"The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb." -- Marshall McLuhan, 1969 |
|
HP Pretexting Scandal - Updates |
|
|
Topic: Current Events |
12:09 am EDT, Sep 11, 2006 |
With a Little Stealth, Just About Anyone Can Get Phone Records

It is not clear how widespread pretexting is, but its perpetrators appear to be mostly private investigators, seeking information for clients involved in divorces or other civil disputes. Hewlett-Packard used investigators to try to ferret out which company directors had leaked information to reporters. Walt Sharp, a spokesman for AT&T, said AT&T determined that over the last year, records of some 2,500 customers could have been compromised.

HP memo: We will take the necessary action

On Friday, Mark Hurd, president and CEO of Hewlett-Packard and a member of its board of directors, sent the following memo to the company's employees. The memo stresses that leaking information to the media is a problem that must and will be resolved.

Oh, the irony.

HP probe snared a third News.com reporter

An HP spokesman said reporter Stephen Shankland's records were targeted by a subcontractor working for a private investigator hired by the company. Shankland was a contributing reporter on a Jan. 23 article about a long-term board planning session that apparently angered HP Chairman Patricia Dunn, who launched the investigation. The co-authors of that Jan. 23 News.com article, Dawn Kawamoto and Tom Krazit, were told Thursday by the California attorney general's office that their phone records were also accessed using a controversial method called "pretexting," where someone poses as a telephone subscriber to gain access to that subscriber's records. The personal phone records of six other reporters, including Pui-Wing Tam and George Anders of The Wall Street Journal and John Markoff of The New York Times, were also targeted by HP's investigators. Friday afternoon, BusinessWeek reported on its Web site that the phone records of three of its reporters, Peter Burrows, Ben Elgin and Roger Crockett, were also targeted. Also on Friday, Dunn apologized to Kawamoto and Krazit, and said she first learned two days earlier that reporters' records were pretexted. Nonetheless, Dunn still defended the need for HP's investigation.

H.P. Chairwoman Aims Not to Be the Scapegoat

At a board meeting on Sunday, the underlying theme is whether Patricia Dunn should remain as chairwoman. Dunn is the daughter of a vaudeville actor and a Las Vegas showgirl. "This is not a job I asked for or a job that I particularly wanted," she said.

That sounds a lot like a taunt. She seems to be telling the board, I beg you to fire me!

Ms. Dunn said Friday that she felt that a personal dispute was at the center of the storm. "Tom is a powerful man with friends in powerful places," she said. "This brouhaha is the result of his anger toward me. He is winning the p.r. war." "He was the most hawkish member of the board for finding the leaker," she added. "He wanted us to bring in lie detectors."

And fire him, too, while you're at it! I can't stand him!
Al Qaeda Finds Its Center of Gravity |
|
|
Topic: War on Terrorism |
12:08 am EDT, Sep 11, 2006 |
Over the last year, as Iran, Iraq and Lebanon have dominated headlines, hopes of gaining firmer control of a largely forgotten corner of the war on terrorism — the lawless Pakistan-Afghanistan border region — have quietly evaporated. On Tuesday, the Pakistani government signed a "truce" with militants which lets militants remain in the area as long as they promised to halt attacks.
Is this the "separate peace" that Rumsfeld was talking about? He must be furious about this, right?

The Taliban leadership is believed to have established a base of operations in and around the Pakistani city of Quetta. The Pakistani government sees the group as a tool to counter growing Indian influence in Afghanistan. In Afghanistan, roadside bomb attacks have doubled this year, and suicide bombings have tripled. This year, the United States cut its aid to Afghanistan by 30 percent. Al Qaeda and the Taliban are no doubt betting that time is on their side.
Bin Laden Trail 'Stone Cold' |
|
|
Topic: War on Terrorism |
11:51 pm EDT, Sep 10, 2006 |
Dana Priest sums up the situation.

In the last three months, following a request from President Bush to "flood the zone," the CIA has sharply increased the number of intelligence officers and assets devoted to the pursuit of bin Laden. The problem, former and current counterterrorism officials say, is that no one is certain where the "zone" is. The Afghan-Pakistan border is about 1,500 miles. At least 23 senior anti-Taliban tribesmen have been assassinated in South and North Waziristan since May 2005. Pakistan has now all but stopped looking for bin Laden. "Once again, we have lost track of Ayman al-Zawahiri," the Pakistani intelligence official said in a recent interview. "He keeps popping on television screens. It's miserable, but we don't know where he or his boss are hiding." "There's nobody in the United States government whose job it is to find Osama bin Laden!" one frustrated counterterrorism official shouted. "Nobody!" "We work by consensus," explained Brig. Gen. Robert L. Caslen Jr. "It's not that effective, or we'd find the guy."

This is an interesting vignette: In early November 2002, a CIA drone armed with a Hellfire missile killed a top al-Qaeda leader traveling through the Yemeni desert. About a week later, Rumsfeld expressed anger that it was the CIA, not the Defense Department, that had carried out the successful strike. "How did they get the intel?" he demanded. Gen. Michael V. Hayden, then director of the National Security Agency and technically part of the Defense Department, said he had given it to them. "Why aren't you giving it to us?" Rumsfeld wanted to know. Hayden, according to this source, told Rumsfeld that the information-sharing mechanism with the CIA was working well. Rumsfeld said it would have to stop.
OpenSSL | RSA Signature Forgery (CVE-2006-4339) |
|
|
Topic: Computer Security |
1:12 am EDT, Sep 8, 2006 |
Daniel Bleichenbacher recently described an attack on PKCS #1 v1.5 signatures. If an RSA key with exponent 3 is used it may be possible to forge a PKCS #1 v1.5 signature signed by that key. Implementations may incorrectly verify the certificate if they are not checking for excess data in the RSA exponentiation result of the signature. Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is used in X.509 certificates, all software that uses OpenSSL to verify X.509 certificates is potentially vulnerable, as well as any other use of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or TLS.
|
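The check the advisory refers to, as an added example that is not OpenSSL's code or part of the original post: after the RSA public-key operation, the result must match the PKCS #1 v1.5 encoding byte for byte, with nothing left over after the hash. The function names, the choice of SHA-1 and the sample blocks are assumptions constructed for illustration.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1, as used by PKCS #1 v1.5 signatures
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def expected_em(msg: bytes, k: int) -> bytes:
    """The single valid encoded block for msg under a k-byte modulus."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def lax_check(em: bytes, msg: bytes) -> bool:
    """Flawed pattern: parse left to right and stop reading after the hash."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    # Defect: bytes following the digest are never examined
    return em[i + 1:].startswith(SHA1_PREFIX + hashlib.sha1(msg).digest())

def strict_check(em: bytes, msg: bytes, k: int) -> bool:
    """Re-encode and compare the whole block, so excess data cannot pass."""
    return len(em) == k and hmac.compare_digest(em, expected_em(msg, k))

def rsa_verify_strict(sig: int, n: int, e: int, msg: bytes) -> bool:
    """RSA public operation followed by the full-block comparison."""
    k = (n.bit_length() + 7) // 8
    if not 0 <= sig < n:
        return False
    return strict_check(pow(sig, e, n).to_bytes(k, "big"), msg, k)

def demo() -> dict:
    k, msg = 256, b"constructed sample message"  # constructed inputs
    good = expected_em(msg, k)
    # Constructed malformed block: short padding, correct hash, filler after it
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + good[-35:]
    bad += b"\xaa" * (k - len(bad))
    return {"good": (lax_check(good, msg), strict_check(good, msg, k)),
            "bad": (lax_check(bad, msg), strict_check(bad, msg, k))}

if __name__ == "__main__":
    print(demo())
```

Both checks accept the well-formed block; only the lax one accepts the block with excess data, which is the condition the advisory says implementations must test for.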
Phone-Records Scandal at HP - Newsweek Business |
|
|
Topic: Surveillance |
5:27 pm EDT, Sep 6, 2006 |
The confrontation at Hewlett-Packard started innocently enough. Last January, the online technology site CNET published an article about the long-term strategy at HP, the company ranked No. 11 in the Fortune 500. While the piece was upbeat, it quoted an anonymous HP source and contained information that only could have come from a director. HP’s chairwoman, Patricia Dunn, told another director she wanted to know who it was; she was fed up with ongoing leaks to the media going back to CEO Carly Fiorina’s tumultuous tenure that ended in early 2005. According to an internal HP e-mail, Dunn then took the extraordinary step of authorizing a team of independent electronic-security experts to spy on the January 2006 communications of the other 10 directors—not the records of calls (or e-mails) from HP itself, but the records of phone calls made from personal accounts. That meant calls from the directors’ home and their private cell phones. Any time a director resigns from a U.S. public corporation, federal law requires the company to disclose it to the SEC in what’s called an 8-K filing. If the director resigned for reasons related to a “disagreement” with the company about “operations, policies or practices,” that, too, is now required. HP reported Perkins’s resignation to the SEC four days after it happened—back in May—but gave no reason for the resignation, instead including only a press release thanking Perkins for his years of service. Perkins has twice challenged that omission in e-mails to the HP board and, he says, he received no response from HP.
This security team pretexted all the directors' home and cellular phone records. Perkins, who was not the leak, rightly freaked out about this methodology and resigned from the HP BoD. It is possible that HP could wind up in trouble with the SEC, FTC, and the local Attorney General. Update: Catonic points out that Groklaw has chimed in.
|
The Volokh Conspiracy - Can Encryption create an expectation of privacy |
|
|
Topic: Politics and Law |
4:59 am EDT, Sep 6, 2006 |
Does encrypting Internet communications create a reasonable expectation of privacy in their contents, triggering Fourth Amendment protection? At first blush, it seems that the answer must be yes: A reasonable person would surely expect that encrypted communications will remain private. In this paper, Professor Kerr explains why this intuitive answer is entirely wrong: Encrypting communications cannot create a reasonable expectation of privacy. The reason is that the Fourth Amendment regulates access, not understanding: no matter how unlikely it is that the government will successfully decrypt ciphertext, the Fourth Amendment offers no protection if it succeeds. As a result, the government does not need a search warrant to decrypt encrypted communications.
Stratfor: Al'Q wins in London even though the attack was foiled. |
|
|
Topic: War on Terrorism |
1:45 am EDT, Aug 30, 2006 |
Stratfor: Terrorism Intelligence Report - August 29, 2006

Airline Incidents: Fear as Force Multiplier

By Fred Burton

During the past month, since British authorities announced the disruption of a bomb plot involving airliners, there has been a worldwide increase in security awareness, airline security measures -- and fear among air passengers. At least 17 public incidents involving airline security have been reported in the United States and parts of Europe since Aug. 10. Most of these were innocuous, but many resulted in airliners making emergency landings off their scheduled routes, sometimes escorted by fighter aircraft. The spate of incidents -- each of which rings up significant financial costs to the airline company and governments involved and causes inconvenience and delays for travelers -- is a reminder that terrorism, philosophically, is not confined to the goal of filling body bags or destroying buildings. At a deeper level, it is about psychology and the "propaganda of the deed." And as far as al Qaeda is concerned, it is also about economic warfare: Osama bin Laden personally has stated that one of the group's strategic objectives is to "bleed America to the point of bankruptcy." To say that the governments and industries targeted by terrorism face difficult choices is a gross understatement. The problem lies in the fact that decision-makers not only must protect the public against specific groups using known tactics (in al Qaeda's case, bombs and liquid explosives) but also must protect themselves in the face of public opinion and potential political blowback. Officials naturally want to be perceived as doing everything possible to prevent future acts of violence; therefore, every threat -- no matter how seemingly ridiculous -- is treated seriously. Overreaction becomes mandatory. Politicians and executives cannot afford to be perceived as doing nothing.
This powerful mandate on the defensive side is met, asymmetrically, on the offensive side by a force whose only requirements are to survive, issue threats and, occasionally, strike -- chiefly as a means of perpetuating its credibility.

The Impact to Air Travel

Following the thwarted U.K. airlines plot, security measures in Britain, the United States and elsewhere were tightened. These new regulations have included a ban on liquids and electronic items in the passenger compartment, more stringent baggage checks and tighter scrutiny of prospective passengers. These new security measures already have had a financial impact on the airline industry. On Aug. 25, Irish discount airline Ryanair filed the lawsuit it had previously threatened against the British Department for Transport. The lawsuit represents an effort to change the new re...
|
|
New Jersey is richest state, but has some of the poorest cities (phillyBurbs.com) | New Jersey News |
|
|
Topic: Local Information |
10:19 pm EDT, Aug 29, 2006 |
New Jersey again has the highest household income of any state and one of the lowest poverty rates, according to new data from the U.S. Census Bureau, but two of its biggest cities are among the poorest in the nation. Camden ranks as the poorest place in the country with a population over 65,000 and Newark is among the poorest cities with more than 250,000 people, according to the figures released Tuesday based on data for 2005. The numbers illustrate that New Jersey, with its middle-class and wealthy suburbs nestled up against struggling, old industrial cities, continues to be a place of stark economic contrasts.
The democratization of cruise missile technology, part II |
|
|
Topic: Military Technology |
3:36 pm EDT, Aug 29, 2006 |
The barriers to entry have dropped sufficiently so that, as long as anyone has the will to fight, they'll be able to continue fighting. I think that's the strategic picture that's most pertinent to our time." What if the Iranians could launch swarms of hundreds of missiles simultaneously? All bets might be off. In such a scenario, the Iranians could conceivably devastate an American naval force. Do the Iranians possess enough missiles to do that? The truth is that we don't know. In the longer term, the trend seems clear.
This is the second half of an article recently discussed here.
|
Topic: Media |
7:54 pm EDT, Aug 26, 2006 |
Google has launched a site that allows you to do searches on keywords for graphs of their usage, as well as the top cities, regions, and languages involved. This is the right way to expose this kind of data. This type of statistical data is useful, but does not infringe on anyone's privacy. This will be useful for trend spotting and interest gauging. Strangely, there seem to be some things missing. For instance, take these two Google queries: "aol search database" and "quicksilver mac". For both, MemeStreams has similar result ranking on Google, either second or third term. I can pull up trend data for "quicksilver mac", but not "aol search database", even though queries for the AOL database are about 5 times more prevalent. This could just be because the AOL-related searches are more current. (U: It only includes data up to the turnover of the month, a month ago.) However, that's the situation where this might be most useful. I would very much like to be able to gauge interest level associated with issues over the first week or two of their inception. That would be _very_ useful, especially considering that links are provided to news stories that include the term. Google needs to turn the knob up to 11 on this one. Anything that sends a few dozen referrals to sites from unique users should get included in this. Update: These are not particularly amazing keyword collections, but they display some ways this is interesting: Events, Places, Organizations, People.
Google Trends |
|