Month: November 2014

Webcam Videos Exposed by Weak Passwords

Russian Website Live-Streaming Feeds from Insecure Cameras

By November 21, 2014.

A website in Russia is streaming live footage accessed from security cameras used by businesses, closed-circuit television networks, and even built-in cameras on baby monitors around the world. The exposure of these videos highlights the dangers of weak passwords and the need for organizations to vet the security settings of their Internet-connected cameras and other devices.

The website is accessing the video feeds of the cameras by using the default login credentials for thousands of devices, the UK Information Commissioner’s Office warns in a Nov. 20 blog post. The devices’ default access credentials are public knowledge, and easily found online. Likewise, search engines such as Shodan make it easy for such websites – never mind unscrupulous corporate competitors or would-be stalkers – to automatically locate numerous types of Internet-connected devices, including webcams.

The commissioner’s report doesn’t name the Russian website that’s serving as a live-streaming portal for unsecured, Internet-connected cameras. But according to threads that began appearing in September on the website Reddit’s “creepy” forum – and subsequently in numerous press reports – the site is http://www.insecam.cc, which claims to be live-streaming footage from 125 different countries, listing 4,591 different feeds from the United States alone, 2,058 from France and 1,576 from the Netherlands. Feeds from Japan, Italy and the United Kingdom also are featured.

The site’s interface not only includes a stream from the camera, but also the camera’s geographical location – in latitude and longitude – although it’s not clear how accurate those coordinates might be. But according to the Reddit forum, multiple such sites exist, not all of which are publicly known, and there have been previous cases involving camera – including baby-monitor – hacking.

“We all need to be aware of the threats that exist to our personal information,” says Simon Rice, group manager for the technology team at the ICO. “If [not], then you’re leaving your information vulnerable, and no one likes being watched by a stranger.”

Rice encourages organizations and users to proactively change the default passwords installed on all Internet-connected devices, including webcams. Regardless, Rice recommends always picking a strong, difficult-to-guess password, as well as using two-factor authentication, whenever possible. “When you begin using your camera, you may be given a simple default password that you’ll need to enter to get the device working,” such as “password” or “12345,” he says. Some webcam manufacturers, such as Foscam, have configured their devices so that users must now select a unique password before they can begin using the device, but the “pick a strong password” advice still stands.

Many Internet-enabled cameras include additional, built-in security features, but these typically are not enabled by default and must be activated, Rice says, noting that taking just a few minutes to review the user manual will typically tell users everything they need to know about how to correctly lock down their device. “The ability to access footage remotely is both an Internet camera’s biggest selling point and, if not set up correctly, potentially its biggest security weakness,” he says. Accordingly, he recommends users review whether they need to remotely access the camera feed via the Internet at all, since that can be disabled while retaining the ability to access the camera feed via a local Wi-Fi network. Less technological approaches may also suffice for some users. “As a last resort, you can always cover the lens if you don’t want to use the camera all of the time,” he says.

Vetting for Security Gaps

Default passwords are easy prey for cybercriminals who target enterprises or consumers, says Al Pascual, director of fraud and security at Javelin Strategy and Research. “For something as remedial as passwords, basic management still remains a challenge, which only bolsters the argument that alternatives are sorely needed.”

Amnesty International releases public anti-surveillance tool

Is your computer being watched? (Image via latticesemi.com)

Post-Snowden, we’re more aware than ever of how closely we’re being watched. Amnesty International has decided to take action with a new tool that picks up government surveillance spyware on home computers. Detekt is believed to be the first public, open-source software of its kind.

“Governments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists’ private emails and remotely turn on their computer’s camera or microphone to secretly record their activities,” Marek Marczynski, Head of Military, Security and Police at Amnesty, said.

“Detekt is a simple tool that will alert activists to such intrusions so they can take action. It represents a strike back against governments who are using information obtained through surveillance to arbitrarily detain, illegally arrest and even torture human rights defenders and journalists.”

Developed by German security researcher Claudio Guarnieri, Detekt is currently only available for Windows, with a Mac version in the pipeline. If you install Detekt and it finds that your computer has been compromised, it’s recommended that you do not reconnect to the internet.

According to developers, “the attacker will likely have remote-control access of your computer, meaning they can view not only your files and emails but everything you type on your keyboard and could even switch on your webcam and microphone remotely”.

Governments have become au fait with technologies that can monitor Skype conversations, infiltrate webcams and read emails. Targets have included human rights activists, political dissidents and even journalists such as Citizenfour filmmaker Laura Poitras. But really, you could add absolutely everybody on to that list.

Check out all these different times that governments have used spyware against people. You can download Detekt here.

Remarks by the President on Review of Signals Intelligence

Department of Justice
Washington, D.C.

11:15 A.M. EST

THE PRESIDENT:  At the dawn of our Republic, a small, secret surveillance committee borne out of the “The Sons of Liberty” was established in Boston.  And the group’s members included Paul Revere.  At night, they would patrol the streets, reporting back any signs that the British were preparing raids against America’s early Patriots.

Throughout American history, intelligence has helped secure our country and our freedoms.  In the Civil War, Union balloon reconnaissance tracked the size of Confederate armies by counting the number of campfires.  In World War II, code-breakers gave us insights into Japanese war plans, and when Patton marched across Europe, intercepted communications helped save the lives of his troops.  After the war, the rise of the Iron Curtain and nuclear weapons only increased the need for sustained intelligence gathering.  And so, in the early days of the Cold War, President Truman created the National Security Agency, or NSA, to give us insights into the Soviet bloc, and provide our leaders with information they needed to confront aggression and avert catastrophe.

