Slashdot Mirror
FBI Wiretapping Audit Secrets Uncovered Via Ctrl+C
mytrip notes a story in Wired's Threat Level blog on the latest boneheaded government moves with redaction. (We've been discussing redaction follies here for years.) This time it's an FBI report (PDF) on implementing CALEA — you can select text from redacted areas, copy it, and paste into a text editor, as University of Pennsylvania professor Matt Blaze discovered. From Wired: "Once again, supposedly sensitive information blacked out from a government report turns out to be visible by computer experts armed with the Ctrl+C keys — and that information turns out to be not very sensitive after all... [Among] the tidbits considered too sensitive to be aired publicly: The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom — slightly more than $2.9 million dollars — but somehow the bad guys will win if they knew the number of switches and the cost paid."
If they were running a website, they would use:
<FONT
style="BACKGROUND-COLOR: black">Top Secret!</FONT>
The meme is dead, long live the meme!
Your government dollars at work!
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
The headline and summary made took a minute for me to grasp, I just couldn't understand how you could get data out of something by halting execution.
Then my brain woke up and I realized they were thinking of the Windows command Ctrl+C which copies the marked text..
/Mikael
Greylisting is to SMTP as NAT is to IPv4
Look, the point of blacking out is not just to remove critical information, it is also to get you used to large parts of documents being blacked out. It is a way of hiding a signal within a lot of noise.
By randomly blacking out stuff, you will never know if there is vital information hiding underneath the black text. And you will become more and more accepting of documents that have barely any text at all.
The purpose is, of course, to allow more and more freedom to the agencies doing the blacking out. And less and less to you.
Most of the time something deemed "secret" rarely is. Also when I was last in the public Sector, IT was woefully underfunded and overall employee training was even worse. Things like this will continue to be a major mess.
Do not look at laser with remaining good eye.
This is a classic example of secrecy being used not for national security but to avoid embarrassment. There are likely thousands of these types of secrets that cost money to keep but that are for no reason at all. Ass clowns.
Can we get a new category, like "Gallows Humor"?
Besides, we shouldn't be reporting on this stuff-- our only defense against this government anymore is its own monumental stupidity.
"Redacted" was apparently implemented by covering the area with a white rectangle. Since the PDF has real text/vector graphics (as opposed to a bitmap), the information is still present in the file and even the standard Acrobat viewer can access it. Someone "Failed at Behaving Intelligently"
What confuses me is that, and I might be too generous in my assumption, I assume that there's an IT professional somewhere that looks over these released files prior to their release? I know that common sense is entirely too uncommon these days, but if I were to release a digital file (whether to an individual or the public) I'd make sure that someone from the IT department looked it over before release.
Otherwise it's like having a flu vaccine released by managers that went nowhere near an immunologist or virologist.
Still, I'm sure that, sometime soon, MS will remove the Ctrl+C combination. For national security, of course.
They have done real boneheaded stuff like xxxx xxx xxxxxx xxx xxxx xx xxxxx xxxxxx xxx. Wonder why no one has ever talked about it before.
Note: This post had been edited by the FBI for your protection. Thank you for your continued co-operation.
Sometimes items are redacted because of contractual commitments or confidentiality agreements. Take the example in the story; now, all Verizon's competition needs to do is bid $2,499 per switch and they get the job. So what if they could have supplied the switches at $2,200 and still made a healthy profit - they just need to be low. So that's $299 extra per switch that the government (aka, taxpayers) will have to pay because the competitive bid environment has been contaminated.
But hey, they made their point about evil government masterminds being wholly incompetent, so what does logic matter?
"As God is my witness, I thought turkeys could fly." A. Carlson
visible by computer experts armed with the Ctrl+C keys
The FBI is trying to trick me into thinking they're all stupid so they can find out where I've got the 500 acre marijuana farm with its fiftten thousand tons of marijuana in the barn, 500 beautiful hookers and the casino downstairs, where you can buy white lightning and moonshine.
Meanwhile, Osama's still loose.
