Best Infosec-Related Long Reads of the Week, 6/3/23
India's secret hacking industry, Ten years after Snowden, The MyPillow guy's fake data, Surveillance at Minneapolis schools, Why intel agencies should spy for human rights
Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
A Confession Exposes India’s Secret Hacking Industry
The New Yorker’s David Kirkpatrick takes a deep dive into India’s thriving hacker-for-hire community populated by around seventeen companies that generally align themselves with the policies of the Indian government.
The hacking-for-hire business has prospered in India for some of the same reasons that I.T. outsourcing has: an abundance of inexpensive skilled labor in an open marketplace readily accessible to Western clients. But Indian hackers are also unusually brazen, with competing firms publicly touting “ethical” or “white hat” hacking services, and individual hackers bragging on LinkedIn about their spear phishing. In authoritarian havens such as Russia, Iran, and North Korea, cybercriminals do not advertise.
Yet, as both Jonas Rey [a private investigator] and Scott-Railton, of Citizen Lab, told me, Indian hackers appear to share something important with their counterparts in those authoritarian nations: a tacit alliance with their government. Rey told me that, according to target lists and other information that he gained from Indian hackers, the top dozen Indian hacking-for-hire firms “have always tended to have the same profile—they always do a little bit of government work, with private work on the side.”
Scott-Railton said that cybersecurity researchers in both government and the private sector had observed the pattern. “Among those who’ve tracked them, it is widely seen that some of the Indian hacking-for-hire groups pivot into work in the interests of the Indian government.” (India’s fierce rivalries with China and Pakistan extend to cyber warfare.)
Reflections on Ten Years Past The Snowden Revelations
This IETF memo collects the thoughts and recollections of security notables Bruce Schneier, Stephen Farrell, Farzaneh Badii, and Steven Bellovin about the events that transpired during and after the release of information about the NSA by Edward Snowden.
[From Bruce Schneier] I had flown down to Rio de Janeiro in late August at the request of Glenn Greenwald. He had been working on the Edward Snowden archive for a couple of months, and had a pile of more technical documents that he wanted help interpreting. According to Greenwald, Snowden also thought that bringing me down was a good idea.
It made sense. I didn't know either of them, but I have been writing about cryptography, security, and privacy for decades. I could decipher some of the technical language that Greenwald had difficulty with, and understand the context and importance of various documents. And I have long been publicly critical of the NSA’s eavesdropping capabilities. My knowledge and expertise could help figure out which stories needed to be reported.
I thought about it a lot before agreeing. This was before David Miranda, Greenwald’s partner, was detained at Heathrow airport by the UK authorities; but even without that, I knew there was a risk. I fly a lot—a quarter of a million miles per year—and being put on a TSA list, or being detained at the US border and having my electronics seized, would be a major problem. So would the FBI breaking into my home and seizing my personal electronics. But in the end, that made me more determined to do it.
How I Won $5 Million From the MyPillow Guy and Saved Democracy
Software forensic scientist Bob Zeidman, writing in Politico, walks through how easy it was to claim the $5 million reward Trumpist and pillow salesman Mike Lindell offered to anyone who could disprove that US voting machines were hacked by China using so-called packet data provided by Lindell during a “Cyber Symposium” in Sioux Falls, SD, in the summer of 2021.
My eureka moment had arrived. While everyone else was looking at the sky, I had found the golden ticket on the ground; while they were trying to find packet data in the files, the truth was that it wasn’t packet data at all. I said something out loud like, “I’m going to take this back to my hotel room and work on it there,” to no one in particular. I quietly and deliberately packed up my laptop and strolled out of the room and out of the venue. On the way back to the hotel, I called my wife. “Start thinking about what you want to do with 5 million dollars,” I told her.
Back in my room, I wrote up my report and registered a copy online with the U.S. Copyright Office as proof that I had written it by the contest deadline. Just in case.
But Lindell’s game wasn’t over yet. The next day, a little before noon, I strolled into the cyber workroom and found everyone still going at it. It turns out there was more data to analyze — Lindell had given us about 50 gigabytes of additional data to plow through. There were four new files, but when I looked at them, they were essentially the same types as the first day’s files except with a spreadsheet containing 121,128 lines of generic information about internet service providers around the world plus their locations, their latitudes and longitudes, their IP addresses, and other miscellaneous information. I determined that nothing in the file was related to the 2020 presidential election, and wondered what my competitors were seeing.
Minneapolis Schools Secretly Partnered with ShotSpotter Surveillance Company, Cyber Attack Reveals
The 74’s Mark Keierleber reveals that contracts leaked by ransomware attackers who hit the Minneapolis Public School System show the district secretly agreed to host gun detection sensors from the controversial firm ShotSpotter on the rooftops of campus buildings. Critics say the sensors are used in selected locations, highlighting the racial and privacy disparities of their use.
Researchers and civil rights groups have warned for years that the technology, which is disproportionately deployed in communities of color, could do more harm than good by routinely sending militarized police into high alert over false alarms. SoundThinking maintains that its ShotSpotter sensors are 97% accurate.
The most comprehensive study on ShotSpotter’s efficacy, published in 2021 in the peer-reviewed Journal of Urban Health, reported dismal findings. The analysis of ShotSpotter in 68 metropolitan counties from 1999 to 2016 found the sensors had no significant impact on firearm-related homicide rates or arrest outcomes.
ShotSpotter deployments have been especially contentious in Chicago, where the sensors are disproportionately installed in neighborhoods with large percentages of Black residents. In more than 31,000 incidents each year, ShotSpotter alerts send Chicago police to locations where they failed to find evidence of gun crimes, according to research by the MacArthur Justice Center at Northwestern University’s law school. Between April 2021 and April 2022, researchers found, 90% of ShotSpotter dispatches failed to find evidence of guns. In a 2022 lawsuit, the group accused the city of relying on a surveillance tool that enables discriminatory policing without a clear public safety benefit.
A separate report from the city’s Office of Inspector General, published in 2021, reached similar results, concluding that the alerts rarely produced evidence of gun-related crimes, investigatory stops or recovered firearms. Yet the sensors led police to make more aggressive stops in certain neighborhoods, the office found, offering fodder for advocates who argue the devices lead to the over-policing of Black residents.
Spying for Human Rights
Sarah Yager, Washington Director at Human Rights Watch, argues in Foreign Affairs that the US should make spying for human rights as much a priority as gathering intelligence for military purposes because knowing a nation-state’s human rights abuses can warn of other crises down the road.
Eighteen different agencies comprise the U.S. intelligence community, and all are responsible for collecting intelligence based on the top priorities of the president, the national security adviser, the director of national intelligence, and the rest of the cabinet. The National Intelligence Priorities Framework, a document that communicates the president’s priorities, tells the intelligence community where to focus its budgets and personnel—its money, eyes, and ears. Senior experts are assigned to each topic to advise the director of national intelligence on processes for collecting intelligence on that topic.
Right now, human rights considerations make their way into the briefing books that reach top policymakers only in an ad hoc fashion. Senior officials can specifically ask for human rights intelligence—for instance, about protests that turned violent or populations fleeing conflict. But proactive inquiry requires an understanding of how human rights figure into a policy puzzle. It also requires knowing what one doesn’t know. Senior officials are unlikely to request intelligence on human rights issues related to events or situations that they are unaware of.