Throughout this evolution, we benefited from both our Constitution and our traditions of limited government.  U.S. intelligence agencies were anchored in a system of checks and balances — with oversight from elected leaders, and protections for ordinary citizens.  Meanwhile, totalitarian states like East Germany offered a cautionary tale of what could happen when vast, unchecked surveillance turned citizens into informers, and persecuted people for what they said in the privacy of their own homes.

In fact, even the United States proved not to be immune to the abuse of surveillance.  And in the 1960s, government spied on civil rights leaders and critics of the Vietnam War.  And partly in response to these revelations, additional laws were established in the 1970s to ensure that our intelligence capabilities could not be misused against our citizens.  In the long, twilight struggle against Communism, we had been reminded that the very liberties that we sought to preserve could not be sacrificed at the altar of national security.

If the fall of the Soviet Union left America without a competing superpower, emerging threats from terrorist groups, and the proliferation of weapons of mass destruction placed new and in some ways more complicated demands on our intelligence agencies.  Globalization and the Internet made these threats more acute, as technology erased borders and empowered individuals to project great violence, as well as great good.  Moreover, these new threats raised new legal and new policy questions.  For while few doubted the legitimacy of spying on hostile states, our framework of laws was not fully adapted to prevent terrorist attacks by individuals acting on their own, or acting in small, ideologically driven groups on behalf of a foreign power.

The horror of September 11th brought all these issues to the fore.  Across the political spectrum, Americans recognized that we had to adapt to a world in which a bomb could be built in a basement, and our electric grid could be shut down by operators an ocean away.  We were shaken by the signs we had missed leading up to the attacks — how the hijackers had made phone calls to known extremists and traveled to suspicious places.  So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack.

It is hard to overstate the transformation America’s intelligence community had to go through after 9/11.  Our agencies suddenly needed to do far more than the traditional mission of monitoring hostile powers and gathering information for policymakers.  Instead, they were now asked to identify and target plotters in some of the most remote parts of the world, and to anticipate the actions of networks that, by their very nature, cannot be easily penetrated with spies or informants.

And it is a testimony to the hard work and dedication of the men and women of our intelligence community that over the past decade we’ve made enormous strides in fulfilling this mission.  Today, new capabilities allow intelligence agencies to track who a terrorist is in contact with, and follow the trail of his travel or his funding.  New laws allow information to be collected and shared more quickly and effectively between federal agencies, and state and local law enforcement.  Relationships with foreign intelligence services have expanded, and our capacity to repel cyber-attacks have been strengthened.  And taken together, these efforts have prevented multiple attacks and saved innocent lives — not just here in the United States, but around the globe.

And yet, in our rush to respond to a very real and novel set of threats, the risk of government overreach — the possibility that we lose some of our core liberties in pursuit of security — also became more pronounced.  We saw, in the immediate aftermath of 9/11, our government engaged in enhanced interrogation techniques that contradicted our values.  As a Senator, I was critical of several practices, such as warrantless wiretaps.  And all too often new authorities were instituted without adequate public debate.

Through a combination of action by the courts, increased congressional oversight, and adjustments by the previous administration, some of the worst excesses that emerged after 9/11 were curbed by the time I took office.  But a variety of factors have continued to complicate America’s efforts to both defend our nation and uphold our civil liberties.

First, the same technological advances that allow U.S. intelligence agencies to pinpoint an al Qaeda cell in Yemen or an email between two terrorists in the Sahel also mean that many routine communications around the world are within our reach.  And at a time when more and more of our lives are digital, that prospect is disquieting for all of us.

Second, the combination of increased digital information and powerful supercomputers offers intelligence agencies the possibility of sifting through massive amounts of bulk data to identify patterns or pursue leads that may thwart impending threats.  It’s a powerful tool.  But the government collection and storage of such bulk data also creates a potential for abuse.

Third, the legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas.  This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders.  And the whole point of intelligence is to obtain information that is not publicly available.  But America’s capabilities are unique, and the power of new technologies means that there are fewer and fewer technical constraints on what we can do.  That places a special obligation on us to ask tough questions about what we should do.

And finally, intelligence agencies cannot function without secrecy, which makes their work less subject to public debate.  Yet there is an inevitable bias not only within the intelligence community, but among all of us who are responsible for national security, to collect more information about the world, not less.  So in the absence of institutional requirements for regular debate — and oversight that is public, as well as private or classified — the danger of government overreach becomes more acute.  And this is particularly true when surveillance technology and our reliance on digital information is evolving much faster than our laws.

For all these reasons, I maintained a healthy skepticism toward our surveillance programs after I became President.  I ordered that our programs be reviewed by my national security team and our lawyers, and in some cases I ordered changes in how we did business.  We increased oversight and auditing, including new structures aimed at compliance.  Improved rules were proposed by the government and approved by the Foreign Intelligence Surveillance Court.  And we sought to keep Congress continually updated on these activities.

What I did not do is stop these programs wholesale — not only because I felt that they made us more secure, but also because nothing in that initial review, and nothing that I have learned since, indicated that our intelligence community has sought to violate the law or is cavalier about the civil liberties of their fellow citizens.

