It would have been even nicer to see the administration issue a veto threat, but this will have to do for now. Now we can only hope that the White House finally addresses the CISPA petition that got over 100,000 signatures last month.

    [LA Times via TechDirt]

  • CISPA Advances: Do You Trust Congress With Your Privacy?

    Well, that didn’t take long. The Hill reports that the House Intelligence Committee met in secret Wednesday to mark up CISPA and approve any last amendments before it made its way to the House floor. CISPA was approved on a vote of 18-2.

    Now CISPA is heading to the House floor, but the question still remains – will CISPA protect your privacy? The amendments approved during the mark up point to a bill that’s well intentioned, but some privacy advocates still aren’t convinced. Those very same privacy advocates are now leading the fight to improve or kill what they feel is an attack on their online freedoms.

    Are you concerned about CISPA? Do you think it will pass the House? Let us know in the comments.

    The big question is whether or not the House Intelligence Committee actually improved CISPA during the mark up. There were six amendments approved, and all six were backed by the bill’s authors – Reps. Mike Rogers and Dutch Ruppersberger. The amendments talk a big game, but do they really take your privacy seriously?

    Speaking to reporters, Rogers claims that this year’s CISPA addresses all the problems privacy advocates had with the bill:

    “What we came up with, we think, is the right approach. It is the one bill out of everything you’ve seen on both sides of this great institution of the United States Congress that protects a free and open Internet and allows people to share cyber threat information to protect their clients, their business, their [personally identifiable information].”

    One of the more publicized amendments would require the government to strike any personally identifiable information from the data it receives. The same would be required of companies receiving information from the government. The problem with these seemingly well intentioned amendments, at least according to TechDirt, is that the information isn’t wiped before it reaches the government. There’s an expectation that the government will wipe any personally identifiable information from the data as soon as they receive it, but it’s hard to say when that data will be wiped. Will the government wipe the data as soon as it receives it, or will it wipe it when it’s most convenient?

    Another amendment would forbid companies from using the information they receive from the government for marketing purposes. This is definitely the most troublesome amendment only because it admits that CISPA would allow this sort of thing if left unchecked. According to the folks in Washington, CISPA is meant to combat cybersecurity threats. Why does the bill have to address something like marketing then? There are bigger problems with a cybersecurity bill when the kind of information it shares can be used for marketing purposes.

    Alongside the amendments, the committee also struck some language from CISPA that said the information the government receives could be used for “national security purposes.” Critics said the language was too broad, and feared that information received under CISPA would be used in criminal investigations that have nothing to do with national security.

    Despite these amendments, two members of the House Intelligence Committee still voted against CISPA. Rep. Adam Schiff threatened to vote against CISPA if his amendment wasn’t taken up, and he stayed true to his word. It’s a shame too as his amendment would have addressed a few major concerns privacy advocates have with the bill.

    Schiff’s amendment would do what Rogers’ amendment does in that it removes personally identifiable information from data the government receives from companies. The only difference is that Schiff’s amendment called for an automated system that would strike the information from data before it reached the government’s hands. It’s not said why the committee didn’t go with Schiff’s amendment, but some lawmakers have already shown that they don’t trust algorithmic software.

    Even if the privacy protections actually protected users’ privacy, opponents of the bill are still sour over CISPA’s willingness to grant legal immunity to companies that share data with the government. In other words, you can’t sue a company that mishandles your information as long as that data was being used for “national security purposes.”

    Opponents are also still unhappy with the bill not explicitly stating which government agency companies must share data with. Privacy advocates think the information should be sent to a civilian agency, like the Department of Homeland Security, but there’s nothing stopping a company from sharing information with the National Security Agency, a secretive organization that has little governmental oversight and is already rumored to be illegally collecting online communications.

    Do you think the amendments approved by the House Intelligence Committee do enough to protect your privacy? Let us know in the comments.