Attention FBI: Look, dumbasses, print the damned thing out, black out the parts that embarrass the President and your Director with a magic marker and scan it to a TIF file (that's a graphics format, guys. Pay attention!) and "print" THAT to PDF.
But you already know that, you're trying to find my pot gambling hooker farm!
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
This is the sort of thing that seems innoculous, but, in theory, could be used to compromise an investigation.
For example, if I was a bad guy and I suspected the FBI might be on to me, and I could have my buddy who works for verizon watch for $1,500 payments from the FBI. And then see where techs are dispatched. If one is dispatched to my area, even if it was unrelated, I'd move my safe house, or the very least cease talking about bad guy things on the phone. Goodbye weeks of work getting wiretap warrant (well, now that the lids been blown off, its back to weeks).
This is also the sort of information that could be used in a social engineering attack. (This is verizon, we haven't yet recieved our payment for the upgrade to switch XXX-XXXX)
Maybe the FBI should stick to something, like wiretapping for example, rather than performing simple math for a report ...
1140 x $2,500 $2.9 million (see the reverse pacman sign)
Honestly, same here. Some of those headlines are becoming really hard to read.
"Wiretapping": verb. The FBI is wiretapping something. "is" omitted as in many headlines.
"Audit": verb. The FBI's act of wiretapping is auditing something (Huh?)
"Secrets": verb. The Audit of the FBI's wiretapping is leaking something. Wait isn't "secrete" writting with an extra "e"?
"Uncovered": verb, passive. By now I'm sort doubtful I got it right in the fourth attempt.
"Via Ctrl+C": By what?
It took me reading the link in the original post to figure they meant a key press and not a screen name or a publication I wasn't familiar with, also helped me sort the four verbs into some semblance of legal grammar.
How about: "Copy & Paste Reveals FBI Wiretapping Audit Secrets"?
Remember school: Passive is bad for you.
Right, I had one moment where I thought that hitting Ctrl+C would somehow reveal that the FBI is auditing you, too.
Now, I'm all up for good gov't conspiracy, and working for the gov't, I know how they spend inappropriately.
But there is something called the mosaic effect. The short of it is that you have two (or more) documents. None of them by themselves are sensitive, but as a group, they become sensitive because they give you a complete picture. It's quite possible that this redacted info gives that picture.
In addition, gov't entities regularly leave out the specifics like the number of switches because they do not want to demonstrate the scope of their operations. Not for any malicious reasons, but for what they perceive as a security risk. It might be a false risk, but it's not malicious.
Why, yes I have been touched by His noodly appendage. And I plan to sue.
For me, the best part of the article was the link to the NSA redaction guidelines. Interesting reading I suppose, but the fact that throughout the entire paper the screencaps of MS Word had that damn Clippy-substitute cat sitting in the corner was classic. I'm not sure I'd trust someone (even at the NSA) to give me advice on MS Word options and settings when they can't even turn of the animated assistant.
The FBI paid Verizon $2,500 apiece to upgrade 1,140 old telephone switches. Oddly the report didn't redact the total amount paid to the telecom â" slightly more than $2.9 million dollars â" but somehow the bad guys will win if they knew the number of switches and the cost paid.
It's more likely that the total number is large and people go "ok must be a lot" but at 2.5k usd per switch people would go "how fucking much!!!" - that's what they may want to avoid
Jaj
Figure B: "SCREENSHOT OF ASKCALEA HELP DESK DATABASE"
It shows requests from:
Montogmery County, MD
Baltimore County (state not listed)
Omaha branch of the FBI
Kenner, Louisiana
US Secret Service
Racine (Wisconsin?)
Taylorsville, Utah
Look at all of those small towns. Given that even the very small towns are using CALEA, it looks like the use of wiretaps is very widespread.
how abused and misapplied all those "in the interest of national security" procedures are when there is no oversight in place. When will the legislators ever learn, anything that can be abused or misused, will be abused and misused in the absence of oversight? It's not even "might" or "is very likely". It always happens. It's human nature to take advantage for personal gain without risk. They censor anything that they want to, for any agenda, because they can. And this just exposes that truth.
