We're learning more of the secretive world of government data collection
September 12, 2014
In light of the NSA-Edward Snowden scandal more than a year ago, the public at large has been getting a broader glimpse at the still-secretive world of government data collection in the last few months, and Yahoo might be helping in this long and very complex process.
Yahoo said late yesterday that it has won the release of over 1,500 pages of documents filed in a secretive surveillance court.
Led by CEO Marissa Mayer since 2012, the company said the documents stem from an unsuccessful lawsuit it brought in 2008 challenging the government's right to demand user information.
Yahoo won a small victory in 2013 when portions of previously-sealed documents were ordered public. As it noted yesterday, disclosures from the Foreign Intelligence Surveillance Court are "extremely rare."
The documents are a public relations victory for Yahoo: they demonstrate that the company is resisting orders to comply with the surveillance programs.
"Yahoo has not complied with the directives because of concerns that they require Yahoo to assist in conducting warrantless surveillance that is likely to capture private communications of United States citizens located in the U.S. and abroad," Yahoo wrote in a legal document, arguing the orders violated "the privacy of U.S. citizens."
The government placed huge pressure on Yahoo to comply with its order, the company said. "At one point, the U.S. Government threatened the imposition of $250,000 in fines per day if we refused to comply," read the announcement from Ron Bell, one of Yahoo's lawyers.
However, the documents also contain new information that may fuel the public debate over the programs.
Among them is "a mostly unredacted" surveillance order from the federal government and the surveillance court ruling from the 2008 lawsuit. Yahoo was initially blocked from publicly releasing that decision.
Then began a months-long process of declassifying the documents, and the secretive court ruled Thursday that the documents were ready for release.
The documents were subsequently posted online on the Director of National Intelligence's Web site.
On any given day, surveillance laws require Yahoo and other companies to collect information from users and prohibit them from telling the users about the collection.
Yahoo and other technology companies (Google, Facebook, Microsoft and LinkedIn) have all been allowed to disclose broad numbers about how many surveillance requests they receive from U.S. federal authorities, and have called on the government to allow further releases.
On any given day, weather predictions could be thrown into a storm if potential hackers exploited a whole slew of dangerous and years-old security flaws reported in ground control stations for the Joint Polar Satellite System (JPSS).
The security holes, of which 12,703 are considered high risk, have been detailed in a U.S. Government audit report that examined the state of security of the "high impact IT" ground control system of the JPSS and the Suomi National Polar-orbiting Partnership.
The JPSS is the latest U.S. polar-orbiting environmental satellite and provides data for weather forecasts and climate monitoring.
Allen Crawley, the U.S. Department of Commerce's assistant inspector general for systems acquisition and IT security, found shocking flaws in the NASA and National Oceanic and Atmospheric Administration's (NOAA's) ground control station.
"As a direct result, few security controls are fully implemented and many high-risk security vulnerabilities exist within the system," Crawley wrote in a report.
"Software used by the JPSS system contains security vulnerabilities that have been publicly known for several years. Software tools to exploit several of these vulnerabilities are available on the Web," he added.
"Since 2012, the number of high-risk security vulnerabilities in the system has increased by two-thirds despite recent efforts the program has taken to remediate these vulnerabilities," he said.
Some security flaws, including some very bad ones, have persisted for several years due in part to contractors having a four-year reprieve in 2010 from addressing any flaws while the station was repurposed from a research project to the JPSS.
High-risk security vulnerabilities were defined as those that are relatively easy for attackers to exploit and that can cause "significant disruption" to "critical data used in weather forecasting and climate monitoring".
About 26.2 percent of the National Institute of Standards and Technology security controls were fully implemented at the station between fiscal years 2012 and 2013.
Worse, the majority of the security vulnerabilities identified won't be fixed for a further two years despite policy stating that high-risk security flaws must be fixed within a month of being discovered.
In the recent past, it took up to about fourteen months for some security patches to be applied and more than a year for holes identified in penetration tests to be patched.
Management did confess that IT maintenance in 2011 was suspended for almost a year. Old security flaws include more than 9,100 high risk unpatched vulnerabilities, bad configurations and unnecessary operating system and software privileges.
Additionally, about 3,600 password and audit settings that are not in line with JPSS policy, and three security holes newly identified in 2012 but still not fixed, are still present today.
Those security holes could be fixed with only minor alteration to the ground control systems, according to the report.
Crawley also recommends that the station cancel its failed bi-annual maintenance cycle and fix the high risk holes ASAP before meteorologists begin reporting snowfall in the coming winter.
"High-risk security vulnerabilities could lead to a disruption of NOAA’s ability to command and control the Suomi NPP satellite and to provide data that is used in numerical weather models that support weather predictions and climate monitoring. The importance of remediating these vulnerabilities justifies addressing them outside the regular cycle of maintenance deployments," Crawley added.
NOAA's security slap-down comes after it was revealed in July that a staffer had made off with data contained on his laptop which he refused to hand over.
Auditors found insecure access to corporate systems by staff consumer devices and thousands of security vulnerabilities.