<http://www.opednews.com/articles/Exclusive-Interview-with-D-by-Joan-Brunwasser-090329-274.html%23comment201397>http://www.opednews.com/articles/Exclusive-Interview-with-D-by-Joan-Brunwasser-090329-274.html%23comment201397
Part One of Interview with David Gewirtz, Author of Where Have All The Emails Gone? How Something as Seemingly Benign as White House Email Can Have Freaky National Security Consequences By Joan Brunwasser David Gewirtz is the author of Where have all the Emails Gone? which was published in 2007. He has also written more than 700 articles "about technology, competitiveness, and national security policy." David has agreed to an extensive interview with OpEdNews. This is the first of a three-part series. Welcome to OpEdNews, David. In an <http://www.outlookpower.com/issues/issue200812/00002304001.html>article you wrote after Obama's victory but before his inauguration, you pleaded with him to treat the White House computers like evidence at a crime scene. Why did you say that? >As you know, there is a continuing search (or at least quest) for >email messages that were sent by Bush White House officials and >which could not be produced according to the FRA and PRA. At the >time, there was some hope that some of those messages might be >recovered by incoming Obama administration officials because old >computers can tell tales, and although many of the Bush computers >were carted off to undisclosed locations, the hope was that some >would contain some of missing records documenting a key time in >American history. President Obama has now been in office for several months. Has this administration taken your words to heart? > Apparently not. In fact, the Obama administration seemed to fight >the disclosure of Bush-era email messages. I wrote about this very >curious situation in an ><http://ac360.blogs.cnn.com/2009/01/26/still-more-twists-from-the-bush-white-house-email-saga/>article > >for CNN. So, where does that leave us? > It's really an interesting problem. Presidents don't like to >disclose their email (Democrat or Republican) and tend to support >their predecessor's "right" to not disclose those records, even >though the law requires it. Even though President Obama came into >office on a change platform, in this area, his administration is >tracking with all that came before him since the early days of email. You refer to Blackberrys as "little mobile nightmares". Why? >Wow, there's about five articles in that answer, but let's look at a >few simple points. First, these device contain a lot of data and >that data can get lost. There are a bunch of examples of this, >including sensitive security information. Secondly, BlackBerry >devices and some other smartphones can be tapped with a hidden >software program that can turn them into locating devices, bugging >devices, and data logging devices. But, most of all, these - like >iPods - are really powerful little computers that can bring programs >like viruses (on purpose) behind secure firewalls and take data out >much easier than stuffing it in a briefcase. Old-school BlackBerry phones (from a year or so ago) can store about 64 megabytes of data. How much is 64 megabytes of data? The King James Bible is about 1,120 pages, or about 2.5 megabytes, so a typical 64 megabyte BlackBerry could hold about 25 King James Bible's worth of information. That's the equivalent in strategic U.S. government information of about 28,000 printed pages of data, or seven complete sets of all seven Harry Potter novels. Yikes. It does sound like a security nightmare. What do we have to do in order to sleep better at night? >Fundamentally, your best protection is learning. There are some >basic steps you can take that will improve your protection >considerably and I document them on my online safety page on my Web >site. There are ten steps listed at ><http://www.davidgewirtz.com/safety>http://www.davidgewirtz.com/safety >and if you follow those tips, I can't guarantee you'll be perfectly >safe, but you'll be measurably safer. Do other countries handle these issues better than we do? >Not so much. No. The U.K. has had some serious problems with missing >data off phones, cameras, and flash cards. Which news stories have vindicated your fears and warnings as pointed out in your many articles and recent book? >Oh, heck. So many. The scariest one was when a Mexican advance man >for a meeting between President Bush and the leaders of Mexico and >Canada stole BlackBerrys from White House personnel and had them in >his control for an extended period of time. But we're seeing an >almost constant flood of stories of cyberhacking, loss of data, >missing information, and more. I also wrote >an<http://www.outlookpower.com/issues/issue200807/00002198001> >article about security flaws at the FTC and Homeland Security >that'll curl your hair. Any chance someone might be listening and taking this seriously? >Absolutely. I first started to explore the issue of BlackBerry >security when I read congressional testimony by Susan Ralston, Karl >Rove's assistant. Before this, I hadn't realized