To the contrary, in an extraordinarily difficult job — one in which actions are second-guessed, success is unreported, and failure can be catastrophic — the men and women of the intelligence community, including the NSA, consistently follow protocols designed to protect the privacy of ordinary people.  They’re not abusing authorities in order to listen to your private phone calls or read your emails.  When mistakes are made — which is inevitable in any large and complicated human enterprise — they correct those mistakes.  Laboring in obscurity, often unable to discuss their work even with family and friends, the men and women at the NSA know that if another 9/11 or massive cyber-attack occurs, they will be asked, by Congress and the media, why they failed to connect the dots.  What sustains those who work at NSA and our other intelligence agencies through all these pressures is the knowledge that their professionalism and dedication play a central role in the defense of our nation.

Now, to say that our intelligence community follows the law, and is staffed by patriots, is not to suggest that I or others in my administration felt complacent about the potential impact of these programs.  Those of us who hold office in America have a responsibility to our Constitution, and while I was confident in the integrity of those who lead our intelligence community, it was clear to me in observing our intelligence operations on a regular basis that changes in our technological capabilities were raising new questions about the privacy safeguards currently in place.

Moreover, after an extended review of our use of drones in the fight against terrorist networks, I believed a fresh examination of our surveillance programs was a necessary next step in our effort to get off the open-ended war footing that we’ve maintained since 9/11.  And for these reasons, I indicated in a speech at the National Defense University last May that we needed a more robust public discussion about the balance between security and liberty.  Of course, what I did not know at the time is that within weeks of my speech, an avalanche of unauthorized disclosures would spark controversies at home and abroad that have continued to this day.

And given the fact of an open investigation, I’m not going to dwell on Mr. Snowden’s actions or his motivations; I will say that our nation’s defense depends in part on the fidelity of those entrusted with our nation’s secrets.  If any individual who objects to government policy can take it into their own hands to publicly disclose classified information, then we will not be able to keep our people safe, or conduct foreign policy.  Moreover, the sensational way in which these disclosures have come out has often shed more heat than light, while revealing methods to our adversaries that could impact our operations in ways that we may not fully understand for years to come.

Regardless of how we got here, though, the task before us now is greater than simply repairing the damage done to our operations or preventing more disclosures from taking place in the future.  Instead, we have to make some important decisions about how to protect ourselves and sustain our leadership in the world, while upholding the civil liberties and privacy protections that our ideals and our Constitution require.  We need to do so not only because it is right, but because the challenges posed by threats like terrorism and proliferation and cyber-attacks are not going away any time soon.  They are going to continue to be a major problem.  And for our intelligence community to be effective over the long haul, we must maintain the trust of the American people, and people around the world.

This effort will not be completed overnight, and given the pace of technological change, we shouldn’t expect this to be the last time America has this debate.  But I want the American people to know that the work has begun.  Over the last six months, I created an outside Review Group on Intelligence and Communications Technologies to make recommendations for reform.  I consulted with the Privacy and Civil Liberties Oversight Board, created by Congress.  I’ve listened to foreign partners, privacy advocates, and industry leaders.  My administration has spent countless hours considering how to approach intelligence in this era of diffuse threats and technological revolution.  So before outlining specific changes that I’ve ordered, let me make a few broad observations that have emerged from this process.

First, everyone who has looked at these problems, including skeptics of existing programs, recognizes that we have real enemies and threats, and that intelligence serves a vital role in confronting them.  We cannot prevent terrorist attacks or cyber threats without some capability to penetrate digital communications — whether it’s to unravel a terrorist plot; to intercept malware that targets a stock exchange; to make sure air traffic control systems are not compromised; or to ensure that hackers do not empty your bank accounts.  We are expected to protect the American people; that requires us to have capabilities in this field.

Moreover, we cannot unilaterally disarm our intelligence agencies.  There is a reason why BlackBerrys and iPhones are not allowed in the White House Situation Room.  We know that the intelligence services of other countries — including some who feign surprise over the Snowden disclosures — are constantly probing our government and private sector networks, and accelerating programs to listen to our conversations, and intercept our emails, and compromise our systems.  We know that.

Meanwhile, a number of countries, including some who have loudly criticized the NSA, privately acknowledge that America has special responsibilities as the world’s only superpower; that our intelligence capabilities are critical to meeting these responsibilities, and that they themselves have relied on the information we obtain to protect their own people.

Second, just as ardent civil libertarians recognize the need for robust intelligence capabilities, those with responsibilities for our national security readily acknowledge the potential for abuse as intelligence capabilities advance and more and more private information is digitized.  After all, the folks at NSA and other intelligence agencies are our neighbors.  They’re our friends and family.  They’ve got electronic bank and medical records like everybody else.  They have kids on Facebook and Instagram, and they know, more than most of us, the vulnerabilities to privacy that exist in a world where transactions are recorded, and emails and text and messages are stored, and even our movements can increasingly be tracked through the GPS on our phones.

Third, there was a recognition by all who participated in these reviews that the challenges to our privacy do not come from government alone.  Corporations of all shapes and sizes track what you buy, store and analyze our data, and use it for commercial purposes; that’s how those targeted ads pop up on your computer and your smartphone periodically.  But all of us understand that the standards for government surveillance must be higher.  Given the unique power of the state, it is not enough for leaders to say:  Trust us, we won’t abuse the data we collect.  For history has too many examples when that trust has been breached.  Our system of government is built on the premise that our liberty cannot depend on the good intentions of those in power; it depends on the law to constrain those in power.

I make these observations to underscore that the basic values of most Americans when it comes to questions of surveillance and privacy converge a lot more than the crude characterizations that have emerged over the last several months.  Those who are troubled by our existing programs are not interested in repeating the tragedy of 9/11, and those who defend these programs are not dismissive of civil liberties.