Now watch how they react to it. Do they straighten up their censorship policies? of course not. They'll simply make the abuse harder to discover.
I work for the Department of Redundancy Department.
In the USA you still only have to do the math on the 'number' and 'quality' of roving witetaps.
The use of public or released data to see what police forces are doing is interesting.
In India you have to count the number of dead.
"The records show that Durgiyana Mandir ground was one of three cremation sites in Amritsar
illegally used by the police.
It takes about 300kg of wood to burn a single body and each wood purchase is written in a register.
The police subverted the system, by burning more than one body on each pyre.
http://news.sbs.com.au/dateline/india__who_killed_the_sikhs_130052 [sbs.com.au]
Domestic spying is now "Benign Information Gathering"
If you are running MS-Office and Adobe Acrobat..... 1. Select the text that has been "REDACTED" 2. Right Click 3. Select Open Table in Spreadsheet Opps.... Look what I found!
Semper Fi Ronald Ausman USMC Ret
...must be high on the FBI's list of priorities.
Verizon: We'd love to help you, but, you know, if we do this for you, we'd have to do it for everyone.
FBI: Don't worry, we'll never tell.
"How to Do Nothing," kids activities, back in print!
IINM, normal usage of the word "apiece" implies multiple recipients - eg "My children received pocket money of $10 apiece." which means I was out $20.
Think there was a previous deletion that was successfully hidden and there's actually another recipient involved?
Max.
Airplane Photos, Airline News, Planespotting Guides
I've not seen anyone ask -- but why would the FBI pay Verizon $2.9m to upgrade it's network switches?
This strikes me as an intentional leak perpetrated by an employee who thought it was dumb to retract all of that. Just a gut feeling. I have no way to back that up.
-l
Help cure AIDS, cancer, and more. Donate your unused computer time to worldcommunitygrid.org. Join Team Slashdot!
Headlines usually make extensive use of noun phrases to premodify nouns. In the case of that headline, the only verb is "uncovered".
Quidnam Latine loqui modo coepi?
this is reverse psychology! Hide some nonsense behind CRTL+C and the people point at you laughing about hiding such nonsense. Give 'em nothing but black bars and they will be afraid what terrible things are behind them and shout for more transparency.
This is not about giving too much information to the enemy (whatever the current boogie man is). This is about PR and keeping the public misinformed, while pandering to their national security concerns.
"We spent 2.9 million US$ on improving our communication system" will trigger a "Great! That's tax dollars well spent!" while on the other hand a "We paid 2500 US$ for each of the 1140 telephones we recently purchased" will earn you a "WTF? Is that what our tax money is wasted for??"
the FBI had spent $500 Million for these sort of upgrades. If verizon only cost them $2.9 million, and the other carriers cost only slightly more, where's the other $475 million dollars?
They're using their grammar skills there.
using doc viewer all you have to do is select the "hidden" boxes and you can read the text. I guess you need ctrl+c ctrl+v if you would like to print the hidden message, but otherwise a simple select all will do it!
In Ubuntu if you use the default PDF viewer (Evince), you can see the "sensitive information" in the tables by simply HIGHLIGHTING the text.
;)
No need to even use the keyboard to copy/paste the data!
I just have to say... wow.. i'm amazed... wait, no, I'm not. I've worked for a government organization and this doesn't surprise me. But I was thinking a simple solution is to encrypt sensitive text, turn it into garbage, and then black out the garbage.
The calia network as outlined originally, would have used a fraction of the switches. That number of switches indicates that they were monitoring a LOT more. IOW, this was not about wireless but about the entire world wide network. FBI is tapping all of Verizon.
The one big embarrassment out of that, is that it shows that they had total access to the network, and yet 9/11 occurred. So, does that mean that this was not being used for terrorism, or does this indicate that we did know and ignored what was to happen.