the risk. But when >a deputy chief of staff loses a BlackBerry -- and you realize just >how much data can be stored on one -- I started to pay attention. Initially, it seemed like just another over-anxious tech geek whining about a problem. But then, when White House BlackBerrys were stolen by a Mexican operative, my earlier analysis seemed more and more prudent. As the White House BlackBerry theft story got out, more and more people started to pay attention. And then, as I learned more and realized that once a BlackBerry is in someone else's hands, it has the potential to be tapped and turned into a bugging device, I realized this was an actual threat. Yes, I know some people claim it can't be done, but there's software on the Internet sold to do just that -- marketed as a way to listen in on a cheating spouse. Some experts also claim you can't break BlackBerry's security, but I wouldn't want to put the determined efforts of a major nation state against some crypto created by a private company. The scale of the resources brought to the problem are radically different. I honestly believe this is why the story about President Obama's BlackBerry had such stickiness -- people were not only aware of the cool-factor of a tech-savvy President, but were also aware of the security issues. I'd probably done 50 interviews on BlackBerry security issues by that time, reaching millions of listeners and readers. I also ran a series of articles on this for CNN. President Obama, while keeping his phone, has indicated a clear awareness of what's appropriate and what's not, and has also indicated an awareness of both the security issues and the political issues and has kept the number of people he communicates with through his mobile device to an absolute minimum. <http://www.opednews.com/articles/Interview-with-David-Gewir-by-Joan-Brunwasser-090330-887.html>Part two of Interview with David Gewirtz, Author of Where Have All the Emails Gone? <http://www.opednews.com/articles/Interview-with-David-Gewir-by-Joan-Brunwasser-090330-887.html>http://www.opednews.com/articles/Interview-with-David-Gewir-by-Joan-Brunwasser-090330-887.html We've been talking with David Gewirtz, technology expert and author of <http://www.emailsgone.com/>Where Have All the Emails Gone? Welcome back, David, for the second part of our interview. We've already spoken about the cybersecurity situation that President Obama has inherited. Now, let's go a little further back in time, if you don't mind. What was the impetus behind Where Have All the Emails Gone? >We publish two magazines on email-related topics, one for IBM Lotus >professionals and one for Microsoft Outlook and Exchange >professionals. Back in April 2007, we ran a news story on the >missing email topics. Since it was on-topic for the magazines, I >decided I'd write one short article. Nothing made sense. 12 articles >and an amazing story later, we decided we had enough for a book. The >book was published in late 2007 and now, I've probably written >another 12 articles on the continuing saga. What time period are we talking about and how many emails have gone AWOL? >I discuss three key issues, only one of which is missing emails. I >consider some of the security issues inherent to how the White House >manages email a far greater concern. There's a beast called the >Hatch Act that can both give plausible deniability to storing email >according to the FRA and PRA, and also almost requires insecure >email for much of the White House's business. That said, there are reports of millions of missing messages. The only period for which there is formal confirmation (in the form of testimony to congress by the White House) is for the period March 1, 2003 and May 23, 2003. Full details on this are at: <http://www.outlookpower.com/issues/issue200805/00002168001.html>http://www.outlookpower.com/issues/issue200805/00002168001.html Why was the Bush administration's explanation for moving away from Lotus implausible? >The Bush administration claimed Lotus Notes was antiquated and not >up to the job. That is categorically incorrect. Lotus Notes is >regularly updated and is an IBM flagship products. I have personally >seen many extensive, enterprise-grade solutions with Notes that are >absolutely best-of-breed. As of today, we've published 10,358 >articles about Lotus Notes and it's quite excellent. In particular, >Notes is renown for it's security, something not quite as well >regarded for Microsoft Outlook. That's not to say Outlook and >Exchange (the Microsoft solution) aren't also great, but it's a >complete fallacy to claim Lotus isn't up to the job. That's, in >fact, what got me curious about the rest of the story. Does anyone besides for you get the immensity of the problem? If so, who? >Certainly the IT professionals who read our magazines get it. Some >of the folks in DC also get it. The groups who are suing the White >House understand part of the problem, but they're forwarding their >own agenda and in that agenda, suing the President is more sexy than >chasing obscure ISPs in Tennessee or fixing a 1939 