The challenge is getting the details right, and that is not simple.  In fact, during the course of our review, I have often reminded myself I would not be where I am today were it not for the courage of dissidents like Dr. King, who were spied upon by their own government.  And as President, a President who looks at intelligence every morning, I also can’t help but be reminded that America must be vigilant in the face of threats.

Fortunately, by focusing on facts and specifics rather than speculation and hypotheticals, this review process has given me — and hopefully the American people — some clear direction for change.  And today, I can announce a series of concrete and substantial reforms that my administration intends to adopt administratively or will seek to codify with Congress.

First, I have approved a new presidential directive for our signals intelligence activities both at home and abroad.  This guidance will strengthen executive branch oversight of our intelligence activities.  It will ensure that we take into account our security requirements, but also our alliances; our trade and investment relationships, including the concerns of American companies; and our commitment to privacy and basic liberties.  And we will review decisions about intelligence priorities and sensitive targets on an annual basis so that our actions are regularly scrutinized by my senior national security team.

Second, we will reform programs and procedures in place to provide greater transparency to our surveillance activities, and fortify the safeguards that protect the privacy of U.S. persons.  Since we began this review, including information being released today, we have declassified over 40 opinions and orders of the Foreign Intelligence Surveillance Court, which provides judicial review of some of our most sensitive intelligence activities — including the Section 702 program targeting foreign individuals overseas, and the Section 215 telephone metadata program.

And going forward, I’m directing the Director of National Intelligence, in consultation with the Attorney General, to annually review for the purposes of declassification any future opinions of the court with broad privacy implications, and to report to me and to Congress on these efforts.  To ensure that the court hears a broader range of privacy perspectives, I am also calling on Congress to authorize the establishment of a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.

Third, we will provide additional protections for activities conducted under Section 702, which allows the government to intercept the communications of foreign targets overseas who have information that’s important for our national security.  Specifically, I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases communications between Americans and foreign citizens incidentally collected under Section 702.

Fourth, in investigating threats, the FBI also relies on what’s called national security letters, which can require companies to provide specific and limited information to the government without disclosing the orders to the subject of the investigation.  These are cases in which it’s important that the subject of the investigation, such as a possible terrorist or spy, isn’t tipped off.  But we can and should be more transparent in how government uses this authority.

I have therefore directed the Attorney General to amend how we use national security letters so that this secrecy will not be indefinite, so that it will terminate within a fixed time unless the government demonstrates a real need for further secrecy.  We will also enable communications providers to make public more information than ever before about the orders that they have received to provide data to the government.

This brings me to the program that has generated the most controversy these past few months — the bulk collection of telephone records under Section 215.  Let me repeat what I said when this story first broke:  This program does not involve the content of phone calls, or the names of people making calls.  Instead, it provides a record of phone numbers and the times and lengths of calls — metadata that can be queried if and when we have a reasonable suspicion that a particular number is linked to a terrorist organization.

Why is this necessary?  The program grew out of a desire to address a gap identified after 9/11.  One of the 9/11 hijackers — Khalid al-Mihdhar — made a phone call from San Diego to a known al Qaeda safe-house in Yemen.  NSA saw that call, but it could not see that the call was coming from an individual already in the United States.  The telephone metadata program under Section 215 was designed to map the communications of terrorists so we can see who they may be in contact with as quickly as possible.  And this capability could also prove valuable in a crisis.  For example, if a bomb goes off in one of our cities and law enforcement is racing to determine whether a network is poised to conduct additional attacks, time is of the essence.  Being able to quickly review phone connections to assess whether a network exists is critical to that effort.

In sum, the program does not involve the NSA examining the phone records of ordinary Americans.  Rather, it consolidates these records into a database that the government can query if it has a specific lead — a consolidation of phone records that the companies already retained for business purposes.  The review group turned up no indication that this database has been intentionally abused.  And I believe it is important that the capability that this program is designed to meet is preserved.

Having said that, I believe critics are right to point out that without proper safeguards, this type of program could be used to yield more information about our private lives, and open the door to more intrusive bulk collection programs in the future.  They’re also right to point out that although the telephone bulk collection program was subject to oversight by the Foreign Intelligence Surveillance Court and has been reauthorized repeatedly by Congress, it has never been subject to vigorous public debate.

For all these reasons, I believe we need a new approach.  I am therefore ordering a transition that will end the Section 215 bulk metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.

This will not be simple.  The review group recommended that our current approach be replaced by one in which the providers or a third party retain the bulk records, with government accessing information as needed.  Both of these options pose difficult problems.  Relying solely on the records of multiple providers, for example, could require companies to alter their procedures in ways that raise new privacy concerns.  On the other hand, any third party maintaining a single, consolidated database would be carrying out what is essentially a government function but with more expense, more legal ambiguity, potentially less accountability — all of which would have a doubtful impact on increasing public confidence that their privacy is being protected.

During the review process, some suggested that we may also be able to preserve the capabilities we need through a combination of existing authorities, better information sharing, and recent technological advances.  But more work needs to be done to determine exactly how this system might work.

Because of the challenges involved, I’ve ordered that the transition away from the existing program will proceed in two steps.  Effective immediately, we will only pursue phone calls that are two steps removed from a number associated with a terrorist organization instead of the current three.  And I have directed the Attorney General to work with the Foreign Intelligence Surveillance Court so that during this transition period, the database can be queried only after a judicial finding or in the case of a true emergency.