    CISPA may have passed committee, but now the real fight begins. The first obstacle standing in its way is the rest of Washington as both the White House and Senate were opposed to CISPA last year. The Senate’s insistence on passing the doomed CSA ultimately doomed CISPA as well. Schiff is also confident that the White House will come out against the bill again:

    “I do think that the reservations that the White House has stated to the bill are still there and my expectation is that they would be appreciative of the steps that were taken, but also call for additional steps.”

    Another obstacle standing in CISPA’s way is a renewed Internet grassroots movement dedicated to making sure the bill doesn’t pass. Groups like the ACLU and EFF are leading the charge while Reddit co-founder Alexis Ohanian has teamed up with Fight For The Future to launch a petition aimed directly at stopping CISPA.

    Despite all of this, CISPA will probably make it past the House again. It did last year, and the 2012 elections didn’t dramatically alter the House in a way that would make its members more likely to reject the bill.

    It’s going to get really interesting, however, when the Senate reveals its own cybersecurity legislation. Will it be another bill similar to last year’s CSA or will the Senate adopt something similar to CISPA this time around? Another big question is whether or not the White House will reject it again as the Obama administration has remained quiet on the debate so far despite a White House petition calling for the death of CISPA reaching 100,000 signatures.

    Do you think CISPA has any chance of passing the Senate? Will senators better take your privacy into account? Let us know in the comments.

    [Image: EFF]

  • CISPA Is Looking Better, But Privacy Proponents Still Aren’t Satisfied

    Rep. Adam Schiff announced on Friday that he would be introducing a pro-privacy amendment to CISPA that would force companies to remove any identifiable information from data they share with the government. Surprisingly enough, the bill’s authors seem to be taking this amendment, and other pro-privacy amendments, seriously.

    The Hill reports that House Intelligence Committee Chairman Mike Rogers and ranking member Dutch Ruppersberger will be adding a number of amendments to CISPA during its markup this week. Rogers insists that CISPA is “not a surveillance bill” and the proposed amendments will reportedly clear up any misconceptions people have about it.

    So, what kind of misconceptions will these amendments clear up? The first would strictly limit what government agencies could use the collected information for. Opponents suggest the current CISPA would allow government agencies to use collected information for non-national security purposes. The amendment would make it clear that any information collected under CISPA must be used only for national security purposes.

    Another amendment would make sure companies are held to the same standard as government agencies. In other words, it would require companies to use any information they receive from government agencies for cybersecurity purposes only.

    One of the more interesting amendments would forbid companies from launching retaliatory attacks against those who launch attacks against them. It’s not exactly a pro-privacy amendment, but it would help keep trigger happy companies under check while the authorities investigate cyberattacks.

    Privacy proponents are obviously happy to see CISPA being improved, but they still have one major issue with the bill. They feel that any information obtained by the government should be sent to a civilian agency, like the Department of Homeland Security. The current bill isn’t exactly clear on which agency companies would share information with, but one interpretation sees CISPA allowing companies to share information directly with NSA, a spy agency with little governmental oversight.

    The currently proposed amendments don’t address all the problems, but they show that the House Intelligence Committee at least wants to address some of the problems privacy proponents have with CISPA. That’s more than what the committee did last year as it passed CISPA without even allowing arguments for proposed amendments to be heard.

  • Rep. Adam Schiff To Propose Pro-Privacy Amendment To CISPA

    This year’s CISPA is just like last year’s CISPA. That has some privacy groups concerned as the bill makes it easier for companies to share private information with the government while granting them immunity. To help address these concerns, one lawmaker will be introducing an amendment to CISPA next week.

    The Hill reports that Rep. Adam Schiff will be introducing a pro-privacy amendment during the House Intelligence Committee’s markup of CISPA. The amendment would make companies do their damnedest to remove personally identifiable information from any data that they share with government.

    Beyond that, the amendment would also allow companies to use automated processes in removing personal information from data. The automated removal of information would serve two purposes – it would make the removal of information more accurate, and it would speed up the process to better counter cybersecurity threats.

    The amendment is a great first step to making sure CISPA protects privacy, but Schiff has indicated that he has yet to reach a consensus with the bill’s authors – Reps. Mike Rogers and Dutch Ruppersberger. Fortunately, Schiff says that the tech industry has yet to raise any objections to his amendment.