I cannot reveal who I am or where I work, but we became CALEA-compliant in 2006. We receive several requests every few months to 'monitor' someone's telephone connection. Being that I have access to the account database that shows this sort of thing, the reasons behind the wiretaps are usually suspect. If you think that your phone connection is safe, you are wrong.
Feel free to respond and ask questions.
It hurts my brain. The person who (incompetently) redacted the document was probably just following guidelines. My guess is that there's a guideline that says that specific numbers and costs cannot be published in reference to secure systems used by an intelligence or law enforcement agency. Only aggregate costs, as necessary to inform the public and lawmakers.
No conspiracy. No corruption. No deeper meaning than a guideline that requires sticking your neck out and making a case if you want to violate it.
Makes sense, actually, as most intelligence gathering is probably not about sentences like, "John Doe is our super-secret mole in the office of the director", but rather "the phone system has 1100 switches for all of North America, and is taken down every 2 weeks at 1 am for maintenance."
And this leaves me wondering if those who are laughing or outraged at the attempted redaction (as opposed to the incompetence in implementing it) are also the same people who insist that they must have military-grade encryption and anonymous re-routing, using spread-spectrum wireless transmissions to public access facilities, in order to protect their private emails to grandmother. Sigh.
Racine is in the middle of 2 big city's and there is a lot people in that area.
Go through these documents and redact anything sensitive.
What does redact mean?
Just black things out.
What things?
Just make it look good. Anything that seems important
OK sir!
was a 6 months earlier, and got promoted. His name is Peter. He reports to another manager with whom he had mostly the same conversation with an hour earlier with the places reversed...
-- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
One federal job I'd applied for had a form that could only be done electronically.
Ok, great...less paper.
Form did not work with acrobat4.
Upgraded to 7 and found it was locked and p/w protected. (view only..d'oh)
No mention of p/w or email address/support if problems with the form.
Found app that strips the protection/pw.
Fitting I watched Apollo13 a few days ago and thought "Tell me this isn't a government operation".
Heck, can't get info you're supposed to have/need, what makes one think they can hide stuff you're not supposed to see?
Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
Yes the wording is pretty bad, but... you are joking right? "The FBI's act of wiretapping is auditing something" would be "Wiretapping audits [thing]"... "wiretapping audit" is clearly an audit of the wiretapping, as a "security audit" would be an audit of the security of something (which these guys didn't do!)... so that's a noun... it's a thing. It might be something that happens, like an eclipse, but it's not a verb, unless it's eclipsing, eclipsed. And secrets... I can't even think off the top of my head how that could be used in verb form. A secret is a thing that you know... or, more likely, don't know... or was that a joke via the 'secretes'? Hard to tell, not much of this is making sense at all :-/
Bout time you's lot should write proper!
The revolution will not be televised... but it will have a page on Wikipedia
"but somehow the bad guys will win if they knew the number of switches and the cost paid"
I would imagine the real concern is by outside parties using this and other financial info to calculate the real operating budget of the FBI.
from an information security standpoint, this actually makes some sense. Allow me to explain. First, the high value number is going to show up in budgets anyway, so anyone who wants that number could already find it. It's hard to not have a few million dollars show up in the accounting somehow. Second, the reason the exact dollar value per part is usually redacted is that this is a giant clue as to the identity of the part used in the infrastructure. E.g. if I tell you I have a $300 mp3 player, then you know that I have an IPOD. But if I tell you that I bought a bunch of mp3 players and spent $100,000 then you don't know whether I've bought Zens, Zunes, ipods, sansas, or something else. And the problem with telling people what your infrastructure is made of who shouldn't know is that it enables them to focus on vulnerabilities for just that one device. caveat: I actually have a $10 mp3 player.
"Wiretapping": verb. Noun (gerund). "Audit": verb. Noun or verb. "Secrets": verb. Noun (plural). Remember school: Passive is bad for you. Yes, please remember school....
GN
Hey, at least they knew how to change the animation. Perhaps it was meant to be Catbert?