Next, step two, I have instructed the intelligence community and the Attorney General to use this transition period to develop options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this metadata itself.  They will report back to me with options for alternative approaches before the program comes up for reauthorization on March 28th.  And during this period, I will consult with the relevant committees in Congress to seek their views, and then seek congressional authorization for the new program as needed.

Now, the reforms I’m proposing today should give the American people greater confidence that their rights are being protected, even as our intelligence and law enforcement agencies maintain the tools they need to keep us safe.  And I recognize that there are additional issues that require further debate.  For example, some who participated in our review, as well as some members of Congress, would like to see more sweeping reforms to the use of national security letters so that we have to go to a judge each time before issuing these requests.  Here, I have concerns that we should not set a standard for terrorism investigations that is higher than those involved in investigating an ordinary crime.  But I agree that greater oversight on the use of these letters may be appropriate, and I’m prepared to work with Congress on this issue.

There are also those who would like to see different changes to the FISA Court than the ones I’ve proposed.  On all these issues, I am open to working with Congress to ensure that we build a broad consensus for how to move forward, and I’m confident that we can shape an approach that meets our security needs while upholding the civil liberties of every American.

Let me now turn to the separate set of concerns that have been raised overseas, and focus on America’s approach to intelligence collection abroad.  As I’ve indicated, the United States has unique responsibilities when it comes to intelligence collection.  Our capabilities help protect not only our nation, but our friends and our allies, as well.  But our efforts will only be effective if ordinary citizens in other countries have confidence that the United States respects their privacy, too.  And the leaders of our close friends and allies deserve to know that if I want to know what they think about an issue, I’ll pick up the phone and call them, rather than turning to surveillance.  In other words, just as we balance security and privacy at home, our global leadership demands that we balance our security requirements against our need to maintain the trust and cooperation among people and leaders around the world.

For that reason, the new presidential directive that I’ve issued today will clearly prescribe what we do, and do not do, when it comes to our overseas surveillance.  To begin with, the directive makes clear that the United States only uses signals intelligence for legitimate national security purposes, and not for the purpose of indiscriminately reviewing the emails or phone calls of ordinary folks.  I’ve also made it clear that the United States does not collect intelligence to suppress criticism or dissent, nor do we collect intelligence to disadvantage people on the basis of their ethnicity, or race, or gender, or sexual orientation, or religious beliefs.  We do not collect intelligence to provide a competitive advantage to U.S. companies or U.S. commercial sectors.

And in terms of our bulk collection of signals intelligence, U.S. intelligence agencies will only use such data to meet specific security requirements:  counterintelligence, counterterrorism, counter-proliferation, cybersecurity, force protection for our troops and our allies, and combating transnational crime, including sanctions evasion.

In this directive, I have taken the unprecedented step of extending certain protections that we have for the American people to people overseas.  I’ve directed the DNI, in consultation with the Attorney General, to develop these safeguards, which will limit the duration that we can hold personal information, while also restricting the use of this information.

The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security, and that we take their privacy concerns into account in our policies and procedures.  This applies to foreign leaders as well.  Given the understandable attention that this issue has received, I have made clear to the intelligence community that unless there is a compelling national security purpose, we will not monitor the communications of heads of state and government of our close friends and allies.  And I’ve instructed my national security team, as well as the intelligence community, to work with foreign counterparts to deepen our coordination and cooperation in ways that rebuild trust going forward.

Now let me be clear:  Our intelligence agencies will continue to gather information about the intentions of governments — as opposed to ordinary citizens — around the world, in the same way that the intelligence services of every other nation does.  We will not apologize simply because our services may be more effective.  But heads of state and government with whom we work closely, and on whose cooperation we depend, should feel confident that we are treating them as real partners.  And the changes I’ve ordered do just that.

Finally, to make sure that we follow through on all these reforms, I am making some important changes to how our government is organized.  The State Department will designate a senior officer to coordinate our diplomacy on issues related to technology and signals intelligence.  We will appoint a senior official at the White House to implement the new privacy safeguards that I have announced today.  I will devote the resources to centralize and improve the process we use to handle foreign requests for legal assistance, keeping our high standards for privacy while helping foreign partners fight crime and terrorism.

I have also asked my counselor, John Podesta, to lead a comprehensive review of big data and privacy.  And this group will consist of government officials who, along with the President’s Council of Advisors on Science and Technology, will reach out to privacy experts, technologists and business leaders, and look how the challenges inherent in big data are being confronted by both the public and private sectors; whether we can forge international norms on how to manage this data; and how we can continue to promote the free flow of information in ways that are consistent with both privacy and security.

For ultimately, what’s at stake in this debate goes far beyond a few months of headlines, or passing tensions in our foreign policy.  When you cut through the noise, what’s really at stake is how we remain true to who we are in a world that is remaking itself at dizzying speed.  Whether it’s the ability of individuals to communicate ideas; to access information that would have once filled every great library in every country in the world; or to forge bonds with people on other sides of the globe, technology is remaking what is possible for individuals, and for institutions, and for the international order.  So while the reforms that I have announced will point us in a new direction, I am mindful that more work will be needed in the future.

One thing I’m certain of:  This debate will make us stronger.  And I also know that in this time of change, the United States of America will have to lead.  It may seem sometimes that America is being held to a different standard.  And I’ll admit the readiness of some to assume the worst motives by our government can be frustrating.  No one expects China to have an open debate about their surveillance programs, or Russia to take privacy concerns of citizens in other places into account.  But let’s remember:  We are held to a different standard precisely because we have been at the forefront of defending personal privacy and human dignity.

