Tbf Singapore is a city state and integrating surveillance infrastructure on a smaller scale is easier, but that's still pretty impressive.
To this day I've got no idea why it happened. Singapore may be very modern, but deep down the government is still very authoritarian. Funnily enough, I lived in mainland China for a couple years but never experienced anything like that there.
Those two really have no relation to each other, though.
I don't get it. Why don't the agents act normal until after they got to the hotel?
I see this time and again. All the data in a single database where one compromised access can get it all. Data should be compartmentalized, and rate limited.
If I recall, some of those references also got notifications in the mail.
That said, the compromised database was from a civilian, non-intelligence agency. Of course, logically, CIA agents shouldn't have been in that database but it seems they were.
And the other thing is that you have CIA, NSA etc working hard to spy on everyone but none of them were willing and able to keep the larger Federal Government from having terrible security practices. Which comes from the intelligence agencies being more about catching people and learning secrets than about protecting the US as such.
Yet they had fingerprints, meaning they must have gotten the data from the government.
But it does lead to a larger question. Articles by cybersecurity people always seem to focus on preventing unauthorized access. I've never read one that talked about given the inevitability of unauthorized access, how to avoid losing everything?
After all, we have ships with watertight compartments. Even spy networks are organized into "cells" to limit the damage from compromised agents.
Why is security not talking about compartmentalization?
Well, this is one article and it's always possible this is one of those "write down official X's talking points" articles, and official X doesn't talk about compartmentalization because the impression they are aiming for is "look at us, we're helpless, helpless against these threats, please give us unlimited money and power and might be able to fix things, if we're lucky."
>Even a switch of employer, or an unexplained gap in one’s résumé, can be a giveaway to a foreign intelligence service, say former officials. In response, the agency has also shifted to recruiting individuals within the companies they already work at, and, with the approval of corporate leadership, secretly transitioning those persons onto the CIA payroll, and training them intermittently and clandestinely, far from any known CIA facility.
>“There is a serious legal and policy process” in place at the CIA to manage these relationships, says a former official. Otherwise, “you could break industries.”
This is going to be the end of multinational companies. Once a company starts providing cover to CIA officers, those companies will be blacklisted from many countries around the world. This policy will also raise suspicion of pretty much every US company operating abroad.
Bosch and GE for example. Siemens and GE.
I think the article makes it clear that data from many sources is being used and that there's no one "source of truth". It also points out that there's an increasing sophistication to the creation of online presences.
Given how simple and relatively cheap that is I would be very surprised if they don't. This is a kind of operation that a few people with their private budgets could pull off (I mean just scraping the contents and storing a single copy, not the analysis part) so don't expect powerful and not-so-powerful organizations or governments restraining themselves from doing so. This is neither expensive nor difficult while being extremely valuable.
That's called building a legend and YES, the intelligence agencies have been doing it for years. But more importantly, in professional networks (mostly LinkedIn) generally you wouldn't have to. Most people don't use it the same way as Facebook or Twitter with regular updates and it doesn't show others when you connected so if you create a profile and fill in details, the system takes care of most of the rest.
The most likely place that would leak the age of the profile is whatever internal profile id that might be embedded in the urls or the page itself. If it's too high, it would be more recent than claimed.
Here are some of the details you can explore:
If I actually scraped all the profiles in 2009, then in 2014 and then in 2019 I could tell whether an account is a 10+-year old account by simply checking if it is available in my 2009 snapshot. Does not matter if the social network displays or leaks profile age in one way or another. If it's not in my 2009 and not in 2014 snapshots then that profile is 5- years old. With frequent enough snapshots I would get even better timing resolution. Now given that it's neither that hard nor that expensive to scrape or store that amount of data, such an approach would actually be feasible.
The drawbacks are:
a) Not having a profile isn't definitive. You could have missed it, it could have been locked down, or the person joined late.
b) You can't go back to build your baseline. You had to have the foresight to scrape it then or count on one of the breaches to establish who had accounts when.
The primary mitigation here would be LinkedIn (or any social network) itself. Whatever controls they had to block spidering, limit further than immediate contacts, etc would have to kick in.
On the other hand their business requires the ability to discover candidates by HR people so I guess that completely disabling search/discovery is out of question. Of course a simple limit to a number of queries or their reach would still be a huge problem for the scraper while not being a problem for most of the users and therefore not hurting the business.
Then considering that such massive scraping is probably already illegal and additionally the operation is being done by some intelligence agency meaning that legality is not an issue we can do a lot more than simple scraping using some proxies. This could include use of botnets (free resources, much wider and more realistic pool of IPs) and/or hacked accounts (to scrape as a verified reputable user).