Alternatively they should have changed it to one of the Spy versus Spy characters.
The actual cost of performing the service was likely redacted, not as a matter of national security, but because the pricing is contractually considered proprietary information .
Most companies include this as a standard clause in their master service agreements so that Joe's Barber shop isn't upset that Big Government Office is getting a different (presumably better) price for exactly the same service.
Those were not Ethernet switches. They were the big Old network voice switches like Nortel DMS 100, 250 and 500s. CALEA gives the FBI the ability to tap VoIP calls. Before the IP network did not touch the old voice switches. It cost a HELL of a lot more than $2500 to upgrade those switches. It is just a fee.
Headlines everywhere are suffering from "headlinese".
And it's become so "normal" that people use it even when there's no room constraints, the original reason to use such terminology. We kinda expect headlines to be a bit "blurry", or maybe they are to be interesting. After all, if you don't really get it immediately but it sounds interesting, you read on instead of flipping to the funnies.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
why are we sitting around posting on slashdot? we should be trying to download all the "redacted" PDFs we can before they "upgrade" them!
I think they occasionally leak these documents as 'mistakes', so that people see what's being redacted and go, "Well, duh, that's pretty boring!" And then they won't care about stuff that is REALLY redacted for good reason. Like the truth about the 9/11 conspiracy, the JFK assassination, or the alleged moon landings.
Okay. I'm going to go check on my supply of tinfoil hats, to make sure They haven't stolen them again. Keep safe.
(Posted as Anonymous Coward for obvious reasons...)
Did that raging paranoia get modded to anything but "+5 take your fucking meds so you'll stop bothering us with tin foil hat bullshit"?
I don't know what's scarier, that OP actually believes that crap or that 5 other people agree with him.
re: the price: not just presumably. if it's a GSA contract, the government is guaranteed to get the lowest price you charge for it. If you try to screw them on this, then they can fine you or put you in prison
(I have written a GSA contract before).
They probably have a special configuration on their own machine which they didn't want to reveal, and simply used a fresh install of MS Word to do the screenshots for the instructions.
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Sometimes items are redacted because of contractual commitments or confidentiality agreements. [...] But hey, they made their point about evil government masterminds being wholly incompetent, so what does logic matter?
Please explain the logic behind the government agreeing to confidentiality in a business transaction where taxpayer money is involved?
Please help metamoderate.
The reason to hide the cost per switch is to keep the negotiations invisible from other providers. Sure, you can report $2.9 million to Verizon, but AT&T doesn't know how many switches that was or the cost per switch. Maybe they worked out a cheaper deal with AT&T for, say, $2,000 per switch instead of $2,500. If AT&T knew what Verizon was getting paid, they'd hold out for more themselves. While it may seem silly to hide the details, doing so probably saves a little cash in the long run.
Of course, now, if they ever need to do more switches, I am betting every vendor will be holding out for the highest publicized price (or their own private price, if it's higher still). So, yeah, sometimes disseminating what you think is non-critical information will in fact cost us more in the long run. Revealing it may not make "the bad guys win" but it can definitely make the taxpayer lose.
Just my unredacted $0.02.
WWJD?
JWRTFM!
Since these geniuses simply drew opaque boxes on top of the "sensitive" data, any PDF editing tool can delete the box and restore the document to its pre-redacted state.
If these are the people protecting your country from "cyber terrorists", well, god can't even help you!
-Billco, Fnarg.com
Just wait until they figure out Ctrl-Print Screen.
Oh shi...
Obviously copying & pasting the redacted text is a DMCA violation!
.sig? Get your own damn
If the blacked-out content is not important, then the criticism of the FBI may be unfounded.
That's not an "animated assistant," it's a National Security Consultant!
This anti-passive bullshit is completely incomprehensible. Why is passive bad for you?
Other than it's unfortunate name of passive.
Has it occurred to anyone that they didn't care that much if someone found this info?
In Soviet Russia, Ctrl + C hits you.
Comment removed based on user account deletion