As the nation that developed the Internet, the world expects us to ensure that the digital revolution works as a tool for individual empowerment, not government control.  Having faced down the dangers of totalitarianism and fascism and communism, the world expects us to stand up for the principle that every person has the right to think and write and form relationships freely — because individual freedom is the wellspring of human progress.

Those values make us who we are.  And because of the strength of our own democracy, we should not shy away from high expectations.  For more than two centuries, our Constitution has weathered every type of change because we have been willing to defend it, and because we have been willing to question the actions that have been taken in its defense.  Today is no different.  I believe we can meet high expectations.  Together, let us chart a way forward that secures the life of our nation while preserving the liberties that make our nation worth fighting for.

Thank you.  God bless you.  May God bless the United States of America.  (Applause.)

Too big to jail: why the government is quick to fine but slow to prosecute big corporations

Top executives from some of the companies blamed for the financial crisis testify on Capitol Hill. (Getty Images)

Ever since the financial crisis, many Americans and politicians have been calling for more aggressive prosecutions of Wall Street banks and executives (to little avail). It’s not just banks, though — in his new book, Too Big to Jail, University of Virginia Law professor Brandon Garrett explains that even while fines for corporations across all industries have risen, the government has still often gone easy on big firms that have done wrong. Vox spoke to Garrett about his new book.

DK: What was to you the most surprising or alarming trend you found in writing this book?

BG: There are so many things that are disguised by the rise in fines [see chart below]. My first reaction was, “Oh my God, these corporate crime cases have exploded. I’ve never seen fines like this.” Even just in the last few years, as I’ve been working on the book, all of a sudden these million dollar fines have become more routine, even, each record breaking the next one. So just the sheer amounts of money have surprised everyone. No one ever expected to see cases this big.

But all along, I would have thought that given the things the Department of Justice has been saying about how aggressive they want to get about corporate crime — I would expect to see more corporations prosecuted, and instead, those numbers have been declining. And I would expect to see more individuals prosecuted in these cases, and very few individuals are prosecuted.

Size of corporate criminal penalties by year (figures for 2014 are for fines thus far). (Source: Brandon Garrett)

DK: It’s so easy to think about these prosecutions as being of banks, ever since the financial crisis. It’s surprising to see how big fines are across the board.

This isn’t just about banks. The same too-big-to-jail concern exists in a host of settings. Pharmaceutical companies fear being debarred from Medicare and Medicaid. But on the other hand, pharmaceutical companies also know that Medicare and Medicaid patients can’t do without their pharmaceuticals. Realistically, they are not going to get debarred. Just like banks know that realistically, they are not going to lose their charters. Just like hospitals know that realistically, no community wants their nonprofit hospital closed.

And there are good reasons we don’t want to put important companies out of business just because a few employees committed a crime. But when you have a company that really is a breeding ground for crime, and where the crime was really benefiting the company, part of the business plan, then all of a sudden the dynamic gets really ugly.

You worry that the very ability of the company to profit from its crime helps it to remain above the law.

DK: So what does it mean that the type of crime changes by year?

You can really see how in one year it might be pharmaceutical fines that explode. And another year it’s money-laundering. And another year it’s environmental. That chart continues to go up and up and up and up in the last two years, but what that chart disguises is that it’s somewhat random each year — which is the crime, which is the industry that’s going to bring in the blockbuster crime. And what’s driving those numbers is really just a handful of cases each year.

But that said, in any one of these cases, the fines are a fraction of what they could have been, and in plenty of the cases, the companies are disgorging their profits, but that’s not much of a penalty, to just give up your profits. It seems like something of a worthwhile risk if you don’t always get caught.

The criminal statutes are set up so that companies are to be fined up to twice their gains or twice the losses to victims, and it’s incredibly rare to see that fine provision really used to full effect. Companies are given leniency.

And there’s some good reason to give companies leniency, to really encourage them to report their own crimes and cooperate. I think we’d be even happy to see companies get serious — if the result was prosecutions of individuals who were responsible, or if they were cooperating and they had evidence that they had absolutely reformed themselves so that this could never happen again.

But most companies don’t treat it as an opportunity when they get prosecuted for crimes.

DK: Is the problem that the government is seeking out fines and penalties instead of prosecuting? If so, then why is the government being so shy about this?

BG: Well, one lesson is that the bottom line dollars being paid don’t tell you whether companies are being treated leniently or harshly, because it could just be that more and more serious crimes are being uncovered, but they could be treated just as leniently as before. And I think that’s what the evidence is.

When we think of criminal punishment, in regular criminal cases, the fine is not the main part of the punishment. Obviously, putting someone in jail is. But there’s also a conviction, and the serious consequences of being a convict, and companies are avoiding that, for starters.

I think we’re going to see this as a bigger and bigger problem as banks and other companies are increasingly recidivists — except [unlike individual criminals] they avoid the consequences of committing new crimes, as the last time they committed crimes they received these non-prosecution agreements [in which they perform specific actions in exchange for dismissed charges or no charges]. So with no crime on their record, nothing happens if they do it again.

Although companies can’t literally be put into jail, despite my cute title, companies can be controlled and supervised, just like an individual criminal can be. So that’s where the non-fine aspects of these agreements come in. Companies can in effect be put on probation, where they’re monitored and forced to change their activities to make sure that employees don’t have the same incentives to commit new crimes. I view that as just as important as paying money, but prosecutors clearly haven’t treated it as particularly important.

