Washington, DC, United States

Stewart M.G.,University of Newcastle | Mueller J.,Ohio State University | Mueller J.,Cato Institute
Risk Analysis | Year: 2013

We evaluate, for the U.S. case, the costs and benefits of three security measures designed to reduce the likelihood of a direct replication of the 9/11 terrorist attacks. To do so, we assess risk reduction, losses, and security costs in the context of the full set of security layers. The three measures evaluated are installed physical secondary barriers (IPSB) to restrict access to the hardened cockpit door during door transitions, the Federal Air Marshal Service (FAMS), and the Federal Flight Deck Officer (FFDO) Program. In the process, we examine an alternate policy measure: doubling the budget of the FFDO program to $44 million per year, installing IPSBs in all U.S. aircraft at a cost of $13.5 million per year, and reducing funding for FAMS by 75% to $300 million per year. A break-even cost-benefit analysis then finds the minimum probability of an otherwise successful attack required for the benefit of each security measure to equal its cost. We find that the IPSB is cost-effective if the annual attack probability of an otherwise successful attack exceeds 0.5% or one attack every 200 years. The FFDO program is cost-effective if the annual attack probability exceeds 2%. On the other hand, more than two otherwise successful attacks per year are required for FAMS to be cost-effective. A policy that includes IPSBs, an increased budget for FFDOs, and a reduced budget for FAMS may be a viable policy alternative, potentially saving hundreds of millions of dollars per year with consequences for security that are, at most, negligible. © 2013 Society for Risk Analysis.

Bandow D.,Cato Institute
Orbis | Year: 2012

Although the shift back towards a more normal international order seems inevitable, its timing and manner are not. The transformation will be smoother and America's security will be greater if the U.S. adapts to changing circumstances by exercising restraint and placing greater responsibility on allied and other associated states. Ultimately, the status of the Near Seas matters most to nearby nations which are both prosperous and friendly. They must do more to preserve an open political and economic order in East Asia. © 2012.

Shapiro I.,Cato Institute | Jost T.S.,Washington and Lee University
Health Affairs | Year: 2010

This essay argues that the Patient Protection and Affordable Care Act exceeds Congress's authority to regulate interstate commerce and its taxing power, and infringes on state prerogatives. The lawsuits that have been filed by states and individuals arguing these points raise serious legal issues, not the least of which is whether there are any constitutional limits remaining on government power. Because the new law is unprecedented - in both its regulatory scope and its expansion of federal authority - it is difficult to predict how courts will react. However, a holding that these measures were in fact constitutional would fundamentally alter the relationship of the federal government to the states and the people, as there would seem to be no constitutional limits on federal power. ©2010 Project HOPE - The People-to-People Health Foundation, Inc.

News Article | March 18, 2016
Site: http://motherboard.vice.com/

On June 9, 2013, a then-unknown intelligence contractor named Edward Snowden revealed himself to be the source behind a series of explosive scoops based on top secret National Security Agency documents. The next day, a secret court in Virginia ordered the owner of a small email provider in Texas to help investigators surveil Snowden’s email communications. That order set off a long legal fight that was mostly shrouded in complete secrecy for two months, until Ladar Levison, the owner of the email provider called Lavabit, decided to shut down his service rather than “become complicit in crimes against the American people,” as he put it at the time. Even then, most details of the case remained under seal until October 2013, when a judge in Alexandria agreed to publish part of the court documents filed in the fight. Finally, in early March of this year, almost three years later, the judge ordered even more documents to be released. Some information in the court documents still remains redacted, such as the basis, or “probable cause,” as to why the US government was interested in Snowden’s email data. In fact, the US government went to great lengths to redact who the case was really about. But a mistake in the redaction process confirms it was indeed about Snowden’s email. But more importantly, read again three years later, the documents shed light on a case that shares many similarities with the recent fight between the FBI and Apple. At the heart of both cases there’s the same fundamental question: How far can the US government force tech companies to go to help access their users’ data? After Snowden outed himself, the government wanted to get a bunch of information from Snowden’s Lavabit account, including his IP address and the unique IDs (MAC addresses) of the computers he used while sending emails from the service, as well as payment and other records.
Levison responded to the government’s order by mail on June 11, providing “very little” of the information the government wanted, according to the documents. At that point the US government got another order compelling Levison to install what’s known as a “pen register” to get Snowden’s email metadata in real-time. When the feds showed up at Levison’s door to hand-deliver the order to him, he said that’d be impossible, because the target of the investigation had paid to have an extra layer of protection on his account, so all that information was encrypted. But the FBI had done its homework, and already had another card up its sleeve: If only Levison agreed to hand over the encryption keys protecting Lavabit’s server, then the feds themselves could “capture the user’s connections, and password in the clear.” A few days later Levison himself admitted that the FBI’s solution was technically possible in an email to the prosecutor. In a hearing on July 16, Levison went to court by himself, without the help of a lawyer, arguing he had been ready to comply with the pen register order ever since he met with the FBI agents, but he also said giving up the encryption keys was too much, because it would compromise the privacy of all his customers, not just the one target of this investigation. “Those keys are used to secure the traffic for all users,” Levison said, according to a transcript. “I’ve always been willing to accept the [pen register] device. I just have some concern about ensuring that it’s used properly,” he later added. Levison, who claimed to have brought a copy of Lavabit’s encryption keys in case he was forced to give them up, also asked for the case to be made public. “I believe it’s important for the industry and the people to understand what the government is requesting by demanding that I turn over these encryption keys for the entire service,” he added.
The prosecutor snarkily dismissed this request, arguing that all Levison wanted was to get the industry “to come in and litigate as a surrogate for him.” “I don’t think he’s entitled to try to make this a public proceeding to invite others in to litigate those issues on his behalf,” said Assistant US Attorney James Trump, adding that by industry he meant groups and others “who have litigated issues like this in the WikiLeaks context and others.” Judge Claude Hilton didn’t directly weigh in on the merits of Levison’s argument, but eventually rejected it, simply saying that “this was a criminal investigation” and it required secrecy. The prosecutor reiterated that this was just about one account, and dismissed Levison’s concern that the FBI could spy on all his 400,000 customers, saying there wouldn’t be any agents “looking through the 400,000 other bits of information, customers, whatever.” In a previous filing, the US government had also argued that giving up SSL keys wasn’t a big deal because Levison could just change them after the government was done intercepting data from Snowden’s email account. Eventually, Judge Hilton ordered Levison to turn over the keys in 24 hours. Within the deadline, Levison complied with the order, but delivered the 2,560 characters making up the keys in an extremely small font spread over an 11-page printout. Then the government complained and got the court to impose a sanction of $5,000 for each day of delay until Levison delivered the keys in an electronic form. Two days and $10,000 later, Levison apparently gave up, sending a “usable version of Lavabit’s encryption keys” to the government. The next day, however, he shut down his service, making those keys completely useless.
THE SHADOW OF LAVABIT OVER THE APPLE VS FBI CASE