This all of course makes such a scrape a lot harder and probably not something that a single person with just a personal budget could do, but I believe this is still within the reach of even a small organization. And I'm 100% certain that this does not require multi-billion black budgets or large datacenters hidden underground.
>a) Not having a profile isn't definitive. You could have missed it, it could have been locked down, or the person joined late.
Of course you are right with that, but then I could have full-scrapes being done once a year or even more often. While missing a profile once is obviously quite realistic and actually expected I assume that it would be unlikely that the same profile is omitted 20 times in a row given that the scraping has generally been proven to be effective.
Additionally I was initially thinking about using such data as one of the metrics not as a definitive spy-detector. Your account missing in my 2009-2017 scrapes and appearing just recently does not make you a spy but does increase a likelihood of you being so.
>You can't go back to build your baseline. You had to have the foresight to scrape it then or count on one of the breaches to establish who had accounts when.
That's true. And even data available from breaches might not be accurate or even be intentionally altered. But then again not everyone runs an intelligence agency.
Is the technology currently good enough to detect the same person if they have different color eyes, different sized lips & eyebrows, abundance or lack of facial hair etc, downturned mouth vs smile etc?
If you take someone who hasn't slept for 3 days + hangover + flu their face will look substantially different than when fresh as a daisy.
Why would the Chinese do that? Here is this treasure trove of information why share it with anyone. But I do see the Chinese being hacked by the Russians scenario after they figured out the Chinese had that kind of info.
- The simplest but least likely is money. Reselling some portions of the data or even running it as a "Go Fish" service is immensely valuable.
- The more likely scenario is an enemy of my enemy situation where the value of screwing up US operations is useful to a) show you have the power or b) build a more amicable relationship with Russia.
But realistically, all of that was probably unnecessary. Google Robin Sage and check out how much sensitive information people share entirely by accident OR that is not sensitive by itself but when combined with other aspects can become weaponized.
That's why whenever anyone says "none of this data was classified!" it's an almost meaningless statement. None of us understand what missing puzzle piece will put it all together.
* Both my wife and I were included in the breach. When the news broke, I wrote it up here: https://caseysoftware.com/blog/why-this-security-breach-is-w...
Surprised that on the Wikipedia page there's no mention of anyone trying to do a reverse image search of the profile picture which is claimed to be of a porn star. Often quicker & easier than browsing alumni pages etc.
China could have viewed the potential damage to an adversary (the US) to be smaller than any disadvantage it incurred itself by sharing.
Or China could have seen a small cost to itself in sharing, and a large gain to Russia, offering the opportunity to bargain for other things.
Also! I would also hate to be the person that copies iranian_secret_spy_ssns.json over to the wrong bucket.
Privacy in meatspace is dead. 100% dead. Never coming back.
Until we have body transplants, anyway.
I gotta say, though, that I was disappointed by it.
I much preferred the books. They censored too much stuff, such as the torture sequence, where he was a little Arab girl being tortured, and then back as himself went on an impressive rampage, killing most all of the medical staff.
And then they changed too many characters.
In general, it's getting harder to smuggle humans into different countries, but the vast deployment of hardware with questionable security properties world wide has led to major opportunities for intelligence agencies. The Internet of Things is the newest opportunity to collect data in large quantities.
The app, Strava, which calls itself “the social network for athletes,” allows millions of users to time and map their workouts and to post them online for friends to see, and it can track their movements at other times. The app is especially popular with young people who are serious about fitness, which describes many service members.
Since November, the company has published a global “heat map” showing the movements of people who have made their posts public. In the last few days, after the app’s oversharing was identified on Twitter by a 20-year-old Australian university student, security analysts have started to take note of that data, and some have argued that the map represents a security breach.
Strava “is sitting on a ton of data that most intelligence entities would literally kill to acquire,” Jeffrey Lewis of the Middlebury Institute of International Studies at Monterey, Calif., warned on Twitter.
Some analysts have taken to social media to warn that, although the map does not name the people who traced its squiggles and lines, individual users can easily be tracked, by cross-referencing their Strava data with other social media use. That could put individual members of the military at risk, even when they are not in war zones.
The outlines of known military bases around the world are clearly visible on the map, especially in countries like Afghanistan, Iraq and Syria, where few locals own exercise tracking devices. In those places, the heat signatures on American bases are set against vast dark spaces. Tobias Schneider, a security analyst, wrote on Twitter that “known Coalition (i.e. US) bases light up the night.”