DK: Is there a disconnect between how a corporation is treated in the justice system vs. individuals? It seems like there may be this inclination to rehabilitate a corporation but to punish someone who has done wrong.

People like me think that rehabilitation should be brought back into the criminal justice system. I wish we focused more on rehabilitating individuals, rather than just throwing them in prison for years, to great harm to them and collaterally.

There has been some softening of our overcriminalized justice system in the last few years. We’ve done a little bit to reduce the impact of sentencing guidelines. There have been efforts to grant clemency to people who receive mandatory minimum sentences that were excessive.

But all of that is tinkering on the back end. What companies get is the front end. They get to avoid convictions entirely. They get to avoid any collateral consequences because there is no conviction.

So it’s not just, “We could rehabilitate prisoners, think about reentering them into society a little bit more, think about making their sentences a little bit milder.” Companies are getting something entirely different.

That said, companies can’t go to jail, and rehabilitating a company is really important. But you don’t have to rehabilitate the company and let all the individuals that committed crimes go free.

DK: I want to focus a little more tightly on the banking sector. Other experts have told me that the DOJ just hasn’t had enough firepower to go after big institutions since the crisis, and that also a lot of these things are tough to prove. What do you think is the reason that we haven’t really seen more aggressive actions here?

BG: There have been people shipped off to prison, but not in the cases people have in mind.

Instead, there have been bank prosecutions, but over crimes that seem tangential to the crisis, like the LIBOR manipulation. But those tend to be crimes where it’s easier to show that a small number of people had intent, and some of those are crimes where there are more easily identifiable victims, versus some of the mortgage fraud, where there are sophisticated actors working with each other, where to show intent to defraud, you have to show that there’s a clearly deceptive scheme that misled someone else.

And to show that you’re intentionally misleading someone else? It is hard to criminalize. You don’t want to criminalize business deals. In any business deal, both sides are going to be trying to puff up their side and say, “This is a great opportunity. You just have to take advantage of it.”

Also, any given deal will have been signed off on by dozens of different people. When you have so many people signing off, and you have the rating agencies signing off in their way, it’s hard to pinpoint blame.

And then there are real questions people have raised about whether that kind of hard-nosed criminal investigation would have even been possible, given that the government was embedded in these banks, trying to prop these financial institutions up after the crisis.

I think people are right to wonder what to make of the mostly civil settlements that have resulted from the financial crisis, since these settlements are hard to understand. It’s hard to understand where the amounts come from, [and] the conduct isn’t really carefully described in the same way that it would be if it was a criminal settlement.

But when the Department of Justice says, “That’s the best we can do,” that may be right because it’s the best they can do now. I just don’t think anyone will ever be able to answer whether they could have done better in an imaginary world where they had sort of gone sort of Eliot Ness on these banks right after the crisis.

DK: So what are the biggest changes we need to make to how we do corporate prosecutions?

BG: The simplest version of that is I think they should be brought as real criminal cases. Insisting on convictions, supervised by a judge, with monitoring, with fines calculated for real under the guidelines. The state of mind should be a criminal state of mind. We should be thinking about punishment. We shouldn’t be thinking about settlements or convenience. And if it takes more resources to really treat these cases as criminal, then those resources should be found.

I would love for them to be diverted from the resources poured into all the low-level drug and immigration cases that so many prosecutors’ offices spend their time on. If that’s the way to readjust the priorities in our federal criminal system, I’m all for it. There would be rehabilitation all around.

But the answer is no, that’s never going to happen. If Congress doesn’t want to fund the SEC, they’re not going to want to fund a serious corporate crime unit. Well, then we can’t blame Eric Holder and the DOJ anymore. Then we have to blame ourselves for not pushing Congress.

$500 million for new Russian cyber army

Russia is recruiting now for new dedicated cyber-forces in the army, with an initial outlay of some US$ 500 million (approximately £315 million).

The Russian army is setting up a new division to focus on the fight against cyber-threats, according to Sergei Shoigu, Russia’s Minister of Defence.

Among the main tasks of the new division will be monitoring and processing of information coming from abroad, as well as the fight against cyber-threats and attacks. Foreign languages, and in particular English, will be required for all officers serving in these military units.

Earlier this year the Russian Ministry of Defence announced a “major search (great hunt)” for young programmers and IT experts, graduating from Russian civilian universities.

Sergei Shoigu comments:  “We are starting a “major search” for programmers and IT experts. This need is dictated by the volume of IT and security technologies that are intended to be integrated in the national army over the next five years. We need a new generation of young people who will develop the science of warfare.”

The structure of such units has not yet been disclosed. One of the options is the establishment of a special Cyber Defence Centre in the General Staff, as well as similar centers in each military district and fleet of the country.

In addition to the establishment of new branches, there are plans to create a military cyber-network that will not have any connection to the Internet and will have multi-level protection, intended to prevent any attacks from outside the country.

As part of these plans, the Russian government plans to accelerate training of programmers, mathematicians, engineers, cryptographers, communicators, interpreters and other staff, who will be asked to sign a contract for service in the Russian army.

So far, special scientific squadrons have already been established in the Russian army, which focus on defeating cyber-attacks on the military infrastructure of the country, as well as on the websites of the Russian Parliament and President; there are an estimated 10,000 such attacks daily.

These new cyber-divisions will come under command of Colonel-General Pavel Popov, deputy minister of defence.

Bob Tarzey, director and analyst for IT consultancy Quocirca Group, told SCMagazineUK.com: “It’s not unusual for a country to review its security against new threats and cyber-space is a new threat. If there is a threat, it’s natural to put defences in place, so (the establishment of a cyber-division) is not a surprise.

