Best Infosec-Related Long Reads of the Week, 10/1/22

The CIA burned Iranian informants, Lawrence Abrams tried to steer ransomware gangs away from hospitals, The pedestrian nature of surveillance, IPVM blows China's surveillance cover, more

Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Let us know what you think, and feel free to let us know of your favorite long-reads via Twitter @Metacurity. We’ll gladly credit you with a hat tip. Happy reading!

America’s Throwaway Spies: How the CIA failed Iranian informants in its secret war with Tehran

Joel Schectman and Bozorgmehr Sharafedin at Reuters have this in-depth and heartbreaking investigation into how a faulty covert CIA communications system burned Iranian informants, a failure that when combined with aggressive efforts by the CIA to gather Iranian intelligence, exposed them to punishment and imprisonment.

Such aggressive steps by the CIA sometimes put average Iranians in danger with little prospect of gaining critical intelligence. When these men were caught, the agency provided no assistance to the informants or their families, even years later, the six Iranians said.

James Olson, former chief of CIA counterintelligence, said he was unaware of these specific cases. But he said any unnecessary compromise of sources by the agency would represent both a professional and ethical failure.

“If we’re careless, if we’re reckless and we’ve been penetrated, then shame on us,” Olson said. “If people paid the price of trusting us enough to share information and they paid a penalty, then we have failed morally.”

The men were jailed as part of an aggressive counterintelligence purge by Iran that began in 2009, a campaign partly enabled by a series of CIA blunders, according to news reports and three former U.S. national security officials. Tehran has claimed in state media reports that its mole hunt ultimately netted dozens of CIA informants.

Inside the Ransomware Gangs That Extort Hospitals

ProPublica’s Renee Dudley and Daniel Golden offer in New York Magazine this excerpt from their upcoming book The Ransomware Hunting Team, which tells the story of how Bleeping Computer’s Lawrence Abrams organized a team of ransomware fighters, the Ransomware Hunting Team, to persuade hackers into leaving healthcare facilities out of their target list at the beginning of the pandemic.

In 2016, Abrams helped organize the most dedicated of these volunteers, spread across the U.S. and Europe, into what became known as the Ransomware Hunting Team. This invitation-only band of about a dozen tech wizards in seven countries soon proved indispensable to victims who couldn’t afford, or refused out of principle, to pay ransoms to cybercriminals. Without charging for its services, the team has cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars in ransom. Abrams functions as the team’s project manager and publicist, chronicling his collaborators’ achievements in his BleepingComputer posts.

The Banality of Surveillance

Ph.D. student Sophia Goodfriend has two book reviews in The Boston Review that examine the roots of modern surveillance.

Two recent books—Brian Hochman’s The Listeners: A History of Wiretapping in the United States and Roberto González’s War Virtually: The Quest to Automate Conflict, Militarize Data, and Predict the Future—join a cascade of new titles on the genealogy, impact, and future of contemporary surveillance regimes. Hochman and González set themselves apart by moving away from the usual protagonists: amoral CEOs selling spyware to dictators or sinister government agencies monopolizing power. Instead, both authors are concerned with the regular people whose ordinary aspirations drive the expansion of surveillance. These carefully researched books focus on petty criminals who spy on the state, social scientists who think robots will redeem civilization’s shortcomings, and data analysts seduced by the high salaries of Silicon Valley. By telling their stories, Hochman and González shows how surveillance thrives less on the machinations of evil men than on the pedestrian facts of political economy.

The Tech Site That Took On China’s Surveillance State

Timothy McLaughlin offers hope for small independent publishers in this Atlantic profile of IPVM, which started as a trade publication for professionals and technicians working in commercial surveillance but has blossomed into a significant source of scoops on China’s digital spying on Uyghur Muslims.

This record of breaking important stories has made IPVM a closely read publication among not just people interested in surveillance technology but those who want to understand Beijing’s geopolitical ambitions, as well as the deeply strained relations between the United States and China, arguably the world’s most consequential bilateral relationship.

The Thorny Problem of Keeping the Internet’s Time

Nate Hopper has this fascinating New Yorker piece about the “jolly old elf” David Mills, an eccentric engineer and computer scientist who created the Network Time Protocol, or NTP, which became a key component of how time is synchronized across the internet.

For decades, Mills was the person who decided how N.T.P. should work (though he disputes the suggestion that he acted with total sovereignty). Quirky, prickly, authoritative, and sometimes opaque—“He does not suffer fools gladly,” one longtime collaborator said—he has served as the Internet’s Father Time. But his tenure is coming to an end. Mills was born with glaucoma. When he was a child, a surgeon was able to save some of the vision in his left eye, and he has always worked using very large computer displays. Around a decade ago, his vision began to fail, and he is now completely blind. Examining computer code and writing out explanations and corrections have become maddeningly tedious. Drawing diagrams or composing complex mathematical equations is nearly impossible.

‘They Are Watching’: Inside Russia’s Vast Surveillance State

Paul Mozur, Adam Satariano, Aaron Krolik, and Aliza Aufrichtig offer a revealing and graphically innovative walk-through of a cache of nearly 160,000 files from Russia’s powerful internet regulator Roskomnadzor that was leaked by hacktivists earlier this year and laundered by DDoSecrets.

Roskomnadzor’s activities have catapulted Russia, along with authoritarian countries like China and Iran, to the forefront of nations that aggressively use technology as a tool of repression. Since the agency was established in 2008, Mr. Putin has turned it into an essential lever to tighten his grip on power as he has transformed Russia into an even more authoritarian state.

The internet regulator is part of a larger tech apparatus that Mr. Putin has built over the years, which also includes a domestic spying system that intercepts phone calls and internet traffic, online disinformation campaigns and the hacking of other nations’ government systems.

The agency’s role in this digital dragnet is more extensive than previously known, according to the records. It has morphed over the years from a sleepy telecom regulator into a full-blown intelligence agency, closely monitoring websites, social media and news outlets, and labeling them as “pro-government,” “anti-government” or “apolitical.”

Security in the billions: Toward a multinational strategy to better secure the IoT ecosystem

Patrick Mitchell, Liv Rowley, Justin Sherman, and others at the Atlantic Council delve deep into international policy around the security of the internet-of-things (IoT) and the range of initiatives developed by governments, companies, and civil society to meet this challenge of securing IoT.

In light of [IoT’s] systemic risk, this report offers a multinational strategy to enhance the security of the IoT ecosystem. It provides a framework for a clearer understanding of the IoT security landscape and its needs—one that focuses on the entire IoT product lifecycle, looks to reduce fragmentation between policy approaches, and seeks to better situate technical and process guidance into cybersecurity policy. Principally, it analyzes and uses as case studies the United States, United Kingdom (UK), Australia, and Singapore, due to combinations of their IoT security maturity, overall cybersecurity capacity, and general influence on the global IoT and internet security conversation. It additionally examines three industry verticals, smart homes, networking and telecommunications, and consumer healthcare, which cover different products and serve as a useful proxy for understanding the broader IoT market because of their market size, their consumer reach, and their varying levels of security maturity.