law or repairing >basic security concerns. People I know in Homeland Security and the >FBI, at least at the individual contributor level very much get the >security issues. I've met some of the smartest and most impressive >people working on the front lines in America's security agencies. >The only problem for those guys is they work for politicians. Are people beginning to pay attention? Have you seen any encouraging signs so far? >Definitely. I've been interviewed a ton of times. I'm on the radio >or in an interview at least once a week on this topic and we've >reached, literally, millions of people. A nice side-stream benefit >has been that I've also been able to talk about regular Internet >security issues and help real people protect their own homes, just >as an outgrowth of explaining some of the White House's security >problems. And while I can't take direct credit, we've seen the discussion on both the missing email messages and overall White House IT moved along. It's still problematic, but I think that the book has gained enough attention that people are aware that IT at the White House is a national interest issue. What would you like people to take away from this book? >That email at the White House (at least during the Bush >administration) is broken and needs to be fixed. It's also likely to >be somewhat broken in the Obama administration, because the laws are >still in place to tie their hands, but we can be hopeful. People's eyes tend to glaze over as soon as something technical is discussed. Can you boil it all down to a few, simple points? >Sure. From a personal point of view, if you don't pay attention to >the security of your computer, you could lose everything. Someone >from Belarus could easily pop into your life and take all your >money, charge up your credit cards, and cause you no end of hurt. >From the perspective of White House security, the last thing we want >is an enemy nation or organization to be able to interfere with the >secure command and control of our government or, worst case, cause >us some grievous harm because they know something they shouldn't. You write about Blackberrys getting lost or highjacked, putting national security at risk. Karl Rove lost his at least once and maybe as many as five times. With the new president also a Blackberryphile, this problem is not going to go away. You have a few timely suggestions about how to safeguard these "mobile nightmares." Please share them with us. >Well, the biggest suggestion is to not hand your phone to anyone >else. Make sure you have complete control over it. Don't keep >confidential information in it, passwords, etc. For senior >government officials, home addresses are also confidential >information and shouldn't be in your phone. In the case of White >House staffers, if you must give up your phone for a time, only give >it to someone you, literally, trust with your life. That'd be >members of the Secret Service. Part of your narrative seems to fit the "well, the genie is out of the bottle" scenario. There's so much that no one seemed to understand about the ramifications of electronic technology. Were we much 'safer' in the pre-computer age? > Yes, and no. There were always risks of some sort. Our grandparents >didn't have to deal with people from other countries invisibly >sneaking into their computers and stealing their life savings, but >our parents, even those in their 80s, now do. But hey, back in the >Old West, there were gunfights and duels. We don't have them as >often (although we do have our own brand of gang violence). Fundamentally, when anyone ever says "this is the worst it's been" the answer is "no, it's not". Every generation and age had some really bad elements and some things that were truly beautiful. That said, cyberthreats are scary, just because they are so incredibly complex to defend against and the tools to launch them are so easy to come by. In the cyberthreat world, weapons of mass destruction (cheap PCs, iPods, flash cards, etc) can be bought at Wal-Mart. <http://www.opednews.com/articles/Interview-with-David-Gewir-by-Joan-Brunwasser-090330-887.html>Part three of Interview with David Gewirtz, Author of Where Have All the Emails Gone? Welcome back, faithful OpEdNews readers, for the final installment of our interview with technology expert, David Gewirtz. Let's see. What haven't we talked about yet, David? You claim that you have no political/partisan axe to grind. Can you prove that? >Well, I admit to voting both Democratic and Republican and generally >being annoyed by both parties. One way to judge a person is by >actions and while I've criticized the Bush administration for >management of White House email and security, I also pointed the >finger at some of Bill Clinton's policies. I also recently ran an >editorial critical of Senator Leahy's call for a truth squad to >investigate the Bush administration and I've been regularly critical >of the House Oversight Committee for overlooking some key elements >of testimony -- when that committee was run by Democrats. So, basically, I've picked