“First you look at why cyber space is going to be important in future conflicts: The need to gather intelligence as with traditional espionage; the ability to disrupt communications to hamper conventional forces, and also the ability to deliver cyber-assaults on critical infrastructure – including the banking sector, as happened in Estonia. Look at other military powers, certainly the US, so this move is to be expected.”

While the level of investment in the establishment of these new divisions is not disclosed, some sources close to the Russian General Staff say that it may reach up to US$ 500 million (£314 million) in the initial stages.

The Russian parliament has approved what is probably the most militaristic federal budget in the history of modern Russia. Total expenditure for the army in 2015 is due to reach an enormous RUB 3.3 trillion (£45 billion). This compares to US-based IHS Inc. estimates for the entire Russian military budget of US$ 78 billion (£50 billion) in 2014, which it predicted would rise to US$ 98 billion (£62 billion) in 2016 – but this figure is still dwarfed by the US military spend of more than US$ 600 billion (£375 billion) in 2013.

Sarb Sembhi, consultancy services director with Storm Guidance and a leading member of the ISACA International security professionals organisation, adds that what is made public is not necessarily to be trusted, in terms of amounts of expenditure and capabilities, as the sector is rife with misinformation.

Nonetheless, Sembhi also sees the move as a logical one, but points out that Russia, while slowly keeping up with more advanced countries, is at a disadvantage given that the Five Eyes (US, Canada, UK, Australia, New Zealand) are able to share information. However, Russia can potentially call upon the expertise and experience of its criminal fraternity, he told SCMagazineUK.com: “It would be no surprise if there are links (between government and organised crime), and it would be a great surprise if there were no links.”

How big data has become accessible to everyone


It’s been the narrative of technology since the wheel was invented. Something is new, exciting … and expensive. Then we find a way to mass produce it (or something similar). Processes get better, and equipment gets cheaper. Consumers save big. Then something new comes out.

Lather, rinse, repeat.

When big data first rose to market prominence, critics were quick to pounce on the same tired old complaints — it’s too expensive, too insecure, too volatile. We don’t know if it will work. We don’t know if it will make any difference. It’s just too complicated. But data scientists, like their forebears in all realms of discovery and research, turned a deaf ear to the naysayers. They kept working, they kept learning … and they kept getting better.

Today, the marketplace is enjoying the fruits of the established connection between increased data (thanks mobile!), better math, and increasingly cost-effective data storage options. Data scientists can capture more information, understand it better (and easier) and they can store more information — and hold onto it longer — than they could before. These innovations have led to incremental increases in the benefits enjoyed and diverse results gathered from big data.

Now it’s not only the data scientists who are paying close attention to the progress of big data analytics. Business analysts, prognosticators and serial entrepreneurs are digging into the data and finding their own personal pots of gold at the end of a very long and complex data rainbow.

Advanced analytics mean that businesses can better understand their customers and prospects. Instead of carpet-bombing advertising campaigns, they can launch “smart bomb” adverts and build websites that customize themselves for every new visitor.

Internally, businesses are enjoying better and smoother human resources operations. They are finding better fits for positions early in the hiring process. They are tracking how workflow and environment impact their profitability and acting accordingly.

History tells us technology will continue to be refined, making data analysis — and its myriad benefits — better, smarter, and faster. Thinking machines are already moving beyond gathering and collating data to crunching and making connections. Not too long ago, IBM’s Watson was a sideshow anomaly competing on Jeopardy. Today, thinking machines are turning data gathering into a growth industry.

What will tomorrow bring? We can’t say for sure, but we do know big data will be in the driver’s seat.

David Steinberg is the chief executive of Zeta Interactive, a big data and customer lifestyle marketing platform

Quantum leap forward: China to launch world’s longest, ‘hack-proof’ network by 2016

China is completing the planet’s longest quantum communication network, a 2,000-kilometer link from Beijing to Shanghai. The network is considered “unhackable” and is set to start operating in 2016.

The “unhackability” is due to the most secure encryption technology ever, the South China Morning Post reported.

By 2030, the network is expected to stretch all over the globe, Xinhua news agency said.

For now, the service is to be used by the Chinese government, the military and key business institutions such as banks.

The plans were disclosed by Professor Pan Jianwei, a quantum physicist with the University of Science and Technology of China and a lead scientist behind the project.

“China’s quantum information science and technology is developing very fast and China leads in some areas in this field. Any city in China, as long as they want to, can start to build the quantum communication network now,” he said, Xinhua reported.

Chen Yuxiang, chief engineer for the construction of the Beijing-Shanghai network, indicated that the infrastructure would be ready between the end of the year and next summer. The network also needs to be built and activated.

The budget for the Beijing-Shanghai project is estimated at 100 million yuan ($16 million) for every 10,000 users.

Theoretically, the quantum network can’t be hacked: should anyone try to intercept the encryption key, the physical status of the quantum data, or qubits, would change, and alert those who sent the information.

Europe, Japan and Canada are also planning to start their own quantum networks. The US has also been looking for funds to sponsor a 10,000-kilometer network between major cities.

Experts are sure, though, that China is ahead of everyone in the quantum network project.

“The Chinese are really pushing the boundaries. They are moving at an incredible rate. No one else around the world has plans that are this ambitious,” Raymond Laflamme, the head of the Institute for Quantum Computing at the University of Waterloo in Canada, told The Telegraph.

“China is putting itself in the position of having secure private information that other countries will not be able to tap,” he added.