    Even with the support of industry, Schiff’s amendment may not make it into CISPA. What’s worse is that we won’t even know what actually happened until after the fact thanks to the committee holding the CISPA markup behind closed doors. Still, there’s a small sliver of hope resting on Schiff’s shoulders as the congressman said that he wouldn’t vote CISPA out of committee unless it had his amendment, or another suitable pro-privacy amendment, tacked on to it.

    Even with these proposed amendments, there’s always the chance that CISPA can worm its way through the House just like it did last year. After that, it will be up to the Senate and White House to make sure that it doesn’t go through without reasonable privacy protections.

  • Congress Doesn’t Want You Listening In On The CISPA Debate

    It was revealed in mid-February that CISPA would be back. The dreaded cybersecurity bill is now ready to make its way through Congress, but our elected representatives apparently think that the public doesn’t have the right to know what’s going to go into it.

    The Hill reports that the media and public will not be allowed to watch the House Intelligence Committee’s markup on CISPA next week. A spokesperson for the committee says that the secrecy is because the CISPA discussions will include confidential material that must be kept secret.

    “Sometimes they’ll need to bounce into classified information and go closed for a period of time to talk. In order to keep the flow of the mark-up continuing forward, you can’t stop in the middle of an open hearing, move everyone to another location for a portion of it, and then move back.”

    It’s heavily speculated that the committee is shutting out the media and public to keep both in the dark. Sure, the committee says it will release information on amendments offered, and lawmakers can discuss what happened; but it doesn’t give us the whole picture.

    If you buy into the rhetoric of lawmakers, cybersecurity is incredibly important. If it’s so important, why isn’t the public invited to add their voice to the ongoing deliberations over what was already a bad bill? Most likely, it’s just another excuse to eliminate scrutiny. Unfortunately for the committee, they will only invite more scrutiny on themselves and the bill as it nears a vote in the House.

    It will be interesting to see what the White House says about all of this as the anti-CISPA petition on the We the People Web site has reached the necessary 100,000 signatures for an official response. It’s been almost a month, however, and there’s been no response yet. Here’s hoping the White House still retains its CISPA position from last year.

  • Anti-CISPA White House Petition Crosses 100,000 Signature Threshold

    After CISPA returned in February, privacy advocates started a “We The People” petition asking the White House to stand against the controversial legislation. It’s been a month since the petition was created, and advocates are one step closer to a response.

    The “Stop CISPA” petition on the We The People petition site has crossed the recently instated 100,000-signature threshold required for a response from the Obama administration. The petition asks the administration to reject CISPA for its overly broad language:

    CISPA is about information sharing. It creates broad legal exemptions that allow the government to share “cyber threat intelligence” with private companies, and companies to share “cyber threat information” with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.

    It will be interesting to see if, and how, the administration responds to this petition. President Obama has already signed an executive order that accomplishes what CISPA aims to do without the civil liberty violations. The President acknowledged, however, that an executive order isn’t enough and called upon Congress to pass cybersecurity legislation.

    That’s going to be the hard part, though, as Congress proved last year that it can’t agree on cybersecurity measures. Privacy advocates may not even have to bother the White House if the House and Senate can’t come to any sort of agreement. Even if they do, the White House promised to stand against CISPA last year. Unless something changes, the White House will stand against CISPA again.

    [h/t: TechDirt]

  • Will Congress Finally Pass An Email Privacy Bill This Year?

    An updated Electronic Communications Privacy Act, or ECPA, was a good idea proposed at the wrong time. The amendment would have protected our privacy in online communications, but its proposal at the end of the last Congress ensured its demise. With a new Congress comes a new chance to pass it, and some lawmakers are taking that chance.

    The Hill reports that House Judiciary Committee Chairman Bob Goodlatte has laid out his priorities for 2013, and the ECPA amendment is near the top. He said that the Committee will “look at modernizing the decades-old Electronic Communications Privacy Act to reflect our current digital economy.”