on both sides. What I have found infinitely amusing is that when I've done radio interviews with both whack-job super right-wing Republicans and completely looney-tunes, totally left-wing Democrats, both have thought I was arguing their side. I've also had editorials written on conservative Web sites claiming I was a liberal and liberal Web sites claiming I was forwarding the conservative agenda. My agenda is America's security -- that and a quest for chocolate. Your two-point agenda sounds reasonable to me. What were you aiming for with Where Have All the Emails Gone? >My goal for the book is nothing less than fixing serious problems at >the White House as it pertains to their IT [Information Technology] >policy. I make six strong recommendations, but it really boils down >to two key issues: revising the Hatch Act and establishing an >administration-spanning professional IT division unrelated to the >political process. On another but related topic: Who are Mike Connell and SmarTech? What do they have to do with the missing emails? >I covered SmarTech extensively in the book. They're the ISP >[Internet Service Provider] I traced much of the RNC [Republican >National Committee] and White House email traffic through. Before I >go further, I need to say that the forensics I used didn't do any >sort of penetration or anything either illegal or unethical. I >gathered data from open sources like domain registry information and >whois queries -- data that's available to anyone on the Internet. I >believe that more than 100 million messages traveled through >SmarTech from and to the White House. I didn't cover Connell much, although the conspiracy theorists are having a field day. Connell was an IT guy for the GOP, designing Web sites and doing other IT stuff. He was involved in an investigation into vote tampering in Ohio in 2004's Presidential election*. The reason the conspiracy people are all wired about this is Connell died in a plane crash right in the middle of the investigation. You can draw your own conclusions, but I, personally, believe this to be just the sad accident it was reported to be. Is it a strange coincidence that Connell was in charge of the <http://rawstory.com/news/2008/Documents_reveal_how_Ohio_routed_2004_1031.html>routing of Ohio's votes through Chattanooga, Tennessee on Election Day 2004 and then back to Secretary of State Ken Blackwell's website? >I don't have any evidence of that, so I can't really discuss it. I >did find a few strange coincidences, however. First, I found >public-facing evidence of two PDF files belonging to the Office of >the Ohio Secretary of State on IP [Internet Protocol] addresses >owned and operated by SmarTech (who happen to be in Chattanooga). It is, however, curious that official state election documents do appear on a server operated by a firm under contract to the RNC. It is also curious that the senior election official in Ohio was also running for Governor of Ohio while this went on. It is further somewhat curious that a finance oversight agency of HUD runs its Web site on SmarTech's servers and that Mr. Blackwell (Ohio's Secretary of State at the time of the 2004 election) was previously undersecretary of HUD. Nothing of this, however, represents anything even close to a smoking gun. For the record, I've offered the founder of SmarTech the opportunity to tell his side of the story a few separate times, including in the book. The offer has never been accepted. Why would electronic votes be routed through a third party at all, and especially before the vote count was announced or made official? >I have no evidence this was done, so I don't have much intelligent >to say about it. Personally, though, as a formally trained computer scientist, the idea of electronic voting machines with no paper trail seems the height of irresponsibility and, frankly, stupidity. First, they're computers, so they could fail. But we also know almost any system is easy to hack and the risk of an unauditable voting machine being hacked and perhaps changing an election is far too high. Let's be clear: people will always try to swing elections -- they always have. But we don't need to make it ridiculously easy for them. I agree completely with your last point. And that's an excellent place to wrap up our interview. You've been very generous with your time, David. Thank you. I look forward to seeing where your research takes you. All of us have benefited from your extensive investigation of the many unanticipated security risks inherent in the technology we use. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to Mark Crispin Miller's "News From Underground" newsgroup. To unsubscribe, send a blank email to newsfromunderground-unsubscr...@googlegroups.com OR go to http://groups.google.com/group/newsfromunderground and click on the "Unsubscribe or change membership" link in the yellow bar at the top of the page, then click the "Unsubscribe" button on the next page. For more News From Underground, visit http://markcrispinmiller.com -~----------~----~----~----~------~----~------~--~---