While many circumstances in the Lavabit case are different than the case of the San Bernardino shooters’ iPhone, there are also obvious similarities. In the Lavabit case, the feds argued it was just about one account; in the Apple case, the US government claims this is just about one phone. In both cases, the feds argued that it’s not too burdensome to simply hand over some code. Given Lavabit’s precedent, some are worried that what happened with Levison and his small email provider could happen again with the giant Apple. That’s not just speculation—the Justice Department explicitly cited the Lavabit case in a footnote in its most recent filing in the case. The government’s argument is essentially that its current order, which asks Apple to undermine some security features of the iPhone’s operating system so that it can hack into it, is just a friendly request that could very well anticipate a more unkind one: get Apple to surrender its developer encryption keys so that investigators can write and install their own version of Apple’s operating system to get around its security measures. “Such a move would signal a race to the bottom of the slippery slope that has haunted privacy advocates: A world where companies can be forced to sign code developed by the government to facilitate surveillance,” Julian Sanchez, a surveillance expert and fellow at the Cato Institute, wrote in a blog post on Thursday. Sanchez also notes that what’s even more worrying is that such a request could potentially rely on firmer legal ground than the FBI’s current one, which relies on an obscure and controversial 1789 law. “‘Give us your dev key’ is probably on firmer ground legally than ‘write custom code for us’ but arguably way, way scarier,” Sanchez said earlier. Furthermore, several tech companies have been forced to give up their source code in the past, as a ZDNet investigation published on Thursday revealed.
It’s unclear if those cases involved encryption keys, but it wouldn’t be a stretch for the US government to argue that it makes no difference. Whether the judge in the Apple case, and the judges who will hear the inevitable appeals, will side with the government—if it ever decides to request Apple’s keys—remains to be seen. In the meantime, Levison, who’s been working on a more secure replacement for email since shutting down Lavabit, chastised the government for trying to draw a parallel with his case, calling it “disturbing.” In a statement published on Wednesday, Levison highlighted the fact that the appeals court that upheld the sanctions against him for refusing to comply with the pen register order based its decision “on a contrived procedural technicality,” not on the merits of the original request. In other words, according to him, Lavabit’s case shouldn’t be considered a precedent, although it does have something in common with the Apple case. “The current Apple case, together with the Lavabit case, join a growing litany of recent court decisions which have eroded away our personal liberties,” he wrote. “Taken together, these rulings force us to ask difficult questions. Specifically, can the federal government be trusted to defend our rights, and protect our freedom?”

