[Noisebridge-discuss] National Security Letters (NSLs)

warning at type-error.net warning at type-error.net
Thu Mar 21 09:15:36 UTC 2013


NSLs were still alive and kicking up until a week of so ago, when the
EFF's successful ruling was announced. The EFF has let me know that
the ruling only stands for 90 days and that there is a possibility the
ruling will be rescinded after that upon appeal. So, we are not safe
yet. I was in contact with the EFF this month regarding the issue.
They referred me to some lawyers, but basically, the advice to me in
general has been is that no digital information is protected from
snooping unless it is stored in your home and encrypted. But even
then, I am told that silent "black bag" jobs (tampering your home
electronic devices) are a possibility if you are labeled a threat to
national security.

Here is some feedback I can share, since I am a rare person to have
realized the snooping was in effect while it was occurring. I also got
confirmation of this due to lack of a confidentiality requirement when
multiple agents attempted to visit me in person and called me on the
phone. They wanted to follow-up after their many months of snooping
revealed that I was not in fact a "terrorist" -- simply a security
researcher that had identified vulnerabilities of a North American
utility company. After half a year of working with the utility
company, they did nothing to protect my own data, so I went online to
blow the whistle about the company being breached and all user data
(including home addresses and names) being compromised. With this
vulnerability, someone could effectively find your home address /
phone / name on account no matter where you lived in North America,
since you are required to provide this when receiving utility service.
To my knowledge, the companies involved have still not gone public
with this information.

Some things the Secret Service did to snoop on me that you should also
be aware of, and some feedback follow:

* SS served Google with an NSL to obtain my account information.

* Around January, upon logging into the Google account, Google showed
a strange NOTICE message asking me to accept the terms of usage of my
account. This was odd, because in a decade of being a Google user, I
had never seen this. I am told that this is Google's way of "telling
you without telling you" that you have been served an NSL. Google, by
law, is not allowed to tell you about the NSL, but they definitely are
within their right to ask you to accept their TOS upon login. This is
the "tell" that everyone here should be aware of. If you see this, you
are likely being monitored.

* My Google account was being operated by someone else, despite
utilizing 2-step and very strong passwords. This may have been limited
to a Google Chat 0day, unpublished vulnerability, or a Google
backdoor. My chat contacts said I was online when I was not online or
had messaged them, when I had not.

* I received multiple emails from shady individuals asking me to
provide / sell 0day. Some were in poor English. I presume this may
have been a baiting tactic to get me on some technicality. I did not
sell any 0day nor did I accept their request to "help them" with
whatever they were seeking in terms of shady deals.

* One of my encrypted Desktop home Linux computers was mysteriously
wiped upon my return from a trip. The RAID array was 'corrupted'.

* People I know started getting strange calls from random numbers at
odd hours. I wonder if this was some attempt to exploit remote
listening flaws in some phones, but I am justly paranoid.

* Someone opened mail / packages at my physical residence to reveal
the contents inside. This was very odd and not something that ever
happens. It occurred at least twice to my knowledge.

* Local police were posted outside my residence the morning I received
numerous calls from SS agents.

* SS confirmed over the phone that they monitored my Google account,
after I told them I knew they were. At first, they would not tell me
they did and denied it. The agent actually said "Google should not
have told you that". When I asked how many other online accounts they
monitored, the agent refused to let me know the details. When asked if
they monitored my financial / banking / health records, they said the
surveillance was limited to electronic records. I presume this
includes my ISP, Google, phone, any accounts signed up via Google
(third-party registration / account emails give it away), etc.

* I was told that my security research activities are a "legal grey
area", but that the investigation was being closed. The SS said that
the data they have on me "is safe" and "will be destroyed" after some
"expiration period". I vehemently expressed my distrust that it would
be held securely or destroyed.

For your background, I have been on the other side of such requests,
as the person providing data to the Secret Service field agents
before. These people don't understand technology and don't understand
what they are asking for many times. They also don't understand even
the most basic concepts of how the Internet works. I presume the
non-field agents (the people that are in operations centers and don't
talk to people) are the ones that penetrate the end-user
electronically, as necessary. Unfortunately, I have no evidence to
support the above other than the strange activity on my account. An
entirely separate and more likely scenario is that the Secret Service
communications are hacked by Nation States that used that surveillance
to target me directly. A scary assumption, but not out of the
question. Mitnick was reading GOV emails long ago and I would have to
presume that adversaries are snooping GOV emails still to this day.

If you have any other insights, I would be glad to hear them. I would
love to speak with anyone else that can come forward as an NSL victim.

On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> Did you receive one of the few NSLs without a confidentiality
> requirement, or did you manage to get it set aside, or are you relying
> on Judge Illston's decision in this disclosure?  (Just curious.)

It did not have a confidentiality requirement, to my knowledge. I am
attempting to get the FOIA data on myself, but it has been rejected
thus far.

On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> On Wed, Mar 20, 2013 at 01:49:05PM -0700, warning at type-error.net wrote:
>> I had an National Security Letter (NSL) served against me from the
>> Secret Service.
>
> Did you receive one of the few NSLs without a confidentiality
> requirement, or did you manage to get it set aside, or are you relying
> on Judge Illston's decision in this disclosure?  (Just curious.)
>
>> Has anyone on the list here (other than Jake)
>> experienced this?
>
> To the best of my knowledge, Noisebridge has never received any kind of
> subpoena, NSL, grand jury summons, demand letter, or similar legal
> process.
>
> Also to the best of my knowledge no officer, volunteer, or member of
> Noisebridge has received any subpoena, NSL, summons, or demand in
> relation to Noisebridge.
>
> -andy
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQEcBAEBAgAGBQJRSlANAAoJEK+gpF/tPRFtzJsIAJiG2qpl4epp3mYjNBeoGftf
> WrAbhBLoSxl9XJLJks+HJwYPFpHdKzMtgu6rsyAnKVDtE7Izilz79HlF/hOfalD7
> v8KlvLy4StnGNmv4mBHvpKAmgTWNoB8N1GNu51Dt7y1KTE19J364teI4Y1x8PCQa
> y8tItiOd6wyw1di8ELwnf3FOWX5S4ksCWQdfLJrnv8cdmSJye0n7GWePQDpjHjqC
> 61ZXEl//S3tVHks87Djl9DhCF0RHyV9lQxVvncF7kQh2/DZCK8GbNfcn5Q51j3T0
> BYCkVNwjBs7t2HdjH944MK6BRisR/coS4nwIvxwb71zW/AOPtK1HrhaSDJkmZ04=
> =nYcG
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>



-- 
Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://profiles.google.com/kristian.hermansen


More information about the Noisebridge-discuss mailing list