    The amendment’s original sponsor in the Senate, Patrick Leahy, is also reportedly on board with trying to pass the bill again. He and Goodlatte will presumably work together to get something passed this time around.

    Do you think the ECPA can pass the House and Senate this year? Should it be a priority? Let us know in the comments.

    So, why is an updated ECPA important again? The original bill was drafted and passed into law in 1986. Its intent was to protect electronic communications from government surveillance, but it was written with the technology of the late 80s in mind. Email and other electronic communications have evolved and greatly expanded since then. Some lawmakers and privacy proponents think the bill needs a rewrite to address changes in how we communicate online.

    The current ECPA requires law enforcement to simply obtain a subpoena before going through your email. Beyond that, the only limitation is that they can only go through emails that have been opened, or those that are more than 180 days old. It’s kind of ridiculous to think that this was acceptable in the late 80s when there were maybe only a few thousand email messages being sent among a handful of people, but it’s unacceptable when there are billions of email messages being sent out every day.

    That’s why many lawmakers feel that the ECPA needs to be updated, and Goodlatte isn’t the only one in the House working on a solution. California Rep. Zoe Lofgren has been working on her own version of the bill called ECPA 2.0 Act of 2012, but it was killed with the last Congress. Lofgren will probably reintroduce the bill in this year’s Congress, however, and Goodlatte would be wise to back it. It features a number of protections that any person who communicates over the Internet would appreciate:

  • The government should obtain a warrant before compelling a service provider to disclose an individual’s private online communications.
  • The government should obtain a warrant before it can track the location of an individual’s wireless communication device.
  • Before it can install a pen register or trap and trace device to capture real time transactional data about when and with whom an individual communicates using digital services (such as email or mobile phone calls), the government should demonstrate to a court that such data is relevant to a criminal investigation.
  • The government should not use an administrative subpoena to compel service providers to disclose transactional data about multiple unidentified users of digital services (such as a bulk request for the names and addresses of everyone that visited a particular website during a specified time frame). The government may compel this information through a warrant or court order, but subpoenas should specify the individuals about whom the government seeks information.

    Lofgren’s proposed legislation is probably the best version of ECPA we’re going to see. It outright bans the ability of law enforcement to obtain emails through subpoenas, and it holds said law enforcement accountable for its actions. Other proposed updates to the ECPA may require a warrant when obtaining emails, but the accountability rules on law enforcement aren’t as strong.

    Unfortunately, we probably won’t see a new ECPA as long as law enforcement is opposed to it. The bill piggybacked on the VPPA last year and almost made its way to the President’s desk before being killed by the Senate. Why? Senate Republicans were concerned that the bill would “hamper police investigations.”

    Should Lofgren’s ECPA be adopted by the House? Or should a more law enforcement friendly version prevail? Let us know in the comments.

    A law enforcement friendly version of ECPA won’t have an easy ride through Congress though. There are a lot of conflicting interests involved in passing bills like this with privacy proponents and law enforcement standing on opposite sides of the aisle yelling their demands at lawmakers. In the end, however, it may not even matter if the ECPA is amended or not.

    Kim Dotcom, founder of Megaupload and Mega, recently announced that he would introduce an encrypted email service that would be immune to snooping by law enforcement. If true, an updated ECPA may not matter anymore.

    If the Mega email client goes mainstream, we may even see others start offering similar services. Could law enforcement still access email? Sure, but only email services under U.S. jurisdiction. If that were the case, users may start moving their email accounts to offshore email clients that promise privacy.

    That being said, there’s still a need for an updated ECPA. There should be an expectation of Congress to keep up with developments in technology and legislate accordingly. How can we expect Congress to act on something far more important, like cybersecurity, when it can’t even comprehend something as simple as email?

    Should Congress focus its efforts on an updated ECPA this year? Would services like Mega email pick up the slack if Congress failed to act? Let us know in the comments.