News Article | November 16, 2015
Site: http://motherboard.vice.com/

On Friday evening, a group of terrorists launched a string of simultaneous attacks in Paris, killing at least 129 people, according to media reports. Very little information is known about how the terrorists, who allegedly had links to ISIS, planned the attacks. Yet, that hasn’t stopped commentators and the media from speculating that the group likely avoided surveillance by using messaging apps that use encryption, and even by communicating over PlayStation 4. Belgian interior minister Jan Jambon ignited the speculation over the weekend when he complained that communications over PlayStation 4 are extremely hard to spy on. His comments were not related to the Paris attacks, however; in fact, they came three days before the attacks even happened, during a talk at a POLITICO event. The author of the viral Forbes article that started the speculation over the weekend also posited that terrorists might very well be communicating “without speaking a word,” perhaps spelling out attack plans in Super Mario Maker’s coins, or writing messages to each other by firing bullets on a wall in Call of Duty. The height of the media frenzy over the unsubstantiated possibility that ISIS is using PlayStation 4 to plot attacks or communicate was probably this inadvertently hilarious segment on the Today show on Monday, where correspondents sent each other chat messages while playing video games. “And remember this doesn’t go through your phone company,” a Today show producer said. Yet, no one has presented any evidence to support the claims that the Paris attackers were using any of these methods. Matt Suiche, a French security researcher who lives in San Francisco, said that obviously it’s possible that ISIS is using video game consoles to recruit or communicate, but that in this case, it’s more likely “they planned it physically, to avoid leaving any traces.” Many of the suspects involved in the attack were reportedly all living in the same Belgian town.
“You may as well use a homing pigeon and write in slang to coordinate a meeting, and nobody would be able to do anything,” Suiche told Motherboard in an online chat. “When it comes to planning we are talking about people who live in the same area, within a few miles radius. They can also definitely pop up to the apartment of one other, like before cellphones existed.” A spokesperson for Sony, which owns PlayStation, declined to answer a series of specific questions regarding how Sony collaborates with law enforcement authorities to investigate potential crimes. “We are dedicated to checking behavior and we urge our users and partners to report activities that may be offensive, suspicious or illegal,” the spokesperson said in the statement, sent via email. “When we identify or are notified of such conduct and verify it, we are committed to reviewing it and taking appropriate actions.” Julian Sanchez, a senior fellow at the Cato Institute and an expert on surveillance, said that as far as he knows, “there’s no end to end encryption of user communication” on the PlayStation 4. Sanchez, who noted that he owns and uses a PlayStation 4, also added that it’s possible to access a user account from any device, something that’d be “very hard” to do if there was strong encryption. Moreover, he added, if Sony has a mechanism in place to report users being abusive, the company probably has the capability to intercept and review users’ communications for other reasons. In fact, Sony clearly says it can monitor the PlayStation network in its software usage legal terms. Obviously, there are some theoretical advantages to using a non-traditional means of communication that’s less likely to be monitored by authorities. But thanks to documents leaked by Edward Snowden we know that’s not the case.
Spies from the NSA and the British intelligence agency GCHQ have been so worried about this in the past that they’ve sent undercover agents into World of Warcraft and Second Life, and monitored users of Xbox Live. Jay Kaplan, who used to work at the NSA, told Motherboard that while non-traditional platforms are more challenging than widely used ones, “at this point there is very much a ‘whatever it takes’ mentality.” “It is possible that these networks have simply been overlooked or difficult to sort through the troves as data,” Kaplan said in an email. “Impenetrable? That word doesn’t exist in the [intelligence community’s] vernacular.” It’s not even clear ISIS tolerates the use of video gaming consoles. The group, which has very strict religious rules, has apparently banned its members from even playing billiards, according to documents retrieved from Syria, and published by Aymenn Jawad Al-Tamimi, a fellow at the Middle East Forum think tank. “It is not proper for the mujahideen servants of God to occupy their leisure time with these sorts of things that render no benefit on them but rather constitute a waste of time,” reads a translated ISIS legal document, or “fatwa.” Moreover, given that ISIS members can use, and have been reported to use, encryption apps on their phones, why use the less-portable PlayStation? On Sunday, a New York Times article reported that the attackers used encryption to communicate, namechecking the popular chat program WhatsApp. The article was based on quotes of unnamed European officials, and has since mysteriously disappeared. It’s worth noting that despite the fact that WhatsApp has enabled encryption between Android users, the platform doesn’t appear to be spy-proof. Earlier this year, in fact, a group of alleged terrorists were arrested in Belgium after authorities intercepted their WhatsApp messages.
Moreover, even if the messages over WhatsApp are encrypted, authorities likely can still see who’s talking to whom—in other words, metadata. Europol declined to comment for this article. It’s possible that the Paris attackers used encryption apps, and even the PlayStation 4, to communicate. But so far, no one has presented any evidence supporting this claim. The mayor of Vilvoorde, a Brussels suburb where many jihadists who have travelled to Syria reportedly originate from, said on Monday that the country’s intelligence agencies’ lack of Arabic speakers is “without doubt one of the biggest challenges” to investigating jihadists, according to a Belgian newspaper. Also on Monday, Turkish authorities said they had alerted France months ago about one of the attackers involved in the massacre on Friday, to no avail. The reality might very well be that intelligence and law enforcement simply missed the clues that would have led to the suspects. “It’s just going to be inherently very difficult to catch every single suspicious person who’s having a conversation [online],” Sanchez told Motherboard. “Totally independent of the technical obstacle, it’s always going to be tough.”
