Great to hear your perspective, and I'm sorry you're disappointed. But that's why we have discussion lists.
Best,
Yosem

On Fri, Mar 22, 2013 at 10:30 AM, Andy Isaacson <[email protected]> wrote:
> For the record, I do not think that the poster of this message is a
> reliable narrator, and I regret that this is being put about as a
> "noisebridge" document. It's present on the Noisebridge webserver
> merely because it was sent to a public mailing list which is
> automatically archived.
>
> The so-called "ToS tell" is obviously not a reliable indicator of NSL
> activity, and most of his evidence is similarly questionable. I do
> believe that this individual was interviewed by law enforcement as a
> follow-on to his full-disclosure posts about security weaknesses in US
> utility company systems, but the rest of the story seems weak.
>
> There's a pretty strong cultural tradition at Noisebridge of treating
> even fairly outlandish claims with a modicum of tongue-in-cheek respect
> (although like all "rules" it's observed mostly in the breach, and
> trolling and mockery rule the day). Please read my posts in that
> archive thread with that in mind.
>
> Yosem, I'm disappointed that you forwarded this to libtech without an
> editorial caution.
>
> -andy
>
> On Fri, Mar 22, 2013 at 10:00:19AM -0700, Yosem Companys wrote:
>> https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-March/035200.html
>>
>> Thu Mar 21 09:15:36 UTC 2013
>>
>> NSLs were still alive and kicking up until a week or so ago, when the
>> EFF's successful ruling was announced. The EFF has let me know that
>> the ruling only stands for 90 days and that there is a possibility the
>> ruling will be rescinded after that upon appeal. So, we are not safe
>> yet. I was in contact with the EFF this month regarding the issue.
>> They referred me to some lawyers, but basically, the advice to me in
>> general has been that no digital information is protected from
>> snooping unless it is stored in your home and encrypted. But even
>> then, I am told that silent "black bag" jobs (tampering with your home
>> electronic devices) are a possibility if you are labeled a threat to
>> national security.
>>
>> Here is some feedback I can share, since I am a rare person to have
>> realized the snooping was in effect while it was occurring. I also got
>> confirmation of this due to lack of a confidentiality requirement when
>> multiple agents attempted to visit me in person and called me on the
>> phone. They wanted to follow up after their many months of snooping
>> revealed that I was not in fact a "terrorist" -- simply a security
>> researcher that had identified vulnerabilities of a North American
>> utility company. After half a year of working with the utility
>> company, they did nothing to protect my own data, so I went online to
>> blow the whistle about the company being breached and all user data
>> (including home addresses and names) being compromised. With this
>> vulnerability, someone could effectively find your home address /
>> phone / name on account no matter where you lived in North America,
>> since you are required to provide this when receiving utility service.
>> To my knowledge, the companies involved have still not gone public
>> with this information.
>>
>> Some things the Secret Service did to snoop on me that you should also
>> be aware of, and some feedback follow:
>>
>> * SS served Google with an NSL to obtain my account information.
>>
>> * Around January, upon logging into the Google account, Google showed
>> a strange NOTICE message asking me to accept the terms of usage of my
>> account. This was odd, because in a decade of being a Google user, I
>> had never seen this. I am told that this is Google's way of "telling
>> you without telling you" that you have been served an NSL. Google, by
>> law, is not allowed to tell you about the NSL, but they definitely are
>> within their right to ask you to accept their TOS upon login. This is
>> the "tell" that everyone here should be aware of. If you see this, you
>> are likely being monitored.
>>
>> * My Google account was being operated by someone else, despite
>> utilizing 2-step and very strong passwords. This may have been limited
>> to a Google Chat 0day, unpublished vulnerability, or a Google
>> backdoor. My chat contacts said I was online when I was not online or
>> had messaged them, when I had not.
>>
>> * I received multiple emails from shady individuals asking me to
>> provide / sell 0day. Some were in poor English. I presume this may
>> have been a baiting tactic to get me on some technicality. I did not
>> sell any 0day nor did I accept their request to "help them" with
>> whatever they were seeking in terms of shady deals.
>>
>> * One of my encrypted Desktop home Linux computers was mysteriously
>> wiped upon my return from a trip. The RAID array was 'corrupted'.
>>
>> * People I know started getting strange calls from random numbers at
>> odd hours. I wonder if this was some attempt to exploit remote
>> listening flaws in some phones, but I am justly paranoid.
>>
>> * Someone opened mail / packages at my physical residence to reveal
>> the contents inside. This was very odd and not something that ever
>> happens. It occurred at least twice to my knowledge.
>>
>> * Local police were posted outside my residence the morning I received
>> numerous calls from SS agents.
>>
>> * SS confirmed over the phone that they monitored my Google account,
>> after I told them I knew they were. At first, they would not tell me
>> they did and denied it. The agent actually said "Google should not
>> have told you that". When I asked how many other online accounts they
>> monitored, the agent refused to let me know the details. When asked if
>> they monitored my financial / banking / health records, they said the
>> surveillance was limited to electronic records. I presume this
>> includes my ISP, Google, phone, any accounts signed up via Google
>> (third-party registration / account emails give it away), etc.
>>
>> * I was told that my security research activities are a "legal grey
>> area", but that the investigation was being closed. The SS said that
>> the data they have on me "is safe" and "will be destroyed" after some
>> "expiration period". I vehemently expressed my distrust that it would
>> be held securely or destroyed.
>>
>> For your background, I have been on the other side of such requests,
>> as the person providing data to the Secret Service field agents
>> before. These people don't understand technology and don't understand
>> what they are asking for many times. They also don't understand even
>> the most basic concepts of how the Internet works. I presume the
>> non-field agents (the people that are in operations centers and don't
>> talk to people) are the ones that penetrate the end-user
>> electronically, as necessary. Unfortunately, I have no evidence to
>> support the above other than the strange activity on my account. An
>> entirely separate and more likely scenario is that the Secret Service
>> communications are hacked by Nation States that used that surveillance
>> to target me directly. A scary assumption, but not out of the
>> question. Mitnick was reading GOV emails long ago and I would have to
>> presume that adversaries are snooping GOV emails still to this day.
>>
>> If you have any other insights, I would be glad to hear them. I would
>> love to speak with anyone else that can come forward as an NSL victim.
>>
>> On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson <adi at hexapodia.org> wrote:
>> > Did you receive one of the few NSLs without a confidentiality
>> > requirement, or did you manage to get it set aside, or are you relying
>> > on Judge Illston's decision in this disclosure? (Just curious.)
>>
>> It did not have a confidentiality requirement, to my knowledge. I am
>> attempting to get the FOIA data on myself, but it has been rejected
>> thus far.
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at [email protected] or changing your settings at
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