In Afghanistan, for instance, two of the largest coalition bases in the country — Bagram Airfield, north of Kabul; and Kandahar Airfield, in southern Afghanistan — can easily be picked out. The same is true for smaller bases around the country whose existence has long been public.
But there also appear to be other airstrips and base-like shapes in places where neither the American-led military forces nor the Central Intelligence Agency are known to have personnel stations.
Perhaps more problematic for the military are the thin lines that appear to connect bases. Those lines seem likely to trace the roads or other routes most commonly used by American forces when traveling between locations, and their exposure could leave troops open to attack when they are most vulnerable.
The Pentagon did not directly address whether the heat map had revealed any sensitive location data. But Maj. Audricia Harris, a Pentagon spokeswoman, said that the Defense Department recommends that all its personnel limit their public social media profiles and that it was reviewing the situation.
“Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Major Harris said. The Pentagon “takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required,” the major added.
The Central Intelligence Agency declined to comment.
The threat also extends to countries where the app is more popular. Dr. Lewis of the Middlebury Institute wrote in The Daily Beast that the pattern of movements clearly showed the location of Taiwan’s supposedly secret missile command center.
Strava is not the first program to collect far more information, including location data, than users realize, nor is it the first to make some of that information available to prying eyes, intentionally or not.
Researchers at Kyoto University revealed in 2016 that they could find the precise locations of people who used popular dating sites, even when the users took steps to disguise that information. Last year, data was found online that would allow anyone to track more than half a million cars with GPS devices.
But the Strava app, which works with wearable technology, goes even further in tracing people’s locations with precision and sharing that information with the world. The map’s settings show the extent to which routes are traveled, and whether on foot, by bicycle or in a vehicle.
Strava, which is based in San Francisco, claims tens of millions of users, in almost every country. The app can be used on Apple and Android phones, and wearable activity trackers like Fitbit devices, the Apple watch, and Garmin and Suunto sports watches.
The company released a statement on Sunday noting that the app has privacy settings that can exclude users from the map and hide their activities from the general public. It urged people to read a blog post from last year about how to use those settings.
The map “excludes activities that have been marked as private and user-defined privacy zones,” the company said. “We are committed to helping people better understand our settings to give them control over what they share.”
We’re supposed to trust them with encryption skeleton-keys that can open any phone or web traffic in the world and trust them to keep it safe.
Do they know that we live in a world where Nations burglarise from individuals?
North Korea for example funded their missile program from criminal activity on the internet. Can you imagine what will happen when they steal the skeleton key to intercept credit card traffic worldwide??
It's strange that no one even mentions the possibility of a paradigm like that though.
- One of the techniques these days is to borrow an already existing identity for a period of time. If person A has lived a normal life, their story exists but if they haven't gone through biometrics in country B before then it's easier to get person C in (but obviously it's still harder than before). The identity is then returned.
- People with potential for dual nationality have gone up in importance. Especially if they are legally allowed also to change their name.
- Equipment and database owners are key. Watch how popular 3M systems are in the world for example.
Undone by biometrics. It's not just about biometrics in other countries, it's also about biometrics leaks.
> People with potential for dual nationality have gone up in importance
...and are also highly suspicious.
> legally allowed also to change their name.
That's public record. Not helping.
I think you are confusing the world of geopolitics with concepts like “fair” and “good” and forgetting Lord Palmerston’s quote: “Nations have no permanent friends or allies, they only have permanent interests.”
... I don’t care if US spooks' lives are more difficult or in peril?
Even if you are not from the US you care because other world powers (China and in a much smaller way Russia) will be much worse for you.
I could never wrap my head around government databases (that need to be secured) using AWS or other cloud with default security.
While this article cites 2014, I believe investigators concluded the attackers/admins had access starting sometime in 2009.
I covered the implications of it when the news broke in 2015: https://caseysoftware.com/blog/why-this-security-breach-is-w...
"Government AWS" exists, and may well be better than letting non-experts build their own.
The US collaborates with allies and they share resources and intelligence data.
Governmental contracting is a lowest-bidder game, and budgets are variously limited.
Now you show up at the border of Russia, they’ve got your high school yearbook out there where you wrote about your lifelong ambitions to work for the CIA.
We have some amusing preconceptions of Russia that rarely survive the reality of Russia.
A: detain you and spur an international incident with complaints to the U.N. re human rights abuses and everything else.
B: refuse entry.
C: delay you long enough to get a follow team deployed so they can see what you do without inciting a lot of bad press, or delaying your travels more.