  • Experts Say Congress Is Unprepared For A Cyberattack

    President Obama introduced an executive order last week that intended to help protect the nation’s infrastructure from cyber attacks. It’s similar to CISPA in that it increases information sharing between government and private corporations, but thankfully lacks the privacy infringing clauses found in the aforementioned bill. Some experts, however, are saying that it’s not enough.

    Security experts have found that Congress itself is woefully unprepared for a cyberattack on its network. They say that Congressional networks lack the technology and security methods to prevent attacks. The danger here is that a successful hack could yield a treasure trove of classified information from lawmakers.

    Speaking to The Hill, Tom Kellermann, VP of Cybersecurity for Trend Micro, says that Congress is “overly reliant on perimeter defenses that are ineffective in today’s targeted environment.” He also says that Congressional networks “lack their own appropriate levels of funding for technologies and manpower to deal with this properly.”

    If hackers were interested in Congress, who would they hit? Security experts say that high-ranking lawmakers would be first on the list, but important committees like the Intelligence and Armed Services committees would also be high priority targets. These committees hold highly classified information from government agencies like the FBI and the Pentagon that would be especially desirable.

    For their part, many people in Congress told The Hill that they practice “proper cyber hygiene.” That is to say that members of Congress and its employees are trained to spot phishing attempts and malware attacks. It’s a good first line of defense that could prevent incidents like the recent Apple and Facebook hacks that used an exploit in Java to gain access to systems.

    As always, lawmakers can talk a good talk, but are they really doing enough to protect their networks from hackers? Congress’ cybersecurity professionals have reportedly been stepping up their game over the past few years to prevent the kind of attacks that have crippled corporations in that time. They do, however, emphasize the need for new cybersecurity regulations. Let’s just hope Congress can provide one devoid of CISPA’s privacy-infringing ugliness.

  • Anonymous Hacks State Department, Leaks Database

    #OpLastResort continues as a branch of Anonymous carries on its war against the U.S. government in response to the death of Aaron Swartz. The last major offensive saw Anonymous hacking the Fed and releasing banker records on the net.

    In its latest attempt to get the government’s attention, Anonymous announced that it hacked the State Department. To top it off, the hacker collective also released a database it found while going through the Web site. The database contains the personal information of State Department employees in the U.S. and overseas. The information in the dump includes names, birth dates, phone numbers, email addresses, home addresses, etc.

    According to Anonymous, this latest hack is not only a continuation of #OpLastResort, but a response to the U.S. arresting and imprisoning members of Anonymous. Here’s the full statement:

    Our reasons for this attack are very simple. You’ve imprisoned or either censored our people. We will not tolerate things as such. You don’t see us going around censoring everything that is inappropriate or we do not like. Basically, you tried to put an end to us and you got owned, there’s nothing more you can say or do. You took away Topiary, Avunit, Neuron, Pwnsauce, lolspoon, Aaron Swartz shall we go on? Heck you think this makes us weak? We are only growing stronger because of the fact that you are forcing us to revolt. When the lions roar you will hear them. And when it’s feeding time you’ll be our dinner.

    Aaron Swartz this is for you, this is for Operation Last Resort.

    We are Anonymous.
    We are Legion.
    We do not forgive.
    We do not forget.
    Expect us.
    #OpLastResort

    The State Department wasn’t the only target of this latest hack. Anonymous also targeted private investment firm George K. Baum and Company. The site was defaced with a link to a pastebin that featured private account information of all the firm’s customers. According to the OpLastResort Twitter feed, this particular hack was made because of the firm’s ties to Stratfor, the private intelligence company that Anonymous hacked into last year.

    Once again, it looks like #OpLastResort won’t be slowing down anytime soon. Anonymous will continue looking for exploits in government Web sites, and publicly hack them for all to see. At this point, it’s not so much about getting any kind of information, but rather just embarrassing the government.

    It will be interesting to see how Obama’s new cybersecurity executive order will affect how the government reacts to attacks from Anonymous. The new rules for information sharing between public and private institutions may just help stop some of these attacks before they happen, but it isn’t likely.

    [h/t: Net-Security]