‘The intelligence coup of the century’ – For decades, the CIA and German BND read the encrypted communications of allies and adversaries.

An investigative report by The Washington Post and ZDF – published 11 FEB 2020.

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret.

The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.

The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence [BND]. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.

The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets.

The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.

“It was the intelligence coup of the century,” the CIA report concludes. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”

From 1970 on, the CIA and its code-breaking sibling, the National Security Agency, controlled nearly every aspect of Crypto’s operations — presiding with their German partners over hiring decisions, designing its technology, sabotaging its algorithms and directing its sales targets.

Then, the U.S. and West German spies sat back and listened.

They monitored Iran’s mullahs during the 1979 hostage crisis, fed intelligence about Argentina’s military to Britain during the Falklands War, tracked the assassination campaigns of South American dictators and caught Libyan officials congratulating themselves on the 1986 bombing of a Berlin disco.

A Royal Navy helicopter takes off after transporting Royal Marines to Darwin, Falkland Islands, in 1982. During the Falklands War, U.S. spies fed intelligence about Argentina’s military to Britain. (Paul Haley/Imperial War Museums/Getty Images)

An American hostage is guided outside the U.S. Embassy compound in Tehran in 1979, after students stormed the embassy and took its diplomatic staff hostage. Using Crypto, the United States monitored Iran’s mullahs during the crisis. (Kaveh Kazemi/Getty Images)

The program had limits. America’s main adversaries, including the Soviet Union and China, were never Crypto customers. Their well-founded suspicions of the company’s ties to the West shielded them from exposure, although the CIA history suggests that U.S. spies learned a great deal by monitoring other countries’ interactions with Moscow and Beijing.

There were also security breaches that put Crypto under clouds of suspicion. Documents released in the 1970s showed extensive — and incriminating — correspondence between an NSA pioneer and Crypto’s founder. Foreign targets were tipped off by the careless statements of public officials including President Ronald Reagan. And the 1992 arrest of a Crypto salesman in Iran, who did not realize he was selling rigged equipment, triggered a devastating “storm of publicity,” according to the CIA history.

But the true extent of the company’s relationship with the CIA and its German counterpart was until now never revealed.

The German spy agency, the BND, came to believe the risk of exposure was too great and left the operation in the early 1990s. But the CIA bought the Germans’ stake and simply kept going, wringing Crypto for all its espionage worth until 2018, when the agency sold off the company’s assets, according to current and former officials.

The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.

Even so, the Crypto operation is relevant to modern espionage. Its reach and duration help to explain how the United States developed an insatiable appetite for global surveillance that was exposed in 2013 by Edward Snowden. There are also echoes of Crypto in the suspicions swirling around modern companies with alleged links to foreign governments, including the Russian anti-virus firm Kaspersky, a texting app tied to the United Arab Emirates and the Chinese telecommunications giant Huawei.

This story is based on the CIA history and a parallel BND account, also obtained by The Post and ZDF, and interviews with current and former Western intelligence officials as well as Crypto employees. Many spoke on the condition of anonymity, citing the sensitivity of the subject.

It is hard to overstate how extraordinary the CIA and BND histories are. Sensitive intelligence files are periodically declassified and released to the public. But it is exceedingly rare, if not unprecedented, to glimpse authoritative internal histories of an entire covert operation. The Post was able to read all of the documents, but the source of the material insisted that only excerpts be published.

The CIA and the BND declined to comment, though U.S. and German officials did not dispute the authenticity of the documents. The first is a 96-page account of the operation completed in 2004 by the CIA’s Center for the Study of Intelligence, an internal historical branch. The second is an oral history compiled by German intelligence officials in 2008.

The overlapping accounts expose frictions between the two partners over money, control and ethical limits, with the West Germans frequently aghast at the enthusiasm with which U.S. spies often targeted allies.

But both sides describe the operation as successful beyond their wildest projections. At times, including in the 1980s, Crypto accounted for roughly 40 percent of the diplomatic cables and other transmissions by foreign governments that cryptanalysts at the NSA decoded and mined for intelligence, according to the documents.

All the while, Crypto generated millions of dollars in profits that the CIA and BND split and plowed into other operations.

Crypto’s sign is still visible atop its longtime headquarters near Zug, Switzerland, though the company was liquidated in 2018. (Jahi Chikwendiu/The Washington Post)

Crypto’s products are still in use in more than a dozen countries around the world, and its orange-and-white sign still looms atop the company’s longtime headquarters building near Zug, Switzerland. But the company was dismembered in 2018, liquidated by shareholders whose identities have been permanently shielded by the byzantine laws of Liechtenstein, a tiny European nation with a Cayman Islands-like reputation for financial secrecy.

Two companies purchased most of Crypto’s assets. The first, CyOne Security, was created as part of a management buyout and now sells security systems exclusively to the Swiss government. The other, Crypto International, took over the former company’s brand and international business.

Each insisted that it has no ongoing connection to any intelligence service, but only one claimed to be unaware of CIA ownership. Their statements were in response to questions from The Post, ZDF and Swiss broadcaster SRF, which also had access to the documents.

CyOne has more substantial links to the now-dissolved Crypto, including that the new company’s chief executive held the same position at Crypto for nearly two decades of CIA ownership.

A CyOne spokesman declined to address any aspect of Crypto AG’s history but said the new firm has “no ties to any foreign intelligence services.”

Andreas Linde, the chairman of the company that now holds the rights to Crypto’s international products and business, said he had no knowledge of the company’s relationship to the CIA and BND before being confronted with the facts in this article.

“We at Crypto International have never had any relationship with the CIA or BND — and please quote me,” he said in an interview. “If what you are saying is true, then absolutely I feel betrayed, and my family feels betrayed, and I feel there will be a lot of employees who will feel betrayed as well as customers.”

The Swiss government announced on Tuesday that it was launching an investigation of Crypto AG’s ties to the CIA and BND. Earlier this month, Swiss officials revoked Crypto International’s export license.

The timing of the Swiss moves was curious. The CIA and BND documents indicate that Swiss officials must have known for decades about Crypto’s ties to the U.S. and German spy services, but intervened only after learning that news organizations were about to expose the arrangement.

The histories, which do not address when or whether the CIA ended its involvement, carry the inevitable biases of documents written from the perspectives of the operation’s architects. They depict Rubicon as a triumph of espionage, one that helped the United States prevail in the Cold War, keep tabs on dozens of authoritarian regimes and protect the interests of the United States and its allies.

The papers largely avoid more unsettling questions, including what the United States knew — and what it did or didn’t do — about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.

The revelations in the documents may provide reason to revisit whether the United States was in position to intervene in, or at least expose, international atrocities, and whether it opted against doing so at times to preserve its access to valuable streams of intelligence.

Nor do the files deal with obvious ethical issues at the core of the operation: the deception and exploitation of adversaries, allies and hundreds of unwitting Crypto employees. Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety.

Juerg Spoerndli is an electrical engineer who spent 16 years working at Crypto. Deceived employees said the revelations about the company have deepened a sense of betrayal, of themselves and customers. (Jahi Chikwendiu/The Washington Post)

In recent interviews, deceived employees — even ones who came to suspect during their time at Crypto that the company was cooperating with Western intelligence — said the revelations in the documents have deepened a sense of betrayal, of themselves and customers.

“You think you do good work and you make something secure,” said Juerg Spoerndli, an electrical engineer who spent 16 years at Crypto. “And then you realize that you cheated these clients.”

Those who ran the clandestine program remain unapologetic.

“Do I have any qualms? Zero,” said Bobby Ray Inman, who served as director of the NSA and deputy director of the CIA in the late 1970s and early 1980s. “It was a very valuable source of communications on significantly large parts of the world important to U.S. policymakers.”

Boris Hagelin, the founder of Crypto, and his wife arrive in New York in 1949. Hagelin fled to the United States when the Nazis occupied Norway in 1940. (Bettmann Archive)

A denial operation

This sprawling, sophisticated operation grew out of the U.S. military’s need for a crude but compact encryption device.

Boris Hagelin, Crypto’s founder, was an entrepreneur and inventor who was born in Russia but fled to Sweden as the Bolsheviks took power. He fled again to the United States when the Nazis occupied Norway in 1940.

He brought with him an encryption machine that looked like a fortified music box, with a sturdy crank on the side and an assembly of metal gears and pinwheels under a hard metal case.

It wasn’t nearly as elaborate, or secure, as the Enigma machines being used by the Nazis. But Hagelin’s M-209, as it became known, was portable, hand-powered and perfect for troops on the move. Photos show soldiers with the eight-pound boxes — about the size of a thick book — strapped to their knees. Many of Hagelin’s devices have been preserved at a private museum in Eindhoven, the Netherlands.

Marc Simons and Paul Reuvers founded the Crypto Museum in Eindhoven, Netherlands. The virtual museum has preserved many of Hagelin’s devices. (Jahi Chikwendiu/The Washington Post)

Hagelin’s M-209 encryption machine had a crank on the side and an assembly of metal gears and pinwheels under a hard metal case. Portable and hand-powered, it was used mainly for tactical messages about troop movements. (Jahi Chikwendiu/The Washington Post)

Sending a secure message with the device was tedious. The user would rotate a dial, letter by letter, and thrust down the crank. The hidden gears would turn and spit out an enciphered message on a strip of paper. A signals officer then had to transmit that scrambled message by Morse code to a recipient who would reverse the sequence.

Security was so weak that it was assumed that nearly any adversary could break the code with enough time. But doing so took hours. And since these were used mainly for tactical messages about troop movements, by the time the Nazis decoded a signal its value had probably perished.

Over the course of the war, about 140,000 M-209s were built at the Smith Corona typewriter factory in Syracuse, N.Y., under a U.S. Army contract worth $8.6 million to Crypto. After the war, Hagelin returned to Sweden to reopen his factory, bringing with him a personal fortune and a lifelong sense of loyalty to the United States.

Even so, American spies kept a wary eye on his postwar operations. In the early 1950s, he developed a more advanced version of his war-era machine with a new, “irregular” mechanical sequence that briefly stumped American code-breakers.

Marc Simons, co-founder of Crypto Museum, a virtual museum of cipher machines, explains how secret messages were created using the Hagelin CX-52. (Stanislav Dobak/The Washington Post)

Alarmed by the capabilities of the new CX-52 and other devices Crypto envisioned, U.S. officials began to discuss what they called the “Hagelin problem.”

These were “the Dark Ages of American cryptology,” according to the CIA history. The Soviets, Chinese and North Koreans were using code-making systems that were all but impenetrable. U.S. spy agencies worried that the rest of the world would also go dark if countries could buy secure machines from Hagelin.

The Americans had several points of leverage with Hagelin: his ideological affinity for the country, his hope that the United States would remain a major customer and the veiled threat that they could damage his prospects by flooding the market with surplus M-209s from the war.

The U.S. Army’s Signals Intelligence Service was headed by William Friedman, center, in the mid-1930s. Other members, from left: Herrick F. Bearce, Solomon Kullback, U.S. Army Capt. Harold G. Miller, Louise Newkirk Nelson, seated, Abraham Sinkov, U.S. Coast Guard Lt. L.T. Jones and Frank B. Rowlett. (Fotosearch/Getty Images)

The United States also had a more crucial asset: William Friedman. Widely regarded as the father of American cryptology, Friedman had known Hagelin since the 1930s. They had forged a lifelong friendship over their shared backgrounds and interests, including their Russian heritage and fascination with the complexities of encryption.

There might never have been an Operation Rubicon if the two men had not shaken hands on the very first secret agreement between Hagelin and U.S. intelligence over dinner at the Cosmos Club in Washington in 1951.

The deal called for Hagelin, who had moved his company to Switzerland, to restrict sales of his most sophisticated models to countries approved by the United States. Nations not on that list would get older, weaker systems. Hagelin would be compensated for his lost sales, as much as $700,000 up front.

It took years for the United States to live up to its end of the deal, as top officials at the CIA and the predecessor to the NSA bickered over the terms and wisdom of the scheme. But Hagelin abided by the agreement from the outset, and over the next two decades, his secret relationship with U.S. intelligence agencies deepened.

In 1960, the CIA and Hagelin entered into a “licensing agreement” that paid him $855,000 to renew his commitment to the handshake deal. The agency paid him $70,000 a year in retainer and started giving his company cash infusions of $10,000 for “marketing” expenses to ensure that Crypto — and not other upstarts in the encryption business — locked down contracts with most of the world’s governments.

It was a classic “denial operation” in the parlance of intelligence, a scheme designed to prevent adversaries from acquiring weapons or technology that would give them an advantage. But it was only the beginning of Crypto’s collaboration with U.S. intelligence. Within a decade, the whole operation belonged to the CIA and BND.

In 1967, Crypto released the H-460, an all-electronic machine whose inner workings were designed by the NSA. (Jahi Chikwendiu/The Washington Post)

A brave new world

U.S. officials had toyed since the outset with the idea of asking Hagelin whether he would be willing to let U.S. cryptologists doctor his machines. But Friedman overruled them, convinced that Hagelin would see that as a step too far.

The CIA and NSA saw a new opening in the mid-1960s, as the spread of electronic circuits forced Hagelin to accept outside help adapting to the new technology, or face extinction clinging to the manufacturing of mechanical machines.

NSA cryptologists were equally concerned about the potential impact of integrated circuits, which seemed poised to enable a new era of unbreakable encryption. But one of the agency’s senior analysts, Peter Jenks, identified a potential vulnerability.

If “carefully designed by a clever crypto-mathematician,” he said, a circuit-based system could be made to appear that it was producing endless streams of randomly generated characters, while in reality it would repeat itself at short enough intervals for NSA experts — and their powerful computers — to crack the pattern.

Two years later, in 1967, Crypto rolled out a new, all-electronic model, the H-460, whose inner workings were completely designed by the NSA.

The CIA history all but gloats about crossing this threshold. “Imagine the idea of the American government convincing a foreign manufacturer to jimmy equipment in its favor,” the history says. “Talk about a brave new world.”

The NSA didn’t install crude “back doors” or secretly program the devices to cough up their encryption keys. And the agency still faced the difficult task of intercepting other governments’ communications, whether plucking signals out of the air or, in later years, tapping into fiber optic cables.

But the manipulation of Crypto’s algorithms streamlined the code-breaking process, at times reducing to seconds a task that might otherwise have taken months. The company always made at least two versions of its products — secure models that would be sold to friendly governments, and rigged systems for the rest of the world.

In so doing, the U.S.-Hagelin partnership had evolved from denial to “active measures.” No longer was Crypto merely restricting sales of its best equipment but actively selling devices that were engineered to betray their buyers.

The payoff went beyond the penetration of the devices. Crypto’s shift to electronic products buoyed business so much that it became addicted to its dependence on the NSA. Foreign governments clamored for systems that seemed clearly superior to the old clunky mechanical devices but in fact were easier for U.S. spies to read.

German and American partners

By the end of the 1960s, Hagelin was nearing 80 and anxious to secure the future for his company, which had grown to more than 180 employees. CIA officials were similarly anxious about what would happen to the operation if Hagelin were to suddenly sell or die.

Hagelin had once hoped to turn control over to his son, Bo. But U.S. intelligence officials regarded him as a “wild card” and worked to conceal the partnership from him. Bo Hagelin was killed in a car crash on Washington’s Beltway in 1970. There were no indications of foul play.

U.S. intelligence officials discussed the idea of buying Crypto for years, but squabbling between the CIA and NSA prevented them from acting until two other spy agencies entered the fray.

The French, West German and other European intelligence services had either been told about the United States’ arrangement with Crypto or figured it out on their own. Some were understandably jealous and probed for ways to secure a similar deal for themselves.

In 1967, Hagelin was approached by the French intelligence service with an offer to buy the company in partnership with German intelligence. Hagelin rebuffed the offer and reported it to his CIA handlers. But two years later, the Germans came back seeking to make a follow-up bid with the blessing of the United States.

In a meeting in early 1969 at the West German Embassy in Washington, the head of that country’s cipher service, Wilhelm Goeing, outlined the proposal and asked whether the Americans “were interested in becoming partners too.”

Months later, CIA Director Richard Helms approved the idea of buying Crypto and dispatched a subordinate to Bonn, the West German capital, to negotiate terms with one major caveat: the French, CIA officials told Goeing, would have to be “shut out.”

West Germany acquiesced to this American power play, and a deal between the two spy agencies was recorded in a June 1970 memo carrying the shaky signature of a CIA case officer in Munich who was in the early stages of Parkinson’s disease and the illegible scrawl of his BND counterpart.

The two agencies agreed to chip in equally to buy out Hagelin for approximately $5.75 million, but the CIA left it largely to the Germans to figure out how to prevent any trace of the transaction from ever becoming public.

A Liechtenstein law firm, Marxer and Goop, helped hide the identities of the new owners of Crypto through a series of shells and “bearer” shares that required no names in registration documents. The firm was paid an annual salary “less for the extensive work but more for their silence and acceptance,” the BND history says. The firm, now named Marxer and Partner, did not respond to a request for comment.

A new board of directors was set up to oversee the company. Only one member of the board, Sture Nyberg, to whom Hagelin had turned over day-to-day management, knew of CIA involvement. “It was through this mechanism,” the CIA history notes, “that BND and CIA controlled the activities” of Crypto. Nyberg left the company in 1976. The Post and ZDF could not locate him or determine whether he is still alive.

The two spy agencies held their own regular meetings to discuss what to do with their acquisition. The CIA used a secret base in Munich, initially on a military installation used by American troops and later in the attic of a building adjacent to the U.S. Consulate, as the headquarters for its involvement in the operation.

The CIA and BND agreed on a series of code names for the program and its various components. Crypto was called “Minerva,” which is also the title of the CIA history. The operation was at first code-named “Thesaurus,” though in the 1980s it was changed to “Rubicon.”

Each year, the CIA and BND split any profits Crypto had made, according to the German history, which says the BND handled the accounting and delivered the cash owed to the CIA in an underground parking garage.

From the outset, the partnership was beset by petty disagreements and tensions. To CIA operatives, the BND often seemed preoccupied with turning a profit, and the Americans “constantly reminded the Germans that this was an intelligence operation, not a money-making enterprise.” The Germans were taken aback by the Americans’ willingness to spy on all but their closest allies, with targets including NATO members Spain, Greece, Turkey and Italy.

Mindful of the limitations to their abilities to run a high-tech company, the two agencies brought in corporate outsiders. The Germans enlisted Siemens, a Munich-based conglomerate, to advise Crypto on business and technical issues in exchange for 5 percent of the company’s sales. The United States later brought in Motorola to fix balky products, making it clear to the company’s CEO this was being done for U.S. intelligence. Siemens declined to comment. Motorola officials did not respond to a request for comment.

To its frustration, Germany was never admitted to the vaunted “Five Eyes,” a long-standing intelligence pact involving the United States, Britain, Australia, New Zealand and Canada. But with the Crypto partnership, Germany moved closer into the American espionage fold than might have seemed possible in World War II’s aftermath. With the secret backing of two of the world’s premier intelligence agencies and the support of two of the world’s largest corporations, Crypto’s business flourished.

A table in the CIA history shows that sales surged from 15 million Swiss francs in 1970 to more than 51 million in 1975, or $19 million. The company’s payroll expanded to more than 250 employees.

“The Minerva purchase had yielded a bonanza,” the CIA history says of this period. The operation entered a two-decade stretch of unprecedented access to foreign governments’ communications.

Egyptian President Anwar Sadat and President Jimmy Carter meet during the Egyptian-Israeli peace negotiations at Camp David in September 1978. During the negotiations, the NSA was secretly monitoring Sadat’s communications back to Cairo. (White House/CNP/Getty Images)

Iranian suspicions

The NSA’s eavesdropping empire was for many years organized around three main geographic targets, each with its own alphabetic code: A for the Soviets, B for Asia and G for virtually everywhere else.

By the early 1980s, more than half of the intelligence gathered by G group was flowing through Crypto machines, a capability that U.S. officials relied on in crisis after crisis.

In 1978, as the leaders of Egypt, Israel and the United States gathered at Camp David for negotiations on a peace accord, the NSA was secretly monitoring the communications of Egyptian President Anwar Sadat with Cairo.

A year later, after Iranian militants stormed the U.S. Embassy and took 52 American hostages, the Carter administration sought their release in back-channel communications through Algeria. Inman, who served as NSA director at the time, said he routinely got calls from President Jimmy Carter asking how the Ayatollah Khomeini regime was reacting to the latest messages.

“We were able to respond to his questions about 85 percent of the time,” Inman said. That was because the Iranians and Algerians were using Crypto devices.

Inman said the operation also put him in one of the trickiest binds he’d encountered in government service. At one point, the NSA intercepted Libyan communications indicating that the president’s brother, Billy Carter, was advancing Libya’s interests in Washington and was on leader Moammar Gaddafi’s payroll.

Inman referred the matter to the Justice Department. The FBI launched an investigation of Carter, who falsely denied taking payments. In the end, he was not prosecuted but agreed to register as a foreign agent.

Throughout the 1980s, the list of Crypto’s leading clients read like a catalogue of global trouble spots. In 1981, Saudi Arabia was Crypto’s biggest customer, followed by Iran, Italy, Indonesia, Iraq, Libya, Jordan and South Korea.

To protect its market position, Crypto and its secret owners engaged in subtle smear campaigns against rival companies, according to the documents, and plied government officials with bribes. Crypto sent an executive to Riyadh, Saudi Arabia, with 10 Rolex watches in his luggage, the BND history says, and later arranged a training program for the Saudis in Switzerland where the participants’ “favorite pastime was to visit the brothels, which the company also financed.”

At times, the incentives led to sales to countries ill-equipped to use the complicated systems. Nigeria bought a large shipment of Crypto machines, but two years later, when there was still no corresponding payoff in intelligence, a company representative was sent to investigate. “He found the equipment in a warehouse still in its original packaging,” according to the German document.

In 1982, the Reagan administration took advantage of Argentina’s reliance on Crypto equipment, funneling intelligence to Britain during the two countries’ brief war over the Falkland Islands, according to the CIA history, which doesn’t provide any detail on what kind of information was passed to London. The documents generally discuss intelligence gleaned from the operation in broad terms and provide few insights into how it was used.

Plainclothes U.S. military officers walk around the scene of the bombing at the La Belle disco in West Berlin, which killed two U.S. soldiers and a Turkish woman in 1986. In an address, Reagan appears to have jeopardized the Crypto operation by citing evidence of Libya’s complicity in the attack. (Andreas Schoelzel/Associated Press)

Reagan appears to have jeopardized the Crypto operation after Libya was implicated in the 1986 bombing of a West Berlin disco popular with American troops stationed in West Germany. Two U.S. soldiers and a Turkish woman were killed as a result of the attack.

Reagan ordered retaliatory strikes against Libya 10 days later. Among the reported victims was one of Gaddafi’s daughters. In an address to the country announcing the strikes, Reagan said the United States had evidence of Libya’s complicity that “is direct, it is precise, it is irrefutable.”

The evidence, Reagan said, showed that Libya’s embassy in East Berlin received orders to carry out the attack a week before it happened. Then, the day after the bombing, “they reported back to Tripoli on the great success of their mission.”

Reagan’s words made clear that Tripoli’s communications with its station in East Berlin had been intercepted and decrypted. But Libya wasn’t the only government that took note of the clues Reagan had provided.

Iran, which knew that Libya also used Crypto machines, became increasingly concerned about the security of its equipment. Tehran didn’t act on those suspicions until six years later.

The irreplaceable man

After the CIA and BND acquisition, one of the most vexing problems for the secret partners was ensuring that Crypto’s workforce remained compliant and unsuspecting.

Even while hidden from view, the agencies went to significant lengths to maintain Hagelin’s benevolent approach to ownership. Employees were well paid and had abundant perks including access to a small sailboat on Lake Zug near company headquarters.

And yet, those who worked most closely with the encryption designs seemed constantly to be getting closer to uncovering the operation’s core secret. The engineers and designers responsible for developing prototype models often questioned the algorithms being foisted on them by a mysterious external entity.

Crypto executives often led employees to believe that the designs were being provided as part of the consulting arrangement with Siemens. But even if that were so, why were encryption flaws so easy to spot, and why were Crypto’s engineers so routinely blocked from fixing them?

In 1977, Heinz Wagner, the chief executive at Crypto who knew the true role of the CIA and BND, abruptly fired a wayward engineer after the NSA complained that diplomatic traffic coming out of Syria had suddenly become unreadable. The engineer, Peter Frutiger, had long suspected Crypto was collaborating with German intelligence. He had made multiple trips to Damascus to address complaints about their Crypto products and apparently, without authority from headquarters, had fixed their vulnerabilities.

Frutiger “had figured out the Minerva secret and it was not safe with him,” according to the CIA history. Even so, the agency was livid with Wagner for firing Frutiger rather than finding a way to keep him quiet on the company payroll. Frutiger declined to comment for this story.

Mengia Caflisch, circa 1990s. After she was hired by Crypto, Caflisch, a gifted electrical engineer, began probing the vulnerabilities of the company’s products. (Obtained by The Washington Post)

U.S. officials were even more alarmed when Wagner hired a gifted electrical engineer in 1978 named Mengia Caflisch. She had spent several years in the United States working as a radio-astronomy researcher for the University of Maryland before returning to her native Switzerland and applying for a job at Crypto. Wagner jumped at the chance to hire her. But NSA officials immediately raised concerns that she was “too bright to remain unwitting.”

The warning proved prescient as Caflisch soon began probing the vulnerabilities of the company’s products. She and Spoerndli, a colleague in the research department, ran various tests and “plaintext attacks” on devices including a teletype model, the HC-570, that was built using Motorola technology, Spoerndli said in an interview.

“We looked at the internal operations, and the dependencies with each step,” Spoerndli said, and became convinced they could crack the code by comparing only 100 characters of enciphered text to an underlying, unencrypted message. It was an astonishingly low level of security, Spoerndli said in an interview last month, but far from unusual.

“The algorithms,” he said, “always looked fishy.”

In the ensuing years, Caflisch continued to pose problems. At one point, she designed an algorithm so strong that NSA officials worried it would be unreadable. The design made its way into 50 HC-740 machines rolling off the factory floor before company executives discovered the development and stopped it.

“I just had an idea that something might be strange,” Caflisch said in an interview last month, about the origin of her suspicions. But it became clear that her probing wasn’t appreciated, she said. “Not all questions appeared to be welcome.”

The company restored the rigged algorithm to the rest of the production run and sold the 50 secure models to banks to keep them out of the hands of foreign governments. Because these and other developments were so hard to defend, Wagner at one point told a select group of members of the research and development unit that Crypto “was not entirely free to do what it wanted.”

The acknowledgment seemed to subdue the engineers, who interpreted it as confirmation that the company’s technology faced constraints imposed by the German government. But the CIA and BND became increasingly convinced that their routine, disembodied interference was unsustainable.

Crypto had become an Oz-like operation with employees probing to see what was behind the curtain. As the 1970s came to a close, the secret partners decided to find a wizard figure who could help devise more advanced — and less detectable — weaknesses in the algorithms, someone with enough cryptological clout to tame the research department.

The two agencies turned to other spy services for potential candidates before settling on an individual put forward by Sweden’s intelligence service. Because of Hagelin’s ties to the country, Sweden had been kept apprised of the operation since its outset.

Kjell-Ove Widman, a mathematics professor in Stockholm, had made a name for himself in European academic circles with his research on cryptology. Widman was also a military reservist who had worked closely with Swedish intelligence officials.

To the CIA, Widman had an even more important attribute: an affinity for the United States that he had formed while spending a year in Washington state as an exchange student.

His host family had such trouble pronouncing his Swedish name that they called him “Henry,” a moniker he later used with his CIA handlers.

Officials involved in Widman’s recruitment described it as almost effortless. After being groomed by Swedish intelligence officials, he was brought to Munich in 1979 for what purported to be a round of interviews with executives from Crypto and Siemens.

The fiction was maintained as Widman faced questions from a half-dozen men seated around a table in a hotel conference room. As the group broke for lunch, two men asked Widman to stay behind for a private conversation.

“Do you know what ZfCh is?” asked Jelto Burmeister, a BND case officer, using the acronym for the German cipher service. When Widman replied that he did, Burmeister said, “Now, do you understand who really owns Crypto AG?”

At that point, Widman was introduced to Richard Schroeder, a CIA officer stationed in Munich to manage the agency’s involvement in Crypto. Widman would later claim to agency historians that his “world fell apart completely” in that moment.

If so, he did not hesitate to enlist in the operation.

Without even leaving the room, Widman sealed his recruitment with a handshake. As the three men joined the rest of the group at lunch, a “thumbs up” signal transformed the gathering into a celebration.

Crypto installed Widman as a “scientific advisor” reporting directly to Wagner. He became the spies’ hidden inside agent, departing Zug every six weeks for clandestine meetings with representatives of the NSA and ZfCh. Schroeder, the CIA officer, would attend but tune out their technical babble.

They would agree on modifications and work up new encryption schemes. Then Widman would deliver the blueprints to Crypto engineers. The CIA history calls him the “irreplaceable man,” and the “most important recruitment in the history of the Minerva program.”

His stature cowed subordinates, investing him “with a technical prominence that no one in CAG could challenge.” It also helped deflect the inquiries of foreign governments. As Widman settled in, the secret partners adopted a set of principles for rigged algorithms, according to the BND history. They had to be “undetectable by usual statistical tests” and, if discovered, be “easily masked as implementation or human errors.”

In other words, when cornered, Crypto executives would blame sloppy employees or clueless users.
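The two properties described above, a cipher that falls to about 100 characters of known plaintext yet is "undetectable by usual statistical tests," can coexist. The following is an added example, not code from the article or from any Crypto AG device; it assumes a toy stream cipher built on a single 31-bit LFSR (recurrence, key and message are constructed here) and shows the extra check an evaluator would run: the keystream's bit-frequency and runs statistics are reported next to its linear complexity, which Berlekamp-Massey recovers from the known-plaintext prefix.

```python
"""Toy stream cipher, constructed for this example (not any Crypto AG design)."""
import math

TAPS = (3, 31)      # assumed toy recurrence: s[j] = s[j-3] XOR s[j-31]
KEY = 0x5EED1234    # constructed 31-bit secret initial state
WARMUP = 310        # bits discarded so the key itself never appears in the output
MESSAGE = b"CONSTRUCTED SAMPLE TRAFFIC. ROUTINE STATUS REPORT FOLLOWS. " * 4


def lfsr_keystream(key, nbits):
    """Return nbits of keystream from the toy LFSR."""
    s = [(key >> i) & 1 for i in range(31)]
    while len(s) < WARMUP + nbits:
        s.append(s[-TAPS[0]] ^ s[-TAPS[1]])
    return s[WARMUP:WARMUP + nbits]


def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def xor_cipher(data, key):
    """Encrypt or decrypt: XOR the data with the keystream."""
    ks = lfsr_keystream(key, 8 * len(data))
    return from_bits([b ^ k for b, k in zip(to_bits(data), ks)])


def statistical_report(bits):
    """Monobit and runs p-values in the style of NIST SP 800-22."""
    n = len(bits)
    ones = sum(bits)
    pi = ones / n
    monobit_p = math.erfc(abs(2 * ones - n) / math.sqrt(2 * n))
    runs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    runs_p = math.erfc(abs(runs - 2 * n * pi * (1 - pi))
                       / (2 * math.sqrt(2 * n) * pi * (1 - pi)))
    return {"ones_fraction": pi, "monobit_p": monobit_p, "runs_p": runs_p}


def berlekamp_massey(bits):
    """Shortest LFSR over GF(2) generating bits: returns (L, connection poly c)."""
    n = len(bits)
    c, b = [0] * n, [0] * n
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                       # prediction failed: correct the polynomial
            t = c[:]
            shift = i - m
            for j in range(n - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def recover_from_known_plaintext(ciphertext, known_prefix):
    """Rebuild the generator from a known prefix, then decrypt everything."""
    c_bits = to_bits(ciphertext)
    ks = [p ^ c for p, c in zip(to_bits(known_prefix), c_bits)]
    L, poly = berlekamp_massey(ks)
    while len(ks) < len(c_bits):    # run the recovered recurrence forward
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= poly[j] & ks[-j]
        ks.append(nxt)
    taps = [j for j in range(1, L + 1) if poly[j]]
    return L, taps, from_bits([a ^ b for a, b in zip(c_bits, ks)])


if __name__ == "__main__":
    print(statistical_report(lfsr_keystream(KEY, 20000)))
    ct = xor_cipher(MESSAGE, KEY)
    L, taps, pt = recover_from_known_plaintext(ct, MESSAGE[:100])
    print("linear complexity:", L, "taps:", taps)
    print("full message recovered:", pt == MESSAGE)
```

A keystream with this little structure needs only twice its linear complexity in known bits to be reproduced, so frequency-style tests alone say nothing about whether a design is sound.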

In 1982, when Argentina became convinced that its Crypto equipment had betrayed secret messages and helped British forces in the Falklands War, Widman was dispatched to Buenos Aires. Widman told them the NSA had probably cracked an outdated speech-scrambling device that Argentina was using, but that the main product they bought from Crypto, the CAG 500, remained “unbreakable.”

“The bluff worked,” the CIA history says. “The Argentines swallowed hard, but kept buying CAG equipment.”

Widman is long-retired now and living in Stockholm. He declined to comment. Years after his recruitment, he told U.S. officials that he saw himself as “engaged in a critical struggle for the benefit of Western intelligence,” according to the CIA document. “It was, he said, the moment in which he felt at home. This was his mission in life.”

That same year, Hagelin, then 90 years old, became ill on a trip to Sweden and was hospitalized. He recovered well enough to return to Switzerland, but CIA officials became worried about Hagelin’s extensive collection of business records and personal papers at his office in Zug.

Schroeder, with Hagelin’s permission, arrived with a briefcase and spent several days going through the files. To visitors, he was introduced as a historian interested in tracing Hagelin’s life. Schroeder pulled out the documents “that were incriminating,” according to the history, and shipped them back to CIA headquarters, “where they reside to this day.”

Hagelin remained an invalid until he died in 1983. The Post could not locate Wagner or determine whether he is still alive. Schroeder retired from the CIA more than a decade ago and teaches part-time at Georgetown University. When contacted by a reporter from The Post, he declined to comment.

The Hydra crisis

Crypto endured several money-losing years in the 1980s, but the intelligence flowed in torrents. U.S. spy agencies intercepted more than 19,000 Iranian communications sent via Crypto machines during that nation’s decade-long war with Iraq, mining them for reports on subjects such as Tehran’s terrorist links and attempts to target dissidents.

Iran’s communications were “80 to 90 percent readable” to U.S. spies, according to the CIA document, a figure that would probably have plunged into the single digits had Tehran not used Crypto’s compromised devices.

In 1989, the Vatican’s use of Crypto devices proved crucial in the U.S. manhunt for Panamanian leader Manuel Antonio Noriega. When the dictator sought refuge in the Apostolic Nunciature — the equivalent of a papal embassy — his whereabouts were exposed by the mission’s messages back to Vatican City.

In 1992, however, the Crypto operation faced its first major crisis: Iran, belatedly acting on its long-standing suspicions, detained a company salesman.

Hans Buehler, then 51, was considered one of the company’s best salesmen. Iran was one of the company’s largest contracts, and Buehler had traveled in and out of Tehran for years. There were tense moments, including when he was questioned extensively in 1986 by Iranian officials after the disco bombing and U.S. missile strikes on Libya.

Six years later, he boarded a Swissair flight to Tehran but failed to return on schedule. When he didn’t show, Crypto turned for help to Swiss authorities and was told he had been arrested by the Iranians. Swiss consular officials allowed to visit Buehler reported that he was in “bad shape mentally,” according to the CIA history.

Buehler was finally released nine months later after Crypto agreed to pay the Iranians $1 million, a sum that was secretly provided by the BND, according to the documents. The CIA refused to chip in, citing the U.S. policy against succumbing to ransom demands for hostages.

Buehler knew nothing about Crypto’s relationship to the CIA and BND or the vulnerabilities in its devices. But he returned traumatized and suspicious that Iran knew more about the company he worked for than he did. Buehler began speaking to Swiss news organizations about his ordeal and mounting suspicions.

William Friedman in Switzerland in 1957 with his wife and fellow cryptanalyst, Elizebeth Friedman, left, and Annie Hagelin, Boris Hagelin’s wife. (George C. Marshall Foundation)
Boris Hagelin in 1972. (George C. Marshall Foundation)

The publicity brought new attention to long-forgotten clues, including references to a “Boris project” in Friedman’s massive collection of personal papers, which were donated to Virginia Military Institute when he died in 1969. Among the 72 boxes delivered to Lexington, Va., were copies of his lifelong correspondence with Hagelin.

In 1994, the crisis deepened when Buehler appeared on Swiss television in a report that also featured Frutiger, whose identity was concealed from viewers. Buehler died in 2018. Frutiger, the engineer who had been fired for fixing Syria’s encryption systems years earlier, did not respond to requests for comment.

Michael Grupe, who had succeeded Wagner as chief executive, agreed to appear on Swiss television and disputed what he knew to be factual charges. “Grupe’s performance was credible, and may have saved the program,” the CIA history says. Grupe did not respond to requests for comment.

Even so, it took several years for the controversy to die down. In 1995, the Baltimore Sun ran a series of investigative stories about the NSA, including one called “Rigging the Game” that exposed aspects of the agency’s relationship with Crypto.

The article reported NSA officials had traveled to Zug in the mid-1970s for secret meetings with Crypto executives. The officials were posing as consultants for a front company called “Intercomm Associates” but then proceeded to introduce themselves by their real names — which were recorded on notes of the meeting kept by a company employee.

Amid the publicity onslaught, some employees began to look elsewhere for work. And at least a half-dozen countries — including Argentina, Italy, Saudi Arabia, Egypt and Indonesia — either canceled or suspended their Crypto contracts.

Astonishingly, Iran was not among them, according to the CIA file, and “resumed its purchase of CAG equipment almost immediately.”

The main casualty of the “Hydra” crisis, the code name given to the Buehler case, was the CIA-BND partnership.

For years, BND officials had recoiled at their American counterpart’s refusal to distinguish adversaries from allies. The two partners often fought over which countries deserved to receive the secure versions of Crypto’s products, with U.S. officials frequently insisting that the rigged equipment be sent to almost anyone — ally or not — who could be deceived into buying it.

In the German history, Wolbert Smidt, the former director of the BND, complained that the United States “wanted to deal with the allies just like they dealt with the countries of the Third World.” Another BND official echoed that comment, saying that to Americans, “in the world of intelligence there were no friends.”

The Cold War had ended, the Berlin Wall was down and the reunified Germany had different sensitivities and priorities. They saw themselves as far more directly exposed to the risks of the Crypto operation. Hydra had rattled the Germans, who feared the disclosure of their involvement would trigger European outrage and lead to enormous political and economic fallout.

In 1993, Konrad Porzner, the chief of the BND, made clear to CIA Director James Woolsey that support in the upper ranks of the German government was waning and that the Germans might want out of the Crypto partnership. On Sept. 9, the CIA station chief in Germany, Milton Bearden, reached an agreement with BND officials for the CIA to purchase Germany’s shares for $17 million, according to the CIA history.

German intelligence officials rued the departure from an operation they had largely conceived. In the German history, senior intelligence officials blame political leaders for ending one of the most successful espionage programs the BND had ever been a part of.

With their departure, the Germans were soon cut off from the intelligence that the United States continued to gather. Burmeister is quoted in the German history wondering whether Germany still belonged “to this small number of nations who are not read by the Americans.”

The Snowden documents provided what must have been an unsettling answer, showing that U.S. intelligence agencies not only regarded Germany as a target but monitored German Chancellor Angela Merkel’s cellphone.

Alive and well

The CIA history essentially concludes with Germany’s departure from the program, though it was finished in 2004 and contains clear indications that the operation was still underway.

It notes, for example, that the Buehler case was “the most serious security breach in the history of the program” but wasn’t fatal. “It did not cause its demise,” the history says, “and at the turn of the century Minerva was still alive and well.”

In reality, the operation appears to have entered a protracted period of decline. By the mid-1990s, “the days of profit were long past,” and Crypto “would have gone out of business but for infusions from the U.S. government.”

As a result, the CIA appears to have spent years propping up an operation that was more viable as an intelligence platform than a business enterprise. Its product line dwindled and its revenue and customer base shrank.

But the intelligence kept coming, current and former officials said, in part because of bureaucratic inertia. Many governments just never got around to switching to newer encryption systems proliferating in the 1990s and beyond — and unplugging their Crypto devices. This was particularly true of less developed nations, according to the documents.

Most of the employees identified in the CIA and BND histories are in their 70s or 80s, and some of them have died. In interviews in Switzerland last month, several former Crypto workers mentioned in the documents described feelings of unease about their involvement in the company.

They were never informed of its true relationship to intelligence services. But they had well-founded suspicions and still wrestle with the ethical implications of their decisions to remain at a firm they believed to be engaged in deception.

“Either you had to leave or you had to accept it in a certain way,” said Caflisch, now 75, who left the company in 1995 but continues to live on the outskirts of Zug in a converted weaving factory where she and her family for many years staged semiprofessional operas in the barn. “There were reasons I left,” she said, including her discomfort with her doubts at Crypto and her desire to be home more for her children. After the latest revelations, she said, “It makes me wonder whether I should have left earlier.”

Spoerndli said he regrets his own rationalizations.

“I told myself sometimes it may be better if the good guys in the United States know what is going on between these Third World dictators,” he said. “But it’s a cheap self-excuse. In the end, this is not the way.”

Most of the executives directly involved in the operation were motivated by ideological purpose and declined any payment beyond their Crypto salaries, according to the documents. Widman was among several exceptions. “As his retirement drew near, his covert compensation was substantially increased,” the CIA history says. He was also awarded a medal bearing the CIA seal.

After the BND’s departure, the CIA expanded its clandestine collection of companies in the encryption sector, according to former Western intelligence officials. Using cash amassed from the Crypto operation, the agency secretly acquired a second firm and propped up a third. The documents do not disclose any details about these entities. But the BND history notes that one of Crypto’s longtime rivals — Gretag AG, also based in Switzerland — was “taken over by an ‘American’ and, after a change of names in 2004, was liquidated.”

Crypto itself hobbled along. It had survived the transitions from metal boxes to electronic circuits, going from teletype machines to enciphered voice systems. But it struggled to maintain its footing as the encryption market moved from hardware to software. U.S. intelligence agencies appear to have been content to let the Crypto operation play out, even as the NSA’s attention shifted to finding ways to exploit the global reach of Google, Microsoft, Verizon and other U.S. tech powers.

In 2017, Crypto’s longtime headquarters building near Zug was sold to a commercial real estate company. In 2018, the company’s remaining assets — the core pieces of the encryption business started nearly a century earlier — were split and sold.

The transactions seemed designed to provide cover for a CIA exit.

CyOne’s purchase of the Swiss portion of the business was structured as a management buyout, enabling top Crypto employees to move into a new company insulated from the espionage risks and with a reliable source of revenue. The Swiss government, which was always sold secure versions of Crypto’s systems, is now CyOne’s only customer.

Giuliano Otth, who served as CEO of Crypto AG from 2001 until its dismemberment, took the same position at CyOne after it acquired the Swiss assets. Given his tenure at Crypto, it is likely he was witting to the CIA ownership of the company, just as all of his predecessors in the job had been.

“Neither CyOne Security AG nor Mr. Otth have any comments regarding Crypto AG’s history,” the company said in a statement.

Crypto’s international accounts and business assets were sold to Linde, a Swedish entrepreneur, who comes from a wealthy family with commercial real estate holdings.

In a meeting in Zurich last month, Linde said he had been drawn to the company in part by its heritage and Hagelin connection, a past that still resonates in Sweden. Upon taking over operations, Linde even moved some of Hagelin’s historic equipment from storage into a display at the factory entrance.

When confronted with evidence that Crypto had been owned by the CIA and BND, Linde looked visibly shaken, and said that during negotiations he never learned the identities of the company’s shareholders. He asked when the story would be published, saying he had employees overseas and voicing concern for their safety.

In a subsequent interview, Linde said his company is investigating all the products it sells to determine whether they have any hidden vulnerabilities. “We have to make a cut as soon as possible with everything that has been linked to Crypto,” he said.

When asked why he failed to confront Otth and others involved in the transaction about whether there was any truth to the long-standing Crypto allegations, Linde said he had regarded these as “just rumors.”

He said he took assurance from the fact that Crypto continued to have substantial contracts with foreign governments, countries he assumed had tested the company’s products vigorously and would have abandoned them if they were compromised.

“I even acquired the brand name, ‘Crypto,’ ” he said, underscoring his confidence in the company’s viability. Given the information now coming to light, he said, this “was probably one of the most stupid decisions I’ve ever made in my career.”

The company’s liquidation was handled by the same Liechtenstein law firm that provided cover for Hagelin’s sale to the CIA and BND 48 years earlier. The terms of the 2018 transactions have not been disclosed, but current and former officials estimated their aggregate value at $50 million to $70 million.

For the CIA, the money would have been one final payoff from Minerva.

Reporting for this article was done in collaboration with Peter F. Mueller, a journalist and documentary filmmaker based in Cologne, Germany. Julie Tate in Washington contributed to this report.

See also:

Author Greg Miller

Greg Miller is a national security correspondent for The Washington Post and a two-time winner of the Pulitzer Prize. He is the author of “The Apprentice,” a book on Russia’s interference in the 2016 U.S. presidential race and the fallout under the Trump administration.

https://www.sueddeutsche.de/digital/crypto-spionage-bnd-cia-1.4794872
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/
https://en.wikipedia.org/wiki/Crypto_AG
https://de.wikipedia.org/wiki/Crypto_AG

Human Vs. Machine – Does Technology Require People at Battlefield?


More sensors mean more data. Today’s battlefield is networked with sensors at an unprecedented scale. It is the Internet of Battlefield Things (IoBT) that encompasses drone payloads, video cameras, signal and radio sensors, cyber sensors and scores of other devices. This cohesive network increases situational awareness, risk assessment, and response time. At the tactical level, IoBT networks connect combat gear embedded with biometric wearables to help soldiers identify the enemy, perform better in battle, and access devices and weapons systems using speedy edge computing.

In fact, the global battlefield management systems market will reach $26.24 billion by 2027, growing at a compound annual growth rate (CAGR) of 6.4% over the period 2019-2027, according to reportlinker.com.

This state of affairs is by and large enabled by artificial intelligence, which is increasingly critical for tapping into data acquired by the exploding volume and diversity of sensors, as well as for powering emerging applications that rely on this data. AI technologies are expected to shift the burden from human to machine so that only the most relevant and timely data reaches those who need it.

According to C4ISRnet.com, AI can make sense of sensor data in six major aspects:

  • Video processing with analytics, object and threat detection – for example, the US DoD’s Project Maven has leveraged Google’s TensorFlow AI systems to analyze U.S. drone footage, detect objects of note, and then pass them on to analysts.
  • Automated cyber security operations – to maintain an edge over cyber adversaries, tapping AI to automate cyber security operations is critical.
  • Sensor fusion, soldier health monitoring, and augmented reality
  • EW signal processing and signal intelligence – EW sensors can generate a lot of false signals, or noise. To make sense of the data and convert it to actionable information, AI technologies can filter noise and classify signals, reducing the warfighter’s “cognitive load” when it comes to signal detection.
  • Predictive maintenance – to prevent the high costs of military vehicle and equipment breakdowns, sensors can supply real-time AI-based data, e.g. a U.S. Army program which uses AI to improve combat readiness for its fleet of Bradley tanks.
  • Battlefield situational awareness and decision support – Advanced Battle Management Systems (ABMS) was designed to connect technology across US military services to better address increasingly sophisticated adversarial threats. The ABMS field test, which linked communications and sensor data collected by Air Force and Navy fighters, a naval destroyer, and an Army unit, is part of a new warfighting concept that envisions coordinated combat that spans the five warfare domains: land, sea, air, space, and cyberspace.

Experts in this field claim that a human still has a role on the battlefield, but the challenges would be very different from what we have known: his situational awareness, adversary identification capabilities, real-time intelligence, forces location, etc. will all be at his fingertips.


You better understand what data you share all the time with Google (or Apple):


Oracle VP highlights what happens when data leaves your devices.

No SIM card, no browser or app open, only the WiFi connection enabled:
Android constantly transmits: GPS location, time & date, movement, temperature, atmospheric pressure, other smartphones and WiFi hotspots nearby — all to Google, to the tune of 4 megabytes each hour.

Device sensor data, app data, network data, “goes to Google,” Oracle VP says

During a keynote presentation at the Competitive Carriers Association’s Mobile Carriers Show, Oracle Vice President of Strategic Initiatives Peter Lord provided an illuminating look at the amount and specificity of data sent from Android-based smartphones to Google, which created the pervasive mobile operating system.

He prefaced the presentation by noting, “This is not a magic show,” then explained how Oracle became interested in how Google uses data to conduct ad targeting. Engineers used an out-of-the-box Android device, coupled with a network tap and other monitoring tools, to understand the process.

“Android has taken over global compute,” Lord said, noting the OS runs more than 70% of global computing. “These devices are data collection devices. As a network provider, you get some information about your calls you’re making and what not. But information about the user and the data from that device, that goes to Google.” Same with sensor data, application data and more. “These devices…they know who you are.”

Lord said the demo phone, configured to default settings, sent 4.2 megabytes of upstream data compared to 150 kilobytes of downstream data when not in use for a period of time.

He said information leaving the phone is “probably for someone else’s benefit. If I’m roaming on your network, I’m paying Google. I’m subsidizing Google with my cell subscriber plan. That information…is not something that I thought I was sharing with anyone. Moreover, I didn’t think I was actually having to pay for it.”

Running through where the data was going, Lord pointed out a number of Google destinations as well as Facebook, which wasn’t even running on the phone. “We haven’t signed into Facebook. Why is this phone talking to Facebook? They’re actually trying to figure out the network quality and screen size of this device. They’re trying to give themself a fast lane on this device. That’s without me launching the app. It’s really curious for us as to why that’s actually happening.”


Hitting on the same spot (28 FEB 2020):

BERLINER MORGENPOST | FRIDAY, 28 FEBRUARY 2020

Battlefield Tech: What electronic warfare can learn from a wagon full of smartphones


Normally creating a traffic jam takes actual traffic, like the cars seen here. With a wagon full of smartphones, a traffic jam can be created without the need for a long line of cars. (EveryPicture, via Wikimedia Commons CC-BY-SA-3.0)

A single red wagon, hand pulled down the middle of a lightly traveled street, is an odd delivery mechanism for an electronic warfare attack.

It is only slightly less unusual as a kind of art exhibit. But the wagon’s payload, and its artist brush, is the same: 99 second-hand smartphones, all opened to Google Maps.

In a simple demonstration, Berlin-based artist Simon Weckert rolled the wagon full of phones through several streets and, in so doing, created virtual traffic jams as Google Maps interpreted the phones as slow-moving cars. Screen captures of the demonstration, paired with video from the street, show the traffic mapper interpreting the wagon phones as first nothing, then as a slowdown, and then in a deep red line painted over the virtual road, as a rush hour-esque standstill.

It is not that often that a Berlin digital arts experiment has lessons for electronic warfare and digital manipulation, but with the greater proliferation of virtual environments it’s worth pulling a few principles from this wagon of tricks.

First: identify how the default use of a system can be actively gamed.

Basing traffic density algorithms on the number of smartphones geolocated to a path along a street is, by and large, an effective short-hand for mapping traffic density in an era where cars themselves do not broadcast their location. Faking traffic, as done in real life by Weckert here or as explored within the code of the navigation apps as with this Waze demonstration from 2014, is a risk, but one that mostly requires deliberate action, and which can be checked against in-person observation, if needed.

Second: virtual hacks mostly cause real-life obstacles for people who rely on them.

Without having been in Berlin as Weckert rolled his wagon down the street, it’s hard to conclusively say what effect the virtual traffic jam had. For people already on the road, the new route information may have redirected them elsewhere, but only if they were also using a traffic-navigation aid.

As the military adopts tools like ATAK, the Android Team Awareness Kit, for tracking and coordinating movement in a virtual environment, planners and commanders should be aware of the possibility that additional, misleading information is pumped into the same system. Hiding the location of a formation of troops, or creating a false impression of a team in a vital overwatch position, are ways a spoofed virtual environment could lead to disaster.

Third: the existence of tracking data from commercial smart devices is only going to complicate the future.

Weckert’s demonstration used phones to simulate cars in a civilian street. That alone could be a means for forcing a reroute of a target and laying an ambush, should a malicious actor decide to do so. (And if Google doesn’t respond to mitigate how the map hack worked.) In a future where infantry carry personnel trackers, spoofed Fitbits attached to a drone could allow an adversary to create a false impression of peril far from where they want to act, pulling needed resources away from a fight on a virtual snipe chase.

Because virtual environments are used in real-time to understand and interpret the world, manipulating effects in a virtual space can spill over to real-world consequences.

from: https://www.c4isrnet.com/battlefield-tech/2020/02/06/what-electronic-warfare-can-learn-from-a-wagon-full-of-smart-phones/

 

 

LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks

New research from IOActive has found that “blindly” trusting the encryption of the widely adopted device protocol can lead to DDoS, sending of false data and other cyber attacks.

The LoRaWAN protocol has become standard in the world of industrial IoT because of its support for low-power wireless devices over long distances and its end-to-end encryption technology. However, bad implementations and security flaws make the protocol a real blind spot in the fraught world of IoT security, as LoRaWAN is easily susceptible to threats that could cause widespread disruption and even destruction if it’s not implemented correctly, IOActive researchers have found.

LoRaWAN, or Long Range Wide Area Networking protocol, allows low-powered devices to communicate with internet-connected applications over long-range wireless connections.  Users and developers of IoT devices in smart cities, industrial IoT, smart homes, smart utilities, vehicle tracking and healthcare have widely embraced the protocol because of the false sense of security its encryption provides, according to a report by IOActive released Tuesday.

In reality, LoRaWAN encryption keys are easily obtained by a savvy hacker to conduct DDoS attacks and send false data to networks, researchers have found. Moreover, it’s currently impossible for organizations to know if a LoRaWAN network is under attack or if an encryption key has been compromised, making defending against such attacks perilous, they said.

Indeed, it’s the perception that LoRaWAN is inherently secure that makes it so dangerous, noted Cesar Cerrudo, CTO at IOActive, the lead author of the report, “LoRaWAN networks susceptible to hacking: Common cyber security problems, how to detect and prevent them.”

“The LoRaWAN protocol is advertised as having ‘built-in encryption’ making it ‘secure by default,’” he wrote in the report. “As a result, users are blindly trusting LoRaWAN networks and not paying attention to cyber security; however, implementation issues and weaknesses can make these networks easy to hack.”

In version 1.0. of the protocol, there are four key elements that shape a LoRaWAN implementation.

The LoRaWAN protocol defines two layers of security: one at the network level and another at the application level, researchers described in the report.

The network-level security ensures the authenticity of the device in the network, providing integrity between the device and the network server, they wrote. The application-layer security is responsible for confidentiality with end-to-end encryption between the device and the application server, preventing third parties from accessing the application data being transmitted.

Each layer of protection depends on the security of two encryption keys–the Network Session Key (NwkSKey) and the Application Session Key (AppSKey), both of which are 128 bits long. These keys are “the source of the network’s only security mechanism, encryption,” and thus, once cracked, basically give hackers an open invitation to the devices and networks being protected by them, researchers noted.

Session Keys and Functions in LoRaWAN v1.0.3

The problem with this architecture is that the keys are surprisingly easy to obtain for people who aren’t supposed to have access to the network or devices, according to the researchers, who outline numerous ways bad actors can obtain the keys to LoRaWAN networks.

These methods include: using reverse engineering to “sniff” keys from devices; obtaining keys from device tags displaying the code administrators forgot to remove before a device was placed in its final location; stealing source code for a device from open-source repositories or vendors’ websites; guessing keys that show lack of sufficient randomness; or cracking a network with default or weak credentials or other security vulnerabilities and stealing the keys from these servers.

Other ways hackers can obtain encryption keys to LoRaWAN networks include by compromising the system of the device manufacturer responsible for installing the firmware with device keys; hacking the devices or computers of technicians responsible for deploying devices where the keys might be stored; obtaining the keys from flash drives or emails of clients or device manufacturers where they were disclosed and shared; breaching a service provider who had keys stored in their backups or databases; or obtaining an AppKey in a dictionary or brute-force attack, researchers wrote.

AppKey Cracking with JoinRequest and JoinAccept

Once bad actors obtain the encryption keys for a LoRaWAN network, they have a number of attack options available “to compromise the confidentiality and integrity of the data flowing to and from connected devices,” IOActive researchers wrote. These include conducting DDoS attacks that can disrupt communications between connected devices and the network server so companies can’t receive any data.

Attackers also can use the keys to intercept communications and replace these with false data, such as fake sensor and meter readings. In this way, bad actors can hide malicious activity or cause industrial equipment to damage itself, which could not just cause company disruption but potentially destruction of infrastructure or facilities if this occurs at a power plant or in the location of other critical infrastructure, researchers said.

The potential for these attacks is especially troubling since companies have no way to currently detect them, researchers noted. To help solve this issue, IOActive has released a LoRaWAN Auditing Framework on GitHub to help security administrators to audit and pentest the security of their LoRaWAN implementations.

Above all, researchers recommend that those implementing LoRaWAN networks make protecting security keys a top priority in the security of their implementations. Easy ways to do this include replacing keys provided by vendors with random keys; using different keys for different devices; auditing the root keys used to detect weak keys; and making sure service providers follow security best practices and have a secure infrastructure, they said.
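An added example, not code from the article or from IOActive's framework: a Python audit that applies the recommendations above (random keys, a different key per device, root keys checked for weakness) to a constructed device inventory. The check names, the distinct-byte threshold and every inventory value are assumptions of this example; the two public keys are the AES-128 example keys printed in NIST SP 800-38A and FIPS-197.

```python
from collections import defaultdict

# AES-128 example keys printed in public standards; a published key is not a secret.
KNOWN_PUBLIC_KEYS = {
    bytes.fromhex("2B7E151628AED2A6ABF7158809CF4F3C"),  # NIST SP 800-38A
    bytes.fromhex("000102030405060708090A0B0C0D0E0F"),  # FIPS-197
}
# Assumption: a random 16-byte key almost always has 14 or more distinct bytes.
MIN_DISTINCT_BYTES = 8

# Constructed inventory of (DevEUI, AppEUI, AppKey); all identifiers are made up.
INVENTORY = [
    ("70B3D50000000001", "70B3D5FFFF000001", "8F1C3A9E5D2B47A6C0E4F7183B6D92A5"),
    ("70B3D50000000002", "70B3D5FFFF000001", "00000000000000000000000000000000"),
    ("70B3D50000000003", "70B3D5FFFF000001", "2B7E151628AED2A6ABF7158809CF4F3C"),
    ("70B3D50000000004", "70B3D5FFFF000001", "70B3D5FFFF00000170B3D50000000004"),
    ("70B3D50000000005", "70B3D5FFFF000001", "5E9A0C71D34FB82E6A17C9F0423D8B65"),
    ("70B3D50000000006", "70B3D5FFFF000001", "5E9A0C71D34FB82E6A17C9F0423D8B65"),
    ("70B3D50000000007", "70B3D5FFFF000001", "0123456789ABCDEF0123456789ABCDEF"),
    ("70B3D50000000008", "70B3D5FFFF000001", "DEADBEEF"),
]


def parse_key(hex_key):
    """Return the 16 key bytes, or None if the value is not 128 bits of hex."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return None
    return raw if len(raw) == 16 else None


def has_short_period(raw):
    """True if the key is a single 1-, 2-, 4- or 8-byte block repeated."""
    return any(raw == raw[:n] * (16 // n) for n in (1, 2, 4, 8))


def has_constant_step(raw):
    """True if consecutive bytes differ by one fixed step mod 256 (00 01 02 ...)."""
    step = (raw[1] - raw[0]) % 256
    return all((raw[i + 1] - raw[i]) % 256 == step for i in range(15))


def embeds_identifier(raw, *euis_hex):
    """True if a DevEUI or AppEUI appears inside the key, in either byte order."""
    for eui_hex in euis_hex:
        eui = bytes.fromhex(eui_hex)
        if eui in raw or eui[::-1] in raw:
            return True
    return False


def audit(inventory):
    """Map each DevEUI to a sorted list of findings (empty list = nothing found)."""
    findings = {dev_eui: [] for dev_eui, _, _ in inventory}
    owners = defaultdict(list)  # key bytes -> devices provisioned with that key
    for dev_eui, app_eui, hex_key in inventory:
        raw = parse_key(hex_key)
        if raw is None:
            findings[dev_eui].append("malformed")
            continue
        owners[raw].append(dev_eui)
        if raw in KNOWN_PUBLIC_KEYS:
            findings[dev_eui].append("published")
        if has_short_period(raw):
            findings[dev_eui].append("repeating")
        if has_constant_step(raw):
            findings[dev_eui].append("constant-step")
        if len(set(raw)) < MIN_DISTINCT_BYTES:
            findings[dev_eui].append("low-diversity")
        if embeds_identifier(raw, dev_eui, app_eui):
            findings[dev_eui].append("derived-from-eui")
    # The same key on several devices means one extracted key exposes all of them.
    for devices in owners.values():
        if len(devices) > 1:
            for dev_eui in devices:
                findings[dev_eui].append("shared")
    return {dev_eui: sorted(found) for dev_eui, found in findings.items()}


if __name__ == "__main__":
    for dev_eui, found in audit(INVENTORY).items():
        print(dev_eui, ", ".join(found) if found else "ok")
```

Passing these checks shows only that a key is not obviously weak; it does not show that the key was generated by a cryptographically secure random source.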

 

from: https://threatpost.com/lorawan-encryption-keys-easy-to-crack-jeopardizing-security-of-iot-networks/152276/

 

 

Investment Backlog in Germany

In Germany there is currently a debate about whether the state invests enough in infrastructure and education. As the Statista chart based on an analysis by Handelsblatt shows, the volume of unclaimed funding is considerable. Of the money in the two funds intended to support particularly financially weak municipalities, around 44 percent and 92 percent respectively had still not been drawn down by the end of last year. The two so-called municipal investment promotion funds (Kommunalinvestitionsförderungsfonds) are meant to pay for, among other things, the renovation of hospitals and roads.

The situation is similar for the digital fund (Digitalfonds), where only a fraction of the total volume has been paid out. That fund, however, has only existed since last year. It is intended to support broadband expansion and the digitalization of schools. The daycare expansion fund (Kita-Ausbaufonds) is meant to create 100,000 additional childcare places for children aged three. The investment program was launched in 2017 and is due to be completed in 2020. So far, however, only 0.25 of 1.1 billion euros has been drawn down. The money from the flood reconstruction fund (Ausbauhilfefonds Hochwasser) has not been fully paid out either. Those funds are meant to repair the damage caused by the flood disaster of 2013. Eleven of the 16 federal states are affected.

This raises the question of whether the investment backlog in Germany can really be solved with more money. A 2017 study by IW Köln (PDF download) points to an important reason for the unsatisfactory situation: in the infrastructure sector, many federal states lack projects that are ready to build. That means these projects do not have immediate planning permission. The money would then often flow to the federal states that do have projects ready for construction. In transport infrastructure, Bavaria in particular is said to have benefited from this. The shortage of ready-to-build projects is attributed mainly to capacity bottlenecks in building authorities that resulted from staff cuts.

 

from: https://de.statista.com/infografik/20577/nicht-abgerufene-mittel-aus-sondervermoegen-des-bundes/

 

 

World’s Most Valuable Tech Companies

Silicon Valley’s digital economy has further extended its global dominance. Platform companies such as Apple, Microsoft, Amazon, Facebook or Google, whose parent company Alphabet became the fourth U.S. corporation to reach a market valuation of more than one trillion dollars, dominate the Western world and meet equal competitors only in Asia. Europe is out of the running.

This Linux smartphone is now shipping for $150

Shipping at only $149, Brave Heart is a fully open-source smartphone running Linux.  

Pine64’s open source PinePhone runs Linux and is designed for developers and early-adopters.

Computer and developer-board maker Pine64 has started shipping the first edition of its much-anticipated – at least in the open-source community – PinePhone, after pre-orders sold out. Dubbed “Brave Heart”, the device is indeed designed only for the keener hobbyists.

Shipping at only $149.99, Brave Heart is a fully open-source smartphone running Linux, which the company claims was developed “with the community for the community”, which means with developers and early adopters, and for developers and early adopters; and in this case, preferably for those who have extensive Linux experience.

In a departure from Android and iOS, Pine’s new project provides a platform for customers to develop Linux-on-phone projects. It does not come with a pre-installed OS, but supports all major Linux phone projects such as Ubuntu Touch, Sailfish OS and Plasma Mobile.

Although buyers get to choose their OS, it will be up to them to upload the platform to the Pine Phone – meaning the device is not designed for the average Joe.

“The “BraveHeart” Edition PinePhone does not come with default OS build installed, user needs to install their own favorite build. Most of the OS builds are still in beta stage,” it notes: “Only intend for these units to find their way into the hands of users with extensive Linux experience and an interest in Linux-on-phone.”

The company has been selling single-board computers and notebook computers, initially to compete with Raspberry Pi, since 2016. The devices are designed for developers who are interested in free and open-source software (FOSS) to work on applications. “Regardless of if you want to sequence DNA, build a robot or kill space invaders, we’ve got you covered,” says Pine64 on its website.

Powered by the same signature quad-core ARM64 found in Pine’s A64 single-board computers, the new phone’s specs are promising. Brave Heart has 2GB of RAM, 16GB of storage, a 5MP rear camera and a 2MP front one. There is also a headphone jack, a USB-C port and a Micro-SD slot.

Keeping in line with the company’s objectives, Pine64 also includes strong privacy settings in the new device. Under the removable back, for example, are six dip switches that let users kill the modem, GPS, WiFi, Bluetooth, microphone and cameras. 

The device sets itself against Purism’s Librem 5 smartphone, which started shipping last year albeit at the much higher price of $749. Contrary to Pine64’s technology, Librem 5 comes with Pure OS and Ubuntu Touch; but it includes similar security features such as hardware kill switches for the camera, mic, WiFi, Bluetooth and modem.

Pine64 has called the Brave Heart device a “milestone” for the company and the phone has certainly generated a lot of enthusiasm among developers. Although the early version of the Pine Phone is only shipping to the select few, the company says a consumer-ready version will be available from Spring 2020.

The manufacturer is also working on an open-source Linux tablet with a detachable keyboard, as well as on a smartwatch, so watch this space for more.

from: https://www.zdnet.com/article/this-linux-smartphone-is-now-shipping-for-150/

 

https://www.pine64.org/pinephone/

 

PINEPHONE – “BraveHeart” Limited Edition Linux SmartPhone for early adopters

$149.99

**********************  Disclaimer ***********************

  • The “BraveHeart” Limited Edition PinePhones are aimed solely for developer and early adopter. More specifically, only intend for these units to find their way into the hands of users with extensive Linux experience and an interest in Linux-on-phone.
  • The “BraveHeart” Edition PinePhone does not come with default OS build installed, user needs to install their own favorite build. Most of the OS builds are still in beta stage.
  • Estimate dispatch in mid January 2020

BODY:

  • Dimensions: 160.5mm x 76.6mm x 9.2mm
  • Weight: 185 grams
  • Build: Plastic
  • Colour: Black
  • SIM: Micro-SIM

DISPLAY:

  • Type: HD IPS capacitive touchscreen, 16M colors
  • Size: 5.95 inches
  • Resolution: 1440×720 pixels, 18:9 ratio

PLATFORM:

  • OS: Various open source mainline Linux or BSD mobile OSes
  • Chipset: Allwinner A64
  • CPU: 64-bit Quad-core 1.2 GHz ARM Cortex A-53
  • GPU: MALI-400

MEMORY:

  • Internal Flash Memory: 16GB eMMC
  • System Memory: 2GB LPDDR3 SDRAM
  • Expansion: micro SD Card support SDHC and SDXC, up to 2TB

CAMERA:

  • Main Camera: Single 5MP, 1/4″, LED Flash
  • Selfie Camera: Single 2MP, f/2.8, 1/5″

SOUND:

  • Loudspeaker: Yes, mono
  • 3.5mm jack with mic: Yes, stereo

COMMUNICATION:

  • Worldwide, Global LTE bands
  • LTE-FDD: B1/ B2/ B3/ B4/ B5/ B7/ B8/ B12/ B13/ B18/ B19/ B20/ B25/ B26/ B28
  • LTE-TDD: B38/ B39/ B40/ B41
  • WCDMA: B1/ B2/ B4/ B5/ B6/ B8/ B19
  • GSM: 850/900/1800/1900MHz
  • WLAN: Wi-Fi 802.11 b/g/n, single-band, hotspot
  • Bluetooth: 4.0, A2DP
  • GPS: Yes, with A-GPS, GLONASS

FEATURES:

  • USB: type C (SlimPort), USB Host, DisplayPort Alternate Mode output
  • Sensors: Accelerometer, gyro, proximity, ambient light, magnetometer(compass)
  • Actuator: Vibrator
  • Privacy Switches: LTE (include GPS), Wifi/BT, Mic, and Camera

BATTERY:

  • Removable Li-Po 2750-3000 mAh battery
  • Charging: USB type-C, 15W – 5V 3A Quick Charge, follows USB PD specification

PACKAGE:

  • PinePhone
  • USB-A to USB-C charging cable

Warranty: 30 days

Note:
  • Due to the Lithium-ion battery in the PinePhone, the shipment of PinePhone orders will be handled differently from other Pine64 products; that’s the reason we didn’t allow PinePhone orders to be combined with other Pine64 products. Sorry for any inconvenience caused.
  • Small numbers (1-3) of stuck or dead pixels are a characteristic of LCD screens. These are normal and should not be considered a defect.
  • When fulfilling the purchase, please bear in mind that we are offering the PinePhone at this price as a community service to PINE64, Linux and BSD communities. If you think that a minor dissatisfaction, such as a dead pixel, will prompt you to file a PayPal dispute then please do not purchase the PinePhone. Thank you.

from: https://store.pine64.org/?product=pinephone-braveheart-limited-edition-linux-smartphone-for-early-adaptor

 

Desktop Operating Systems as of DEC 2019

Tomorrow Microsoft ends support for Windows 7.

According to NetMarketShare, the operating system currently ranks second behind Windows 10 with a desktop market share of 26.6 percent. That means that from Tuesday, tens of millions of people worldwide will no longer receive updates for their operating system. The Windows version released in 2010 thereby becomes a security risk for its users.

This applies above all to private individuals. Companies and public authorities can pay for three more years of support. Anyone who nevertheless continues to use Windows 7 should be aware of the dangers. As the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) puts it: “Since publicly known vulnerabilities will no longer be closed, continued use of Windows 7 carries high risks for IT security.”

 

from: https://de.statista.com/infografik/20466/desktop-marktanteile-von-betriebssystemen-weltweit/

 

 

2019 – Banner Year For Data Exposures: Top 10 Breaches and Leaky Server Screw Ups

[Motivation finally enough to walk away from ‘black box systems’
and secure everything with the original Blockchain? — TJACK]

Top 10 Breaches and Leaky Server Screw Ups of 2019

From massive credential spills on the Dark Web and hacked data to card-skimming and rich profiles exposed by way of cloud misconfigurations, 2019 was a notable year for data breaches. Big names like Capital One, Macy’s and Sprint were impacted, as was the entire country of Ecuador and supply-chain companies like the American Medical Collection Agency. Here are our Top 10 data leak moments of the year.

Collections 1-4 Spill Millions of Credentials on the Dark Web

The year started out with a bang when a huge trove of data – containing 773 million unique email addresses and passwords – was discovered on a popular underground hacking forum. The credential spill was dubbed “Collection #1” and totaled 87 GB of data, with records culled from breaches that occurred as far back as 2010, including the well-known compromise of Yahoo. It was one of the largest jackpots ever seen when it comes to account-compromise efforts. Collections 2-4 soon followed, and ultimately more than 840 million account records from 38 companies appeared for sale on the Dark Web in February.

AMCA Supply-Chain Breach Impacts 20.1 Million

A hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, impacted 20.1 million patients over the summer, exposing personally identifiable information such as names, addresses and dates of birth, and also payment data. Three clinical laboratories offering blood tests and the like that relied on AMCA to process a portion of their consumer billing were hit: 12 million patients from Quest Diagnostics, another 7.7 million patients from LabCorp and 400,000 victims from OPKO Health.

Capital One: Another Year, Another Major FinServ Breach

In July, a massive breach of Capital One customer data hit more than 100 million people in the U.S. and 6 million in Canada. Thanks to a cloud misconfiguration, a hacker was able to access credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to ever hit a financial services company — putting it in the same league in terms of size as the Equifax incident of 2017. The FBI arrested a suspect in the case: A former engineer at Amazon Web Services (AWS), Paige Thompson, after she boasted about the data theft on GitHub. Researchers said that Capital One victims are going to be phished for years to come – long after their 12 months of credit monitoring is done.

Facebook’s Year of Breach Problems

Facebook had a bad year for breaches, including the December emergence of a hacked database containing the names, phone numbers and Facebook user IDs of 267 million platform users. The data may have been stolen from Facebook’s developer API before the company restricted API access to phone numbers and other data in 2018. And in September, an open server was discovered leaking hundreds of millions of Facebook user phone numbers. In April, researchers found two separate datasets, held by two app developers (Cultura Colectiva and At the Pool). The actual data source for the records (like account names and personal data) in these databases was Facebook.

Deep Profiles for the Entire Population of Ecuador Are Exposed

In September it came to light that the entire population of Ecuador (as well as Julian Assange) had been impacted by an open database with rich, detailed life information collected from public-sector sources by a marketing analytics company. The trove of data offered any attacker the ability to cross-reference and combine the data into a highly personal, richly detailed view of a person’s life. The records, for 20 million individuals, were gleaned from Ecuadorian government registries, an automotive association called Aeade, and the Ecuadorian national bank. Ecuador has about 16.5 million citizens in total (some of the entries were for deceased persons).

1.2B Rich Profiles Exposed By Data Brokers

In a similar incident to the Ecuador debacle, an open Elasticsearch server emerged in December that exposed the rich profiles of more than 1.2 billion people. The database consisted of scraped information from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and Github URLs and other data. Taken together, the profiles provide a 360-degree view of individuals, including their employment and education histories. All of the information was unprotected, with no login needed to access it. The data was linked to People Data Labs (PDL) and OxyData.io.

Security Specialist Imperva Smarts from Cloud Misconfiguration

In an ironic turn of events, cybersecurity company Imperva allowed hackers to steal and use an administrative Amazon Web Services (AWS) API key in one of Imperva’s production AWS accounts, thanks to a cloud misconfiguration. Hackers used Imperva’s Cloud Web Application Firewall (WAF) product to access a database snapshot containing emails, hashed and salted passwords, and some customers’ API keys and TLS keys. Because the database was accessed as a snapshot, the hackers made off with only old Incapsula records that go up to Sept. 15, 2017. However, the theft of API keys and SSL would allow an attacker to break companies’ encryption and access corporate applications directly.

Sprint Contractor Lays Open Phone Bills for 260K Subscribers

A cloud misconfig was also behind hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers being exposed to the open internet in December, thanks to the oversight of a contractor working with Sprint. More than 261,300 documents were stored – mainly cell phone bills from Sprint customers who switched from other carriers. Cell phone bills are a treasure trove of data, and include names, addresses and phone numbers along with spending histories and in many cases, call and text message records.

Magecart Siphons Off Millions of Payment Card Details

Magecart, the digital card-skimming collective encompassing several different affiliates all using the same modus operandi, is now so ubiquitous that its infrastructure is flooding the internet, researchers said earlier this year. Magecart attacks, which involve inserting virtual credit-card skimmers into e-commerce check-out pages, affected a range of companies throughout 2019; these included bedding retailers MyPillow and Amerisleep, the subscription website for the Forbes print magazine, at least 80 reputable brands in the motorsports industry and luxury apparel segments, popular skin care brand First Aid Beauty, Macy’s and streaming video and podcast content company Rooster Teeth.

Equifax Settlement Rankles Consumers

Equifax made notable news this year when it agreed to pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers. That includes $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S., and $100 million in civil penalties. Some consumers are furious over what they view as an unfair settlement though, with 200,000 of them signing a petition against the deal. The petition argues that very little of that cash will trickle down to those who actually suffered because of the breach.

 

from: https://threatpost.com/top-10-breaches-leaky-server-2019/151386/

 

 

The Great .ORG Heist: Internet Registry is Snatched Up By Private Equity Firm Ethos Capital for $1.1bn, Provoking Uproar

see also the previous article: https://www.bgp4.com/2019/11/26/internet-world-despairs-as-non-profit-org-tld-sold-by-isoc-for-to-private-equity-firm/

The old dream of an internet run in the public interest has long dissipated under pressure from huge corporations seeking to profit from what has become a worldwide information utility.

But one corner of the web seemed to maintain its character as a preserve for public service — the .org domain, which since its creation has been reserved for nonprofit organizations and has become something of a badge of honor of noncommercial activity.

The world’s first web page, in 1992. Things have changed since then.
(Fabrice Coffrini / AFP/Getty Images)

That’s why many in the nonprofit world were startled by the announcement on Nov. 13 that the .org registry had been sold to a private equity firm, Ethos Capital. The seller was the Internet Society, a nonprofit that plays an important role in creating and maintaining internet engineering standards, but has been mostly the guardian of the .org domain. The price, as was revealed more than two weeks later, was a stunning $1.135 billion.

In the original announcement, Internet Society Chief Executive Andrew Sullivan called the sale “an important and exciting development” and described Ethos as “a strong strategic partner that understands the intricacies of the domain industry.”

Others are not so sure. Ethos didn’t even exist until earlier this year, and currently appears to have only two employees, including Erik Brooks, its founder.

Brooks listed his investment principles for me as “intellectual honesty, humility and respect and believing that prosperity can be built together.” But a week after the sale announcement, it emerged that the financial backers of Ethos included several firms with more conventional investment approaches, including funds associated with the families of H. Ross Perot, Mitt Romney and the Johnsons, owners of Fidelity Investments.

Brooks says Ethos is committed to running the .org registry in accordance with principles followed by the Internet Society, but hasn’t made that commitment in writing.

At stake are internet addresses ending in “.org” used by some 10 million organizations. The .org designation, or domain, is one of the oldest on the internet, along with .com (for commercial businesses), .edu (educational institutions), .gov (government agencies) and a handful of others.

It’s traditionally reserved for nonprofit organizations devoted to the public interest, such as the Red Cross, the Girl Scouts, and the United Way.

Not every dot-org meets the public service standard, since applicants aren’t screened. Websites for political fronts, such as the Koch network’s Americans for Prosperity, carry the .org label. So do sites for neo-Nazi hate groups.

But for the most part, organizations genuinely aimed at doing good tend to choose .org addresses. And, for that matter, so do Democratic and Republican party websites.

The domain holds a special place in the hearts of internet users; environmentalist and internet activist Jacob Malthouse calls .org a “digital Yosemite,” evoking the reverence naturalists such as John Muir felt for the real thing.

During a recent online discussion on the sale, Jon Nevett, chief executive of the Public Interest Registry, or PIR, the Internet Society unit that manages .org and is the entity being sold to Ethos, called it “the crown jewel of the domain name system, full stop.”

The sale, which is expected to close in the first quarter of next year, could be derailed only by two entities. One is the Internet Corp. for Assigned Names and Numbers, or ICANN, the web’s Playa Vista-based governing body, which could rule on the transfer any day now. The other is Pennsylvania Orphans Court, which has jurisdiction because PIR is a nonprofit incorporated in that state.

In the meantime, the deal has drawn brickbats from several internet luminaries.

They include Tim Berners-Lee, the inventor of the World Wide Web, who tweeted that “it would be a travesty” if the .org domain were no longer operated in the public interest. Also weighing in was Esther Dyson, the founding chairwoman of ICANN, who tweeted that she was “appalled” at what she called “the great .ORG heist.”

The parties involved in the sale have tried to tamp down the controversy, without notable success. On Nov. 29, Sullivan and Gonzalo Camarillo, the Internet Society chairman, held a conference call with users to defend the deal.

That was followed by a web discussion on Dec. 5 hosted by NTEN, an advocacy group for nonprofits, at which Sullivan was joined by Brooks and Nevett.

Brooks said he was committed to operating PIR in the dot-org community’s interest but was vague about the “mechanism” that would be established to do so. He said Ethos would not be making its financial data public, unlike the Internet Society, which issues an annual financial disclosure.

The dot-org community has two main concerns about the sale. One is that Ethos will jack up the registration fee for .org websites, which is currently about $10 per year and has been subject to a traditional limit on increases of 10% a year.

More important may be Ethos’ ability to facilitate more censorship of .org websites by allowing third parties more latitude to object to content on those sites and prompt their shutdown.

“The .org registry is a point of control on the internet,” says Mitch Stoltz, an attorney at the Electronic Frontier Foundation, which has launched a campaign protesting the deal. “A private equity firm has an incentive to sell censorship as a service.”

Already, registrars of other domains have cut agreements with corporate players, such as the Motion Picture Assn. of America, giving them the authority to order shutdowns of sites they claim are infringing on copyrights without affording site owners the opportunity to appeal.

Academic publishers such as Elsevier have won court rulings aimed at shutting down Sci-Hub, a web service that offers free access to copyrighted scientific research — but it’s up to registries to decide whether to comply with the court orders. And repressive governments such as Turkey and Saudi Arabia have worked through internet intermediaries to censor information on the web.

As the owner of the .org domain, Stoltz observes, Ethos could “enforce any limitations on nonprofits’ speech.” Since many nonprofit organizations “are engaged in speech that seeks to hold governments and industry to account, those powerful interests have every incentive to buy the cooperation of a well-placed intermediary, including an Ethos-owned PIR.”

Brooks said during the NTEN forum that Ethos would take steps to ensure that “.org is a domain that’s open and free and not curated or censored in any way, shape or form.” But he stopped short of agreeing to a legally binding undertaking.

Adding to misgivings about the sale is its chronology. Talks between Ethos and the Internet Society began only weeks after June 30, when ICANN removed price restrictions on the .org domain and made it easier for PIR to take down sites that were the subject of third-party complaints about content.

Brooks says the end of the price caps had nothing to do with the sale, which he would have pursued anyway. But the deal’s critics point out that nonprofits with .org addresses are a “captive audience” for the domain’s owner. Once an organization has begun operating as a dot-org, changing to a different domain would be horrifically costly. Followers would have to be notified of the internet name change, email addresses reconfigured, and so on.

That would give Ethos considerable latitude to raise prices, notwithstanding Brooks’ promise to limit increases to 10% a year.

Sullivan and Camarillo said in their conference call that they had not been planning to put PIR up for sale, but Ethos’ bid was so large “we couldn’t just say no without considering” it.

Since the announcement, Ethos and the Internet Society have been stingy with details of the deal and its goals. Only on Nov. 20 — a week after the sale was announced — did Sullivan reveal, in an email to insiders, that the financial backers of Ethos included Perot Holdings, which is the investment arm of the late Ross Perot’s family; FMR LLC, which owns Fidelity Investments and is privately controlled by the Johnson family of Boston; and Solamere Capital, which was co-founded by Tagg Romney, son of Mitt Romney (who was himself a Solamere partner until he joined the U.S. Senate this year).

One open question is what Ethos expects to gain from its purchase. Domain registries such as PIR are responsible chiefly for maintaining a database of registrations and collecting annual fees. That makes the job “pretty much a license to print money,” Stoltz says.

Will Ethos and its private financial backers be satisfied with running a demure internet registry in the public interest, as opposed to squeezing their $1.135-billion investment for every penny?

Brooks told me by email that he expects PIR to invest in “growth initiatives” to “provide Ethos with a good return on its investment.” Yet there doesn’t seem to be much scope for turbocharging demand for the .org domain, which largely sells itself. That means the opportunity for generating more revenue could hinge on raising the annual fee, unless the firm has other new ideas.

As for the Internet Society, its interest seemed to be stabilizing its finances by replacing the revenue from .org fees — which reached $44.4 million last year, about 85% of its total revenue — with income from a professionally managed $1.135-billion endowment. “Responsibly invested and managed,” Sullivan told listeners on the Nov. 29 conference call, the society could replicate its annual take from .org fees “in perpetuity.”

Sullivan’s words point to what may really be roiling the dot-org community about the deal. That’s the transformation of what was one of the last vestiges of the web’s image as a public utility managed informally in the public interest, immune from commercial or government control, into just another asset to be monetized.

During the conference call and in other forums, Sullivan and Camarillo talked about the need to “diversify” the Internet Society’s revenue stream rather than relying for revenue on “one company in one industry,” which made them sound a bit like the CEO of a washing machine company pondering whether to branch out into refrigerators and cooktops.

Commerce has infiltrated virtually every corner of the web except, up to now, the nonprofit corner represented by dot-orgs. The implication of the .org sale is that no piece of the internet is, in fact, immune from the world of getting and spending — everything is for sale, the public interest be damned.

 

from: https://www.latimes.com/business/story/2019-12-12/dot-org-sale-outrage-internet-society-ethos-capital

 

 

What is a brain-computer interface? Everything you need to know about BCIs, neural interfaces and the future of mind-reading computers


Systems that allow humans to control or communicate with technology using only the electrical signals in the brains or muscles are fast becoming mainstream. Here’s what you need to know.

What is a brain-computer interface? It can’t be what it sounds like, surely?
Yep, brain-computer interfaces (BCIs) are precisely what they sound like — systems that connect up the human brain to external technology.

It all sounds a bit sci-fi. Brain-computer interfaces aren’t really something that people are using now, are they?
People are indeed using BCIs today — all around you. At their most simple, a brain-computer interface can be used as a neuroprosthesis — that is, a piece of hardware that can replace or augment nerves that aren’t working properly. The most commonly used neuroprostheses are cochlear implants, which help people with parts of their ear’s internal anatomy to hear. Neuroprostheses to help replace damaged optic nerve function are less common, but a number of companies are developing them, and we’re likely to see widespread uptake of such devices in the coming years.

So why are brain-computer interfaces described as mind-reading technology?
That’s where this technology is heading. There are systems, currently being piloted, that can translate your brain activity — the electrical impulses — into signals that software can understand. That means your brain activity can be measured; real-life mind-reading. Or you can use your brain activity to control a remote device.

When we think, thoughts are transmitted within our brain and down into our body as a series of electrical impulses. Picking up such signals is nothing new: doctors already monitor the electrical activity in the brain using EEG (electroencephalography) and in the muscles using EMG (electromyography) as a way of detecting nerve problems. In medicine, EEG and EMG are used to find diseases and other nerve problems by looking for too much, too little or unexpected electrical activity in a patient’s nerves.

Now, however, researchers and companies are looking at whether those electrical impulses could be decoded to give an insight into a person’s thoughts.

Can BCIs read minds? Would they be able to tell what I’m thinking right now?
At present, no. BCIs can’t read your thoughts precisely enough to know what your thoughts are at any given moment. Currently, they’re more about picking up emotional states or which movements you intend to make. A BCI could pick up when someone is thinking ‘yes’ or ‘no’, but detecting more specific thoughts, like knowing you fancy a cheese sandwich right now or that your boss has been really annoying you, is beyond the scope of most brain-computer interfaces.

OK, so give me an example of how BCIs are used.
A lot of interest in BCIs is from medicine. BCIs could potentially offer a way for people with nerve damage to recover lost function. For example, in some spinal injuries, the electrical connection between the brain and the muscles in the limbs has been broken, leaving people unable to move their arms or legs. BCIs could potentially help in such injuries by either passing the electrical signals onto the muscles, bypassing the broken connection and allowing people to move again, or helping patients use their thoughts to control robotics or prosthetic limbs that could make movements for them.

They could also help people with conditions such as locked-in syndrome, who can’t speak or move but don’t have any cognitive problems, to make their wants and needs known.

What about the military and BCIs?
Like many new technologies, BCIs have attracted interest from the military, and US military emerging technology agency DARPA is investing tens of millions of dollars in developing a brain-computer interface for use by soldiers.

More broadly, it’s easy to see the appeal of BCIs for the military: soldiers in the field could patch in teams back at HQ for extra intelligence, for example, and communicate with each other without making a sound. Equally, there are darker uses that the army could put BCIs to — like interrogation and espionage.

What about Facebook and BCIs?  
Facebook has been championing the use of BCIs and recently purchased a BCI company, CTRL-labs, for a reported $1bn. Facebook is looking at BCIs from two different perspectives. It’s working with researchers to translate thoughts to speech, and its CTRL-labs acquisition could help interpret what movements someone wants to make from their brain signals alone. The common thread between the two is developing the next hardware interface.

Facebook is already preparing for the way we interface with our devices to change. In the same way we’ve moved from keyboard to mouse to touchscreen and most recently to voice as a way of controlling technology around us, Facebook is betting that the next big interface will be our thoughts. Rather than type your next status update, you could think it; rather than touch a screen to toggle between windows, you could simply move your hands in the air.

I’m not sure I’m willing to have a chip put in my brain just to type a status update.
You may not need to: not all BCI systems require a direct interface to read your brain activity.

There are currently two approaches to BCIs: invasive and non-invasive. Invasive systems have hardware that’s in contact with the brain; non-invasive systems typically pick up the brain’s signals from the scalp, using head-worn sensors.

The two approaches have their own different benefits and disadvantages. With invasive BCI systems, because electrode arrays are touching the brain, they can gather much more fine-grained and accurate signals. However, as you can imagine, they involve brain surgery and the brain isn’t always too happy about having electrode arrays attached to it — the brain reacts with a process called glial scarring, which in turn can make it harder for the array to pick up signals. Due to the risks involved, invasive systems are usually reserved for medical applications.

Non-invasive systems, however, are more consumer friendly, as there’s no surgery required — such systems record electrical impulses coming from the skin either through sensor-equipped caps worn on the head or similar hardware worn on the wrist like bracelets. It’s likely to be that in-your-face (or on-your-head) nature of the hardware that holds back adoption: early adopters may be happy to sport large and obvious caps, but most consumers won’t be keen to wear an electrode-studded hat that reads their brain waves.

There are, however, efforts to build less intrusive non-invasive systems: DARPA, for example, is funding research into non-surgical BCIs and one day the necessary hardware could be small enough to be inhaled or injected.

Why are BCIs becoming a thing now?
Researchers have been interested in the potential of BCIs for decades, but the technology has come on at a far faster pace than many have predicted, thanks largely to better artificial intelligence and machine-learning software. As such systems have become more sophisticated, they’ve been able to better interpret the signals coming from the brain, separate the signals from the noise, and correlate the brain’s electrical impulses with actual thoughts.

Should I worry about people reading my thoughts without my permission? What about mind control?
On a practical level, most BCIs are only unidirectional — that is, they can read thoughts, but can’t put any ideas into users’ minds. That said, experimental work is already being undertaken around how people can communicate through BCIs: one recent project from the University of Washington allowed three people to collaborate on a Tetris-like game using BCIs.

The pace of technology development being what it is, bidirectional interfaces will be more common before too long. Especially if Elon Musk’s BCI outfit Neuralink has anything to do with it.

What is Neuralink? 
Elon Musk galvanised interest in BCIs when he launched Neuralink. As you’d expect from anything run by Musk, there’s an eye-watering level of both ambition and secrecy. The company’s website and Twitter feed revealed very little about what it was planning, although Musk occasionally shared hints, suggesting it was working on brain implants in the form of ‘neural lace’, a mesh of electrodes that would sit on the surface of the brain. The first serious information on Neuralink’s technology came with a presentation earlier this year, showing off a new array that can be implanted into the brain’s cortex by surgical robots.

Like a lot of BCIs, Neuralink’s was framed initially as a way to help people with neurological disorders, but Musk is looking further out, claiming that Neuralink could be used to allow humans a direct interface with artificial intelligence, so that humans are not eventually outpaced by AI. It might be that the only way to stop ourselves becoming outclassed by machines is to link up with them — if we can’t beat them, Musk’s thinking goes, we may have to join them.

 

from: https://www.zdnet.com/article/what-is-bci-everything-you-need-to-know-about-brain-computer-interfaces-and-the-future-of-mind-reading-computers/

see also: https://www.zdnet.com/article/musks-neuralink-uses-brain-threads-to-try-and-read-your-mind/

 

 

One Of The Largest Data Centers In The US – CyrusOne, Texas – Hit by Ransomware Attack


Texas-based data center provider CyrusOne has reportedly fallen victim to an attack from REvil (Sodinokibi) ransomware, business tech-focused publication ZDNet reported on Dec. 5.

One of the largest data centers in the United States, CyrusOne has reportedly been exposed to an attack by a variant of the REvil (Sodinokibi) ransomware, which previously hit a number of service providers, local governments and businesses in the country.

The scope of the attack

In an email to Cointelegraph, CyrusOne confirmed:

“Six of our managed service customers, located primarily in our New York data center, have experienced availability issues due to a ransomware program encrypting certain devices in their network.” 

The firm went on to assure viewers that law enforcement was working on the matter and that their “data center colocation services, including IX and IP Network Services, are not involved in this incident.” 

Just business

Per the ransom note obtained by ZDNet, the attackers targeted CyrusOne’s network, with the sole objective of receiving a ransom. Those behind the attack claimed in the note that they consider the attack nothing more than a business transaction, aimed exclusively at profiting.

In the event the company does not cooperate with the attackers, it will purportedly lose the affected data as the cybercriminals claim to have the private key.

To pay or not to pay?

This spring, Riviera Beach, Florida, was hit by a hacker attack, in which the hackers allegedly encrypted government records, blocking access to critical information and leaving the city without an ability to accept utility payments other than in person or by regular mail. The city council eventually agreed to pay nearly $600,000 worth of Bitcoin (BTC) to regain access to data encrypted in the attack.

In late October, hackers compromised the website of the city of Johannesburg, South Africa, and demanded ransom in Bitcoin. The breach affected several customer-facing systems — hardware or software customers interact with directly, such as user interfaces and help desks. The city authorities refused to pay the ransom.

Meanwhile, a number of Finnish cities and organizations are rehearsing how to respond when a group of hackers demands the participants pay a ransom during a series of simulated cyberattacks.

 

from: https://cointelegraph.com/news/texas-based-data-center-cyrusone-hit-by-ransomware-attack

 

 

Hilarious Phishing & Malware Attempts


Like everyone else (well, maybe more than everyone else) I regularly get these phishing messages (“we try to make you click on the attachment, which of course is riddled with mal/ransomware”).

Hilarious to me, when it is sent to an automated, harvested e-mail address, which is 32 years old now (still works, obviously), and a “honeytrap” address these days.

Usually I just click on the “Junk” button, so the sender’s email address is fed into the global anti-spam and anti-phishing databases (the kind of ‘Spamhaus’, SORBS, SPEWS, and such, which I helped survive against massive DDoS attacks originating from Russian spammers between 2002 and 2005) and thus “burned” … but in some cases, like this one, I am curious where they actually come from.

In this case, no effort is made to hide the origin in the SMTP headers:

Looking up that IP in geo-location services, three different services put it in St Petersburg, Russia (formerly known as ‘Leningrad’, now the second largest city in the Russian Federation):

That does not necessarily mean it is Russians behind it, but for such a lame phishing attempt, it seems hardly useful to run a proxy-server in St Petersburg to make it look like it comes from there.

So, to my friends over there behind the digital iron curtain: nice try! :wink:

Lesson for the esteemed reader: do not ever click on attachments you have the slightest doubt about; if the common-sense-check on a message fails, delete it.

If you are sure it is spam: “junk” it instead of “delete” – as outlined above, it burns the sender e-mail address in a very short time.

And if you actually think such a message could have any validity at all, go directly to your provider’s website (manually!) and check on it there — let me repeat: do not ever click on any attachments.

Especially if you are of the faithful kind and run Microsoft Windows of any version …
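One way to read the origin out of the SMTP headers, as discussed above (an added example, not part of the original post): only the `Received` line written by your own mail server is trustworthy, so the sketch walks the chain newest-first and stops at the first hop where a trusted server recorded an external peer. The message, hostnames, addresses and function names are all constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (documentation address ranges, not a real mail).
# The third Received line is sender-supplied and forged to look like it was
# written by our own MX; the fourth is the sender's own, unverifiable claim.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [10.0.0.5])
    by mailstore.example.net with LMTP id abc123;
    Tue, 10 Dec 2019 09:14:07 +0000
Received: from mail.sender.invalid (unknown [203.0.113.45])
    by mx1.example.net with ESMTP id def456
    for <old-address@example.net>; Tue, 10 Dec 2019 09:14:05 +0000
Received: from relay (relay.example.net [10.0.0.9])
    by mx1.example.net with ESMTP; Tue, 10 Dec 2019 09:13:59 +0000
Received: from workstation (localhost [198.51.100.7])
    by mail.sender.invalid with SMTP; Tue, 10 Dec 2019 12:13:50 +0300
From: "Billing" <billing@sender.invalid>
To: old-address@example.net
Subject: Your invoice

Please see the attached invoice.
"""

# Assumptions for this example: the servers we operate and our internal ranges.
TRUSTED = {"mailstore.example.net", "mx1.example.net"}
INTERNAL = ["10.0.0.0/8", "127.0.0.0/8"]

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_hops(raw):
    """Return the Received hops, newest first, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())          # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue                            # malformed address literal
        rdns = m["rdns"]
        hops.append({
            "helo": m["helo"],
            "rdns": rdns,
            "ip": str(ip),
            "by": m["by"].rstrip(";"),
            # HELO name confirmed by the receiver's reverse lookup?
            "rdns_matches_helo": bool(rdns) and rdns.lower() == m["helo"].lower(),
        })
    return hops


def boundary_hop(raw, trusted_receivers, internal_nets):
    """Return the hop where the mail entered our servers from outside.

    Everything below that hop was supplied by the sender and may be forged,
    including lines that claim to be written by one of our own hosts.
    """
    trusted = {h.lower() for h in trusted_receivers}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for hop in parse_hops(raw):
        if hop["by"].lower() not in trusted:
            return None                         # chain left our control early
        addr = ipaddress.ip_address(hop["ip"])
        if not any(addr in net for net in nets):
            return hop                          # first external peer we saw
    return None


if __name__ == "__main__":
    hop = boundary_hop(SAMPLE, TRUSTED, INTERNAL)
    print("connecting peer:", hop["ip"], "HELO:", hop["helo"],
          "rDNS confirmed:", hop["rdns_matches_helo"])
```

The address returned is the peer that connected to your server, which may itself be a relay or proxy, so a geo-location lookup on it says where the connection came from, not who sent the message.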

 

 

 

 

 

 

Data on 1.2 Billion Users Found in Exposed AWS Elasticsearch Server


An exposed Elasticsearch server was found to contain data on more than 1.2 billion people, Data Viper security researchers report.

The server was accessible without authentication and it contained 4 billion user accounts, spanning more than 4 terabytes of data, security researchers Bob Diachenko and Vinny Troia discovered last month.

Analysis of the data revealed that it pertained to over 1.2 billion unique individuals and that it included names, email addresses, phone numbers, and LinkedIn and Facebook profile information.

Further investigation led the researchers to the conclusion that the data came from two different data enrichment companies. Thus, the leak in fact represents data aggregated from various sources and kept up to date.

Most of the data was stored in 4 separate data indexes, labeled “PDL” and “OXY”, and the researchers discovered that the labels refer to two data aggregator and enrichment companies, namely People Data Labs and OxyData.

Analysis of the nearly 3 billion PDL user records found on the server revealed the presence of data on roughly 1.2 billion unique people, as well as 650 million unique email addresses.

Not only do these numbers fall in line with the statistics the company posted on their website, but the researchers were able to verify that the data on the server was nearly identical to the information returned by the People Data Labs API.

“The only difference being the data returned by the PDL also contained education histories. There was no education information in any of the data downloaded from the server. Everything else was exactly the same, including accounts with multiple email addresses and multiple phone numbers,” the researchers explain.

Vinny Troia also found in the leak information related to a landline phone number he was given roughly 10 years back as part of an AT&T TV bundle. Although the landline was never used, the information was present on the researcher’s profile, and was included in the data set PeopleDataLabs.com had on him.

The company told the researchers that the exposed server, which resided on Google Cloud, did not belong to it. The data, however, was clearly coming from People Data Labs.

Some of the information on the exposed Elasticsearch, the researchers revealed, came from OxyData, although this company too denied being the owner of that server. After receiving a copy of his own user record with the company, Troia confirmed that the leaked information came from there.

The researchers couldn’t establish who was responsible for leaving the server wide open to the Internet, but suggest that this is a customer of both People Data Labs and OxyData and that the data might have been misused rather than stolen.

“Due to the sheer amount of personal information included, combined with the complexities of identifying the data owner, this has the potential to raise questions on the effectiveness of our current privacy and breach notification laws,” the researchers conclude.

“From the perspective of the people whose information was part of this dump, this doesn’t qualify as a cut-and-dry data breach. The information ‘exposed,’ is already available on LinkedIn, Facebook, GitHub, etc. begging a larger discussion about how we feel about data aggregators who compile this information and sell it, because it’s a standard practice,” Dave Farrow, senior director of information security at Barracuda Networks, told SecurityWeek in an emailed comment.

Jason Kent, hacker at Cequence Security, also commented via email, saying, “Here we see a new and potentially dangerous correlation of data like never before. […] if an attacker has a rich set of data, they can formulate very targeted attacks. The sorts of attacks that can result in knowing password recovery information, financial data, communication patterns, social structures, this is how people in power can be targeted and eventually the attack can work.”

 

from: https://www.securityweek.com/data-12-billion-users-found-exposed-elasticsearch-server

 

 

Can hundreds of unrelated satellites create a GPS backup?


The Space Development Agency’s head says that position and timing data from low-Earth orbit satellites can be used to verify or replace GPS in denied or degraded environments. (DARPA)

The head of the Space Development Agency wants to use proliferated low-Earth orbit satellites for navigation when GPS is unavailable.

As adversaries develop tools that can jam or spoof Global Positioning System signals, the military has prioritized the development of alternative sources of positioning, navigation and timing data for the war fighter. Solutions range from using real-time drone imagery to chip-scale atomic clocks, but at the Association of the United States Army conference Oct. 16, Acting Director Derek Tournear threw out another idea: using the positioning and timing data of the hundreds of satellites his agency plans to put in orbit for navigation.

The SDA was established earlier this year to rapidly develop a number of capabilities in low-Earth orbit, and the agency’s current plan calls for hundreds of satellites operating in LEO serving a variety of missions, from hypersonic missile detection and tracking to finding and identifying objects in cislunar space. An important component of that architecture is a data transport layer providing a crosslink between satellites in orbit and then bringing that data down to the ground. According to Tournear, that transport layer could be used to transfer positioning and timing data to ground users from satellites without having another dedicated PNT satellite system in orbit.

“If you have this crosslink between satellites, you can do timing transfer. So, you have very good timing information at the satellite level. If you have open communication down to any system and you can see multiple satellites, that gives you another means to use your existing comms system to get navigation independent of any other user equipment,” explained Tournear.

Using the precise timing and positional information of those satellites in LEO, users could triangulate their position in GPS-denied or -degraded environments. It’s essentially the same way smartphones can use cell towers for navigation if they can’t get a GPS signal.

“If you turn off your GPS receiver on your phone, you will still get a navigation signal on your phone based on cellphone towers, because the cellphone towers know their position and they know exact timing, so they can triangulate your position,” said Tournear. “That is not a replacement for how GPS is used for worldwide PNT coverage, but it is another way to get assured PNT and another way to validate a GPS signal.”

 

from: https://www.c4isrnet.com/battlefield-tech/c2-comms/2019/11/29/can-hundreds-of-unrelated-satellites-create-a-gps-backup/

 

 

Persistent broadband connection: Intellian’s 1.5 meter antenna can switch between LEO and GEO


The US Navy recently live tested a new antenna that can switch between satellites in low earth orbit and geostationary orbit, fulfilling a key need for the military moving forward.

Using Intellian’s 1.5 meter antenna, the Navy was able to maintain a broadband connection while switching between Telesat’s satellites in low earth orbit and geostationary orbit. The demonstration shows how in a scenario where a satellite in geostationary orbit is attacked or denied, the antenna is able to switch to a LEO satellite to maintain a persistent broadband connection.

“Live testing over Telesat Ka-band satellites with Intellian’s 1.5m Ka convertible VSAT confirms that the antenna is an important innovation accessing space-based ‘layers’ of satellites in next-gen space architecture,” said Kurt Fiscko, technical director of PMW/A 170 at PEO C4I in a statement.

“One of the key elements that the government is looking for, particularly the military, is a path to more resilient, more flexible networking in space,” said Telesat’s Don Brown in an interview. “What Telesat is doing in this demonstration with Intellian is addressing one of the key proof points of future resiliency and flexibility … the ability to go between GEO satellite constellation and LEO constellations.”

According to Telesat’s Rich Pang, the antenna is perfectly sized for use on the Navy’s small ship variants.

Telesat is also a contractor working on DARPA’s Project Blackjack, an effort to demonstrate the military utility of a constellation of small LEO satellites. The Space Development Agency is building off of that effort to build the U.S. military’s next generation space architecture in LEO. Comprised of hundreds of small satellites in LEO, that architecture is meant to create resiliency through numbers and provide a backup to many capabilities that are currently provided through a few exquisite satellites in GEO.

“The real impetus for this demonstration is that the government has come out and said, ‘we don’t want to be locked into not only one particular provider, but we want to be able to operate in multiple regimes so we can be disaggregated and resilient,’” said Pang. “So if someone attacks the GEO belt and takes out those assets I can switch to LEO, or vice versa.”

 

from: https://www.c4isrnet.com/special-reports/space-missile-defense/2019/11/29/this-antenna-can-switch-between-leo-and-geo/

 

 

Cyborg warriors could be here by 2050, DoD study group says


A mockup of U.S. SOCOM’s TALOS suit — a bold project, but one that ultimately brought less tech than initially hoped. (DoD)

Ear, eye, brain and muscular enhancement is “technically feasible by 2050 or earlier,” according to a study released this month by the U.S. Army’s Combat Capabilities Development Command.

The demand for cyborg-style capabilities will be driven in part by the civilian healthcare market, which will acclimate people to an industry fraught with ethical, legal and social challenges, according to Defense Department researchers.

Implementing the technology across the military, however, will likely run up against the dystopian narratives found in science fiction, among other issues, the researchers added.

The report — entitled Cyborg Soldier 2050: Human/Machine Fusion and the Implications for the Future of the DOD — is the result of a year-long assessment.

It was written by a study group from the DoD Biotechnologies for Health and Human Performance Council, which is tasked to look at the ripple effects of military biotechnology.

The team identified four capabilities as technically feasible by 2050:

  • ocular enhancements to imaging, sight and situational awareness;
  • restoration and programmed muscular control through an optogenetic bodysuit sensor web;
  • auditory enhancement for communication and protection; and
  • direct neural enhancement of the human brain for two-way data transfer.

The study group suggested that direct neural enhancements in particular could revolutionize combat.

“This technology is predicted to facilitate read/write capability between humans and machines and between humans through brain-to-brain interactions,” an executive summary reads. “These interactions would allow warfighters direct communication with unmanned and autonomous systems, as well as with other humans, to optimize command and control systems and operations.”

Cyborg technologies are likely to be used among civil society as well over the next 30 years, the researchers noted.

Development of these capabilities will probably “be driven by civilian demand” and “a robust bio-economy that is at its earliest stages of development in today’s global market,” the group wrote.

But it’s after the year 2050 that the implications of cyborg capabilities become concerning.

“Introduction of augmented human beings into the general population, DoD active-duty personnel, and near-peer competitors will accelerate in the years following 2050 and will lead to imbalances, inequalities, and inequities in established legal, security, and ethical frameworks,” the summary reads.

The study group proposed seven recommendations, listed in no particular order, for Pentagon leaders to consider:

  • The military should take a second look at the global and societal perception of human-machine augmentation. Americans typically imagine China or Russia developing runaway technologies because of a lack of ethical concerns, but “the attitudes of our adversaries toward these technologies have never been verified,” researchers wrote.
  • U.S. political leaders should use forums like NATO to discuss how cyborg advancements could impact interoperability between allied forces during operations.
  • The Pentagon should start investing in legal, security and ethical frameworks to anticipate emerging technologies and better prepare for their impact. Leaders should support policies that “protect individual privacy, sustain security, and manage personal and organizational risk, while maximizing defined benefits to the United States and its allies and assets,” the study group wrote.
  • Military leaders should also work to reverse the “negative cultural narratives of enhancement technologies.” It’s no secret that science fiction’s depiction of cyborg technologies revolves around dystopian futures. Transparency in how the military adopts this technology will help to alleviate concerns, while capitalizing on benefits, according to the study group.
  • The Pentagon should use wargames to gauge the impact of asymmetric biotechnologies on tactics, techniques and procedures. DoD personnel can support this through targeted intelligence assessments of the emerging field.
  • A whole-of-nation, not whole-of-government, approach to cyborg technologies is preferred. As it stands, “federal and commercial investments in these areas are uncoordinated and are being outpaced by Chinese research and development,” the study group wrote. If Chinese firms dominate the commercial sector, the U.S. defense sector will also be at a disadvantage.
  • Finally, the long-term safety concerns and the impact of these technologies on people should be monitored closely.

“The benefits afforded by human/machine fusions will be significant and will have positive quality-of-life impacts on humankind through the restoration of any functionality lost due to illness or injury,” the study group wrote.

But as these technologies evolve, “it is vital that the scientific and engineering communities move cautiously to maximize their potential and focus on the safety of our society,” the study group added.

 

from: https://www.armytimes.com/news/your-army/2019/11/27/cyborg-warriors-could-be-here-by-2050-dod-study-group-says/

 

 

Insecure Microsoft Azure Database Exposes Millions of Private SMS Messages

Researchers discovered an unprotected TrueDialog database hosted by Microsoft Azure with diverse and business-related data from tens of millions of users.

Tens of millions of SMS messages have been found on an unprotected database, putting the private data of hundreds of millions of people in the United States at risk for theft or exposure and leaving a communications company open for potential intrusion, security researchers discovered.

Noam Rotem and Ran Locar from the research team of vpnMentor found the database, which they said belongs to TrueDialog, a U.S.-based communications company, according to a blog post. Based in Austin, Texas, TrueDialog provides bulk SMS services for small businesses, colleges and universities, which means that the majority of the messages were business-related, researchers said.

Moreover, the insecure database was linked to “many aspects” of TrueDialog’s business, potentially increasing unauthorized access to the data of millions of people as well as exposing an unusually diverse data set, they said.

“Hundreds of millions of people were potentially exposed in a number of ways,” according to the post. “It’s rare for one database to contain such a huge volume of information that’s also incredibly varied.”

Although companies know the risks of leaving data unprotected online in this era of cloud-based storage, insecure databases are a persistent problem and remain one of the leading ways data breaches occur. These breaches not only put the customers and users of the companies that exposed the data at risk, but also leave the owners of the databases more susceptible to security threats.

Researchers discovered the exposed TrueDialog database on Nov. 26 and contacted TrueDialog two days later, on the 28th. At last look, the database, hosted by Microsoft Azure and on the Oracle Marketing Cloud, held 604 gigabytes of data, with nearly a billion entries that included “sensitive data,” according to researchers.

Types of data found unprotected included:

  • full names of message recipients, TrueDialog account holders and TrueDialog users;
  • message content;
  • email addresses;
  • phone numbers of both recipients and account users;
  • dates and times that messages were sent; and
  • message status indicators.

The account details of TrueDialog account holders also were exposed in the messages, researchers said.

The scope of the leaky data has broad implications for TrueDialog, their users and the recipients of the messages, researchers said.

For users and message-recipients whose data was exposed, their personal details could be sold to marketers and spammers and used for purposes that range from annoying to criminal.

TrueDialog may get the brunt of the impact, however, researchers said. Not only does the unprotected data harm the company’s reputation and allow competitors to capitalize on this, but it also can give competitors an edge over them by providing insight into TrueDialog’s business model and practices, according to the post.

Bad actors also have an opportunity to find and exploit vulnerabilities within TrueDialog’s system by accessing the logs of internal system errors included in the exposed data, researchers added.

 

from: https://threatpost.com/insecure-database-exposes-millions-of-private-sms-messages/

 

 

France to Test Its Central Bank Digital Euro Currency in Q1/2020

The central bank of France plans to pilot a central bank digital currency (CBDC) for financial institutions in 2020. François Villeroy de Galhau, the governor of the Bank of France, announced that the bank will start testing the digital euro project by the end of the first quarter of 2020, French financial publication Les Echos reports Dec. 4.

The Bank of France confirmed the news on Twitter, noting that the announcement was made at a conference co-hosted by two major French financial regulators, the French Prudential Supervision and Resolution Authority and the Autorité des marchés financiers.

https://twitter.com/banquedefrance/status/1202217934560608256?s=20

Digital euro pilot won’t involve retail customers

According to the report, the digital euro pilot will only target private financial sector players and won’t involve retail payments made by individuals. Villeroy reportedly noted that a digital currency for retail customers would “be subject to special vigilance.”

As reported by Les Echos, the initiative intends to strengthen the efficiency of the French financial system, while ensuring trust in the currency.

Preventing Libra’s impact

Moreover, the project aims to assert France’s sovereignty over private digital currency initiatives like Facebook’s stablecoin Libra, Villeroy reportedly said.

Villeroy’s stance falls in line with previous statements by French finance minister Bruno Le Maire, who argued that regulators cannot allow the launch of Libra on European soil due to monetary sovereignty concerns.

According to some reports, France led the anti-Libra effort alongside Germany, Italy, Spain and the Netherlands.

Villeroy calls on France to become the first country in the world to issue a CBDC

According to a tweet by the Bank of France, its governor emphasized that France should become the first country in the world to issue a CBDC and provide an exemplary model to other jurisdictions. He stated:

“I see the interest in rapidly advancing the issuance of at least one central bank digital currency in order to be the leading issuer globally and get the benefits associated with providing an exemplary central bank digital currency.”

France has emerged as a major adopter of blockchain tech and Bitcoin

Meanwhile, France has appeared to be at the forefront of adopting crypto and blockchain technology as its government has initiated and encouraged a number of industry-related projects.

In late November 2019, the first deputy governor of the Bank of France called for blockchain-based settlements and payments systems in Europe. As reported by Cointelegraph on Nov. 20, the French Armies and Gendarmerie’s Information and Public Relations Center was validating judicial expenses incurred during investigations on the Tezos (XTZ) blockchain at the time.

Alongside developments in blockchain, France has also emerged as a major adopter of the biggest cryptocurrency, Bitcoin (BTC). In mid-October, French crypto startup Keplerk relaunched its service to accept Bitcoin payments in over 5,200 tobacco shops in France. Previously, Cointelegraph reported that at least 30 French retailers plan to launch Bitcoin payments support at over 25,000 sales points by early 2020.

 

from: https://cointelegraph.com/news/france-to-test-its-central-bank-digital-currency-in-q1-2020-official

 

 
